forked from extern/shorewall_code
More standards work
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1061 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
d32a946a0f
commit
dfe1ffbd37
@ -21,10 +21,10 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2003-05-18</pubdate>
|
<pubdate>2004-01-05</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2003</year>
|
<year>2003-2004</year>
|
||||||
|
|
||||||
<holder>Eric de Thoars and Tom Eastep</holder>
|
<holder>Eric de Thoars and Tom Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@ -62,94 +62,47 @@
|
|||||||
|
|
||||||
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
|
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
|
||||||
communicate with the systems in the 2002:488:999::/64 network. This is
|
communicate with the systems in the 2002:488:999::/64 network. This is
|
||||||
accomplished through use of the /etc/shorewall/tunnels file and the
|
accomplished through use of the <filename><filename>/etc/shorewall/tunnels</filename></filename>
|
||||||
<quote>ip</quote> utility for network interface and routing configuration.</para>
|
file and the <quote>ip</quote> utility for network interface and routing
|
||||||
|
configuration.</para>
|
||||||
|
|
||||||
<para>Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
|
<para>Unlike GRE and IPIP tunneling, the <filename>/etc/shorewall/policy</filename>,
|
||||||
/etc/shorewall/interfaces and /etc/shorewall/zones files are not used.
|
<filename>/etc/shorewall/interfaces</filename> and <filename>/etc/shorewall/zones</filename>
|
||||||
There is no need to declare a zone to represent the remote IPv6 network.
|
files are not used. There is no need to declare a zone to represent the
|
||||||
This remote network is not visible on IPv4 interfaces and to iptables. All
|
remote IPv6 network. This remote network is not visible on IPv4 interfaces
|
||||||
that is visible on the IPv4 level is an IPv4 stream which contains IPv6
|
and to iptables. All that is visible on the IPv4 level is an IPv4 stream
|
||||||
traffic. Separate IPv6 interfaces and ip6tables rules need to be defined
|
which contains IPv6 traffic. Separate IPv6 interfaces and ip6tables rules
|
||||||
to handle this traffic.</para>
|
need to be defined to handle this traffic.</para>
|
||||||
|
|
||||||
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
|
<para>In <filename>/etc/shorewall/tunnels </filename>on system A, we need
|
||||||
|
the following:</para>
|
||||||
|
|
||||||
<informaltable>
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||||
<tgroup cols="4">
|
6to4 net 134.28.54.2</programlisting>
|
||||||
<thead>
|
|
||||||
<row>
|
|
||||||
<entry align="center">TYPE</entry>
|
|
||||||
|
|
||||||
<entry align="center">ZONE</entry>
|
<para>This entry in <filename>/etc/shorewall/tunnels</filename>, opens the
|
||||||
|
firewall so that the IPv6 encapsulation protocol (41) will be accepted
|
||||||
<entry align="center">GATEWAY</entry>
|
to/from the remote gateway.</para>
|
||||||
|
|
||||||
<entry align="center">GATEWAY ZONE</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>6to4</entry>
|
|
||||||
|
|
||||||
<entry>net</entry>
|
|
||||||
|
|
||||||
<entry>134.28.54.2</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</informaltable>
|
|
||||||
|
|
||||||
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
|
|
||||||
IPv6 encapsulation protocol (41) will be accepted to/from the remote
|
|
||||||
gateway.</para>
|
|
||||||
|
|
||||||
<para>Use the following commands to setup system A:</para>
|
<para>Use the following commands to setup system A:</para>
|
||||||
|
|
||||||
<programlisting>>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2
|
<programlisting>><command>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2</command>
|
||||||
>ip link set dev tun6to4 up
|
><command>ip link set dev tun6to4 up</command>
|
||||||
>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4
|
><command>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4</command>
|
||||||
>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</programlisting>
|
><command>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</command></programlisting>
|
||||||
|
|
||||||
<para>Similarly, in /etc/shorewall/tunnels on system B we have:</para>
|
<para>Similarly, in <filename>/etc/shorewall/tunnels</filename> on system
|
||||||
|
B we have:</para>
|
||||||
|
|
||||||
<informaltable>
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||||
<tgroup cols="4">
|
6to4 net 206.191.148.9</programlisting>
|
||||||
<thead>
|
|
||||||
<row>
|
|
||||||
<entry align="center">TYPE</entry>
|
|
||||||
|
|
||||||
<entry align="center">ZONE</entry>
|
|
||||||
|
|
||||||
<entry align="center">GATEWAY</entry>
|
|
||||||
|
|
||||||
<entry align="center">GATEWAY ZONE</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>6to4</entry>
