Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code

This commit is contained in:
Tom Eastep 2016-02-15 10:51:31 -08:00
commit ddd4eb16b5
4 changed files with 174 additions and 134 deletions

View File

@ -74,16 +74,14 @@
have a web server in your DMZ connected to eth1, then to count HTTP
traffic in both directions requires two rules:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80</programlisting>
<para>Associating a counter with a chain allows for nice reporting. For
example:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80
web:COUNT - eth0 eth1 tcp 443
@ -110,8 +108,7 @@
<para>Here is a slightly different example:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80
web - eth0 eth1 tcp 443
@ -152,8 +149,7 @@
you have to reverse the rules below.</para>
</caution>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
web - eth0 - tcp 80
web - - eth0 tcp - 80
web - eth0 - tcp 443
@ -309,7 +305,7 @@
<para>Section headers have the form:</para>
<para><option>SECTION</option>
<para><option>?SECTION</option>
<replaceable>section-name</replaceable></para>
<para>When sections are enabled:</para>
@ -414,17 +410,17 @@
lives on the firewall itself.</para>
</caution>
<programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
# PORT(S) PORT(S) GROUP
SECTION INPUT
<programlisting>
#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
?SECTION INPUT
ACCOUNT(fw-net,$FW_NET) - COM_IF
ACCOUNT(dmz-net,$DMZ_NET) - COM_IF
SECTION OUTPUT
?SECTION OUTPUT
ACCOUNT(fw-net,$FW_NET) - - COM_IF
ACCOUNT(dmz-net,$DMZ_NET) - - COM_IF
SECTION FORWARD
?SECTION FORWARD
ACCOUNT(loc-net,$INT_NET) - COM_IF INT_IF
ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
</programlisting>
@ -504,7 +500,7 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
is eth1 with network 172.20.1.0/24. To account for all traffic between the
WAN and LAN interfaces:</para>
<programlisting>#ACTION CHAIN SOURCE DEST ...
<programlisting>#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0</programlisting>

View File

@ -139,9 +139,8 @@
<para>Example:</para>
<programlisting>#SOURCE DEST POLICY LOG
# LEVEL
net fw DROP:audit</programlisting>
<programlisting>#SOURCE DEST POLICY
net $FW DROP:audit</programlisting>
<para>It is allowed to also specify a log level on audited policies
resulting in both auditing and logging.</para>
@ -330,11 +329,11 @@ A_ACCEPT:info loc net ...</programlisting>
<para> The parameters can be passed in the POLICY column of the policy
file. </para>
<programlisting>SOURCE DEST POLICY
<programlisting>#SOURCE DEST POLICY
net all DROP:Drop(audit):audit #Same as DROP:A_DROP:audit
</programlisting>
<programlisting>SOURCE DEST POLICY
<programlisting>#SOURCE DEST POLICY
net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth
</programlisting>

