holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Shorewall 1.4.5

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@612 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-06-23 20:24:51 +00:00
parent 8683295810
commit d99bf6942c
27 changed files with 11108 additions and 10147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
STABLE/changelog.txt
View File

@ -1,15 +1,15 @@
Changes since 1.4.3a Changes since 1.4.4b
1. Implement REDIRECT-. 1) The command "shorewall debug try <directory>" now correctly traces
the attempt.
2. Change LOGMARKER to a printf mask and allow embedded spaces. Renamed 2) The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now
it LOGFORMAT to avoid confusion. contain a list of addresses. If the list begins with "!' then the
rule will take effect only if the original destination address in
the connection request does not match any of the addresses listed.
3. DNAT and REDIRECT logging is moved from the filter table to the nat 3) Enhanced processing of the zones file to allow the INCLUDE
table. directive.
4. Don't include log rule number when LOGFORMAT doesn't include "%d".
5. Add --log-level to LOG rules.
4) Fix processing of the routestopped file's second column.

4555
STABLE/documentation/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

900
STABLE/documentation/IPSEC.htm
View File

File diff suppressed because it is too large Load Diff

136
STABLE/documentation/MAC_Validation.html
View File

@ -13,99 +13,107 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br> <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1> </h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
All traffic from an interface or from a subnet on an interface All traffic from an interface or from a subnet on an interface
can be verified to originate from a defined set of MAC addresses. Furthermore, can be verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP addresses. each MAC address may be optionally associated with one or more IP addresses.
<br> <br>
<br> <br>
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC <b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
- module name ipt_mac.o).</b><br> - module name ipt_mac.o).</b><br>
<br> <br>
There are four components to this facility.<br> There are four components to this facility.<br>
<ol> <ol>
<li>The <b>maclist</b> interface option in <a <li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li> to MAC verification.</li>
<li>The <b>maclist </b>option in <a <li>The <b>maclist </b>option in <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to MAC is specified for a subnet, all traffic from that subnet is subject to
verification.</li> MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate <li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li> with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification. and determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty requests that fail verification are to be logged. If set the the empty
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.<br> not logged.<br>
</li> </li>
</ol> </ol>
The columns in /etc/shorewall/maclist are:<br> The columns in /etc/shorewall/maclist are:<br>
<ul> <ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall <li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li> system.</li>
<li>MAC - The MAC address of a device on the ethernet segment connected <li>MAC - The MAC address of a device on the ethernet segment
by INTERFACE. It is not necessary to use the Shorewall MAC format in connected by INTERFACE. It is not necessary to use the Shorewall MAC format
this column although you may use that format if you so choose.</li> in this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses <li>IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.</li> for the device whose MAC is listed in the MAC column.</li>
</ul> </ul>
<h3>Example 1: Here are my files:</h3> <h3>Example 1: Here are my files:</h3>
<b>/etc/shorewall/shorewall.conf:<br> <b>/etc/shorewall/shorewall.conf:<br>
</b> </b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre> <pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br> <b>/etc/shorewall/interfaces:</b><br>
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,maclist<br> dmz eth1 192.168.2.255<br> net eth3 206.124.146.255 blacklist<br> - texas 192.168.9.255<br> loc ppp+<br></pre> <blockquote>
<b>/etc/shorewall/maclist:</b><br> <pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>wap eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
</blockquote>
<b>/etc/shorewall/maclist:</b><br>
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre> <blockquote>
As shown above, I use MAC Verification on my local zone.<br> <pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>The WET11 is a somewhat curious device; when forwarding DHCP
traffic, it uses the MAC address of the host (TIPPER) but for other forwarded
traffic it uses it's own MAC address. Consequently, I don't assign the WET11
a fixed IP address in /etc/shorewall/maclist.<br>
<h3>Example 2: Router in Local Zone</h3> <h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone Suppose now that I add a second wireless segment to my wireless
and gateway that segment via a router with MAC address 00:06:43:45:C6:15 zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.1.253. Hosts in the second segment have IP addresses and IP address 192.168.3.253. Hosts in the second segment have IP addresses
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br> file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.1.253)
and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router
(00:06:43:45:C6:15) and not that of the host sending the traffic.
<p><font size="2"> Updated 2/21/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that
all traffic being sent to my firewall from the 192.168.4.0/24 segment
will be forwarded by the router so that traffic's MAC address will be
that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic.
<p><font size="2"> Updated 6/10/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>

3433
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

645
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -12,376 +12,349 @@
<table cellpadding="0" cellspacing="0" border="0" width="100%" <table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169"> bgcolor="#400169">
<tbody> <tbody>
<tr> <tr>
<td valign="middle" width="33%" bgcolor="#400169"><a <td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif" href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> alt="" width="88" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
<td valign="middle" height="90" align="center" width="34%"><font <td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br> color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td> </td>
<td valign="middle" height="90" width="33%" align="right"><a <td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif" href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> alt="" width="100" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
This page covers Shorewall configuration to use with <a This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br> href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<a href="#DMZ"></a><br> <a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" <img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle"> height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13"
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to
run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those /etc/shorewall/start and /etc/shorewall/init -- if you don't have those
files, siimply create them.<br> files, siimply create them.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13"
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone height="13">
or in the local zone, that zone must be defined ONLY by its interface </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
-- no /etc/shorewall/hosts file entries. That is because the packets being or in the local zone, that zone must be defined ONLY by its interface --
no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP addresses.<br> routed to the Squid server still have their original destination IP addresses.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13"
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
Squid server.<br> Squid server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13"
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your height="13">
/etc/shorewall/conf file<br> </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in
<br> your /etc/shorewall/conf file<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br> <br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br> color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br> <br>
Three different configurations are covered:<br> Three different configurations are covered:<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li> on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in
the local network</a></li> the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in
DMZ</a></li> the DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT You want to redirect all local www connection requests EXCEPT
those to your own those to your own
http server (206.124.146.177) http server (206.124.146.177)
to a Squid to a Squid transparent
transparent proxy running on the firewall and listening on port proxy running on the firewall and listening on port 3128. Squid
3128. Squid will of course require access to remote web servers.<br> will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>REDIRECT</td> <td>REDIRECT</td>
<td>loc</td> <td>loc</td>
<td>3128</td> <td>3128</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> -<br> <td> -<br>
</td> </td>
<td>!206.124.146.177</td> <td>!206.124.146.177</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>net</td> <td>net</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2> <h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid You want to redirect all local www connection requests to a
transparent proxy Squid transparent
running in your local zone at 192.168.1.3 and listening on port 3128. proxy running in your local zone at 192.168.1.3 and listening on port
Your local interface is eth1. There may also be a web server running 3128. Your local interface is eth1. There may also be a web server running
on 192.168.1.3. It is assumed that web access is already enabled from the on 192.168.1.3. It is assumed that web access is already enabled from the
local zone to the internet.<br> local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, <b>I don't recommend it</b>.<br> and route redirection. For that reason, <b>I don't recommend it</b>.<br>
</p> </p>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre> <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre> <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please <li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
upgrade to Shorewall 1.4.2 or later.<br> please upgrade to Shorewall 1.4.2 or later.<br>
<br> <br>
</li> </li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br> <li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br> <br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ZONE<br> <td valign="top">ZONE<br>
</td> </td>
<td valign="top">INTERFACE<br> <td valign="top">INTERFACE<br>
</td> </td>
<td valign="top">BROADCAST<br> <td valign="top">BROADCAST<br>
</td> </td>
<td valign="top">OPTIONS<br> <td valign="top">OPTIONS<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth1<br> <td valign="top">eth1<br>
</td> </td>
<td valign="top">detect<br> <td valign="top">detect<br>
</td> </td>
<td valign="top"><b>routeback</b><br> <td valign="top"><b>routeback</b><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/rules:<br> <li>In /etc/shorewall/rules:<br>
<br> <br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT<br> <td>ACCEPT<br>
</td> </td>
<td>loc</td> <td>loc</td>
<td>loc<br> <td>loc<br>
</td> </td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td><br> <td><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</li> </li>
<br> <br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the <li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br> following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>POLICY<br> <td valign="top"><b>POLICY<br>
</b></td> </b></td>
<td valign="top"><b>LOG LEVEL<br> <td valign="top"><b>LOG LEVEL<br>
</b></td> </b></td>
<td valign="top"><b>BURST PARAMETERS<br> <td valign="top"><b>BURST PARAMETERS<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/start add:<br> <li>In /etc/shorewall/start add:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre> <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.168.1.3, arrange for the following command to be executed <li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br> after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre> <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ You want to run both a web server and Squid on that system. Your DMZ interface
interface is eth1 and your local interface is eth2.<br> is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre> <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre> <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>&nbsp;Do<b> one </b>of the following:<br> <li>&nbsp;Do<b> one </b>of the following:<br>
<br> <br>
A) In /etc/shorewall/start add<br> A) In /etc/shorewall/start add<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre> <pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote> </blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br> and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote> <blockquote>
<blockquote> <blockquote>
@ -402,7 +375,7 @@ interface is eth1 and your local interface is eth2.<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">202:P<br> <td valign="top">202<br>
</td> </td>
<td valign="top">eth2<br> <td valign="top">eth2<br>
</td> </td>
@ -419,100 +392,140 @@ interface is eth1 and your local interface is eth2.<br>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</blockquote> C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules, you will need:</li> <li>In /etc/shorewall/rules, you will need:</li>
</ul> </ul>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ACTION<br> <td valign="top">ACTION<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
</td> </td>
<td valign="top">PROTO<br> <td valign="top">PROTO<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
PORT(S)<br> PORT(S)<br>
</td> </td>
<td valign="top">CLIENT<br> <td valign="top">CLIENT<br>
PORT(2)<br> PORT(2)<br>
</td> </td>
<td valign="top">ORIGINAL<br> <td valign="top">ORIGINAL<br>
DEST<br> DEST<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following <li>On 192.0.2.177 (your Web/Squid server), arrange for the
command to be executed after networking has come up<br> following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre> <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 4/7/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy; <a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2003 Thomas M. Eastep.</font></a><br> <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br> <br>
</body> </body>
</html> </html>

