Documentation updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@548 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-05-15 19:39:23 +00:00
parent 6e7f5cbd4f
commit d282399aa7
32 changed files with 17316 additions and 16681 deletions

File diff suppressed because it is too large

View File

@ -32,7 +32,8 @@
<h1>Looking for Step by Step Configuration Instructions? Check out the <a
href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
</h1>
</h1>
<h1>PORT FORWARDING<br>
</h1>
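Review bot: the two consecutive `</h1>` lines after the QuickStart heading leave one closing tag with no matching `<h1>`; browsers tolerate it, but the page is no longer well-formed, so drop the duplicate `</h1>` instead of carrying it forward.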
@ -83,15 +84,18 @@ the connection to port 22 on local system 192.168.1.3</b>. How do I do that?</a>
as 'closed' rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
of my firewall and it showed 100s of ports as
open!!!!<br>
</a></p>
<b>4b</b>. <a href="#faq4b">I have a port that I can't close no matter how
I change my rules. </a>
<h1>CONNECTION PROBLEMS</h1>
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now
I <b> can't ping</b> through the firewall</a><br>
<b><br>
15. </b><a href="#faq15"><b>My local systems can't see out
to the net</b></a></p>
to the net</b></a></p>
<h1>LOGGING<br>
</h1>
@ -115,15 +119,15 @@ to the net</b></a></p>
<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
in Shorewall log messages <b>so long</b>? I thought MAC addresses
were only 6 bytes in length.</a><b><br>
were only 6 bytes in length.</a><b><br>
</b></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!<br>
</a></p>
<b>17</b>.
<a href="#faq17">How do I find out <b>why this traffic is</b>
getting <b>logged?</b></a><br>
<a href="#faq17">How do I find out <b>why this traffic is</b>
getting <b>logged?</b></a><br>
<b><br>
21. </b><a href="#faq21">I see these <b>strange log entries
</b>occasionally; what are they?</a><br>
@ -147,7 +151,7 @@ stop', I can't connect to anything</b>. Why doesn't that command
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly at startup?</a></p>
<b>22. </b><a href="#faq22">I have
some <b>iptables commands </b>that I want to <b>run when Shorewall
some <b>iptables commands </b>that I want to <b>run when Shorewall
starts.</b> Which file do I put them in?</a><br>
<h1>ABOUT SHOREWALL<br>
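Review bot: the FAQ 9 entry links to `FAQ.htm#faq9` while every other entry in this index uses the bare fragment (`#faq22` two lines below); use the same `#faq9` form so the link keeps working if the file is renamed or served under a different name.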
@ -162,7 +166,7 @@ some <b>iptables commands </b>that I want to <b>run when Shorewall
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
<b>23. </b><a href="#faq23">Why do you use
such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
<b><br>
25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
I am <b>running</b>?</a><br>
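Review bot: "How to I tell" in the FAQ 25 entry should read "How do I tell"; since this line is already being reflowed, fix the typo in the same pass.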
@ -171,52 +175,52 @@ such <b>ugly fonts</b> on your <b>web site</b>?</a><br>
</h1>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me
to configure/monitor it but as expected if I enable
and it has an internel web server that allows
me to configure/monitor it but as expected if I enable
<b> rfc1918 blocking</b> for my eth0 interface, it also
blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918
address. If I enable RFC 1918 filtering on my external
IP addresses, my ISP's DHCP server has an RFC
1918 address. If I enable RFC 1918 filtering on my external
interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
<h1>ALIAS IP ADDRESSES/VIRTUAL INTERFACES<br>
</h1>
<b>18.</b> <a href="#faq18">Is there any
way to use <b>aliased ip addresses</b> with Shorewall, and
maintain separate rulesets for different IPs?</a><br>
<b>18.</b> <a href="#faq18">Is there
any way to use <b>aliased ip addresses</b> with Shorewall,
and maintain separate rulesets for different IPs?</a><br>
<h1>MISCELLANEOUS<br>
</h1>
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b>
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br>
<br>
<b>20. </b><a href="#faq20">I have
just set up a server. <b>Do I have to change Shorewall to
allow access to my server from the internet?</b></a><br>
<b>20. </b><a href="#faq20">I
have just set up a server. <b>Do I have to change Shorewall
to allow access to my server from the internet?</b></a><br>
<br>
<b>24. </b><a href="#faq24">How can I <b>allow
conections</b> to let's say the ssh port only<b> from specific
IP Addresses</b> on the internet?</a><br>
conections</b> to let's say the ssh port only<b> from specific
IP Addresses</b> on the internet?</a><br>
<br>
<br>
<br>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've
looked everywhere and can't find how to do it.</h4>
my my personal PC with IP address 192.168.1.5.
I've looked everywhere and can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a
href="Documentation.htm#Rules">rules file documentation</a> shows how to
do port forwarding under Shorewall. The format of
a port-forwarding rule to a local system is as follows:</p>
do port forwarding under Shorewall. The format
of a port-forwarding rule to a local system is as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
id="AutoNumber1" cellspacing="1">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
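Review bot: the reflowed lines still carry two typos, "internel" in FAQ 14 and "conections" in FAQ 24, so they should be corrected while the lines are being touched. Separately, the table here keeps `id="AutoNumber1"`, which the next table on the page also uses; HTML ids must be unique within a document, so either drop the editor-generated id or give each table its own. The added `cellspacing="1"` has no effect on a table styled `border-collapse: collapse` and can be omitted.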
@ -252,7 +256,7 @@ IP Addresses</b> on the internet?</a><br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
id="AutoNumber1" cellspacing="1">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
@ -287,8 +291,8 @@ IP Addresses</b> on the internet?</a><br>
system:</div>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<table border="1" cellpadding="2" cellspacing="0"
style="border-collapse: collapse;">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
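Review bot: this third table drops `id="AutoNumber1"` and sets `cellspacing="0"`, while the two tables above keep the id and get `cellspacing="1"`; the three tables present the same rule format and should use one markup. Removing the id from all three is the cleaner choice, since the id is duplicated and nothing on the page references it.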
@ -317,8 +321,8 @@ IP Addresses</b> on the internet?</a><br>
</tbody>
</table>
</blockquote>
Finally, if you need to forward a range of ports, in the
PORT column specify the range as <i>low-port</i>:<i>high-port</i>.<br>
Finally, if you need to forward a range of ports, in
the PORT column specify the range as <i>low-port</i>:<i>high-port</i>.<br>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions
but it doesn't work</h4>
@ -328,12 +332,12 @@ IP Addresses</b> on the internet?</a><br>
<ul>
<li>You are trying
to test from inside your firewall (no, that won't work
-- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more
basic problem with your local system such as an incorrect
default gateway configured (it should be set to the IP address
of your firewall's internal interface).</li>
to test from inside your firewall (no, that won't
work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a
more basic problem with your local system such as an
incorrect default gateway configured (it should be set to
the IP address of your firewall's internal interface).</li>
<li>Your ISP is blocking that particular port inbound.<br>
</li>
@ -341,43 +345,43 @@ IP Addresses</b> on the internet?</a><br>
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
forwarding</h4>
<b>Answer: </b>To further diagnose
this problem:<br>
<b>Answer: </b>To further
diagnose this problem:<br>
<ul>
<li>As root, type "iptables
-t nat -Z". This clears the NetFilter counters in the
nat table.</li>
nat table.</li>
<li>Try to connect to the
redirected port from an external host.</li>
redirected port from an external host.</li>
<li>As root type "shorewall
show nat"</li>
<li>Locate the appropriate
DNAT rule. It will be in a chain called <i>&lt;source
zone&gt;</i>_dnat ('net_dnat' in the above examples).</li>
<li>Is the packet count in
the first column non-zero? If so, the connection request
is reaching the firewall and is being redirected to the server.
In this case, the problem is usually a missing or incorrect
default gateway setting on the server (the server's default
gateway should be the IP address of the firewall's interface
to the server).</li>
<li>If the packet count is
zero:</li>
DNAT rule. It will be in a chain called <i>&lt;source
zone&gt;</i>_dnat ('net_dnat' in the above examples).</li>
<li>Is the packet count
in the first column non-zero? If so, the connection
request is reaching the firewall and is being redirected
to the server. In this case, the problem is usually a missing
or incorrect default gateway setting on the server (the server's
default gateway should be the IP address of the firewall's
interface to the server).</li>
<li>If the packet count
is zero:</li>
<ul>
<li>the connection request
is not reaching your server (possibly it is being blocked
by your ISP); or</li>
<li>you are trying to connect
to a secondary IP address on your firewall and your rule
is only redirecting the primary IP address (You need to specify
the secondary IP address in the "ORIG. DEST." column in your
DNAT rule); or</li>
<li>you are trying to
connect to a secondary IP address on your firewall and
your rule is only redirecting the primary IP address (You need
to specify the secondary IP address in the "ORIG. DEST." column
in your DNAT rule); or</li>
<li>your DNAT rule doesn't
match the connection request in some other way. In that
case, you may have to use a packet sniffer such as tcpdump or
ethereal to further diagnose the problem.<br>
case, you may have to use a packet sniffer such as tcpdump
or ethereal to further diagnose the problem.<br>
</li>
</ul>
@ -431,14 +435,15 @@ zero:</li>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an internet-accessible
server in your local network is like raising foxes
in the corner of your hen house. If the server is compromised,
there's nothing between that server and your other internal
systems. For the cost of another NIC and a cross-over cable,
you can put your server in a DMZ such that it is isolated
from your local systems - assuming that the Server can be located
near the Firewall, of course :-)</li>
<li>Having an
internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If
the server is compromised, there's nothing between
that server and your other internal systems. For the cost
of another NIC and a cross-over cable, you can put your
server in a DMZ such that it is isolated from your local systems
- assuming that the Server can be located near the Firewall,
of course :-)</li>
<li>The accessibility
problem is best solved using <a
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
@ -452,7 +457,7 @@ from your local systems - assuming that the Server can be located
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that
your external interface is eth0 and your internal
interface is eth1 and that eth1 has IP address 192.168.1.254
interface is eth1 and that eth1 has IP address 192.168.1.254
with subnet 192.168.1.0/24.<br>
</p>
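Review bot: the sentence "If you insist on an IP solution ... then assuming that your external interface is eth0 ... with subnet 192.168.1.0/24." has no main clause after "then assuming that"; end the assumptions with a colon leading into the rules that follow, or restate it as "then, assuming ..., you can do the following:".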
@ -462,7 +467,7 @@ interface is eth1 and that eth1 has IP address 192.168.1.254
</p>
<p align="left">If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please
upgrade to Shorewall 1.4.2 or later.<br>
upgrade to Shorewall 1.4.2 or later.<br>
</p>
<p align="left">Otherwise:<br>
@ -553,9 +558,9 @@ upgrade to Shorewall 1.4.2 or later.<br>
<div align="left">
<p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and
are running Shorewall 1.3.4 or later then include this
in /etc/shorewall/init:</p>
IP address. If you have a dynamic IP address
and are running Shorewall 1.3.4 or later then include
this in /etc/shorewall/init:</p>
</div>
<div align="left">
@ -611,8 +616,8 @@ upgrade to Shorewall 1.4.2 or later.<br>
<p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external
and internal clients to access a NATed host using the
host's DNS name.</p>
and internal clients to access a NATed host using
the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in
@ -623,8 +628,8 @@ upgrade to Shorewall 1.4.2 or later.<br>
Z-&gt;Z traffic through your firewall then:</p>
<p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
b) Masquerade Z to
itself.<br>
b) Masquerade Z
to itself.<br>
<br>
Example:</p>
@ -715,9 +720,9 @@ itself.<br>
<p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help with Netmeeting.
Look <a href="http://linux-igd.sourceforge.net">here</a> for a solution
for MSN IM but be aware that there are significant security risks
involved with this solution. Also check the Netfilter mailing
Look <a href="http://linux-igd.sourceforge.net">here</a> for a
solution for MSN IM but be aware that there are significant security
risks involved with this solution. Also check the Netfilter mailing
list archives at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.
</p>
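Review bot: "significant security risks involved with this solution" tells the reader nothing they can act on. The linked project (linux-igd) implements UPnP Internet Gateway Device, which lets any host on the internal network ask the firewall to open inbound ports without any rules change; saying that in one sentence would let readers judge the trade-off.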
@ -728,13 +733,13 @@ itself.<br>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port
113 rather than dropping them. This is necessary
to prevent outgoing connection problems to services that
use the 'Auth' mechanism for identifying requesting users.
Shorewall also rejects TCP ports 135, 137 and 139 as well
as UDP ports 137-139. These are ports that are used by Windows
(Windows <u>can</u> be configured to use the DCE cell locator
on port 135). Rejecting these connection requests rather than
dropping them cuts down slightly on the amount of Windows chatter
to prevent outgoing connection problems to services
that use the 'Auth' mechanism for identifying requesting
users. Shorewall also rejects TCP ports 135, 137 and 139
as well as UDP ports 137-139. These are ports that are used
by Windows (Windows <u>can</u> be configured to use the DCE cell
locator on port 135). Rejecting these connection requests rather
than dropping them cuts down slightly on the amount of Windows chatter
on LAN segments connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
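Review bot: the paragraph still describes "the common.def included with version 1.3.x", while this same page now tells readers to run 1.4.2 or later and refers to the 1.4.0 common.def further down; either confirm the 1.4 common.def rejects the same ports (113, 135, 137-139) and update the version reference, or note where the behaviour changed.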
@ -747,9 +752,20 @@ on LAN segments connected to the Firewall. </p>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b>
back from your firewall then it reports the port
as open. If you want to see which UDP ports are really open,
temporarily change your net-&gt;all policy to REJECT, restart
Shorewall and do the nmap UDP scan again.</p>
as open. If you want to see which UDP ports are really
open, temporarily change your net-&gt;all policy to REJECT,
restart Shorewall and do the nmap UDP scan again.<br>
</p>
<h4><a name="faq4b"></a>4b. I have a port that I can't close no matter how
I change my rules. </h4>
I had a rule that allowed telnet from my local network to my firewall; I
removed that rule and restarted Shorewall but my telnet session still works!!!<br>
<br>
<b>Answer: </b> Rules only govern the establishment of new connections.
Once a connection is established through the firewall it will be usable until
disconnected (tcp) or until it times out (other protocols).  If you stop telnet
and try to establish a new session your firerwall will block that attempt.<br>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4>
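Review bot: the new FAQ 4b answer has a typo, "firerwall", and a doubled space before "If you stop telnet". It would also help to say why the session survives: a restart reloads the rules but does not flush the kernel's connection tracking table, so the existing telnet session still matches the ESTABLISHED/RELATED acceptance and only a new connection attempt hits the changed rules. In 4a, "reports the port as open" matches the nmap of the day; current nmap labels a UDP port that returns nothing as open|filtered, so the wording will date.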
@ -759,8 +775,8 @@ on LAN segments connected to the Firewall. </p>
<p align="left">a) Create /etc/shorewall/common if it doesn't already exist.
<br>
b) Be sure that the
first command in the file is ". /etc/shorewall/common.def"<br>
b) Be sure that
the first command in the file is ". /etc/shorewall/common.def"<br>
c) Add the following
to /etc/shorewall/common </p>
@ -769,8 +785,9 @@ on LAN segments connected to the Firewall. </p>
-j ACCEPT<br>
</p>
</blockquote>
For a complete description of Shorewall 'ping'
management, see <a href="ping.html">this page</a>.
For a complete description of Shorewall
'ping' management, see <a href="ping.html">this page</a>.
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and how do I change the destination?</h4>
@ -815,12 +832,12 @@ restart"). </p>
</p>
</blockquote>
I personnaly use Logwatch. It emails
me a report each day from my various systems with each report
summarizing the logged activity on the corresponding system.
me a report each day from my various systems with each report
summarizing the logged activity on the corresponding system.
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
are <b>flooding the logs</b> with their connect requests. Can i
exclude these error messages for this port temporarily from logging
are <b>flooding the logs</b> with their connect requests. Can
i exclude these error messages for this port temporarily from logging
in Shorewall?</h4>
Temporarily add the following rule:<br>
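Review bot: "personnaly" should be "personally", and the reflowed FAQ 6b heading still has a lowercase "i" ("Can i exclude"); both lines are being touched here, so correct them in this change.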
@ -839,23 +856,23 @@ summarizing the logged activity on the corresponding system.
</ol>
You can distinguish the difference by setting the
<b>logunclean</b> option (<a
<b>logunclean</b> option (<a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using an
/etc/shorewall/common file like this:<br>
logged twice, they are corrupted. I solve this problem by using
an /etc/shorewall/common file like this:<br>
<blockquote>
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
</blockquote>
The above file is also include in all of my sample
configurations available in the <a
configurations available in the <a
href="shorewall_quickstart_guide.htm">Quick Start Guides</a> and in
the common.def file in Shorewall 1.4.0 and later.<br>
the common.def file in Shorewall 1.4.0 and later.<br>
<h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in
Shorewall log messages so long? I thought MAC addresses were only
6 bytes in length.</h4>
6 bytes in length.</h4>
What is labeled as the MAC address in a Shorewall log message
is actually the Ethernet frame header. IT contains:<br>
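Review bot: "The above file is also include in" should be "included in", and "IT contains" in the FAQ 6d answer should be "It contains". The one-line `<pre>` block with embedded `<br>` tags renders, but a `<pre>` with real line breaks would be easier to copy into /etc/shorewall/common without picking up stray markup.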
@ -882,9 +899,9 @@ the common.def file in Shorewall 1.4.0 and later.<br>
<p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those hosts listed in
/etc/shorewall/routestopped' are activated. If you
want to totally open up your firewall, you must use the 'shorewall
clear' command. </p>
/etc/shorewall/routestopped' are activated. If
you want to totally open up your firewall, you must use the
'shorewall clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
I get messages about insmod failing -- what's wrong?</h4>
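Review bot: "/etc/shorewall/routestopped'" has a closing quote with no opening one; either quote both ends or, matching the rest of the page, leave the path unquoted.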
@ -910,7 +927,7 @@ the common.def file in Shorewall 1.4.0 and later.<br>
<h4><a name="faq8a"></a><b>8a. </b>When I try to start Shorewall on RedHat
I get a message referring me to FAQ #8</h4>
<b>Answer:</b> This is usually cured by the sequence of commands
shown above in FAQ #8
shown above in FAQ #8
</div>
<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my interfaces
@ -937,8 +954,8 @@ local zone is defined as all hosts connected through eth1</p>
with?</h4>
<p align="left">Shorewall works with any GNU/Linux distribution that includes
the <a href="shorewall_prerequisites.htm">proper
prerequisites</a>.</p>
the <a
href="shorewall_prerequisites.htm">proper prerequisites</a>.</p>
<h4 align="left">11. What Features does it have?</h4>
@ -955,13 +972,13 @@ local zone is defined as all hosts connected through eth1</p>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
(<a href="http://www.cityofshoreline.com">the
city where I live</a>) and "Fire<u>wall</u>". The full
city where I live</a>) and "Fire<u>wall</u>". The full
name of the product is actually "Shoreline Firewall" but "Shorewall"
is must more commonly used.</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me
to configure/monitor it but as expected if I enable
and it has an internal web server that allows
me to configure/monitor it but as expected if I enable
rfc1918 blocking for my eth0 interface (the internet one),
it also blocks the cable modems web server.</h4>
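Review bot: "is must more commonly used" should read "is much more commonly used"; the line is context here, but the FAQ 13 paragraph is being reflowed and the fix belongs in the same change.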
@ -1012,7 +1029,7 @@ following:</p>
interface to correspond to the modem address, you
must also make an entry in /etc/shorewall/rfc1918 for
that address. For example, if you configure the address
192.168.100.2 on your firewall, then you would add two entries
192.168.100.2 on your firewall, then you would add two entries
to /etc/shorewall/rfc1918: <br>
</p>
@ -1066,9 +1083,9 @@ its lease.</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers
with eyes and what those computers will "see" when things
are working properly. That aside, the most common causes
of this problem are:</p>
with eyes and what those computers will "see" when
things are working properly. That aside, the most common
causes of this problem are:</p>
<ol>
<li>
@ -1104,16 +1121,16 @@ firewall to the internet.</p>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4>
<b>Answer: </b>Logging
occurs out of a number of chains (as indicated in the
log message) in Shorewall:<br>
occurs out of a number of chains (as indicated in
the log message) in Shorewall:<br>
<ol>
<li><b>man1918 - </b>The
destination address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> -
The source address is listed in /etc/shorewall/rfc1918
<li><b>rfc1918</b>
- The source address is listed in /etc/shorewall/rfc1918
with a <b>logdrop </b>target -- see <a
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>,
@ -1134,17 +1151,17 @@ The source address is listed in /etc/shorewall/rfc1918
- The packet is being logged under the <b>maclist</b>
<a href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
<li><b>logpkt</b> - The
packet is being logged under the <b>logunclean</b>
<li><b>logpkt</b> -
The packet is being logged under the <b>logunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The
packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a> as
specified in the <b>LOGUNCLEAN </b>setting in <a
<li><b>badpkt </b>-
The packet is being logged under the <b>dropunclean</b>
<a href="Documentation.htm#Interfaces">interface option</a>
as specified in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> -
The packet is being logged because the source IP is
blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
<li><b>blacklst</b>
- The packet is being logged because the source IP
is blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn </b>-
The packet is being logged because it is a TCP packet
@ -1152,11 +1169,11 @@ blacklisted in the<a href="Documentation.htm#Blacklist"> /etc/shorewall/bla
syn packet. Options affecting the logging of such packets include
<b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b>
- The packet has a source IP address that isn't in any
of your defined zones ("shorewall check" and look at the
printed zone definitions) or the chain is FORWARD and the destination
IP isn't in any of your defined zones.</li>
<li><b>INPUT</b> or
<b>FORWARD</b> - The packet has a source IP address
that isn't in any of your defined zones ("shorewall check"
and look at the printed zone definitions) or the chain is FORWARD
and the destination IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet
is being logged because it failed the checks implemented
by the <b>tcpflags </b><a
@ -1166,8 +1183,8 @@ syn packet. Options affecting the logging of such packets include
</ol>
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different
IPs?</h4>
with Shorewall, and maintain separate rulesets for
different IPs?</h4>
<b>Answer: </b>Yes. See <a
href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>.
@ -1179,7 +1196,7 @@ syn packet. Options affecting the logging of such packets include
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from
the internet?</b><br>
the internet?</b><br>
</h4>
Yes. Consult the <a
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that you
@ -1196,43 +1213,43 @@ rules for your server.<br>
192.0.2.3 is external on my firewall...
172.16.0.0/24 is my internal LAN<br>
<br>
<b>Answer: </b>While most people associate
the Internet Control Message Protocol (ICMP) with 'ping',
ICMP is a key piece of the internet. ICMP is used to report
problems back to the sender of a packet; this is what is happening
here. Unfortunately, where NAT is involved (including SNAT, DNAT
and Masquerade), there are a lot of broken implementations. That is
what you are seeing with these messages.<br>
<b>Answer: </b>While most people
associate the Internet Control Message Protocol (ICMP)
with 'ping', ICMP is a key piece of the internet. ICMP is
used to report problems back to the sender of a packet; this is
what is happening here. Unfortunately, where NAT is involved (including
SNAT, DNAT and Masquerade), there are a lot of broken implementations.
That is what you are seeing with these messages.<br>
<br>
Here is my interpretation of what is
happening -- to confirm this analysis, one would have to
Here is my interpretation of what
is happening -- to confirm this analysis, one would have to
have packet sniffers placed a both ends of the connection.<br>
<br>
Host 172.16.1.10 behind NAT gateway
206.124.146.179 sent a UDP DNS query to 192.0.2.3 and your
DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as a DNS
reply). When the response was returned to to 206.124.146.179, it
rewrote the destination IP TO 172.16.1.10 and forwarded the packet
206.124.146.179 sent a UDP DNS query to 192.0.2.3 and your
DNS server tried to send a response (the response information
is in the brackets -- note source port 53 which marks this as a
DNS reply). When the response was returned to to 206.124.146.179,
it rewrote the destination IP TO 172.16.1.10 and forwarded the packet
to 172.16.1.10 who no longer had a connection on UDP port 2857.
This causes a port unreachable (type 3, code 3) to be generated back
to 192.0.2.3. As this packet is sent back through 206.124.146.179,
that box correctly changes the source address in the packet to 206.124.146.179
but doesn't reset the DST IP in the original DNS response similarly.
When the ICMP reaches your firewall (192.0.2.3), your firewall has
no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
appear to be related to anything that was sent. The final result is
that the packet gets logged and dropped in the all2all chain. I have
also seen cases where the source IP in the ICMP itself isn't set back
to the external IP of the remote NAT gateway; that causes your firewall
to log and drop the packet out of the rfc1918 chain because the source
IP is reserved by RFC 1918.<br>
no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't
appear to be related to anything that was sent. The final result
is that the packet gets logged and dropped in the all2all chain. I have
also seen cases where the source IP in the ICMP itself isn't set back
to the external IP of the remote NAT gateway; that causes your firewall
to log and drop the packet out of the rfc1918 chain because the source
IP is reserved by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do I
put them in?</h4>
You can place these commands in one
of the <a href="shorewall_extension_scripts.htm">Shorewall Extension
I want to <b>run when Shorewall starts.</b> Which file do
I put them in?</h4>
You can place these commands in
one of the <a href="shorewall_extension_scripts.htm">Shorewall Extension
Scripts</a>. Be sure that you look at the contents of the chain(s) that
you will be modifying with your commands to be sure that the
commands will do what they are intended. Many iptables commands
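Review bot: the reflowed FAQ 21 text keeps "returned to to 206.124.146.179" (doubled "to") and "rewrote the destination IP TO" (stray capitals), and the context line "packet sniffers placed a both ends" should be "at both ends". The analysis itself is sound: the remote NAT gateway rewrites the outer source address of the ICMP port-unreachable but not the destination in the quoted original header, so the firewall's connection tracking cannot relate the error to the DNS reply it sent, and the packet falls through to all2all; stating that the fault is the untranslated inner header, in those words, would make the conclusion easier to follow.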
@ -1245,14 +1262,14 @@ REJECT rule and any rules that you add after that will be ignored.
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4>
The Shorewall web site is almost font neutral
(it doesn't explicitly specify fonts except on a few pages) so
the fonts you see are largely the default fonts configured in your
browser. If you don't like them then reconfigure your browser.<br>
(it doesn't explicitly specify fonts except on a few pages)
so the fonts you see are largely the default fonts configured in
your browser. If you don't like them then reconfigure your browser.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
In the SOURCE column of the rule, follow "net"
by a colon and a list of the host/subnet addresses as a comma-separated
by a colon and a list of the host/subnet addresses as a comma-separated
list.<br>
<pre> net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
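Review bot: "conections" appears in both the FAQ 24 heading and the index entry; correct it to "connections". The answer gives only the SOURCE syntax; since the question is about ssh, one complete rule line in the rules-file format shown earlier on the page, e.g. `ACCEPT net:192.0.2.10,192.0.2.11 fw tcp 22`, would show readers where the list goes.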
@ -1269,11 +1286,13 @@ by a colon and a list of the host/subnet addresses as a comma-separat
<br>
<font color="#009900"><b> /sbin/shorewall version</b></font><br>
<br>
<font size="2">Last updated 4/8/2003 - <a
<font size="2">Last updated 4/14/2003 - <a
href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</body>
</html>
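Review bot: the "Last updated" stamp is changed to 4/14/2003, but this commit is dated 2003-05-15 and adds new FAQ content (4b), so the stamp should carry the date of this change.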

View File

@ -27,18 +27,19 @@
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a
href="http://jixen.tripod.com"> http://jixen.tripod.com</a> . I highly recommend
that you consult that site for information about confuring FreeS/Wan. 
href="http://www.geocities.com/jixen66/"> http://www.geocities.com/jixen66/</a>
. I highly recommend that you consult that site for information about confuring
FreeS/Wan. 
<p><font color="#ff6633"><b>Warning: </b></font>Do not use Proxy ARP and
FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so
I can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p>
(I haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
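Review bot: the typo "confuring" (for "configuring") is carried over from the old line into the reflowed sentence that follows the new geocities URL; fix it while the paragraph is being rewritten. The Proxy ARP warning below it is unchanged apart from reflow, so the claim that the problem is undiagnosed ("I haven't had the time to debug this problem") and the untested workaround ("I haven't tried it") still stand; keep those qualifiers when the paragraph is next touched, since readers rely on them to judge the risk of running Proxy ARP and FreeS/Wan together.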
@ -57,7 +58,7 @@ rather than to the interface that you specify in the INTERFACE column of
</font></p>
</font>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be able
to communicate with systems in the 10.0.0.0/8 network.</p>
to communicate with systems in the 10.0.0.0/8 network.</p>
<p align="left">To make this work, we need to do two things:</p>
@ -67,7 +68,7 @@ to communicate with systems in the 10.0.0.0/8 network.</p>
<p align="left">b) Allow traffic through the tunnel.</p>
<p align="left">Opening the firewall for the IPSEC tunnel is accomplished
by adding an entry to the /etc/shorewall/tunnels file.</p>
by adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following </p>
@ -114,13 +115,14 @@ by adding an entry to the /etc/shorewall/tunnels file.</p>
</blockquote>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
address should specify the external address of the NAT gateway.<br>
</p>
then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
address should specify the external address of the NAT gateway.<br>
</p>
<p align="left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote subnet.</p>
it in your local zone. In this example, we'll assume that you have
created a zone called "vpn" to represent the remote subnet.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -141,7 +143,7 @@ a zone called "vpn" to represent the remote subnet.</p>
</blockquote>
<p align="left">At both systems, ipsec0 would be included in /etc/shorewall/interfaces
as a "vpn" interface:</p>
as a "vpn" interface:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -198,7 +200,7 @@ shorewall restart); you are now ready to configure the tunnel in <a
href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p>
<h2><font color="#660066"><a name="RoadWarrior"></a> Mobile System (Road
Warrior)</font></h2>
Warrior)</font></h2>
<p>Suppose that you have a laptop system (B) that you take with you when you
travel and you want to be able to establish a secure connection back to your
@ -210,7 +212,7 @@ local network.</p>
<p align="left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created
a zone called "vpn" to represent the remote host.</p>
a zone called "vpn" to represent the remote host.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -231,8 +233,8 @@ a zone called "vpn" to represent the remote host.</p>
</blockquote>
<p align="left"> In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the /etc/shorewall/tunnels file
on system A, the following entry should be made:</p>
but that cannot be determined in advance. In the /etc/shorewall/tunnels
file on system A, the following entry should be made:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -255,8 +257,9 @@ on system A, the following entry should be made:</p>
</blockquote>
<p>Note that the GATEWAY ZONE column contains the name of the zone corresponding
to peer subnetworks. This indicates that the gateway system itself comprises
the peer subnetwork; in other words, the remote gateway is a standalone system.</p>
to peer subnetworks. This indicates that the gateway system itself comprises
the peer subnetwork; in other words, the remote gateway is a standalone
system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish
your "through the tunnel" policy as shown under the first example above.<br>
@ -264,8 +267,8 @@ the peer subnetwork; in other words, the remote gateway is a standalone system.<
<h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
Beginning with Shorewall release 1.3.10, you can define multiple VPN zones
and add and delete remote endpoints dynamically using /sbin/shorewall. In
/etc/shorewall/zones:<br>
and add and delete remote endpoints dynamically using /sbin/shorewall. In
/etc/shorewall/zones:<br>
<br>
<blockquote>
@ -340,27 +343,78 @@ and add and delete remote endpoints dynamically using /sbin/shorewall. In
<br>
</blockquote>
When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall
will issue warnings to that effect. These warnings may be safely ignored.
FreeS/Wan may now be configured to have three different Road Warrior connections
with the choice of connection being based on X-509 certificates or some other
means. Each of these connectioins will utilize a different updown script that
adds the remote station to the appropriate zone when the connection comes
up and that deletes the remote station when the connection comes down. For
example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the
script will issue the command":<br>
will issue warnings to that effect. These warnings may be safely ignored.
FreeS/Wan may now be configured to have three different Road Warrior connections
with the choice of connection being based on X-509 certificates or some
other means. Each of these connectioins will utilize a different updown
script that adds the remote station to the appropriate zone when the connection
comes up and that deletes the remote station when the connection comes down.
For example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of
the script will issue the command":<br>
<br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote>
and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn</blockquote>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br>
<br>
</blockquote>
<h3>Limitations of Dynamic Zones</h3>
If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added
hosts are not excluded from the rule.<br>
<br>
Example with dyn=dynamic zone:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top"><u><b>ACTION<br>
</b></u></td>
<td valign="top"><u><b>SOURCE<br>
</b></u></td>
<td valign="top"><u><b>DESTINATION<br>
</b></u></td>
<td valign="top"><u><b>PROTOCOL<br>
</b></u></td>
<td valign="top"><u><b>PORT(S)<br>
</b></u></td>
<td valign="top"><u><b>CLIENT<br>
PORT(S)<br>
</b></u></td>
<td valign="top"><u><b>ORIGINAL<br>
DESTINATION<br>
</b></u></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">z:dyn<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
Dynamic changes to the zone <b>dyn</b> will have no effect on the above rule.
<p><font size="2">Last updated 10/23/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2">Last updated 5/3//2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
<br>
</body>
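Review bot: the 'down' command under Dynamic RoadWarrior Zones removes the host from zone `vpn`, but the matching 'up' command added it to `vpn2` (`/sbin/shorewall add ipsec0:134.28.54.2 vpn2`); the delete should read `/sbin/shorewall delete ipsec0:134.28.54.2 vpn2`, otherwise an updown script written from this example leaves 134.28.54.2 in vpn2 after the tunnel drops, which defeats the purpose of deleting the remote station when the connection comes down. Also in this hunk: "connectioins" should be "connections", the stray quote in `the command":` should go, and the footer date `5/3//2003` has a doubled slash.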

File diff suppressed because it is too large Load Diff

View File

@ -27,23 +27,41 @@
</tbody>
</table>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for current
Linux kernel's and pppd. I recommend that you refer to the following URLs
for information about installing MPPE into your kernel and pppd.</h4>
<h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client project
</a>has a nice GUI for configuring and managing VPN connections where your
Linux system is the PPTP client. This is what I currently use. I am no longer
running PoPToP but rather I use the PPTP Server included with XP Professional
(see <a href="#ServerBehind">PPTP Server running behind your Firewall</a>
below).</h4>
    <a href="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</a>
(Everything you need to run a PPTP client).<br>
    <a href="http://www.poptop.org">http://www.poptop.org</a> (The 'kernelmod'
package can be used to quickly install MPPE into your kernel without rebooting).<br>
<h4>I am leaving the instructions for building MPPE-enabled kernels and pppd
in the text below for those who may wish to obtain the relevant current patches
and "roll their own".<br>
</h4>
<hr width="100%" size="2">
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
<ul>
<li> <a href="#ServerFW">PPTP Server running on your Firewall</a></li>
<li> <a href="#ServerBehind">PPTP Server running behind your
Firewall.</a></li>
<li> <a href="#ServerBehind">PPTP Server running behind your Firewall.</a></li>
<li> <a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a></li>
<li> <a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
</ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your
Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server on your firewall
system. This isn't a detailed HOWTO but rather an example of how I have set
up a working PPTP server on my own firewall.</p>
<p>I will try to give you an idea of how to set up a PPTP server on your
firewall system. This isn't a detailed HOWTO but rather an example of how
I have set up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p>
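Review bot: "Linux kernel's and pppd" in the new NOTE heading should be "Linux kernels and pppd" (plural, not possessive). The pptpclient.sourceforge.net link is now given twice in this hunk, once in the prose and once in the list with its description; keeping the URL in one place (the list) avoids the two drifting apart on future edits.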
@ -95,8 +113,8 @@ to use encryption:</p>
</ul>
<p>You will need to install the resulting binary on your firewall system.
To do that, I NFS mount my source filesystem and use "make install" from the
ppp-2.4.1 directory.</p>
To do that, I NFS mount my source filesystem and use "make install" from
the ppp-2.4.1 directory.</p>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
@ -128,8 +146,8 @@ ppp-2.4.1 directory.</p>
<h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS server is
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
<p>You will need a WINS server (Samba configured to run as a WINS server
is fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
is:</p>
<blockquote>
@ -305,7 +323,7 @@ the remote hosts look like they are part of the local subnetwork.</li>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>noping,norfc1918</td>
<td>norfc1918</td>
</tr>
<tr>
<td>loc</td>
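Review bot: the net interface options change from `noping,norfc1918` to `norfc1918` without any explanation in the surrounding text. Because `noping` governed whether ICMP echo requests arriving on that interface were answered, dropping it changes what the example firewall exposes to the net; add a sentence saying why the option was removed (for example, that it does not apply to the Shorewall version this example now targets) and how ping from the net is meant to be controlled instead. The same option change is made again in the single-ppp-interface /etc/shorewall/interfaces table further down this file.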
@ -337,7 +355,8 @@ the remote hosts look like they are part of the local subnetwork.</li>
<tr>
<td>loc</td>
<td>eth2:192.168.1.0/24</td>
<td>routestopped</td>
<td><br>
</td>
</tr>
<tr>
<td>loc</td>
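Review bot: the hosts entry for `eth2:192.168.1.0/24` loses its `routestopped` option and the OPTIONS cell is left empty. That option determined whether those hosts could still be reached while the firewall was stopped, so a reader copying the updated table gets different stopped-state behaviour than before; the text should say whether the removal is intentional and where that behaviour is now configured.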
@ -421,9 +440,10 @@ the remote hosts look like they are part of the local subnetwork.</li>
</table>
</blockquote>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10
and later)<br>
</b></p>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10 and
later)<br>
</b></p>
<blockquote>
<table cellpadding="2" border="2" style="border-collapse: collapse;">
<tbody>
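Review bot: `/etc/shoreawll/tunnels` in the bold heading is misspelled in both the old and the reflowed line; correct it to `/etc/shorewall/tunnels` so readers are not sent looking for a file that does not exist. The corresponding heading in section 4 of this file already spells it correctly.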
@ -447,11 +467,13 @@ and later)<br>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p align="left"><br>
Note: I have multiple ppp interfaces on my firewall. If you have a single
Note: I have multiple ppp interfaces on my firewall. If you have a single
ppp interface, you probably want:</p>
<h4>/etc/shorewall/interfaces:</h4>
@ -469,7 +491,7 @@ ppp interface, you probably want:</p>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>noping,norfc1918</td>
<td>norfc1918</td>
</tr>
<tr>
<td>loc</td>
@ -493,8 +515,8 @@ ppp interface, you probably want:</p>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
your Firewall</h2>
<p>If you have a single external IP address, add the following to your /etc/shorewall/rules
file:</p>
<p>If you have a single external IP address, add the following to your
/etc/shorewall/rules file:</p>
<font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -589,15 +611,16 @@ you will need to follow the instructions at <a
loadmodule ip_nat_pptp </p>
</blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your
Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.   
Rather than use the configuration script that comes with the client, I built
my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
rather than using the mppe package that is available with the client. My
/etc/ppp/options file is mostly unchanged from what came with the client
(see below).</p>
/etc/ppp/options file is mostly unchanged from what came with the client (see
below).</p>
<p>The key elements of this setup are as follows: </p>
@ -715,7 +738,8 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
</blockquote>
<p><b>/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)<br>
</b></p>
</b></p>
<blockquote>
<table cellpadding="2" cellspacing="2" border="1"
style="border-collapse: collapse;">
@ -740,19 +764,22 @@ my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<p>I use the combination of interface and hosts file to define the 'cpq' zone
because I also run a PPTP server on my firewall (see above). Using this technique
allows me to distinguish clients of my own PPTP server from arbitrary hosts
at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq
doesn't use that RFC1918 Class C subnet. </p>
</blockquote>
<p>I use the combination of interface and hosts file to define the 'cpq'
zone because I also run a PPTP server on my firewall (see above). Using this
technique allows me to distinguish clients of my own PPTP server from arbitrary
hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients
and Compaq doesn't use that RFC1918 Class C subnet. </p>
<p>I use this script in /etc/init.d to control the client. The reason that
I disable ECN when connecting is that the Compaq tunnel servers don't do ECN
yet and reject the initial TCP connection request if I enable ECN :-( </p>
I disable ECN when connecting is that the Compaq tunnel servers don't do
ECN yet and reject the initial TCP connection request if I enable ECN :-(
</p>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
@ -889,10 +916,11 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
and corresponding ip-up.local </a>from <a
href="mailto:jvonau@home.com">Jerry Vonau </a>that controls two PPTP connections.</p>
<p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 5/15/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
</body>

View File

@ -25,28 +25,28 @@
<br>
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br>
The traditional net-tools contain a program called <i>ifconfig</i>
which is used to configure network devices. ifconfig introduced the concept
of <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
have names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and
ifconfig treats them more or less like real interfaces.<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as objects. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled </i>and labels
may take the form of ipconfig virtual interfaces.<br>
not use the concept of aliases or virtual interfaces but rather treats
additional addresses on an interface as objects. The ip utility does provide
for interaction with ifconfig in that it allows addresses to be <i>labeled
</i>and labels may take the form of ipconfig virtual interfaces.<br>
<br>
Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0"
is a label for a particular address rather than a device name.<br>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
"eth0:0" is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's
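Review bot: "virtial" should be "virtual" in the reflowed Background paragraph, and "ipconfig virtual interfaces" should read "ifconfig virtual interfaces" (ipconfig is the Windows tool; the paragraph is about ifconfig labels); on the last context line, "either it's" should be "either its". Separately, the ifconfig sample output shows `HWaddr 02:00:08:3:FA:55` while the `ip addr show` output for the same device shows `link/ether 02:00:08:e3:fa:55`; one of the two is mistyped and the two captures should agree, since the point of the section is that both tools describe the same address.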
@ -56,12 +56,12 @@ is a label for a particular address rather than a device name.<br>
<h2>So how do I handle more than one address on an interface?</h2>
The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we'll take a look at common scenarios.<br>
In the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself that
only applies to a particular IP address, simply qualify the $FW zone with
the IP address.<br>
only applies to a particular IP address, simply qualify the $FW zone with
the IP address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
@ -110,8 +110,8 @@ the IP address.<br>
<h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at
192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
file:<br>
192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
file:<br>
<br>
<blockquote>
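Review bot: "accomplised" (for "accomplished") survives the reflow of the DNAT paragraph; fix it here rather than in a later pass.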
@ -184,12 +184,12 @@ file:<br>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
Shorewall can create the alias (additional address) for you if you
set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
so that you can see the created address using ifconfig. In addition to
setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in
the INTERFACE column as follows:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
@ -253,12 +253,12 @@ file:<br>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
Shorewall can create the alias (additional address) for you if you
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
so that you can see the created address using ifconfig. In addition to
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
the INTERFACE column as follows:<br>
<br>
<blockquote>
@ -293,11 +293,11 @@ file:<br>
</table>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
In either case, to create rules that pertain only to this NAT pair,
you simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
192.168.1.3.<br>
<br>
<blockquote>
@ -350,10 +350,10 @@ their system's routing table to bypass your firewall/router. Nevertheless,
there are cases where you simply want to consider the LAN segment itself
as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to simply route all requests between
the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br>
@ -402,7 +402,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
<td valign="top">eth1:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
@ -410,7 +410,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
<td valign="top">eth1:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
@ -421,7 +421,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
@ -457,7 +457,7 @@ as a zone and allow your firewall/router to route between the two subnetworks.<
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
@ -567,7 +567,7 @@ privileges).<br>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
@ -585,7 +585,7 @@ specify the <b>multi</b> option.<br>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
<td valign="top">eth1:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
@ -593,7 +593,7 @@ specify the <b>multi</b> option.<br>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
<td valign="top">eth1:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
@ -604,10 +604,10 @@ specify the <b>multi</b> option.<br>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/27/2003 A - <a
<p align="left"><font size="2">Last Updated 5/8/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
@ -618,5 +618,6 @@ that you want to permit.<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -22,8 +22,8 @@
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
@ -37,7 +37,8 @@
href="shorewall_features.htm">Features</a></li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
@ -47,20 +48,29 @@
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting
help or Answers to Questions</a><br>
<li> <a
href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li><a href="1.3" target="_top">Shorewall
1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
@ -73,9 +83,13 @@ help or Answers to Questions</a><br>
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
<li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</ul>
</li>
@ -83,14 +97,14 @@ help or Answers to Questions</a><br>
</ul>
<ul>
<li> <a href="News.htm">News
Archive</a></li>
<li> <a
href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes
from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li> <a
href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
@ -101,27 +115,8 @@ Archive</a></li>
</tbody>
</table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font size="-1"> </font>
<font face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p>
<br>
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>

View File

@ -11,6 +11,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
@ -21,8 +22,8 @@
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
@ -31,12 +32,13 @@
bgcolor="#ffffff">
<ul>
<li> <a
href="sourceforge_index.htm">Home</a></li>
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
@ -46,7 +48,8 @@
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
@ -56,9 +59,17 @@
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting
Help or Answers to Questions</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a
href="support.htm">Getting help or Answers to Questions</a>
</li>
<li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
@ -71,8 +82,11 @@ Help or Answers to Questions</a></li>
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
<li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</ul>
@ -82,15 +96,15 @@ Help or Answers to Questions</a></li>
<ul>
<li> <a href="News.htm">News
Archive</a></li>
Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes
from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
href="sourceforge_index.htm#Donations">Donations</a></li>
href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
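Review bot: the end of this list appears to leave one entry duplicated. With only two lines removed and two added, the result keeps both the two-line "About / the Author" item and the new one-line `href="shoreline.htm">About the Author</a></li>`, or else both the `sourceforge_index.htm#Donations` and `seattlefirewall_index.htm#Donations` items; please check the rendered list and make sure "About the Author" and "Donations" each appear exactly once.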
@ -99,27 +113,12 @@ Archive</a></li>
</tbody>
</table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
size="2">2001-2003 Thomas M. Eastep.</font></a><a
href="http://www.shorewall.net" target="_top"> </a></p>
<br>
<br>
<br>
<br>
</body>
</html>
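Review bot: the copyright line now ends with an empty anchor, `</font></a><a href="http://www.shorewall.net" target="_top"> </a></p>`, which renders as an invisible one-space link; drop it (it looks like editor residue). Separately, removing the Quick Search form also removes the "Extended Search" link to `http://lists.shorewall.net/htdig/search.html`; if search is meant to remain reachable from this page, keep that one link.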

View File

@ -20,8 +20,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
@ -29,8 +27,8 @@
</tbody>
</table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration
files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
@ -48,8 +46,8 @@ several firewall parameters.</li>
view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall
high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces
on the firewall system.</li>
<li>/etc/shorewall/interfaces - describes the
interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall
@ -58,8 +56,8 @@ where to use many-to-one (dynamic) Network Address Translation
(SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are
exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/rules - defines rules that
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li>
@ -90,9 +88,9 @@ the completion of a "shorewall stop".</li>
<h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments
at the end of any line, again by delimiting the comment from
the rest of the line with a pound sign.</p>
character a pound sign ("#"). You may also place comments at
the end of any line, again by delimiting the comment from the
rest of the line with a pound sign.</p>
<p>Examples:</p>
@ -109,6 +107,76 @@ the rest of the line with a pound sign.</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives.
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
<br>
</big></big> Examples:<big> </big> <br>
<blockquote>    shorewall/params.mgmt:<br>
<blockquote>    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
</blockquote>
   ----- end params.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/params:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end params -----<br>
</blockquote>
<blockquote>    shorewall/rules.mgmt:<br>
</blockquote>
<blockquote>
<blockquote>    ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules.mgmt -----<br>
</blockquote>
<blockquote>    shorewall/rules:<br>
</blockquote>
<blockquote>
<blockquote>    # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
</blockquote>
</blockquote>
<blockquote>    ----- end rules -----<br>
</blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
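Review bot: the INCLUDE description should say how a file name is resolved beyond "assumed to reside in /etc/shorewall or in an alternate configuration directory": whether an absolute path or a name containing `/` is accepted, and whether the included file is processed exactly like the file that contains the INCLUDE (the `shorewall/params` example is a shell-variable file, so an included `params.mgmt` is presumably evaluated as shell too and deserves the same ownership and permission care as `params` itself). Also clean up the heading, which has empty tags inside the word: `IN<small><small></small></small>CLUDE Directive`, the stray `<big><big><br>` after "warning message", and "INCLUDE's may be nested" should read "INCLUDEs may be nested".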
@ -146,8 +214,8 @@ no effect on the firewall's ruleset. </p>
<li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's router
is down for example), can prevent your firewall from starting.</li>
<li>Factors totally outside your control (your ISP's
router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to
starting your firewall.<br>
</li>
@ -188,10 +256,10 @@ for your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p>
<p>Where specifying an IP address, a subnet or an interface, you can precede
the item with "!" to specify the complement of the item. For example,
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space
following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2>
@ -212,8 +280,8 @@ no white space following the "!".</p>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<p>Unless otherwise specified, when giving a port number you can use either
an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
@ -230,7 +298,7 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
<h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
@ -239,7 +307,6 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote>
@ -247,39 +314,32 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
source in several of the configuration files. To use this
feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as
a series of 6 hex numbers separated by colons. Example:<br>
In GNU/Linux, MAC addresses are usually written
as a series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -313,8 +373,8 @@ the MAC address in the example above would be written "~02-00-08-E3-
and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate
directory need not contain a complete configuration; those files not in
the alternate directory will be read from /etc/shorewall.</p>
directory need not contain a complete configuration; those files not
in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
@ -325,19 +385,14 @@ from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory;
and</li>
<li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c
/etc/testconfig restart</b></i> ).</li>
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> )</li>
</ol>
<p><font size="2"> Updated 2/24/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 4/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
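Review bot: the reflow of the last list item drops the sentence-ending period: `/etc/testconfig restart</b></i> ).</li>` became `restart</b></i> )</li>`; restore the period.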
@ -347,5 +402,6 @@ from /etc/shorewall to a separate directory;</li>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -29,7 +29,7 @@
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
for the configuration that most closely matches your own.<br>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
@ -40,8 +40,8 @@ for the configuration that most closely matches your own.<br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the
.tgz packages below.</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
@ -51,29 +51,29 @@ for the configuration that most closely matches your own.<br>
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig or
insserv). If you find that it works in other cases, let <a
init scripts in /etc/init.d and that include chkconfig or
insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file
(you might also want to download the .tgz so you will have a copy
of the documentation).</li>
(you might also want to download the .tgz so you will have a
copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li>
Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory
which can be obtained using the following command:<br>
.rpm will install the documentation in your default document directory which
can be obtained using the following command:<br>
</p>
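Review bot: while reflowing this paragraph, fix the grammar in the unchanged line "there is an documentation .deb that also contains the documentation" to "there is a documentation .deb ...".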
<blockquote>
@ -82,11 +82,11 @@ which can be obtained using the following command:<br>
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
to see if there are updates that apply to the version
that you have downloaded.</p>
that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS
REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p>
@ -149,6 +149,18 @@ IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configurat
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
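Review bot: the new Taiwan row is inconsistent with its neighbours: its FTP link uses `target="_top"` while the adjacent France row uses `target="_blank"`, and the HTTP link puts the line break inside the anchor (`href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>` / `</a>`), which makes the underline/click area include the break. Use the same `target` as the other rows and move the `<br>` after `</a>`.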
@ -182,5 +194,6 @@ IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configurat
</p>
<br>
<br>
<br>
</body>
</html>

View File

@ -22,6 +22,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
@ -47,21 +48,22 @@ the archive, replace the 'firewall' script in the untarred directory
</li>
<li>
<p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p>
firewall script in /usr/share/shorewall/firewall, you
may rename the existing file before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
For example, do NOT install the 1.3.9a firewall script if you are
running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="upgrade_issues.htm">Upgrade
Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li>
<li> <b><a
@ -91,25 +93,44 @@ iptables</a></b></li>
<h3></h3>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<h3>1.4.2</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP port-unreachable
response rather than the more appropriate TCP RST response. This problem
is corrected in this updated common.def file which may be installed in /etc/shorewall/common.def.<br>
<li>When an 'add' or 'delete' command is executed, a temporary directory
created in /tmp is not being removed. This problem may be corrected by installing
<a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described ablve. <br>
</li>
</ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP
port-unreachable response rather than the more appropriate TCP RST response.
This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br>
</li>
</ul>
<h3>1.4.1</h3>
<ul>
<li>When a "shorewall check" command is executed, each "rule" produces
the harmless additional message:<br>
the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expected<br>
<br>
You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br>
as described above.<br>
</li>
</ul>
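Review bot: typo in the new 1.4.2 item: "in /usr/share/shorewall/firewall as described ablve" should read "as described above". Since that item is about a temporary directory under /tmp that is not removed after `add`/`delete`, it would also help administrators to say what the leftover directory is named so existing ones can be cleaned up after installing the corrected script.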
@ -143,8 +164,8 @@ RedHat released this buggy iptables in RedHat 7.2.
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
corrected 1.2.3 rpm which you can download here</a>  and I
have also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
@ -199,28 +220,28 @@ option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i3
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must be
running Shorewall 1.3.7a or later or:</p>
change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must be
running Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or
</li>
<li>if you are running
Shorewall 1.3.6 you may install
<a
<li>if you are
running Shorewall 1.3.6 you may
install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
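Review bot: the 1.3.6 instruction at the end of this hunk says to install the script "in /var/lib/shorewall/firewall as described above", but the general instructions at the top of the page refer to /usr/share/shorewall/firewall; if 1.3.6 really used /var/lib/shorewall, say so explicitly here, otherwise correct the path.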
@ -230,7 +251,7 @@ running Shorewall 1.3.7a or later or:</p>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will
result in Shorewall being unable to start:<br>
result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -242,15 +263,12 @@ result in Shorewall being unable to start:<br>
disabled it. The 2.4.19 kernel contains corrected support under a
new kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/25/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2"> Last updated 5/11/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>
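Review bot: typo in the unchanged line just above the updated date: "new kernel configuraiton option" should read "new kernel configuration option".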

Binary file not shown.

Binary file not shown.

View File

@ -21,8 +21,8 @@
border="0">
<tbody>
<tr>
<td width="33%" valign="middle" align="left">
<td width="33%" valign="middle"
align="left">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
@ -36,12 +36,13 @@
<p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115"
height="45" alt="(Postfix Logo)">
src="images/postfix-white.gif" align="right" border="0" width="124"
height="66" alt="(Postfix Logo)">
</a><br>
<div align="left"><a href="http://www.spamassassin.org"><img
@ -52,7 +53,7 @@
<div align="right"><br>
<b><font color="#ffffff"><br>
Powered by Postfix    </font></b><br>
   </font></b><br>
</div>
</td>
</tr>
@ -61,24 +62,23 @@
</table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br>
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br>
</h1>
<p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
let <a href="mailto:postmaster@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
<h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br>
<p>Please note that the mail server at shorewall.net
checks incoming mail:<br>
</p>
<ol>
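Review bot: the retitled heading still carries an empty anchor, `<h2>A Word about the SPAM Filters at Shorewall.net <a` / `href="http://osirusoft.com/"> </a></h2>`, left over from the old `<a href="http://ordb.org"></a>`; drop it. Also, removing "Before subscribing please read my <a href="spam_filters.htm">policy about list traffic that bounces.</a>" takes away the only link from this page to that policy; if the bounce policy still applies to subscribers, keep a link to spam_filters.htm.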
@ -86,38 +86,38 @@ at hotmail dot com.</p>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX
record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command
is a valid fully-qualified DNS name that resolves.</li>
<li>to verify that the sender's domain has an A
or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li>
</ol>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in
list posts!!<br>
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the list
subscribers whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive
deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
Nevertheless, to allow subscribers to receive list posts as must as possible,
I have now configured the list server at shorewall.net to strip all HTML
from outgoing posts. This means that HTML-only posts will be bounced by
the list server.<br>
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need to
get a <i>(explitive deleted)</i> life instead of trying to rid the planet
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts. This means that HTML-only posts
will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
<h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your
e-mail admin may be blocking mail whose <i>Received:</i> headers contain
the names of certain ISPs. Again, I believe that such policies hurt more
than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br>
If you find that you are missing an occasional list post,
your e-mail admin may be blocking mail whose <i>Received:</i> headers
contain the names of certain ISPs. Again, I believe that such policies
hurt more than they help but I'm not prepared to go so far as to start
stripping <i>Received:</i> headers to circumvent those policies.<br>
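Review bot: two spelling errors survive the reflow: "to receive list posts as must as possible" should read "as much as possible", and "<i>(explitive deleted)</i>" should read "(expletive deleted)".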
<h2 align="left">Mailing Lists Archive Search</h2>
@ -147,8 +147,8 @@ than they help but I'm not prepared to go so far as to start stripping <i>Recei
value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the
@ -157,9 +157,9 @@ won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline
Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a>
If you want to trust X.509 certificates issued by
Shoreline Firewall (such as the one used on my web site), you
may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then
you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the server's
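Review bot: the paragraph tells readers to "download and install my CA certificate" in their browser without giving them a way to check that the file they downloaded is the genuine one; publish the certificate's fingerprint alongside the link so it can be verified before it is trusted, and note that a CA installed this way will be trusted by the browser for any site it issues certificates for, not just shorewall.net, so readers may prefer the "accept the server's certificate" alternative the text already offers.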
@ -249,7 +249,7 @@ may be found at <a
<p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p>
to make this less confusing. To unsubscribe:</p>
<ul>
<li>
@ -258,10 +258,10 @@ to make this less confusing. To unsubscribe:</p>
</li>
<li>
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
reminder, or change your subscription options enter your subscription
email address:". Enter your email address in the box and
click on the "<b>Unsubscribe</b> or edit options" button.</p>
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
password reminder, or change your subscription options enter
your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
@ -285,7 +285,5 @@ click on the "<b>Unsubscribe</b> or edit options" button.</p>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

File diff suppressed because one or more lines are too long

View File

@ -27,6 +27,9 @@
coming in Shorewall version 1.4.0. <br>
<h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
form:<br>
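Review bot: spelling in the new section: "In Shoreall 1.4.0 and later version, ICMP echo-request's are treated" should read "In Shorewall 1.4.0 and later versions, ICMP echo-requests are treated", and "/etc/shoreall/rules" should be "/etc/shorewall/rules".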
@ -63,11 +66,12 @@ form:<br>
icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No
in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
a rule in /etc/shoreall/rules of the form:<br>
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
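Review bot: the reflowed line "need a rule in /etc/shoreall/rules of the form:" keeps the misspelled path; correct it to /etc/shorewall/rules while this line is being touched.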
@ -119,8 +123,8 @@ a rule in /etc/shoreall/rules of the form:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and
simple routing.</li>
</ol>
These cases will be covered separately.<br>
@ -132,8 +136,8 @@ and simple routing.</li>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for
the interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the
ping request then the request is ignored.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li>
@ -168,12 +172,12 @@ destination is applied.<br>
to with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 2/14/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 5/4/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
@ -183,5 +187,6 @@ to with an ICMP echo-reply.</li>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -52,11 +52,11 @@
<p>DNS</p>
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably
want to open TCP Port 53 as well.<br>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want
to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will
return long replies to queries or if you need to enable ZONE transfers. In
the latter case, be sure that your server is properly configured.</p>
return long replies to queries or if you need to enable ZONE transfers. In
the latter case, be sure that your server is properly configured.</p>
</blockquote>
<p>ICQ   </p>
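Review bot: "be sure that your server is properly configured" (the zone-transfer sentence of the DNS entry) is too vague for a port reference; say what the configuration has to do. Zone transfers run over TCP 53, so the firewall can enforce it directly: restrict the TCP 53 rule to the secondary servers' addresses (the `ACCEPT z1 z2:a.b.c.d tcp ...` form the NFS entry on this page already uses) rather than opening TCP 53 to the whole zone and relying on the name server alone. It is also worth spelling out that "long replies" means answers over 512 bytes, which the client retries over TCP after a truncated UDP answer, so a server with only UDP 53 open will fail those queries.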
@ -87,6 +87,12 @@ the latter case, be sure that your server is properly configured.</p>
<p> TCP Port 25.</p>
</blockquote>
<p>RealPlayer<br>
</p>
<blockquote>
<p>UDP Port 6790 inbound<br>
</p>
</blockquote>
<p>POP3</p>
<blockquote>
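Review bot: "UDP Port 6790 inbound" in the new RealPlayer entry is the only entry on this page that states a direction, and it is ambiguous: inbound to the firewall itself, or inbound to a RealPlayer client behind it (which would need a DNAT/port-forwarding rule rather than a plain ACCEPT)? State which host receives the stream, and either give protocol and port only like the other entries or spell out the zone-to-zone rule.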
@ -144,8 +150,8 @@ the latter case, be sure that your server is properly configured.</p>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before
Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
<p>If there is a possibility that these modules might be loaded before Shorewall
starts, then you should include the port list in /etc/modules.conf:<br>
</p>
<blockquote>
@ -153,8 +159,25 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
options ip_nat_ftp ports=21,49<br>
</p>
</blockquote>
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
and/or /etc/modules.conf, you must either:<br>
</p>
<ol>
<li>Unload the modules and restart shorewall: (<b><font
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
or</li>
<li>Reboot<br>
</li>
</ol>
<p> </p>
</blockquote>
<blockquote> </blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
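Review bot: the new IMPORTANT note should say that step 1 can fail: `rmmod ip_nat_ftp; rmmod ip_conntrack_ftp` returns "Device or resource busy" while either module is in use (for instance while FTP connections are still being tracked), and the old `ports=` value then stays in effect because the module was never unloaded. Tell the reader to confirm the modules are gone (`lsmod`) before `shorewall restart`, and that the restart only picks up the new port list when the modules are actually reloaded, via /etc/shorewall/modules or the options line in /etc/modules.conf described just above. The `<p> </p>` and the empty `<blockquote> </blockquote>` pair at the end of the hunk are leftover markup and can go.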
@ -177,7 +200,7 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
<blockquote>
<p>I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2:<br>
to a server with IP address a.b.c.d in zone z2:<br>
</p>
<pre>ACCEPT z1 z2:a.b.c.d udp 111<br>ACCEPT z1 z2:a.b.c.d tcp 111<br>ACCEPT z1 z2:a.b.c.d udp 2049<br>ACCEPT z1 z2:a.b.c.d udp 32700:<br></pre>
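Review bot: unchanged in this hunk, but worth flagging while the NFS entry is being edited: the last rule, `ACCEPT z1 z2:a.b.c.d udp 32700:`, accepts every UDP port from 32700 upward on a.b.c.d, which is far wider than NFS needs. The text should say that this is a catch-all for the portmapper-assigned ports of mountd, lockd and statd, and point readers at pinning those daemons to fixed ports so the rule can name them; the NFS HOWTO security page linked below is the right place to send them.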
@ -185,17 +208,24 @@ to a server with IP address a.b.c.d in zone z2:<br>
<blockquote>
<p>Note that my rules only cover NFS using UDP (the normal case). There
is lots of additional information at  <a
is lots of additional information at  <a
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
<p>VNC<br>
</p>
<blockquote>
<p>TCP port 5900 + &lt;display number&gt;</p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
file? </p>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 2/25/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 5/5/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
@ -203,5 +233,8 @@ is lots of additional information at
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -2,11 +2,12 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self">
<base target="_self">
</head>
<body>
@ -15,8 +16,9 @@
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" height="90">
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
@ -30,17 +32,20 @@
<small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center">
<h1><font color="#ffffff">             Shorewall 1.4</font><i><font
<h1><font color="#ffffff"> Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.3 Site is here</small></small></small></small></font></a><a
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><br>
<small><small><small><small>Shorewall 1.2 Site is here</small></small></small></small></font></a><br>
</font></a><br>
</h1>
</div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td>
</tr>
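Review bot: the header markup in this hunk looks unbalanced: after the "Shorewall 1.2 Site is here" link there are two consecutive `</font></a><br>` closings (one ending the 1.2 link line and another on the following line), so one `</font></a>` has no matching opening tag. Check which one is intended and remove the other.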
@ -54,180 +59,280 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td
width="90%">
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under
the terms of <a
it
under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program
is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
This
program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See
the GNU General Public License for more details.<br>
<br>
You should have
received a copy of the GNU General Public
License along with this program; if
not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
You
should have received a copy of the GNU General
Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can
find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2><br>
Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<br>
<h2>News</h2>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
<p><b>5/10/2003 - Shorewall Mirror in Asia </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation is in HTML format
but was generated from Microsoft PowerPoint and is best viewed using Internet
Explorer although Konqueror also seems to work reasonably well. Neither Opera
or Netscape work well to view the presentation.<br>
Shorewall presentation to GSLUG</a>. The presentation is in
HTML format but was generated from Microsoft PowerPoint and is best viewed
using Internet Explorer (although Konqueror also seems to work reasonably
well as does Opera 7.1.0). Neither Opera 6 nor Netscape work well to view
the presentation.<br>
</blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p><b>    Problems Corrected:</b></p>
<p><b> Problems Corrected:</b></p>
<blockquote>
<ol>
<li>TCP connection requests rejected out of the <b>common</b>
chain are now properly rejected with TCP RST; previously, some of these
requests were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed
out on the first hop (e.g., to the firewall). This has been worked around.</li>
<li>TCP connection requests rejected out of the
<b>common</b> chain are now properly rejected with TCP
RST; previously, some of these requests were rejected with an ICMP
port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously
timed out on the first hop (e.g., to the firewall). This has been
worked around.</li>
</ol>
</blockquote>
<p><b>    New Features:</b></p>
<p><b> New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies
a particular host or network, Shorewall now creates an intermediate chain
for handling input from the related zone. This can substantially reduce the
number of rules traversed by connections requests from such zones.<br>
<li>Where an entry in the/etc/shorewall/hosts file
specifies a particular host or network, Shorewall now creates an intermediate
chain for handling input from the related zone. This can substantially
reduce the number of rules traversed by connections requests from such
zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the INCLUDE.
File names given in an INCLUDE directive are assumed to reside in /etc/shorewall
or in an alternate configuration directory if one has been specified for
the command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
<li>Any file may include an INCLUDE directive. An
INCLUDE directive consists of the word INCLUDE followed by a file
name and causes the contents of the named file to be logically included
into the file containing the INCLUDE. File names given in an INCLUDE
directive are assumed to reside in /etc/shorewall or in an alternate
configuration directory if one has been specified for the command. <br>
<br>
Examples:<br>
shorewall/params.mgmt:<br>
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
TIME_SERVERS=4.4.4.4<br>
BACKUP_SERVERS=5.5.5.5<br>
----- end params.mgmt -----<br>
<br>
<br>
shorewall/params:<br>
# Shorewall 1.3 /etc/shorewall/params<br>
[..]<br>
#######################################<br>
<br>
INCLUDE params.mgmt <br>
<br>
# params unique to this host here<br>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
REMOVE<br>
----- end params -----<br>
<br>
<br>
shorewall/rules.mgmt:<br>
ACCEPT net:$MGMT_SERVERS $FW tcp 22<br>
ACCEPT $FW net:$TIME_SERVERS udp 123<br>
ACCEPT $FW net:$BACKUP_SERVERS tcp 22<br>
----- end rules.mgmt -----<br>
<br>
shorewall/rules:<br>
# Shorewall version 1.3 - Rules File<br>
[..]<br>
#######################################<br>
<br>
INCLUDE rules.mgmt <br>
<br>
# rules unique to this host here<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE<br>
----- end rules -----<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested
INCLUDE directives are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface
continues to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that such
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
column may not contain '-'; in other words, 'routeback' can't be used as
an option for a multi-zone interface. The 'routeback' option CAN be specified
however on individual group entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two
exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
 <br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>' for information
about how this new option may affect your configuration.<br>
<li>Routing traffic from an interface back out that
interface continues to be a problem. While I firmly believe that
this should never happen, people continue to want to do it. To limit
the damage that such nonsense produces, I have added a new 'routeback'
option in /etc/shorewall/interfaces and /etc/shorewall/hosts. When
used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual
group entries in /etc/shorewall/hosts.<br>
<br>
The 'routeback' option is similar to the old 'multi' option
with two exceptions:<br>
<br>
a) The option pertains to a particular zone,interface,address
tuple.<br>
<br>
b) The option only created infrastructure to pass traffic
from (zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').<br>
<br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>'
for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><b></b></p>
<p><a href="News.htm">More News</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.3.14 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release of Bering
1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
<td width="88" bgcolor="#4b017c" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<font color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial"
size="-1"> <input type="text" name="words" size="15"></font><font
size="-1"> </font> <font face="Arial" size="-1"> <input
type="hidden" name="format" value="long"> <input type="hidden"
name="method" value="and"> <input type="hidden" name="config"
value="htdig"> <input type="submit" value="Search"></font> </p>
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p>
<br>
</td>
</tr>
</tbody>
</table>
</center>
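Review bot: the GSLUG news item is dated "4/12/2002" in a list that is otherwise in descending 2003 order (5/10/2003, 5/8/2003, 4/26/2003, 4/21/2003, this entry, 4/9/2003), so it should read 4/12/2003; the old line had the same typo and the rewrite carried it forward. Two smaller points in the same hunk: the sample files in the INCLUDE example are headed `# Shorewall 1.3 /etc/shorewall/params` and `# Shorewall version 1.3 - Rules File` although the feature is announced for 1.4.2, and in the routeback description "The option only created infrastructure" should be "creates" to match "pertains" in the preceding item. The INCLUDE description also says where file names are resolved (/etc/shorewall or the alternate configuration directory) but not what happens when the named file is missing, which is the first thing someone sharing params.mgmt across hosts will run into; state whether that is an error or a silent skip.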
@ -238,31 +343,31 @@ exceptions:<br>
bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<td
width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 4/12/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
<p><font size="2">Updated 5/12/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>
</html>

View File

@ -6,7 +6,6 @@
content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
@ -40,28 +39,28 @@
<ul>
<li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li>
<li>BA Mathematics from <a
href="http://www.wsu.edu">Washington State University</a> 1967</li>
<li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980
- present</li>
<li><a href="http://www.tandem.com">Tandem Computers,
Incorporated</a> (now part of the <a href="http://www.hp.com">The
New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I am currently a member of the design team for the next-generation operating
system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and
wrote Shorewall. </p>
ipchains and developed the scripts which are now collectively known
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then designed
and wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
@ -71,27 +70,30 @@ I live with my wife Tarry.
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp;
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
Serves as a PPTP server for Road Warrior access. Dual boots <a
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB
&amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows
system. Serves as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a
WINS server. This system also has <a
NIC - My personal Linux System which runs Samba configured
as a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run both
<a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0 
and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC
- My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My
main work system.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP
(Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD -
3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.2  and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD,
built-in EEPRO100, EEPRO100 in expansion base and LinkSys WAC11 - My
work system.</li>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and LinkSys
WAC11 - Our Laptop.<br>
</li>
</ul>
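Review bot: "256MB MB RAM" in the firewall entry (the PII/233) duplicates the unit and was carried over unchanged from the old text; make it "256MB RAM".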
@ -114,11 +116,16 @@ main work system.</li>
</a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4">
</font></p>
</a><img src="images/shorewall.jpg"
alt="Protected by Shorewall" width="125" height="40" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 3/17/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 5/8/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
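Review bot: the new logo row ends with an empty `<a href="http://www.opera.com"> </a>` anchor right after the HP image link; it renders nothing and the Opera link already exists on the line above, so remove it. The HP image also has an empty `alt=""` while its neighbours describe themselves; give it one.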
@ -126,5 +133,11 @@ main work system.</li>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -47,6 +47,9 @@ is updated at the same time as the rsync site.</b></p>
(Martinez (Zona Norte - GBA), Argentina)</li>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
</li>
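Review bot: this hunk adds the Santiago mirror but not the Taiwan mirror that the 5/10/2003 news item on the index page (Ed Greshko) announces in the same commit, so the mirror list and the news disagree; add the Taiwan entry here or hold the news item until it is listed. Minor: the link text `http://shorewall.syachile.cl` is followed by a newline inside the `<a>`, which renders as a trailing space in the link.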
@ -59,8 +62,9 @@ is updated at the same time as the rsync site.</b></p>
<li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li> <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/"
target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> (Texas, USA).</li>
<li> <a
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA).</li>
<li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li>
@ -75,7 +79,7 @@ is updated at the same time as the rsync site.</b></p>
Search results and the mailing list archives are always fetched from the
site in Washington State.<br>
<p align="left"><font size="2">Last Updated 3/7/2003 - <a
<p align="left"><font size="2">Last Updated 5/8/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -84,5 +88,6 @@ site in Washington State.<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -22,6 +22,7 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br>
Version 4.0</font></h1>
@ -31,8 +32,8 @@
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.<br>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
@ -44,90 +45,27 @@ must all first walk before we can run.<br>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux
System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="standalone.htm">Standalone</a>
Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local network
(<a href="two-interface_fr.html">Version Française</a>)</li>
Linux System acting as a firewall/router for a small local
network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
Linux System acting as a firewall/router for a small local
network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about
Shorewall than is explained in the single-address guides above.</b></p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See
Index Below) outlines the steps necessary to set up a firewall
where <b>there are multiple public IP addresses involved or
if you want to learn more about Shorewall than is explained in
the single-address guides above.</b></p>
<ul>
<li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a
href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a
href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a
href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a
href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0
DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul>
@ -136,28 +74,32 @@ DNS</a></li>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before
trying to use this documentation directly.</p>
trying to use this documentation directly.</p>
<ul>
<li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br>
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
<li><a
href="configuration_file_basics.htm">Common configuration file
features</a>
<ul>
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li>
<li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a><br>
</li>
<li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a
@ -171,17 +113,18 @@ trying to use this documentation directly.</p>
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations
(making a test configuration)</a></li>
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
a test configuration)</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File
Reference Manual</a>
<li><a href="Documentation.htm">Configuration
File Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li> <a
href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
@ -201,40 +144,46 @@ trying to use this documentation directly.</p>
href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><a
href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#TOS">tos</a>
</li>
<li><a
href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li><a
href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by host or
subnet</a><br>
<li><a href="ECN.html">ECN Disabling by host
or subnet</a><br>
</li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code through the use of files in /etc/shorewall -- /etc/shorewall/start,
/etc/shorewall/stopped, etc.)</li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code through the
use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel
Configuration</a></font></li>
<li><a
href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a
href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br>
<li><a href="myfiles.htm">My Shorewall
Configuration (How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
@ -243,21 +192,79 @@ subnet</a><br>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
<li>How to safely test a Shorewall configuration
change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li>
<li><font color="#000099"><a
href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a><br>
Proxy with Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
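Review bot: the Setup Guide sub-list added after `<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br></li>` opens its `<ul>` after the `</li>` rather than inside it, so the nested list becomes a direct child of the outer `<ul>`, which is not valid HTML; move the `</li>` to after the sub-list's closing `</ul>` (the Starting/stopping entry further down has the same pre-existing pattern and could be fixed the same way). Also, the 4.x and 5.x entries are split across sibling `<ul>` blocks (4.1 to 4.4 in one list and 4.5 in a second; 5.1 in one and 5.2 to 5.4 in another), which renders as separate lists with a gap between them; merge each into a single `<ul>`.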
@ -265,25 +272,27 @@ Proxy with Shorewall</a><br>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
behind your firewall to a remote network.</li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from
a system behind your firewall to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White
List Creation</a></li>
<li><a
href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 4/112003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 5/03/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -27,7 +27,7 @@
<p><a href="#Addresses">4.1 IP Addresses</a><br>
<a href="#Subnets">4.2 Subnets</a><br>
<a href="#Routing">4.3 Routing</a><br>
<a href="#ARP">4.4 Address Resolution Protocol</a><br>
<a href="#ARP">4.4 Address Resolution Protocol (ARP)</a><br>
<a href="#RFC1918">4.5 RFC 1918</a></p>
</blockquote>
@ -57,8 +57,8 @@
where a set of public IP addresses must be managed or who want to know
more about Shorewall than is contained in the <a
href="shorewall_quickstart_guide.htm">single-address guides</a>. Because
the range of possible applications is so broad, the Guide will give you
general guidelines and will point you to other resources as necessary.</p>
the range of possible applications is so broad, the Guide will give
you general guidelines and will point you to other resources as necessary.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you run LEAF Bering, your Shorewall configuration is NOT
@ -67,7 +67,7 @@ what I release -- I suggest that you consider installing a stock Shorewall
<p>Shorewall requires that the iproute/iproute2 package be installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if
this package is installed by the presence of an <b>ip</b> program on your
this package is installed by the presence of an <b>ip</b> program on your
firewall system. As root, you can use the 'which' command to check for
this program:</p>
@ -81,9 +81,9 @@ this program:</p>
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them with Shorewall.
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them with Shorewall.
Similarly, if you copy a configuration file from your Windows hard drive
to a floppy disk, you must run dos2unix against the copy before using
it with Shorewall.</p>
@ -93,16 +93,16 @@ it with Shorewall.</p>
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
of dos2unix</a></li>
</ul>
<h2 align="left"><a name="Concepts"></a>2.0 Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for most setups, you will only need to deal with a few
of these as described in this guide. Skeleton files are created during the
<a href="Install.htm">Shorewall Installation Process</a>.</p>
<p>The configuration files for Shorewall are contained in the directory /etc/shorewall
-- for most setups, you will only need to deal with a few of these as described
in this guide. Skeleton files are created during the <a
href="Install.htm">Shorewall Installation Process</a>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
@ -144,9 +144,9 @@ the <a href="Documentation.htm#Configs">/etc/shorewall/shorewall.conf</a>
file. In this guide, the default name (<b>fw</b>) will be used.</p>
<p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
to zone names. Zones are entirely what YOU make of them. That means that
you should not expect Shorewall to do something special "because this
is the internet zone" or "because that is the DMZ".</p>
to zone names. Zones are entirely what YOU make of them. That means
that you should not expect Shorewall to do something special "because
this is the internet zone" or "because that is the DMZ".</p>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    Edit the /etc/shorewall/zones file and make any changes necessary.</p>
@ -175,21 +175,21 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
<li> Identify the source zone.</li>
<li> Identify the destination zone.</li>
<li> If the POLICY from the client's zone to the server's
zone is what you want for this client/server pair, you need do
nothing further.</li>
zone is what you want for this client/server pair, you need do nothing
further.</li>
<li> If the POLICY is not what you want, then you must
add a rule. That rule is expressed in terms of the client's zone
and the server's zone.</li>
</ol>
<p> Just because connections of a particular type are allowed from zone A
to the firewall and are also allowed from the firewall to zone B <font
<p> Just because connections of a particular type are allowed from zone
A to the firewall and are also allowed from the firewall to zone B <font
color="#ff6633"><b><u> DOES NOT mean that these connections are allowed
from zone A to zone B</u></b></font>. It rather means that you can
have a proxy running on the firewall that accepts a connection from zone
A and then establishes its own separate connection from the firewall to
zone B.</p>
have a proxy running on the firewall that accepts a connection from
zone A and then establishes its own separate connection from the firewall
to zone B.</p>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that file
@ -241,8 +241,8 @@ zone B.</p>
<ol>
<li>allow all connection requests from your local network to
the internet</li>
<li>drop (ignore) all connection requests from the internet to
your firewall or local network and log a message at the <i>info</i>
<li>drop (ignore) all connection requests from the internet
to your firewall or local network and log a message at the <i>info</i>
level (<a href="shorewall_logging.html">here</a> is a description of log
levels).</li>
<li>reject all other connection requests and log a message at
@ -265,12 +265,12 @@ to illustrate the important aspects of Shorewall configuration.</p>
<p align="left">In this diagram:</p>
<ul>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is
used to isolate your internet-accessible servers from your local systems
so that if one of those servers is compromised, you still have the firewall
between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and Local
3. </li>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ
is used to isolate your internet-accessible servers from your local
systems so that if one of those servers is compromised, you still have
the firewall between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and
Local 3. </li>
<li>All systems from the ISP outward comprise the Internet Zone.
</li>
@ -308,17 +308,17 @@ If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
computers will be connected to the same switch (note: If you have only
a single DMZ system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p>
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have
only a single DMZ system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the same hub
or switch (even for testing). It won't work the way that you expect
it to and you will end up confused and believing that Linux networking
doesn't work at all.</p>
or switch (even for testing). It won't work the way that you expect it
to and you will end up confused and believing that Linux networking doesn't
work at all.</p>
<p align="left">For the remainder of this Guide, we will assume that:</p>
@ -456,17 +456,17 @@ many times as necessary.</p>
<p align="left">Normally, your ISP will assign you a set of <i> Public</i>
IP addresses. You will configure your firewall's external interface to
use one of those addresses permanently and you will then have to decide
how you are going to use the rest of your addresses. Before we tackle that
question though, some background is in order.</p>
how you are going to use the rest of your addresses. Before we tackle
that question though, some background is in order.</p>
<p align="left">If you are thoroughly familiar with IP addressing and routing,
you may <a href="#Options">go to the next section</a>.</p>
<p align="left">The following discussion barely scratches the surface of addressing
and routing. If you are interested in learning more about this subject,
I highly recommend <i>"IP Fundamentals: What Everyone Needs to Know about
Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN
0-13-975483-0.</p>
<p align="left">The following discussion barely scratches the surface of
addressing and routing. If you are interested in learning more about this
subject, I highly recommend <i>"IP Fundamentals: What Everyone Needs to
Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
1999, ISBN 0-13-975483-0.</p>
<h3 align="left"><a name="Addresses"></a>4.1 IP Addresses</h3>
@ -504,17 +504,17 @@ Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN
of the high order byte of its address so you could look at an IP address
and immediately determine the associated <i>netmask</i>. The netmask
is a number that when logically ANDed with an address isolates the <i>network
number</i>; the remainder of the address is the <i>host number</i>. For
example, in the Class C address 192.0.2.14, the network number is hex
C00002 and the host number is hex 0E.</p>
number</i>; the remainder of the address is the <i>host number</i>.
For example, in the Class C address 192.0.2.14, the network number is
hex C00002 and the host number is hex 0E.</p>
<p align="left">As the internet grew, it became clear that such a gross
partitioning of the 32-bit address space was going to be very limiting (early
on, large corporations and universities were assigned their own class A
network!). After some false starts, the current technique of <i>subnetting</i>
these networks into smaller <i>subnetworks</i> evolved; that technique is
referred to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system
that you are likely to work with will understand CIDR and Class-based networking
<p align="left">As the internet grew, it became clear that such a gross partitioning
of the 32-bit address space was going to be very limiting (early on, large
corporations and universities were assigned their own class A network!).
After some false starts, the current technique of <i>subnetting</i> these
networks into smaller <i>subnetworks</i> evolved; that technique is referred
to as <i>Classless InterDomain Routing</i> (CIDR). Today, any system that
you are likely to work with will understand CIDR and Class-based networking
is largely a thing of the past.</p>
<p align="left">A <i>subnetwork</i> (often referred to as a <i>subnet) </i>is
@ -637,8 +637,8 @@ are used for the subnet address and subnet broadcast address respectively.
<p align="left">You will notice that the above table also contains a column
for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
Mask</i> for a network of size <b>n</b>. From the above table, we can
derive the following one which is a little easier to use.</p>
Mask</i> for a network of size <b>n</b>. From the above table, we
can derive the following one which is a little easier to use.</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -820,9 +820,9 @@ as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.
<p align="left">Later in this guide, you will see the notation <b>a.b.c.d/v</b>
used to describe the ip configuration of a network interface (the 'ip'
utility also uses this syntax). This simply means that the interface is
configured with ip address <b>a.b.c.d</b> and with the netmask that corresponds
to VLSM <b>/v</b>.</p>
utility also uses this syntax). This simply means that the interface
is configured with ip address <b>a.b.c.d</b> and with the netmask that
corresponds to VLSM <b>/v</b>.</p>
<p align="left">Example: 192.0.2.65/29</p>
@ -847,17 +847,16 @@ as "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.
how to get to a single host. In the 'netstat' output this can be seen
by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the
Flags column. The remainder are 'net' routes since they tell the kernel
how to route packets to a subnetwork. The last route is the <i>default
route</i> and the gateway mentioned in that route is called the <i>default
gateway</i>.</p>
how to route packets to a subnetwork. The last route is the <i>default route</i>
and the gateway mentioned in that route is called the <i>default gateway</i>.</p>
<p align="left">When the kernel is trying to send a packet to IP address <b>A</b>,
it starts at the top of the routing table and:</p>
<p align="left">When the kernel is trying to send a packet to IP address
<b>A</b>, it starts at the top of the routing table and:</p>
<ul>
<li>
<p align="left"><b>A</b> is logically ANDed with the 'Genmask' value in
the table entry.</p>
<p align="left"><b>A</b> is logically ANDed with the 'Genmask' value
in the table entry.</p>
</li>
<li>
<p align="left">The result is compared with the 'Destination' value in
@ -869,12 +868,10 @@ the table entry.</p>
<ul>
<li>
<p align="left">If the 'Gateway' column is non-zero, the packet is
sent to the gateway over the interface named in the 'Iface' column.</p>
</li>
<li>
<p align="left">Otherwise, the packet is sent directly to <b>A </b>over
the interface named in the 'iface' column.</p>
</li>
@ -888,10 +885,10 @@ the table entry.</p>
</ul>
<p align="left">Since the default route matches any IP address (<b>A</b> land
0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table
entries are sent to the <i>default gateway</i> which is usually a router
at your ISP.</p>
<p align="left">Since the default route matches any IP address (<b>A</b>
land 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing
table entries are sent to the <i>default gateway</i> which is usually a
router at your ISP.</p>
<p align="left">Lets take an example. Suppose that we want to route a packet
to 192.168.1.5. That address clearly doesn't match any of the host routes
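Review bot: the reflowed sentence keeps "A land 0.0.0.0 = 0.0.0.0", where "land" reads as a typo; the preceding list says the address "is logically ANDed with the 'Genmask' value", so "A AND 0.0.0.0 = 0.0.0.0" (or "A ANDed with 0.0.0.0") would match that wording.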
@ -903,19 +900,20 @@ at your ISP.</p>
<pre>192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2</pre>
</blockquote>
<p>So to route a packet to 192.168.1.5, the packet is sent directly over eth2.</p>
<p>So to route a packet to 192.168.1.5, the packet is sent directly over
eth2.</p>
</div>
<p align="left">One more thing needs to be emphasized -- all outgoing packet
are sent using the routing table and reply packets are not a special
case. There seems to be a common mis-conception whereby people think that
request packets are like salmon and contain a genetic code that is magically
transferred to reply packets so that the replies follow the reverse route
taken by the request. That isn't the case; the replies may take a totally
different route back to the client than was taken by the requests -- they
are totally independent.</p>
case. There seems to be a common mis-conception whereby people think
that request packets are like salmon and contain a genetic code that
is magically transferred to reply packets so that the replies follow
the reverse route taken by the request. That isn't the case; the replies
may take a totally different route back to the client than was taken by
the requests -- they are totally independent.</p>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol</h3>
<h3 align="left"><a name="ARP"></a>4.4 Address Resolution Protocol (ARP)</h3>
<p align="left">When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <i>Media Access Control</i> (MAC)
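Review bot: two wording slips survive the rewrap of this paragraph: "all outgoing packet are sent" should be "all outgoing packets are sent", and "mis-conception" is normally written "misconception"; since these lines are being rewritten anyway, this is the place to fix them.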
@ -930,9 +928,9 @@ are totally independent.</p>
</blockquote>
<div align="left">
<p align="left">As you can see from the above output, the MAC is 6 bytes (48
bits) wide. A card's MAC is usually also printed on a label attached to
the card itself. </p>
<p align="left">As you can see from the above output, the MAC is 6 bytes
(48 bits) wide. A card's MAC is usually also printed on a label attached
to the card itself. </p>
</div>
<div align="left">
@ -985,10 +983,10 @@ system (including your Windows system) using the 'arp' command:</p>
of us don't deal with these registrars but rather get our IP addresses
from our ISP.</p>
<p align="left">It's a fact of life that most of us can't afford as many Public
IP addresses as we have devices to assign them to so we end up making use
of <i> Private </i>IP addresses. RFC 1918 reserves several IP address ranges
for this purpose:</p>
<p align="left">It's a fact of life that most of us can't afford as many
Public IP addresses as we have devices to assign them to so we end up making
use of <i> Private </i>IP addresses. RFC 1918 reserves several IP address
ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -998,8 +996,8 @@ for this purpose:</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. This is
understandable given that anyone can select any of these addresses for
their private use.</p>
understandable given that anyone can select any of these addresses
for their private use.</p>
</div>
<div align="left">
@ -1010,8 +1008,8 @@ their private use.</p>
<div align="left">
<ul>
<li>
<p align="left">As the IPv4 address space becomes depleted, more and more
organizations (including ISPs) are beginning to use RFC 1918 addresses
<p align="left">As the IPv4 address space becomes depleted, more and
more organizations (including ISPs) are beginning to use RFC 1918 addresses
in their infrastructure. </p>
</li>
<li>
@ -1035,9 +1033,10 @@ their private use.</p>
<div align="left">
<p align="left">The choice of how to set up your network depends primarily
on how many Public IP addresses you have vs. how many addressable entities
you have in your network. Regardless of how many addresses you have,
your ISP will handle that set of addresses in one of two ways:</p>
on how many Public IP addresses you have vs. how many addressable
entities you have in your network. Regardless of how many addresses
you have, your ISP will handle that set of addresses in one of two
ways:</p>
</div>
<div align="left">
@ -1084,13 +1083,13 @@ change them appropriately:<br>
</div>
<div align="left">
<p align="left">Let's assume that your ISP has assigned you the subnet
192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses
192.0.2.64 - 192.0.2.79 and that your firewall's external IP address
is 192.0.2.65. Your ISP has also told you that you should use a netmask
of 255.255.255.0 (so your /28 is part of a larger /24). With this many
IP addresses, you are able to subnet your /28 into two /29's and set
up your network as shown in the following diagram.</p>
<p align="left">Let's assume that your ISP has assigned you the subnet 192.0.2.64/28
routed through 192.0.2.65. That means that you have IP addresses 192.0.2.64
- 192.0.2.79 and that your firewall's external IP address is 192.0.2.65.
Your ISP has also told you that you should use a netmask of 255.255.255.0
(so your /28 is part of a larger /24). With this many IP addresses,
you are able to subnet your /28 into two /29's and set up your network
as shown in the following diagram.</p>
</div>
<div align="left">
@ -1100,10 +1099,10 @@ change them appropriately:<br>
</div>
<div align="left">
<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local
network is 192.0.2.72/29. The default gateway for hosts in the DMZ would
be configured to 192.0.2.66 and the default gateway for hosts in the local
network would be 192.0.2.73.</p>
<p align="left">Here, the DMZ comprises the subnet 192.0.2.64/29 and the
Local network is 192.0.2.72/29. The default gateway for hosts in the DMZ
would be configured to 192.0.2.66 and the default gateway for hosts in
the local network would be 192.0.2.73.</p>
</div>
<div align="left">
@ -1139,13 +1138,13 @@ of 256 would be justified because of the simplicity of the setup.</p>
</div>
<div align="left">
<p align="left">It is this rather unexpected ARP behavior on the part of the
Linux Kernel that prompts the warning earlier in this guide regarding the
connecting of multiple firewall/router interfaces to the same hub or switch.
When an ARP request for one of the firewall/router's IP addresses is sent
by another system connected to the hub/switch, all of the firewall's
interfaces that connect to the hub/switch can respond! It is then a
race as to which "here-is" response reaches the sender first.</p>
<p align="left">It is this rather unexpected ARP behavior on the part of
the Linux Kernel that prompts the warning earlier in this guide regarding
the connecting of multiple firewall/router interfaces to the same hub
or switch. When an ARP request for one of the firewall/router's IP addresses
is sent by another system connected to the hub/switch, all of the firewall's
interfaces that connect to the hub/switch can respond! It is then
a race as to which "here-is" response reaches the sender first.</p>
</div>
<div align="left">
@ -1153,22 +1152,22 @@ by another system connected to the hub/switch, all of the firewall's
</div>
<div align="left">
<p align="left">If you have the above situation but it is non-routed, you
can configure your network exactly as described above with one additional
twist; simply specify the "proxyarp" option on all three firewall interfaces
in the /etc/shorewall/interfaces file.</p>
<p align="left">If you have the above situation but it is non-routed,
you can configure your network exactly as described above with one additional
twist; simply specify the "proxyarp" option on all three firewall
interfaces in the /etc/shorewall/interfaces file.</p>
</div>
<div align="left">
<p align="left">Most of us don't have the luxury of having enough public IP
addresses to set up our networks as shown in the preceding example (even
if the setup is routed). </p>
<p align="left">Most of us don't have the luxury of having enough public
IP addresses to set up our networks as shown in the preceding example
(even if the setup is routed). </p>
</div>
<div align="left">
<p align="left"><b>For the remainder of this section, assume that your ISP
has assigned you IP addresses 192.0.2.176-180 and has told you to use
netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p>
has assigned you IP addresses 192.0.2.176-180 and has told you to
use netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p>
</div>
<div align="left">
@ -1200,8 +1199,8 @@ this problem.</p>
</div>
<div align="left">
<p align="left">Often a combination of these techniques is used. Each of these
will be discussed in the sections that follow.</p>
<p align="left">Often a combination of these techniques is used. Each of
these will be discussed in the sections that follow.</p>
</div>
<div align="left">
@ -1212,11 +1211,11 @@ this problem.</p>
<p align="left">With SNAT, an internal LAN segment is configured using RFC
1918 addresses. When a host <b>A </b>on this internal segment initiates
a connection to host <b>B</b> on the internet, the firewall/router
rewrites the IP header in the request to use one of your public IP addresses
as the source address. When <b>B</b> responds and the response is received
by the firewall, the firewall changes the destination address back
to the RFC 1918 address of <b>A</b> and forwards the response back to
<b>A.</b></p>
rewrites the IP header in the request to use one of your public IP
addresses as the source address. When <b>B</b> responds and the response
is received by the firewall, the firewall changes the destination address
back to the RFC 1918 address of <b>A</b> and forwards the response back
to <b>A.</b></p>
</div>
<div align="left">
@ -1274,10 +1273,11 @@ local interface).</div>
<div align="left">
<p align="left">This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT.
If you wanted to use a different IP address, you would either have to
use your distributions network configuration tools to add that IP address
to the external interface or you could set ADD_SNAT_ALIASES=Yes in
/etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p>
If you wanted to use a different IP address, you would either have
to use your distributions network configuration tools to add that IP
address to the external interface or you could set ADD_SNAT_ALIASES=Yes
in /etc/shorewall/shorewall.conf and Shorewall will add the address for
you.</p>
</div>
<div align="left">
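Review bot: "your distributions network configuration tools" needs the possessive, "your distribution's network configuration tools"; the line is already being rewrapped in this hunk.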
@ -1295,8 +1295,8 @@ local interface).</div>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
     Suppose that your daughter wants to run a web server on
her system "Local 3". You could allow connections to the internet
to her server by adding the following entry in <a
her system "Local 3". You could allow connections to the internet to
her server by adding the following entry in <a
href="Documentation.htm#Rules">/etc/shorewall/rules</a>:</p>
</div>
@ -1334,15 +1334,15 @@ to her server by adding the following entry in <a
to access your daughter's server, she can connect to <a
href="http://192.0.2.176"> http://192.0.2.176</a> (the firewall's external
IP address) and the firewall will rewrite the destination IP address
to 192.168.201.4 (your daughter's system) and forward the request. When
your daughter's server responds, the firewall will rewrite the source
address back to 192.0.2.176 and send the response back to <b>A.</b></p>
to 192.168.201.4 (your daughter's system) and forward the request.
When your daughter's server responds, the firewall will rewrite the
source address back to 192.0.2.176 and send the response back to <b>A.</b></p>
</div>
<div align="left">
<p align="left">This example used the firewall's external IP address for DNAT.
You can use another of your public IP addresses but Shorewall will not
add that address to the firewall's external interface for you.</p>
<p align="left">This example used the firewall's external IP address for
DNAT. You can use another of your public IP addresses but Shorewall will
not add that address to the firewall's external interface for you.</p>
</div>
<div align="left">
@ -1356,8 +1356,8 @@ add that address to the firewall's external interface for you.</p>
<div align="left">
<ul>
<li>
<p align="left">A host <b>H </b>behind your firewall is assigned one of
your public IP addresses (<b>A)</b> and is assigned the same netmask
<p align="left">A host <b>H </b>behind your firewall is assigned one
of your public IP addresses (<b>A)</b> and is assigned the same netmask
<b>(M) </b>as the firewall's external interface. </p>
</li>
<li>
@ -1365,9 +1365,9 @@ your public IP addresses (<b>A)</b> and is assigned the same netmask
</p>
</li>
<li>
<p align="left">When <b>H</b> issues an ARP "who has" request for an address
in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall will
respond (with the MAC if the firewall interface to <b>H</b>). </p>
<p align="left">When <b>H</b> issues an ARP "who has" request for an
address in the subnetwork defined by <b>A</b> and <b>M</b>, the firewall
will respond (with the MAC if the firewall interface to <b>H</b>). </p>
</li>
</ul>
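Review bot: the reflowed last bullet still says the firewall responds "with the MAC if the firewall interface to H"; "if" should be "of" (the firewall answers the ARP request with the MAC address of its own interface facing H). Since the line is being rewrapped anyway, fix the word at the same time.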
@ -1387,8 +1387,8 @@ respond (with the MAC if the firewall interface to <b>H</b>). </p>
<div align="left"> Here, we've assigned the IP addresses 192.0.2.177 to
system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned
an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface
on the firewall. That address and netmask isn't relevant - just be sure
it doesn't overlap another subnet that you've defined.</div>
on the firewall. That address and netmask isn't relevant - just be
sure it doesn't overlap another subnet that you've defined.</div>
<div align="left">  </div>
@ -1442,6 +1442,7 @@ rather than behind it.<br>
(192.0.2.177 and 192.0.2.178 in the above example)  to the external interface
(eth0 in this example) of the firewall.</b></font><br>
</p>
<div align="left"> </div>
</div>
@ -1463,26 +1464,27 @@ rather than behind it.<br>
Illustrated, Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
the MAC address for its own IP; in addition to ensuring that the IP address
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
MAC address for its own IP; in addition to ensuring that the IP address
isn't a duplicate,...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its
cache for the old hardware address to update its ARP cache entry accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a
host from being exposed to the Internet to behind Shorewall using proxy
Which is, of course, exactly what you want to do when you switch
a host from being exposed to the Internet to behind Shorewall using proxy
ARP (or static NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just that:<br>
<br>
    <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly
proxied IP&gt;</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for
example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly
to gratuitous ARPs, but googling for "arping -U" seems to support the
idea that it works most of the time.<br>
to gratuitous ARPs, but googling for "arping -U" seems to support the idea
that it works most of the time.<br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP
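Review bot: the sample command "arping -U -I eth0 66.58.99.83" uses an address unrelated to the 192.0.2.x block that the rest of this document uses for the DMZ hosts; consider changing the example to one of the proxied addresses already introduced (e.g. 192.0.2.177) so readers do not copy an unrelated public IP into their own commands.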
@ -1518,11 +1520,11 @@ cache entry but many either can't or won't purge individual entries.</li>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of DMZ 1. In other words, the gateway's ARP cache
still associates 192.0.2.177 with the NIC in DMZ 1 rather than with
the firewall's eth0.</p>
different from the destination MAC address in the echo reply!! In
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words, the
gateway's ARP cache still associates 192.0.2.177 with the NIC in DMZ
1 rather than with the firewall's eth0.</p>
</div>
<div align="left">
@ -1533,9 +1535,9 @@ the firewall's eth0.</p>
<p align="left">With static NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public
IP addresses. For outgoing connections SNAT (Source Network Address
Translation) occurs and on incoming connections DNAT (Destination
Network Address Translation) occurs. Let's go back to our earlier example
involving your daughter's web server running on system Local 3.</p>
Translation) occurs and on incoming connections DNAT (Destination Network
Address Translation) occurs. Let's go back to our earlier example involving
your daughter's web server running on system Local 3.</p>
</div>
<div align="left">
@ -1574,8 +1576,8 @@ connections. This is done with the following entry in /etc/shorewall/masq:
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Suppose now that you have decided to give your daughter her
own IP address (192.0.2.179) for both inbound and outbound connections.
    Suppose now that you have decided to give your daughter
her own IP address (192.0.2.179) for both inbound and outbound connections.
You would do that by adding an entry in <a
href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
</div>
@ -1816,8 +1818,8 @@ way to allow connection requests through your firewall is to use ACCEPT
</div>
<div align="left">
<p align="left">If you run a public DNS server on 192.0.2.177, you would need
to add the following rules:</p>
<p align="left">If you run a public DNS server on 192.0.2.177, you would
need to add the following rules:</p>
</div>
<div align="left">
@ -1949,10 +1951,10 @@ way to allow connection requests through your firewall is to use ACCEPT
</div>
<div align="left">
<p align="left">The above discussion reflects my personal preference for using
Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I
prefer to use NAT only in cases where a system that is part of an RFC 1918
subnet needs to have it's own public IP. </p>
<p align="left">The above discussion reflects my personal preference for
using Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems.
I prefer to use NAT only in cases where a system that is part of an RFC
1918 subnet needs to have it's own public IP. </p>
</div>
<div align="left">
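Review bot: "needs to have it's own public IP" at the end of this hunk uses the contraction where the possessive "its" is meant; the rewrap touches that line, so correct it here rather than leaving the typo in both old and new text.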
@ -1960,20 +1962,21 @@ subnet needs to have it's own public IP.
height="13">
    If you haven't already, it would be a good idea to browse
through <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>
just to see if there is anything there that might be of interest. You
might also want to look at the other configuration files that you
haven't touched yet just to get a feel for the other things that Shorewall
can do.</p>
just to see if there is anything there that might be of interest.
You might also want to look at the other configuration files that
you haven't touched yet just to get a feel for the other things that
Shorewall can do.</p>
</div>
<div align="left">
<p align="left">In case you haven't been keeping score, here's the final set
of configuration files for our sample network. Only those that were modified
from the original installation are shown.</p>
<p align="left">In case you haven't been keeping score, here's the final
set of configuration files for our sample network. Only those that were
modified from the original installation are shown.</p>
</div>
<div align="left">
<p align="left">/etc/shorewall/interfaces (The "options" will be very site-specific).</p>
<p align="left">/etc/shorewall/interfaces (The "options" will be very
site-specific).</p>
</div>
<div align="left">
@ -2353,21 +2356,21 @@ can do.</p>
</div>
<div align="left">
<p align="left">Given the collection of RFC 1918 and public addresses in this
setup, it only makes sense to have separate internal and external DNS
servers. You can combine the two into a single BIND 9 server using <i>Views.
</i> If you are not interested in Bind 9 views, you can <a
<p align="left">Given the collection of RFC 1918 and public addresses in
this setup, it only makes sense to have separate internal and external
DNS servers. You can combine the two into a single BIND 9 server using
<i>Views. </i> If you are not interested in Bind 9 views, you can <a
href="#StartingAndStopping">go to the next section</a>.</p>
</div>
<div align="left">
<p align="left">Suppose that your domain is foobar.net and you want the two
DMZ systems named www.foobar.net and mail.foobar.net and you want the
three local systems named "winken.foobar.net, blinken.foobar.net and
nod.foobar.net. You want your firewall to be known as firewall.foobar.net
DMZ systems named www.foobar.net and mail.foobar.net and you want
the three local systems named "winken.foobar.net, blinken.foobar.net
and nod.foobar.net. You want your firewall to be known as firewall.foobar.net
externally and it's interface to the local network to be know as gateway.foobar.net
and its interface to the dmz as dmz.foobar.net. Let's have the DNS server
on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
and its interface to the dmz as dmz.foobar.net. Let's have the DNS
server on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
</div>
<div align="left">
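Review bot: two wording defects survive the rewrap in this hunk: "it's interface to the local network to be know as gateway.foobar.net" should read "its interface ... to be known as", and the list of local systems opens a double quote before "winken.foobar.net that is never closed. Both are on lines this hunk already changes.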
@ -2493,8 +2496,8 @@ servers. You can combine the two into a single BIND 9 server using <i>Views.
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
@ -2504,23 +2507,23 @@ servers. You can combine the two into a single BIND 9 server using <i>Views.
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    Edit the /etc/shorewall/routestopped file and configure those
systems that you want to be able to access the firewall when it is
stopped.</p>
    Edit the /etc/shorewall/routestopped file and configure
those systems that you want to be able to access the firewall when
it is stopped.</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
added an entry for the IP address that you are connected from to
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p>
</div>
<p align="left"><font size="2">Last updated 3/21/2003 - <a
<p align="left"><font size="2">Last updated 5/3/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
@ -2535,5 +2538,6 @@ stopped.</p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -2,11 +2,12 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title>
<base
target="_self">
<base target="_self">
</head>
<body>
@ -15,8 +16,9 @@
bgcolor="#4b017c">
<tbody>
<tr>
<td
width="100%" height="90">
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
@ -25,11 +27,9 @@
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font color="#ffffff">
<small><small><small>Shorewall 1.3 Site here</small></small></small></font></a><br>
<a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small>Shorewall
1.2 Site here<br>
<a target="_top" href="1.3/index.html"><font
color="#ffffff"> </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
</small></small></small></font></a>
</h1>
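Review bot: removing the "Shorewall 1.3 Site here" / "1.2 Site here" link text leaves two empty anchors in the page header (an `<a target="_top" href="1.3/index.html">` wrapping a single space and a second one to http://www1.shorewall.net/1.2/index.htm wrapping only a `<br>`). If the links are no longer wanted, delete the anchor elements entirely; as written they render as invisible, unclickable markup.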
@ -45,105 +45,145 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td
width="90%">
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
(iptables) based firewall that can be used on
a dedicated firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under
the terms of <a
it
under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program
is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
This
program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br>
<br>
You should
have received a copy of the GNU General
Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
You
should have received a copy of the GNU
General Public License along with
this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can
find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations
to Jacques and Eric on the recent release of Bering
1.1!!! <br>
</b>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br>
<h2><b>News</b></h2>
<b> </b>
<p><b>5/10/2003 - Shorewall Mirror in Asia </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is best
viewed using Internet Explorer although Konqueror also seems to work reasonably
well. Neither Opera or Netscape work well to view the presentation.</blockquote>
is in HTML format but was generated from Microsoft PowerPoint and is
best viewed using Internet Explorer (although Konqueror also seems to
work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape
work well to view the presentation.</blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p><b>    Problems Corrected:</b></p>
<blockquote>
<ol>
<li>TCP connection requests rejected out of the <b>common</b>
chain are now properly rejected with TCP RST; previously, some of these requests
were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously timed
out on the first hop (e.g., to the firewall). This has been worked around.</li>
chain are now properly rejected with TCP RST; previously, some of these
requests were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously
timed out on the first hop (e.g., to the firewall). This has been worked
around.</li>
</ol>
</blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file specifies
a particular host or network, Shorewall now creates an intermediate chain
for handling input from the related zone. This can substantially reduce
the number of rules traversed by connections requests from such zones.<br>
<li>Where an entry in the/etc/shorewall/hosts file
specifies a particular host or network, Shorewall now creates an intermediate
chain for handling input from the related zone. This can substantially
reduce the number of rules traversed by connections requests from such
zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An INCLUDE directive
consists of the word INCLUDE followed by a file name and causes the contents
of the named file to be logically included into the file containing the
INCLUDE. File names given in an INCLUDE directive are assumed to reside
in /etc/shorewall or in an alternate configuration directory if one has
been specified for the command. <br>
<li>Any file may include an INCLUDE directive. An
INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
@ -179,47 +219,69 @@ been specified for the command. <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<br>
INCLUDE's may be nested to a level of 3 -- further nested
INCLUDE directives are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that interface
continues to be a problem. While I firmly believe that this should never
happen, people continue to want to do it. To limit the damage that such
nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces
and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE'
column may not contain '-'; in other words, 'routeback' can't be used as
an option for a multi-zone interface. The 'routeback' option CAN be specified
however on individual group entries in /etc/shorewall/hosts.<br>
<li>Routing traffic from an interface back out that
interface continues to be a problem. While I firmly believe that this
should never happen, people continue to want to do it. To limit the
damage that such nonsense produces, I have added a new 'routeback' option
in /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
/etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual
group entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option with two
exceptions:<br>
The 'routeback' option is similar to the old 'multi' option
with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address tuple.<br>
   a) The option pertains to a particular zone,interface,address
tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic from (zone,interface,address)
tuples back to themselves (the 'multi' option affected all (zone,interface,address)
tuples associated with the given 'interface').<br>
   b) The option only created infrastructure to pass traffic
from (zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').<br>
 <br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>' for information
about how this new option may affect your configuration.<br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>'
for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.3.14 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the
recent release of Bering 1.2!!! </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
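Review bot: the empty anchor `<a href="file:///Z:/Shorewall-docs/News.htm"></a>` in this hunk points at a local Windows drive path and has no link text; it is editor residue and should be dropped rather than published. The same hunk also leaves several bare `<b> </b>` pairs between paragraphs that serve no purpose. Minor: "INCLUDE's may be nested" should be "INCLUDEs may be nested".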
@ -227,20 +289,52 @@ exceptions:<br>
</a></b></h1>
<b> </b>
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td
width="88" bgcolor="#4b017c" valign="top" align="center"> <br>
<td width="88" bgcolor="#4b017c" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
 </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]">
</font> </form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td>
</tr>
</tbody>
</table>
</center>
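Review bot: the added `<a target="_top" href="file:///vfat/Shorewall-docs/1.3/index.html">` at the bottom of the search column is an empty anchor to a local filesystem path, and the neighbouring anchor to http://www1.shorewall.net/1.2/index.htm likewise wraps nothing but empty `<small>` tags. Both appear to be leftovers from moving the version links out of the header; remove them from the published page.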
@ -254,29 +348,30 @@ exceptions:<br>
<td
width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 4/12/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 5/10/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -45,28 +45,29 @@
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to
check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
changes.  Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy disk,
you must run dos2unix against the copy before using it with Shorewall.</p>
must save them as Unix files if your editor supports that option or you
must run them through dos2unix before trying to use them. Similarly, if
you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
@ -77,21 +78,21 @@ you must run dos2unix against the copy before using it with Shorewall.</p>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a
/etc/shorewall -- for simple setups, you only need to deal with a few
of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
sample</a>, un-tar it (tar -zxvf one-interface.tgz) and and copy the files
to /etc/shorewall (they will replace files with the same names that were
placed in /etc/shorewall during Shorewall installation)</b>.</p>
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the one-interface sample configuration, only one
zone is defined:</p>
set of <i>zones.</i> In the one-interface sample configuration, only
one zone is defined:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
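Review bot: the download link now points at the directory http://www1.shorewall.net/pub/shorewall/Samples/ rather than at a tarball, yet the instruction that follows still says "un-tar it (tar -zxvf one-interface.tgz)". Either keep a direct link to one-interface.tgz or tell the reader to pick the one-interface tarball from that directory first. Also "and and copy the files" repeats "and".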
@ -130,10 +131,10 @@ placed in /etc/shorewall during Shorewall installation)</b>.</p>
matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the one-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -191,21 +192,21 @@ your firewall</li>
<p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a <b>ppp0</b>. If you connect via a regular modem, your External Interface
will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p>
will be the ethernet adapter (<b>eth0</b>) that is connected to that
"Modem"  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a <b>ppp0</b>. If you connect via a regular modem, your
External Interface will also be <b>ppp0</b>. If you connect using ISDN,
your external interface will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
    The Shorewall one-interface sample configuration assumes that the
external interface is <b>eth0</b>. If your configuration is different,
    The Shorewall one-interface sample configuration assumes that
the external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are
specified for the interface. Some hints:</p>
While you are there, you may wish to review the list of options that
are specified for the interface. Some hints:</p>
<ul>
<li>
@ -214,8 +215,8 @@ your firewall</li>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option
list. </p>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
</li>
</ul>
@ -234,15 +235,15 @@ your firewall</li>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation
destination address is reserved by RFC 1918. In some cases though,
ISPs are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
     Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -284,8 +285,8 @@ should remove the 'norfc1918' option from the entry in /etc/shorewall/interf
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p>
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
</div>
<div align="left">
@ -333,8 +334,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -395,8 +396,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
@ -406,9 +407,9 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
added an entry for the IP address that you are connected from to
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
@ -418,7 +419,8 @@ Also, I don't recommend using "shorewall restart"; it is better to create
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p>
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>

View File

@ -30,24 +30,24 @@
<h2 align="center">Version 2.0.1 Française</h2>
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail n'est
pas des plus précis (loin de là...). Je ne me suis pas attaché à une traduction
exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM pour
sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour son
formidable outil et sa disponibilité)</i><i>.</i></small></p>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française
intelligible par tous (et par moi). Les termes techniques sont la plupart
du temps conservés sous leur forme originale et mis entre parenthèses car
vous pouvez les retrouver dans le reste des documentations ainsi que dans
les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
Tom EASTEP pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall (écluse)
pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
utilisation la plus courante :</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
focalise sur ce qui est nécessaire pour configurer Shorewall, dans son utilisation
la plus courante :</p>
<ul>
<li>Un système Linux</li>
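Review bot: the rewrapped translator's note still carries two lost apostrophes, "N?hésitez pas" and "d?améliorer", where a curly right single quote did not survive the encoding; since these lines are being rewritten anyway, replace the "?" with a plain "'" so the note reads "N'hésitez pas à me contacter afin d'améliorer ce document".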
@ -57,8 +57,8 @@ rtc...</li>
</ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
@ -73,15 +73,15 @@ la configuration sont recommand
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
devez les sauver comme des fichiers Unix si votre éditeur supporte cette
option sinon vous devez les faire passer par dos2unix avant d'essayer de
les utiliser. De la même manière, si vous copiez un fichier de configuration
depuis votre disque dur Windows vers une disquette, vous devez lancer dos2unix
sur la copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
@ -95,18 +95,18 @@ of dos2unix</a></li>
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers
vers /etc/shorewall (Ils remplaceront les fichiers de même nom déjà existant
dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shorewall
(Ils remplaceront les fichiers de même nom déjà existant dans /etc/shorewall
installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
physiquement présents sur votre système -- chacun des fichiers contient des
instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</p>
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique interface,
une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
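Review bot: the download link now points at the directory http://www1.shorewall.net/pub/shorewall/Samples/ instead of at one-interface.tgz, but the same sentence still tells the reader to run "tar -zxvf one-interface.tgz"; either name the tarball that is to be fetched from that directory or keep a direct link to it so the command matches the file the reader actually downloads. The host also changes from france.shorewall.net to www1.shorewall.net in the French guide; confirm that the French mirror is meant to be dropped here.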
@ -126,15 +126,15 @@ interface, une seule zone est d
<p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une zone
à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -143,11 +143,10 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
Si aucune des règles dans ce fichier ne correspondent, alors la première politique
dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
@ -198,8 +197,8 @@ a les politiques suivantes :</p>
Ces politiques vont :
<ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet vers
votre firewall</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
de cette politique).</li>
@ -216,15 +215,15 @@ simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
(PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour une interface suppose que votre
interface externe est <b>eth0</b>. Si votre configuration est différente,
L'exemple de configuration de Shorewall pour une interface suppose que
votre interface externe est <b>eth0</b>. Si votre configuration est différente,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
spécifiées pour l'interface. Quelques astuces :</p>
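Review bot: the context line "<u>T</u>unneling<u>P</u>rotocol</i>(PPTP)" is missing the spaces between "Tunneling" and "Protocol" and before "(PPTP)", so the rendered text runs the words together; the English version of this paragraph has them. The same paragraph also keeps "sera<b> ippp0.</b>", which puts the space and the period inside the bold tags; "sera <b>ippp0</b>." is the cleaner form.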
@ -232,12 +231,12 @@ sp
<ul>
<li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
</p>
</li>
<li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
de la liste d'option. </p>
</li>
@ -248,15 +247,15 @@ de la liste d'option. </p>
</div>
<div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée (<i>Private</i>IP)
pour l'utilisation dans des réseaux privés :</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les paquets
car les routeurs sur les backbones Internet ne font pas passer les paquets
dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
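Review bot: "(<i>Private</i>IP)" has no space between the italic word and "IP" and renders as "PrivateIP"; write "(<i>Private</i> IP)". While this sentence is being reflowed, "La RFC 1918 définie plusieurs plage d'adresses IP privée" should read "La RFC 1918 définit plusieurs plages d'adresses IP privées".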
@ -310,8 +309,8 @@ vers votre firewall, le format g
</div>
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
serveur POP3 sur votre système de firewall :</p>
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un serveur
POP3 sur votre système de firewall :</p>
</div>
<div align="left">
@ -417,16 +416,16 @@ d
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation </a> configure votre système
pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9
de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
La <a href="Install.htm">procédure d'installation </a> configure votre
système pour lancer Shorewall au boot du système, mais au début avec la version
1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en aurez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p>
</div>
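Review bot: the rewrapped sentence keeps "n'essayer pas de lancer Shorewall avec que la configuration soit finie", which should be "n'essayez pas de lancer Shorewall avant que la configuration soit finie" (imperative form, and "avant que" rather than "avec que"); as written, the instruction not to start Shorewall before configuration is complete is hard to read.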
@ -441,14 +440,14 @@ de Netfilter, utilisez "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall depuis
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a
et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div>
@ -465,5 +464,6 @@ M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -17,6 +17,7 @@
<tr>
<td
width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
@ -28,28 +29,31 @@
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number
of sources of Shorewall information. Please try these before you
post.
There are
a number of sources of Shorewall information. Please try these before
you post.
<ul>
<li>More than half of the questions
posted on the support list have answers directly accessible from
the <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
<li>Shorewall versions earlier
that 1.3.0 are no longer supported.<br>
</li>
<li>More than half of the questions posted on the support
list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br>
</li>
<li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has solutions
to more than 20 common problems. </li>
<li> The
<a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
problems. </li>
<li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems.
</li>
<li> The <a
href="errata.htm"> Errata</a> has links to download updated
components. </li>
<li> The Site and
Mailing List Archives search facility can locate documents and
posts about similar problems: </li>
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to help
you solve common problems. </li>
<li> The
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li>
<li> The Site
and Mailing List Archives search facility can locate documents
and posts about similar problems: </li>
</ul>
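Review bot: the new bullet "Shorewall versions earlier that 1.3.0 are no longer supported." has a typo, "that" should be "than". Also note that this hunk switches the FAQ, Troubleshooting and Errata links from relative paths to absolute http://www.shorewall.net/ URLs; that is fine for a page that gets quoted in mail, but the later "shorewall start" bullet in this file still uses the relative "troubleshoot.htm" in its old form, so check that every link in the page is changed the same way.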
@ -78,16 +82,17 @@ posts about similar problems: </li>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives:
</font><input type="hidden" name="config"
value="htdig"><input type="hidden" name="restrict" value=""><font
size="-1"> Include Mailing List Archives:
<select size="1" name="exclude">
<option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select>
</font><br>
Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br>
Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"><br>
</form>
</blockquote>
@ -95,27 +100,30 @@ posts about similar problems: </li>
</h2>
<ul>
<li>Please remember we only know what is posted
in your message. Do not leave out any information that appears
to be correct, or was mentioned in a previous post. There have
been countless posts by people who were sure that some part of
their configuration was correct when it actually contained a small
error. We tend to be skeptics where detail is lacking.<br>
<li>Please remember we only know what
is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous
post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking
for <strong>free</strong> technical support. Any help we
offer is an act of generosity, not an obligation. Try to make it
easy for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect
good answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br>
<li>Please keep in mind that you're
asking for <strong>free</strong> technical support.
Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br>
</li>
<li> Please
don't describe your environment and then ask us to send
you custom configuration files. We're here to answer
your questions but we can't do your job for you.<br>
<li>
Please don't describe your environment and then ask us
to send you custom configuration files. We're here
to answer your questions but we can't do your
job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong>
@ -126,17 +134,19 @@ you custom configuration files. We're here to answer
<ul>
<ul>
<li>the exact version of Shorewall you are
running.<br>
<li>the exact version of Shorewall
you are running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
<b><font color="#009900">shorewall
version</font><br>
</b> <br>
</li>
</ul>
<ul>
<li>the exact kernel version you are running<br>
<li>the exact kernel version you are
running<br>
<br>
<font color="#009900"><b>uname -a<br>
<br>
@ -147,7 +157,8 @@ you custom configuration files. We're here to answer
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<font color="#009900"><b>ip addr
show<br>
<br>
</b></font></li>
@ -156,15 +167,16 @@ you custom configuration files. We're here to answer
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip route show<br>
<font color="#009900"><b>ip route
show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>If your kernel is modularized, the exact
output from<br>
<li>If your kernel is modularized,
the exact output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
</li>
@ -183,8 +195,8 @@ you custom configuration files. We're here to answer
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt;
/tmp/status.txt</font></b><br>
3.<b><font color="#009900"> /sbin/shorewall status
&gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
@ -193,47 +205,48 @@ you custom configuration files. We're here to answer
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br>
<li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake
installation of Shorewall, please say so.<br>
<li><b>If you are running Shorewall under Mandrake using the
Mandrake installation of Shorewall, please say so.<br>
<br>
</b></li>
</ul>
<li>As a
general matter, please <strong>do not edit the diagnostic information</strong>
in an attempt to conceal your IP address, netmask, nameserver
addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<br>
<li>As
a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained in
the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, include
the message(s) in your post along with a copy of your /etc/shorewall/interfaces
you exercise the function that is giving you problems? If so,
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If
you include /etc/shorewall/rules, please include /etc/shorewall/policy
<li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file if
you have modified that file) that you think are relevant.
If you include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a trace
(See the <a href="troubleshoot.htm">Troubleshooting</a> section for
instructions).<br>
(See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so don't post
GIFs of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li>
<li><b>The list server limits posts to 120kb so don't
post GIFs of your network layout, etc. to
the Mailing List -- your post will be rejected.</b></li>
</ul>
@ -250,59 +263,57 @@ rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not
the spammers but the list subscribers whose MTAs are bouncing
all shorewall.net mail. As one list subscriber wrote to me privately
"These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I
have now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
I think that blocking all HTML is
a Draconian way to control spam and that the ultimate losers
here are not the spammers but the list subscribers whose MTAs
are bouncing all shorewall.net mail. As one list subscriber wrote
to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML based
e-mail". Nevertheless, to allow subscribers to receive list posts
as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts.<br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<blockquote> <b>If you have a <u>quick</u> question about
capabilities or where to find something, you may use the</b> <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <u><b>DO NOT POST THE OUTPUT OF "shorewall status" TO THE FORUM;
I WON'T LOOK AT IT.</b></u> <b>If you need to supply "shorewall status"
output, use the appropriate mailing list below.</b><br>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4>
to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft
Multi Network Firewall (MNF) and you have not purchased an MNF
license from MandrakeSoft then you can post non MNF-specific Shorewall
questions to the </b><a
Multi Network Firewall (MNF) and you have not purchased an
MNF license from MandrakeSoft then you can post non MNF-specific
Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.<br>
To Subscribe to the mailing list go to <a
list</a> .</p>
<p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br>
</p>
</blockquote>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 4/10/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 5/12/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</p>
</body>
</html>
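Review bot: "to allow subscribers to receive list posts as must as possible" should read "as much as possible"; the paragraph is rewrapped here, so the typo is worth fixing in the same change. The rewrap of the "Otherwise, please post your question or problem to the ..." paragraph leaves a stray space before the period in "list</a> .</p>". Dropping every mention of the Shorewall Support Forum (including the "DO NOT POST THE OUTPUT OF shorewall status TO THE FORUM" notice) is consistent within this page, and the Last Updated date is bumped to 5/12/2003 to match.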

View File

@ -31,7 +31,7 @@
<p align="left">Setting up a Linux system as a firewall for a small network
with DMZ is a fairly straight-forward task if you understand the
basics and follow the documentation.</p>
basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
@ -55,9 +55,9 @@ local network.</li>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to
check for this program:</p>
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -74,15 +74,16 @@ tell if this package is installed by the presence of an <b>ip</b> program
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p>
if you copy a configuration file from your Windows hard drive to a
floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
@ -91,21 +92,21 @@ tell if this package is installed by the presence of an <b>ip</b> program
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a
few of these as described in this guide. After you have <a
/etc/shorewall -- for simple setups, you will only need to deal with
a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the same
names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
the files to /etc/shorewall (the files will replace files with the
same names that were placed in /etc/shorewall when Shorewall was installed)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions
and default entries.</p>
file on your system -- each file contains detailed configuration
instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the three-interface sample configuration,
the following zone names are used:</p>
the following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
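Review bot: the download link changes from the three-interfaces.tgz file to the Samples/ directory, but the sentence still says "un-tar it (tar -zxvf three-interfaces.tgz)", so the reader now lands on a directory listing with no mention of which archive to fetch; either link the tarball directly or name the file to pick from Samples/. The duplicated "and and copy" also survives the rewrap and should read "and copy".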
@ -140,7 +141,7 @@ the following zone names are used:</p>
<ul>
<li>You express your default policy for connections from
one zone to another zone in the<a
one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in
the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -149,9 +150,9 @@ the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy
file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or
DROP  the request is first checked against the rules in /etc/shorewall/common
DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the three-interface sample
@ -235,8 +236,8 @@ firewall to the internet (if you uncomment the additional policy)</li>
</ol>
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy file and
make any changes that you wish.</p>
    At this point, edit your /etc/shorewall/policy file
and make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -245,58 +246,59 @@ firewall to the internet (if you uncomment the additional policy)</li>
</p>
<p align="left">The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g.,
<b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
connectivity is through a cable or DSL "Modem", the <i>External
Interface</i> will be the ethernet adapter that is connected to
that "Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
via a regular modem, your External Interface will also be <b>ppp0</b>.
If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
via a regular modem, your External Interface will also be <b>ppp0</b>.
If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    If your external interface is <b>ppp0</b> or <b>ippp0
</b>then you will want to set CLAMPMSS=yes in <a
</b>then you will want to set CLAMPMSS=yes in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have only
a single local system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
computers will be connected to the same switch (note: If you have
only a single local system, you can connect the firewall directly to
the computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have
only a single DMZ system, you can connect the firewall directly to the
computer using a <i>cross-over </i> cable).</p>
only a single DMZ system, you can connect the firewall directly to
the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect more than one interface to the same
hub or switch (even for testing). It won't work the way that you expect
it to and you will end up confused and believing that Shorewall doesn't
work at all.</p>
hub or switch (even for testing). It won't work the way that you
expect it to and you will end up confused and believing that Shorewall
doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    The Shorewall three-interface sample configuration assumes
that the external interface is <b>eth0, </b>the local interface is
<b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
is different, you will have to modify the sample /etc/shorewall/interfaces
file accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
<b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
is different, you will have to modify the sample /etc/shorewall/interfaces
file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p>
you can replace the "detect" in the second column with "-".
</p>
</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the
option list. </p>
or if you have a static IP address, you can remove "dhcp" from
the option list. </p>
</li>
</ul>
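Review bot: typo carried into the rewrapped line: "If you connect using ISDN, you external interface will be ippp0." should read "your external interface".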
@ -306,14 +308,14 @@ is different, you will have to modify the sample /etc/shorewall/interfaces
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing
your connection when you dial in (standard modem) or establish your PPP
connection. In rare cases, your ISP may assign you a<i> static</i> IP
address; that means that you configure your firewall's external interface
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses for your internal network
(the local and DMZ Interfaces on your firewall plus your other computers).
is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left">
@ -323,24 +325,24 @@ RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the IP
address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p>
    Before starting Shorewall, you should look at the
IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your local addresses from one <i>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have
a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive "1" bits from
the left of the subnet mask. </p>
by "/24". The "24" refers to the number of consecutive "1" bits
from the left of the subnet mask. </p>
</div>
<div align="left">
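Review bot: two grammar slips in the paragraph this hunk rewraps: "we can consider a subnet to consists of" should read "to consist of", and "(CIDR) notation with consists of the subnet address" should read "which consists of".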
@ -377,7 +379,7 @@ Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using
<div align="left">
<p align="left">It is conventional to assign the internal interface either
the first usable address in the subnet (10.10.10.1 in the above
example) or the last usable address (10.10.10.254).</p>
example) or the last usable address (10.10.10.254).</p>
</div>
<div align="left">
@ -390,18 +392,18 @@ example) or the last usable address (10.10.10.254).</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (Local Computers 1 &amp; 2) should
be configured with their<i> default gateway</i> set to the IP address
of the firewall's internal interface and your DMZ computers ( DMZ
Computers 1 &amp; 2) should be configured with their default gateway
set to the IP address of the firewall's DMZ interface.   </p>
    Your local computers (Local Computers 1 &amp; 2)
should be configured with their<i> default gateway</i> set to the
IP address of the firewall's internal interface and your DMZ computers
( DMZ Computers 1 &amp; 2) should be configured with their default
gateway set to the IP address of the firewall's DMZ interface.   </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
What Everyone Needs to Know about Addressing &amp; Routing",</i>
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
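Review bot: "The remainder of this quide" in the trailing context line should read "guide".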
@ -417,33 +419,33 @@ example) or the last usable address (10.10.10.254).</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might assign
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
local network and if it is in the 10.10.11.0/24 subnet then you will need
to select a different RFC 1918 subnet for your DMZ.</b><br>
your external interface an RFC 1918 address. If that address is in the
10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918
subnet for your local network and if it is in the 10.10.11.0/24 subnet then
you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
</p>
<p align="left">IP Masquerading (SNAT)</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume local computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in the
packet to be the address of the firewall's external interface; in other
words, the firewall makes it look as if the firewall itself is initiating
the connection.  This is necessary so that the destination host will
be able to route return packets back to the firewall (remember that
packets whose destination address is reserved by RFC 1918 can't be routed
accross the internet). When the firewall receives a return packet, it
rewrites the destination address back to 10.10.10.1 and forwards the
packet on to local computer 1. </p>
forward packets which have an RFC-1918 destination address. When
one of your local systems (let's assume local computer 1) sends a
connection request to an internet host, the firewall must perform
<i>Network Address Translation </i>(NAT). The firewall rewrites the
source address in the packet to be the address of the firewall's external
interface; in other words, the firewall makes it look as if the firewall
itself is initiating the connection.  This is necessary so that the
destination host will be able to route return packets back to the firewall
(remember that packets whose destination address is reserved by RFC
1918 can't be routed accross the internet). When the firewall receives
a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
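Review bot: "accross" is carried into the rewrapped line ("can't be routed accross the internet") and should be "across"; "Your ISP  might" also keeps a doubled space. Separately, `<p align="left">IP Masquerading (SNAT)</p>` is a section title rendered as an ordinary paragraph, while the other section titles in this file use `<h2 align="left">` (for example "Network Interfaces" and "Domain Name Server (DNS)"); suggest making it an `<h2>` for consistency.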
@ -465,24 +467,24 @@ packet on to local computer 1. </p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>, your
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b> then
you do not need to modify the file provided with the sample. Otherwise,
local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b>
then you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external IP is static, you can enter it in the
third column in the /etc/shorewall/masq entry if you like although
your firewall will work fine if you leave that column empty. Entering
your static IP in column 3 makes <br>
third column in the /etc/shorewall/masq entry if you like although
your firewall will work fine if you leave that column empty. Entering
your static IP in column 3 makes <br>
processing outgoing packets a little more efficient.<br>
</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change
them appropriately:<br>
file to ensure that the following are set correctly; if they are not,
change them appropriately:<br>
</p>
<ul>
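Review bot: the `<br>` in "Entering your static IP in column 3 makes <br>" breaks a sentence mid-phrase before "processing outgoing packets a little more efficient.", and the rewrap keeps it; drop that `<br>` so the sentence renders as one line.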
@ -496,12 +498,12 @@ your static IP in column 3 makes <br>
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to them.
It is rather necessary for those clients to address their connection
is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When your
server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
address of your server and forwards the packet to that server. When
your server responds, the firewall automatically performs SNAT to
rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
@ -538,8 +540,8 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
</table>
</blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
the same as <i>&lt;port&gt;</i>.</p>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
be the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p>
@ -586,7 +588,7 @@ the same as <i>&lt;port&gt;</i>.</p>
<li>When you are connecting to your server from your local
systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the
80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000 (e.g., connect to <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z is your
external IP).</li>
@ -621,8 +623,8 @@ following rule and try connecting to port 5000 (e.g., connect to <a
</blockquote>
<p>If you want to be able to access your server from the local network using
your external address, then if you have a static external IP you can
replace the loc-&gt;dmz rule above with:</p>
your external address, then if you have a static external IP you
can replace the loc-&gt;dmz rule above with:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -693,20 +695,20 @@ following rule and try connecting to port 5000 (e.g., connect to <a
</blockquote>
<p>If you want to access your server from the DMZ using your external IP
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
    At this point, add the DNAT and ACCEPT rules for your
servers. </p>
servers. </p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as
your primary and secondary name servers. It is <u>your</u> responsibility
will be automatically configured (e.g., the /etc/resolv.conf file
will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
@ -717,23 +719,23 @@ servers. </p>
or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information
isn't available, look in /etc/resolv.conf on your firewall system
-- the name servers are given in "nameserver" records in that file.
-- the name servers are given in "nameserver" records in that file.
</p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching name
server (which also requires the 'bind' RPM) and for Bering users,
there is dnscache.lrp. If you take this approach, you configure your
internal systems to use the caching name server as their primary (and
only) name server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address if you choose to
run the name server on your firewall. To allow your local systems to
talk to your caching name server, you must open port 53 (both UDP
and TCP) from the local network to the server; you do that by adding
the rules in /etc/shorewall/rules. </p>
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
name server (which also requires the 'bind' RPM) and for Bering
users, there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the caching name server as their primary
(and only) name server. You use the internal IP address of the firewall
(10.10.10.254 in the example above) for the name server address if
you choose to run the name server on your firewall. To allow your local
systems to talk to your caching name server, you must open port 53
(both UDP and TCP) from the local network to the server; you do that
by adding the rules in /etc/shorewall/rules. </p>
</li>
</ul>
@ -900,8 +902,8 @@ the rules in /etc/shorewall/rules. </p>
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you commented out the line in /etc/shorewall/policy allowing
all connections from the firewall to the internet.</p>
removed if you commented out the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
@ -1041,8 +1043,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -1080,7 +1082,7 @@ uses, look <a href="ports.htm">here</a>.</p>
<p align="left"><img src="images/leaflogo.gif" alt="(LEAF Logo)"
width="49" height="36">
    Bering users will want to add the following two rules to be compatible
with Jacques's Shorewall configuration.<br>
with Jacques's Shorewall configuration.<br>
</p>
<div align="left">
@ -1140,7 +1142,7 @@ with Jacques's Shorewall configuration.<br>
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once you
have completed configuration of your firewall, you can enable Shorewall
@ -1159,8 +1161,8 @@ startup by removing the file /etc/shorewall/startup_disabled.<br>
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from
your Netfilter configuration, use "shorewall clear".</p>
command. If you want to totally remove any trace of Shorewall from
your Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
@ -1169,8 +1171,8 @@ your Netfilter configuration, use "shorewall clear".</p>
    The three-interface sample assumes that you want to enable
routing to/from <b>eth1 (</b>your local network) and<b> eth2 </b>(DMZ)
when Shorewall is stopped. If these two interfaces don't connect
to your local network and DMZ or if you want to enable a different
set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
to your local network and DMZ or if you want to enable a different
set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
</div>
<div align="left">
@ -1178,9 +1180,9 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
@ -1205,5 +1207,6 @@ set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
<br>
<br>
<br>
<br>
</body>
</html>
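Review bot: this hunk only adds one more empty `<br>` before `</body>`; that is layout padding rather than content, and the whole run of trailing `<br>` tags could be removed instead.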

View File

@ -32,31 +32,31 @@
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n?est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française
intelligible par tous (et par moi). Les termes techniques sont la plupart
du temps conservés sous leur forme originale et mis entre parenthèses car
vous pouvez les retrouver dans le reste des documentations ainsi que dans
les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
traduction exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
son formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau
contenant une DMZ est une chose assez simple à réaliser si vous comprenez
les bases et suivez cette documentation.</p>
contenant une DMZ est une chose assez simple à réaliser si vous comprenez
les bases et suivez cette documentation.</p>
<p>Ce guide ne prétend pas vous mettre au courant de toutes les possibilités
de Shorewall. Il se focalise sur les besoins pour configurer Shorewall dans
une de ses utilisations les plus populaire :</p>
de Shorewall. Il se focalise sur les besoins pour configurer Shorewall dans
une de ses utilisations les plus populaire :</p>
<ul>
<li>Un système Linux utilisé en tant que firewall/routeur pour un petit
réseau local.</li>
réseau local.</li>
<li>Une seule adresse IP publique.</li>
<li>Une DMZ connectée sur une interface Ethernet séparée.</li>
<li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame Relay,
RTC, ...</li>
RTC, ...</li>
</ul>
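Review bot: the rewrapped translator's note keeps what look like mis-encoded apostrophes: "n?est", "N?hésitez" and "d?améliorer" should read "n'est", "N'hésitez" and "d'améliorer". Since these lines are being rewritten anyway, this is the place to fix them.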
@ -66,33 +66,33 @@ RTC, ...</li>
height="635">
</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
le changements dans votre configuration. Les points où, les changements dans
la configuration sont recommandées, sont signalés par une <img
vous familiariser avec ce qu'il va se passer, et de revenir au début en
effectuant le changements dans votre configuration. Les points où, les changements
dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur offre cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la copie
avant de l'utiliser avec Shorewall.</p>
devez les sauver comme des fichiers Unix si votre éditeur offre cette option
sinon vous devez les faire passer par dos2unix avant d'essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis votre
disque dur Windows vers une disquette, vous devez lancer dos2unix sur la
copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
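Review bot: the rewrapped sentence keeps "effectuant le changements" (should be "les changements") and the stray comma in "Les points où, les changements dans la configuration sont recommandées" (drop the comma, and "recommandés" agrees with "changements").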
@ -102,22 +102,22 @@ of dos2unix</a></li>
alt="">
Les fichiers de configuration pour Shorewall sont situés dans le répertoire
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez la configuration
d'exemple <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/three-interfaces.tgz">three-interface
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
déjà existant dans /etc/shorewall installés lors de l'installation de Shorewall)</b>.</p>
d'exemple <a href="http://www1.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même
nom déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
<p>En même temps que chacun des fichiers est présenté, je vous suggère de
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
des fichiers contient des instructions de configuration détaillées et des
entrées par défaut.</p>
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
des fichiers contient des instructions de configuration détaillées et des
entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour trois interfaces,
trois zones sont définies :</p>
<i>zones.</i> Dans les fichiers de configuration fournis pour trois interfaces,
trois zones sont définies :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
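Review bot: the new href `http://www1.shorewall.net/pub/shorewall/Samples/` points at a directory, but the surrounding sentence still reads "téléchargez la configuration d'exemple three-interface sample, un-tarez la (tar -zxvf three-interfaces.tgz)", which assumed a direct link to the tarball. Either link the archive itself or tell the reader which file to pick from that directory (e.g. "téléchargez three-interfaces.tgz depuis ..."). While touching the line, the anchor text "three-interface sample" and the file name "three-interfaces.tgz" disagree on the plural; align them.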
@ -144,30 +144,31 @@ trois zones sont d
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première politique
dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p>
sample a les politiques suivantes :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -212,8 +213,8 @@ sample a les politiques suivantes :</p>
<blockquote>
<p>Dans l'archive three-interface, la ligne suivante est existante mais
elle est commentée. Si vous souhaitez que votre système de firewall puisse
avoir un accès complet aux serveurs sur Internet, décommentez la.</p>
elle est commentée. Si vous souhaitez que votre système de firewall puisse
avoir un accès complet aux serveurs sur Internet, décommentez la.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
@ -253,7 +254,7 @@ votre firewall et vers Internet (si vous decommentez la politique pr
<p><img border="0" src="images/BD21298_1.gif" width="13" height="13">
A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désire</p>
que vous désire</p>
<h2 align="left">Les Interfaces Réseau</h2>
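Review bot: "faites y les changements que vous désire" in the re-wrapped line should read "faites-y les changements que vous désirez" (imperative hyphen, second-person verb form).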
@ -262,56 +263,56 @@ que vous d
</p>
<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL (non
USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), votre
interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris
(ISDN), votre interface extérieure sera ippp0<b>.</b></p>
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL
(non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
votre interface extérieure sera aussi ppp0. Si votre connexion passe par
Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
Si votre interface vers l'extérieur est ppp0 ou ippp0 alors vous mettrez
CLAMPMSS=yes dans <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
CLAMPMSS=yes dans <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Votre <i>Interface locale</i> sera un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
locaux seront connectés à ce même switch (note : si vous n'avez qu'un seul
ordinateur en local, vous pouvez le connecter directement au firewall par
un <i>câble croisé</i>).</p>
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
locaux seront connectés à ce même switch (note : si vous n'avez qu'un seul
ordinateur en local, vous pouvez le connecter directement au firewall par
un <i>câble croisé</i>).</p>
<p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
appartenant à la DMZ seront connectés à ce même switch (note : si vous n'avez
qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement au
firewall par un <i>câble croisé</i>).</p>
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
appartenant à la DMZ seront connectés à ce même switch (note : si vous
n'avez qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement
au firewall par un <i>câble croisé</i>).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u> Ne connectez pas l'interface interne et externe sur le même hub
ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas que
ce soit shorewall qui ne marche pas.</p>
ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas
que ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose que
l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> et
que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont
spécifiées pour les interfaces. Quelques trucs :</p>
L'exemple de configuration de Shorewall pour trois interfaces suppose
que l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1
</b> et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration
diffère, vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces
en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
options qui sont spécifiées pour les interfaces. Quelques trucs :</p>
<ul>
<li>
<p align="left">Si votre interface externe est ppp0 ou ippp0, vous pouvez
remplacer le "detect" dans la seconde colonne par un "-". </p>
remplacer le "detect" dans la seconde colonne par un "-". </p>
</li>
<li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si
vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste
d'option. </p>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
liste d'option. </p>
</li>
</ul>
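Review bot: the protocol names in the re-wrapped external-interface paragraph are missing spaces: "Point-to-PointProtocol overEthernet (PPPoE)" and "Point-to-PointTunneling Protocol (PPTP)" should be "Point-to-Point Protocol over Ethernet (PPPoE)" and "Point-to-Point Tunneling Protocol (PPTP)". Since the hunk rewrites exactly these lines, fix them in the same change.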
@ -319,18 +320,19 @@ d'option. </p>
<h2 align="left">Adresses IP</h2>
<p align="left">Avant d'aller plus loin, nous devons dire quelques mots au
sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre
provider peu vous assigner une adresse statique (staticIP address); cela signifie
que vous configurez votre interface externe sur votre firewall afin d'utiliser
cette adresse de manière permanente. Une fois votre adresse externe assignée,
elle va être partagée par tout vos systèmes lors de l'accès à Internet. Vous
devrez assigner vos propres adresses à votre réseau local (votre interface
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 réserve
plusieurs plages d'IP (Private IP address ranges) à cette fin :</p>
sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez
(modem standard) ou établissez votre connexion PPP. Dans de rares cas ,
votre provider peu vous assigner une adresse statique (staticIP address);
cela signifie que vous configurez votre interface externe sur votre firewall
afin d'utiliser cette adresse de manière permanente. Une fois votre adresse
externe assignée, elle va être partagée par tout vos systèmes lors de l'accès
à Internet. Vous devrez assigner vos propres adresses à votre réseau local
(votre interface interne sur le firewall ainsi que les autres ordinateurs).
La RFC 1918 réserve plusieurs plages d'IP (Private IP address ranges) à
cette fin :</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
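Review bot: the IP-address paragraph is re-flowed but keeps its typos: "Dans de rares cas , votre provider peu vous assigner une adresse statique (staticIP address)" should be "Dans de rares cas, votre provider peut vous assigner une adresse statique (static IP address)", and "tout vos systèmes" should be "tous vos systèmes".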
@ -340,23 +342,23 @@ plusieurs plages d'IP (Private IP address ranges)
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">Vous devrez assigner les adresses locales à un sous-réseau
(<i>sub-network </i>ou <i>subnet)</i> et les adresse pour la DMZ à un autre
sous-réseau. Pour ce faire, nous pouvons considérer qu'un sous-réseau consiste
en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera
une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0 est
réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i> et x.y.z.255
est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet Broadcast</i>
<i>Address)</i>. Sous Shorewall, un sous-réseau est décrit/désigné en utilisant
la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain
Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau suivie par
"/24". Le "24" se réfère au nombre de bits "1" consécutifs dans la partie
gauche du masque de sous-réseau. </p>
(<i>sub-network </i>ou <i>subnet)</i> et les adresse pour la DMZ à un autre
sous-réseau. Pour ce faire, nous pouvons considérer qu'un sous-réseau consiste
en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera
une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0 est
réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i> et x.y.z.255
est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet
Broadcast</i> <i>Address)</i>. Sous Shorewall, un sous-réseau est décrit/désigné
en utilisant la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
InterDomain Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau
suivie par "/24". Le "24" se réfère au nombre de bits "1" consécutifs dans
la partie gauche du masque de sous-réseau. </p>
</div>
<div align="left">
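Review bot: in the subnet paragraph, "une masque (Subnet Mask)" should be "un masque", "les adresse pour la DMZ" should be "les adresses", and "Routing</i>(CIDR)" needs a space before the parenthesis so the rendered text reads "Classless InterDomain Routing (CIDR)".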
@ -391,104 +393,105 @@ gauche du masque de sous-r
</div>
<div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la première
adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent)
ou la dernière utilisable (10.10.10.254).</p>
<p align="left">Il est de convention d'assigner à l'interface interne la
première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
précédent) ou la dernière utilisable (10.10.10.254).</p>
</div>
<div align="left">
<p align="left">L'un des buts d'un sous-réseau est de permettre à tous les
ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs ils
peuvent communiquer directement. Pour communiquer avec des systèmes en dehors
du sous-réseau, les ordinateurs envoient des paquets à travers le gateway
(routeur).</p>
ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs
ils peuvent communiquer directement. Pour communiquer avec des systèmes
en dehors du sous-réseau, les ordinateurs envoient des paquets à travers
le gateway (routeur).</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
Vos ordinateurs locaux (ordinateur local 1 et 2) devraient être configurés
avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i> pointant
sur l'adresse IP de l'interface DMZ du firewall. </p>
avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i>
pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
</div>
<p align="left">Cette courte description ne fait que survoler les concepts
de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur l'adressage
IP et le routage, je vous recommande chaudement <i>"IP Fundamentals: What
Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A.
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur
l'adressage IP et le routage, je vous recommande chaudement <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">Pour rappel, ce guide supposera que vous avez configuré votre
réseau comme montrer ci-dessous :</p>
réseau comme montrer ci-dessous :</p>
<p align="center"> <img border="0" src="images/dmz2.png" width="721"
height="635">
</p>
<p align="left">La passerelle par défaut (default gateway) pour les ordinateurs
de la DMZ sera 10.10.11.254 et le passerelle par défaut pour les ordinateurs
en local sera 10.10.10.254.</p>
de la DMZ sera 10.10.11.254 et le passerelle par défaut pour les ordinateurs
en local sera 10.10.10.254.</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">Les adresses réservées par la RFC 1918 sont parfois désignées
comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918.
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une connexion
à un serveur par Internet, le firewall doit appliquer un NAT (Network Address
Translation). Le firewall ré écrit l'adresse source dans le paquet, et l'a
remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
le firewall fait croire que c'est lui même qui initie la connexion. Ceci
est nécessaire afin que l'hôte de destination soit capable de renvoyer les
paquets au firewall (souvenez vous que les paquets qui ont pour adresse de
destination, une adresse réservée par la RFC 1918 ne pourront pas être routés
à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse à
l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p>
comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918.
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une
connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network
Address Translation). Le firewall ré écrit l'adresse source dans le paquet,
et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres
mots, le firewall fait croire que c'est lui même qui initie la connexion.
Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
les paquets au firewall (souvenez vous que les paquets qui ont pour adresse
de destination, une adresse réservée par la RFC 1918 ne pourront pas être
routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse
à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP
Masquerading mais vous verrez aussi le terme de Source Network Address Translation
(SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
:</p>
<ul>
<li>
<p align="left">Masquerade désigne le cas ou vous laissez votre firewall
détecter automatiquement l'adresse de l'interface externe. </p>
détecter automatiquement l'adresse de l'interface externe. </p>
</li>
<li>
<p align="left">SNAT désigne le cas où vous spécifiez explicitement l'adresse
source des paquets sortant de votre réseau local. </p>
source des paquets sortant de votre réseau local. </p>
</li>
</ul>
<p align="left">Sous Shorewall, autant le Masquerading que le SNAT sont configuré
avec des entrés dans le fichier /etc/shorewall/masq.</p>
avec des entrés dans le fichier /etc/shorewall/masq.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
Si votre interface externe est <b>eth0</b>, votre interface locale <b>eth1</b>
et votre interface pour la DMZ <b>eth2</b> vous n'avez pas besoin de modifier
le fichier fourni avec l'exemple. Dans le cas contraire, éditez /etc/shorewall/masq
et votre interface pour la DMZ <b>eth2</b> vous n'avez pas besoin de modifier
le fichier fourni avec l'exemple. Dans le cas contraire, éditez /etc/shorewall/masq
et changez le en conséquence.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
Si votre IP externe est statique, vous pouvez la mettre dans la troisième
colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre
firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de
mettre votre IP statique dans la troisième colonne permet un traitement des
paquets sortant un peu plus efficace.<br>
colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre
firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de
mettre votre IP statique dans la troisième colonne permet un traitement
des paquets sortant un peu plus efficace.<br>
</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
Si vous utilisez les paquets Debian, vérifiez que votre fichier de configuration
shorewall.conf contient bien les valeurs suivantes, si elles n'y sont pas
faite les changements nécessaires :<br>
shorewall.conf contient bien les valeurs suivantes, si elles n'y sont pas
faite les changements nécessaires :<br>
</p>
<ul>
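Review bot: in the SNAT section, "Masquerade désigne le cas ou vous laissez" should be "le cas où", and "autant le Masquerading que le SNAT sont configuré avec des entrés" should be "sont configurés avec des entrées". The re-wrap also leaves the colon of "Shorewall suit la convention utilisée avec Netfilter" alone on the next line; harmless in rendered HTML, but keeping it on the preceding line makes the source easier to read.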
@ -501,19 +504,20 @@ faite les changements n
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">Un de nos buts est de, peut être, faire tourner un ou plusieurs
serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse
RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre serveur,
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall
applique automatiquement un SNAT pour ré écrire l'adresse source dans la réponse.</p>
serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse
RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre
serveur, et fait passer le paquet à celui-ci. Lorsque votre serveur répond,
le firewall applique automatiquement un SNAT pour ré écrire l'adresse source
dans la réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant
les règles DNAT dans le fichier /etc/shorewall/rules.</p>
Address Translation(DNAT). Vous configurez le port forwarding en utilisant
les règles DNAT dans le fichier /etc/shorewall/rules.</p>
<p>La forme générale d'une simple règle de port forwarding dans /etc/shorewall/rules
est :</p>
est :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
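Review bot: the DNAT paragraph contains a sentence fragment that the re-wrap preserves: "serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse RFC-1918, il n'est pas possible ..." is missing its conjunction and has the wrong verb form; suggest "Puisque ces ordinateurs ont une adresse RFC-1918, il n'est pas possible ...". Also "Address Translation(DNAT)" needs a space before the parenthesis.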
@ -531,7 +535,8 @@ est :</p>
<tr>
<td>DNAT</td>
<td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> <br>
@ -545,11 +550,11 @@ est :</p>
</blockquote>
<p>Si vous ne spécifiez pas le <i>&lt;server port&gt;</i>, il est supposé
être le même que <i>&lt;port&gt;</i>.</p>
être le même que <i>&lt;port&gt;</i>.</p>
<p>Exemple - vous faites tourner un serveur Web dans votre DMZ (2) et vous
voulez faire passer les paquets entrant en TCP sur le port 80 à ce système
:</p>
voulez faire passer les paquets entrant en TCP sur le port 80 à ce système
:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -591,12 +596,13 @@ voulez faire passer les paquets entrant en TCP sur le port 80
<ul>
<li>Lorsque vous vous connectez à votre serveur à partir de votre réseau
local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
<li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes
de connexion entrantes sur le port 80. Si vous avez des problèmes pour vous
connecter à votre serveur web, essayez la règle suivante et connectez vous
sur le port 5000 (c.a.d., connectez vous à <a href="http://w.x.y.z:5000">
http://w.x.y.z:5000</a> où w.x.y.z est votre IP externe).</li>
de connexion entrantes sur le port 80. Si vous avez des problèmes pour vous
connecter à votre serveur web, essayez la règle suivante et connectez vous
sur le port 5000 (c.a.d., connectez vous à <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> où w.x.y.z est votre
IP externe).</li>
</ul>
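Review bot: `<a href="http://w.x.y.z:5000">` turns the placeholder address into a clickable link to a host that does not exist; render "http://w.x.y.z:5000" as plain text (or `<code>`) instead of an anchor, since the sentence immediately explains that w.x.y.z stands for the reader's own external IP.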
@ -629,10 +635,10 @@ http://w.x.y.z:5000</a> o
</table>
</blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis
le réseau local en utilisant votre adresse externe, et si vous avez une adresse
IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente
par :</p>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
depuis le réseau local en utilisant votre adresse externe, et si vous avez
une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
précédente par :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -662,9 +668,9 @@ par :</p>
</blockquote>
<p>Si vous avez une IP dynamique, alors vous devez vous assurer que votre
interface externe est en route avant de lancer Shorewall et vous devez suivre
les étapes suivantes (en supposant que votre interface externe est <b>eth0</b>)
:</p>
interface externe est en route avant de lancer Shorewall et vous devez suivre
les étapes suivantes (en supposant que votre interface externe est <b>eth0</b>)
:</p>
<ol>
<li>Insérez ce qui suit dans /etc/shorewall/params :<br>
@ -703,8 +709,8 @@ les
</table>
</blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse
IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
@ -712,45 +718,46 @@ IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le firewall
(Domain Name Service) est configuré automatiquement (c.a.d., le fichier /etc/resolv.conf
a été écrit). Il arrive que votre provider vous donne une paire d'adresse
IP pour les DNS (name servers) afin que vous configuriez manuellement votre
serveur de nom primaire et secondaire. La manière dont le DNS est configuré
sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une
de ses deux façons :</p>
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous
donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez
manuellement votre serveur de nom primaire et secondaire. La manière dont
le DNS est configuré sur votre firewall est de votre responsabilité. Vous
pouvez procéder d'une de ses deux façons :</p>
<ul>
<li>
<p align="left">Vous pouvez configurer votre système interne pour utiliser
les noms de serveurs de votre provider. Si votre fournisseur vous donne les
adresses de leurs serveurs ou si ces adresses sont disponibles sur leur site
web, vous pouvez configurer votre système interne afin de les utiliser. Si
cette information n'est pas disponible, regardez dans /etc/resolv.conf sur
votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
"nameserver" dans ce fichier. </p>
les noms de serveurs de votre provider. Si votre fournisseur vous donne
les adresses de leurs serveurs ou si ces adresses sont disponibles sur leur
site web, vous pouvez configurer votre système interne afin de les utiliser.
Si cette information n'est pas disponible, regardez dans /etc/resolv.conf
sur votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
"nameserver" dans ce fichier. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
Vous pouvez installer/configurer un cache dns (Caching Name Server) sur
votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache
un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs
de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez
votre système interne pour utiliser le firewall lui même comme étant le seul
serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne du firewall
(10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom si vous décidez
de faire tourner le serveur de nom sur votre firewall. Pour permettre à vos
systèmes locaux de discuter avec votre serveur cache de nom, vous devez ouvrir
le port 53 (UDP ET  TCP) sur le firewall vers le réseau local; vous ferez
ceci en ajoutant les règles suivantes dans /etc/shorewall/rules. </p>
votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache
un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs
de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez
votre système interne pour utiliser le firewall lui même comme étant le
seul serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne
du firewall (10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom
si vous décidez de faire tourner le serveur de nom sur votre firewall. Pour
permettre à vos systèmes locaux de discuter avec votre serveur cache de
nom, vous devez ouvrir le port 53 (UDP ET  TCP) sur le firewall vers le
réseau local; vous ferez ceci en ajoutant les règles suivantes dans /etc/shorewall/rules.
</p>
</li>
</ul>
<blockquote>
<p align="left">Si vous faites tourner le serveur de nom sur le firewall
:
:
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
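Review bot: `<p align="left">Si vous faites tourner le serveur de nom sur le firewall :` is followed directly by `<table ...>` with no `</p>`; a table is not permitted inside a paragraph and browsers implicitly close it, so add `</p>` before the `<table>` while this line is being rewritten. In the same hunk, "d'une de ses deux façons" should be "ces deux façons" and "le RPM requis aussi le RPM 'bind'" should be "le RPM requiert aussi".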
@ -885,7 +892,7 @@ ceci en ajoutant les r
<div align="left">
<p align="left">L'exemple pour trois interfaces contient les règles suivantes
:</p>
:</p>
</div>
<div align="left">
@ -932,8 +939,8 @@ ceci en ajoutant les r
<div align="left">
<p align="left">Ces règles permettent l'accès DNS depuis votre firewall et
peuvent être enlevées si vous avez décommenté la ligne dans /etc/shorewall/policy
autorisant toutes les connexions depuis votre firewall et vers Internet.</p>
peuvent être enlevées si vous avez décommenté la ligne dans /etc/shorewall/policy
autorisant toutes les connexions depuis votre firewall et vers Internet.</p>
</div>
<div align="left">
@ -984,13 +991,13 @@ autorisant toutes les connexions depuis votre firewall et vers Internet.</p>
<div align="left">
<p align="left">Cette règle permet de faire fonctionner une serveur SSH sur
le firewall et sur tous les systèmes de la DMZ et d'y autoriser la connexion
à partir de votre réseau local.</p>
le firewall et sur tous les systèmes de la DMZ et d'y autoriser la connexion
à partir de votre réseau local.</p>
</div>
<div align="left">
<p align="left">Si vous désirez permettre d'autres connexions entre vos systèmes,
la forme générale est :</p>
la forme générale est :</p>
</div>
<div align="left">
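Review bot: "faire fonctionner une serveur SSH" in the re-wrapped line should be "un serveur SSH".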
@ -1026,7 +1033,7 @@ la forme g
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur DNS disponible
pour le publique sur votre firewall :</p>
pour le publique sur votre firewall :</p>
</div>
<div align="left">
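Review bot: "un serveur DNS disponible pour le publique" should read "pour le public" (the noun, not the adjective "publique"); the line is being rewrapped in this hunk anyway, so correct the spelling in the same change.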
@ -1069,20 +1076,20 @@ pour le publique sur votre firewall :</p>
<div align="left">
<p align="left">Ces deux règles seront, bien sur, ajoutées aux règles décrites
dans "Vous pouvez installer/configurer un cache dns (Caching Name Server)
sur votre firewall ou dans la DMZ".</p>
dans "Vous pouvez installer/configurer un cache dns (Caching Name Server)
sur votre firewall ou dans la DMZ".</p>
</div>
<div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une application
particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div>
<div align="left">
<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
depuis ou vers l'Internet car il utilise du texte en clair (même pour le login
et le mot de passe !). Si vous voulez avoir un accès au shell de votre firewall
depuis Internet, utilisez SSH :</p>
depuis ou vers l'Internet car il utilise du texte en clair (même pour le
login et le mot de passe !). Si vous voulez avoir un accès au shell de votre
firewall depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
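Review bot: "bien sur" in the first line of this hunk should be "bien sûr" (the accent is present elsewhere in this file, e.g. "règles", "décrites"). The "Important" paragraph warning that telnet carries the login and password in clear text and recommending SSH for shell access to the firewall from the Internet is the security point of this region and survives the rewrap unchanged, which is what you want.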
@ -1120,7 +1127,7 @@ depuis Internet, utilisez SSH :</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p>
désirées.</p>
</div>
<div align="left">
@ -1130,49 +1137,49 @@ d
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation</a> configure votre système
pour lancer Shorewall au boot du système, mais au début avec la version 1.3.9
de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en avez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
La <a href="Install.htm">procédure d'installation</a> configure votre
système pour lancer Shorewall au boot du système, mais au début avec la
version 1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de
lancer Shorewall avec que la configuration soit finie. Une fois que vous
en avez fini avec la configuration du firewall, vous pouvez permettre le
lancement de Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer
/etc/default/shorewall et mettre 'startup=1'<font color="#ff0000">.</font><br>
/etc/default/shorewall et mettre 'startup=1'<font color="#ff0000">.</font><br>
</p>
</div>
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
routage est autorisé sur les hôtes qui possèdent une entrée dans <a
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
de Netfilter, utilisez "shorewall clear".</p>
firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
de Netfilter, utilisez "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
L'exemple pour trois interfaces suppose que vous voulez permettre le routage
depuis/vers <b>eth1 </b>(votre réseau local) et<b> eth2</b>(DMZ) lorsque
Shorewall est arrêté. Si ces deux interfaces ne sont pas connectées
à votre réseau local et votre DMZ, ou si vous voulez permettre un ensemble
d'hôtes différents, modifiez /etc/shorewall/routestopped en conséquence.</p>
depuis/vers <b>eth1 </b>(votre réseau local) et<b> eth2</b>(DMZ) lorsque
Shorewall est arrêté. Si ces deux interfaces ne sont pas connectées
à votre réseau local et votre DMZ, ou si vous voulez permettre un ensemble
d'hôtes différents, modifiez /etc/shorewall/routestopped en conséquence.</p>
</div>
<div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet,
n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté
une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
href="configuration_file_basics.htm#Configs">alternative</a></i>et de la
tester en utilisant la commande <a
tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div>
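Review bot: two grammar slips survive the rewrap in the touched French lines: "n'essayer pas de lancer Shorewall avec que la configuration soit finie" should be "n'essayez pas de lancer Shorewall avant que la configuration soit finie", and "vous êtes connectée" in the ATTENTION paragraph should be "vous êtes connecté". Since these exact lines are being rewritten here, fix them in the same change. The ATTENTION warning itself (add an entry for the address you are connected from to /etc/shorewall/routestopped before issuing "shorewall stop" from a remote session, and prefer "shorewall try" with an alternative configuration over "shorewall restart") is the important operational point of the hunk and is correctly preserved.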
@ -1180,7 +1187,8 @@ tester en utilisant la commande <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
M. Eastep</font></a></p>
<br>
<br>
<br>
<br>

View File

@ -18,7 +18,6 @@
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle">
@ -50,9 +49,8 @@
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log
where the error message you saw is generated -- in 99.9% of the cases, it
will not be near the end of the log because after startup errors, Shorewall
goes through a "shorewall stop" phase which will also be traced.</li>
where the error message you saw is generated -- If you are using Shorewall
1.4.0 or later, you should find the message near the end of the log.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
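Review bot: the replacement sentence drops the explanation that still applies to releases before 1.4.0, and the text after the dash now begins with a capitalised "If" mid-sentence. Readers on older versions will still hit the behaviour the old sentence described (the error is buried above the traced "shorewall stop" phase), so consider keeping both cases, e.g. "If you are using Shorewall 1.4.0 or later, you should find the message near the end of the log; on earlier versions it will not be near the end, because after startup errors Shorewall goes through a "shorewall stop" phase which is also traced."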
@ -73,13 +71,12 @@
<h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus:
</p>
<p>Many times when people have problems with Shorewall, the problem is actually
an ill-conceived network setup. Here are several popular snafus: </p>
<ul>
<li>Port Forwarding where client and server are in
the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Port Forwarding where client and server are
in the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the
external subnet, thinking that Shorewall will suddenly believe that
the system is in the 'net' zone.</li>
@ -114,16 +111,14 @@ the event that you forget to remove them later.</p>
<p align="left">LOGRATE=""<br>
LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">This way, you will see all of the log messages being generated
(be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p>
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2
OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63
ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
@ -151,8 +146,8 @@ policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
</p>
<h3 align="left">'Ping' Problems?</h3>
Either can't ping when you think you should be able to or are able to ping
when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
Either can't ping when you think you should be able to or are able to
ping when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
href="ping.html"> is described here</a>.<br>
<h3 align="left">Other Gotchas</h3>
@ -160,27 +155,26 @@ policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT
or FORWARD chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that
is sending the packets or the destination host isn't in any zone
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
file are you?); or</li>
<li>the source and destination hosts are both connected to
the same interface and you don't have a policy or rule for the
source zone to or from the destination zone.</li>
<li>the source and destination hosts are both connected
to the same interface and you don't have a policy or rule for
the source zone to or from the destination zone.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want
pings to be allowed between zones, you need a rule of the form:<br>
type 8 ("ping") requests to be sent between zones. If you want pings
to be allowed between zones, you need a rule of the form:<br>
<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br>
    ACCEPT    &lt;source zone&gt;    &lt;destination
zone&gt;    icmp    echo-request<br>
<br>
The ramifications of this can be subtle. For example, if you
have the following in /etc/shorewall/nat:<br>
The ramifications of this can be subtle. For example, if
you have the following in /etc/shorewall/nat:<br>
<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
@ -190,20 +184,20 @@ and the zone containing 10.1.1.2, the ping requests will be dropped.
<li>If you specify "routefilter" for an interface, that
interface must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems
usually need to be configured with their default gateway set to
the IP address of their nearest firewall interface. One often overlooked
usually need to be configured with their default gateway set to the
IP address of their nearest firewall interface. One often overlooked
aspect of routing is that in order for two hosts to communicate, the
routing between them must be set up <u>in both directions.</u> So
when setting up routing between <b>A</b> and<b> B</b>, be sure to
verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
routing between them must be set up <u>in both directions.</u> So when
setting up routing between <b>A</b> and<b> B</b>, be sure to verify
that the route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have
a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Shorewall requires the "ip" program. That program is
generally included in the "iproute" package which should be included
<li>Shorewall requires the "ip" program. That program
is generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
@ -219,15 +213,12 @@ add all external addresses to be use with NAT unless you have set <a
<p>See the<a href="support.htm"> support page.<br>
</a></p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 2/21/2003 - Tom Eastep</font> </p>
<p><font size="2">Last updated 4/29/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
</p>
</body>
</html>
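Review bot: the "Last updated" line is bumped from 2/21/2003 to 4/29/2003, but the copyright line two lines below still reads "2001, 2002 Thomas M. Eastep"; add 2003 to it in the same change. Separately, the trailing `</p>` after the two `<br>` lines has no matching open `<p>` (the preceding paragraph is already closed by the `</p>` after `<br>`), so either drop it or move the two `<br>` lines inside the paragraph.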

View File

@ -30,8 +30,8 @@
</table>
<p align="left">Setting up a Linux system as a firewall for a small network
is a fairly straight-forward task if you understand the basics and
follow the documentation.</p>
is a fairly straight-forward task if you understand the basics
and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall
@ -39,7 +39,7 @@
<ul>
<li>Linux system used as a firewall/router for a small
local network.</li>
local network.</li>
<li>Single public IP address.</li>
<li>Internet connection through cable modem, DSL, ISDN,
Frame Relay, dial-up ...</li>
@ -59,8 +59,8 @@ local network.</li>
</b></p>
<p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you use
the rest of this documentation (it has two local zones; "loc" and "masq"
Internet Connection Sharing is strange and is apt to confuse you if you
use the rest of this documentation (it has two local zones; "loc" and "masq"
where "loc" is empty; this conflicts with this documentation which assumes
a single local zone "loc"). We therefore recommend that once you have set
up this sharing that you uninstall the Mandrake Shorewall RPM and install
@ -70,37 +70,37 @@ instructions in this Guide.</b><br>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command
to check for this program:</p>
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
recommended are flagged with <img border="0"
src="images/BD21298_.gif" width="13" height="13">
. Configuration notes that are unique to LEAF/Bering are
marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)" width="49"
height="36">
marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
width="49" height="36">
</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system,
you must save them as Unix files if your editor supports that option
or you must run them through dos2unix before trying to use them. Similarly,
if you copy a configuration file from your Windows hard drive to a
floppy disk, you must run dos2unix against the copy before using it with
Shorewall.</p>
    If you edit your configuration files on a Windows
system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying to
use them. Similarly, if you copy a configuration file from your Windows
hard drive to a floppy disk, you must run dos2unix against the copy
before using it with Shorewall.</p>
<ul>
<li><a
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
@ -112,18 +112,17 @@ Shorewall.</p>
directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface
sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy
the files to /etc/shorewall (these files will replace files with
the same name).</b></p>
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
/etc/shorewall (these files will replace files with the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
instructions and default entries.</p>
instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the two-interface sample configuration, the
following zone names are used:</p>
set of <i>zones.</i> In the two-interface sample configuration,
the following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
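Review bot: the new link points at the directory http://www1.shorewall.net/pub/shorewall/Samples/ rather than at a tarball, while the following text still says "un-tar it (tar -zxvf two-interfaces.tgz)", so the reader is not told which file to fetch from that listing; either link the file directly or name it in the text. Also note the host changed from www.shorewall.net to www1.shorewall.net, which is worth confirming as intended, and the duplicated "and and copy the files" is present on both sides of the hunk and should be fixed while the line is being touched.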
@ -154,23 +153,23 @@ instructions and default entries.</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from
one zone to another zone in the<a
<li>You express your default policy for connections
from one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in
the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You define exceptions to those default policies
in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or
DROP  the request is first checked against the rules in /etc/shorewall/common
that matches the request is applied. If that policy is REJECT
or DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -244,14 +243,14 @@ the following policies:</p>
<li>drop (ignore) all connection requests from the internet
to your firewall or local network</li>
<li>optionally accept all connection requests from the
firewall to the internet (if you uncomment the additional policy)</li>
firewall to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li>
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make
any changes that you wish.</p>
    At this point, edit your /etc/shorewall/policy and
make any changes that you wish.</p>
<h2 align="left">Network Interfaces</h2>
@ -259,9 +258,9 @@ firewall to the internet (if you uncomment the additional policy)</li>
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
@ -277,9 +276,9 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you have
only a single internal system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
computers will be connected to the same hub/switch (note: If you
have only a single internal system, you can connect the firewall
directly to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
@ -292,8 +291,8 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
width="13" height="13">
    The Shorewall two-interface sample configuration assumes
that the external interface is <b>eth0</b> and the internal interface
is <b>eth1</b>. If your configuration is different, you will have to
modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
is <b>eth1</b>. If your configuration is different, you will have
to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file accordingly. While you are there, you may wish to review the
list of options that are specified for the interfaces. Some hints:</p>
@ -306,7 +305,7 @@ list of options that are specified for the interfaces. Some hints:</p>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from
the option list. </p>
the option list. </p>
</li>
</ul>
@ -314,17 +313,18 @@ the option list. </p>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>However your external address
is assigned, it will be shared by all of your systems when you access the
Internet. You will have to assign your own addresses in your internal
network (the Internal Interface on your firewall plus your other computers).
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
you a single <i> Public</i> IP address. This address may be assigned
via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
of establishing your connection when you dial in (standard modem) or
establish your PPP connection. In rare cases, your ISP may assign you
a<i> static</i> IP address; that means that you configure your firewall's
external interface to use that address permanently.<i> </i>However
your external address is assigned, it will be shared by all of your systems
when you access the Internet. You will have to assign your own addresses
in your internal network (the Internal Interface on your firewall plus
your other computers). RFC 1918 reserves several <i>Private </i>IP address
ranges for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -334,23 +334,23 @@ RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the
IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p>
IP address of your external interface and if it is one of the
above ranges, you should remove the 'norfc1918' option from the
external interface's entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a
subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is
reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive leading "1"
bits from the left of the subnet mask. </p>
bits from the left of the subnet mask. </p>
</div>
<div align="left">
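Review bot: "we can consider a subnet to consists of a range of addresses" should be "to consist of", and in the same paragraph "(CIDR) notation with consists of the subnet address followed by "/24"" should be "which consists of". The whole paragraph is rewrapped in this hunk, so both fixes belong here.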
@ -400,17 +400,17 @@ bits from the left of the subnet mask. </p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (computer 1 and computer 2 in
the above diagram) should be configured with their<i> default gateway</i>
to be the IP address of the firewall's internal interface.<i>     
    Your local computers (computer 1 and computer 2
in the above diagram) should be configured with their<i> default
gateway</i> to be the IP address of the firewall's internal interface.<i>     
</i> </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i>
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
more about IP addressing and routing, I highly recommend <i>"IP
Fundamentals: What Everyone Needs to Know about Addressing &amp;
Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
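Review bot: "The remainder of this quide" in the trailing context lines is a typo for "guide"; since the adjacent paragraph is already being rewritten, it is cheap to fix in this change.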
@ -424,34 +424,34 @@ Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might assign
your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24
subnet then you will need to select a DIFFERENT RFC 1918 subnet for your
local network.</b><br>
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP might
assign your external interface an RFC 1918 address. If that address is
in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC
1918 subnet for your local network.</b><br>
</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network Address
Translation </i>(NAT). The firewall rewrites the source address in
the packet to be the address of the firewall's external interface; in
other words, the firewall makes it look as if the firewall itself is
initiating the connection.  This is necessary so that the destination
to as <i>non-routable</i> because the Internet backbone routers
don't forward packets which have an RFC-1918 destination address.
When one of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its response
to computer 1). When the firewall receives a return packet, it rewrites
the destination address back to 10.10.10.1 and forwards the packet on
to computer 1. </p>
to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<ul>
<li>
@ -468,8 +468,9 @@ to computer 1. </p>
</ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use Masquerading
if your external IP is dynamic and SNAT if the IP is static.</p>
entries in the /etc/shorewall/masq file. You will normally use
Masquerading if your external IP is dynamic and SNAT if the IP
is static.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
@ -491,7 +492,7 @@ the third column in the /etc/shorewall/masq entry if you like although
height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not,
change them appropriately:<br>
change them appropriately:<br>
</p>
<ul>
@ -505,16 +506,16 @@ change them appropriately:<br>
<p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
requests to the firewall who rewrites the destination address to the
address of your server and forwards the packet to that server. When
your server responds, the firewall automatically performs SNAT to rewrite
the source address in the response.</p>
it is not possible for clients on the internet to connect directly
to them. It is rather necessary for those clients to address their
connection requests to the firewall who rewrites the destination address
to the address of your server and forwards the packet to that server.
When your server responds, the firewall automatically performs SNAT
to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in /etc/shorewall/rules
is:</p>
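Review bot: the re-wrapped sentence still reads "the firewall who rewrites the destination address" (both the removed and the added lines carry it); since this paragraph is being reflowed anyway, "the firewall, which rewrites the destination address" would be the correct wording. The description of the mechanism itself (clients address the firewall, the firewall rewrites the destination, and the reply's source address is rewritten back) is accurate and needs no change.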
@ -581,13 +582,13 @@ port forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<ul>
<li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running on
computers 1 or 2 or on the firewall). If you want to be able to
access your web server using the IP address of your external interface,
of your local network (i.e., don't test from a browser running
on computers 1 or 2 or on the firewall). If you want to be able
to access your web server using the IP address of your external interface,
see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port
80. If you have problems connecting to your web server, try the
following rule and try connecting to port 5000.</li>
<li>Many ISPs block incoming connection requests to
port 80. If you have problems connecting to your web server, try
the following rule and try connecting to port 5000.</li>
</ul>
@ -619,29 +620,30 @@ following rule and try connecting to port 5000.</li>
</blockquote>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, modify /etc/shorewall/rules to add any
DNAT rules that you require.</p>
    At this point, modify /etc/shorewall/rules to add
any DNAT rules that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file
will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. Regardless of how DNS gets
configured on your firewall, it is <u>your</u> responsibility to configure
the resolver in your internal systems. You can take one of two approaches:</p>
an IP address your firewall's <i>Domain Name Service </i>(DNS)
resolver will be automatically configured (e.g., the /etc/resolv.conf
file will be written). Alternatively, your ISP may have given you
the IP address of a pair of DNS <i> name servers</i> for you to manually
configure as your primary and secondary name servers. Regardless of
how DNS gets configured on your firewall, it is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information
isn't available, look in /etc/resolv.conf on your firewall system
-- the name servers are given in "nameserver" records in that file.
</p>
or if those addresses are available on their web site, you can
configure your internal systems to use those addresses. If that
information isn't available, look in /etc/resolv.conf on your firewall
system -- the name servers are given in "nameserver" records in that
file. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
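Review bot: the unchanged context line "If you ISP gave you the addresses of their servers" has a typo ("you ISP" for "your ISP") that this reflow leaves in place; worth fixing while the surrounding lines are being touched.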
@ -652,10 +654,10 @@ as your primary and secondary name servers. Regardless of how DNS gets
is dnscache.lrp. If you take this approach, you configure your internal
systems to use the firewall itself as their primary (and only) name
server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address. To allow your
local systems to talk to your caching name server, you must open port
53 (both UDP and TCP) from the local network to the firewall; you
do that by adding the following rules in /etc/shorewall/rules. </p>
in the example above) for the name server address. To allow your local
systems to talk to your caching name server, you must open port 53
(both UDP and TCP) from the local network to the firewall; you do
that by adding the following rules in /etc/shorewall/rules. </p>
</li>
</ul>
@ -744,8 +746,8 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
<div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be
removed if you uncommented the line in /etc/shorewall/policy allowing
all connections from the firewall to the internet.</p>
removed if you uncommented the line in /etc/shorewall/policy
allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
@ -821,8 +823,7 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server on your firewall
system:</p>
<p align="left">Example - You want to run a Web Server on your firewall system:</p>
</div>
<div align="left">
@ -866,7 +867,7 @@ system:</p>
<div align="left">
<p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server on
your firewall"</p>
your firewall"</p>
</div>
<div align="left">
@ -876,8 +877,8 @@ uses, look <a href="ports.htm">here</a>.</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -961,7 +962,7 @@ uses, look <a href="ports.htm">here</a>.</p>
<p align="left"><br>
<img border="0" src="images/BD21298_.gif" width="13" height="13">
    Now edit your /etc/shorewall/rules file to add or
delete other connections as required.</p>
delete other connections as required.</p>
</div>
<div align="left">
@ -974,8 +975,8 @@ delete other connections as required.</p>
    The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once you
have completed configuration of your firewall, you can enable Shorewall
won't try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
@ -991,28 +992,28 @@ delete other connections as required.</p>
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from
your Netfilter configuration, use "shorewall clear".</p>
command. If you want to totally remove any trace of Shorewall
from your Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is
stopped. If your local network isn't connected to <b>eth1</b> or if you
wish to enable access to/from other hosts, change /etc/shorewall/routestopped
routing to/from <b>eth1 </b>(the local network) when Shorewall
is stopped. If your local network isn't connected to <b>eth1</b> or
if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
the internet, do not issue a "shorewall stop" command unless
you have added an entry for the IP address that you are connected
from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div>
@ -1025,5 +1026,6 @@ configuration</a></i> and test it using the <a
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -39,16 +39,16 @@
<p align="left"><br>
<small><i><u>Notes du traducteur</u> :<br>
Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou mon
travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne me
suis pas attach&eacute; &agrave; une traduction exacte du texte, mais plut&ocirc;t
&agrave; en faire une version fran&ccedil;aise intelligible par tous (et
par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou
mon travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne
me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais
plut&ocirc;t &agrave; en faire une version fran&ccedil;aise intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez
les retrouver dans le reste des documentations ainsi que dans les fichiers
de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
(merci &agrave; JMM pour sa relecture et ses commentaires pertinents, ainsi
(merci &agrave; JMM pour sa relecture et ses commentaires pertinents, ainsi
qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i></small><i>.<br>
<br>
</i></p>
@ -57,8 +57,8 @@ qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i>
pour un petit r&eacute;seau est une chose assez simple, si vous comprenez
les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
se focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
son utilisation la plus courante :</p>
<ul>
@ -80,7 +80,7 @@ ISDN, "Frame Relay", RTC ... </p>
<p align="center"><img src="images/basics.png" name="Image1"
align="bottom" width="444" height="635" border="0">
</p>
</p>
<p><b>Si vous faites tourner Shorewall sous Mandrake 9.0 ou plus r&eacute;cent,
vous pouvez facilement r&eacute;aliser la configuration ci-dessus en utilisant
@ -91,8 +91,8 @@ guide.</b></p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i>
</i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant
la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall.
Sous root, utilisez la commande 'which' pour rechercher le programme :</p>
la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall. Sous
root, utilisez la commande 'which' pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -102,13 +102,13 @@ en effectuant le changements dans votre configuration. Les points o&ugrave;,
les changements dans la configuration sont recommand&eacute;es, sont signal&eacute;s
par une <img src="images/BD21298_.gif" name="Image2" align="bottom"
width="13" height="13" border="0">
.</p>
.</p>
<p><img src="images/j0213519.gif" name="Image3" align="bottom"
width="60" height="60" border="0">
&nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration sur
un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix
si votre &eacute;diteur offre cette option sinon vous devez les faire passer
&nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration sur
un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix si
votre &eacute;diteur offre cette option sinon vous devez les faire passer
par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re,
si vous copiez un fichier de configuration depuis votre disque dur Windows
vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser
@ -131,15 +131,14 @@ of dos2unix</a> </p>
<p><img src="images/BD21298_.gif" name="Image4" align="bottom"
width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans
&nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans
le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous
n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit
dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute; Shorewall</a>,
t&eacute;l&eacute; chargez<b> le <a
href="http://france.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface
sample</a>, un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers
vers /etc/shorewall (ces fichiers remplaceront les fichiers de m&ecirc;me
nom).</b></p>
dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute;
Shorewall</a>, t&eacute;l&eacute; chargez<b> le <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers vers /etc/shorewall
(ces fichiers remplaceront les fichiers de m&ecirc;me nom).</b></p>
<p>Parall&egrave;lement &agrave; la pr&eacute;sentation de chacun des fichiers,
je vous sugg&egrave;re de regarder le fichier qui se trouve r&eacute;ellement
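Review bot: the replaced link no longer points at the archive the next sentence tells the reader to unpack. The old href ended in LATEST.samples/two-interfaces.tgz; the new one, http://www1.shorewall.net/pub/shorewall/Samples/, is a directory, yet the text still says "un-tarez le (tar -zxvf two-interfaces.tgz)". Either link to the tarball itself or tell the reader which file to fetch from that directory. The split word "t&eacute;l&eacute; chargez" (should be "t&eacute;l&eacute;chargez") is also carried over unchanged in the added lines.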
@ -205,11 +204,11 @@ d&eacute;faut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/r
<p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te
est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules.
Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande
de connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou
DROP&nbsp; la requ&ecirc;te est dans un premier temps compar&eacute;e par
rapport aux r&egrave;gles contenues dans /etc/shorewall/common.</p>
Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande de
connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou DROP&nbsp;
la requ&ecirc;te est dans un premier temps compar&eacute;e par rapport aux
r&egrave;gles contenues dans /etc/shorewall/common.</p>
<p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface)
a les politiques suivantes:</p>
@ -292,9 +291,9 @@ a les politiques suivantes:</p>
</dd>
</dl>
<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante
est inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall
puisse avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante est
inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall puisse
avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
la ligne.</blockquote>
<a name="AutoNumber31"></a>
<dl>
@ -366,14 +365,14 @@ comment&eacute; la politique additionnelle) </p>
<p><img src="images/BD21298_.gif" name="Image5" align="bottom"
width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; A ce point, &eacute;ditez votre fichier /etc/shorewall/policy
&nbsp;&nbsp;&nbsp; A ce point, &eacute;ditez votre fichier /etc/shorewall/policy
et faite les changements que vous d&eacute;sirez.</p>
<h2 align="left">Network Interfaces</h2>
<p align="center"><img src="images/basics.png" name="Image6"
align="bottom" width="444" height="635" border="0">
</p>
</p>
<p align="left">Le firewall a deux interfaces de r&eacute;seau. Lorsque la
connexion Internet passe par le c&acirc;ble ou par un ROUTEUR (pas un simple
@ -381,14 +380,14 @@ modem) ADSL (non USB), l'interface vers l'ext&eacute;rieur (<i>External Interfac
sera l'adaptateur sur lequel est connect&eacute; le routeur (e.g., <b>eth0</b>)&nbsp;
<u>&agrave; moins que</u> vous ne vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol
over<u>E</u>thernet</i> (PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP),
dans ce cas l'interface ext&eacute;rieure sera une interface de type ppp
dans ce cas l'interface ext&eacute;rieure sera une interface de type ppp
(e.g., <b>ppp0</b>). Si vous vous connectez par un simple modem (RTC), votre
interface ext&eacute;rieure sera aussi <b>ppp0</b>. Si votre connexion passe
par Num&eacute;ris (ISDN), votre interface ext&eacute;rieure sera<b>ippp0.</b></p>
<p align="left"><img src="images/BD21298_1.gif" name="Image7"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre interface vers l'ext&eacute;rieur est<b>ppp0</b>
&nbsp;&nbsp;&nbsp; Si votre interface vers l'ext&eacute;rieur est<b>ppp0</b>
ou <b>ippp0</b>&nbsp; alors vous mettrez CLAMPMSS=yes dans <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></p>
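Review bot: the added line "Si votre interface vers l'ext&eacute;rieur est<b>ppp0</b>" is missing the space before the <b> tag, so it renders as "estppp0"; the same problem exists on the unchanged context lines "sera<b>ippp0.</b>" and in the PPPoE/PPTP expansions ("<u>P</u>oint<u>P</u>rotocol over<u>E</u>thernet", "<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP)"), which read as run-together words. Add a space before each opening <b>/<u> and after the closing </i>.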
@ -399,23 +398,23 @@ autres ordinateurs seront connect&eacute;s &agrave; ce m&ecirc;me hub/switch</p>
<p align="left"><b><u><img src="images/j0213519.gif" name="Image8"
align="bottom" width="60" height="60" border="0">
</u></b>Ne connectez pas l'interface interne et externe sur le m&ecirc;me
</u></b>Ne connectez pas l'interface interne et externe sur le m&ecirc;me
hub ou switch (m&ecirc;me pour tester). Cela ne fonctionnera pas et ne croyez
pas que ce soit shorewall qui ne marche pas.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image9"
align="left" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Le fichier de configuration d'exemple pour deux interfaces
&nbsp;&nbsp;&nbsp; Le fichier de configuration d'exemple pour deux interfaces
suppose que votre interface externe est <b>eth0</b>et que l'interne est <b>eth1</b>.
Si votre configuration est diff&eacute;rente, vous devrez modifier le fichier
Si votre configuration est diff&eacute;rente, vous devrez modifier le fichier
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> en cons&eacute;quence.
Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options
qui sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p>
Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options qui
sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p>
<ul>
<li>
<p align="left">Si votre interface vers l'ext&eacute;rieur est <b>ppp0</b>
ou <b>ippp0</b>, vous pouvez remplacer le "detect" dans la seconde colonne
ou <b>ippp0</b>, vous pouvez remplacer le "detect" dans la seconde colonne
par un "-". </p>
</li>
<li>
@ -431,24 +430,24 @@ ou <b>ippp0</b> ou si vous avez une adresse IP statique, vous pouvez enlever
<p align="left">Avant d'aller plus loin, nous devons dire quelques mots au
sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP
address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i>
Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement de
votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i>
Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement
de votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
votre connexion PPP. Dans de rares cas , votre provider peut vous assigner
une adresse statique<i> (static</i>IP address); cela signifie que vous devez
configurer l'interface externe de votre firewall afin d'utiliser cette adresse
de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle
va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s
&agrave; Internet. Vous devrez assigner vos propres adresses dans votre r&eacute;seau
local (votre interface interne sur le firewall &nbsp;ainsi que les autres
ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages d'IP (<i>Private</i>IP
address ranges) &agrave; cette fin :</p>
&agrave; Internet. Vous devrez assigner vos propres adresses dans votre
r&eacute;seau local (votre interface interne sur le firewall &nbsp;ainsi
que les autres ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages
d'IP (<i>Private</i>IP address ranges) &agrave; cette fin :</p>
<pre style="text-align: left;"> 10.0.0.0 - 10.255.255.255an<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
<p align="left"><img src="images/BD21298_.gif" name="Image10"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Avant de lancer Shorewall, vous devriez regarder l'adresse
&nbsp;&nbsp;&nbsp; Avant de lancer Shorewall, vous devriez regarder l'adresse
IP de votre interface externe, et si elle est dans les plages pr&eacute;c&eacute;dentes,
vous devriez enlever l'option 'norfc1918' dans la ligne concernant l'interface
externe dans le fichier /etc/shorewall/interfaces.</p>
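Review bot: the RFC 1918 <pre> block in this hunk's context has a stray "an" appended to the first range ("10.0.0.0 - 10.255.255.255an"); it should read "10.0.0.0 - 10.255.255.255", since a reader copying these ranges into /etc/shorewall/rfc1918 or a rule would otherwise carry the garbage along. Several missing spaces around inline tags also survive the reflow in the added lines ("<i>Public</i>IP", "Dynamic<i> Host Configuration Protocol</i>(DHCP)", "<i>Private</i>IP address ranges"), rendering as "PublicIP", "Protocol(DHCP)" and "PrivateIP".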
@ -456,11 +455,11 @@ externe dans le fichier /etc/shorewall/interfaces.</p>
<p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau
(<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer
un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque
sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0.
L'adresse x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau
(<i>Subnet Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse
de broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un
sous-r&eacute;seau est d&eacute;crit en utilisant <a
sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0. L'adresse
x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau (<i>Subnet
Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse de
broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un sous-r&eacute;seau
est d&eacute;crit en utilisant <a
href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain
Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie
par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de
@ -523,23 +522,23 @@ des paquets &agrave; travers le gateway (routeur).</p>
<p align="left"><img src="images/BD21298_1.gif" name="Image11"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur 2
dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle
par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de l'interface
interne du firewall.</p>
&nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur
2 dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle
par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de
l'interface interne du firewall.</p>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A.
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
regarding subnetting and routing. If you are interested in learning more about
IP addressing and routing, I highly recommend <i>"IP Fundamentals: What Everyone
Needs to Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
1999, ISBN 0-13-975483-0.</p>
<p align="left">Le reste de ce guide assumera que vous avez configur&eacute;
votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
<p align="center"><img src="images/basics1.png" name="Image12"
align="bottom" width="444" height="635" border="0">
</p>
</p>
<p align="left">La passerelle par d&eacute;faut pour les ordinateurs 1 et
2 devrait &ecirc;tre 10.10.10.254.</p>
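Review bot: the paragraph beginning "The foregoing short discussion barely scratches the surface" is only re-wrapped here and remains in English inside the French guide, between two French paragraphs; since the lines are being rewritten anyway, translating it (keeping the book title, author, publisher and ISBN as they are) would be the useful change.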
@ -548,32 +547,32 @@ votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
<p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont
parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs
Internet (backbone) ne font pas circuler les paquets qui ont une adresse
de destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
Internet (backbone) ne font pas circuler les paquets qui ont une adresse de
destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur
par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>.
Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a
remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
le firewall fait croire que c'est lui m&ecirc;me qui initie la connexion.
Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable
Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable
de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont
pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC
1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet,
donc l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave;
l'ordinateur 1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse,
il remet l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet
vers l'ordinateur 1. </p>
1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet, donc
l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave; l'ordinateur
1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse, il remet
l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet vers
l'ordinateur 1. </p>
<p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est
souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi
le terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi le
terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
Shorewall suit la convention utilis&eacute;e avec Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous laissez
votre firewall d&eacute;tecter automatiquement l'adresse de l'interface
externe. </p>
votre firewall d&eacute;tecter automatiquement l'adresse de l'interface externe.
</p>
</li>
<li>
<p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous sp&eacute;cifiez
@ -590,25 +589,25 @@ SNAT si elle est statique.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image13"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>,
&nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>,
vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans
le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re
colonne par le nom de votre interface externe, et la seconde colonne par
le nom de votre interface interne.</p>
colonne par le nom de votre interface externe, et la seconde colonne par le
nom de votre interface interne.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image14"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre
&nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre
dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez,
de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez
cette colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez cette
colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
colonne permet un traitement des paquets sortant un peu plus efficace.<br>
<br>
<img src="images/BD21298_.gif" name="Image15" align="bottom" width="13"
height="13" border="0">
&nbsp;&nbsp;&nbsp; Si vous utilisez les paquets Debian, v&eacute;rifiez que
votre fichier de configuration shorewall.conf contient bien les valeurs suivantes,
si elles n'y sont pas faite les changements n&eacute;cessaires:</p>
<img src="images/BD21298_.gif" name="Image15" align="bottom"
width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si vous utilisez les paquets Debian, v&eacute;rifiez
que votre fichier de configuration shorewall.conf contient bien les valeurs
suivantes, si elles n'y sont pas faite les changements n&eacute;cessaires:</p>
<ul>
<li>
@ -630,11 +629,11 @@ ces clients d'adresser leurs demandes de connexion au firewall qui r&eacute;
&eacute;crit l'adresse de destination de votre serveur, et fait passer le
paquet &agrave; celui-ci. Lorsque votre serveur r&eacute;pond, le firewall
applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse source
dans la r&eacute;ponse.</p>
dans la r&eacute;ponse.</p>
<p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i>
ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez
le port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez le
port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
<p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding
dans /etc/shorewall/rules est:</p>
@ -761,8 +760,8 @@ voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave; ce syst&egrav
<li>
<p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle pr&eacute;c&eacute;dente
depuis un client &agrave; l'ext&eacute;rieur de votre r&eacute;seau local
(c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1
ou 2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der
(c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1 ou
2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der
&agrave; votre serveur web en utilisant l'adresse IP externe de votre firewall,
regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. </p>
</li>
@ -833,7 +832,7 @@ suivante et connectez vous sur le port 5000. </p>
<p><img src="images/BD21298_.gif" name="Image16" align="bottom"
width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; A ce point, modifiez /etc/shorewall/rules pour ajouter
&nbsp;&nbsp;&nbsp; A ce point, modifiez /etc/shorewall/rules pour ajouter
les r&egrave;gles DNAT dont vous avez besoin.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
@ -846,13 +845,13 @@ arrive que votre provider vous donne une paire d'adresse IP pour les DNS<i>
(name servers)</i> afin que vous configuriez manuellement votre serveur de
nom primaire et secondaire. La mani&egrave;re dont le DNS est configur&eacute;
sur votre firewall est de <u>votre</u> responsabilit&eacute;. Vous pouvez
proc&eacute;der d'une de ses deux fa&ccedil;ons :</p>
proc&eacute;der d'une de ses deux fa&ccedil;ons :</p>
<ul>
<li>
<p align="left">Vous pouvez configurer votre syst&egrave;me interne
pour utiliser les noms de serveurs de votre provider. Si votre fournisseur
vous donne les adresses de leurs serveurs ou si ces adresses sont disponibles
<p align="left">Vous pouvez configurer votre syst&egrave;me interne pour
utiliser les noms de serveurs de votre provider. Si votre fournisseur vous
donne les adresses de leurs serveurs ou si ces adresses sont disponibles
sur leur site web, vous pouvez configurer votre syst&egrave;me interne afin
de les utiliser. Si cette information n' est pas disponible, regardez dans
/etc/resolv.conf sur votre firewall -- les noms des serveurs sont donn&eacute;s
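Review bot: "d'une de ses deux fa&ccedil;ons" should be "d'une de ces deux fa&ccedil;ons" (demonstrative "ces", not possessive "ses"); the typo is carried unchanged into the rewrapped line. In the same paragraph "n' est pas disponible" has a stray space before "est"; the same "n' est" appears later in the file (the startup_disabled and routestopped paragraphs) and should be "n'est" throughout.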
@ -870,7 +869,7 @@ votre syst&egrave;me interne pour utiliser le firewall lui m&ecirc;me comme
IP interne du firewall (10.10.10.254 dans l'exemple) pour l'adresse de serveur
de nom. Pour permettre &agrave; vos syst&egrave;mes locaux de discuter avec
votre serveur cache de nom, vous devez ouvrir le port 53 (UDP ET&nbsp; TCP)
sur le firewall vers le r&eacute;seau local; vous ferez ceci en ajoutant
sur le firewall vers le r&eacute;seau local; vous ferez ceci en ajoutant
les r&egrave;gles suivantes dans /etc/shorewall/rules. </p>
</li>
@ -1039,10 +1038,10 @@ contiennent les r&egrave;gles suivantes :</p>
</dd>
</dl>
<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave;
partir de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez
d&eacute; comment&eacute; la ligne dans /etc/shorewall/policy autorisant
toutes les connexions depuis le firewall vers Internet.</p>
<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave; partir
de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez d&eacute;
comment&eacute; la ligne dans /etc/shorewall/policy autorisant toutes les
connexions depuis le firewall vers Internet.</p>
<p align="left">Les exemples contiennent aussi :</p>
<a name="AutoNumber45"></a>
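Review bot: "d&eacute;comment&eacute;" is a single word, but the old line `d&eacute; comment&eacute; la ligne dans /etc/shorewall/policy autorisant` and the rewrapped version, which now breaks the line between `d&eacute;` and `comment&eacute;`, both render as "dé commenté" because the browser turns the space or newline into a word break. Put `d&eacute;comment&eacute;` on one line with no whitespace inside it.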
@ -1103,12 +1102,11 @@ toutes les connexions depuis le firewall vers Internet.</p>
</dl>
<p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un
serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre
r&eacute;seau local.</p>
serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre r&eacute;seau
local.</p>
<p align="left">Si vous voulez permettre d'autres connexions entre votre
firewall et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est
:</p>
<p align="left">Si vous voulez permettre d'autres connexions entre votre firewall
et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est :</p>
<a name="AutoNumber46"></a>
<dl>
<dd>
@ -1249,15 +1247,15 @@ firewall :</p>
</dd>
</dl>
<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter
aux r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter aux
r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p>
<p align="left">Si vous ne savez pas quel port et quel protocole une application
particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p>
<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre
le telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre le
telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell
sur votre firewall depuis Internet, utilisez SSH :</p>
<a name="AutoNumber48"></a>
@ -1319,22 +1317,22 @@ sur votre firewall depuis Internet, utilisez SSH :</p>
<p align="left"><img src="images/BD21298_.gif" name="Image18"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Maintenant &eacute;ditez votre fichier /etc/shorewall/rules
&nbsp;&nbsp;&nbsp; Maintenant &eacute;ditez votre fichier /etc/shorewall/rules
pour ajouter ou supprimer les connexions voulues.</p>
<h2 align="left">Lancer et Arr&ecirc;ter votre Firewall</h2>
<p align="left"><img src="images/BD21298_2.gif" name="Image19"
alt="Arrow" align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; La&nbsp; <a href="Install.htm">proc&eacute;dure d'installation</a>
configure votre syst&egrave;me pour lancer Shorewall au boot du syst&egrave;me,
&nbsp;&nbsp;&nbsp; La&nbsp; <a href="Install.htm">proc&eacute;dure d'installation</a>
configure votre syst&egrave;me pour lancer Shorewall au boot du syst&egrave;me,
mais pour les d&eacute;butants sous Shorewall version 1.3.9, le lancement
est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie. Une
fois la configuration de votre firewall achev&eacute;e, vous pouvez permettre
le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
des paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
<p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall
start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;,
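Review bot: "mais pour les d&eacute;butants sous Shorewall version 1.3.9, le lancement est d&eacute;sactiv&eacute;" mistranslates the English guide's "beginning with Shorewall version 1.3.9" as "for beginners under Shorewall version 1.3.9". The startup_disabled mechanism applies to every installation from 1.3.9 onward, not to novice users, so the sentence should read "mais &agrave; partir de la version 1.3.9 de Shorewall, le lancement est d&eacute;sactiv&eacute; tant que la configuration n'est pas finie". Since these lines are being rewrapped anyway, the correction belongs in this hunk.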
@ -1346,12 +1344,11 @@ dans votre configuration de Netfilter, utilisez "shorewall clear".</p>
<p align="left"><img src="images/BD21298_.gif" name="Image20"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez
permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local)
lorsque Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est
pas connect&eacute; &agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s
depuis ou vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped
en cons&eacute;quence.</p>
&nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez
permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local) lorsque
Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est pas connect&eacute;
&agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s depuis ou
vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped en cons&eacute;quence.</p>
<p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave;
votre firewall depuis Internet, n'essayez pas la commande "shorewall stop"
@ -1360,7 +1357,7 @@ IP depuis laquelle vous &ecirc;tes connect&eacute; dans<a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. De
plus, je ne vous recommande pas d'utiliser "shorewall restart"; il est mieux
de cr&eacute;er une <a href="configuration_file_basics.htm#Configs"><i>configuration
alternative</i></a> et de l'essayer en utilisant la commande<a
alternative</i></a> et de l'essayer en utilisant la commande<a
href="starting_and_stopping_shorewall.htm">"shorewall try".</a></p>
<p align="left"><font size="2">Last updated 12/20/2002 - <a
@ -1376,5 +1373,6 @@ M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>


@ -34,54 +34,59 @@
<p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you are
currently running.<br>
</p>
</p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<p> You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</p>
<h3> </h3>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent
proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current documentation
If you have either of these cases, you will want to review the current documentation
and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
<br>
<ul>
<li>Beginning with Version 1.4.1, traffic between groups in the same
zone is accepted by default. Previously, traffic from a zone to itself
was treated just like any other traffic; any matching rules were applied
followed by enforcement of the appropriate policy. With 1.4.1 and later
versions, unless you have explicit rules for traffic from Z to Z or you
have an explicit Z to Z policy (where "Z" is some zone) then traffic between
the groups in zone Z will be accepted. If you do have one or more explicit
rules for Z to Z or if you have an explicit Z to Z policy then the behavior
is as it was in prior versions.</li>
zone is accepted by default. Previously, traffic from a zone to itself was
treated just like any other traffic; any matching rules were applied followed
by enforcement of the appropriate policy. With 1.4.1 and later versions,
unless you have explicit rules for traffic from Z to Z or you have an explicit
Z to Z policy (where "Z" is some zone) then traffic between the groups
in zone Z will be accepted. If you do have one or more explicit rules for
Z to Z or if you have an explicit Z to Z policy then the behavior is as it
was in prior versions.</li>
</ul>
<blockquote>
<ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between
two interfaces to the same zone, that policy can be removed and traffic
between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed and
traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that has
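Review bot: the sentence "You can use the "shorewall check" command to see the groups associated with each of your zones." now appears twice, once right after the Examples list and again as the first line under "Version &gt;= 1.4.1"; keep the first copy, which belongs with the definition of group, and drop the second. The empty `<h3> </h3>` inserted just before "<h3>Version &gt;= 1.4.2</h3>" renders as a blank heading and should go. Minor: "such a setups are ridiculous" should be "such setups are ridiculous".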
@ -94,59 +99,36 @@ between the interfaces will traverse fewer rules than previously.</li>
</blockquote>
<ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules
to deal with traffic from a given group back to itself. The <i>multi</i>
interface option is no longer available so if you want to route traffic between
two subnetworks on the same interface then either:</li>
<li> Sometimes, you want two separate zones on one interface but you
don't want Shorewall to set up any infrastructure to handle traffic between
them. </li>
</ul>
<blockquote>
<ol>
<li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks
as two groups in a single zone.</li>
</ol>
</blockquote>
If you use the technique described in FAQ 2 to send local requests addressed
to your firewall's external address back to a local server then you need to
change your configuration to match <a href="FAQ.htm#faq2">the new version
of FAQ #2.<br>
</a><br>
Example 1 -- Two zones:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
</blockquote>
Example 2 -- One zone:
<blockquote>
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
</blockquote>
Note that in the second example, we don't need any policy since z-&gt;z
traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br>
<br>
Sometimes, you want two separate zones on one interface but you don't
want Shorewall to set up any infrastructure to handle traffic between them.
<br>
<br>
Example:<br>
<blockquote>
<blockquote>Example:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be
involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to handle
traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric
routing where only the traffic on one direction flows through the firewall
and you are using a NONE polciy in the other direction. 
and you are using a NONE polciy in the other direction. </blockquote>
<h3>Version 1.4.1<br>
</h3>
<ul>
<li>In Version 1.4.1, Shorewall will never create rules to deal
with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then I recommend that you upgrade to Version
1.4.2 and use the 'routeback' interface or host option. </li>
</ul>
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br>
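Review bot: the new "Version 1.4.1" bullet tells users who want to route between two subnetworks on one interface to "upgrade to Version 1.4.2 and use the 'routeback' interface or host option", but the "Version &gt;= 1.4.2" section earlier in this file never mentions routeback, and the removed "Example 1 -- Two zones" and "Example 2 -- One zone" configurations were the only worked examples for that setup; add a routeback example (interfaces or hosts file entry) under the 1.4.2 heading so the pointer leads somewhere. Markup: `<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>` nests a <pre> inside a <pre>, which is invalid HTML; use one <pre> with <br> separators as the other examples do. Typos carried through the rewrap: "The secont Zone", "asymetric", "polciy", and "traffic on one direction" should be "in one direction".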
@ -172,19 +154,20 @@ traffic between z1 and z2 by using the new NONE policy:<br>
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when there
are entries for the zone in both files.</li>
contents are determined by BOTH the interfaces and hosts files when there
are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by
default; there is no need for your own /etc/shorewall/common file simply
to avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file
have been moved to /usr/share/shorewall.</li>
have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
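Review bot: four consecutive items in this list carry `<li value="6">`, so each of them is numbered 6 when rendered instead of continuing 6, 7, 8, 9; keep value="6" on the first of them only, or drop it altogether if the list is already at item 6 at that point. Also "The 'firewall', 'functions' and 'version' file have been moved" needs "files".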
@ -205,8 +188,8 @@ have been moved to /usr/share/shorewall.</li>
<ul>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same
interface that they arrived on in two cases:</li>
 Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:</li>
</ul>
@ -219,11 +202,11 @@ not use the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same
then the rule must be explicit - it must name the zone in both the SOURCE
and DESTINATION columns.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
</ul>
</blockquote>
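Review bot: "There are one or more rules for traffic for the source zone to or from the destination zone" is hard to parse; "There are one or more rules for traffic from the source zone to the destination zone (including rules that use the 'all' reserved word)" says what the exception that follows relies on.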
@ -232,9 +215,9 @@ and DESTINATION columns.</li>
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
     Beginning in version 1.3.14, Shorewall treats entries in
<a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The
change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The
change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
@ -282,11 +265,11 @@ follows:<br>
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be
used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the
old handling indefinitely so I urge current users to migrate to using
the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br>
used (If the option is not set in your /etc/shorewall/shorewall.conf then
OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the old
handling indefinitely so I urge current users to migrate to using the
new handling as soon as possible. See the <a href="ping.html">'Ping' handling
documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
@ -315,8 +298,8 @@ handling documentation</a> for details.<br>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following
rules in their /etc/shorewall/icmpdef file (creating this
file if necessary):</p>
rules in their /etc/shorewall/icmpdef file (creating this file
if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
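Review bot: "/etc/shorewall.conf" in "Users specifying ALLOWRELATED=No in /etc/shorewall.conf" is the wrong path; the file is /etc/shorewall/shorewall.conf, as the 1.3.14 ping-handling paragraph above spells it. Since this paragraph is being rewrapped anyway, fix the path in the same hunk.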
@ -328,10 +311,10 @@ file if necessary):</p>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol>
<li>Be sure you have a
backup -- you will need to transcribe
any Shorewall configuration changes
that you have made to the new configuration.</li>
<li>Be sure you have
a backup -- you will need to transcribe
any Shorewall configuration changes
that you have made to the new configuration.</li>
<li>Replace the shorwall.lrp
package provided on the Bering floppy
with the later one. If you did not
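Review bot: "shorwall.lrp" in "Replace the shorwall.lrp package provided on the Bering floppy" is missing an e; it should be shorewall.lrp, which is the package name users will look for on the floppy.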
@ -357,8 +340,8 @@ to add the following two Bering-specific rules to /etc/shorewall/rules:<
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
<ol>
<li>
@ -378,7 +361,7 @@ non-SYN packets after takeover.<br>
<br>
<font face="Courier">run_iptables -A common
-p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks
to rebuild connection<br>
to rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
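Review bot: the workaround `run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT` accepts every TCP segment with ACK set (and FIN/RST clear) that reaches the common chain, with no connection-tracking state check, so it is not confined to the failover window: for as long as it is in place, unsolicited ACK packets, including ACK-scan probes, are accepted instead of being dropped. The text should say that the rule is a temporary measure to be removed once connections have been re-established after takeover, or at least narrowed with -s/-d to the addresses that need it. Presentation: the snippet is set in `<font face="Courier">` with a run of `&nbsp;` padding to align the "#tracking table." comment continuation; a `<pre>` block, as used for the icmpdef rules above, would keep the alignment and be safe to copy and paste.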
@ -389,7 +372,7 @@ to rebuild connection<br>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
supported. </p>
supported. </p>
<p align="left">Example 1:</p>
@ -422,16 +405,17 @@ supported. </p>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 4/7/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><font size="2"> Last updated 4/13/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
</body>
</html>