|
|
||||||
|
|
||||||
<entry>net</entry>
|
|
||||||
|
|
||||||
<entry>206.191.148.9</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</informaltable>
|
|
||||||
|
|
||||||
<para>And use the following commands to setup system B:</para>
|
<para>And use the following commands to setup system B:</para>
|
||||||
|
|
||||||
<programlisting>>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9
|
<programlisting>><command>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9</command>
|
||||||
>ip link set dev tun6to4 up
|
><command>ip link set dev tun6to4 up</command>
|
||||||
>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4
|
><command>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4</command>
|
||||||
>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</programlisting>
|
><command>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</command></programlisting>
|
||||||
|
|
||||||
<para>On both systems, restart Shorewall and issue the configuration
|
<para>On both systems, restart Shorewall and issue the configuration
|
||||||
commands as listed above. The systems in both IPv6 subnetworks can now
|
commands as listed above. The systems in both IPv6 subnetworks can now
|
||||||
|
|||||||
@ -15,10 +15,10 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2003-12-06</pubdate>
|
<pubdate>2004-01-05</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2003</year>
|
<year>2003-2004</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@ -98,13 +98,13 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from
|
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from
|
||||||
/etc/protocols) or a protocol number.</para>
|
<filename>/etc/protocols</filename>) or a protocol number.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
|
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
|
||||||
number. Service name from /etc/services or port number. May only be
|
number. Service name from <filename>/etc/services</filename> or port
|
||||||
specified if the protocol is TCP or UDP (6 or 17).</para>
|
number. May only be specified if the protocol is TCP or UDP (6 or 17).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@ -15,10 +15,10 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2003-11-14</pubdate>
|
<pubdate>2004-01-05</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2002-2003</year>
|
<year>2002-2004</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@ -70,18 +70,18 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>You specify whether you want packets from blacklisted hosts
|
<para>You specify whether you want packets from blacklisted hosts
|
||||||
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
|
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
|
||||||
url="Documentation.htm#Config">/etc/shorewall/shorewall.conf.</ulink></para>
|
url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename>.</ulink></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>You specify whether you want packets from blacklisted hosts
|
<para>You specify whether you want packets from blacklisted hosts
|
||||||
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
|
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
|
||||||
in <ulink url="Documentation.htm#Config">/etc/shorewall/shorewall.conf</ulink>.</para>
|
in <ulink url="Documentation.htm#Config"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>You list the IP addresses/subnets that you wish to blacklist in
|
<para>You list the IP addresses/subnets that you wish to blacklist in
|
||||||
<ulink url="Documentation.htm#Blacklist">/etc/shorewall/blacklist</ulink>.
|
<ulink url="Documentation.htm#Blacklist"><filename>/etc/shorewall/blacklist</filename></ulink>.
|
||||||
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
|
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
|
||||||
and Port numbers/Service names in the blacklist file.</para>
|
and Port numbers/Service names in the blacklist file.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -89,13 +89,13 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>You specify the interfaces whose incoming packets you want
|
<para>You specify the interfaces whose incoming packets you want
|
||||||
checked against the blacklist using the <quote>blacklist</quote>
|
checked against the blacklist using the <quote>blacklist</quote>
|
||||||
option in <ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para>
|
option in <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The black list is refreshed from /etc/shorewall/blacklist by the
|
<para>The black list is refreshed from <filename>/etc/shorewall/blacklist</filename>
|
||||||
<quote><ulink url="starting_and_stopping_shorewall.htm">shorewall
|
by the <quote><ulink url="starting_and_stopping_shorewall.htm"><command>shorewall
|
||||||
