diff --git a/Lrp/etc/init.d/shorewall b/Lrp/etc/init.d/shorewall index fbbab24f3..e52387060 100755 --- a/Lrp/etc/init.d/shorewall +++ b/Lrp/etc/init.d/shorewall @@ -70,7 +70,7 @@ list_count() { # # Mutual exclusion -- These functions are jackets for the mutual exclusion -# routines in /usr/lib/shorewall/functions. They invoke +# routines in $FUNCTIONS. They invoke # the corresponding function in that file if the user did # not specify "nolock" on the runline. # @@ -833,6 +833,11 @@ validate_rule() { target=ACCEPT address=${address:=detect} ;; + DNAT-) + target=ACCEPT + address=${address:=detect} + logtarget=DNAT + ;; REDIRECT) target=ACCEPT address=${address:=all} @@ -983,6 +988,17 @@ validate_policy() local zone1 local pc local chain + local policy + local loglevel + local synparams + + print_policy() # $1 = source zone, $2 = destination zone + { + [ $command != check ] || \ + [ $1 = all ] || \ + [ $2 = all ] || \ + echo " Policy for $1 to $2 is $policy" + } all_policy_chains= @@ -1048,27 +1064,34 @@ validate_policy() for zone1 in $zones $FW all; do eval pc=\$${zone}2${zone1}_policychain - [ -n "$pc" ] || \ + if [ -z "$pc" ]; then eval ${zone}2${zone1}_policychain=$chain + print_policy $zone $zone1 + fi done done else for zone in $zones $FW all; do eval pc=\$${zone}2${server}_policychain - [ -n "$pc" ] || \ + if [ -z "$pc" ]; then eval ${zone}2${server}_policychain=$chain + print_policy $zone $server + fi done fi elif [ -n "$serverwild" ]; then for zone in $zones $FW all; do eval pc=\$${client}2${zone}_policychain - [ -n "$pc" ] || \ - eval ${client}2${zone}_policychain=$chain + if [ -z "$pc" ]; then + eval ${client}2${zone}_policychain=$chain + print_policy $client $zone + fi done else eval ${chain}_policychain=${chain} + print_policy $client $server fi done < $TMP_DIR/policy @@ -1234,7 +1257,7 @@ stop_firewall() { [ -n "$NAT_ENABLED" ] && delete_nat delete_proxy_arp - [ -n "$TC_ENABLED" ] && delete_tc + [ -n "$CLEAR_TC" ] && delete_tc setpolicy INPUT DROP setpolicy OUTPUT DROP @@ -1344,12 +1367,18 @@ setup_tunnels() # $1 = name of tunnels file run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options else run_iptables -A $inchain -p udp -s $1 --dport 500 $options + run_iptables -A $inchain -p udp -s $1 --dport 4500 $options fi for z in `separate_list $3`; do if validate_zone $z; then addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options - addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options + if [ $2 = ipsec ]; then + addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options + else + addrule ${z}2${FW} -p udp --dport 500 $options + addrule ${z}2${FW} -p udp --dport 4500 $options + fi else error_message "Warning: Invalid gateway zone ($z)" \ " -- Tunnel \"$tunnel\" may encounter keying problems" @@ -1820,6 +1849,7 @@ setup_tc() { # delete_tc() { + clear_one_tc() { tc qdisc del dev $1 root 2> /dev/null tc qdisc del dev $1 ingress 2> /dev/null @@ -1830,11 +1860,11 @@ delete_tc() run_ip link list | \ while read inx interface details; do case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; + [0-9]*) + clear_one_tc ${interface%:} + ;; + *) + ;; esac done } @@ -1846,7 +1876,7 @@ refresh_tc() { echo "Refreshing Traffic Control Rules..." - delete_tc + [ -n "$CLEAR_TC" ] && delete_tc [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre @@ -2152,7 +2182,7 @@ add_a_rule() add_nat_rule fi - if [ $chain != ${FW}2${FW} ]; then + if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then serv="${serv:+-d $serv}" if [ -n "$loglevel" ]; then @@ -2229,14 +2259,23 @@ process_rule() # $1 = target fi logtarget="$target" + dnat_only= # Convert 1.3 Rule formats to 1.2 format + [ "x$address" = "x-" ] && address= + case $target in DNAT) target=ACCEPT address=${address:=detect} ;; + DNAT-) + target=ACCEPT + address=${address:=detect} + dnat_only=Yes + logtarget=DNAT + ;; REDIRECT) target=ACCEPT address=${address:=all} @@ -2379,7 +2418,7 @@ process_rules() # $1 = name of rules file while read xtarget xclients xservers xprotocol xports xcports xaddress; do case "$xtarget" in - ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*) + ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*) expandv xclients xservers xprotocol xports xcports xaddress if [ "x$xclients" = xall ]; then @@ -3233,7 +3272,7 @@ initialize_netfilter () { run_iptables -t mangle -F && \ run_iptables -t mangle -X - [ -n "$TC_ENABLED" ] && delete_tc + [ -n "$CLEAR_TC" ] && delete_tc run_user_exit init @@ -3267,7 +3306,7 @@ initialize_netfilter () { run_user_exit newnotsyn if [ -n "$LOGNEWNOTSYN" ]; then if [ "$LOGNEWNOTSYN" = ULOG ]; then - run_iptables -A newnotsyn -j ULOG \ + run_iptables -A newnotsyn -j ULOG --ulog-prefix "Shorewall:newnotsyn:DROP:" else run_iptables -A newnotsyn -j LOG \ @@ -3352,7 +3391,7 @@ add_common_rules() { if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then echo "ULOG --ulog-prefix Shorewall:${1}:DROP:" else - echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level info" + echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level $RFC1918_LOG_LEVEL" fi } # @@ -4432,6 +4471,10 @@ do_initialize() { TCP_FLAGS_LOG_LEVEL= RFC1918_LOG_LEVEL= MARK_IN_FORWARD_CHAIN= + SHARED_DIR=/usr/lib/shorewall + FUNCTIONS= + VERSION_FILE= + stopping= have_mutex= masq_seq=1 @@ -4445,31 +4488,35 @@ do_initialize() { trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 - functions=/usr/lib/shorewall/functions - - if [ -f $functions ]; then - . $functions + if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then + config=$SHOREWALL_DIR/shorewall.conf else - startup_error "$functions does not exist!" + config=/etc/shorewall/shorewall.conf + fi + + if [ -f $config ]; then + . $config + else + echo "$config does not exist!" >&2 + exit 2 fi - version_file=/usr/lib/shorewall/version + FUNCTIONS=$SHARED_DIR/functions - [ -f $version_file ] && version=`cat $version_file` - # - # Strip the files that we use often - # - strip_file interfaces - strip_file hosts + if [ -f $FUNCTIONS ]; then + . $FUNCTIONS + else + startup_error "$FUNCTIONS does not exist!" + fi - run_user_exit shorewall.conf - run_user_exit params + VERSION_FILE=$SHARED_DIR/version + + [ -f $VERSION_FILE ] && version=`cat $VERSION_FILE` [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -d $STATEDIR ] || mkdir -p $STATEDIR - [ -z "$FW" ] && FW=fw ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" @@ -4544,7 +4591,20 @@ do_initialize() { [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN` [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre + if [ -n "$TC_ENABLED" ]; then + CLEAR_TC=`added_param_value_yes CLEAR_TC $CLEAR_TC` + else + CLEAR_TC= + fi + + run_user_exit params + + # + # Strip the files that we use often + # + strip_file interfaces + strip_file hosts } # diff --git a/Lrp/etc/shorewall/rules b/Lrp/etc/shorewall/rules index 8554645d9..8a6244f55 100644 --- a/Lrp/etc/shorewall/rules +++ b/Lrp/etc/shorewall/rules @@ -24,6 +24,10 @@ # DNAT -- Forward the request to another # system (and optionally another # port). +# DNAT- -- Advanced users only. +# Like DNAT but only generates the +# DNAT iptables rule and not +# the companion ACCEPT rule. # REDIRECT -- Redirect the request to a local # port on the firewall. # diff --git a/Lrp/etc/shorewall/shorewall.conf b/Lrp/etc/shorewall/shorewall.conf index 522ad8445..8c2ec4f00 100644 --- a/Lrp/etc/shorewall/shorewall.conf +++ b/Lrp/etc/shorewall/shorewall.conf @@ -9,6 +9,13 @@ # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) ############################################################################## # +# You should not have to change the variables in this section -- they are set +# by the packager of your Shorewall distribution +# +SHARED_DIR=/usr/lib/shorewall +# +############################################################################## +# # General note about log levels. Log levels are a method of describing # to syslog (8) the importance of a message and a number of parameters # in this file have log levels as their value. @@ -51,7 +58,6 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin # FW=fw - # # SUBSYSTEM LOCK FILE # diff --git a/Lrp/sbin/shorewall b/Lrp/sbin/shorewall index 0245eb4ae..8b0e6b04f 100755 --- a/Lrp/sbin/shorewall +++ b/Lrp/sbin/shorewall @@ -569,51 +569,65 @@ fi [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR -functions=/usr/lib/shorewall/functions +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +SHARED_DIR=/usr/lib/shorewall +MUTEX_TIMEOUT= -if [ -f $functions ]; then - . $functions +if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then + config=$SHOREWALL_DIR/shorewall.conf else - echo "$functions does not exist!" >&2 + config=/etc/shorewall/shorewall.conf +fi + +if [ -f $config ]; then + . $config +else + echo "$config does not exist!" >&2 exit 2 fi -firewall=/usr/lib/shorewall/firewall +[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall -if [ ! -f $firewall ]; then +FIREWALL=$SHARED_DIR/firewall +FUNCTIONS=$SHARED_DIR/functions +VERSION_FILE=$SHARED_DIR/version + +if [ -f $FUNCTIONS ]; then + . $FUNCTIONS +else + echo "$FUNCTIONS does not exist!" >&2 + exit 2 +fi + +if [ ! -f $FIREWALL ]; then echo "ERROR: Shorewall is not properly installed" - if [ -L $firewall ]; then - echo " $firewall is a symbolic link to a" + if [ -L $FIREWALL ]; then + echo " $FIREWALL is a symbolic link to a" echo " non-existant file" else - echo " The file /usr/lib/shorewall/firewall does not exist" + echo " The file $FIREWALL does not exist" fi exit 2 fi -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - -version_file=/usr/lib/shorewall/version - -if [ -f $version_file ]; then - version=`cat $version_file` +if [ -f $VERSION_FILE ]; then + version=`cat $VERSION_FILE` else echo "ERROR: Shorewall is not properly installed" - echo " The file /usr/lib/shorewall/version does not exist" + echo " The file $VERSION_FILE does not exist" exit 1 fi banner="Shorewall-$version Status at $HOSTNAME -" -get_statedir case `echo -e` in -e*) - RING_BELL="echo \'\a\'" + RING_BELL="echo \a" ;; *) - RING_BELL="echo -e \'\a\'" + RING_BELL="echo -e \a" ;; esac @@ -629,11 +643,11 @@ esac case "$1" in start|stop|restart|reset|clear|refresh|check) [ $# -ne 1 ] && usage 1 - exec $firewall $debugging $nolock $1 + exec $FIREWALL $debugging $nolock $1 ;; add|delete) [ $# -ne 3 ] && usage 1 - exec $firewall $debugging $nolock $1 $2 $3 + exec $FIREWALL $debugging $nolock $1 $2 $3 ;; show) [ $# -gt 2 ] && usage 1 diff --git a/Lrp/var/lib/lrpkg/shorwall.version b/Lrp/var/lib/lrpkg/shorwall.version index 90a7f6029..7962dcfdb 100644 --- a/Lrp/var/lib/lrpkg/shorwall.version +++ b/Lrp/var/lib/lrpkg/shorwall.version @@ -1 +1 @@ -1.3.12 +1.3.13 diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt index c8272f626..0aa6ae5f1 100644 --- a/STABLE/changelog.txt +++ b/STABLE/changelog.txt @@ -1,43 +1,10 @@ -Changes since 1.3.11 +Changes since 1.3.12 -1. Fixed DNAT/REDIRECT bug with excluded sub-zones. +1. Added 'DNAT-' target. -2. "shorewall refresh" now refreshes the traffic shaping rules +2. Print policies in 'check' command. -3. Turned off debugging after error. +3. Added CLEAR_TC option. -4. Removed drop of INVALID state output ICMP packets. +4. Added SHARED_DIR option. -5. Replaced 'sed' invocation in separate_list() by shell code (speedup). - -6. Replaced 'wc' invocation in list_count() by shell code (speedup) - -7. Replaced 'sed' invocation in run_iptables() by shell code and - optomized (speedup) - -8. Only read the interfaces file once (speedup) - -9. Only read the policy file once (speedup) - -10. Removed redundant function input_chains() (duplicate of first_chains()) - -11. Generated an error if 'lo' is defined in the interfaces file. - -12. Clarified error message where ORIGINAL DEST is specified on an - ACCEPT, DROP or REJECT rule. - -13. Added "shorewall show classifiers" command and added packet - classification filter display to "shorewall monitor" - -14. Added an error message when the destination in a rule contained a - MAC address. - -15. Added ULOG target support. - -16. Add MARK_IN_FORWARD option. - -17. General Cleanup for Release - -18. Release changes and add init, start, stop and stopped files. - -19. Add headings to NAT and Mangle tables in "shorewall status" output diff --git a/STABLE/documentation/Documentation.htm b/STABLE/documentation/Documentation.htm index 26a605911..dd7eb53d9 100644 --- a/STABLE/documentation/Documentation.htm +++ b/STABLE/documentation/Documentation.htm @@ -1,255 +1,276 @@ - + + - + + - + + Shorewall 1.3 Documentation - + + - + + - + - - - + + - - - + + + + +
- +
+ +

