diff --git a/Shorewall-docs/Multiple_Zones.xml b/Shorewall-docs/Multiple_Zones.xml index 94e3fb982..5b1b17382 100644 --- a/Shorewall-docs/Multiple_Zones.xml +++ b/Shorewall-docs/Multiple_Zones.xml @@ -2,6 +2,8 @@
+ + Multiple Zones per Interface @@ -26,8 +28,8 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. @@ -82,11 +84,11 @@ These examples use the local zone but the same technique works for any zone. Remember that Shorewall - doesn't have any conceptual knowledge of "Internet", - "Local", or "DMZ" so all zones except the firewall itself - ($FW) are the same as far as Shorewall is concerned. Also, the examples - use private (RFC 1918) addresses but public IP addresses can be used in - exactly the same way. + doesn't have any conceptual knowledge of Internet, + Local, or DMZ so all zones except the + firewall itself ($FW) are the same as far as Shorewall is concerned. Also, + the examples use private (RFC 1918) addresses but public IP addresses can + be used in exactly the same way.
@@ -95,9 +97,9 @@ Here is an example of a router in the local zone. - the box called "Router" could be a - VPN server or other such device; from the point of view of - this discussion, it makes no difference. + the box called Router could + be a VPN server or other such device; from the point of view + of this discussion, it makes no difference. @@ -145,8 +147,8 @@ - Set the 'routeback' and 'newnotsyn' options - for eth1 (the local firewall interface) in + Set the routeback and newnotsyn + options for eth1 (the local firewall interface) in /etc/shorewall/interfaces. @@ -165,19 +167,19 @@
Nested Zones - You can define one zone (called it 'loc') as being all - hosts connectied to eth1 and a second zone 'loc1' + You can define one zone (called it loc) as being + all hosts connectied to eth1 and a second zone loc1 (192.168.2.0/24) as a sub-zone. - The advantage of this approach is that the zone 'loc1' + The advantage of this approach is that the zone loc1 can use CONTINUE policies such that if a connection request - doesn't match a 'loc1' rule, it will be matched against - the 'loc' rules. For example, if your loc1->net policy is - CONTINUE then if a connection request from loc1 to the internet - doesn't match any rules for loc1->net then it will be checked - against the loc->net rules. + doesn't match a loc1 rule, it will be matched + against the loc rules. For example, if your + loc1->net policy is CONTINUE then if a connection request from + loc1 to the internet doesn't match any rules for loc1->net + then it will be checked against the loc->net rules. /etc/shorewall/zones @@ -274,8 +276,8 @@
If you don't need Shorewall to set up infrastructure to - route traffic between 'loc' and 'loc1', add these two - policies: + route traffic between loc and loc1, add + these two policies:
/etc/shorewall/policy @@ -435,8 +437,8 @@
If you don't need Shorewall to set up infrastructure to - route traffic between 'loc' and 'loc1', add these two - policies: + route traffic between loc and loc1, add + these two policies: /etc/shorewall/policy @@ -593,8 +595,8 @@
You probably don't want Shorewall to set up infrastructure to - route traffic between 'loc' and 'loc1' so you should add - these two policies: + route traffic between loc and loc1 so you + should add these two policies: /etc/shorewall/policy diff --git a/Shorewall-docs/NAT.xml b/Shorewall-docs/NAT.xml index c2ae72e5b..d26dd8daf 100644 --- a/Shorewall-docs/NAT.xml +++ b/Shorewall-docs/NAT.xml @@ -2,6 +2,8 @@
+ + One-to-one NAT @@ -30,8 +32,8 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. 
@@ -113,25 +115,26 @@ /etc/shorewall/masq or /etc/shorewall/proxyarp. - The "ALL INTERFACES" column is used to specify whether - access to the external IP from all firewall interfaces should undergo - NAT (Yes or yes) or if only access from the interface in the INTERFACE - column should undergo NAT. If you leave this column empty, "Yes" - is assumed. The ALL INTERFACES column was added in version 1.1.6. - Specifying "Yes" in this column will not - allow systems on the lower LAN to access each other using their public - IP addresses. For example, the lower left-hand system - (10.1.1.2) cannot connect to 130.252.100.19 and expect to be connected - to the lower right-hand system. See FAQ 2a. + The ALL INTERFACES column is used to specify + whether access to the external IP from all firewall interfaces should + undergo NAT (Yes or yes) or if only access from the interface in the + INTERFACE column should undergo NAT. If you leave this column empty, + Yes is assumed. The ALL INTERFACES column was added in + version 1.1.6. Specifying Yes in + this column will not allow systems on the lower LAN to access each other + using their public IP addresses. For example, the lower + left-hand system (10.1.1.2) cannot connect to 130.252.100.19 and expect + to be connected to the lower right-hand system. See FAQ 2a. Shorewall will automatically add the external address to the specified interface unless you specify ADD_IP_ALIASES="no" (or - "No") in /etc/shorewall/shorewall.conf; If you do not set - ADD_IP_ALIASES or if you set it to "Yes" or "yes" then - you must NOT configure your own alias(es). + url="Documentation.htm#Aliases">ADD_IP_ALIASES=no + (or No) in /etc/shorewall/shorewall.conf; If you do not + set ADD_IP_ALIASES or if you set it to Yes or + yes then you must NOT configure your own alias(es). Shorewall versions earlier than 1.4.6 can only add external addresses to an interface that is configured with a single 
@@ -141,13 +144,13 @@ - The contents of the "LOCAL" column determine whether + The contents of the LOCAL column determine whether packets originating on the firewall itself and destined for the EXTERNAL address are redirected to the internal ADDRESS. If this column contains - "yes" or "Yes" (and the ALL INTERFACES COLUMN also - contains "Yes" or "yes") then such packets are - redirected; otherwise, such packets are not redirected. The LOCAL column - was added in version 1.1.8. + yes or Yes (and the ALL INTERFACES COLUMN + also contains Yes or yes) then such + packets are redirected; otherwise, such packets are not redirected. The + LOCAL column was added in version 1.1.8.
\ No newline at end of file diff --git a/Shorewall-docs/NetfilterOverview.xml b/Shorewall-docs/NetfilterOverview.xml index 0f2637c54..760be30f4 100644 --- a/Shorewall-docs/NetfilterOverview.xml +++ b/Shorewall-docs/NetfilterOverview.xml @@ -2,6 +2,8 @@
+ + Netfilter Overview @@ -26,8 +28,8 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. @@ -76,8 +78,8 @@ - "Local Process" means a process running on the Shorewall - system itself. + Local Process means a process running on the + Shorewall system itself. In the above diagram are boxes similar to this: @@ -102,10 +104,10 @@ The above diagram should help you understand the output of - "shorewall status". + shorewall status. - Here are some excerpts from "shorewall status" on a server - with one interface (eth0): + Here are some excerpts from shorewall status on a + server with one interface (eth0): [root@lists html]# shorewall status @@ -124,7 +126,7 @@ Counters reset Sat Oct 11 08:12:57 PDT 2003 The following rule indicates that all traffic destined for the firewall that comes into the firewall on eth0 is passed to a chain called - "eth0_in". That chain will be shown further down. + eth0_in. That chain will be shown further down. 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 @@ -157,8 +159,8 @@ Chain OUTPUT (policy DROP 1 packets, 60 bytes) 785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0 - The "dynamic" chain above is where dynamic blacklisting is - done. + The dynamic chain above is where dynamic blacklisting + is done. Next comes the Nat table: diff --git a/Shorewall-docs/OPENVPN.xml b/Shorewall-docs/OPENVPN.xml index ce86d8057..a80c7660e 100644 --- a/Shorewall-docs/OPENVPN.xml +++ b/Shorewall-docs/OPENVPN.xml @@ -2,6 +2,8 @@
+ + OpenVPN Tunnels @@ -34,8 +36,8 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. @@ -65,8 +67,8 @@ start and stop it. On each firewall, you will need to declare a zone to represent the - remote subnet. We'll assume that this zone is called 'vpn' and - declare it in /etc/shorewall/zones on both systems as follows. + remote subnet. We'll assume that this zone is called vpn + and declare it in /etc/shorewall/zones on both systems as follows.
/etc/shorewall/zones system A & B @@ -288,9 +290,9 @@ key my-b.key comp-lzo verb 5 - You will need to allow traffic between the "vpn" zone and - the "loc" zone on both systems -- if you simply want to admit all - traffic in both directions, you can use the policy file: + You will need to allow traffic between the vpn zone + and the loc zone on both systems -- if you simply want to + admit all traffic in both directions, you can use the policy file:
/etc/shorewall/policy system A & B
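Review bot: In the Multiple_Zones.xml hunk at @@ -165,19 +167,19 @@ (Nested Zones), the rewritten lines still carry two typos that should be fixed while the text is being touched: "called it loc" should read "call it loc", and "connectied to eth1" should read "connected to eth1". The hunk only swaps the quote characters for markup, so both errors survive into the new version.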
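Review bot: In the NAT.xml hunk at @@ -113,25 +115,26 @@, the change from ADD_IP_ALIASES="no" (or "No") to ADD_IP_ALIASES=no (or No) drops the quotes from a literal configuration setting rather than replacing them with markup as the rest of the hunk does; please confirm that the unquoted form is what shorewall.conf actually expects, since a reader will copy this value verbatim. The same lines also keep the pre-existing "in /etc/shorewall/shorewall.conf; If you do not set" with a capital after the semicolon; either lowercase "if" or split it into two sentences.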
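Review bot: In the NAT.xml hunk at @@ -141,13 +144,13 @@, the rewritten line "and the ALL INTERFACES COLUMN also contains Yes or yes" leaves "COLUMN" in upper case, which is inconsistent with "the LOCAL column" two lines earlier in the same hunk and with "the ALL INTERFACES column" in the previous hunk; suggest "ALL INTERFACES column". The hunk also ends with "\ No newline at end of file", so consider adding the trailing newline to NAT.xml in this commit to avoid a spurious diff on the next edit.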