refresh</ulink></quote> command.</para>
|
refresh</command></ulink></quote> command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
@ -137,12 +137,12 @@
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>Dynamic blacklisting is not dependent on the <quote>blacklist</quote>
|
<para>Dynamic blacklisting is not dependent on the <quote>blacklist</quote>
|
||||||
option in /etc/shorewall/interfaces.</para>
|
option in <filename>/etc/shorewall/interfaces</filename>.</para>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>Ingore packets from a pair of systems</title>
|
<title>Ingore packets from a pair of systems</title>
|
||||||
|
|
||||||
<programlisting> shorewall drop 192.0.2.124 192.0.2.125</programlisting>
|
<programlisting> <command>shorewall drop 192.0.2.124 192.0.2.125</command></programlisting>
|
||||||
|
|
||||||
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
|
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
|
||||||
</example>
|
</example>
|
||||||
@ -150,7 +150,7 @@
|
|||||||
<example>
|
<example>
|
||||||
<title>Re-enable packetes from a system</title>
|
<title>Re-enable packetes from a system</title>
|
||||||
|
|
||||||
<programlisting> shorewall allow 192.0.2.125</programlisting>
|
<programlisting> <command>shorewall allow 192.0.2.125</command></programlisting>
|
||||||
|
|
||||||
<para>Re-enables traffic from 192.0.2.125.</para>
|
<para>Re-enables traffic from 192.0.2.125.</para>
|
||||||
</example>
|
</example>
|
||||||
|
|||||||
@ -15,10 +15,10 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2003-11-20</pubdate>
|
<pubdate>2004-01-05</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2003</year>
|
<year>2001-2004</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@ -43,45 +43,45 @@
|
|||||||
<section id="Files">
|
<section id="Files">
|
||||||
<title>Files</title>
|
<title>Files</title>
|
||||||
|
|
||||||
<para><itemizedlist><listitem><para>/etc/shorewall/shorewall.conf - used
|
<para><itemizedlist><listitem><para><filename>/etc/shorewall/shorewall.conf</filename>
|
||||||
to set several firewall parameters.</para></listitem><listitem><para>/etc/shorewall/params
|
- used to set several firewall parameters.</para></listitem><listitem><para><filename>/etc/shorewall/params</filename>
|
||||||
- use this file to set shell variables that you will expand in other
|
- use this file to set shell variables that you will expand in other
|
||||||
files.</para></listitem><listitem><para>/etc/shorewall/zones - partition
|
files.</para></listitem><listitem><para><filename>/etc/shorewall/zones</filename>
|
||||||
the firewall's view of the world into zones.</para></listitem><listitem><para>/etc/shorewall/policy
|
- partition the firewall's view of the world into zones.</para></listitem><listitem><para><filename>/etc/shorewall/policy</filename>
|
||||||
- establishes firewall high-level policy.</para></listitem><listitem><para>/etc/shorewall/interfaces
|
- establishes firewall high-level policy.</para></listitem><listitem><para><filename>/etc/shorewall/interfaces</filename>
|
||||||
- describes the interfaces on the firewall system.</para></listitem><listitem><para>/etc/shorewall/hosts
|
- describes the interfaces on the firewall system.</para></listitem><listitem><para><filename>/etc/shorewall/hosts</filename>
|
||||||
- allows defining zones in terms of individual hosts and subnetworks.</para></listitem><listitem><para>/etc/shorewall/masq
|
- allows defining zones in terms of individual hosts and subnetworks.</para></listitem><listitem><para><filename>/etc/shorewall/masq</filename>
|
||||||
- directs the firewall where to use many-to-one (dynamic) Network Address
|
- directs the firewall where to use many-to-one (dynamic) Network Address
|
||||||
Translation (a.k.a. Masquerading) and Source Network Address Translation
|
Translation (a.k.a. Masquerading) and Source Network Address Translation
|
||||||
(SNAT).</para></listitem><listitem><para>/etc/shorewall/modules - directs
|
(SNAT).</para></listitem><listitem><para><filename>/etc/shorewall/modules</filename>
|
||||||
the firewall to load kernel modules.</para></listitem><listitem><para>/etc/shorewall/rules
|
- directs the firewall to load kernel modules.</para></listitem><listitem><para><filename>/etc/shorewall/rules</filename>
|
||||||
- defines rules that are exceptions to the overall policies established in
|
- defines rules that are exceptions to the overall policies established in
|
||||||
/etc/shorewall/policy.</para></listitem><listitem><para>/etc/shorewall/nat
|
/etc/shorewall/policy.</para></listitem><listitem><para><filename>/etc/shorewall/nat</filename>
|
||||||
- defines one-to-one NAT rules.</para></listitem><listitem><para>/etc/shorewall/proxyarp
|
- defines one-to-one NAT rules.</para></listitem><listitem><para><filename>/etc/shorewall/proxyarp</filename>
|