Shorewall 1.3 Reference

-
- +

This documentation is intended primarily for reference. - Step-by-step instructions for configuring Shorewall in common -setups may be found in the QuickStart Guides.

- + +

Components

- +

Shorewall consists of the following components:

- + - +

/etc/shorewall/params

- +

You may use the file /etc/shorewall/params file to set shell variables - that you can then use in some of the other configuration files.

- + that you can then use in some of the other configuration files.

+

It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally - within the Shorewall programs

- + within the Shorewall programs

+

Example:

- +
 	NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=noping,norfc1918
- +

Example (/etc/shorewall/interfaces record):

- +
	net $NET_IF $NET_BCAST $NET_OPTIONS
- +

The result will be the same as if the record had been written

- +
	net eth0 130.252.100.255 noping,norfc1918
- +

Variables may be used anywhere in the other configuration - files.

- + files.

+ +

/etc/shorewall/zones

- +

This file is used to define the network zones. There is one entry - in /etc/shorewall/zones for each zone; Columns in an entry are:

- + in /etc/shorewall/zones for each zone; Columns in an entry are:

+ - +

The /etc/shorewall/zones file released with Shorewall is as follows:

- + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - + - +
ZONE DISPLAY COMMENTS
netNetInternet
locLocalLocal networks
dmzDMZDemilitarized zone
ZONE DISPLAY COMMENTS
netNetInternet
locLocalLocal networks
dmzDMZDemilitarized zone
- + +

You may add, delete and modify entries in the /etc/shorewall/zones file - as desired so long as you have at least one zone defined.

- + as desired so long as you have at least one zone defined.

+ +

Warning 1: If you rename or delete a zone, you should perform "shorewall - stop; shorewall start" to install the change rather than "shorewall - restart".

- + stop; shorewall start" to install the change rather than "shorewall + restart".

+

Warning 2: The order of entries in the /etc/shorewall/zones file is - significant in some cases.

- + significant in some cases.

+ +

/etc/shorewall/interfaces

- + +

This file is used to tell the firewall which of your firewall's network - interfaces are connected to which zone. There will be one entry in - /etc/shorewall/interfaces for each of your interfaces. Columns in an -entry are:

- + interfaces are connected to which zone. There will be one entry + in /etc/shorewall/interfaces for each of your interfaces. Columns +in an entry are:

+ - +

My recommendations concerning options:
-

- +

+ - +

- +

Example 1: You have a conventional firewall setup in which eth0 connects - to a Cable or DSL modem and eth1 connects to your local network and - eth0 gets its IP address via DHCP. You want to ignore ping requests -from the internet and you want to check all packets -entering from the internet against the black list. Your /etc/shorewall/interfaces file -would be as follows:

- - -
- - - - - - - - - - - - - - - - - - - - - - - - -
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,noping,norfc1918,blacklist
loceth1detect 
-
- - -

Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces - file would be:

+ would be as follows:

+ +
-
- - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - + - +
ZONE INTERFACE BROADCAST OPTIONS
netppp0  
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,noping,norfc1918,blacklist
loceth1detect
+
-
+
- + +

Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces + file would be:

+ + +
+ + + + + + + + + + + + + + + + + + + + + +
ZONE INTERFACE BROADCAST OPTIONS
netppp0
+

+
+
+ +

Example 3: You have local interface eth1 with two IP addresses - 192.168.1.1/24 and 192.168.12.1/24

- -
+ + +
+ - - - - - - - - - - - - - + + + + + + + + + + + + + + - + +
ZONE INTERFACE BROADCAST OPTIONS
loceth1192.168.1.255,192.168.12.255 
ZONE INTERFACE BROADCAST OPTIONS
loceth1192.168.1.255,192.168.12.255
+
-
+
- +

/etc/shorewall/hosts - Configuration

- + Configuration + +

For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the purpose of the /etc/shorewall/hosts file.

- +

WARNING: 90% of Shorewall users don't need to put entries in this file and 80% of those who try to add such entries do it wrong. Unless you are ABSOLUTELY SURE that you need entries in this file, don't touch it.

- +

Columns in this file are:

- + - +
- + +
    -
  1. An IP address (example - eth1:192.168.1.3)
  2. +
  3. An IP address (example - eth1:192.168.1.3)
  4. -
  5. A subnet in CIDR notation - (example - eth2:192.168.2.0/24)
  6. +
  7. A subnet in CIDR notation + (example - eth2:192.168.2.0/24)
  8. - + +
- -

The interface name much match an entry in /etc/shorewall/interfaces.

-
- + +

The interface name much match an entry in /etc/shorewall/interfaces.

+ + + - +
- + +

routestopped - Beginning with Shorewall 1.3.4, this option is deprecated in favor of the /etc/shorewall/routestopped file. When the firewall is stopped, traffic to and from - this host (these hosts) will be accepted and routing will occur - between this host and other routestopped interfaces and hosts.
-
- maclist - Added in version 1.3.10. If specified, connection - requests from the hosts specified in this entry are subject to MAC Verification. This option is only valid - for ethernet interfaces.
-

-
+ this host (these hosts) will be accepted and routing will +occur between this host and other routestopped interfaces + and hosts.
+
+ maclist - Added in version 1.3.10. If specified, +connection requests from the hosts specified in this entry are subject +to MAC Verification. This option is only +valid for ethernet interfaces.
+

+ - +

If you don't define any hosts for a zone, the hosts in the zone default - to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces - to the zone.

+ to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the +interfaces to the zone.

- +

Note 1: You probably DON'T want to specify any hosts for your internet zone since the hosts that you specify will be the only ones that you will be able to access without adding additional rules.

- +

Note 2: The setting of the MERGE_HOSTS variable - in /etc/shorewall/shorewall.conf - has an important effect on how the host file - is processed. Please read the description of - that variable carefully.

+ in /etc/shorewall/shorewall.conf + has an important effect on how the host + file is processed. Please read the description + of that variable carefully.

- +

Example:

- +

Your local interface is eth1 and you have two groups of local hosts that - you want to make into separate zones:

+ you want to make into separate zones:

- + - +

Your /etc/shorewall/interfaces file might look like:

- +
- - - - - - - - - - - - - - - - - - - - - - - - - - -
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,noping,norfc1918
-eth1detect 
-
- - -

The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces - to multiple zones.

- - -

Your /etc/shorewall/hosts file might look like:

- - -
- - - - - - - - - - - - - - - - - - - - - - - -
ZONE HOST(S) OPTIONS
loc1eth1:192.168.1.0/25 
loc2eth1:192.168.1.128/25routestopped
-
- - -

Hosts in 'loc2' can communicate with the firewall while Shorewall is - stopped -- those in 'loc1' cannot.

- - -

Nested and Overlapping Zones

- - -

The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow -you to define nested or overlapping zones. Such overlapping/nested zones - are allowed and Shorewall processes zones in the order that they -appear in the /etc/shorewall/zones file. So if you have nested zones, -you want the sub-zone to appear before the super-zone and in the case -of overlapping zones, the rules that will apply to hosts that belong -to both zones is determined by which zone appears first in /etc/shorewall/zones.

- - -

Hosts that belong to more than one zone may be managed by the rules - of all of those zones. This is done through use of the special CONTINUE policy described below.

- - -

- /etc/shorewall/policy Configuration.

- - -

This file is used to describe the firewall policy regarding establishment - of connections. Connection establishment is described in terms of -clients who initiate connections and servers who receive - those connection requests. Policies defined in /etc/shorewall/policy -describe which zones are allowed to establish connections with other -zones.

- - -

Policies established in /etc/shorewall/policy can be viewed as default - policies. If no rule in /etc/shorewall/rules applies to a particular - connection request then the policy from /etc/shorewall/policy is applied.

- - -

Four policies are defined:

- - - - - -

For each policy specified in /etc/shorewall/policy, you can indicate - that you want a message sent to your system log each time that the - policy is applied.

