From dfe1ffbd37f9c63a2af7c30a1c320dc20f604b02 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 6 Jan 2004 19:05:54 +0000 Subject: [PATCH] More standards work git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1061 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/6to4.xml | 109 +- Shorewall-docs/Accounting.xml | 10 +- Shorewall-docs/Documentation.xml | 2013 +++--------------- Shorewall-docs/blacklisting_support.xml | 24 +- Shorewall-docs/configuration_file_basics.xml | 140 +- Shorewall-docs/dhcp.xml | 11 +- Shorewall-docs/troubleshoot.xml | 15 +- 7 files changed, 396 insertions(+), 1926 deletions(-) diff --git a/Shorewall-docs/6to4.xml b/Shorewall-docs/6to4.xml index d6d2794b7..723f5c104 100644 --- a/Shorewall-docs/6to4.xml +++ b/Shorewall-docs/6to4.xml @@ -21,10 +21,10 @@ - 2003-05-18 + 2004-01-05 - 2003 + 2003-2004 Eric de Thoars and Tom Eastep 
@@ -62,94 +62,47 @@ We want systems in the 2002:100:333::/64 subnetwork to be able to communicate with the systems in the 2002:488:999::/64 network. This is - accomplished through use of the /etc/shorewall/tunnels file and the - ip utility for network interface and routing configuration. + accomplished through use of the /etc/shorewall/tunnels + file and the ip utility for network interface and routing + configuration. - Unlike GRE and IPIP tunneling, the /etc/shorewall/policy, - /etc/shorewall/interfaces and /etc/shorewall/zones files are not used. - There is no need to declare a zone to represent the remote IPv6 network. - This remote network is not visible on IPv4 interfaces and to iptables. All - that is visible on the IPv4 level is an IPv4 stream which contains IPv6 - traffic. Separate IPv6 interfaces and ip6tables rules need to be defined - to handle this traffic. + Unlike GRE and IPIP tunneling, the /etc/shorewall/policy, + /etc/shorewall/interfaces and /etc/shorewall/zones + files are not used. There is no need to declare a zone to represent the + remote IPv6 network. This remote network is not visible on IPv4 interfaces + and to iptables. All that is visible on the IPv4 level is an IPv4 stream + which contains IPv6 traffic. Separate IPv6 interfaces and ip6tables rules + need to be defined to handle this traffic. - In /etc/shorewall/tunnels on system A, we need the following: + In /etc/shorewall/tunnels on system A, we need + the following: - - - - - TYPE + #TYPE ZONE GATEWAY GATEWAY ZONE +6to4 net 134.28.54.2 - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - 6to4 - - net - - 134.28.54.2 - - - - - - - - This entry in /etc/shorewall/tunnels, opens the firewall so that the - IPv6 encapsulation protocol (41) will be accepted to/from the remote - gateway. + This entry in /etc/shorewall/tunnels, opens the + firewall so that the IPv6 encapsulation protocol (41) will be accepted + to/from the remote gateway. 
Use the following commands to setup system A: - >ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2 ->ip link set dev tun6to4 up ->ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4 ->ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2 + >ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2 +>ip link set dev tun6to4 up +>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4 +>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2 - Similarly, in /etc/shorewall/tunnels on system B we have: + Similarly, in /etc/shorewall/tunnels on system + B we have: - - - - - TYPE - - ZONE - - GATEWAY - - GATEWAY ZONE - - - - - - 6to4 - - net - - 206.191.148.9 - - - - - - + #TYPE ZONE GATEWAY GATEWAY ZONE +6to4 net 206.191.148.9 And use the following commands to setup system B: - >ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9 ->ip link set dev tun6to4 up ->ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4 ->ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1 + >ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9 +>ip link set dev tun6to4 up +>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4 +>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1 On both systems, restart Shorewall and issue the configuration commands as listed above. The systems in both IPv6 subnetworks can now diff --git a/Shorewall-docs/Accounting.xml b/Shorewall-docs/Accounting.xml index cfc7ea3c1..c923f77ac 100755 --- a/Shorewall-docs/Accounting.xml +++ b/Shorewall-docs/Accounting.xml @@ -15,10 +15,10 @@ - 2003-12-06 + 2004-01-05 - 2003 + 2003-2004 Thomas M. Eastep @@ -98,13 +98,13 @@ PROTOCOL - A protocol name (from - /etc/protocols) or a protocol number. + /etc/protocols) or a protocol number. DEST PORT - Destination Port - number. Service name from /etc/services or port number. May only be - specified if the protocol is TCP or UDP (6 or 17). + number. Service name from /etc/services or port + number. May only be specified if the protocol is TCP or UDP (6 or 17). 
diff --git a/Shorewall-docs/Documentation.xml b/Shorewall-docs/Documentation.xml index 85b124a4d..9b20110f6 100644 --- a/Shorewall-docs/Documentation.xml +++ b/Shorewall-docs/Documentation.xml @@ -319,8 +319,9 @@
/etc/shorewall/params - You may use the file /etc/shorewall/params file to set shell - variables that you can then use in some of the other configuration files. + You may use the file /etc/shorewall/params file + to set shell variables that you can then use in some of the other + configuration files. It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the Shorewall @@ -330,7 +331,7 @@ shell variables NET_IF=eth0 NET_BCAST=130.252.100.255 - NET_OPTIONS=blacklist,norfc1918 +NET_OPTIONS=blacklist,norfc1918 @@ -350,7 +351,8 @@ /etc/shorewall/zones This file is used to define the network zones. There is one entry in - /etc/shorewall/zones for each zone; Columns in an entry are: + /etc/shorewall/zones for each zone; Columns in an + entry are: @@ -388,60 +390,23 @@ - - /etc/shorewall/zones file released with Shorewall + #ZONE DISPLAY COMMENTS +net Net Internet +loc Local Local networks +dmz DMZ Demilitarized zone - - - - ZONE - - DISPLAY - - COMMENTS - - - - - - net - - Net - - Internet - - - - loc - - Local - - Local networks - - - - dmz - - DMZ - - Demilitarized zone - - - -
- - You may add, delete and modify entries in the /etc/shorewall/zones + You may add, delete and modify entries in the /etc/shorewall/zones file as desired so long as you have at least one zone defined. - If you rename or delete a zone, you should perform shorewall - stop; shorewall start to install the change rather than - shorewall restart. + If you rename or delete a zone, you should perform shorewall + stop; shorewall start to install the change rather + than shorewall restart. - The order of entries in the /etc/shorewall/zones file is - significant in some cases. + The order of entries in the /etc/shorewall/zones + file is significant in some cases.
@@ -516,15 +481,15 @@ (Added in version 1.4.7) - This option causes - /proc/sys/net/ipv4/conf/<interface>/arp_filter to be - set with the result that this interface will only answer ARP - who-has requests from hosts that are routed out - of that interface. Setting this option facilitates testing of - your firewall where multiple firewall interfaces are connected - to the same HUB/Switch (all interface connected to the single - HUB/Switch should have this option specified). Note that using - such a configuration in a production environment is strongly - recommended against. + /proc/sys/net/ipv4/conf/<interface>/arp_filter + to be set with the result that this interface will only answer + ARP who-has requests from hosts that are routed + out of that interface. Setting this option facilitates testing + of your firewall where multiple firewall interfaces are + connected to the same HUB/Switch (all interface connected to + the single HUB/Switch should have this option specified). Note + that using such a configuration in a production environment is + strongly recommended against. @@ -598,9 +563,10 @@ source address that is reserved in RFC 1918 or in other RFCs will be dropped after being optionally logged. If packet mangling is enabled in - /etc/shorewall/shorewall.conf , then packets arriving - on this interface that have a destination address that is - reserved by one of these RFCs will also be logged and dropped. + /etc/shorewall/shorewall.conf , + then packets arriving on this interface that have a + destination address that is reserved by one of these RFCs will + also be logged and dropped. Addresses blocked by the standard rfc1918 file include those addresses 
@@ -751,109 +717,24 @@ from the internet against the black list. Your /etc/shorewall/interfaces file would be as follows: - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - net - - eth0 - - detect - - dhcp,norfc1918,blacklist - - - - loc - - eth1 - - detect - - - - - - + #ZONE INTERFACE BROADCAST OPTIONS +net eth0 detect dhcp,norfc1918,blacklist You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces file would be: - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - net - - ppp0 - - - - - - - - + #ZONE INTERFACE BROADCAST OPTIONS +net ppp0 You have local interface eth1 with two IP addresses - 192.168.1.1/24 and 192.168.12.1/24 - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - loc - - eth1 - - 192.168.1.255,192.168.12.255 - - - - - - + #ZONE INTERFACE BROADCAST OPTIONS +loc eth1 192.168.1.255,192.168.12.255 @@ -863,21 +744,23 @@ For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the - purpose of the /etc/shorewall/hosts file. + purpose of the /etc/shorewall/hosts file. - The only times that you need entries in /etc/shorewall/hosts are: + The only times that you need entries in /etc/shorewall/hosts + are: - You have more than one zone connecting through a single - interface; or + You have more than one zone + connecting through a single interface; or - You have a zone that has multiple subnetworks that connect - through a single interface and you want the Shorewall box to route - traffic between those subnetworks. + You have a zone + that has multiple subnetworks that connect through a single + interface and you want the Shorewall box to route traffic + between those subnetworks. 
@@ -914,12 +797,12 @@ The interface name much match an entry in - /etc/shorewall/interfaces. + /etc/shorewall/interfaces. If you are running a version of Shorewall earlier than 1.4.6, only a single host/subnet address may be specified in an - entry in /etc/shorewall/hosts. + entry in /etc/shorewall/hosts.
@@ -970,203 +853,57 @@ Your local interface is eth1 and you have two groups of local hosts that you want to make into separate zones: - 192.168.1.0/25 192.168.1.128/ + 192.168.1.0/25 192.168.1.128/25 Your /etc/shorewall/interfaces file might look like: - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - net - - eth0 - - detect - - dhcp,norfc1918 - - - - - - - eth1 - - 192.168.1.127,192.168.1.255 - - - - - - + #ZONE INTERFACE BROADCAST OPTIONS +net eth0 detect dhcp,norfc1918 +- eth1 192.168.1.127,192.168.1.255 The - in the ZONE column for eth1 tells Shorewall that eth1 interfaces to multiple zones. - - - - - ZONE - - HOST(S) - - OPTIONS - - - - - - loc1 - - eth1:192.168.1.0/25 - - - - - - loc2 - - eth1:192.168.1.128/25 - - - - - - + #ZONE HOST(S) OPTIONS +loc1 eth1:192.168.1.0/25 +loc2 eth1:192.168.1.128/25 You have local interface eth1 with two IP addresses - 192.168.1.1/24 and 192.168.12.1/24 - 192.168.1.0/25 192.168.1.128/25 - Your /etc/shorewall/interfaces file might look like: - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - net - - eth0 - - detect - - dhcp,norfc1918 - - - - loc - - eth1 - - 192.168.1.127,192.168.1.255 - - - - - - + #ZONE INTERFACE BROADCAST OPTIONS +net eth0 detect dhcp,norfc1918 +- eth1 192.168.1.255,192.168.12.255 Your /etc/shorewall/hosts file might look like: - - - - - ZONE - - HOST(S) - - OPTIONS - - - - - - loc - - eth1:192.168.1.0/25 - - - - - - loc - - eth1:192.168.1.128/25 - - - - - - + #ZONE HOST(S) OPTIONS +loc eth1:192.168.1.0/24 +loc eth1:192.168.12.0/24 If you are running Shorewall 1.4.6 or later, your hosts file may look like: - - - - - ZONE - - HOST(S) - - OPTIONS - - - - - - loc - - eth1:192.168.1.0/25,192.168.1.128/25 - - - - - - + #ZONE HOST(S) OPTIONS +loc eth1:192.168.1.0/24,192.168.12.0/24
Nested and Overlapping Zones - The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow - you to define nested or overlapping zones. Such overlapping/nested zones - are allowed and Shorewall processes zones in the order that they appear - in the /etc/shorewall/zones file. So if you have nested zones, you want - the sub-zone to appear before the super-zone and in the case of - overlapping zones, the rules that will apply to hosts that belong to - both zones is determined by which zone appears first in - /etc/shorewall/zones. + The /etc/shorewall/interfaces and + /etc/shorewall/hosts file allow you to define + nested or overlapping zones. Such overlapping/nested zones are allowed + and Shorewall processes zones in the order that they appear in the + /etc/shorewall/zones file. So if you have nested + zones, you want the sub-zone to appear before the super-zone and in the + case of overlapping zones, the rules that will apply to hosts that + belong to both zones is determined by which zone appears first in + /etc/shorewall/zones. Hosts that belong to more than one zone may be managed by the rules of all of those zones. This is done through use of the special 
@@ -1181,13 +918,13 @@ establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests. - Policies defined in /etc/shorewall/policy describe which zones are allowed - to establish connections with other zones. + Policies defined in /etc/shorewall/policy describe + which zones are allowed to establish connections with other zones. - Policies established in /etc/shorewall/policy can be viewed as - default policies. If no rule in /etc/shorewall/rules applies to a - particular connection request then the policy from /etc/shorewall/policy - is applied. + Policies established in /etc/shorewall/policy can + be viewed as default policies. If no rule in /etc/shorewall/rules applies + to a particular connection request then the policy from + /etc/shorewall/policy is applied. Four policies are defined: @@ -1313,63 +1050,13 @@ In the SOURCE and DEST columns, you can enter all to indicate all zones. - - policy file installed by default + The default /etc/shorewall/policy file is as + follows. - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - LIMIT:BURST - - - - - - loc - - net - - ACCEPT - - - - - - - - net - - all - - DROP - - info - - - - - - all - - all - - REJECT - - info - - - - - -
+ #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST +loc net ACCEPT +net all DROP info +all all REJECT info This table may be interpreted as follows: @@ -1390,67 +1077,17 @@ - The firewall script processes the /etc/shorewall/policy file from - top to bottom and uses the first applicable policy - that it finds. For example, in the following policy file, the - policy for (loc, loc) connections would be ACCEPT as specified in the - first entry even though the third entry in the file specifies REJECT. + The firewall script processes the /etc/shorewall/policy + file from top to bottom and uses the first + applicable policy that it finds. For example, in the + following policy file, the policy for (loc, loc) connections would be + ACCEPT as specified in the first entry even though the third entry in + the file specifies REJECT. - - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - LIMIT:BURST - - - - - - loc - - all - - ACCEPT - - - - - - - - net - - all - - DROP - - info - - - - - - loc - - loc - - REJECT - - info - - - - - - + #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST +loc all ACCEPT +net all DROP info +loc loc REJECT info
@@ -1494,189 +1131,40 @@ managed under the rules of all of these zones. Let's look at an example: - - /etc/shorewall/zones + /etc/shorewall/zones: - - - - ZONE + #ZONE DISPLAY COMMENTS +sam Sam Sam's system at home +net Internet The Internet +loc Local Local Network - DISPLAY + /etc/shorewall/interfaces: - COMMENTS - - + #ZONE INTERFACE BROADCAST OPTIONS +- eth0 detect dhcp,norfc1918 +loc eth1 detect - - - sam + /etc/shorewall/hosts: - Sam - - Sam's system at home - - - - net - - Internet - - The Internet - - - - loc - - Loc - - Local Network - - - -
- - - /etc/shorewall/interfaces - - - - - ZONE - - INTERFACE - - BROADCAST - - OPTIONS - - - - - - - - - eth0 - - detect - - dhcp,norfc1918 - - - - loc - - eth1 - - detect - - - - - -
- - - /etc/shorewall/hosts - - - - - ZONE - - HOST(S) - - OPTIONS - - - - - - net - - eth0:0.0.0.0/0 - - - - - - sam - - eth0:206.191.149.197 - - - - - -
+ #ZONE HOST(S) OPTIONS +net eth0:0.0.0.0/0 +sam eth0:206.191.149.197 Sam's home system is a member of both the sam zone and the net zone and as described above , that means that sam must be listed before - net in /etc/shorewall/zones. + net in /etc/shorewall/zones. - - /etc/shorewall/policy + /etc/shorewall/policy: - - - - SOURCE - - DEST - - POLICY - - LOG LEVEL - - - - - - loc - - net - - ACCEPT - - - - - - sam - - all - - CONTINUE - - - - - - net - - all - - DROP - - info - - - - all - - all - - REJECT - - info - - - -
+ #SOURCE DEST POLICY LOG LEVEL +loc net ACCEPT +sam all CONTINUE +net all DROP info +all all REJECT info The second entry above says that when Sam is the client, connection requests should first be process under rules where the source @@ -1686,115 +1174,13 @@ that this policy be listed BEFORE the next policy (net to all). - - Partial /etc/shorewall/rules + Partial /etc/shorewall/rules: - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - ... - - - - - - - - - - - - - - - - - - - - DNAT - - sam - - loc:192.168.1.3 - - tcp - - ssh - - - - - - - - - - - - - DNAT - - net - - loc:192.168.1.5 - - tcp - - www - - - - - - - - - - - - - ... - - - - - - - - - - - - - - - - - - - -
+ #ACTION SOURCE DEST PROTO DEST PORT(S) +... +DNAT sam loc:192.168.1.3 tcp ssh +DNAT net loc:192.168.1.5 tcp www +... Given these two rules, Sam can connect to the firewall's internet interface with ssh and the connection request will be forwarded @@ -1810,113 +1196,11 @@ firewall itself. Because of the way that Netfilter is constructed, this requires two rules as follows: - - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - ... - - - - - - - - - - - - - - - - - - - - DNAT - - sam - - fw - - tcp - - ssh - - - - - - - - - - - - - DNAT - - net!sam - - loc:192.168.1.3 - - tcp - - ssh - - - - - - - - - - - - - ... - - - - - - - - - - - - - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +... +DNAT sam fw tcp ssh +DNAT net loc:192.168.1.3 tcp ssh +... The first rule allows Sam SSH access to the firewall. The second rule says that any clients from the net zone with the exception of those @@ -1931,9 +1215,9 @@
/etc/shorewall/rules - The /etc/shorewall/rules file defines exceptions to the policies - established in the /etc/shorewall/policy file. There is one entry in - /etc/shorewall/rules for each of these rules. + The /etc/shorewall/rules file defines + exceptions to the policies established in the /etc/shorewall/policy + file. There is one entry in /etc/shorewall/rules for each of these rules. Shorewall automatically enables firewall->firewall traffic over the loopback interface (lo) -- that traffic cannot be regulated using @@ -2065,13 +1349,13 @@ rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with - < - <rate>/<interval>[:<burst>] > + < <rate>/<interval>[:<burst>] > - where <rate> is the number of connections per - <interval> (sec or min) and - <burst> is the largest burst permitted. If no burst value is - given, a value of 5 is assumed. + where <rate> is the number of + connections per <interval> (sec + or min) and <burst> is + the largest burst permitted. If no burst value is given, a value of + 5 is assumed. There may be no whitespace embedded in the specification. @@ -2306,8 +1590,9 @@ - DNAT loc:192.168.1.0/24 - loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3 + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT(S) PORT(S) DEST +DNAT loc:192.168.1.0/24 loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3 @@ -2382,53 +1667,8 @@ to local system 192.168.1.3. You wish to limit the number of connections to 4/minute with a burst of 8 (Shorewall 1.4.7 and later only): - - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - DNAT<4/min:8> - - net - - loc:192.168.1.3 - - tcp - - ssh - - - - - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +DNAT<4/min:8> net loc:192.168.1.3 tcp ssh 
@@ -2440,73 +1680,10 @@ were NOT (notice the !) originally destined to 206.124.146.177 are redirected to local port 3128. - - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - REDIRECT - - loc - - 3128 - - tcp - - www - - - - - !206.124.146.177 - - - - - - - - ACCEPT - - fw - - net - - tcp - - www - - - - - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL +# PORT(S) DEST +REDIRECT loc 3128 tcp www - !206.124.146.177 +ACCEPT fw net tcp www @@ -2514,73 +1691,9 @@ have it accessible remotely and locally. the DMZ is managed by Proxy ARP or by classical sub-netting. - - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - ACCEPT - - net - - dmz:155.186.235.222 - - tcp - - www - - - - - - - - - - - - - ACCEPT - - loc - - dmz:155.186.235.222 - - tcp - - www - - - - - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT net dmz:155.186.235.222 tcp www +ACCEPT loc dmz:155.186.235.222 tcp www @@ -2599,73 +1712,10 @@ the site that the user was trying to connect to. That is clearly not what you want. - - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - DNAT - - net - - dmz:192.168.2.2 - - tcp - - ftp - - - - - - - - - - - - DNAT - - loc:192.168.1.0/24 - - dmz:192.168.2.2 - - tcp - - ftp - - - - - 155.186.235.151 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL +# PORT(S) DEST +DNAT net dmz:192.168.2.2 tcp ftp +DNAT loc:192.168.1.0/24 dmz:192.168.2.2 tcp ftp - 155.186.235.151 If you are running wu-ftpd, you should restrict the range of passive in your /etc/ftpaccess file. I only need a few simultaneous FTP 
@@ -2686,106 +1736,16 @@ You wish to allow unlimited DMZ access to the host with MAC address 02:00:08:E3:FA:55. - - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - ACCEPT - - loc:~02-00-08-E3-FA-55 - - dmz - - all - - - - - - - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT loc:~02-00-08-E3-FA-55 dmz all You wish to allow access to the SMTP server in your DMZ from all zones. - - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - ACCEPT - - all - - dmz - - tcp - - 25 - - - - - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT all dmz tcp 25 When all is used as a source or destination, intra-zone traffic is not affected. In this example, if @@ -2797,53 +1757,8 @@ Your firewall's external interface has several IP addresses but you only want to accept SSH connections on address 206.124.146.176. - - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - ACCEPT - - net - - fw:206.124.146.176 - - tcp - - 22 - - - - - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT net fw:206.124.146.176 tcp 22 
@@ -2853,93 +1768,11 @@ want to allow access from the internet directly to tcp port 25 on 192.0.2.177. - - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - DNAT- - - net - - dmz:192.0.2.177 - - tcp - - 25 - - 0 - - 192.0.2.178 - - - - - - - - DNAT- - - net - - dmz:192.0.2.177 - - tcp - - 25 - - 0 - - 192.0.2.179 - - - - - - - - ACCEPT - - net - - dmz:192.0.2.177 - - tcp - - 25 - - - - - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL +# PORT(S) DEST +DNAT- net dmz:192.0.2.177 tcp 25 - 192.0.2.178 +DNAT- net dmz:192.0.2.177 tcp 25 - 192.0.2.179 +ACCEPT net dmz:192.0.2.177 tcp 25 Using DNAT- rather than DNAT avoids two extra copies of the third rule from being generated. @@ -2951,53 +1784,8 @@ distributed among your servers. The servers are 192.168.1.101-192.168.1.109. - - - - - ACTION - - SOURCE - - DEST - - PROTO - - DEST PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - RATE LIMIT - - USER SET - - - - - - DNAT - - net - - loc:192.168.1.101-192.168.1.109 - - tcp - - 80 - - - - - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +DNAT net loc:192.168.1.101-192.168.1.109 tcp 80 Look here for information on other services. 
@@ -3007,15 +1795,16 @@ /etc/shorewall/common Shorewall allows definition of rules that apply between all zones. - By default, these rules are defined in the file /etc/shorewall/common.def + By default, these rules are defined in the file /etc/shorewall/common.def but may be modified to suit individual requirements. Rather than modify - /etc/shorewall/common.def, you should copy that file to - /etc/shorewall/common and modify that file. + /etc/shorewall/common.def, you should copy that file + to /etc/shorewall/common and modify that file. - The /etc/shorewall/common file is expected to contain iptables - commands; rather than running iptables directly, you should run it - indirectly using the Shorewall function run_iptables. That - way, if iptables encounters an error, the firewall will be safely stopped. + The /etc/shorewall/common file is expected to + contain iptables commands; rather than running iptables directly, you + should run it indirectly using the Shorewall function run_iptables. + That way, if iptables encounters an error, the firewall will be safely + stopped.
@@ -3103,29 +1892,8 @@ your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq file would look like: - - - - - INTERFACE - - SUBNET - - ADDRESS - - - - - - eth0 - - 192.168.9.0/24 - - - - - - + #INTERFACE SUBNET ADDRESS +eth0 192.168.9.0/24 @@ -3133,29 +1901,8 @@ masquerade traffic from your 192.168.9.0/24 subnet to the remote subnet 10.1.0.0/16 only. - - - - - INTERFACE - - SUBNET - - ADDRESS - - - - - - ipsec0:10.1.0.0/16 - - 192.168.9.0/24 - - - - - - + #INTERFACE SUBNET ADDRESS +ipsec0:10.1.0.0/16 192.168.9.0/24 @@ -3163,58 +1910,16 @@ (192.168.10.0/24) connected to eth1. You want all local->net connections to use source address 206.124.146.176. - - - - - INTERFACE - - SUBNET - - ADDRESS - - - - - - eth0 - - 192.168.10.0/24 - - 206.124.146.176 - - - - + #INTERFACE SUBNET ADDRESS +eth0 192.168.10.0/24 206.124.146.176 Same as example 3 except that you wish to exclude 192.168.10.44 and 192.168.10.45 from the SNAT rule. - - - - - INTERFACE - - SUBNET - - ADDRESS - - - - - - eth0 - - 192.168.10.0/24!192.168.10.44,192.168.10.45 - - 206.124.146.176 - - - - + #INTERFACE SUBNET ADDRESS +eth0 192.168.10.0/24!192.168.10.44,192.168.10.45 206.124.146.176 @@ -3224,29 +1929,8 @@ address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes in . - - - - - INTERFACE - - SUBNET - - ADDRESS - - - - - - eth0:0 - - 192.168.12.0/24 - - 206.124.146.177 - - - - + #INTERFACE SUBNET ADDRESS +eth0:0 192.168.12.0/24 206.124.146.177 @@ -3255,29 +1939,8 @@ subnet 192.168.12.0/24. Each address will be used on alternate outbound connections. - - - - - INTERFACE - - SUBNET - - ADDRESS - - - - - - eth0 - - 192.168.12.0/24 - - 206.124.146.177,206.124.146.179 - - - - + #INTERFACE SUBNET ADDRESS +eth0 192.168.12.0/24 206.124.146.177,206.124.146.179
@@ -3288,17 +1951,16 @@ that you look at the Proxy ARP Subnet Mini HOWTO. If you decide to use the technique described in that - HOWTO, you can set the proxy_arp flag for an interface - (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + HOWTO, you can set the proxy_arp flag for an interface (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) by including the proxyarp option in the interface's record in . When using Proxy ARP sub-netting, you do NOT include any entries in /etc/shorewall/proxyarp.
- The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is typically used for - enabling Proxy ARP on a small set of systems since you need one entry in - this file for each system using proxy ARP. Columns are: + The /etc/shorewall/proxyarp file is used to + define Proxy ARP. The file is typically + used for enabling Proxy ARP on a small set of systems since you need one + entry in this file for each system using proxy ARP. Columns are: @@ -3367,35 +2029,11 @@ In your DMZ, you want to install a Web/FTP server with public address 155.186.235.4. On the Web server, you subnet just like the firewall's eth0 and you configure 155.186.235.1 as the default - gateway. In your /etc/shorewall/proxyarp file, you will have: + gateway. In your /etc/shorewall/proxyarp file, you + will have: - - - - - ADDRESS - - INTERFACE - - EXTERNAL - - HAVEROUTE - - - - - - 155.186.235.4 - - eth2 - - eth0 - - No - - - - + #ADDRESS INTERFACE EXTERNAL HAVEROUTE +155.186.235.4 eth2 eth0 NO You may want to configure the servers in your DMZ with a subnet that is smaller than the subnet of your internet interface. See @@ -3410,29 +2048,30 @@ Shorewall with an IPSEC tunnel active, the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to the interface that you specify in the INTERFACE column of - /etc/shorewall/proxyarp. I haven't had the time to debug this - problem so I can't say if it is a bug in the Kernel or in FreeS/Wan. + /etc/shorewall/proxyarp. I haven't had the time + to debug this problem so I can't say if it is a bug in the Kernel or + in FreeS/Wan. You might be able to work around this problem using the following (I haven't tried it): - In /etc/shorewall/init, include: + In /etc/shorewall/init, include: - qt service ipsec stop + qt /etc/init.d/ipsec stop - In /etc/shorewall/start, include: + In /etc/shorewall/start, include: - qt service ipsec start + qt /etc/init.d/ipsec start
/etc/shorewall/nat - The /etc/shorewall/nat file is used to define one-to-one NAT. There - is one entry in the file for each one-to-one NAT relationship that you - wish to define. In order to make use of this feature, you must have NAT - enabled. + The /etc/shorewall/nat file is used to define + one-to-one NAT. There is one entry in the file for each one-to-one NAT + relationship that you wish to define. In order to make use of this + feature, you must have NAT enabled. If all you want to do is forward ports to servers behind your @@ -3545,6 +2184,17 @@ This file is used to set the following firewall parameters: + + MODULE_SUFFIX + + + (Added at version 1.4.9) - The value of this variable + determines the possible file extensions of kernel modules. The + default value is "o gz ko and o.gz". See for more details. + + + ADMINISABSENTMINDED @@ -3594,13 +2244,14 @@ assumed. - /sbin/shorewall uses the leading part of the LOGFORMAT - string (up to but not including the first %) to - find log messages in the show log, status - and hits commands. This part should not be omitted - (the LOGFORMAT should not begin with %) and the - leading part should be sufficiently unique for /sbin/shorewall to - identify Shorewall messages. + /sbin/shorewall uses the leading part of + the LOGFORMAT string (up to but not including the first + %) to find log messages in the show log, + status and hits commands. This part + should not be omitted (the LOGFORMAT should not begin with + %) and the leading part should be sufficiently + unique for /sbin/shorewall to identify + Shorewall messages. 
@@ -3615,10 +2266,10 @@ people that prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do - not supply an /etc/shorewall/tcstart file. That way, your traffic - shaping rules can still use the fwmark classifier - based on packet marking defined in /etc/shorewall/tcrules. If not - specified, CLEAR_TC=Yes is assumed. + not supply an /etc/shorewall/tcstart file. That + way, your traffic shaping rules can still use the fwmark + classifier based on packet marking defined in + /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed. @@ -3633,10 +2284,10 @@ that chain rather than in the PREROUTING chain. This permits you to mark inbound traffic based on its destination address when SNAT or Masquerading are in use. To determine if your kernel has a FORWARD - chain in the mangle table, use the /sbin/shorewall show - mangle command; if a FORWARD chain is displayed then your - kernel will support this option. If this option is not specified or - if it is given the empty value (e.g., + chain in the mangle table, use the /sbin/shorewall + show mangle command; if a FORWARD chain is + displayed then your kernel will support this option. If this option + is not specified or if it is given the empty value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. @@ -4086,19 +2737,18 @@
/etc/shorewall/modules Configuration - The file /etc/shorewall/modules contains commands for loading the - kernel modules required by Shorewall-defined firewall rules. Shorewall - will source this file during start/restart provided that it exists and - that the directory specified by the MODULESDIR parameter exists (see above). + The file /etc/shorewall/modules contains + commands for loading the kernel modules required by Shorewall-defined + firewall rules. Shorewall will source this file during start/restart + provided that it exists and that the directory specified by the MODULESDIR + parameter exists (see above). The file that is released with Shorewall calls the Shorewall function loadmodule for the set of modules that I load. The loadmodule function is called as follows: - loadmodule <modulename> [ - <module parameters> ] + loadmodule <modulename> [ <module parameters> ] where @@ -4124,11 +2774,10 @@ The function determines if the module named by <modulename> is already loaded and if not then the function determines if the .o file corresponding to the module exists in the - moduledirectory; if so, then the following command is - executed: + <moduledirectory>; if so, then the following + command is executed: - insmod moduledirectory/<modulename>.o - <module parameters> + insmod <moduledirectory>/<modulename>.o <module parameters> If the file doesn't exist, the function determines of the .o.gz file corresponding to the module exists in the 
@@ -4136,17 +2785,26 @@ that the running configuration supports compressed modules and execute the following command: - insmod moduledirectory/<modulename>.o.gz - <module parameters> + insmod <moduledirectory>/<modulename>.o.gz <module parameters> + + Beginning with the 1.4.9 Shorewall release, the value of the + MODULE_SUFFIX option in determines which files the loadmodule function + looks for if the named module doesn't exist. For each file + <extension> listed in MODULE_SUFFIX (default + "o gz ko o.gz"), the function will append a period (".") + and the extension and if the resulting file exists then the following + command will be executed: + + insmod moduledirectory/<modulename>.<extension> <module parameters>
/etc/shorewall/tos Configuration - The /etc/shorewall/tos file allows you to set the Type of Service - field in packet headers based on packet source, packet destination, - protocol, source port and destination port. In order for this file to be - processed by Shorewall, you must have mangle support enabled. + The /etc/shorewall/tos file allows you to set + the Type of Service field in packet headers based on packet source, packet + destination, protocol, source port and destination port. In order for this + file to be processed by Shorewall, you must have mangle support enabled. Entries in the file have the following columns: @@ -4181,8 +2839,8 @@ PROTOCOL - The name of a protocol in /etc/protocols or the protocol's - number. + The name of a protocol in /etc/protocols or + the protocol's number. @@ -4225,130 +2883,35 @@ - - /etc/shorewall/tos file that is included with Shorewall + /etc/shorewall/tos file that is included with + Shorewall - - - - SOURCE - - DEST - - PROTOCOL - - SOURCE PORT(S) - - DEST PORT(S) - - TOS - - - - - - all - - all - - tcp - - - - - ssh - - 16 - - - - all - - all - - tcp - - ssh - - - - - 16 - - - - all - - all - - tcp - - - - - ftp - - 16 - - - - all - - all - - tcp - - ftp - - - - - 16 - - - - all - - all - - tcp - - - - - ftp-data - - 8 - - - - all - - all - - tcp - - ftp-data - - - - - 8 - - - -
+ #SOURCE DEST PROTOCOL SOURCE PORTS(S) DEST PORTS(S) TOS +all all tcp - ssh 16 +all all tcp ssh - 16 +all all tcp - ftp 16 +all all tcp ftp - 16 +all all tcp - ftp-data 8 +all all tcp ftp-data - 8 Users have reported that odd routing problems result from adding - the ESP and AH protocols to the /etc/shorewall/tos file. + the ESP and AH protocols to the /etc/shorewall/tos + file.
/etc/shorewall/blacklist - Each line in /etc/shorewall/blacklist contains an IP address, a MAC - address in Shorewall Format or subnet address. + Each line in /etc/shorewall/blacklist contains + an IP address, a MAC address in Shorewall Format or subnet address. - 130.252.100.69 206.124.146.0/24 + 130.252.100.69 +206.124.146.0/24 Packets from hosts listed in the @@ -4356,9 +2919,10 @@ BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf. Only packets arriving on interfaces that have the blacklist - option in /etc/shorewall/interfaces are checked against the blacklist. The - black list is designed to prevent listed hosts/subnets from accessing - services on your network. + option in /etc/shorewall/interfaces are checked + against the blacklist. The black list is designed to prevent listed + hosts/subnets from accessing services on your + network. Beginning with Shorewall 1.3.8, the blacklist file has three columns: @@ -4490,31 +3054,9 @@ from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces through eth1 and your local hosts through eth2. - - - - - INTERFACE - - HOST(S) - - - - - - eth2 - - 192.168.1.0/24 - - - - eth1 - - - - - - - + #INTERFACE HOST(S) +eth2 192.168.1.0/24 +eth1 -
@@ -4549,7 +3091,8 @@ Revision History - 1.102004-01-05TEImproved + 1.112005-01-05TEStandards + Compliance1.102004-01-05TEImproved formatting of DNAT- and REDIRECT- for clarity1.92003-12-25MNInitial Docbook Conversion Complete diff --git a/Shorewall-docs/blacklisting_support.xml b/Shorewall-docs/blacklisting_support.xml index 65f188da7..494adfff0 100644 --- a/Shorewall-docs/blacklisting_support.xml +++ b/Shorewall-docs/blacklisting_support.xml @@ -15,10 +15,10 @@ - 2003-11-14 + 2004-01-05 - 2002-2003 + 2002-2004 Thomas M. Eastep @@ -70,18 +70,18 @@ You specify whether you want packets from blacklisted hosts dropped or rejected using the BLACKLIST_DISPOSITION setting in /etc/shorewall/shorewall.conf. + url="Documentation.htm#Config">/etc/shorewall/shorewall.conf. You specify whether you want packets from blacklisted hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL setting - in /etc/shorewall/shorewall.conf. + in /etc/shorewall/shorewall.conf. You list the IP addresses/subnets that you wish to blacklist in - /etc/shorewall/blacklist. + /etc/shorewall/blacklist. Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service names in the blacklist file. @@ -89,13 +89,13 @@ You specify the interfaces whose incoming packets you want checked against the blacklist using the blacklist - option in /etc/shorewall/interfaces. + option in /etc/shorewall/interfaces. - The black list is refreshed from /etc/shorewall/blacklist by the - shorewall - refresh command. + The black list is refreshed from /etc/shorewall/blacklist + by the shorewall + refresh command.
@@ -137,12 +137,12 @@ Dynamic blacklisting is not dependent on the blacklist - option in /etc/shorewall/interfaces. + option in /etc/shorewall/interfaces. Ingore packets from a pair of systems - shorewall drop 192.0.2.124 192.0.2.125 + shorewall drop 192.0.2.124 192.0.2.125 Drops packets from hosts 192.0.2.124 and 192.0.2.125 @@ -150,7 +150,7 @@ Re-enable packetes from a system - shorewall allow 192.0.2.125 + shorewall allow 192.0.2.125 Re-enables traffic from 192.0.2.125. diff --git a/Shorewall-docs/configuration_file_basics.xml b/Shorewall-docs/configuration_file_basics.xml index 17a9a5fb0..e92cdc52d 100644 --- a/Shorewall-docs/configuration_file_basics.xml +++ b/Shorewall-docs/configuration_file_basics.xml @@ -15,10 +15,10 @@ - 2003-11-20 + 2004-01-05 - 2001-2003 + 2001-2004 Thomas M. Eastep @@ -43,45 +43,45 @@
Files - /etc/shorewall/shorewall.conf - used - to set several firewall parameters./etc/shorewall/params + /etc/shorewall/shorewall.conf + - used to set several firewall parameters./etc/shorewall/params - use this file to set shell variables that you will expand in other - files./etc/shorewall/zones - partition - the firewall's view of the world into zones./etc/shorewall/policy - - establishes firewall high-level policy./etc/shorewall/interfaces - - describes the interfaces on the firewall system./etc/shorewall/hosts - - allows defining zones in terms of individual hosts and subnetworks./etc/shorewall/masq + files./etc/shorewall/zones + - partition the firewall's view of the world into zones./etc/shorewall/policy + - establishes firewall high-level policy./etc/shorewall/interfaces + - describes the interfaces on the firewall system./etc/shorewall/hosts + - allows defining zones in terms of individual hosts and subnetworks./etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) Network Address Translation (a.k.a. 
Masquerading) and Source Network Address Translation - (SNAT)./etc/shorewall/modules - directs - the firewall to load kernel modules./etc/shorewall/rules + (SNAT)./etc/shorewall/modules + - directs the firewall to load kernel modules./etc/shorewall/rules - defines rules that are exceptions to the overall policies established in - /etc/shorewall/policy./etc/shorewall/nat - - defines one-to-one NAT rules./etc/shorewall/proxyarp - - defines use of Proxy ARP./etc/shorewall/routestopped + /etc/shorewall/policy./etc/shorewall/nat + - defines one-to-one NAT rules./etc/shorewall/proxyarp + - defines use of Proxy ARP./etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is - stopped./etc/shorewall/tcrules - defines - marking of packets for later use by traffic control/shaping or policy - routing./etc/shorewall/tos - defines - rules for setting the TOS field in packet headers./etc/shorewall/tunnels + stopped./etc/shorewall/tcrules + - defines marking of packets for later use by traffic + control/shaping or policy routing./etc/shorewall/tos + - defines rules for setting the TOS field in packet headers./etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on the firewall - system./etc/shorewall/blacklist - lists - blacklisted IP/subnet/MAC addresses./etc/shorewall/init + system./etc/shorewall/blacklist + - lists blacklisted IP/subnet/MAC addresses./etc/shorewall/init - commands that you wish to execute at the beginning of a shorewall - start or shorewall restart./etc/shorewall/start + start or shorewall restart./etc/shorewall/start - commands that you wish to execute at the completion of a shorewall - start or shorewall restart/etc/shorewall/stop - - commands that you wish to execute at the beginning of a shorewall - stop./etc/shorewall/stopped - - commands that you wish to execute at the completion of a shorewall - stop./etc/shorewall/ecn - - disable Explicit Congestion Notification (ECN - RFC 3168) to remote 
hosts - or networks./etc/shorewall/accounting - - define IP traffic accounting rules/etc/shorewall/usersets + start or shorewall restart/etc/shorewall/stop + - commands that you wish to execute at the beginning of a + shorewall stop./etc/shorewall/stopped + - commands that you wish to execute at the completion of a shorewall + stop./etc/shorewall/ecn + - disable Explicit Congestion Notification (ECN - RFC 3168) to remote + hosts or networks./etc/shorewall/accounting + - define IP traffic accounting rules/etc/shorewall/usersets and /etc/shorewall/users - define sets of users/groups with similar access - rights/etc/shorewall/actions and - /etc/shorewall/action.template - define your own actions for rules in - /etc/shorewall/rules (shorewall 1.4.9 and later). + rights/etc/shorewall/actions + and /etc/shorewall/action.template - define your own + actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and later).
@@ -199,13 +199,13 @@ smtp,www,pop3,imap #Services running on the firewall - If your /etc/resolv.conf is wrong then your firewall won't - start. + If your /etc/resolv.conf is wrong then your + firewall won't start. - If your /etc/nsswitch.conf is wrong then your firewall won't - start. + If your /etc/nsswitch.conf is wrong then + your firewall won't start. @@ -274,7 +274,7 @@ smtp,www,pop3,imap #Services running on the firewall - In the /etc/shorewall/nat file. + In the /etc/shorewall/nat file. @@ -299,8 +299,7 @@ smtp,www,pop3,imap #Services running on the firewall Must not have any embedded white space. Valid: routefilter,dhcp,norfc1918 - Invalid: routefilter,     dhcp,     norfc1818 - + Invalid: routefilter,     dhcp,     norfc1818 @@ -330,45 +329,8 @@ smtp,www,pop3,imap #Services running on the firewall want to forward the range of tcp ports 4000 through 4100 to local host 192.168.1.3, the entry in /etc/shorewall/rules is: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - DNAT - - net - - loc:192.168.1.3 tcp - - tcp - - 4000:4100 - - - - - - - - + #ACTION SOURCE DESTINATION PROTO DEST PORTS(S) +DNAT net loc:192.168.1.3 tcp 4000:4100 If you omit the low port number, a value of zero is assumed; if you omit the high port number, a value of 65535 is assumed. @@ -423,7 +385,7 @@ smtp,www,pop3,imap #Services running on the firewall MAC Address of a NIC -      [root@gateway root]# ifconfig eth0 +      [root@gateway root]# ifconfig eth0      eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55      inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0 @@ -444,7 +406,8 @@ role="bold">02:00:08:E3:FA:55 It is not necessary to use the special Shorewall notation in the - /etc/shorewall/maclist file. + /etc/shorewall/maclist + file.
@@ -452,12 +415,13 @@ role="bold">02:00:08:E3:FA:55 Shorewall Configurations Shorewall allows you to have configuration directories other than - /etc/shorewall. The shorewall check, start and restart commands allow you - to specify an alternate configuration directory and Shorewall will use the - files in the alternate directory rather than the corresponding files in - /etc/shorewall. The alternate directory need not contain a complete - configuration; those files not in the alternate directory will be read - from /etc/shorewall. + /etc/shorewall. The shorewall + check, start and restart commands allow you to specify an alternate + configuration directory and Shorewall will use the files in the alternate + directory rather than the corresponding files in /etc/shorewall. The + alternate directory need not contain a complete configuration; those files + not in the alternate directory will be read from /etc/shorewall. This facility permits you to easily create a test or temporary configuration by @@ -474,8 +438,8 @@ role="bold">02:00:08:E3:FA:55 specifying the separate directory in a shorewall start or - shorewall restart command (e.g., shorewall -c - /etc/testconfig restart ) + shorewall restart command (e.g., shorewall -c /etc/testconfig + restart ) diff --git a/Shorewall-docs/dhcp.xml b/Shorewall-docs/dhcp.xml index b64b5678d..bb32bca75 100644 --- a/Shorewall-docs/dhcp.xml +++ b/Shorewall-docs/dhcp.xml @@ -41,14 +41,15 @@ Specify the dhcp option on each interface to be - served by your server in the /etc/shorewall/interfaces file. This will - generate rules that will allow DHCP to and from your firewall system. + served by your server in the /etc/shorewall/interfaces + file. This will generate rules that will allow DHCP to and from your + firewall system. When starting dhcpd, you need to list those interfaces on the run line. On a RedHat system, this is done by - modifying /etc/sysconfig/dhcpd. + modifying /etc/sysconfig/dhcpd.
@@ -59,7 +60,7 @@ Specify the dhcp option for this interface in the - /etc/shorewall/interfaces + /etc/shorewall/interfaces file. This will generate rules that will allow DHCP to and from your firewall system. @@ -74,7 +75,7 @@ If you don't know the subnet address in advance, you should specify detect for the interface's subnet address - in the /etc/shorewall/interfaces + in the /etc/shorewall/interfaces file and start Shorewall after the interface has started. diff --git a/Shorewall-docs/troubleshoot.xml b/Shorewall-docs/troubleshoot.xml index 60b951f7e..80a88ddc4 100644 --- a/Shorewall-docs/troubleshoot.xml +++ b/Shorewall-docs/troubleshoot.xml @@ -13,7 +13,7 @@ Eastep - 2004-01-01 + 2004-01-06 2001-2004 @@ -51,6 +51,14 @@ sure that there isn't an update that you are missing for your version of the firewall. + +
+ Try Searching the Shorewall Site and Mailing List Archives + + The Site + and Mailing List Archives search facility can locate documents + and posts about similar problems. +
@@ -347,8 +355,9 @@ DROP net fw icmp echo-request Revision History - 1.22004-01-01TEAdded - information about eliminating ping-generated log messages.1.12003-12-22TEInitial + 1.62005-01-06TEAdd + pointer to Site and Mailing List Archives Searches.1.52004-01-01TEAdded + information about eliminating ping-generated log messages.1.42003-12-22TEInitial Docbook Conversion \ No newline at end of file
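Review bot: In the Documentation.xml proxyarp example (hunk @@ -3367,35 +2029,11 @@), the HAVEROUTE value silently changes from the removed table's "No" to "NO" in the plain-text replacement; the other table-to-text conversions in this commit keep the original cell values verbatim, so keep "No" here too (or pick one spelling and use it consistently for that column throughout the file).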
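Review bot: In the FreeS/Wan workaround hunk (@@ -3410,29 +2048,30 @@), `qt service ipsec stop` / `qt service ipsec start` become `qt /etc/init.d/ipsec stop` / `qt /etc/init.d/ipsec start`; neither the `service` wrapper nor a hard-coded `/etc/init.d/ipsec` path exists on every distribution, so the "You might be able to work around this problem" paragraph should say which init-script layout the example assumes.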
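Review bot: The MODULE_SUFFIX default is quoted as "o gz ko and o.gz" in the shorewall.conf section (hunk @@ -3545,6 +2184,17 @@) but as "o gz ko o.gz" in the modules section (hunk @@ -4136,17 +2785,26 @@); the word "and" inside the quotes reads as part of the value, so move it outside the quotes and make both places agree. In the same shorewall.conf hunk, "See for more details." has no target; if an xref is intended it needs a linkend.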
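Review bot: The new insmod line added for MODULE_SUFFIX (hunk @@ -4136,17 +2785,26 @@) still reads `insmod moduledirectory/<modulename>.<extension> <module parameters>`, while the two insmod lines just above it were changed in this same commit to the `<moduledirectory>/...` form; use the bracketed form here as well. Also, "which files the loadmodule function looks for if the named module doesn't exist" is ambiguous given that the preceding paragraph says the function first checks whether the module is already loaded; "isn't already loaded" appears to be what is meant. The unchanged context line "the function determines of the .o.gz file" in hunk @@ -4124,11 +2774,10 @@ should read "determines if".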
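Review bot: The replacement header in the tos example (hunk @@ -4225,130 +2883,35 @@) reads `SOURCE PORTS(S)` and `DEST PORTS(S)`, where the removed table had "SOURCE PORT(S)" and "DEST PORT(S)"; fix the typo so the header matches the column names described above it. The same "PORTS(S)" typo appears in the configuration_file_basics.xml DNAT example (hunk @@ -330,45 +329,8 @@), `#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)`, where the removed table also said "PORT(S)".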
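Review bot: In configuration_file_basics.xml hunk @@ -299,8 +299,7 @@, the unchanged line "Invalid: routefilter, dhcp, norfc1818" differs from the "Valid: routefilter,dhcp,norfc1918" line above it in the option name as well as in whitespace; since the point of the example is the embedded white space, the invalid example should use norfc1918 so that whitespace is the only difference.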
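Review bot: In blacklisting_support.xml hunks @@ -137,12 +137,12 @@ and @@ -150,7 +150,7 @@, the unchanged example titles "Ingore packets from a pair of systems" and "Re-enable packetes from a system" sit right next to the edited command lines; since this commit already touches these examples, fix "Ignore" and "packets" in the same pass.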
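Review bot: The new Documentation.xml revision-history entry (hunk @@ -4549,7 +3091,8 @@) is dated 2005-01-05, but the commit is from 2004-01-06 and every other date touched in this patch is 2004-01-05; the year is a typo. The troubleshoot.xml history (hunk @@ -347,8 +355,9 @@) has the same problem, 2005-01-06 against a file date of 2004-01-06, and additionally renumbers the existing entries from 1.2/1.1 to 1.5/1.4 and adds the new one as 1.6, leaving 1.1 through 1.3 unaccounted for; revision numbers should be append-only, so add the new entry as 1.3 and leave the earlier entries' numbers unchanged.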