More doc updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6676 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-06-25 23:37:55 +00:00
parent 611373bbb6
commit dbb555f56d
5 changed files with 188 additions and 19 deletions

View File

@ -414,7 +414,7 @@ Reject:REJECT #Default Action for REJECT policy</programlisting>
<para>If you dont want to define a test but need to specify anything <para>If you dont want to define a test but need to specify anything
in the following columns, place a "-" in this field.<simplelist> in the following columns, place a "-" in this field.<simplelist>
<member> ! — Inverts the test (not equal)</member> <member>! — Inverts the test (not equal)</member>
<member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet <member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
or connection mark.</member> or connection mark.</member>
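Review bot: the unchanged context line `If you dont want to define a test` is missing the apostrophe in `don't`; since this hunk already touches the neighbouring `<simplelist>` markup (removing the space before `!`), fix the typo in the same change rather than leaving it for a later pass.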
@ -554,8 +554,27 @@ acton:info:test $FW net</programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>For an example of how to use these variables, see <ulink <para>Shorewall-perl sets lexical variables as follows:</para>
url="PortKnocking.html">this article</ulink>.</para>
<itemizedlist>
<listitem>
<para>$chainref is a reference to the chain-table entry for the chain
where your rules are to be placed.</para>
</listitem>
<listitem>
<para>$level is the log level. If false, no logging was
specified.</para>
</listitem>
<listitem>
<para>$tag is the log tag.</para>
</listitem>
</itemizedlist>
<para>For an example of how to use these variables in both Shorewall-shell
and Shorewall-perl, see <ulink url="PortKnocking.html">this
article</ulink>.</para>
</section> </section>
<section id="Extension"> <section id="Extension">
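Review bot: the new description of `$chainref` (`a reference to the chain-table entry for the chain where your rules are to be placed`) leaves readers guessing how to use it; say it is a hash reference whose `name` element holds the iptables chain name, which is exactly what the Limit listing in the PortKnocking change of this commit relies on via `$chainref->{name}`. It would also help to state that these three variables are visible only inside the extension script (they are called lexical) and that they correspond to the `$CHAIN`, `$LEVEL` and `$TAG` environment variables used by the Shorewall-shell SSHKnock listing, so readers porting scripts know which name maps to which.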
@ -583,7 +602,9 @@ acton:info:test $FW net</programlisting>
</blockquote>When using Shorewall-Perl:<blockquote> </blockquote>When using Shorewall-Perl:<blockquote>
<para>/etc/shorewall/DropBcasts<programlisting>use Shorewall::Chains; <para>/etc/shorewall/DropBcasts<programlisting>use Shorewall::Chains;
add_rule( $chainref, '-m pkttype --pkttype broadcast -j DROP' );</programlisting></para> add_rule( $chainref, '-m pkttype --pkttype broadcast -j DROP' );
1;</programlisting></para>
</blockquote></para> </blockquote></para>
</example> </example>
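Review bot: the `1;` now appended to the DropBcasts listing is not explained anywhere in the text; add a sentence saying that a Shorewall-perl extension script must end by returning a true value (the SSHKnock and Limit listings in this commit end the same way), otherwise readers will treat the line as noise and drop it when copying the example.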

View File

@ -293,6 +293,15 @@ xt_tcpudp 3328 0
<section> <section>
<title>FTP on Non-standard Ports</title> <title>FTP on Non-standard Ports</title>
<note>
<para>If you are running <emphasis role="bold">kernel 2.6.20 or
later</emphasis>, replace <emphasis
role="bold">ip_conntrack_ftp</emphasis> with <emphasis
role="bold">nf_conntrack_ftp</emphasis> in the following instructions.
Similarly, replace <emphasis role="bold">ip_nat_ftp</emphasis> with
<emphasis role="bold">nf_nat_ftp</emphasis>.</para>
</note>
<para>The above discussion about commands and responses makes it clear <para>The above discussion about commands and responses makes it clear
that the FTP connection-tracking and NAT helpers must scan the traffic on that the FTP connection-tracking and NAT helpers must scan the traffic on
the control connection looking for PASV and PORT commands as well as PASV the control connection looking for PASV and PORT commands as well as PASV

View File

@ -91,13 +91,27 @@
page</ulink>.</para> page</ulink>.</para>
<para>If you try to install the wrong package, it probably won't <para>If you try to install the wrong package, it probably won't
work.</para> work.<note>
<para>If you are installing Shorewall 4.0.0 or later then you need
to install at least two packages.<itemizedlist>
<listitem>
<para>Shorewall</para>
</listitem>
<listitem>
<para>Either Shorewall-shell (the classic shell-based
configuration compiler) and/or Shorewall-perl (the newer and
faster compiler written in Perl).</para>
</listitem>
</itemizedlist>If you are installing Shorewall for the first
time, we strongly suggest that you install Shorewall-perl.</para>
</note></para>
</listitem> </listitem>
<listitem> <listitem>
<para>Install the RPM</para> <para>Install the RPM</para>
<programlisting><command>rpm -ivh &lt;shorewall rpm&gt;</command></programlisting> <programlisting><command>rpm -ivh &lt;shorewall rpm&gt; &lt;compiler rpm&gt; ...</command></programlisting>
<caution> <caution>
<para>Some users are in the habit of using the <command>rpm <para>Some users are in the habit of using the <command>rpm
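Review bot: `Either Shorewall-shell ... and/or Shorewall-perl` in the new note is self-contradictory, since `Either` implies exactly one and `and/or` allows both; say `One or both of the configuration compilers: ...`, which matches the tarball note later in this file (`You can choose to install one or both compilers`). The `&lt;compiler rpm&gt; ...` placeholder in the listing is fine, but the prose should also say that both compiler RPMs may be given on the one `rpm -ivh` line, since the ellipsis alone does not make that obvious.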
@ -115,7 +129,7 @@
though a 2.4 kernel is installed. If this happens, simply use the though a 2.4 kernel is installed. If this happens, simply use the
--nodeps option to rpm.</para> --nodeps option to rpm.</para>
<programlisting><filename><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></filename></programlisting> <programlisting><filename><command>rpm -ivh --nodeps &lt;rpms&gt;</command></filename></programlisting>
</note> </note>
<note> <note>
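Review bot: the changed listing keeps `<command>` wrapped inside `<filename>` (`<filename><command>rpm -ivh --nodeps ...`), whereas the sibling listings in this file use `<command>` alone; since the line is being edited anyway, drop the stray `<filename>` element. Also, `&lt;rpms&gt;` is vaguer than the `&lt;shorewall rpm&gt; &lt;compiler rpm&gt; ...` placeholder introduced in the first hunk of this file; use the same form so readers know which packages belong on the line.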
@ -129,7 +143,7 @@
package (see 1., above) but may be worked around by using the package (see 1., above) but may be worked around by using the
--nodeps option of rpm.</para> --nodeps option of rpm.</para>
<programlisting><command>rpm -ivh --nodeps &lt;shorewall rpm&gt;</command></programlisting> <programlisting><command>rpm -ivh --nodeps &lt;rpms&gt;</command></programlisting>
</note> </note>
</listitem> </listitem>
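Review bot: same placeholder inconsistency as the previous hunk: `&lt;rpms&gt;` here versus `&lt;shorewall rpm&gt; &lt;compiler rpm&gt; ...` in the install step above; pick one form for the whole file.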
@ -165,6 +179,43 @@
<section id="Install_Tarball"> <section id="Install_Tarball">
<title>Install using tarball</title> <title>Install using tarball</title>
<note>
<para>If you are installing Shorewall 4.0.0 or later, then you need to
install one of the configuration compilers <emphasis
role="bold">before</emphasis> you install Shorewall itself. You can
choose to install one or both compilers:<itemizedlist>
<listitem>
<para>Shorewall-shell - the classic configuration compiler written
in Bourne Shell.</para>
</listitem>
<listitem>
<para>Shorewall-perl - a newer and faster compiler written in
Perl.</para>
</listitem>
</itemizedlist>If you are installing Shorewall for the first time, we
strongly suggest that you install Shorewall-perl.</para>
<para>To install Shorewall-perl:<orderedlist>
<listitem>
<para>unpack the tarball (tar -zxf
shorewall-perl-x.y.z.tgz).</para>
</listitem>
<listitem>
<para>cd to the shorewall-perl directory (the version is encoded
in the directory name as in
<quote>shorewall-perl-4.0.0</quote>).</para>
</listitem>
<listitem>
<para>Type:</para>
<programlisting><command>./install.sh</command></programlisting>
</listitem>
</orderedlist>Installing Shorewall-shell is similar.</para>
</note>
<para>To install Shorewall using the tarball and install script:</para> <para>To install Shorewall using the tarball and install script:</para>
<orderedlist> <orderedlist>
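Review bot: in the new Shorewall-perl steps, `tar -zxf shorewall-perl-x.y.z.tgz` and `cd to the shorewall-perl directory` appear as bare prose while step 3 uses `<programlisting><command>./install.sh</command></programlisting>`; mark the tar command up the same way, and settle on one version placeholder (`x.y.z` in step 1, a quoted `4.0.0` in step 2). The note stresses that a compiler must be installed `before` Shorewall itself but gives no hint of what goes wrong otherwise; a short clause describing what the Shorewall installer checks would justify the emphasis.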
@ -312,7 +363,7 @@ Pin-Priority: 700</programlisting><emphasis role="bold"><emphasis>Then
<listitem> <listitem>
<para>Upgrade the RPM</para> <para>Upgrade the RPM</para>
<programlisting><command>rpm -Uvh &lt;shorewall rpm file&gt;</command></programlisting> <programlisting><command>rpm -Uvh &lt;shorewall rpm file&gt; &lt;compiler rpm file&gt; ...</command></programlisting>
<note> <note>
<para>Some <trademark>SUSE</trademark> users have encountered a <para>Some <trademark>SUSE</trademark> users have encountered a
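Review bot: `Upgrade the RPM` is now a multi-package command (`&lt;shorewall rpm file&gt; &lt;compiler rpm file&gt; ...`); retitle the step `Upgrade the RPMs` and say in prose that the compiler package is upgraded in the same `rpm -Uvh` invocation, as the listing suggests, so users coming from a pre-4.0 release do not omit it.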
@ -320,7 +371,7 @@ Pin-Priority: 700</programlisting><emphasis role="bold"><emphasis>Then
though a 2.4 kernel is installed. If this happens, simply use the though a 2.4 kernel is installed. If this happens, simply use the
--nodeps option to rpm.</para> --nodeps option to rpm.</para>
<programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting> <programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt; &lt;compiler rpm&gt; ...</command></programlisting>
</note> </note>
<note> <note>
@ -333,7 +384,7 @@ Pin-Priority: 700</programlisting><emphasis role="bold"><emphasis>Then
<para>This may be worked around by using the --nodeps option of <para>This may be worked around by using the --nodeps option of
rpm.</para> rpm.</para>
<programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt;</command></programlisting> <programlisting><command>rpm -Uvh --nodeps &lt;shorewall rpm&gt; &lt;compiler-rpm&gt; ...</command></programlisting>
</note> </note>
</listitem> </listitem>
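Review bot: placeholder naming drifts within this one section: `&lt;shorewall rpm file&gt; &lt;compiler rpm file&gt;` in the first upgrade hunk, `&lt;shorewall rpm&gt; &lt;compiler rpm&gt;` in the second, and `&lt;compiler-rpm&gt;` here; use one spelling throughout.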
@ -530,7 +581,7 @@ tar -xzvf /mnt/package2.lrp
</blockquote> </blockquote>
<para>For information on other LEAF/Bering upgrade tools, check out <ulink <para>For information on other LEAF/Bering upgrade tools, check out <ulink
url="http://leaf.cvs.sourceforge.net/*checkout*/leaf/devel/alexrh/lck/README.html">this url="http://leaf.cvs.sourceforge.net/*checkout*/leaf/devel/alexrh/lck/README.html">this
article by Alex Rhomberg</ulink>.</para> article by Alex Rhomberg</ulink>.</para>
</section> </section>

View File

@ -40,7 +40,7 @@
<para>The feature described in this article require '<ulink <para>The feature described in this article require '<ulink
url="http://snowman.net/projects/ipt_recent/">Recent Match</ulink>' in url="http://snowman.net/projects/ipt_recent/">Recent Match</ulink>' in
your iptables and kernel. See the output of <command>shorewall show your iptables and kernel. See the output of <command>shorewall show
capabilities</command> to see if you have that match. </para> capabilities</command> to see if you have that match.</para>
</note> </note>
<section> <section>
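Review bot: the change only strips a trailing space before `</para>`, but the context line `The feature described in this article require` has a subject/verb mismatch (`requires`), and the straight quotes around the `Recent Match` link are unusual for this document; both are worth fixing while this paragraph is being edited.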
@ -88,7 +88,9 @@
<listitem> <listitem>
<para>Create /etc/shorewall/SSHKnock with the following <para>Create /etc/shorewall/SSHKnock with the following
contents:</para> contents.</para>
<para>If using Shorewall-shell:</para>
<programlisting>if [ -n "$LEVEL" ]; then <programlisting>if [ -n "$LEVEL" ]; then
log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --name SSH log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --name SSH
@ -98,6 +100,35 @@ run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck --seconds 60 --nam
run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP
run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP</programlisting> run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP</programlisting>
<para>If using Shorewall-perl:<programlisting>use Shorewall::Chains;
if ( $level ) {
log_rule_limit( $level,
$chainref,
'SSHKnock',
'ACCEPT',
'',
$tag,
'add',
'-p tcp --dport 22 -m recent --rcheck --name SSH );
log_rule_limit( $level,
$chainref,
'SSHKnock'
'DROP'
'',
$tag,
'add',
'-p tcp --dport ! 22' );
}
add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT' );
add_rule( $chainref, '-p tcp --dport 1599 -m recent --name SSH --remove -j DROP' );
add_rule( $chainref, '-p tcp --dport 1600 -m recent --name SSH --set -j DROP' );
add_rule( $chainref, '-p tcp --dport 1601 -m recent --name SSH --remove -j DROP' );
1;</programlisting></para>
</listitem> </listitem>
<listitem> <listitem>
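Review bot: the new Shorewall-perl SSHKnock listing will not compile as shown: the first `log_rule_limit` call's last argument `'-p tcp --dport 22 -m recent --rcheck --name SSH );` is missing the closing single quote before `)`, and the second call is missing the commas after `'SSHKnock'` and `'DROP'`. Since readers copy this listing straight into `/etc/shorewall/SSHKnock`, please run the example through `perl -c` before committing.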
@ -240,14 +271,45 @@ else
run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
fi fi
run_iptables -A $CHAIN -j ACCEPT run_iptables -A $CHAIN -j ACCEPT</programlisting>
</programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>In Shorewall 3.3, Limit is made into a built-in action; basically <para>In Shorewall 3.3, Limit is made into a built-in action; basically
that means that the above code now lives inside of Shorewall rather than that means that the above code now lives inside of Shorewall rather than
in a separate file.</para> in a separate file.</para>
<para>For completeness, here's the above
<filename>/usr/share/shorewall/Limit</filename> for use with
Shorewall-perl:</para>
<programlisting>my @tag = split /,/, $tag;
fatal_error 'Limit rules must include &lt;set name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
unless @tag == 3;
my $set = $tag[0];
for ( @tag[1,2] ) {
fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
}
my $count = $tag[1] + 1;
add_rule $chainref, "-m recent --name $set --set";
if ( $level ) {
my $xchainref = new_chain 'filter' , "$chainref-&gt;{name}%";
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
add_rule $xchainref, '-j DROP';
add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref-&gt;{name}";
} else {
add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
}
add_rule $chainref, '-j ACCEPT';
1; </programlisting>
</section> </section>
</section> </section>
</article> </article>
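Review bot: unlike the DropBcasts and SSHKnock listings in this commit, the Shorewall-perl Limit listing does not begin with `use Shorewall::Chains;`, yet it calls `add_rule`, `new_chain`, `log_rule_limit` and `fatal_error`; either add the `use` line or state that a built-in action runs inside the compiler's own namespace and needs no import. Two smaller points: the prose `here's the above /usr/share/shorewall/Limit for use with Shorewall-perl` is confusing because `above` refers to the shell version, so say `the Shorewall-perl equivalent of ...` and confirm the path, given that the Shorewall-perl files elsewhere in this commit live under `/usr/share/shorewall-perl/`; and the closing `1; </programlisting>` carries a stray space that will show in the rendered output.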

View File

@ -614,10 +614,25 @@ Shorewall has detected the following iptables/netfilter capabilities:
</section> </section>
<section id="Ports"> <section id="Ports">
<title>Port Numbers/Service Names</title> <title>Protocol Number/Names and Port Numbers/Service Names</title>
<para>Unless otherwise specified, when giving a port number you can use <para>Unless otherwise specified, when giving a protocol number you can
either an integer or a service name from /etc/services.</para> use either an integer or a protocol name from
<filename>/etc/protocols</filename>. Similarly, when giving a port number
you can use either an integer or a service name from
<filename>/etc/services</filename>.<note>
<para>Shorewall-perl translates protocol names to protocol numbers and
service names to port numbers itself. The mapping that it uses is
contained in the Perl module
<filename>/usr/share/shorewall-perl/Shorewall/Ports.pm</filename>.
That module is built when Shorewall is installed or upgraded using the
current <filename>/etc/protocols</filename> and
<filename>/etc/services</filename> files as input (if the build
program fails, a fallback version of the module is installed).</para>
<para>To generate a new Ports.pm module:<programlisting>cp /usr/share/shorewall-perl/Shorewall/Ports.pm /usr/share/shorewall-perl/Shorewall/Ports.pm.backup
/usr/share/shorewall/buildports.pm &gt; /usr/share/shorewall-perl/Shorewall/Ports.pm</programlisting></para>
</note></para>
</section> </section>
<section id="Ranges"> <section id="Ranges">
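Review bot: the regeneration recipe `/usr/share/shorewall/buildports.pm &gt; /usr/share/shorewall-perl/Shorewall/Ports.pm` truncates the live module before the build program runs, so a failure (the text itself says the build program can fail) leaves an empty `Ports.pm` that must be restored from the `.backup` copy by hand; recommend redirecting to a temporary file and moving it into place only on success, or at least stating that the backup must be copied back if the command fails. Also confirm that the build program's path (`/usr/share/shorewall/`) is intended to differ from the module's (`/usr/share/shorewall-perl/`). Minor: the new title `Protocol Number/Names` should be `Protocol Numbers/Names` to match `Port Numbers/Service Names`.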
@ -661,6 +676,17 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
15.</para> 15.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<note>
<para>Shorewall-perl requires <emphasis role="bold">multiport</emphasis>
match in order to accept port lists in Shorewall configuration files. It
further requires Extended <emphasis role="bold">multiport</emphasis>
match in order to accept port ranges in port lists. Shorewall-perl will
never break a list longer than 15 ports (with each range counting as two
ports) into smaller lists. So you must be sure that your port lists can
be handled directly by the Netfilter/iptables capabilities
available.</para>
</note>
</section> </section>
<section id="Variables"> <section id="Variables">
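Review bot: the note says Shorewall-perl `will never break a list longer than 15 ports ... into smaller lists` but not what it does instead; state whether the compiler rejects such a list at compile time or passes it through to iptables, since the preceding context (ending `15.`) has just discussed the 15-port limit and the reader needs to know whether an oversized list is caught early. `Extended multiport` should either be marked up like the other capability names or lower-cased, and the closing `So you must be sure that your port lists can be handled directly ...` could read `so port lists must stay within the limits of the multiport match available on your system`.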