- - -

Entries in /etc/shorewall/policy have four columns as follows:

- - -
    - -
  1. SOURCE - The name -of a client zone (a zone defined in the /etc/shorewall/zones - file , the name of the firewall zone or - "all").
  2. - -
  3. DEST - The name of - a destination zone (a zone defined in the /etc/shorewall/zones - file , the name of the firewall zone or -"all"). Shorewall automatically allows all traffic from the firewall to -itself so the name of the firewall zone cannot appear -in both the SOURCE and DEST columns.
  4. - -
  5. POLICY - The default - policy for connection requests from the SOURCE zone to the DESTINATION - zone.
  6. - -
  7. LOG LEVEL - Optional. - If left empty, no log message is generated when the policy is applied. - Otherwise, this column should contain an integer or name indicating - a syslog level.
  8. - -
  9. LIMIT:BURST - Optional. - If left empty, TCP connection requests from the SOURCE zone - to the DEST zone will not be rate-limited. Otherwise, this - column specifies the maximum rate at which TCP connection requests - will be accepted followed by a colon (":") followed by the maximum burst - size that will be tolerated. Example: 10/sec:40 specifies -that the maximum rate of TCP connection requests allowed will be 10 per -second and a burst of 40 connections will be tolerated. Connection requests -in excess of these limits will be dropped.
  10. - - -
- - -

In the SOURCE and DEST columns, you can enter "all" to indicate all - zones. 

- - -

The policy file installed by default is as follows:

- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SOURCEDEST POLICY LOG LEVELLIMIT:BURST
locnetACCEPT  
netallDROPinfo 
allallREJECTinfo 
-
- - -

This table may be interpreted as follows:

- - - -

WARNING:

- -

The firewall script processes  the - /etc/shorewall/policy file from top to bottom and uses the first - applicable policy that it finds. For example, in the following - policy file, the policy for (loc, loc) connections would be ACCEPT as - specified in the first entry even though the third entry in the file -specifies REJECT.

- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SOURCEDESTPOLICYLOG LEVELLIMIT:BURST
locallACCEPT  
netallDROPinfo 
loclocREJECTinfo 
-
- -

- The CONTINUE policy

- -

Where zones are nested or overlapping , the - CONTINUE policy allows hosts that are within multiple zones to be managed - under the rules of all of these zones. Let's look at an example:

- -

/etc/shorewall/zones:

- -
- - - + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + - +
ZONE DISPLAY COMMENTS
samSamSam's system at home
netInternetThe Internet
locLocLocal Network
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,noping,norfc1918
-eth1detect
+
-
- -

/etc/shorewall/interfaces:

- -
- +
+ + +

The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces + to multiple zones.

+ + +

Your /etc/shorewall/hosts file might look like:

+ + +
+ + - + - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + -
ZONE INTERFACE BROADCAST OPTIONS
-eth0detectdhcp,noping,norfc1918
loceth1detectroutestopped
ZONE HOST(S) OPTIONS
loc1eth1:192.168.1.0/25
+
loc2eth1:192.168.1.128/25routestopped
-
- -

/etc/shorewall/hosts:

- -
- +
+ + +

Hosts in 'loc2' can communicate with the firewall while Shorewall is + stopped -- those in 'loc1' cannot.

+ + +

Nested and Overlapping Zones

+ + +

The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow +you to define nested or overlapping zones. Such overlapping/nested zones + are allowed and Shorewall processes zones in the order that they + appear in the /etc/shorewall/zones file. So if you have nested zones, + you want the sub-zone to appear before the super-zone and in the + case of overlapping zones, the rules that will apply to hosts that + belong to both zones is determined by which zone appears first in +/etc/shorewall/zones.

+ + +

Hosts that belong to more than one zone may be managed by the rules + of all of those zones. This is done through use of the special CONTINUE policy described below.

+ + +

+ /etc/shorewall/policy Configuration.

+ + +

This file is used to describe the firewall policy regarding establishment + of connections. Connection establishment is described in terms + of clients who initiate connections and servers who + receive those connection requests. Policies defined in /etc/shorewall/policy + describe which zones are allowed to establish connections with other + zones.

+ + +

Policies established in /etc/shorewall/policy can be viewed as default + policies. If no rule in /etc/shorewall/rules applies to a particular + connection request then the policy from /etc/shorewall/policy is + applied.

+ + +

Four policies are defined:

+ + + + + +

For each policy specified in /etc/shorewall/policy, you can indicate + that you want a message sent to your system log each time that + the policy is applied.

+ + +

Entries in /etc/shorewall/policy have four columns as follows:

+ + +
    + +
  1. SOURCE - +The name of a client zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all").
  2. + +
  3. DEST - The + name of a destination zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all"). Shorewall automatically + allows all traffic from the firewall to itself so the name + of the firewall zone cannot appear in both the SOURCE and DEST columns.
  4. + +
  5. POLICY - +The default policy for connection requests from the SOURCE + zone to the DESTINATION zone.
  6. + +
  7. LOG LEVEL +- Optional. If left empty, no log message is generated when +the policy is applied. Otherwise, this column should contain an integer + or name indicating a syslog level.
  8. + +
  9. LIMIT:BURST - + Optional. If left empty, TCP connection requests from the SOURCE + zone to the DEST zone will not be rate-limited. Otherwise, + this column specifies the maximum rate at which TCP connection +requests will be accepted followed by a colon (":") followed by the +maximum burst size that will be tolerated. Example: 10/sec:40 +specifies that the maximum rate of TCP connection requests allowed +will be 10 per second and a burst of 40 connections will be tolerated. + Connection requests in excess of these limits will be dropped.
  10. + + +
+ + +

In the SOURCE and DEST columns, you can enter "all" to indicate all + zones.

+ + +

The policy file installed by default is as follows:

+ + +
+ + - + - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + +
ZONE HOST(S) OPTIONS
neteth0:0.0.0.0/0 
sameth0:206.191.149.197routestopped
SOURCEDEST POLICY LOG LEVELLIMIT:BURST
locnetACCEPT
+

+
netallDROPinfo
+
allallREJECTinfo
+
-
- -

Note that Sam's home system is a member of both the sam zone - and the net zone and - as described above , that means that sam -must be listed before net  in /etc/shorewall/zones.