136
STABLE/documentation/Shorewall_index_frame.htm
View File

@ -12,7 +12,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -20,97 +21,114 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a <li> <a
href="download.htm">Download</a><br> href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br> <a href="Install.htm">Configuration</a><br>
</li> </li>
<li> <a <li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br> href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li>
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation
<li> <a Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li> href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a
<li><a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Troubleshooting</a></li> href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a <li> <a
href="errata.htm">Errata</a></li> href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a <li> <a
href="support.htm">Getting help or Answers to Questions</a></li> href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br> href="http://lists.shorewall.net"> </a><br>
</li> </li>
<li><a href="1.3" target="_top">Shorewall <li><a href="1.3"
1.3 Site</a></li> target="_top">Shorewall 1.3 Site</a></li>
<li><a <li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
1.2 Site</a></li> Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> <li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a
href="http://slovakia.shorewall.net">Slovak Republic</a></li> target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a
href="http://shorewall.infohiiway.com">Texas, USA</a></li> target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a
href="http://germany.shorewall.net">Germany</a></li> target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> <li><a target="_top"
<li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li> <li><a href="http://shorewall.syachile.cl"
<li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br> target="_top">Chile</a></li>
</li> <li><a href="http://shorewall.greshko.com"
<li><a target="_top">Taiwan</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br> href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a <li> <a
href="News.htm">News Archive</a></li> href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a <li> <a
href="quotes.htm">Quotes from Users</a></li> href="quotes.htm">Quotes from Users</a></li>
<li> <a <li>GSLUG Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul>
<li> <a
href="shoreline.htm">About the Author</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>

150
STABLE/documentation/Shorewall_sfindex_frame.htm
View File

@ -12,7 +12,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -20,105 +21,120 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td width="100%"
bgcolor="#ffffff"> bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a <li> <a
href="download.htm">Download</a><br> href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br> <a href="Install.htm">Configuration</a><br>
</li> </li>
<li> <a <li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br> href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li>
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation
<li> <a Index</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li> href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a
<li><a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Troubleshooting</a></li> href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a <li> <a
href="support.htm">Getting help or Answers to Questions</a> href="support.htm">Getting help or Answers to Questions</a>
</li> </li>
<li><a <li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br> href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li> </li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li> <li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a <li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2 href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
Site</a></li> 1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> <li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a
href="http://slovakia.shorewall.net">Slovak Republic</a></li> target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a
href="http://shorewall.infohiiway.com">Texas, USA</a></li> target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a
href="http://germany.shorewall.net">Germany</a></li> target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> <li><a target="_top"
<li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl" target="_top">Chile</a></li> <li><a href="http://shorewall.syachile.cl"
<li><a href="http://shorewall.greshko.com" target="_top">Taiwan</a><br> target="_top">Chile</a></li>
</li> <li><a href="http://shorewall.greshko.com"
<li><a target="_top">Taiwan</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br> href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News <li> <a
Archive</a></li> href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes <li>GSLUG Presentation</li>
from Users</a></li>
<li> <a <ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul>
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li> <a
href="shoreline.htm">About the Author</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><a size="2">2001-2003 Thomas M. Eastep.</font></a><br>
href="http://www.shorewall.net" target="_top"> </a></p> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

223
STABLE/documentation/download.htm
View File

@ -17,76 +17,78 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p> <p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz <p>The documentation in HTML format is included in the .rpm and in the
packages below.</p> .tgz packages below.</p>
<p> Once you've printed the appropriate QuickStart Guide, download <u> <p> Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution <b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig or init scripts in /etc/init.d and that include chkconfig or
insserv). If you find that it works in other cases, let <a insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file <li>If you are running LRP, download the .lrp file
(you might also want to download the .tgz so you will have a (you might also want to download the .tgz so you will have a
copy of the documentation).</li> copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a
Testing Branch</a> and the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
Branch</a>.</li> Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> <li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li> module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.  The and there is an documentation .deb that also contains the documentation.  The
.rpm will install the documentation in your default document directory which .rpm will install the documentation in your default document directory
can be obtained using the following command:<br> which can be obtained using the following command:<br>
</p> </p>
<blockquote> <blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p> <p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote> </blockquote>
<p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font> <p>Please check the <font color="#ff0000"> <a href="errata.htm"> errata</a></font>
to see if there are updates that apply to the version to see if there are updates that apply to the version
that you have downloaded.</p> that you have downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p> of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p> <p><b></b></p>
@ -95,103 +97,96 @@ REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr> <tr>
<td valign="top">Taiwan<br> <td>Slovak Republic</td>
</td> <td>Shorewall.net</td>
<td valign="top">Greshko.com<br> <td><a
</td> href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td valign="top"><a <td> <a target="_blank"
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr> </tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td valign="top">Taiwan<br>
</td>
<td valign="top">Greshko.com<br>
</td>
<td valign="top"><a
href="http://shorewall.greshko.com/pub/shorewall/">Browse<br>
</a></td>
<td valign="top"><a
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the each at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there Shorewall component. There's no guarantee that what you find there
will work at all.<br> will work at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 3/24/2003 - <a <p align="left"><font size="2">Last Updated 3/24/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>

335
STABLE/documentation/errata.htm
View File

@ -19,13 +19,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -33,58 +33,67 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can <p align="left"> <b>If you are installing Shorewall for the first
untar the archive, replace the 'firewall' script in the untarred directory time and plan to use the .tgz and install.sh script, you can untar
with the one you downloaded below, and then run install.sh.</b></p> the archive, replace the 'firewall' script in the untarred directory
</li> with the one you downloaded below, and then run install.sh.</b></p>
<li> </li>
<li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you firewall script in /usr/share/shorewall/firewall, you
may rename the existing file before copying in the new file.</b></p> may rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
For example, do NOT install the 1.3.9a firewall script if you are BELOW. For example, do NOT install the 1.3.9a firewall script if
running 1.3.7c.</font></b><br> you are running 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade <li><b><a href="upgrade_issues.htm">Upgrade
Issues</a></b></li> Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br> <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li> </li>
<li> <b><a <li> <b><a
href="errata_3.html">Problems in Version 1.3</a></b></li> href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a <li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font <li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font <li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a <li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
RedHat iptables</a></b></li> iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with <li><b><a href="#Multiport">Problems with
iptables version 1.2.7 and MULTIPORT=Yes</a></b></li> iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 <li><b><a href="#NAT">Problems with RH Kernel
and NAT</a></b><br> 2.4.18-10 and NAT</a></b></li>
</li> <li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and REJECT
(also applies to 2.4.21-RC1) <img src="images/new10.gif" alt="(New)"
width="28" height="12" border="0">
</a><br>
</b></li>
</ul> </ul>
@ -93,95 +102,115 @@ iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<h3></h3> <h3></h3>
<h3>1.4.4-1.4.4a</h3> <h3>1.4.4b</h3>
<ul>
<li>Log messages are being displayed on the system console even though
the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
<h3>1.4.4<br>
</h3>
<ul> <ul>
<li> If you have zone names that are 5 characters long, you may experience <li>Shorewall is ignoring records in /etc/shorewall/routestopped that
problems starting Shorewall because the --log-prefix in a logging rule is have an empty second column (HOSTS). This problem may be corrected by installing
too long. Upgrade to Version 1.4.4a to fix this problem..</li> <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
target="_top">this functions script</a> in /usr/share/shorewall/functions.<br>
</li>
</ul>
<h3>1.4.4-1.4.4a</h3>
<ul>
<li>Log messages are being displayed on the system console even though
the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.<br>
</li>
</ul>
<h3>1.4.4<br>
</h3>
<ul>
<li> If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule
is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
</ul> </ul>
<h3>1.4.3</h3> <h3>1.4.3</h3>
<ul> <ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended to <li>The LOGMARKER variable introduced in version 1.4.3 was intended
allow integration of Shorewall with Fireparse (http://www.firewparse.com). to allow integration of Shorewall with Fireparse (http://www.firewparse.com).
Unfortunately, LOGMARKER only solved part of the integration problem. I Unfortunately, LOGMARKER only solved part of the integration problem. I
have implimented a new LOGFORMAT variable which will replace LOGMARKER which have implimented a new LOGFORMAT variable which will replace LOGMARKER which
has completely solved this problem and is currently in production with fireparse has completely solved this problem and is currently in production with fireparse
here at shorewall.net. The updated files may be found at <a here at shorewall.net. The updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>. target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br> See the 0README.txt file for details.<br>
</li> </li>
</ul> </ul>
<h3>1.4.2</h3> <h3>1.4.2</h3>
<ul> <ul>
<li>When an 'add' or 'delete' command is executed, a temporary directory <li>When an 'add' or 'delete' command is executed, a temporary directory
created in /tmp is not being removed. This problem may be corrected by created in /tmp is not being removed. This problem may be corrected by
installing <a installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
as described above. <br> described above. <br>
</li> </li>
</ul> </ul>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3> <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul> <ul>
<li>Some TCP requests are rejected in the 'common' chain with an ICMP <li>Some TCP requests are rejected in the 'common' chain with an
port-unreachable response rather than the more appropriate TCP RST response. ICMP port-unreachable response rather than the more appropriate TCP RST
This problem is corrected in <a response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br> /etc/shorewall/common.def.<br>
</li> </li>
</ul> </ul>
<h3>1.4.1</h3> <h3>1.4.1</h3>
<ul> <ul>
<li>When a "shorewall check" command is executed, each "rule" produces <li>When a "shorewall check" command is executed, each "rule"
the harmless additional message:<br> produces the harmless additional message:<br>
<br> <br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator      /usr/share/shorewall/firewall: line 2174: [: =: unary operator
expected<br> expected<br>
<br> <br>
You may correct the problem by installing <a You may correct the problem by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
target="_top">this corrected script</a> in /usr/share/shorewall/firewall target="_top">this corrected script</a> in /usr/share/shorewall/firewall
as described above.<br> as described above.<br>
</li> </li>
</ul> </ul>
<h3>1.4.0</h3> <h3>1.4.0</h3>
<ul> <ul>
<li>When running under certain shells Shorewall will attempt to <li>When running under certain shells Shorewall will attempt
create ECN rules even when /etc/shorewall/ecn is empty. You may either to create ECN rules even when /etc/shorewall/ecn is empty. You may either
just remove /etc/shorewall/ecn or you can install <a just remove /etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br> correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li> </li>
</ul> </ul>
@ -193,72 +222,72 @@ just remove /etc/shorewall/ecn or you can install <a
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p> RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I corrected 1.2.3 rpm which you can download here</a>  and
have also built an <a I have also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can has released an iptables-1.2.4 RPM of their own which you
download from<font color="#ff6633"> <a can download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it
fine.</p> works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level which corrects a problem with parsing of the --log-level
specification while this <a specification while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
and RedHat iptables</h3> RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by
installing <a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 this iptables RPM</a>. If you are already running a 1.2.5
version of iptables, you will need to specify the --oldpackage version of iptables, you will need to specify the --oldpackage
option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;= <p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the 2.2 yet you have a 2.4 kernel installed, simply use the
"--nodeps" option to rpm.</p> "--nodeps" option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
@ -266,48 +295,58 @@ and RedHat iptables</h3>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and <h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3> MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible <p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; change to the syntax used to specify multiport match rules;
as a consequence, if you install iptables 1.2.7 you must as a consequence, if you install iptables 1.2.7 you must
be running Shorewall 1.3.7a or later or:</p> be running Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or in /etc/shorewall/shorewall.conf;
</li> or </li>
<li>if you are <li>if you
running Shorewall 1.3.6 you may are running Shorewall 1.3.6 you may
install <a install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form /etc/shorewall/nat entries of the following form
will result in Shorewall being unable to start:<br> will result in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. The solution is to put "no" in the LOCAL column.
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10 Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support under has disabled it. The 2.4.19 kernel contains corrected support
a new kernel configuraiton option; see <a under a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<p><font size="2"> Last updated 5/29/2003 - <a href="support.htm">Tom <h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT
Eastep</a></font> </p> (also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset"
is broken. The symptom most commonly seen is that REJECT rules act just like
DROP rules when dealing with TCP. A kernel patch and precompiled modules to
fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr>
<p><font size="2"> Last updated 6/13/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

