diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall
index 85444ab71..d684f0d4b 100755
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@@ -4496,7 +4496,7 @@ setup_blacklist() {
createchain blacklst no
- [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
+ [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
for host in $hosts; do
interface=${host%%:*}
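Review bot: adding INVALID to the blacklist match (`state="-m state --state NEW,INVALID"`) changes what BLACKLISTNEWONLY means: packets that connection tracking cannot associate with any connection are now checked against the blacklist as well as connection requests, so hosts on the blacklist can no longer slip such packets past it. That is a reasonable tightening, but the shorewall.conf comment for BLACKLISTNEWONLY and the blacklisting documentation should say so, and the 2.0.3-RC2 release notes should list it as a behaviour change. Note also that the identical assignment exists in initialize_netfilter, so both copies have to be changed together.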
@@ -4851,7 +4851,7 @@ initialize_netfilter () {
fi
fi
- [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
+ [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
echo "Creating Interface Chains..."
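Review bot: this is the second identical `state` assignment (the first is in setup_blacklist). Computing the blacklist state match once, in a single variable set during initialization or a small helper, would remove the duplication; having to patch two places in lockstep for a one-token change is exactly how the copies drift apart later.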
diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version
index 372444575..660491f08 100644
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@@ -1 +1 @@
-2.0.3-RC1
+2.0.3-RC2
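Review bot: the bump to 2.0.3-RC2 in this commit carries a firewall-script behaviour change (blacklist matching now includes INVALID when BLACKLISTNEWONLY is set); the changelog or release notes for RC2 should mention it so that users who rely on the previous NEW-only semantics are not surprised.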
diff --git a/Shorewall-docs/Documentation.xml b/Shorewall-docs/Documentation.xml
index 4f8e2a240..befa85839 100644
--- a/Shorewall-docs/Documentation.xml
+++ b/Shorewall-docs/Documentation.xml
@@ -1232,13 +1232,40 @@ DNAT net loc:192.168.1.3 tcp ssh
The /etc/shorewall/rules file defines
exceptions to the policies established in the /etc/shorewall/policy
- file. There is one entry in /etc/shorewall/rules for each of these rules.
+ file. There is one entry in /etc/shorewall/rules for each of these rules.
+ Entries in this file only govern the establishment of new connections —
+ packets that are part of an existing connection or that establish a
+ connection that is related to an existing connection are automatically
+ accepted.
Shorewall automatically enables firewall->firewall traffic over
the loopback interface (lo) -- that traffic cannot be regulated using
rules and any rule that tries to regulate such traffic will generate a
warning and will be ignored.
+ Rules for each pair of zones (source zone, destination zone) are
+ evaluated in the order that they appear in the file — the first match
+ determines the disposition of the connection request with a couple of
+ caveats:
+
+
+
+ LOG rules cause the connection request to be logged then
+ processing continues with the next rule in the file.
+
+
+
+ QUEUE rules cause the connection request to be passed to
+ user-space -- the user-space application can later insert them back
+ into the stream for further processing by following rules.
+
+
+
+ CONTINUE rules may cause the connection request to be
+ reprocessed using a different (source zone, destination zone) pair.
+
+
+
Entries in the file have the following columns:
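Review bot: the new paragraph should say where "packets that are part of an existing connection or that establish a connection that is related to an existing connection are automatically accepted" comes from, namely that connection tracking (the ESTABLISHED and RELATED states) is consulted before the rules chain is entered; readers who compare this text with raw iptables output will look for that. Two wording points: "with a couple of caveats" reads better as "with the following exceptions", and "logged then processing continues" needs a comma ("logged, then processing continues with the next rule").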
@@ -3115,7 +3142,8 @@ eth1 -
Revision History
- 1.122004-01-21TEAdd
+ 1.132004-02-13TEAdd
+ information about the order of rules evalution.1.122004-01-21TEAdd
masquerade destination list.1.122004-01-18TECorrect
typo.1.112004-01-05TEStandards
Compliance1.102004-01-05TEImproved
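Review bot: typo in the new revision entry: "evalution" should be "evaluation". While editing this list, note that the context lines show two entries numbered 1.12 (2004-01-21 and 2004-01-18), so the older of the two was presumably meant to be 1.11 and the numbering below it is off by one.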
diff --git a/Shorewall-docs/FAQ.xml b/Shorewall-docs/FAQ.xml
index c38eff1f5..0373ee9b3 100644
--- a/Shorewall-docs/FAQ.xml
+++ b/Shorewall-docs/FAQ.xml
@@ -17,7 +17,7 @@
- 2004-01-25
+ 2004-03-04
2001-2004
@@ -529,6 +529,28 @@ eth2 192.168.2.0/24
See the Shorewall and FTP page.
+
+
+ (FAQ 33) From clients behind the firewall, connections to some
+ sites fail. Connections to the same sites from the firewall itself work
+ fine. What's wrong.
+
+ Answer: Most likely, you need to
+ set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.
+
+
+
+ (FAQ 35) I have two Ethernet interfaces to my local network which
+ I have bridged. When Shorewall is started, I'm unable to pass
+ traffic through the bridge. I have defined the bridge interface (br0) as
+ the local interface in /etc/shorewall/interfaces; the bridged Ethernet
+ interfaces are not defined to Shorewall. How do I tell Shorewall to
+ allow traffic through the bridge?
+
+ Answer: Add the routeback option to
+ br0 in /etc/shorewall/interfaces.
+
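Review bot: FAQ 33 ends with "What's wrong." and should be a question ("What's wrong?"). The answer would be more useful if it gave the reason CLAMPMSS helps: connections that hang from behind the firewall while the firewall itself connects fine is the usual sign of a path-MTU problem on a link whose MTU is below 1500 (PPPoE is the common case), and CLAMPMSS=Yes makes Shorewall clamp the TCP MSS so the oversized segments are never sent; stating that lets a reader confirm the diagnosis instead of trying the setting blind. For FAQ 35, one clause explaining that routeback permits traffic that arrives on br0 to be sent back out through br0 would tell the reader what the option does rather than only which option to set.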
@@ -576,7 +598,7 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p
http://gege.org/iptables
http://home.regit.org/ulogd-php.html
- I personnaly use Logwatch. It emails me a report each day from
+ I personally use Logwatch. It emails me a report each day from
my various systems with each report summarizing the logged activity on
the corresponding system.
@@ -1254,6 +1276,15 @@ Creating input Chains...
after that will be ignored. Check man iptables
and look
at the -I (--insert) command.
+
+
+ (FAQ 34) How can I speed up start (restart)?
+
+ Using a light-weight shell such as ash can
+ dramatically decrease the time required to start
+ or restart Shorewall. See the
+ SHOREWALL_SHELL variable in shorewall.conf.
+
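Review bot: the FAQ 34 answer should show the setting rather than only name it, e.g. `SHOREWALL_SHELL=/bin/ash` in /etc/shorewall/shorewall.conf, and should say that the shell named there has to be installed on the system, since Shorewall will run the firewall script with whatever is configured. Minor: "light-weight" is normally written "lightweight".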
@@ -1542,19 +1573,19 @@ iptables: Invalid argument
(FAQ 28) How do I use Shorewall as a Bridging Firewall?
- Basically, you don't. While there are kernel patches that
- allow you to route bridge traffic through Netfilter, the environment is
- so different from the Layer 3 firewalling environment that very little
- of Shorewall works. In fact, so much of Shorewall doesn't work that
- my official position is that Shorewall doesn't work with
- Layer 2 Bridging
.
+ Experimental Shorewall Bridging Firewall support is available —
+ check here for details.
Revision History
- 1.152004-01-25TEUpdated
+ 1.192004-03-05TEAdded
+ link to Bridge.1.182004-02-27TEAdded
+ FAQ 35.1.172004-02-15TEAdded
+ FAQ 34.1.162004-02-11TEAdded
+ FAQ 33.1.152004-01-25TEUpdated
FAQ 32 to mention masquerading. Remove tables.1.142004-01-24TEAdded
FAQ 27a regarding kernel/iptables incompatibility.1.132004-01-24TEAdd
a note about the detectnets interface
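Review bot: "check here for details" is link text that carries no information once the markup is stripped or the page is printed (as in this diff); name the target, e.g. "see the Shorewall Bridging Firewall documentation". The deleted paragraph also explained why bridging was not supported; a one-line reminder that the support is new and experimental, and the Shorewall version in which it first appears, would help FAQ readers decide whether to try it. The revision history additions (1.16 through 1.19) match the new FAQ entries, which is good.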
diff --git a/Shorewall-docs/IPSEC.xml b/Shorewall-docs/IPSEC.xml
index 09c651130..ee3f49fde 100644
--- a/Shorewall-docs/IPSEC.xml
+++ b/Shorewall-docs/IPSEC.xml
@@ -15,7 +15,7 @@
- 2004-01-22
+ 2004-03-20
2001-2004
@@ -52,24 +52,9 @@
configuring FreeS/Wan.
- Do not use Proxy ARP and FreeS/Wan on the same system unless you
- are prepared to suffer the consequences. If you start or restart
- Shorewall with an IPSEC tunnel active, the proxied IP addresses are
- mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to
- the interface that you specify in the INTERFACE column of
- /etc/shorewall/proxyarp. I haven't had the time to debug this
- problem so I can't say if it is a bug in the Kernel or in FreeS/Wan.
-
- You might be able to work around
- this problem using the following (I haven't tried it):
-
- In /etc/shorewall/init, include:
-
- qt service ipsec stop
-
- In /etc/shorewall/start, include:
-
- qt service ipsec start
+ IPSEC and Proxy ARP don't work well together unless you have
+ Shorewall version 1.4.10 with the approriate Errata
+ fix applied or are running Shorewall 1.4.10e or later.
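Review bot: typo in the new text: "approriate" should be "appropriate". Since the sentence replaces a concrete workaround with a pointer to the errata, it should link directly to the 1.4.10 errata entry for the Proxy ARP/IPSEC fix rather than leave the reader to locate it; "the approriate Errata fix" on its own does not say which one is meant.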
diff --git a/Shorewall-docs/Install.xml b/Shorewall-docs/Install.xml
index fac4317e5..55664b3bd 100644
--- a/Shorewall-docs/Install.xml
+++ b/Shorewall-docs/Install.xml
@@ -15,7 +15,7 @@
- 2003-04-08
+ 2004-03-01
2001
@@ -24,6 +24,8 @@
2003
+ 2004
+
Thomas M. Eastep
@@ -37,21 +39,16 @@
-
- Before upgrading, be sure to review the Upgrade Issues.
-
-
-
- Before attempting installation, I strongly urge you to read and
- print a copy of the Shorewall
- QuickStart Guide for the configuration that most closely matches
- your own.
-
-
Install using RPM
+
+ Before attempting installation, I strongly urge you to read and
+ print a copy of the Shorewall
+ QuickStart Guide for the configuration that most closely matches
+ your own.
+
+
To install Shorewall using the RPM:
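Review bot: the same "Before attempting installation ... QuickStart Guide" paragraph is now pasted into the RPM, tarball and .lrp install sections, and the "Before upgrading, be sure to review the Upgrade Issues" paragraph into the three upgrade sections; in the XML source this is better kept in one place and pulled in with an entity or a cross-reference, so that the six copies cannot diverge and the link targets are maintained once.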
@@ -117,6 +114,13 @@
Install using tarball
+
+ Before attempting installation, I strongly urge you to read and
+ print a copy of the Shorewall
+ QuickStart Guide for the configuration that most closely matches
+ your own.
+
+
To install Shorewall using the tarball and install script:
@@ -186,6 +190,13 @@
Install the .lrp
+
+ Before attempting installation, I strongly urge you to read and
+ print a copy of the Shorewall
+ QuickStart Guide for the configuration that most closely matches
+ your own.
+
+
To install my version of Shorewall on a fresh Bering disk, simply
replace the shorwall.lrp
file on the image with the file
that you downloaded. See the two-interface
@@ -195,6 +206,11 @@
Upgrade using RPM
+
+ Before upgrading, be sure to review the Upgrade Issues.
+
+
If you already have the Shorewall RPM installed and are upgrading to
a new version:
@@ -264,6 +280,11 @@
Upgrade using tarball
+
+ Before upgrading, be sure to review the Upgrade Issues.
+
+
If you already have Shorewall installed and are upgrading to a new
version using the tarball:
@@ -348,6 +369,11 @@
Upgrade the .lrp
+
+ Before upgrading, be sure to review the Upgrade Issues.
+
+
If you already have a running Bering installation and wish to
upgrade to a later version of Shorewall:
diff --git a/Shorewall-docs/Shorewall_Doesnt.xml b/Shorewall-docs/Shorewall_Doesnt.xml
index 0a4e7f15f..66c6ec5f6 100755
--- a/Shorewall-docs/Shorewall_Doesnt.xml
+++ b/Shorewall-docs/Shorewall_Doesnt.xml
@@ -13,11 +13,13 @@
Eastep
- 2003-10-07
+ 2004-03-05
2003
+ 2004
+
Thomas M Eastep
@@ -36,7 +38,9 @@
- Be used to filter traffic through a Layer 2 Bridge
+ Be used to filter traffic through a Layer 2 Bridge (although
+ experimental Shorewall Bridge code is available — check here for details).
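Review bot: same "check here for details" wording as in FAQ 28; name the bridging document in the link text so the sentence stands on its own when the link is not rendered. The item also now says both "doesn't" and "does, experimentally"; it may read more clearly to keep the bullet as it was and add a short note after the list pointing to the experimental bridge support.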
diff --git a/Shorewall-docs/Shorewall_Squid_Usage.xml b/Shorewall-docs/Shorewall_Squid_Usage.xml
index a9d52c482..3c94abebd 100644
--- a/Shorewall-docs/Shorewall_Squid_Usage.xml
+++ b/Shorewall-docs/Shorewall_Squid_Usage.xml
@@ -15,7 +15,7 @@
- 2004-02-04
+ 2004-04-19
2003-2004
@@ -153,7 +153,7 @@ REDIRECT loc 3228 tcp www - !206.124.146.
In /etc/shorewall/init, put:
if [ -z "`ip rule list | grep www.out`" ] ; then
- ip rule add fwmark 202 table www.out
+ ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
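Review bot: the value `CA` only works if the installed `ip` reads the fwmark argument as hexadecimal, which is the quirk this change is working around (the old line's `202` was being taken as 0x202). Writing the mark as `0xCA` is accepted both by an `ip` that assumes hex and by one that auto-detects the base from the 0x prefix, so it is the safer spelling and makes the trailing "Note 0xCA = 202" comment self-evident. The comment is harmless since the line lives in a shell script (/etc/shorewall/init), but the text should state that the mark must equal the decimal value set in tcrules (202).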
@@ -232,7 +232,7 @@ chkconfig --level 35 iptables on
In /etc/shorewall/init, put:
if [ -z "`ip rule list | grep www.out`" ] ; then
- ip rule add fwmark 202 table www.out
+ ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi
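Review bot: second copy of the same fix; the two snippets differ only in the next-hop address, so whichever spelling of the mark is chosen (`0xCA` recommended, see the first snippet) must be applied to both, or the snippet should appear once with the address as the only variation.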
diff --git a/Shorewall-docs/blacklisting_support.xml b/Shorewall-docs/blacklisting_support.xml
index 684ffa45e..adade65a4 100644
--- a/Shorewall-docs/blacklisting_support.xml
+++ b/Shorewall-docs/blacklisting_support.xml
@@ -15,7 +15,7 @@
- 2004-01-17
+ 2004-02-17
2002-2004
@@ -57,7 +57,19 @@
- Only the source address is checked against the blacklists.
+
+ Only the source address is checked against
+ the blacklists. Blacklists only stop blacklisted hosts from
+ connecting to you — they do not stop you or your users from connecting
+ to blacklisted hosts .
+
+
+
+ Neither form of Shorewall blacklisting is
+ appropriate for blacklisting 1,000s of different addresses.
+ The blacklists will take forever to load and will have a very negative
+ effect on firewall performance.
+
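Review bot: stray space before the period in "to blacklisted hosts ." and "1,000s" reads better as "thousands". Since this same commit changes the blacklist match to `--state NEW,INVALID` when BLACKLISTNEWONLY is set, this page should also document that INVALID packets from blacklisted hosts are now caught by the blacklist. The performance warning would be more actionable with a rough order of magnitude ("a few hundred entries" versus "thousands") if the author can stand behind one.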
diff --git a/Shorewall-docs/configuration_file_basics.xml b/Shorewall-docs/configuration_file_basics.xml
index e92cdc52d..a1b482de8 100644
--- a/Shorewall-docs/configuration_file_basics.xml
+++ b/Shorewall-docs/configuration_file_basics.xml
@@ -15,7 +15,7 @@
- 2004-01-05
+ 2004-02-20
2001-2004
@@ -383,7 +383,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100
numbers separated by colons.
- MAC Address of a NIC
+ MAC Address of an Ethernet Controller
[root@gateway root]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde (~
) and consist
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in
- the example above would be written ~02-00-08-E3-FA-55
.
+ the example above would be written ~02-00-08-E3-FA-55.
It is not necessary to use the special Shorewall notation in the
diff --git a/Shorewall-docs/errata.xml b/Shorewall-docs/errata.xml
index b0c4c2d77..cca1afe5e 100644
--- a/Shorewall-docs/errata.xml
+++ b/Shorewall-docs/errata.xml
@@ -13,7 +13,7 @@
- 2004-02-04
+ 2004-04-16
2001-2004
@@ -86,12 +86,55 @@
The maclist interface option
previously wasn't available on Atheros WiFi cards.
+
+
+ In the /etc/shorewall/masq entry eth0:!10.1.1.150
+ 0.0.0.0/0!10.1.0.0/16 10.1.2.16
,
+ the !10.1.0.0/16
is ignored.
+
+
+
+ A startup error occurs if an entry in the tcrules file has an
+ empty USER/GROUP column.
+
+
+
+ Specifying multiple excluded source zones in a REDIRECT or
+ DNAT rule produces a startup error. Example of problem rule:#ACTION SOURCE DEST PROTO DEST PORT(S)
+DNAT z1!z2,z3 z4:192.168.4.5 tcp 22
+
+
+
+ When using an Action in the ACTIONS column of a rule, you may
+ receive a warning message about the rule being a policy. While this
+ warning may be safely ignored, it may be eliminated by installing
+ the updated script linked below.
+
+
+
+ Thanks to Sean Mathews, a long-standing problem with Proxy ARP
+ and IPSEC has been corrected.
+
These problems have been corrected in this
firewall script which may be installed in
/usr/share/shorewall/firewall as described above.
+
+ The first two problem corrections were included in Shorewall
+ update 1.4.10a.
+
+ The first three problem corrections were included in Shorewall
+ update 1.4.10b.
+
+ The first four problem corrections were included in Shorewall
+ update 1.4.10c.
+
+ The first six problem corrections were included in Shorewall
+ update 1.4.10d.
+
+ All problem corrections were included in Shorewall update 1.4.10e.
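Review bot: "Example of problem rule:#ACTION SOURCE DEST PROTO DEST PORT(S)" runs the label straight into the example; put the two-line rule in its own block. The chain of "first two / first three / first four / first six / all problem corrections were included in 1.4.10a..e" sentences is easy to miscount as the list grows; tagging each problem with the update that fixed it ("fixed in 1.4.10c") or a small table would be clearer and would not break the next time an entry is inserted in the middle.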
@@ -503,7 +546,11 @@ Aborted (core dumped)
Revision History4
- 1.52004-02-05TEStartup
+ 1.92004-03-20TEProxy
+ ARP/IPSEC fix.1.82004-03-04TEMultiple
+ excluded zones problem..1.72004-02-15TETCrules
+ file problem..1.62004-02-09TEMasq
+ file exclusion problem.1.52004-02-05TEStartup
Problem1.42004-01-19TEIPV6
address problems. Make RFC1918 file section more prominent.1.32004-01-14TEConfusing
template file in 1.4.91.32004-01-03TEAdded
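Review bot: double periods in the new revision entries: "excluded zones problem.." and "file problem.." should end with a single period. The context lines also show two entries numbered 1.3 (2004-01-14 and 2004-01-03); worth renumbering while this list is being edited.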
diff --git a/Shorewall-docs/images/network.png b/Shorewall-docs/images/network.png
index 714232481..e2c51aaba 100644
Binary files a/Shorewall-docs/images/network.png and b/Shorewall-docs/images/network.png differ
diff --git a/Shorewall-docs/images/network.vdx b/Shorewall-docs/images/network.vdx
index ef91d9375..87c5b1c3d 100755
--- a/Shorewall-docs/images/network.vdx
+++ b/Shorewall-docs/images/network.vdx
@@ -1,5 +1,5 @@
-
+
-3////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///
-wAAAP///wAAAP///2BgYP////////////////////////////////////////////////////////
+//////////////////////////////7+/v0BAQP///////////////////////////5+fn////wAA
+AP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///
+wAAAP///wAAAP///wAAAP///yAgIP////////////////////////////////////////////////
///////////////////////////////////////////////////////////7+/vxAQQAAA/wAA/wA
A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAxwAA/wAAvwAA/wAAvwAA/wAAvwAA
/wAAvwAA/wAAvwAA/wAAvwAA/wAAvwAA/wAAvwAA/wAAvwAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
@@ -3206,8 +3206,8 @@ f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f
/////////////////////////////////////////////////////////////////////////////
/////////////w4AAAAUAAAAAAAAABAAAAAUAAAA
2002-08-11T08:58:32
-2003-12-29T07:34:23
-2003-12-29T07:34:13
+2004-02-13T16:20:19
+2004-02-13T16:11:36
2002-08-11T08:58:32
@@ -40781,7 +40781,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
-
+
85
@@ -40990,10 +40990,10 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
0
-206.124.146.176
-206.124.146.178
-206.124.146.179
-206.124.146.180
+206.124.146.176/24
+206.124.146.178/24
+206.124.146.179/24
+206.124.146.180/24
@@ -41731,8 +41731,8 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
-44
-45
+45.1
+43.1
15
3
7.5
@@ -41791,11 +41791,11 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
0
-192.168.1.254
+192.168.1.254/24
-45
+45.4
47.5
14
3
@@ -41855,7 +41855,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
0
-192.168.3.254
+192.168.3.254/24
@@ -41936,7 +41936,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
0
-192.168.2.254
+206.124.146.176/32
@@ -71384,7 +71384,7 @@ www.xxx.yyy.zzz/
-
+
1
1
0
diff --git a/Shorewall-docs/myfiles.xml b/Shorewall-docs/myfiles.xml
index 75acf2c68..de8df80b0 100644
--- a/Shorewall-docs/myfiles.xml
+++ b/Shorewall-docs/myfiles.xml
@@ -15,7 +15,7 @@
- 2004-01-20
+ 2004-02-13
2001-2004
@@ -51,10 +51,11 @@
I have DSL service and have 5 static IP addresses
- (206.124.146.176-180). My DSL modem
(Fujitsu Speedport) is
- connected to eth0. I have a local network connected to eth2 (subnet
- 192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless
- network connected to eth3 (192.168.3.0/24).
+ (206.124.146.176-180/24). My DSL modem
(Fujitsu Speedport)
+ is connected to eth0. I have a local network connected to eth2 (subnet
+ 192.168.1.0/24), a DMZ connected to eth1 (206.124.146.176/24) and a
+ Wireless network connected to eth3 (192.168.3.0/24). Note that the IP
+ address of eth1 is a duplicate of one on eth0.
I use:
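Review bot: the address notation in the new lines is inconsistent: `(206.124.146.176-180/24)` attaches a prefix length to an address range, and the DMZ is described here as `206.124.146.176/24` while the parallel edit in myfiles2.xml describes the same eth1 address as `206.124.146.176/32` (a single host address, which is also what the `ip route add 206.124.146.177 dev eth1` line in the interfaces hunk below implies). Suggest dropping the `/24` from the range and writing the DMZ address as `206.124.146.176/32` so both documents agree.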
@@ -202,7 +203,7 @@ tx Texas Peer Network in Dallas
#ZONE INERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp
-dmz eth1 192.168.2.255
+dmz eth1 -
WiFi eth3 192.168.3.255 dhcp,maclist
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
@@ -453,33 +454,11 @@ ACCEPT dmz fw tcp
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
###############################################################################################################################################################################
-# DMZ to Internet
-#
-ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
-ACCEPT dmz net udp domain
-ACCEPT dmz net:$POPSERVERS tcp pop3
-#ACCEPT dmz net:206.191.151.2 tcp pop3
-#ACCEPT dmz net:66.216.26.115 tcp pop3
-#
-# Something is wrong with the FTP connection tracking code or there is some client out there
-# that is sending a PORT command which that code doesn't understand. Either way,
-# the following works around the problem.
-#
-ACCEPT:$LOG dmz net tcp 1024: 20
-###############################################################################################################################################################################
-# DMZ to Firewall -- ntp & snmp, Silently reject Auth
-#
-ACCEPT dmz fw udp ntp ntp
-ACCEPT dmz fw tcp snmp,ssh
-ACCEPT dmz fw udp snmp
-REJECT dmz fw tcp auth
-###############################################################################################################################################################################
-#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
-ACCEPT dmz loc tcp 111
-ACCEPT dmz loc udp
+ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
+ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp#
###############################################################################################################################################################################
# Internet to Firewall
#
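Review bot: the line `+ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp#` carries a stray trailing `#` after `udp`; the same rule in the myfiles2.xml hunk has no `#`, and since `#` introduces a comment in the rules file it should be removed here. Separately, the deleted `DMZ to Firewall` block duplicates the `ACCEPT dmz fw udp snmp` / `REJECT dmz fw tcp auth` context just above it, but the deleted `DMZ to Internet` rules (smtp, domain, www, https, whois, ssh, pop3 to `$POPSERVERS`, and the logged `1024:` to `20` FTP workaround) have no counterpart visible in this hunk; confirm they survive elsewhere in the file, or say in the text that DMZ hosts no longer get outbound Internet access.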
@@ -555,10 +534,9 @@ ACCEPT all all icmp
...
auto eth1
iface eth1 inet static
- address 192.168.2.1
- netmask 255.255.255.0
- network 192.168.2.0
- broadcast 192.168.2.255
+ address 206.124.146.176
+ netmask 255.255.255.266
+ broadcast 0.0.0.0
up ip route add 206.124.146.177 dev eth1
...
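Review bot: `netmask 255.255.255.266` in the added lines is not a valid netmask (an octet cannot exceed 255); the corresponding stanza in myfiles2.xml uses `255.255.255.255`, which is what a single-host address on eth1 needs and what matches the `broadcast 0.0.0.0` and the explicit host route on the following line. Fix the typo here.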
diff --git a/Shorewall-docs/myfiles2.xml b/Shorewall-docs/myfiles2.xml
index 3cab2e321..4f33ce943 100644
--- a/Shorewall-docs/myfiles2.xml
+++ b/Shorewall-docs/myfiles2.xml
@@ -15,7 +15,7 @@
- 2004-02-08
+ 2004-02-22
2001-2004
@@ -47,15 +47,16 @@
The configuration shown here corresponds to Shorewall version
- 2.0.0-Beta1. It may use features not available in earlier Shorewall
+ 2.0.0-Beta2. It may use features not available in earlier Shorewall
releases.
I have DSL service and have 5 static IP addresses
(206.124.146.176-180). My DSL modem
(Fujitsu Speedport) is
connected to eth0. I have a local network connected to eth2 (subnet
- 192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless
- network connected to eth3 (192.168.3.0/24).
+ 192.168.1.0/24), a DMZ connected to eth1 (206.124.146.176/32) and a
+ Wireless network connected to eth3 (192.168.3.0/24). Note that the IP
+ address of eth1 is a duplicate of one on eth0.
I use:
@@ -204,7 +205,7 @@ tx Texas Peer Network in Dallas
#ZONE INERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
loc eth2 192.168.1.255 dhcp,detectnets
-dmz eth1 192.168.2.255
+dmz eth1 -
WiFi eth3 192.168.3.255 dhcp,maclist,detectnets
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
@@ -261,6 +262,7 @@ eth3 192.168.3.0/24
#ADDRESS/SUBNET PROTOCOL PORT
0.0.0.0/0 udp 1434
0.0.0.0/0 tcp 1433
+0.0.0.0/0 tcp 3127
0.0.0.0/0 tcp 8081
0.0.0.0/0 tcp 57
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
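Review bot: the new `0.0.0.0/0 tcp 3127` blacklist entry, like the entries around it, has no comment saying what it is meant to catch; since this file is published as a sample configuration, a short comment per port (3127 was the backdoor port opened by the MyDoom worm in early 2004) would tell readers why the port is blocked and when the entry can be retired.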
@@ -292,7 +294,7 @@ all all REJECT $LOG # Reje
Although most of our internal systems use one-to-one NAT, my
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT)
- as does my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
+ as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
visitors with laptops.
#INTERFACE SUBNET ADDRESS
@@ -346,18 +348,7 @@ gre net $TEXAS
#ACTION
-DropSMB #Silently Drops Microsoft SMB Traffic
-RejectSMB #Silently Reject Microsoft SMB Traffic
-DropUPnP #Silently Drop UPnP Probes
-RejectAuth #Silently Reject Auth
-DropPing #Silently Drop Ping
-DropDNSrep #Silently Drop DNS Replies
-AllowPing #Accept Ping
-
Mirrors #Accept traffic from the Shorewall Mirror sites
-
-MyDrop:DROP #My DROP common action
-MyReject:REJECT #My REJECT common action
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
@@ -378,11 +369,11 @@ ACCEPT $MIRRORS
- action.MyDrop
+ /etc/shorewall/action.Drop
This is my common action for the DROP policy. It is like the
- standard Reject action except that it
+ standard Drop action except that it
allows Ping
.
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
@@ -398,12 +389,13 @@ DropDNSrep
- action.MyReject
+ /etc/shorewall/action.Reject
This is my common action for the REJECT policy. It is like the
- standard Drop action except that it
- allows Ping
.
+ standard Reject action except that it
+ allows Ping
and contains one rule that guards against
+ log flooding by broken software running in my local zone.
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
@@ -437,15 +429,12 @@ REJECT:$LOG loc net tcp
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
#
-DROP loc:!192.168.1.0/24 net
-
QUEUE loc net udp
QUEUE loc fw udp
QUEUE loc net tcp
###############################################################################################################################################################################
# Local Network to Firewall
#
-DROP loc:!192.168.1.0/24 fw
ACCEPT loc fw tcp ssh,time,10000,swat,137,139,445
ACCEPT loc fw udp snmp,ntp,445
ACCEPT loc fw udp 137:139
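Review bot: the two `DROP loc:!192.168.1.0/24 ...` rules removed here (and the matching `DROP loc:!192.168.1.0/24 dmz` rule removed in the next hunk) were the anti-spoofing guard for the loc zone; removing them is only safe because the interfaces hunk earlier in this file adds `detectnets` to eth2, which restricts the zone to the networks routed through that interface. A sentence in the document stating that `detectnets` replaces these rules would help, otherwise a reader who copies the rules file without the interfaces change silently loses the check.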
@@ -453,7 +442,6 @@ ACCEPT loc fw udp
###############################################################################################################################################################################
# Local Network to DMZ
#
-DROP loc:!192.168.1.0/24 dmz
REJECT loc dmz tcp 465
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3 -
@@ -509,33 +497,11 @@ ACCEPT dmz fw tcp
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
###############################################################################################################################################################################
-# DMZ to Internet
-#
-ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
-ACCEPT dmz net udp domain
-ACCEPT dmz net:$POPSERVERS tcp pop3
-#ACCEPT dmz net:206.191.151.2 tcp pop3
-#ACCEPT dmz net:66.216.26.115 tcp pop3
-#
-# Something is wrong with the FTP connection tracking code or there is some client out there
-# that is sending a PORT command which that code doesn't understand. Either way,
-# the following works around the problem.
-#
-ACCEPT:$LOG dmz net tcp 1024: 20
-###############################################################################################################################################################################
-# DMZ to Firewall -- ntp & snmp, Silently reject Auth
-#
-ACCEPT dmz fw udp ntp ntp
-ACCEPT dmz fw tcp snmp,ssh
-ACCEPT dmz fw udp snmp
-REJECT dmz fw tcp auth
-###############################################################################################################################################################################
-#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
-ACCEPT dmz loc tcp 111
-ACCEPT dmz loc udp
+ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
+ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
###############################################################################################################################################################################
# Internet to Firewall
#
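Review bot: replacing `ACCEPT dmz loc udp` (every UDP port from any DMZ host to the whole local network) with `ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp` is a clear least-privilege improvement, but the removed `DMZ to Internet` block has no replacement visible in the hunk, while the removed `DMZ to Firewall` block is merely a duplicate of the `ACCEPT dmz fw udp snmp` / `REJECT dmz fw tcp auth` context above it. Confirm the DMZ-to-net rules are defined elsewhere in the file, or the DMZ mail and web servers lose outbound access.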
@@ -598,7 +564,7 @@ ACCEPT all all icmp
-
+
/etc/network/interfaces
@@ -611,10 +577,9 @@ ACCEPT all all icmp
...
auto eth1
iface eth1 inet static
- address 192.168.2.1
- netmask 255.255.255.0
- network 192.168.2.0
- broadcast 192.168.2.255
+ address 206.124.146.176
+ netmask 255.255.255.255
+ broadcast 0.0.0.0
up ip route add 206.124.146.177 dev eth1
...
diff --git a/Shorewall-docs/ports.xml b/Shorewall-docs/ports.xml
index 57644e95d..44ddb0783 100644
--- a/Shorewall-docs/ports.xml
+++ b/Shorewall-docs/ports.xml
@@ -13,7 +13,7 @@
- 2004-02-05
+ 2004-02-18
2001-2002
@@ -118,15 +118,9 @@ ACCEPT <destination> <source>
NFS
- I personally use the following rules for opening access from zone z1
- to a server with IP address a.b.c.d in zone z2. I have found though that
- different distributions behave differently so your milage may vary.
-
- #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
-ACCEPT <z1> <z2>:a.b.c.d tcp 111
-ACCEPT <z1> <z2>:a.b.c.d udp 111
-ACCEPT <z1> <z2>:a.b.c.d udp 2049
-ACCEPT <z1> <z2>:a.b.c.d udp 32700:
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d tcp 111
+ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d udp
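Review bot: the new NFS rules replace the explicit UDP ports (111, 2049, 32700:) with `udp` and no port, i.e. every UDP port from the listed clients to the server; the narrowed source (`<z1>:<list of client IPs>`) is what makes that acceptable, so the text should make clear that the client list is required rather than a placeholder to be widened to the whole zone. Note also that the remaining `tcp 111` rule does not cover NFS over TCP (2049/tcp), which the text should either mention or add a rule for.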
@@ -136,6 +130,14 @@ ACCEPT <z1> <z2><source> <destination> udp 123
+
+ PCAnywhere
+
+ #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
+ACCEPT <source> <destination> udp 5632
+ACCEPT <source> <destination> tcp 5631
+
+
Pop3
@@ -255,7 +257,9 @@ ACCEPT <source> <destination>
Revision History
- 1.52004-02-05TEAdded
+ 1.72004-02-12TEMake
+ NFS work for everyone1.62004-02-12TEAdded
+ PCAnywhere1.52004-02-05TEAdded
information about VNC viewers in listen mode.1.42004-01-26TECorrect
ICQ.1.32004-01-04TEAlphabetize1.22004-01-03TEAdd
rules file entries.1.12002-07-30TEInitial
diff --git a/Shorewall-docs/support.xml b/Shorewall-docs/support.xml
index 401f76ed3..826105898 100755
--- a/Shorewall-docs/support.xml
+++ b/Shorewall-docs/support.xml
@@ -15,7 +15,7 @@
- 2004-01-01
+ 2004-02-19
2001-2004
@@ -121,6 +121,12 @@
questions but we can't do your job for you.
+
+ Please do NOT include the output of iptables -L
+ — the output of shorewall show or
+ shorewall status is much more useful.
+
+
When reporting a problem, ALWAYS
include this information:
@@ -296,7 +302,8 @@
Revision History
- 1.22003-01-01TERemoved
+ 1.32003-02-19TEAdmonish
+ against including "iptables -L" output.1.22003-01-01TERemoved
.GIF and moved note about unsupported releases. Move Revision History to
this Appendix.1.12003-12-19TECorrected
URL for Newbies List
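Review bot: the new revision-history entry is dated `2003-02-19` while the document date in the first hunk of this file changes to `2004-02-19`; the year in the new entry is a typo.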
diff --git a/Shorewall-docs/three-interface.xml b/Shorewall-docs/three-interface.xml
index f2340df52..ff6e9a15d 100644
--- a/Shorewall-docs/three-interface.xml
+++ b/Shorewall-docs/three-interface.xml
@@ -15,7 +15,7 @@
- 2004-12-05
+ 2004-02-12
2002
@@ -530,6 +530,10 @@ fw net ACCEPT
/etc/shorewall/masq
and change it to match your configuration.
+ If, despite all advice to the contrary, you are using this guide and
+ want to use one-to-one NAT or Proxy ARP for your DMZ, remove the entry for
+ eth2 from /etc/shorewall/masq.
+
If your external IP is static, you can enter it in the third column
diff --git a/Shorewall-docs/traffic_shaping.xml b/Shorewall-docs/traffic_shaping.xml
index a914ffc40..0989c0f27 100755
--- a/Shorewall-docs/traffic_shaping.xml
+++ b/Shorewall-docs/traffic_shaping.xml
@@ -15,7 +15,7 @@
- 2004-01-21
+ 2004-02-11
2001-2004
@@ -46,8 +46,7 @@
A new TC_ENABLED parameter in
- /etc/shorewall.conf. Traffic Shaping also requires that you enable
- packet mangling.
+ /etc/shorewall.conf.
@@ -229,12 +228,11 @@
column may only be non-empty if the SOURCE is the firewall itself.
When this column is non-empty, the rule applies only if the program
generating the output is running under the effective user and/or
- group. It may contain :
+ group. It may contain :
- [<user name or number>]:[<group name or number>]
-
+ [<user name or number>]:[<group name or number>]
- The colon is optionnal when specifying only a user.
+ The colon is optionnal when specifying only a user.
Examples : john: / john / :users / john:users
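Review bot: the rewritten `+` line keeps the misspelling `optionnal`; since the line is being touched anyway, change it to `optional`.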
@@ -247,63 +245,11 @@
arriving on eth2 and eth3 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.
-
-
-
-
- MARK
-
- SOURCE
-
- DESTINATION
-
- PROTOCOL
-
-
-
-
-
- 1
-
- eth1
-
- 0.0.0.0/0
-
- all
-
-
-
- 2
-
- eth2
-
- 0.0.0.0/0
-
- all
-
-
-
- 2
-
- eth3
-
- 0.0.0.0/0
-
- all
-
-
-
- 3
-
- fw
-
- 0.0.0.0/0
-
- all
-
-
-
-
+ #MARK SOURCE DESTINATION PROTOCOL USER/GROUP
+1 eth1 0.0.0.0/0 all
+2 eth2 0.0.0.0/0 all
+2 eth3 0.0.0.0/0 all
+3 fw 0.0.0.0/0 all
@@ -312,33 +258,8 @@
All GRE (protocol 47) packets not originating on the firewall and
destined for 155.186.235.151 should be marked with 12.
-
-
-
-
- MARK
-
- SOURCE
-
- DESTINATION
-
- PROTOCOL
-
-
-
-
-
- 12
-
- 0.0.0.0/0
-
- 155.186.235.151
-
- 47
-
-
-
-
+ #MARK SOURCE DESTINATION PROTOCOL USER/GROUP
+12 0.0.0.0/0 155.182.235.151 47
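Review bot: the new example line uses `155.182.235.151` while the unchanged sentence above it says the packets are destined for `155.186.235.151`, and the table row being replaced also reads `155.186.235.151`; the address in the `+` line is a transcription error and should be `155.186.235.151`.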
@@ -347,37 +268,8 @@
All SSH packets originating in 192.168.1.0/24 and destined for
155.186.235.151 should be marked with 22.
-
-
-
-
- MARK
-
- SOURCE
-
- DESTINATION
-
- PROTOCOL
-
- PORT(S)
-
-
-
-
-
- 22
-
- 192.168.1.0/24
-
- 155.186.235.151
-
- tcp
-
- 22
-
-
-
-
+ #MARK SOURCE DESTINATION PROTOCOL USER/GROUP
+22 192.168.1.0/24 155.182.235.151 tcp 22
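Review bot: same address mismatch as in the GRE example: the prose and the removed table row say `155.186.235.151`, but the new `+22 192.168.1.0/24 155.182.235.151 tcp 22` line says `155.182.235.151`; correct the `+` line to match the text.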
diff --git a/Shorewall-docs/troubleshoot.xml b/Shorewall-docs/troubleshoot.xml
index 80a88ddc4..fd0a58914 100644
--- a/Shorewall-docs/troubleshoot.xml
+++ b/Shorewall-docs/troubleshoot.xml
@@ -13,7 +13,7 @@
Eastep
- 2004-01-06
+ 2004-02-02
2001-2004
@@ -119,6 +119,50 @@ iptables: No chain/target/match by that name
+
+ Some Things to Keep in Mind
+
+
+
+ You cannot test your firewall from the
+ inside. Just because you send requests to your firewall
+ external IP address does not mean that the request will be associated
+ with the external interface or the net
zone. Any
+ traffic that you generate from the local network will be associated
+ with your local interface and will be treated as loc->fw traffic.
+
+
+
+ IP addresses are properties of systems,
+ not of interfaces. It is a mistake to believe that your
+ firewall is able to forward packets just because you can ping the IP
+ address of all of the firewall's interfaces from the local
+ network. The only conclusion you can draw from such pinging success is
+ that the link between the local system and the firewall works and that
+ you probably have the local system's default gateway set
+ correctly.
+
+
+
+ Reply packets do NOT automatically follow
+ the reverse path of the one taken by the original request.
+ All packets are routed according to the routing table of the host at
+ each step of the way. This issue commonly comes up when people install
+ a Shorewall firewall parallel to an existing gateway and try to use
+ DNAT through Shorewall without changing the default gateway of the
+ system receiving the forwarded requests. Requests come in through the
+ Shorewall firewall where the destination IP address gets rewritten but
+ replies go out unmodified through the old gateway.
+
+
+
+ Shorewall itself has no notion of inside
+ or outside. These concepts are embodied in how Shorewall is
+ configured.
+
+
+
+
Your Network Environment
@@ -355,7 +399,8 @@ DROP net fw icmp echo-request
Revision History
- 1.62005-01-06TEAdd
+ 1.72005-02-02TEAdd
+ hint about testing from inside the firewall.1.62005-01-06TEAdd
pointer to Site and Mailing List Archives Searches.1.52004-01-01TEAdded
information about eliminating ping-generated log messages.1.42003-12-22TEInitial
Docbook Conversion
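Review bot: the new revision-history entry is dated `2005-02-02` (and the pre-existing 1.6 entry `2005-01-06`) while the document date earlier in this file changes to `2004-02-02`; the year looks off by one and should be corrected while this entry is being added.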
diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml
index 10c51298f..c4076eed2 100644
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@@ -17,7 +17,7 @@
- 2004-06-11
+ 2004-06-18
2001-2004
@@ -58,9 +58,9 @@
class="directory">/etc/shorewall and modify the copies.
Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf
- and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even if you do not modify
- those files.
+ and /usr/share/doc/shorewall/default-config/modules
+ to /etc/shorewall even if you do
+ not modify those files.
@@ -407,16 +407,17 @@ eth2 192.168.2.0/24
following:
- > I know PoM -ng is going to address this issue, but till it
- is ready, and > all the extras are ported to it, is there any way
- to use the h.323 > contrack module kernel patch with a 2.6 kernel?
- > Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade
- is not > an option... The module is not ported yet to 2.6, sorry.
- > Do I have any options besides a gatekeeper app (does not work in
- my > network) or a proxy (would prefer to avoid them)? I suggest
- everyone to setup a proxy (gatekeeper) instead: the module is really
- dumb and does not deserve to exist at all. It was an excellent tool to
- debug/develop the newnat interface.
+ > I know PoM -ng is going to address this issue, but till it is ready, and
+> all the extras are ported to it, is there any way to use the h.323
+> contrack module kernel patch with a 2.6 kernel?
+> Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade is not
+> an option... The module is not ported yet to 2.6, sorry.
+> Do I have any options besides a gatekeeper app (does not work in my
+> network) or a proxy (would prefer to avoid them)?
+
+I suggest everyone to setup a proxy (gatekeeper) instead: the module is
+really dumb and does not deserve to exist at all. It was an excellent tool
+to debug/develop the newnat interface.
Look here
@@ -1734,7 +1735,8 @@ iptables: Invalid argument
Revision History
- 1.262004-05-18TEDelete
+ 1.272004-06-18TECorrect
+ formatting in H323 quote.1.262004-05-18TEDelete
obsolete ping information.1.252004-05-18TEEmpty
/etc/shorewall on Debian.1.252004-05-08TEUpdate
for Shorewall 2.0.21.242004-04-25TEAdd
diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh
index 10eb41c05..68e249476 100755
--- a/Shorewall2/fallback.sh
+++ b/Shorewall2/fallback.sh
@@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
-VERSION=2.0.3-RC1
+VERSION=2.0.3-RC2
usage() # $1 = exit status
{
diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh
index d24c30a5c..deac6f96d 100755
--- a/Shorewall2/install.sh
+++ b/Shorewall2/install.sh
@@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
-VERSION=2.0.3-RC1
+VERSION=2.0.3-RC2
usage() # $1 = exit status
{
diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec
index e9ee14922..f056f6d6f 100644
--- a/Shorewall2/shorewall.spec
+++ b/Shorewall2/shorewall.spec
@@ -1,6 +1,6 @@
%define name shorewall
%define version 2.0.3
-%define release 0RC1
+%define release 0RC2
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -141,6 +141,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
+* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.0.2-0RC2
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC1
* Mon Jun 14 2004 Tom Eastep tom@shorewall.net
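Review bot: the new `%changelog` entry says `Updated to 2.0.2-0RC2`, but `%define version` in this spec is `2.0.3` and the release is being changed to `0RC2`, so the entry should read `2.0.3-0RC2` (the previous RC1 entry carries the same 2.0.2 mistake and could be fixed in the same commit).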
diff --git a/Shorewall2/uninstall.sh b/Shorewall2/uninstall.sh
index fbfb8de5e..1bb31dd23 100755
--- a/Shorewall2/uninstall.sh
+++ b/Shorewall2/uninstall.sh
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.0.3-RC1
+VERSION=2.0.3-RC2
usage() # $1 = exit status
{