||||||
- defines use of Proxy ARP.</para></listitem><listitem><para>/etc/shorewall/routestopped
|
- defines use of Proxy ARP.</para></listitem><listitem><para><filename>/etc/shorewall/routestopped</filename>
|
||||||
(Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is
|
(Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is
|
||||||
stopped.</para></listitem><listitem><para>/etc/shorewall/tcrules - defines
|
stopped.</para></listitem><listitem><para><filename>/etc/shorewall/tcrules
|
||||||
marking of packets for later use by traffic control/shaping or policy
|
</filename>- defines marking of packets for later use by traffic
|
||||||
routing.</para></listitem><listitem><para>/etc/shorewall/tos - defines
|
control/shaping or policy routing.</para></listitem><listitem><para><filename>/etc/shorewall/tos</filename>
|
||||||
rules for setting the TOS field in packet headers.</para></listitem><listitem><para>/etc/shorewall/tunnels
|
- defines rules for setting the TOS field in packet headers.</para></listitem><listitem><para><filename>/etc/shorewall/tunnels</filename>
|
||||||
- defines IPSEC, GRE and IPIP tunnels with end-points on the firewall
|
- defines IPSEC, GRE and IPIP tunnels with end-points on the firewall
|
||||||
system.</para></listitem><listitem><para>/etc/shorewall/blacklist - lists
|
system.</para></listitem><listitem><para><filename>/etc/shorewall/blacklist</filename>
|
||||||
blacklisted IP/subnet/MAC addresses.</para></listitem><listitem><para>/etc/shorewall/init
|
- lists blacklisted IP/subnet/MAC addresses.</para></listitem><listitem><para><filename>/etc/shorewall/init</filename>
|
||||||
- commands that you wish to execute at the beginning of a <quote>shorewall
|
- commands that you wish to execute at the beginning of a <quote>shorewall
|
||||||
start</quote> or <quote>shorewall restart</quote>.</para></listitem><listitem><para>/etc/shorewall/start
|
start</quote> or <quote>shorewall restart</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/start</filename>
|
||||||
- commands that you wish to execute at the completion of a <quote>shorewall
|
- commands that you wish to execute at the completion of a <quote>shorewall
|
||||||
start</quote> or <quote>shorewall restart</quote></para></listitem><listitem><para>/etc/shorewall/stop
|
start</quote> or <quote>shorewall restart</quote></para></listitem><listitem><para><filename>/etc/shorewall/stop
|
||||||
- commands that you wish to execute at the beginning of a <quote>shorewall
|
</filename>- commands that you wish to execute at the beginning of a
|
||||||
stop</quote>.</para></listitem><listitem><para>/etc/shorewall/stopped -
|
<quote>shorewall stop</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/stopped</filename>
|
||||||
commands that you wish to execute at the completion of a <quote>shorewall
|
- commands that you wish to execute at the completion of a <quote>shorewall
|
||||||
stop</quote>.</para></listitem><listitem><para>/etc/shorewall/ecn -
|
stop</quote>.</para></listitem><listitem><para><filename>/etc/shorewall/ecn</filename>
|
||||||
disable Explicit Congestion Notification (ECN - RFC 3168) to remote hosts
|
- disable Explicit Congestion Notification (ECN - RFC 3168) to remote
|
||||||
or networks.</para></listitem><listitem><para>/etc/shorewall/accounting -
|
hosts or networks.</para></listitem><listitem><para><filename>/etc/shorewall/accounting</filename>
|
||||||
define IP traffic accounting rules</para></listitem><listitem><para>/etc/shorewall/usersets
|
- define IP traffic accounting rules</para></listitem><listitem><para><filename>/etc/shorewall/usersets</filename>
|
||||||
and /etc/shorewall/users - define sets of users/groups with similar access
|
and /etc/shorewall/users - define sets of users/groups with similar access
|
||||||
rights</para></listitem><listitem><para>/etc/shorewall/actions and
|
rights</para></listitem><listitem><para><filename>/etc/shorewall/actions</filename>
|
||||||
/etc/shorewall/action.template - define your own actions for rules in
|
and <filename>/etc/shorewall/action.template</filename> - define your own
|
||||||
/etc/shorewall/rules (shorewall 1.4.9 and later).</para></listitem></itemizedlist></para>
|
actions for rules in /etc/shorewall/rules (shorewall 1.4.9 and later).</para></listitem></itemizedlist></para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Comments">
|
<section id="Comments">
|
||||||
@ -199,13 +199,13 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If your /etc/resolv.conf is wrong then your firewall won't
|
<para>If your <filename>/etc/resolv.conf </filename>is wrong then your
|
||||||
start.</para>
|
firewall won't start.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If your /etc/nsswitch.conf is wrong then your firewall won't
|
<para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
|