225
STABLE/documentation/mailing_list.htm
View File

@ -19,56 +19,59 @@
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" <td width="33%" valign="middle"
align="left"> align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a <a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font><a
</td> href="http://razor.sourceforge.net/"><img src="images/razor.gif"
<td valign="middle" width="34%" align="center"> alt="(Razor Logo)" width="100" height="22" align="left" border="0">
</a> </p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <td valign="middle" width="33%">
<a href="http://www.postfix.org/"> <img <a href="http://www.postfix.org/"> <img
src="images/postfix-white.gif" align="right" border="0" width="124" src="images/postfix-white.gif" align="right" border="0" width="158"
height="66" alt="(Postfix Logo)"> height="84" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0">
</a> </div> </a> </div>
<br> <br>
<div align="right"><br> <div align="right"><b><font color="#ffffff"><br>
<b><font color="#ffffff"><br> </font></b><br>
   </font></b><br> </div>
</div> </td>
</td> </tr>
</tr>
</tbody> </tbody>
</table> </table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br> Guide</a>.<br>
</h1> </h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:postmaster@shorewall.net">me</a> know</p> let <a href="mailto:postmaster@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
@ -80,48 +83,54 @@ hotmail dot com.</p>
<p>Please note that the mail server at shorewall.net checks <p>Please note that the mail server at shorewall.net checks
incoming mail:<br> incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a> <li>against <a
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> href="http://spamassassin.org">Spamassassin</a> (including <a
</li> href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
<li>to ensure that the sender address is fully </li>
qualified.</li> <li>to ensure that the sender address is fully
<li>to verify that the sender's domain has an A qualified.</li>
or MX record in DNS.</li> <li>to verify that the sender's domain has an
<li>to ensure that the host name in the HELO/EHLO A or MX record in DNS.</li>
command is a valid fully-qualified DNS name that resolves.</li> <li>to ensure that the host name in the HELO/EHLO
<li>to ensure that the client system has a valid PTR record in DNS.<br> command is a valid fully-qualified DNS name that resolves.</li>
</li> <li>to ensure that the sending system has a valid PTR record in DNS.</li>
</ol> </ol>
<big><font color="#cc0000"><b>This last point is important. If you run your
own outgoing mail server and it doesn't have a valid DNS PTR record, your
email won't reach the lists unless/until the postmaster notices that your
posts are being rejected. To avoid this problem, you should configure your
MTA to forward posts to shorewall.net through an MTA that <u>does</u> have
a valid PTR record (such as the one at your ISP). </b></font></big><br>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are
all HTML traffic. At least one MTA has gone so far as to blacklist rejecting all HTML traffic. At least one MTA has gone so far as to
shorewall.net "for continuous abuse" because it has been my policy blacklist shorewall.net "for continuous abuse" because it has been my
to allow HTML in list posts!!<br> policy to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to
spam and that the ultimate losers here are not the spammers but the control spam and that the ultimate losers here are not the spammers
list subscribers whose MTAs are bouncing all shorewall.net mail. As but the list subscribers whose MTAs are bouncing all shorewall.net
one list subscriber wrote to me privately "These e-mail admin's need mail. As one list subscriber wrote to me privately "These e-mail admin's
to get a <i>(explitive deleted)</i> life instead of trying to rid the need to get a <i>(explitive deleted)</i> life instead of trying to rid
planet of HTML based e-mail". Nevertheless, to allow subscribers to receive the planet of HTML based e-mail". Nevertheless, to allow subscribers
list posts as must as possible, I have now configured the list server to receive list posts as must as possible, I have now configured the
at shorewall.net to strip all HTML from outgoing posts. This means that list server at shorewall.net to strip all HTML from outgoing posts.
HTML-only posts will be bounced by the list server.<br> This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, If you find that you are missing an occasional list post,
your e-mail admin may be blocking mail whose <i>Received:</i> headers your e-mail admin may be blocking mail whose <i>Received:</i> headers
contain the names of certain ISPs. Again, I believe that such policies contain the names of certain ISPs. Again, I believe that such policies
hurt more than they help but I'm not prepared to go so far as to start hurt more than they help but I'm not prepared to go so far as to start
stripping <i>Received:</i> headers to circumvent those policies.<br> stripping <i>Received:</i> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
@ -133,12 +142,12 @@ stripping <i>Received:</i> headers to circumvent those policies.<br>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -147,24 +156,24 @@ stripping <i>Received:</i> headers to circumvent those policies.<br>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire <h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you will be blacklisted.<br> stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued If you want to trust X.509 certificates issued
by Shoreline Firewall (such as the one used on my web site), you by Shoreline Firewall (such as the one used on my web site),
may <a href="Shorewall_CA_html.html">download and install my CA certificate</a> you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates in your browser. If you don't wish to trust my certificates
then you can either use unencrypted access when subscribing to then you can either use unencrypted access when subscribing to
Shorewall mailing lists or you can use secure access (SSL) and Shorewall mailing lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br> accept the server's certificate when prompted by your browser.<br>
@ -172,21 +181,21 @@ accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted of general interest to the Shorewall user community is also
to this list.</p> posted to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem the <a href="http://www.shorewall.net/support.htm">problem
reporting guidelines</a>.</b></p> reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
@ -206,37 +215,37 @@ list may be found at <a
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br> Shorewall community. To subscribe:<br>
</p> </p>
<p align="left"></p> <p align="left"></p>
<ul> <ul>
<li><b>Insecure:</b> <a <li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a <li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul> </ul>
<p align="left"><br> <p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for the exchange of ideas about the future of Shorewall and for
coordinating ongoing Shorewall Development.</p> coordinating ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel" href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
@ -249,31 +258,34 @@ coordinating ongoing Shorewall Development.</p>
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted from Mailman-managed lists although Mailman 2.1 has attempted
to make this less confusing. To unsubscribe:</p> to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
a password reminder, or change your subscription options enter a password reminder, or change your subscription options enter
your subscription email address:". Enter your email address your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options" in the box and click on the "<b>Unsubscribe</b> or edit options"
button.</p> button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be there is another button that will cause your password to be
emailed to you.</p> emailed to you.</p>
</li> </li>
</ul> </ul>
@ -282,14 +294,11 @@ emailed to you.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 5/29/2003 - <a <p align="left"><font size="2">Last updated 6/14/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> © <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>

