fixed quotes, add CVS Id

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@969 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
mhnoyes 2003-12-26 16:16:55 +00:00
parent 3a70dd9c48
commit d5b6f09407
4 changed files with 73 additions and 64 deletions

View File

@ -2,6 +2,8 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="Multiple_Zones">
<!--$Id$-->
<articleinfo>
<title>Multiple Zones per Interface</title>
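Review bot: the <!--$Id$--> comment added after the <article> start tag will only be expanded into a revision string if the file also has the Subversion svn:keywords property set to include "Id" (this tree is served through git-svn, per the git-svn-id trailer); without that property the literal text "$Id$" ends up in the generated HTML. The same check applies to the three other files in this commit that receive the identical comment.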
@ -26,8 +28,8 @@
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled &#34;<ulink
url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -82,11 +84,11 @@
<para><emphasis role="bold">These examples use the local zone but the same
technique works for any zone.</emphasis> Remember that Shorewall
doesn&#39;t have any conceptual knowledge of &#34;Internet&#34;,
&#34;Local&#34;, or &#34;DMZ&#34; so all zones except the firewall itself
($FW) are the same as far as Shorewall is concerned. Also, the examples
use private (RFC 1918) addresses but public IP addresses can be used in
exactly the same way.</para>
doesn&#39;t have any conceptual knowledge of <quote>Internet</quote>,
<quote>Local</quote>, or <quote>DMZ</quote> so all zones except the
firewall itself ($FW) are the same as far as Shorewall is concerned. Also,
the examples use private (RFC 1918) addresses but public IP addresses can
be used in exactly the same way.</para>
</section>
<section>
@ -95,9 +97,9 @@
<para>Here is an example of a router in the local zone.</para>
<note>
<para> the <emphasis role="bold">box called &#34;Router&#34; could be a
VPN server</emphasis> or other such device; from the point of view of
this discussion, it makes no difference.</para>
<para>the <emphasis role="bold">box called <quote>Router</quote> could
be a VPN server</emphasis> or other such device; from the point of view
of this discussion, it makes no difference.</para>
</note>
<graphic fileref="images/MultiZone1.png" />
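Review bot: the rewritten note paragraph still begins with a lowercase word, "<para>the <emphasis role="bold">box called <quote>Router</quote> could", so the sentence inside the <note> renders as "the box called ..."; since the leading space before "the" was removed in this same hunk, capitalising it to "The" here would finish the cleanup.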
@ -145,8 +147,8 @@
</listitem>
<listitem>
<para>Set the &#39;routeback&#39; and &#39;newnotsyn&#39; options
for eth1 (the local firewall interface) in
<para>Set the <quote>routeback</quote> and <quote>newnotsyn</quote>
options for eth1 (the local firewall interface) in
/etc/shorewall/interfaces.</para>
</listitem>
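Review bot: "routeback" and "newnotsyn" are option keywords from /etc/shorewall/interfaces, not quoted speech, so wrapping them in <quote> makes the stylesheet render them with locale-specific typographic quotation marks; <option> or <literal> would render them in monospace and avoid a reader copying the quote characters into the interfaces file. The same consideration applies to the zone names marked up with <quote> elsewhere in this file.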
@ -165,19 +167,19 @@
<section>
<title>Nested Zones</title>
<para>You can define one zone (called it &#39;loc&#39;) as being all
hosts connectied to eth1 and a second zone &#39;loc1&#39;
<para>You can define one zone (called it <quote>loc</quote>) as being
all hosts connectied to eth1 and a second zone <quote>loc1</quote>
(192.168.2.0/24) as a sub-zone.</para>
<graphic fileref="images/MultiZone1A.png" />
<para>The advantage of this approach is that the zone &#39;loc1&#39;
<para>The advantage of this approach is that the zone <quote>loc1</quote>
can use CONTINUE policies such that if a connection request
doesn&#39;t match a &#39;loc1&#39; rule, it will be matched against
the &#39;loc&#39; rules. For example, if your loc1-&#62;net policy is
CONTINUE then if a connection request from loc1 to the internet
doesn&#39;t match any rules for loc1-&#62;net then it will be checked
against the loc-&#62;net rules.</para>
doesn&#39;t match a <quote>loc1</quote> rule, it will be matched
against the <quote>loc</quote> rules. For example, if your
loc1-&#62;net policy is CONTINUE then if a connection request from
loc1 to the internet doesn&#39;t match any rules for loc1-&#62;net
then it will be checked against the loc-&#62;net rules.</para>
<table>
<title>/etc/shorewall/zones</title>
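Review bot: two typos survive the rewrap of this paragraph, "(called it <quote>loc</quote>)" should read "(call it ...)" and "connectied" should be "connected"; since the lines are being rewritten anyway, fixing them in the same hunk would avoid a follow-up commit.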
@ -274,8 +276,8 @@
</table>
<para>If you don&#39;t need Shorewall to set up infrastructure to
route traffic between &#39;loc&#39; and &#39;loc1&#39;, add these two
policies:</para>
route traffic between <quote>loc</quote> and <quote>loc1</quote>, add
these two policies:</para>
<table>
<title>/etc/shorewall/policy</title>
@ -435,8 +437,8 @@
</table>
<para>If you don&#39;t need Shorewall to set up infrastructure to
route traffic between &#39;loc&#39; and &#39;loc1&#39;, add these two
policies:</para>
route traffic between <quote>loc</quote> and <quote>loc1</quote>, add
these two policies:</para>
<table>
<title>/etc/shorewall/policy</title>
@ -593,8 +595,8 @@
</table>
<para>You probably don&#39;t want Shorewall to set up infrastructure to
route traffic between &#39;loc&#39; and &#39;loc1&#39; so you should add
these two policies:</para>
route traffic between <quote>loc</quote> and <quote>loc1</quote> so you
should add these two policies:</para>
<table>
<title>/etc/shorewall/policy</title>

View File

@ -2,6 +2,8 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="NAT">
<!--$Id$-->
<articleinfo>
<title>One-to-one NAT</title>
@ -30,8 +32,8 @@
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled &#34;<ulink
url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -113,25 +115,26 @@
/etc/shorewall/masq or /etc/shorewall/proxyarp.</para>
<note>
<para>The &#34;ALL INTERFACES&#34; column is used to specify whether
access to the external IP from all firewall interfaces should undergo
NAT (Yes or yes) or if only access from the interface in the INTERFACE
column should undergo NAT. If you leave this column empty, &#34;Yes&#34;
is assumed. The ALL INTERFACES column was added in version 1.1.6.
<emphasis role="bold">Specifying &#34;Yes&#34; in this column will not
allow systems on the lower LAN to access each other using their public
IP addresses.</emphasis> For example, the lower left-hand system
(10.1.1.2) cannot connect to 130.252.100.19 and expect to be connected
to the lower right-hand system. <ulink url="FAQ.htm#faq2a">See FAQ 2a</ulink>.</para>
<para>The <quote>ALL INTERFACES</quote> column is used to specify
whether access to the external IP from all firewall interfaces should
undergo NAT (Yes or yes) or if only access from the interface in the
INTERFACE column should undergo NAT. If you leave this column empty,
<quote>Yes</quote> is assumed. The ALL INTERFACES column was added in
version 1.1.6. <emphasis role="bold">Specifying <quote>Yes</quote> in
this column will not allow systems on the lower LAN to access each other
using their public IP addresses.</emphasis> For example, the lower
left-hand system (10.1.1.2) cannot connect to 130.252.100.19 and expect
to be connected to the lower right-hand system. <ulink
url="FAQ.htm#faq2a">See FAQ 2a</ulink>.</para>
</note>
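Review bot: the quoting in the rewritten note is applied inconsistently: the first mention is <quote>ALL INTERFACES</quote> but the later sentence "The ALL INTERFACES column was added in version 1.1.6." leaves the column name bare, and "(Yes or yes)" is unquoted while the next sentence uses <quote>Yes</quote>. Pick one form for the column name and for the accepted values and use it throughout the paragraph.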
<note>
<para>Shorewall will automatically add the external address to the
specified interface unless you specify <ulink
url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=&#34;no&#34; (or
&#34;No&#34;) in /etc/shorewall/shorewall.conf; If you do not set
ADD_IP_ALIASES or if you set it to &#34;Yes&#34; or &#34;yes&#34; then
you must NOT configure your own alias(es).</para>
url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=<quote>no</quote>
(or <quote>No</quote>) in /etc/shorewall/shorewall.conf; If you do not
set ADD_IP_ALIASES or if you set it to <quote>Yes</quote> or
<quote>yes</quote> then you must NOT configure your own alias(es).</para>
<para><important><para>Shorewall versions earlier than 1.4.6 can only
add external addresses to an interface that is configured with a single
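Review bot: "/etc/shorewall/shorewall.conf; If you do not" keeps a capital letter after the semicolon; either lowercase "if" or split into two sentences. Also, ADD_IP_ALIASES=<quote>no</quote> describes a value that is typed verbatim into shorewall.conf, so <literal>no</literal> (or <quote> only around the prose alternatives) would be more accurate than <quote>, which can render as curly quotes that do not belong in the configuration file.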
@ -141,13 +144,13 @@
</note>
<note>
<para>The contents of the &#34;LOCAL&#34; column determine whether
<para>The contents of the <quote>LOCAL</quote> column determine whether
packets originating on the firewall itself and destined for the EXTERNAL
address are redirected to the internal ADDRESS. If this column contains
&#34;yes&#34; or &#34;Yes&#34; (and the ALL INTERFACES COLUMN also
contains &#34;Yes&#34; or &#34;yes&#34;) then such packets are
redirected; otherwise, such packets are not redirected. The LOCAL column
was added in version 1.1.8.</para>
<quote>yes</quote> or <quote>Yes</quote> (and the ALL INTERFACES COLUMN
also contains <quote>Yes</quote> or <quote>yes</quote>) then such
packets are redirected; otherwise, such packets are not redirected. The
LOCAL column was added in version 1.1.8.</para>
</note>
</section>
</article>
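Review bot: "(and the ALL INTERFACES COLUMN also contains" writes COLUMN in upper case, while the preceding note in the same file uses "ALL INTERFACES column"; lowercase "column" here keeps the two notes consistent.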

View File

@ -2,6 +2,8 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="NetfilterOverview">
<!--$Id$-->
<articleinfo>
<title>Netfilter Overview</title>
@ -26,8 +28,8 @@
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled &#34;<ulink
url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -76,8 +78,8 @@
<graphic fileref="images/Netfilter.png" />
<para>&#34;Local Process&#34; means a process running on the Shorewall
system itself.</para>
<para><quote>Local Process</quote> means a process running on the
Shorewall system itself.</para>
<para>In the above diagram are boxes similar to this:</para>
@ -102,10 +104,10 @@
</important>
<para>The above diagram should help you understand the output of
&#34;shorewall status&#34;.</para>
<quote>shorewall status</quote>.</para>
<para>Here are some excerpts from &#34;shorewall status&#34; on a server
with one interface (eth0):</para>
<para>Here are some excerpts from <quote>shorewall status</quote> on a
server with one interface (eth0):</para>
<programlisting>[root@lists html]# shorewall status
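Review bot: "shorewall status" in both rewritten paragraphs is a command the reader is expected to run, so <command>shorewall status</command> is the DocBook element for it rather than <quote>; it renders in monospace and distinguishes the command from quoted prose. The chain name "eth0_in" further down is similarly better served by <literal>.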
@ -124,7 +126,7 @@ Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>
<para>The following rule indicates that all traffic destined for the
firewall that comes into the firewall on eth0 is passed to a chain called
&#34;eth0_in&#34;. That chain will be shown further down.</para>
<quote>eth0_in</quote>. That chain will be shown further down.</para>
<programlisting> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
@ -157,8 +159,8 @@ Chain OUTPUT (policy DROP 1 packets, 60 bytes)
785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
<para>The &#34;dynamic&#34; chain above is where dynamic blacklisting is
done.</para>
<para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
is done.</para>
<para>Next comes the <emphasis role="bold">Nat</emphasis> table:</para>

View File

@ -2,6 +2,8 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="OPENVPN">
<!--$Id$-->
<articleinfo>
<title>OpenVPN Tunnels</title>
@ -34,8 +36,8 @@
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled &#34;<ulink
url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -65,8 +67,8 @@
start and stop it.</para>
<para>On each firewall, you will need to declare a zone to represent the
remote subnet. We&#39;ll assume that this zone is called &#39;vpn&#39; and
declare it in /etc/shorewall/zones on both systems as follows.</para>
remote subnet. We&#39;ll assume that this zone is called <quote>vpn</quote>
and declare it in /etc/shorewall/zones on both systems as follows.</para>
<table>
<title>/etc/shorewall/zones system A &#38; B</title>
@ -288,9 +290,9 @@ key my-b.key
comp-lzo
verb 5</programlisting>
<para>You will need to allow traffic between the &#34;vpn&#34; zone and
the &#34;loc&#34; zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</para>
<para>You will need to allow traffic between the <quote>vpn</quote> zone
and the <quote>loc</quote> zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:</para>
<table>
<title>/etc/shorewall/policy system A &#38; B</title>