View File

@ -207,28 +207,26 @@
port-forwarding rule <emphasis>from the net</emphasis> to a local system
is as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis></programlisting>
<para>So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.5 udp 7777</programlisting>
<para>If you want to forward requests directed to a particular address (
<emphasis>external-IP</emphasis> ) on your firewall to an internal
system:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:<emphasis>local-IP-address</emphasis>&gt;[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis> - <emphasis>external-IP</emphasis></programlisting>
<para>If you want to forward requests from a particular Internet address
( <emphasis>address</emphasis> ):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>] <emphasis> protocol</emphasis> <emphasis>port-number</emphasis> -</programlisting>
<para>Finally, if you need to forward a range of ports, in the DEST PORT
@ -386,7 +384,7 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
<para><emphasis role="bold">Answer:</emphasis>In
/<filename>etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
</section>
@ -448,8 +446,7 @@ DNAT net fw:192.168.1.1:22 tcp 4104</programlisting>
</listitem>
<listitem>
<para>You have this rule on the Shorewall system:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<para>You have this rule on the Shorewall system:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:192.168.1.4 tcp 21 - 206.124.146.176</programlisting></para>
</listitem>
@ -514,14 +511,22 @@ eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21</
that your Internet zone is named <emphasis>net</emphasis> and connects
on interface <filename class="devicefile">eth0</filename>:</para>
<para>In <filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<para>In <filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
DNAT net net:66.249.93.111:993 tcp 80 - 206.124.146.176</programlisting></para>
<para>In <filename>/etc/shorewall/interfaces</filename>, specify the
<emphasis role="bold">routeback</emphasis> option on
eth0:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect <emphasis role="bold">routeback</emphasis></programlisting></para>
eth0:<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
net eth0 <emphasis role="bold">routeback</emphasis></programlisting></para>
<para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlisting></para>
@ -542,8 +547,7 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlistin
<para><emphasis role="bold">Answer</emphasis>: Use this rule.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
REDIRECT net 22 tcp 9022</programlisting>
<para>Note that the above rule will also allow connections from the
@ -617,8 +621,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
<para>Example:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net net:192.168.4.22 tcp 80,443 - <emphasis
role="bold">206.124.146.178</emphasis></programlisting>
</section>
@ -704,14 +707,15 @@ DNAT net net:192.168.4.22 tcp 80,443 - <
<listitem>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting>
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
loc eth1 <emphasis role="bold">routeback</emphasis></programlisting>
</listitem>
<listitem>
<para>In <filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S)
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
<emphasis role="bold">eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp www</emphasis></programlisting>
<para>Note: The technique described here is known as
@ -721,15 +725,22 @@ loc eth1 detect <emphasis role="bold">routeback</emphasis>
<emphasis>external IP address</emphasis> be used as the
source:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S)
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</emphasis> tcp www</programlisting>
</listitem>
<listitem>
<para>In <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
<emphasis role="bold">DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69</emphasis></programlisting>
<para>That rule (and the second one in the previous bullet) only
@ -741,8 +752,15 @@ eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</em
<para>and make your DNAT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
DNAT loc loc:192.168.1.5 tcp www - <emphasis
role="bold">$ETH0_IP</emphasis></programlisting>
@ -825,13 +843,13 @@ DNAT loc loc:192.168.1.5 tcp www - <emph
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis> </programlisting>
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
dmz eth2 <emphasis role="bold">routeback</emphasis> </programlisting>
<para>In <filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE: SOURCE ADDRESS
#ADDRESS
<programlisting>#INTERFACE SOURCE
eth2:192.168.1.2 192.168.2.0/24</programlisting>
<para>In <filename>/etc/shorewall/nat</filename>, be sure that you
@ -862,8 +880,15 @@ eth2:192.168.1.2 192.168.2.0/24</programlisting>
<para>You can enable access to the server from your local network
using the firewall's external IP address by adding this rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT DEST
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
<emphasis role="bold">DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</emphasis></programlisting>
<para>If your external IP address is dynamic, then you must do the
@ -875,8 +900,15 @@ eth2:192.168.1.2 192.168.2.0/24</programlisting>
<para>and make your DNAT rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