211
STABLE/documentation/myfiles.htm
View File

File diff suppressed because one or more lines are too long

472
STABLE/documentation/seattlefirewall_index.htm
View File

@ -7,8 +7,8 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -16,47 +16,30 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center">
<h1 align="center"> <font size="4"><i> <a <h1><font color="#ffffff">Shorewall 1.4</font><i><font
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
alt="Shorwall Logo" height="70" width="85" align="left" </td>
src="images/washington.jpg" border="0"> <td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net"
</a></i></font><a href="http://www.shorewall.net" target="_top"><img border="0" src="images/shorewall.jpg" width="119"
target="_top"><img border="1" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4"> height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<small><small><small><small><a <br>
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small> </td>
</tr>
<div align="center">
<h1><font color="#ffffff"> Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i><a
href="1.3" target="_top"><font color="#ffffff"><br>
</font></a><br>
</h1>
</div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td>
</tr>
</tbody> </tbody>
@ -67,11 +50,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -80,37 +63,37 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is a
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
firewall that can be used on a dedicated firewall system, a multi-function that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it it
under the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
GNU General Public License</a> as published by the Free Software General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in the hope This program is distributed in the
that it will be useful, but WITHOUT ANY hope that it will be useful, but WITHOUT
WARRANTY; without even the implied warranty ANY WARRANTY; without even the implied
of MERCHANTABILITY or FITNESS FOR A PARTICULAR warranty of MERCHANTABILITY or FITNESS
PURPOSE. See the GNU General Public License FOR A PARTICULAR PURPOSE. See the GNU General
for more details.<br> Public License for more details.<br>
<br> <br>
You should have received a copy of the You should have received a copy of
GNU General Public License along the GNU General Public License
with this program; if not, write to the Free along with this program; if not, write to
Software Foundation, Inc., 675 Mass the Free Software Foundation, Inc.,
Ave, Cambridge, MA 02139, USA</p> 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -125,16 +108,18 @@ GNU General Public License</a> as published by the Free Software
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to If so, almost <b>NOTHING </b>on this site will apply directly
your setup. If you want to use the documentation that you find here, it to your setup. If you want to use the documentation that you find here,
is best if you uninstall what you have and install a setup that matches it is best if you uninstall what you have and install a setup that
the documentation on this site. See the <a href="two-interface.htm">Two-interface matches the documentation on this site. See the <a
QuickStart Guide</a> for details.<br> href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br>
<h2> Getting Started with Shorewall</h2> <h2> Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br> match your environment and follow the step by step instructions.<br>
<h2>News</h2> <h2>News</h2>
@ -142,165 +127,213 @@ the documentation on this site. See the <a href="two-interface.htm">Two-inter
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b><b><img border="0" <p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img
src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level <p>Problems Corrected:<br>
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p> </p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0" <ol>
src="images/new10.gif" width="28" height="12" alt="(New)"> <li>The command "shorewall debug try &lt;directory&gt;" now correctly
</b></p> traces the attempt.</li>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out <li>The INCLUDE directive now works properly in the zones file; previously,
that the code in 1.4.4 restricts the length of short zone names to 4 characters. INCLUDE in that file was ignored.</li>
I've produced version 1.4.4a that restores the previous 5-character limit <li>/etc/shorewall/routestopped records with an empty second column
by conditionally omitting the log rule number when the LOGFORMAT doesn't are no longer ignored.<br>
contain '%d'. </li>
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b><img border="0" </ol>
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p> <p>New Features:<br>
I apologize for the rapid-fire releases but since there is a potential </p>
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br> <ol>
<br> <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
<b>    Problems corrected:</b><br> now contain a list of addresses. If the list begins with "!' then the rule
will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version is
1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous
5-character limit by conditionally omitting the log rule number when
the LOGFORMAT doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p>
I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br>
<br>
<b> Problems corrected:</b><br>
<blockquote>None.<br> <blockquote>None.<br>
</blockquote> </blockquote>
<b>    New Features:<br> <b> New Features:<br>
</b> </b>
<ol> <ol>
<li>A REDIRECT- rule target has been added. This target behaves <li>A REDIRECT- rule target has been added. This target
for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter behaves for REDIRECT in the same way as DNAT- does for DNAT in that the
nat table REDIRECT rule is added but not the companion filter table ACCEPT Netfilter nat table REDIRECT rule is added but not the companion filter
rule.<br> table ACCEPT rule.<br>
<br> <br>
</li> </li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and has <li>The LOGMARKER variable has been renamed LOGFORMAT and
been changed to a 'printf' formatting template which accepts three arguments has been changed to a 'printf' formatting template which accepts three
(the chain name, logging rule number and the disposition). To use LOGFORMAT arguments (the chain name, logging rule number and the disposition).
with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>), To use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br> set it as:<br>
 <br> <br>
       LOGFORMAT="fp=%s:%d a=%s "<br> LOGFORMAT="fp=%s:%d a=%s "<br>
 <br> <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT <b>CAUTION: </b>/sbin/shorewall uses the leading part of the
string (up to but not including the first '%') to find log messages in the LOGFORMAT string (up to but not including the first '%') to find log
'show log', 'status' and 'hits' commands. This part should not be omitted messages in the 'show log', 'status' and 'hits' commands. This part should
(the LOGFORMAT should not begin with "%") and the leading part should be not be omitted (the LOGFORMAT should not begin with "%") and the leading
sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br> part should be sufficiently unique for /sbin/shorewall to identify Shorewall
<br> messages.<br>
</li> <br>
<li>When logging is specified on a DNAT[-] or REDIRECT[-] rule, </li>
the logging now takes place in the nat table rather than in the filter table. <li>When logging is specified on a DNAT[-] or REDIRECT[-]
This way, only those connections that actually undergo DNAT or redirection rule, the logging now takes place in the nat table rather than in the
will be logged.<br> filter table. This way, only those connections that actually undergo DNAT
</li> or redirection will be logged.<br>
</li>
</ol> </ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><br> <p><b>5/20/2003 - Shorewall-1.4.3a</b><br>
</p> </p>
This version primarily corrects the documentation included in the .tgz This version primarily corrects the documentation included in
and in the .rpm. In addition: <br> the .tgz and in the .rpm. In addition: <br>
<ol> <ol>
<li>(This change is in 1.4.3 but is not documented) If you <li>(This change is in 1.4.3 but is not documented) If
are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
reject replies as follows:<br> return reject replies as follows:<br>
   a) tcp - RST<br> a) tcp - RST<br>
   b) udp - ICMP port unreachable<br> b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br> c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br> d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's traditional If you are running earlier software, Shorewall will follow it's
convention:<br> traditional convention:<br>
   a) tcp - RST<br> a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li> b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def <li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br> policy is enforced.<br>
</li> </li>
</ol> </ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br> <p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p> </p>
    <b>Problems Corrected:<br> <b>Problems Corrected:<br>
</b> </b>
<ol> <ol>
<li>There were several cases where Shorewall would fail to <li>There were several cases where Shorewall would fail
remove a temporary directory from /tmp. These cases have been corrected.</li> to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface <li>The rules for allowing all traffic via the loopback
have been moved to before the rule that drops status=INVALID packets. interface have been moved to before the rule that drops status=INVALID
This insures that all loopback traffic is allowed even if Netfilter connection packets. This insures that all loopback traffic is allowed even if
tracking is confused.</li> Netfilter connection tracking is confused.</li>
</ol>
    <b>New Features:<br>
</b>
<ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a>
now supported in the /etc/shorewall/tunnels file.</li>
<li>You may now change the leading portion of the --log-prefix
used by Shorewall using the LOGMARKER variable in shorewall.conf. By default,
"Shorewall:" is used.<br>
</li>
</ol> </ol>
<b>New Features:<br>
</b>
<ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a>
now supported in the /etc/shorewall/tunnels file.</li>
<li>You may now change the leading portion of the --log-prefix
used by Shorewall using the LOGMARKER variable in shorewall.conf. By
default, "Shorewall:" is used.<br>
</li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br> <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p> </p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed! Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b> </b></p>
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br> <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p> </p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p> <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br> <p>The list server will be down this morning for upgrade to RH9.0.<br>
</p> </p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p> </b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded <p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p> to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b> <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p> </b></p>
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a <blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is in HTML format but was generated from Microsoft PowerPoint and
is best viewed using Internet Explorer (although Konqueror also seems is best viewed using Internet Explorer (although Konqueror also seems
to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor
Netscape work well to view the presentation.<br> Netscape work well to view the presentation.<br>
</blockquote> </blockquote>
<p><b></b></p>
<blockquote> <blockquote>
@ -309,8 +342,9 @@ Netscape work well to view the presentation.<br>
</ol> </ol>
</blockquote> </blockquote>
@ -325,101 +359,107 @@ Netscape work well to view the presentation.<br>
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak have </a>Jacques Nilo and Eric Wolzak
a LEAF (router/firewall/gateway on a floppy, have a LEAF (router/firewall/gateway on
CD or compact flash) distribution called a floppy, CD or compact flash) distribution
<i>Bering</i> that features Shorewall-1.3.14 called <i>Bering</i> that features
and Kernel-2.4.20. You can find their Shorewall-1.3.14 and Kernel-2.4.20. You
work at: <a can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<b>Congratulations to Jacques and Eric on the recent release <b>Congratulations to Jacques and Eric on the recent release
of Bering 1.2!!! </b><br> of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c" valign="top"
align="center"> align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<font color="#ffffff"><b>Note: <font
</b></font></strong><font color="#ffffff">Search is unavailable color="#ffffff"><b>Note: </b></font></strong><font
Daily 0200-0330 GMT.</font><br> color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong> <strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font <font
face="Arial" size="-1"> <input type="text" name="words" face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial" size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden" type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font> name="config" value="htdig"> <input type="submit" value="Search"></font>
</p> </p>
<font <font
face="Arial"> <input type="hidden" name="exclude" face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a <p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tr> <tbody>
<td width="100%" style="margin-top: 1px;"> <tr>
<td width="100%" style="margin-top: 1px;"
valign="middle">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10" alt="(Starlight Logo)">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff"><br>
but if you try it and find it useful, please consider making a donation <font size="+2"> Shorewall is free but if you try it and find
to it useful, please consider making a donation
<a href="http://www.starlight.org"><font color="#ffffff">Starlight to <a
Children's Foundation.</font></a> Thanks!</font></p> href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
</body> </body>
</html> </html>