- -

/etc/shorewall/policy:

- -
+ + +

This table may be interpreted as follows:

+ + + + +

WARNING:

+ +

The firewall script processes the + /etc/shorewall/policy file from top to bottom and uses the +first applicable policy that it finds. For example, in the following + policy file, the policy for (loc, loc) connections would be ACCEPT + as specified in the first entry even though the third entry in the +file specifies REJECT.

+ +
- + - + - - - - - - - - - - - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + - + +
SOURCE DEST POLICY LOG LEVEL
locnetACCEPT 
SOURCEDESTPOLICYLOG LEVELLIMIT:BURST
locallACCEPT
+

+
samallCONTINUE 
netallDROPinfo
allallREJECTinfo
netallDROPinfo
+
loclocREJECTinfo
+
-
- -

The second entry above says that when Sam is the client, connection - requests should first be process under rules where the source zone -is sam and if there is no match then the connection request should - be treated under rules where the source zone is net. It is important - that this policy be listed BEFORE the next policy (net to all).

- -

Partial /etc/shorewall/rules:

- -
- +
+ +

+ The CONTINUE policy

+ +

Where zones are nested or overlapping , the + CONTINUE policy allows hosts that are within multiple zones to be + managed under the rules of all of these zones. Let's look at an example:

+ +

/etc/shorewall/zones:

+ +
+ - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - + +
ACTIONSOURCEDEST PROTODEST
- PORT(S)
SOURCE
- PORT(S)
ORIGINAL
- DEST
...      
DNATsamloc:192.168.1.3tcpssh- 
DNATnetloc:192.168.1.5tcpwww- 
...      
ZONE DISPLAY COMMENTS
samSamSam's system at home
netInternetThe Internet
locLocLocal Network
-
- -

Given these two rules, Sam can connect to the firewall's internet interface - with ssh and the connection request will be forwarded to 192.168.1.3. - Like all hosts in the net zone, Sam can connect to the firewall's - internet interface on TCP port 80 and the connection request will be - forwarded to 192.168.1.5. The order of the rules is not significant.

- -

Sometimes it is necessary to suppress port forwarding - for a sub-zone. For example, suppose that all hosts can SSH to the - firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects - to the firewall's external IP, he should be connected to the firewall - itself. Because of the way that Netfilter is constructed, this requires - two rules as follows:

- +
+ + +

/etc/shorewall/interfaces:

+ +
- -

 

- + + + ZONE + INTERFACE + BROADCAST + OPTIONS + + + - + eth0 + detect + dhcp,noping,norfc1918 + + + loc + eth1 + detect + routestopped + + + + + + + + + +
+ + +

/etc/shorewall/hosts:

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
ZONE HOST(S) OPTIONS
neteth0:0.0.0.0/0
+
sameth0:206.191.149.197routestopped
+
+ + +

Note that Sam's home system is a member of both the sam zone + and the net zone +and as described above , that means that sam + must be listed before net in /etc/shorewall/zones.

+ + +

/etc/shorewall/policy:

+ + +
- + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + +
ACTIONSOURCEDEST PROTODEST
- PORT(S)
SOURCE
- PORT(S)
ORIGINAL
- DEST
       
...      
DNATsamfwtcpssh- 
DNATnet!samloc:192.168.1.3tcpssh- 
...      
SOURCE DEST POLICY LOG LEVEL
locnetACCEPT
+
samallCONTINUE
+
netallDROPinfo
allallREJECTinfo
-
- + + + +

The second entry above says that when Sam is the client, connection + requests should first be process under rules where the source zone + is sam and if there is no match then the connection request +should be treated under rules where the source zone is net. +It is important that this policy be listed BEFORE the next policy +(net to all).

+ + +

Partial /etc/shorewall/rules:

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST
...
+

+

+

+

+

+
DNATsamloc:192.168.1.3tcpssh-
+
DNATnetloc:192.168.1.5tcpwww-
+
...
+

+

+

+

+

+
+
+ + +

Given these two rules, Sam can connect to the firewall's internet interface + with ssh and the connection request will be forwarded to 192.168.1.3. + Like all hosts in the net zone, Sam can connect to the firewall's + internet interface on TCP port 80 and the connection request will + be forwarded to 192.168.1.5. The order of the rules is not significant.

+ + +

Sometimes it is necessary to suppress port forwarding + for a sub-zone. For example, suppose that all hosts can SSH to + the firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam + connects to the firewall's external IP, he should be connected to +the firewall itself. Because of the way that Netfilter is constructed, + this requires two rules as follows:

+ + +
+ +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST PROTODEST
+ PORT(S)
SOURCE
+ PORT(S)
ORIGINAL
+ DEST

+

+

+

+

+

+

+
...
+

+

+

+

+

+
DNATsamfwtcpssh-
+
DNATnet!samloc:192.168.1.3tcpssh-
+
...
+

+

+

+

+

+
+
+ +

The first rule allows Sam SSH access to the firewall. The second rule says that any clients from the @@ -1207,428 +1342,460 @@ is sam and if there is no match then the connection request should connection port forwarded to 192.168.1.3. If you need to exclude more than one zone in this way, - you can list the zones separated - by commas (e.g., net!sam,joe,fred). - This technique also may -be used when the ACTION is -REDIRECT.

+ you can list the zones + separated by commas (e.g., + net!sam,joe,fred). This + technique also may be used when + the ACTION is REDIRECT.