||||||
start.</para>
|
your firewall won't start.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -274,7 +274,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>In the /etc/shorewall/nat file.</para>
|
<para>In the <filename>/etc/shorewall/nat</filename> file.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
@ -299,8 +299,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,norfc1918
|
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,norfc1918
|
||||||
Invalid: routefilter,     dhcp,     norfc1818
|
Invalid: routefilter,     dhcp,     norfc1818</programlisting></para>
|
||||||
</programlisting></para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -330,45 +329,8 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
want to forward the range of tcp ports 4000 through 4100 to local host
|
want to forward the range of tcp ports 4000 through 4100 to local host
|
||||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||||
|
|
||||||
<informaltable>
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
|
||||||
<tgroup cols="7">
|
DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
|
||||||
<thead>
|
|
||||||
<row>
|
|
||||||
<entry align="center">ACTION</entry>
|
|
||||||
|
|
||||||
<entry align="center">SOURCE</entry>
|
|
||||||
|
|
||||||
<entry align="center">DESTINATION</entry>
|
|
||||||
|
|
||||||
<entry align="center">PROTOCOL</entry>
|
|
||||||
|
|
||||||
<entry align="center">PORT(S)</entry>
|
|
||||||
|
|
||||||
<entry align="center">SOURCE PORT(S)</entry>
|
|
||||||
|
|
||||||
<entry align="center">ORIGINAL DEST</entry>
|
|
||||||
</row>
|
|
||||||
</thead>
|
|
||||||
|
|
||||||
<tbody>
|
|
||||||
<row>
|
|
||||||
<entry>DNAT</entry>
|
|
||||||
|
|
||||||
<entry>net</entry>
|
|
||||||
|
|
||||||
<entry>loc:192.168.1.3 tcp</entry>
|
|
||||||
|
|
||||||
<entry>tcp</entry>
|
|
||||||
|
|
||||||
<entry>4000:4100</entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
|
|
||||||
<entry></entry>
|
|
||||||
</row>
|
|
||||||
</tbody>
|
|
||||||
</tgroup>
|
|
||||||
</informaltable>
|
|
||||||
|
|
||||||
<para>If you omit the low port number, a value of zero is assumed; if you
|
<para>If you omit the low port number, a value of zero is assumed; if you
|
||||||
omit the high port number, a value of 65535 is assumed.</para>
|
omit the high port number, a value of 65535 is assumed.</para>
|
||||||
@ -423,7 +385,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
|||||||
<example>
|
<example>
|
||||||
<title>MAC Address of a NIC</title>
|
<title>MAC Address of a NIC</title>
|
||||||
|
|
||||||
<programlisting>      [root@gateway root]# ifconfig eth0
|
<programlisting>      [root@gateway root]# <command>ifconfig eth0</command>
|
||||||
     eth0 Link encap:Ethernet HWaddr <emphasis
|
     eth0 Link encap:Ethernet HWaddr <emphasis
|
||||||
role="bold">02:00:08:E3:FA:55</emphasis>
|
role="bold">02:00:08:E3:FA:55</emphasis>
|
||||||
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
|
     inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
|
||||||
@ -444,7 +406,8 @@ role="bold">02:00:08:E3:FA:55</emphasis>
|
|||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>It is not necessary to use the special Shorewall notation in the
|
<para>It is not necessary to use the special Shorewall notation in the
|
||||||
<ulink url="MAC_Validation.html">/etc/shorewall/maclist</ulink> file.</para>
|
<filename><ulink url="MAC_Validation.html">/etc/shorewall/maclist</ulink></filename>
|
||||||
|
file.</para>
|
||||||
</note>
|
</note>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -452,12 +415,13 @@ role="bold">02:00:08:E3:FA:55</emphasis>
|
|||||||
<title>Shorewall Configurations</title>
|
<title>Shorewall Configurations</title>
|
||||||
|
|
||||||
<para>Shorewall allows you to have configuration directories other than
|
<para>Shorewall allows you to have configuration directories other than
|
||||||
/etc/shorewall. The shorewall check, start and restart commands allow you
|
<filename class="directory">/etc/shorewall</filename>. The shorewall
|
||||||
to specify an alternate configuration directory and Shorewall will use the
|
check, start and restart commands allow you to specify an alternate
|
||||||
files in the alternate directory rather than the corresponding files in
|
configuration directory and Shorewall will use the files in the alternate
|
||||||
/etc/shorewall. The alternate directory need not contain a complete
|
directory rather than the corresponding files in /etc/shorewall. The
|
||||||
configuration; those files not in the alternate directory will be read
|
alternate directory need not contain a complete configuration; those files
|
||||||
from /etc/shorewall.</para>
|
not in the alternate directory will be read from <filename
|
||||||
|
class="directory">/etc/shorewall</filename>.</para>
|
||||||
|
|
||||||