139
STABLE/documentation/shoreline.htm
View File

@ -17,83 +17,82 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/TomNTarry.png" <p align="center"> <img border="3" src="images/Tom.jpg"
alt="Tom on the PCT - 1991" width="316" height="392"> alt="Tom - June 2003" width="640" height="480">
</p> </p>
<p align="center">Tarry &amp; Tom -- August 2002<br> <p align="center">Tom -- June 2003<br>
<br> <br>
</p> </p>
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a <li>BA Mathematics from <a
href="http://www.wsu.edu">Washington State University</a> 1967</li> href="http://www.wsu.edu">Washington State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, <li><a href="http://www.tandem.com">Tandem Computers,
Incorporated</a> (now part of the <a href="http://www.hp.com">The Incorporated</a> (now part of the <a
New HP</a>) 1980 - present</li> href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation operating <p>I am currently a member of the design team for the next-generation operating
system from the NonStop Enterprise Division of HP. </p> system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known ipchains and developed the scripts which are now collectively known
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then Expanding on what I learned from Seattle Firewall, I then
designed and wrote Shorewall. </p> designed and wrote Shorewall. </p>
<p>I telework from our <a <p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
where I live with my wife Tarry.  </p> I live with my wife Tarry.  </p>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM,
&amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows 40GB &amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal
system. Serves as a PPTP server for Road Warrior access. Dual boots <a Windows system. Serves as a PPTP server for Road Warrior access. Dual
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li> boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD,
NIC - My personal Linux System which runs Samba configured as LNE100TX(Tulip) NIC - My personal Linux System which runs Samba.
a WINS server. This system also has <a This system also has <a href="http://www.vmware.com/">VMware</a>
href="http://www.vmware.com/">VMware</a> installed and can run installed and can run both <a href="http://www.debian.org">Debian
both <a href="http://www.debian.org">Debian Woody</a> and <a Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li> machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100
NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
(Pure_ftpd), DNS server (Bind 9).</li> FTP (Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD
3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.4a  and a DHCP server.</li> 1.4.4c, a DHCP server and Samba configured as a WINS server..</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
NIC - My wife's personal system.</li> NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
built-in EEPRO100, EEPRO100 in expansion base and LinkSys WAC11 - My HD, built-in EEPRO100, EEPRO100 in expansion base - My work system.</li>
work system.</li> <li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and LinkSys LinkSys WET11 - Our Laptop.<br>
WET11 - Our Laptop.<br> </li>
</li>
</ul> </ul>
@ -106,39 +105,31 @@ both <a href="http://www.debian.org">Debian Woody</a> and <a
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> border="0" src="images/poweredbycompaqlog0.gif" hspace="3" width="83"
</a><a href="http://www.pureftpd.org"><img height="25">
</a><a href="http://www.pureftpd.org"><img
border="0" src="images/pure.jpg" width="88" height="31"> border="0" src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img </a><font size="4"><a
border="0" src="images/apache_pb1.gif" hspace="2" width="170" href="http://www.apache.org"><img border="0"
height="20"> src="images/apache_pb1.gif" hspace="2" width="170" height="20">
</a><a href="http://www.mandrakelinux.com"><img </a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90" src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32"> height="32">
</a><img src="images/shorewall.jpg" </a><img src="images/shorewall.jpg"
alt="Protected by Shorewall" width="125" height="40" hspace="4"> alt="Protected by Shorewall" width="125" height="40" hspace="4">
<a href="http://www.opera.com"><img src="images/opera.png" <a href="http://www.opera.com"><img src="images/opera.png"
alt="(Opera Logo)" width="102" height="39" border="0"> alt="(Opera Logo)" width="102" height="39" border="0">
</a>  <a href="http://www.hp.com"><img </a>  <a href="http://www.hp.com"><img
src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120" src="images/penquin_in_blue_racer_sm2.gif" alt="" width="120"
height="75" border="0"> height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p> </a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 5/8/2003 - </font><font size="2"> <a <p><font size="2">Last updated 6/15/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font <font face="Trebuchet MS"><a
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas href="copyright.htm"><font size="2">Copyright</font> © <font
M. Eastep.</font></a></font><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

82
STABLE/documentation/shorewall_mirrors.htm
View File

@ -17,74 +17,80 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left"><b>Remember that updates to the mirrors are often delayed <p align="left"><b>Remember that updates to the mirrors are often delayed
for 6-12 hours after an update to the primary rsync site. For HTML content, for 6-12 hours after an update to the primary rsync site. For HTML content,
the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>) the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p> is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a <p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a> href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
and is located in California, USA. It is mirrored at:</p> and is located in California, USA. It is mirrored at:</p>
<ul> <ul>
<li><a target="_top" href="http://slovakia.shorewall.net"> http://slovakia.shorewall.net</a> <li><a target="_top" href="http://slovakia.shorewall.net"> http://slovakia.shorewall.net</a>
(Slovak Republic).</li> (Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall" <li> <a href="http://www.infohiiway.com/shorewall"
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li> target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a> <li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a>
(Hamburg, Germany)</li> (Hamburg, Germany)</li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a> <li><a target="_top"
(Martinez (Zona Norte - GBA), Argentina)</li> href="http://france.shorewall.net">http://france.shorewall.net</a>
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a> (Paris, France)</li>
(Paris, France)</li> <li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl </a>(Santiago Chile)</li>
</a>(Santiago Chile)<br> <li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
</li> (Taipei, Taiwan)<br>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a> </li>
(Washington State, USA)<br> <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
</li> (Washington State, USA)<br>
</li>
</ul> </ul>
<p align="left">The rsync site is mirrored via FTP at:</p> <p align="left">The rsync site is mirrored via FTP at:</p>
<ul> <ul>
<li><a target="_blank" <li><a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a> href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li> (Slovak Republic).</li>
<li> <a <li> <a
href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a> href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA).</li> (Texas, USA).</li>
<li><a target="_blank" <li><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a> href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall</a>
(Hamburg, Germany)</li> (Hamburg, Germany)</li>
<li> <a target="_blank" <li> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a>
(Martinez (Zona Norte - GBA), Argentina)</li>
<li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
</li>
</ul> </ul>
Search results and the mailing list archives are always fetched from the Search results and the mailing list archives are always fetched from
site in Washington State.<br> the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 5/8/2003 - <a <p align="left"><font size="2">Last Updated 6/5/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