- +

/etc/shorewall/rules

- +

The /etc/shorewall/rules file defines exceptions to the policies established - in the /etc/shorewall/policy file. There is one entry in /etc/shorewall/rules - for each of these rules. 
-

- + in the /etc/shorewall/policy file. There is one entry in /etc/shorewall/rules + for each of these rules.
+

+

Shorewall automatically enables firewall->firewall traffic over the - loopback interface (lo) -- that traffic cannot be regulated using rules -and any rule that tries to regulate such traffic will generate a warning -and will be ignored.
-

+ loopback interface (lo) -- that traffic cannot be regulated using rules + and any rule that tries to regulate such traffic will generate a warning + and will be ignored.
+

- +

Entries in the file have the following columns:

- + + + +

The ACTION may optionally be followed by ":" and a syslog level (example: REJECT:info). This +causes the packet to be logged at the specified level prior to being +processed according to the specified ACTION.
+
+ The use of DNAT or REDIRECT requires that you have + NAT enabled.
+

+ +
  • SOURCE - Describes the source hosts to which + the rule applies.. The contents of this field must begin with + the name of a zone defined in /etc/shorewall/zones, $FW or "all". +If the ACTION is DNAT or REDIRECT, sub-zones may be excluded from +the rule by following the initial zone name with "!' and a comma-separated + list of those sub-zones to be excluded. There is an example above.
    -
    - If the source is not 'all' then the source may be further -restricted by adding a colon (":") followed by a comma-separated -list of qualifiers. Qualifiers are may include: - +
    + If the source is not 'all' then the source may be +further restricted by adding a colon (":") followed by a comma-separated + list of qualifiers. Qualifiers are may include: + +
      -
    • An interface name - refers to any connection requests - arriving on the specified interface (example loc:eth4). Beginning - with Shorwall 1.3.9, the interface name may optionally be followed by -a colon (":") and an IP address or subnet (examples: loc:eth4:192.168.4.22, - net:eth0:192.0.2.0/24).
    • -
    • An IP address - refers to a connection request from -the host with the specified address (example net:155.186.235.151). - If the ACTION is DNAT, this must not be a DNS name.
    • -
    • A MAC Address in Shorewall format.
    • -
    • A subnet - refers to a connection request from any host - in the specified subnet (example net:155.186.235.0/24).
    • - +
    • An interface name - refers to any connection +requests arriving on the specified interface (example loc:eth4). + Beginning with Shorwall 1.3.9, the interface name may optionally be +followed by a colon (":") and an IP address or subnet (examples: loc:eth4:192.168.4.22, + net:eth0:192.0.2.0/24).
    • +
    • An IP address - refers to a connection request + from the host with the specified address (example net:155.186.235.151). + If the ACTION is DNAT, this must not be a DNS name.
    • +
    • A MAC Address in Shorewall format.
    • +
    • A subnet - refers to a connection request from + any host in the specified subnet (example net:155.186.235.0/24).
    • + +
    -
  • -
  • DEST - Describes the destination host(s) to which - the rule applies. May take any of the forms described above for - SOURCE plus the following two additional forms: - +
  • +
  • DEST - Describes the destination host(s) + to which the rule applies. May take any of the forms described + above for SOURCE plus the following two additional forms: + +
      -
    • An IP address followed by a colon and the port number - that the server is listening on (service names from /etc/services - are not allowed - example loc:192.168.1.3:80).
      -
    • -
    • A single port number (again, service names are not allowed) - -- this form is only allowed if the ACTION is REDIRECT and refers - to a server running on the firewall itself and listening on -the specified port.
      -
    • - +
    • An IP address followed by a colon and the port + number that the server is listening on (service + names from /etc/services are not allowed - example loc:192.168.1.3:80). +
      +
    • +
    • A single port number (again, service names are + not allowed) -- this form is only allowed if the ACTION is REDIRECT + and refers to a server running on the firewall itself and + listening on the specified port.
      +
    • + +
    -
  • -
  • PROTO - Protocol. Must be a protocol name from - /etc/protocols, a number, "all" or "related". Specifies the protocol - of the connection request. "related" should be specified only -if you have given ALLOWRELATED="no" in /etc/shorewall/shorewall.conf -and you wish to override that setting for related connections originating - with the client(s) and server(s) specified in this rule. When "related" - is given for the protocol, the remainder of the columns should -be left blank.
  • -
  • DEST PORT(S) - Port or port range (<low - port>:<high port>) being connected to. May only be specified - if the protocol is tcp, udp or icmp. For icmp, this column's -contents are interpreted as an icmp type. If you don't want to specify - DEST PORT(S) but need to include information in one of the columns -to the right, enter "-" in this column. You may give a list of ports -and/or port ranges separated by commas. Port numbers may be either integers - or service names from /etc/services.
  • -
  • SOURCE PORTS(S) - May be used to restrict - the rule to a particular client port or port range (a port range -is specified as <low port number>:<high port number>). -If you don't want to restrict client ports but want to specify something - in the next column, enter "-" in this column. If you wish to specify - a list of port number or ranges, separate the list elements with -commas (with no embedded white space). Port numbers may be either -integers or service names from /etc/services.
  • -
  • ORIGINAL DEST - This column may only be non-empty - if the ACTION is DNAT or REDIRECT.
    -
    - If DNAT or REDIRECT is the ACTION and the ORIGINAL DEST column - is left empty, any connection request arriving at the firewall from - the SOURCE that matches the rule will be forwarded or redirected. -This works fine for connection requests arriving from the internet -where the firewall has only a single external IP address. When the -firewall has multiple external IP addresses or when the SOURCE is other -than the internet, there will usually be a desire for the rule to only -apply to those connection requests directed to a particular IP address -(see Example 2 below for another usage). That IP address (or a comma-separated - list of such addresses) is specified in the ORIGINAL DEST column.
    -
    - The IP address may be optionally followed by ":" and a - second IP address. This latter address, if present, is used as the source - address for packets forwarded to the server (This is called "Source -NAT" or SNAT).
    -
    - Note:  When using SNAT, it is a good idea to qualify +
  • +
  • PROTO - Protocol. Must be a protocol +name from /etc/protocols, a number, "all" or "related". Specifies + the protocol of the connection request. "related" should +be specified only if you have given ALLOWRELATED="no" in /etc/shorewall/shorewall.conf + and you wish to override that setting for related connections + originating with the client(s) and server(s) specified in this + rule. When "related" is given for the protocol, the remainder +of the columns should be left blank.
  • +
  • DEST PORT(S) - Port or port range +(<low port>:<high port>) being connected to. May only +be specified if the protocol is tcp, udp or icmp. For icmp, +this column's contents are interpreted as an icmp type. If you +don't want to specify DEST PORT(S) but need to include information +in one of the columns to the right, enter "-" in this column. You +may give a list of ports and/or port ranges separated by commas. Port +numbers may be either integers or service names from /etc/services.
  • +
  • SOURCE PORTS(S) - May be used + to restrict the rule to a particular client port or port range + (a port range is specified as <low port number>:<high +port number>). If you don't want to restrict client ports but + want to specify something in the next column, enter "-" in this column. +If you wish to specify a list of port number or ranges, separate +the list elements with commas (with no embedded white space). Port +numbers may be either integers or service names from /etc/services.
  • +
  • ORIGINAL DEST - This column may only be +non-empty if the ACTION is DNAT or REDIRECT.
    +
    + If DNAT or REDIRECT is the ACTION and the ORIGINAL +DEST column is left empty, any connection request arriving at the +firewall from the SOURCE that matches the rule will be forwarded +or redirected. This works fine for connection requests arriving +from the internet where the firewall has only a single external +IP address. When the firewall has multiple external IP addresses or + when the SOURCE is other than the internet, there will usually be +a desire for the rule to only apply to those connection requests +directed to a particular IP address (see Example 2 below for another +usage). That IP address (or a comma-separated list of such addresses) + is specified in the ORIGINAL DEST column.
    +
    + The IP address may be optionally followed by ":" and + a second IP address. This latter address, if present, is used as + the source address for packets forwarded to the server (This is +called "Source NAT" or SNAT).
    +
    + Note: When using SNAT, it is a good idea to qualify the source with an IP address or subnet. Otherwise, it is likely that SNAT will occur on connections other than those described in the rule. The reason for this is that SNAT occurs in the Netfilter POSTROUTING hook where it is not possible to restrict the scope of a rule by incoming interface.
    -
    -
    Example: DNAT     loc:192.168.1.0/24    - loc:192.168.1.3    tcp    www    -    206.124.146.179:192.168.1.3
    -
    -
    If SNAT is not used (no ":" and second IP address), - the original source address is used. If you want any destination - address to match the rule but want to specify SNAT, simply use a -colon followed by the SNAT address.
  • - +
    +
    Example: DNAT loc:192.168.1.0/24 + loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3
    +
    +
    If SNAT is not used (no ":" and second IP + address), the original source address is used. If you want +any destination address to match the rule but want to specify +SNAT, simply use a colon followed by the SNAT address. + - +