<para>This facility permits you to easily create a test or temporary
|
<para>This facility permits you to easily create a test or temporary
|
||||||
configuration by</para>
|
configuration by</para>
|
||||||
@ -474,8 +438,8 @@ role="bold">02:00:08:E3:FA:55</emphasis>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>specifying the separate directory in a shorewall start or
|
<para>specifying the separate directory in a shorewall start or
|
||||||
shorewall restart command (e.g., <emphasis role="bold">shorewall -c
|
shorewall restart command (e.g., <command>shorewall -c /etc/testconfig
|
||||||
/etc/testconfig restart</emphasis> )</para>
|
restart</command> )</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
|
|||||||
@ -41,14 +41,15 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Specify the <quote>dhcp</quote> option on each interface to be
|
<para>Specify the <quote>dhcp</quote> option on each interface to be
|
||||||
served by your server in the /etc/shorewall/interfaces file. This will
|
served by your server in the <filename>/etc/shorewall/interfaces</filename>
|
||||||
generate rules that will allow DHCP to and from your firewall system.</para>
|
file. This will generate rules that will allow DHCP to and from your
|
||||||
|
firewall system.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When starting <quote>dhcpd</quote>, you need to list those
|
<para>When starting <quote>dhcpd</quote>, you need to list those
|
||||||
interfaces on the run line. On a RedHat system, this is done by
|
interfaces on the run line. On a RedHat system, this is done by
|
||||||
modifying /etc/sysconfig/dhcpd.</para>
|
modifying <filename>/etc/sysconfig/dhcpd</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
@ -59,7 +60,7 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Specify the <quote>dhcp</quote> option for this interface in the
|
<para>Specify the <quote>dhcp</quote> option for this interface in the
|
||||||
<ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>
|
<ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||||
file. This will generate rules that will allow DHCP to and from
|
file. This will generate rules that will allow DHCP to and from
|
||||||
your firewall system.</para>
|
your firewall system.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -74,7 +75,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>If you don't know the subnet address in advance, you should
|
<para>If you don't know the subnet address in advance, you should
|
||||||
specify <quote>detect</quote> for the interface's subnet address
|
specify <quote>detect</quote> for the interface's subnet address
|
||||||
in the <ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>
|
in the <ulink url="Documentation.htm#Interfaces"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||||
file and start Shorewall after the interface has started.</para>
|
file and start Shorewall after the interface has started.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
|||||||
@ -13,7 +13,7 @@
|
|||||||
<surname>Eastep</surname>
|
<surname>Eastep</surname>
|
||||||
</author>
|
</author>
|
||||||
|
|
||||||
<pubdate>2004-01-01</pubdate>
|
<pubdate>2004-01-06</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2004</year>
|
<year>2001-2004</year>
|
||||||
@ -51,6 +51,14 @@
|
|||||||
sure that there isn't an update that you are missing for your
|
sure that there isn't an update that you are missing for your
|
||||||
version of the firewall.</para>
|
version of the firewall.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Try Searching the Shorewall Site and Mailing List Archives</title>
|
||||||
|
|
||||||
|
<para>The <ulink url="http://lists.shorewall.net/htdig/search.html">Site
|
||||||
|
and Mailing List Archives search facility</ulink> can locate documents
|
||||||
|
and posts about similar problems.</para>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -347,8 +355,9 @@ DROP net fw icmp echo-request</programlist
|
|||||||
<appendix>
|
<appendix>
|
||||||
<title>Revision History</title>
|
<title>Revision History</title>
|
||||||
|
|
||||||
<para><revhistory><revision><revnumber>1.2</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
|
<para><revhistory><revision><revnumber>1.6</revnumber><date>2005-01-06</date><authorinitials>TE</authorinitials><revremark>Add
|
||||||
information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
|
pointer to Site and Mailing List Archives Searches.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
|
||||||
|
information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
|
||||||
Docbook Conversion</revremark></revision></revhistory></para>
|
Docbook Conversion</revremark></revision></revhistory></para>
|
||||||
</appendix>
|
</appendix>
|
||||||
</article>
|
</article>
|
||||||
Loading…
Reference in New Issue
Block a user