3398
STABLE/documentation/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

438
STABLE/documentation/sourceforge_index.htm
View File

@ -8,7 +8,7 @@
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -16,29 +16,29 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center">
<h1 align="center"> <font size="4"><i> <a <h1><font color="#ffffff">Shorewall 1.4</font><i><font
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
alt="Shorwall Logo" height="70" width="85" align="left" </td>
src="images/washington.jpg" border="0"> <td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net"
</a></i></font><font color="#ffffff">Shorewall 1.4 target="_top"><br>
- <font size="4">"<i>iptables made easy"</i></font></font><br> </a></h1>
<a target="_top" href="1.3/index.html"><font <br>
color="#ffffff"> </font></a><a target="_top" </td>
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br> </tr>
</small></small></small></font></a>
</h1>
</td>
</tr>
</tbody> </tbody>
@ -49,11 +49,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -63,37 +63,37 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> a <a href="http://www.netfilter.org">Netfilter</a>
(iptables) based firewall that can be used (iptables) based firewall that can be used
on a dedicated firewall system, a multi-function on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it it
under the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in the hope This program is distributed in the
that it will be useful, but WITHOUT ANY hope that it will be useful, but WITHOUT
WARRANTY; without even the implied warranty ANY WARRANTY; without even the implied
of MERCHANTABILITY or FITNESS FOR A PARTICULAR warranty of MERCHANTABILITY or FITNESS
PURPOSE. See the GNU General Public License FOR A PARTICULAR PURPOSE. See the GNU General
for more details.<br> Public License for more details.<br>
<br> <br>
You should have received a copy of the You should have received a copy of
GNU General Public License along the GNU General Public License
with this program; if not, write to the along with this program; if not, write to
Free Software Foundation, Inc., 675 the Free Software Foundation, Inc.,
Mass Ave, Cambridge, MA 02139, USA</p> 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -103,180 +103,232 @@ Free Software Foundation, Inc., 675
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to If so, almost <b>NOTHING </b>on this site will apply directly
your setup. If you want to use the documentation that you find here, it to your setup. If you want to use the documentation that you find here,
is best if you uninstall what you have and install a setup that matches it is best if you uninstall what you have and install a setup that matches
the documentation on this site. See the <a href="two-interface.htm">Two-interface the documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br> QuickStart Guide</a> for details.<br>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br> match your environment and follow the step by step instructions.<br>
<h2><b>News</b></h2> <h2><b>News</b></h2>
<b> </b> <b> </b>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b><b><img border="0" <p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img
src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level <p>Problems Corrected:<br>
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p> </p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b><b><img border="0" <ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly
traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; previously,
INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second column
are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may
now contain a list of addresses. If the list begins with "!' then the rule
will take effect only if the original destination address in the connection
request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and
iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version is
1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to 4 <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
characters. I've produced version 1.4.4a that restores the previous 5-character version 1.4.4.</p>
limit by conditionally omitting the log rule number when the LOGFORMAT doesn't
contain '%d'. <p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> <p>Groan -- This version corrects a problem whereby the --log-level
</b><b> </b></p> was not being set when logging via syslog. The most commonly reported symptom
I apologize for the rapid-fire releases but since there is a potential was that Shorewall messages were being written to the console even though
configuration change required to go from 1.4.3a to 1.4.4, I decided to make console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
it a full release rather than just a bug-fix release. <br> 16</a>.<br>
<br> </p>
<b>    Problems corrected:</b><br>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous 5-character
limit by conditionally omitting the log rule number when the LOGFORMAT
doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p>
I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br>
<br>
<b>    Problems corrected:</b><br>
<blockquote>None.<br> <blockquote>None.<br>
</blockquote> </blockquote>
<b>    New Features:<br> <b>    New Features:<br>
</b> </b>
<ol> <ol>
<li>A REDIRECT- rule target has been added. This target behaves <li>A REDIRECT- rule target has been added. This target behaves
for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter
nat table REDIRECT rule is added but not the companion filter table ACCEPT nat table REDIRECT rule is added but not the companion filter table ACCEPT
rule.<br> rule.<br>
<br> <br>
</li> </li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and has <li>The LOGMARKER variable has been renamed LOGFORMAT and
been changed to a 'printf' formatting template which accepts three arguments has been changed to a 'printf' formatting template which accepts three
(the chain name, logging rule number and the disposition). To use LOGFORMAT arguments (the chain name, logging rule number and the disposition). To
with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>), use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br> set it as:<br>
 <br>  <br>
       LOGFORMAT="fp=%s:%d a=%s "<br>        LOGFORMAT="fp=%s:%d a=%s "<br>
 <br>  <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the LOGFORMAT <b>CAUTION: </b>/sbin/shorewall uses the leading part of the
string (up to but not including the first '%') to find log messages in the LOGFORMAT string (up to but not including the first '%') to find log messages
'show log', 'status' and 'hits' commands. This part should not be omitted in the 'show log', 'status' and 'hits' commands. This part should not
(the LOGFORMAT should not begin with "%") and the leading part should be be omitted (the LOGFORMAT should not begin with "%") and the leading part
sufficiently unique for /sbin/shorewall to identify Shorewall messages.<br> should be sufficiently unique for /sbin/shorewall to identify Shorewall
<br> messages.<br>
</li> <br>
<li>When logging is specified on a DNAT[-] or REDIRECT[-] rule, </li>
the logging now takes place in the nat table rather than in the filter table. <li>When logging is specified on a DNAT[-] or REDIRECT[-]
This way, only those connections that actually undergo DNAT or redirection rule, the logging now takes place in the nat table rather than in the filter
will be logged.</li> table. This way, only those connections that actually undergo DNAT or redirection
will be logged.</li>
</ol> </ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b> <p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b>
</b><br> </b><br>
</p> </p>
This version primarily corrects the documentation included in the .tgz This version primarily corrects the documentation included in the
and in the .rpm. In addition: <br> .tgz and in the .rpm. In addition: <br>
<ol> <ol>
<li>(This change is in 1.4.3 but is not documented) If you <li>(This change is in 1.4.3 but is not documented) If
are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
reject replies as follows:<br> return reject replies as follows:<br>
   a) tcp - RST<br>    a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>    b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>    c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br>    d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's traditional If you are running earlier software, Shorewall will follow it's
convention:<br> traditional convention:<br>
   a) tcp - RST<br>    a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>    b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def <li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br> policy is enforced.<br>
</li> </li>
</ol> </ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br> <p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p> </p>
    <b>Problems Corrected:<br>     <b>Problems Corrected:<br>
</b> </b>
<ol> <ol>
<li>There were several cases where Shorewall would fail to <li>There were several cases where Shorewall would fail
remove a temporary directory from /tmp. These cases have been corrected.</li> to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface <li>The rules for allowing all traffic via the loopback
have been moved to before the rule that drops status=INVALID packets. interface have been moved to before the rule that drops status=INVALID
This insures that all loopback traffic is allowed even if Netfilter connection packets. This insures that all loopback traffic is allowed even if Netfilter
tracking is confused.</li> connection tracking is confused.</li>
</ol> </ol>
    <b>New Features:<br>     <b>New Features:<br>
</b> </b>
<ol> <ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 <li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4
(6to4) tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li> (6to4) tunnels </a>are now supported in the /etc/shorewall/tunnels
<li value="2">You may now change the leading portion of the file.</li>
--log-prefix used by Shorewall using the LOGMARKER variable in shorewall.conf. <li value="2">You may now change the leading portion
By default, "Shorewall:" is used.<br> of the --log-prefix used by Shorewall using the LOGMARKER variable in
</li> shorewall.conf. By default, "Shorewall:" is used.<br>
</li>
</ol> </ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br> <p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p> </p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed! Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p> <p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br> <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p> </p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p> <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br> <p>The list server will be down this morning for upgrade to RH9.0.<br>
</p> </p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p> </b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded <p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p> to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b> <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p> </b></p>
<blockquote> This morning, I gave <a href="GSLUG.htm" <blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and is in HTML format but was generated from Microsoft PowerPoint
is best viewed using Internet Explorer (although Konqueror also seems and is best viewed using Internet Explorer (although Konqueror also
to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor seems to work reasonably well as does Opera 7.1.0). Neither Opera
Netscape work well to view the presentation.</blockquote> 6 nor Netscape work well to view the presentation.</blockquote>
<p><b></b></p> <p><b></b></p>
<blockquote> <blockquote>
<ol> <ol>
@ -285,22 +337,23 @@ Netscape work well to view the presentation.</blockquote>
</ol> </ol>
</blockquote> </blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
<p><b><a href="News.htm">More News</a></b></p> <p><b><a href="News.htm">More News</a></b></p>
<b> </b> <b> </b>
<h2><b> </b></h2> <h2><b> </b></h2>
<b> </b> <b> </b>
@ -308,63 +361,66 @@ Netscape work well to view the presentation.</blockquote>
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway on have a LEAF (router/firewall/gateway
a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You Shorewall-1.3.14 and Kernel-2.4.20. You
can find their work at: <a can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric <b>Congratulations to Jacques and
on the recent release of Bering 1.2!!! </b><br> Eric on the recent release of Bering 1.2!!!
</b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img <h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo" align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1> </a></b></h1>
<b> </b> <b> </b>
<h4><b> </b></h4> <h4><b> </b></h4>
<b> </b> <b> </b>
<h2><b>This site is hosted by the generous folks at <a <h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2> href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b> <b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2> <h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td> <b> </b></td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c" valign="top"
align="center"> align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br> <p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong> <font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330 <font color="#ffffff">Search is unavailable Daily 0200-0330
GMT.</font><br> GMT.</font><br>
 </p>  </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font><font type="text" name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input <input type="hidden" name="config" value="htdig"> <input
type="submit" value="Search"></font> </p> type="submit" value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form> </form>
@ -373,31 +429,32 @@ a floppy, CD or compact flash) distribution
<p><font color="#ffffff"><b> <a <p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top" <a target="_top"
href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff"> href="file:///vfat/Shorewall-docs/1.3/index.html"><font color="#ffffff">
</font></a><a target="_top" </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br> href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;">
<td width="100%" style="margin-top: 1px;">
@ -405,27 +462,28 @@ a floppy, CD or compact flash) distribution
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff"><br>
but if you try it and find it useful, please consider making a donation <font size="+2">Shorewall is free but if you try it and find
to it useful, please consider making a donation
<a href="http://www.starlight.org"><font color="#ffffff">Starlight to <a
Children's Foundation.</font></a> Thanks!</font></p> href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
</body> </body>
</html> </html>

367
STABLE/documentation/support.htm
View File

@ -13,47 +13,47 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td <td
width="100%"> width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There There
are a number of sources of Shorewall information. Please try these are a number of sources of Shorewall information. Please try these
before you post. before you post.
<ul> <ul>
<li>Shorewall versions earlier <li>Shorewall versions earlier
that 1.3.0 are no longer supported.<br> that 1.3.0 are no longer supported.<br>
</li> </li>
<li>More than half of the questions posted on the support <li>More than half of the questions posted on the support
list have answers directly accessible from the <a list have answers directly accessible from the <a
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a><br> Index</a><br>
</li> </li>
<li> <li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
solutions to more than 20 common problems. </li> solutions to more than 20 common problems. </li>
<li> The <li> The
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to help Information contains a number of tips to
you solve common problems. </li> help you solve common problems. </li>
<li> The <li> The
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links <a href="http://www.shorewall.net/errata.htm"> Errata</a> has links
to download updated components. </li> to download updated components. </li>
<li> The <li> The
Site and Mailing List Archives search facility can locate Site and Mailing List Archives search facility can locate
documents and posts about similar problems: </li> documents and posts about similar problems: </li>
</ul> </ul>
@ -68,13 +68,13 @@ documents and posts about similar problems: </li>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -84,7 +84,7 @@ documents and posts about similar problems: </li>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" </font><input type="hidden" name="config"
value="htdig"><input type="hidden" name="restrict" value=""><font value="htdig"><input type="hidden" name="restrict" value=""><font
size="-1"> Include Mailing List Archives: size="-1"> Include Mailing List Archives:
@ -92,97 +92,99 @@ documents and posts about similar problems: </li>
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"><br> value=""> <input type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know what <li>Please remember we only know
is posted in your message. Do not leave out any information what is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous that appears to be correct, or was mentioned in a previous
post. There have been countless posts by people who were sure post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail contained a small error. We tend to be skeptics where detail
is lacking.<br> is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're <li>Please keep in mind that you're
asking for <strong>free</strong> technical support. asking for <strong>free</strong> technical support.
Any help we offer is an act of generosity, not an obligation. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is better error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br> than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> <li>
Please don't describe your environment and then ask Please don't describe your environment and then ask
us to send you custom configuration files. We're us to send you custom configuration files. We're
here to answer your questions but we can't do here to answer your questions but we can't do
your job for you.<br> your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li> include this information:</li>
</ul> </ul>
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall <li>the exact version of Shorewall
you are running.<br> you are running.<br>
<br> <br>
<b><font color="#009900">shorewall <b><font color="#009900">shorewall
version</font><br> version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you <li>the exact kernel version you
are running<br> are running<br>
<br> <br>
<font color="#009900"><b>uname <font color="#009900"><b>uname
-a<br> -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output
<br> of<br>
<font color="#009900"><b>ip addr <br>
show<br> <font color="#009900"><b>ip
<br> addr show<br>
</b></font></li> <br>
</b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output
<br> of<br>
<font color="#009900"><b>ip route <br>
show<br> <font color="#009900"><b>ip
<br> route show<br>
</b></font></li> <br>
</b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, <li>If your kernel is modularized,
the exact output from<br> the exact output from<br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
</li> </li>
</ul> </ul>
@ -192,74 +194,74 @@ are running<br>
<ul> <ul>
<ul> <ul>
<li><font color="#ff0000"><u><i><big><b>If you are having <li><font color="#ff0000"><u><i><big><b>If you are having
connection problems of any kind then:</b></big></i></u></font><br> connection problems of any kind then:</b></big></i></u></font><br>
<br> <br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br> 1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status 3.<b><font color="#009900"> /sbin/shorewall status
&gt; /tmp/status.txt</font></b><br> &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
<li>the exact wording of any <code <li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart <li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br> Guides, please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using <li><b>If you are running Shorewall under Mandrake using
the Mandrake installation of Shorewall, please say so.<br> the Mandrake installation of Shorewall, please say so.<br>
<br> <br>
</b></li> </b></li>
</ul> </ul>
<li>As
a general matter, please <strong>do not edit the diagnostic <li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time, secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained in a hacker could derive them anyway from information contained
the SMTP headers of your post).<br> in the SMTP headers of your post).<br>
<br> <br>
<strong></strong></li> <strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font <li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, you exercise the function that is giving you problems? If
include the message(s) in your post along with a copy of your /etc/shorewall/interfaces so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br> file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration <li>Please include any of the Shorewall configuration
files (especially the /etc/shorewall/hosts file files (especially the /etc/shorewall/hosts file
if you have modified that file) that you think are if you have modified that file) that you think are
relevant. If you include /etc/shorewall/rules, please include relevant. If you include /etc/shorewall/rules, please include
/etc/shorewall/policy as well (rules are meaningless unless one /etc/shorewall/policy as well (rules are meaningless unless
also knows the policies).<br> one also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to "<font <li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a trace color="#009900"><b>shorewall start</b></font>", include a trace
(See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> (See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't <li><b>The list server limits posts to 120kb so don't
post GIFs of your network layout, etc. post GIFs of your network layout, etc.
to the Mailing List -- your post will be rejected.</b></li> to the Mailing List -- your post will be rejected.</b></li>
</ul> </ul>
<blockquote> The author gratefully acknowleges that the above list was <blockquote> The author gratefully acknowleges that the above list was
heavily plagiarized from the excellent LEAF document by <i>Ray</i> heavily plagiarized from the excellent LEAF document by <i>Ray</i>
<em>Olszewski</em> found at <a <em>Olszewski</em> found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
@ -267,52 +269,63 @@ to the Mailing List -- your post will be rejected.</b></li>
rejecting all HTML traffic. At least one MTA has gone so far as to rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br> my policy to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML I think that blocking all HTML
is a Draconian way to control spam and that the ultimate is a Draconian way to control spam and that the ultimate
losers here are not the spammers but the list subscribers losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber whose MTAs are bouncing all shorewall.net mail. As one list
wrote to me privately "These e-mail admin's need to get a <i>(expletive subscriber wrote to me privately "These e-mail admin's need
deleted)</i> life instead of trying to rid the planet of HTML based to get a <i>(expletive deleted)</i> life instead of trying to
e-mail". Nevertheless, to allow subscribers to receive list posts rid the planet of HTML based e-mail". Nevertheless, to allow
as must as possible, I have now configured the list server at subscribers to receive list posts as must as possible, I have now
shorewall.net to strip all HTML from outgoing posts.<br> configured the list server at shorewall.net to strip all HTML from
</blockquote> outgoing posts.<br>
<br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server
and it doesn't have a valid DNS PTR record, your email won't reach the lists
unless/until the postmaster notices that your posts are being rejected. To
avoid this problem, you should configure your MTA to forward posts to shorewall.net
through an MTA that <u>does</u> have a valid PTR record (such as the one
at your ISP). </b></font></big><br>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a to the <a
href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4> list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft <b>If you run Shorewall under
Multi Network Firewall (MNF) and you have not purchased MandrakeSoft Multi Network Firewall (MNF) and you have
an MNF license from MandrakeSoft then you can post non MNF-specific not purchased an MNF license from MandrakeSoft then you can
Shorewall questions to the </b><a post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list.</b><br> list</a>. <b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>If you have a question, you may post it on the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Forum</a>:
<font color="#ff6666"><b>DO NOT USE THE FORUM FOR REPORTING PROBLEMS OR
ASKING FOR HELP WITH PROBLEMS.<br>
</b></font><br>
Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> .</p> list</a> .</p>
<p> To Subscribe to the mailing list go to <a <p> To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br> .<br>
</p> </p>
</blockquote> </blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br> href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 5/28/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 6/14/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
</body> </body>
</html> </html>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.4b VERSION=1.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