DNAT loc dmz:192.168.2.4 tcp 80 - <emphasis
role="bold">$ETH0_IP</emphasis></programlisting>
@ -1433,16 +1465,23 @@ net-fw DROP eth2 5 packets from 61.158.162.9 to 206.124.146.177</programlisting
<para><emphasis role="bold">Answer:</emphasis> Temporarily add the
following rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DROP net fw udp 10619</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
<para>Alternatively, if you do not set BLACKLIST_LOGLEVEL and you have
specifed the 'blacklist' option on your external interface in
<filename>/etc/shorewall/interfaces</filename>, then you can blacklist
the port. In <filename>/etc/shorewall/blacklist</filename>:</para>
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
- udp 10619</programlisting>
DROP net $FW udp 10619</programlisting>
<para>Alternatively, if you do not set BLACKLIST_LOGLEVEL you can blacklist
the port. In <filename>/etc/shorewall/blrules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DROP net $FW udp 10619</programlisting>
</section>
<section id="faq6d">
@ -2361,12 +2400,11 @@ gateway:~# </programlisting>
<para><emphasis role="bold">Answer:</emphasis> Suppose that you want all
traffic to go out through ISP1 (mark 1) unless you specify otherwise.
Then simply add these two rules as the first marking rules in your
<filename>/etc/shorewall/mangle</filename>
(<filename>/etc/shorewall/tcrules</filename>) file:</para>
<filename>/etc/shorewall/mangle</filename> (was tcrules) file:</para>
<programlisting>#ACTION SOURCE DEST
1:P 0.0.0.0/0
1 $FW
MARK(1):P 0.0.0.0/0
MARK(1) $FW
<emphasis>other MARK rules</emphasis></programlisting>
<para>Now any traffic that isn't marked by one of your other MARK rules
@ -2449,7 +2487,7 @@ root@gateway:~#</programlisting>
at 10-12kb and adjust as necessary. Example (simple traffic
shaping):</para>
<programlisting>#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
<programlisting>#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:<emphasis
role="bold">10kb</emphasis>
</programlisting>
@ -2495,8 +2533,7 @@ root@gateway:/etc/shorewall#
<para>Example from /etc/shorewall/tcdevices:</para>
<programlisting>#NUMBER: IN-BANDWIDTH OUT-BANDWIDTH OPTIONS
#INTERFACE
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS
1:COMB_IF <emphasis role="bold">~20mbit:250ms:4sec</emphasis> ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0</programlisting>
<para>To create a rate-estimated filter, precede the bandwidth with a
@ -2674,7 +2711,15 @@ VS3=fw:192.168.2.14</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
ACCEPT $VS1 net tcp 25
DNAT net $VS1 tcp 25
etc...</programlisting>
@ -2925,7 +2970,7 @@ else
<section id="faq26">
<title>(FAQ 26) When I try to use any of the SYN options in nmap on or
behind the firewall, I get <quote>operation not permitted</quote>. How
can I use nmap with Shorewall?"</title>
can I use nmap with Shorewall?</title>
<para><emphasis role="bold">Answer:</emphasis> Temporarily remove any
<emphasis role="bold">rejNotSyn</emphasis>, <emphasis
@ -2993,8 +3038,8 @@ REJECT fw net:pagead2.googlesyndication.com all</programlisting
was equivalent to:</para>
<para><programlisting>#ACTION SOURCE DEST PROTO
REJECT fw net:216.239.37.99 all
REJECT fw net:216.239.39.99 all</programlisting>Given that
REJECT $FW net:216.239.37.99 all
REJECT $FW net:216.239.39.99 all</programlisting>Given that
name-based multiple hosting is a common practice (another example:
lists.shorewall.net and www1.shorewall.net are both hosted on the same
system with a single IP address), it is not possible to filter
@ -3079,10 +3124,9 @@ gateway:~# </programlisting>
<para><emphasis role="bold">Answer:</emphasis> Add these two
policies:</para>
<programlisting>#SOURCE DESTINATION POLICY LOG LIMIT:BURST
# LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
$FW loc ACCEPT
loc $FW ACCEPT </programlisting>
loc $FW ACCEPT</programlisting>
<para>You should also delete any ACCEPT rules from $FW-&gt;loc and
loc-&gt;$FW since those rules are redundant with the above
@ -3161,7 +3205,7 @@ EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
<programlisting>#INTERFACE SOURCE ADDRESS
COMMENT DSL Modemhttp://ipv6.shorewall.net/SimpleBridge.html
COMMENT DSL Modem
EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
</programlisting>
@ -3193,6 +3237,7 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
role="bold">fw</emphasis>:</para>
<programlisting>#ZONE TYPE OPTIONS
<emphasis role="bold">fw</emphasis> firewall</programlisting>
<para>So, using the default or sample configurations, writing <emphasis
@ -3203,6 +3248,7 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
<emphasis role="bold">gate</emphasis>.</para>
<programlisting>#ZONE TYPE OPTIONS
<emphasis role="bold">gate</emphasis> firewall</programlisting>
<section id="faq95a">

View File

@ -92,7 +92,7 @@
<orderedlist>
<listitem>
<para>Beginning with Shorewall 4.6.0, ection headers are now preceded
<para>Beginning with Shorewall 4.6.0, section headers are now preceded
by '?' (e.g., '?SECTION ...'). If your configuration contains any bare
'SECTION' entries, the following warning is issued:</para>
@ -1139,8 +1139,7 @@ shorewall restart</command></programlisting> The RPMs are set up so that if
<para>Example:</para>
<programlisting>#SOURCE DEST POLICY LOG
# LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL
loc net ACCEPT
net all DROP:MyDrop info
#