191
STABLE/firewall
View File

@ -354,11 +354,11 @@ setpolicy() # $1 = name of chain, $2 = policy
} }
# #
# Set a standard chain to enable established connections # Set a standard chain to enable established and related connections
# #
setcontinue() # $1 = name of chain setcontinue() # $1 = name of chain
{ {
run_iptables -A $1 -m state --state ESTABLISHED -j ACCEPT run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
} }
# #
@ -1000,7 +1000,7 @@ stop_firewall() {
while read interface host; do while read interface host; do
expandv interface host expandv interface host
[ "x$host" = "x-" -o -z "$hosts" ] && host=0.0.0.0/0 [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in `separate_list $host`; do for h in `separate_list $host`; do
hosts="$hosts $interface:$h" hosts="$hosts $interface:$h"
done done
@ -1793,19 +1793,13 @@ refresh_tc() {
# #
add_nat_rule() { add_nat_rule() {
local chain local chain
local excludedests=
# Be sure we should and can NAT # Be sure we can NAT
case $logtarget in if [ -z "$NAT_ENABLED" ]; then
DNAT|REDIRECT) fatal_error "Rule \"$rule\" requires NAT which is disabled"
if [ -z "$NAT_ENABLED" ]; then fi
fatal_error "Rule \"$rule\" requires NAT which is disabled"
fi
;;
*)
fatal_error "Only DNAT and REDIRECT rules may specify port mapping; rule \"$rule\""
;;
esac
# Parse SNAT address if any # Parse SNAT address if any
@ -1823,14 +1817,20 @@ add_nat_rule() {
addr= addr=
;; ;;
detect) detect)
addr= addr=
if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then
eval interfaces=\$${source}_interfaces eval interfaces=\$${source}_interfaces
for interface in $interfaces; do for interface in $interfaces; do
addr="`find_interface_address $interface` $addr" addr=${addr:+$addr,}`find_interface_address $interface`
done done
fi fi
;; ;;
!*)
if [ `list_count $addr` -gt 1 ]; then
excludedests="`separate_list ${addr#\!}`"
addr=
fi
;;
esac esac
addr=${addr:-0.0.0.0/0} addr=${addr:-0.0.0.0/0}
@ -1844,42 +1844,75 @@ add_nat_rule() {
target1="REDIRECT --to-port $servport" target1="REDIRECT --to-port $servport"
fi fi
if [ $source = $FW ]; then
[ -n "$excludezones" ] && fatal_error "Invalid Source in rule \"$rule\""
fi
# Generate nat table rules # Generate nat table rules
if [ $command != check ]; then if [ $command != check ]; then
if [ "$source" = "$FW" ]; then if [ "$source" = "$FW" ]; then
run_iptables2 -t nat -A OUTPUT $proto $sports -d $addr \ if [ -n "$excludedests" ]; then
$multiport $dports -j $target1
else
chain=`dnat_chain $source`
if [ -n "$excludezones" ]; then
chain=nonat${nonat_seq} chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1)) nonat_seq=$(($nonat_seq + 1))
createnatchain $chain createnatchain $chain
addnatrule `dnat_chain $source` -j $chain run_iptables -t nat -A OUTPUT $cli $proto $multiport $sports $dports -j $chain
for adr in $excludedests; do
addnatrule $chain -d $adr -j RETURN
done
if [ -n "$loglevel" ]; then
log_rule $loglevel $chain $logtarget -t nat
fi
addnatrule $chain -j $target1
else
for adr in `separate_list $addr`; do
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \
$multiport $dports -j $target1
done
fi
else
chain=`dnat_chain $source`
if [ -n "${excludezones}${excludedests}" ]; then
chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1))
createnatchain $chain
addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -j $chain
for z in $excludezones; do for z in $excludezones; do
eval hosts=\$${z}_hosts eval hosts=\$${z}_hosts
for host in $hosts; do for host in $hosts; do
for adr in $addr; do for adr in `separate_list $addr`; do
addnatrule $chain $proto -s ${host#*:} \ addnatrule $chain -s ${host#*:} -d $adr -j RETURN
$multiport $sports -d $adr $dports -j RETURN
done done
done done
done done
for adr in $excludedests; do
addnatrule $chain -d $adr -j RETURN
done
for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then
log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr`
fi
addnatrule $chain -d $adr -j $target1
done
else
for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then
ensurenatchain $chain
log_rule $loglevel $chain $logtarget -t nat \
`fix_bang $proto $cli $sports -d $adr $multiport $dports`
fi
addnatrule $chain $proto $cli $sports \
-d $adr $multiport $dports -j $target1
done
fi fi
for adr in $addr; do
if [ -n "$loglevel" ]; then
ensurenatchain $chain
log_rule $loglevel $chain $logtarget -t nat \
`fix_bang $proto $cli $sports -d $adr $multiport $dports`
loglevel=
fi
addnatrule $chain $proto $cli $sports \
-d $adr $multiport $dports -j $target1
done
fi fi
fi fi
@ -1930,11 +1963,13 @@ add_nat_rule() {
# #
add_a_rule() add_a_rule()
{ {
# Set source variables local natrule=
# Set source variables. The 'cli' variable will hold the client match predicate(s).
cli= cli=
[ -n "$client" ] && case "$client" in case "$client" in
-) -)
;; ;;
*:*) *:*)
@ -1947,16 +1982,16 @@ add_a_rule()
cli=`mac_match $client` cli=`mac_match $client`
;; ;;
*) *)
cli="-i $client" [ -n "$client" ] && cli="-i $client"
;; ;;
esac esac
# Set destination variables # Set destination variables - 'serv' and 'dest_interface' hold the server match predicate(s).
dest_interface= dest_interface=
serv= serv=
[ -n "$server" ] && case "$server" in case "$server" in
-) -)
;; ;;
*.*.*) *.*.*)
@ -1966,7 +2001,7 @@ add_a_rule()
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address" fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;; ;;
*) *)
dest_interface="-o $server" [ -n "$server" ] && dest_interface="-o $server"
;; ;;
esac esac
@ -2032,10 +2067,12 @@ add_a_rule()
[ -n "$serv" ] && startup_error "REDIRECT rules cannot"\ [ -n "$serv" ] && startup_error "REDIRECT rules cannot"\
" specify a server IP; rule: \"$rule\"" " specify a server IP; rule: \"$rule\""
servport=${servport:=$port} servport=${servport:=$port}
natrule=Yes
;; ;;
DNAT) DNAT)
[ -n "$serv" ] || fatal_error "DNAT rules require a" \ [ -n "$serv" ] || fatal_error "DNAT rules require a" \
" server address; rule: \"$rule\"" " server address; rule: \"$rule\""
natrule=Yes
;; ;;
LOG) LOG)
[ -z "$loglevel" ] && fatal_error "LOG requires log level" [ -z "$loglevel" ] && fatal_error "LOG requires log level"
@ -2044,7 +2081,7 @@ add_a_rule()
# Complain if the rule is really a policy # Complain if the rule is really a policy
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" ]; then if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a "$logtarget" != LOG ]; then
error_message "Warning -- Rule \"$rule\" is a POLICY" error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file" error_message " -- and should be moved to the policy file"
fi fi
@ -2054,15 +2091,16 @@ add_a_rule()
# A specific server or server port given # A specific server or server port given
if [ -n "$addr" -a "$addr" != "$serv" ]; then if [ -n "$natrule" ]; then
add_nat_rule
elif [ -n "$servport" -a "$servport" != "$port" ]; then
add_nat_rule add_nat_rule
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\""
fi fi
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}" serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \ log_rule $loglevel $chain $logtarget \
`fix_bang $proto $sports $multiport $state $cli $serv $dports` `fix_bang $proto $sports $multiport $state $cli $serv $dports`
fi fi
@ -2126,7 +2164,12 @@ process_rule() # $1 = target
logtarget="$target" logtarget="$target"
dnat_only= dnat_only=
# Convert 1.3 Rule formats to 1.2 format # Tranform the rule:
#
# - set 'target' to the filter table target.
# - make $FW the destination for REDIRECT
# - remove '-' suffix from logtargets while setting 'dnat_only'
# - clear 'address' if it has been set to '-'
[ "x$address" = "x-" ] && address= [ "x$address" = "x-" ] && address=
@ -2185,9 +2228,7 @@ process_rule() # $1 = target
fatal_error "Exclude list only allowed with DNAT or REDIRECT" fatal_error "Exclude list only allowed with DNAT or REDIRECT"
fi fi
if ! validate_zone $clientzone; then validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
fatal_error "Undefined Client Zone in rule \"$rule\""
fi
# Parse and validate destination # Parse and validate destination
@ -2220,7 +2261,7 @@ process_rule() # $1 = target
dest=$serverzone dest=$serverzone
# Create canonical chain if necessary # Ensure that this rule doesn't apply to a NONE policy pair of zones
chain=${source}2${dest} chain=${source}2${dest}
@ -2229,11 +2270,14 @@ process_rule() # $1 = target
[ $policy = NONE ] && \ [ $policy = NONE ] && \
fatal_error "Rules may not override a NONE policy: rule \"$rule\"" fatal_error "Rules may not override a NONE policy: rule \"$rule\""
[ $command = check ] || ensurechain $chain # Be sure that this isn't a fw->fw rule.
if [ "x$chain" = x${FW}2${FW} ]; then if [ "x$chain" = x${FW}2${FW} ]; then
case $logtarget in case $logtarget in
REDIRECT) REDIRECT|DNAT)
#
# Redirect rules that have the firewall as the source are fw->fw rules
#
;; ;;
*) *)
error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored" error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
@ -2241,6 +2285,9 @@ process_rule() # $1 = target
;; ;;
esac esac
else else
# Create the canonical chain if it doesn't already exist
[ $command = check ] || ensurechain $chain [ $command = check ] || ensurechain $chain
fi fi
@ -2252,15 +2299,25 @@ process_rule() # $1 = target
`list_count $ports` -le 15 -a \ `list_count $ports` -le 15 -a \
`list_count $cports` -le 15 ] `list_count $cports` -le 15 ]
then then
#
# MULTIPORT is enabled, there are no port ranges in the rule and less than
# 16 ports are listed - use multiport match.
#
multioption="-m multiport" multioption="-m multiport"
for client in `separate_list ${clients:=-}`; do for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do for server in `separate_list ${servers:=-}`; do
#
# add_a_rule() modifies these so we must set their values each time
#
port=${ports:=-} port=${ports:=-}
cport=${cports:=-} cport=${cports:=-}
add_a_rule add_a_rule
done done
done done
else else
#
# MULTIPORT is disabled or the rule isn't compatible with multiport match
#
multioption= multioption=
for client in `separate_list ${clients:=-}`; do for client in `separate_list ${clients:=-}`; do
for server in `separate_list ${servers:=-}`; do for server in `separate_list ${servers:=-}`; do
@ -2272,7 +2329,9 @@ process_rule() # $1 = target
done done
done done
fi fi
#
# Report Result
#
if [ $command = check ]; then if [ $command = check ]; then
echo " Rule \"$rule\" checked." echo " Rule \"$rule\" checked."
else else
@ -3774,9 +3833,11 @@ activate_rules()
complete_standard_chain INPUT all $FW complete_standard_chain INPUT all $FW
complete_standard_chain OUTPUT $FW all complete_standard_chain OUTPUT $FW all
complete_standard_chain FORWARD all all complete_standard_chain FORWARD all all
#
# Remove rules added to keep the firewall alive during [re]start"
#
for chain in INPUT OUTPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
run_iptables -D $chain -m state --state ESTABLISHED -j ACCEPT run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D $chain -p udp --dport 53 -j ACCEPT run_iptables -D $chain -p udp --dport 53 -j ACCEPT
done done
} }

28
STABLE/functions
View File

@ -83,29 +83,23 @@ find_display() # $1 = zone, $2 = name of the zone file
[ "x$1" = "x$z" ] && echo $display [ "x$1" = "x$z" ] && echo $display
done done
} }
#
# This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
#
determine_zones() determine_zones()
{ {
local zonefile=`find_file zones` local zonefile=`find_file zones`
multi_display=Multi-zone multi_display=Multi-zone
strip_file zones $zonefile
zones=`find_zones $TMP_DIR/zones`
zones=`echo $zones` # Remove extra trash
if [ -f $zonefile ]; then for zone in $zones; do
zones=`find_zones $zonefile` dsply=`find_display $zone $TMP_DIR/zones`
zones=`echo $zones` # Remove extra trash eval ${zone}_display=\$dsply
done
for zone in $zones; do
dsply=`find_display $zone $zonefile`
eval ${zone}_display=\$dsply
done
else
zones="net local dmz gw"
net_display=Net
local_display=Local
dmz_display=DMZ
gw_display=Gateway
fi
} }
# #

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.4b VERSION=1.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {

39
STABLE/releasenotes.txt
View File

@ -2,32 +2,19 @@ This is a minor release of Shorewall.
Problems Corrected: Problems Corrected:
1) The command "shorewall debug try <directory>" now correctly traces
the attempt.
2) The INCLUDE directive now works properly in the zones file;
previously, INCLUDE in that file was ignored.
3) /etc/shorewall/routestopped records with an empty second column are no
longer ignored.
New Features: New Features:
1) A REDIRECT- rule target has been added. This target behaves for 1) The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now
REDIRECT in the same was as DNAT- does for DNAT in that the contain a list of addresses. If the list begins with "!' then the
Netfilter nat table REDIRECT rule is added but not the companion rule will take effect only if the original destination address in
filter table ACCEPT rule. the connection request does not match any of the addresses listed.
2) The LOGMARKER variable has been renamed LOGFORMAT and has been
changed to a 'printf' formatting template which accepts three
arguments (the chain name, logging rule number (optional) and the
disposition). The logging rule number is included if the LOGFORMAT
value contains '%d'. For example, to use LOGFORMAT with fireparse,
set it as:
LOGFORMAT="fp=%s:%d a=%s "
CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT
string (up to but not including the first '%') to find log messages
in the 'show log', 'status' and 'hits' commands. This part should
not be omitted (the LOGFORMAT should not begin with "%") and the
leading part should be sufficiently unique for /sbin/shorewall to
identify Shorewall messages.
3) When logging is specified on a DNAT[-] or REDIRECT[-] rule, the
logging now takes place in the nat table rather than in the filter
table. This way, only those connections that actually undergo DNAT
or redirection will be logged.

21
STABLE/rules
View File

@ -31,6 +31,11 @@
# the companion ACCEPT rule. # the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
# CONTINUE -- (For experts only). Do not process # CONTINUE -- (For experts only). Do not process
# any of the following rules for this # any of the following rules for this
# (source zone,destination zone). If # (source zone,destination zone). If
@ -157,14 +162,24 @@
# Otherwise, a separate rule will be generated for each # Otherwise, a separate rule will be generated for each
# port. # port.
# #
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
# REDIRECT) If included and different from the IP # REDIRECT[-]) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
# on some interface on the firewall and connections to # on some interface on the firewall and connections to
# that address will be forwarded to the IP and port # that address will be forwarded to the IP and port
# specified in the DEST column. # specified in the DEST column.
# #
# The address may optionally be followed by # A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# The address (list) may optionally be followed by
# a colon (":") and a second IP address. This causes # a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source # Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall # address in forwarded packets. See the Shorewall

15
STABLE/shorewall
View File

@ -348,7 +348,16 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
timeout=$1 timeout=$1
fi fi
qt which awk && { haveawk=Yes; determine_zones; } || haveawk=
if qt which awk; then
TMP_DIR=/tmp/shorewall-$$
mkdir $TMP_DIR
haveawk=Yes
determine_zones
rm -rf $TMP_DIR
else
haveawk=
fi
while true; do while true; do
display_chains display_chains
@ -756,7 +765,7 @@ case "$1" in
echo " HITS PORT SERVICE(S)" echo " HITS PORT SERVICE(S)"
echo " ---- ----- ----------" echo " ---- ----- ----------"
grep '${LOGFORMAT}.*DPT' $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \ grep "$LOGFORMAT.*DPT" $LOGFILE | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
while read count port ; do while read count port ; do
# List all services defined for the given port # List all services defined for the given port
srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u` srv=`grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | sort -u`
@ -776,7 +785,7 @@ case "$1" in
try) try)
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\"" [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
[ $# -lt 2 -o $# -gt 3 ] && usage 1 [ $# -lt 2 -o $# -gt 3 ] && usage 1
if ! $0 -c $2 restart; then if ! $0 $debugging -c $2 restart; then
if ! iptables -L shorewall > /dev/null 2> /dev/null; then if ! iptables -L shorewall > /dev/null 2> /dev/null; then
$0 start $0 start
fi fi

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.4b %define version 1.4.5
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Tue Jun 17 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.5-1
* Thu May 29 2003 Tom Eastep <tom@shorewall.net> * Thu May 29 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.4b-1 - Changed version to 1.4.4b-1
* Tue May 27 2003 Tom Eastep <tom@shorewall.net> * Tue May 27 2003 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.4b VERSION=1.4.5
usage() # $1 = exit status usage() # $1 = exit status
{ {