    Example 1. You wish to forward all - ssh connection requests from the internet to local system 192.168.1.3. 

    + ssh connection requests from the internet to local system 192.168.1.3. +

    - +
    - + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - + - +
    ACTIONSOURCEDEST PROTODEST
    - PORT(S)
    SOURCE
    - PORT(S)
    ORIGINAL
    - DEST
    DNATnetloc:192.168.1.3tcpssh  
    ACTIONSOURCEDEST PROTODEST
    + PORT(S)
    SOURCE
    + PORT(S)
    ORIGINAL
    + DEST
    DNATnetloc:192.168.1.3tcpssh
    +

    +
    -
    + - +

    Example 2. You want to redirect all local www connection requests - EXCEPT those to your - own http server (206.124.146.177) - to a Squid transparent - proxy running on the firewall and listening on port 3128. Squid will - of course require access to remote web servers. This example shows yet - another use for the ORIGINAL - DEST column; here, connection - requests that were NOT - (notice -the "!") originally - destined to 206.124.146.177 are - redirected to local port 3128.

    + EXCEPT those to +your own http server + (206.124.146.177) to a Squid + transparent proxy running on the firewall and listening +on port 3128. Squid will of course require access to remote web servers. +This example shows yet +another use for the ORIGINAL + DEST column; here, connection + requests that were NOT + + (notice the "!") originally + destined to 206.124.146.177 are + redirected to local port +3128.

    - +
    - + - - - - - - - - - + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - -
    ACTIONSOURCEDEST PROTODEST
    - PORT(S)
    SOURCE
    - PORT(S)
    ORIGINAL
    - DEST
    REDIRECTloc3128tcpwww !206.124.146.177
    ACCEPTfwnettcpwww  
    ACTIONSOURCEDEST PROTODEST
    + PORT(S)
    SOURCE
    + PORT(S)
    ORIGINAL
    + DEST
    REDIRECTloc3128tcpwww -
    +
    !206.124.146.177
    ACCEPTfwnettcpwww
    +

    +
    -
    - - -

    Example 3. You want to run a web server at 155.186.235.222 in -your DMZ and have it accessible remotely and locally. the DMZ is managed - by Proxy ARP or by classical sub-netting.

    - - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDEST PROTODEST
    - PORT(S)
    SOURCE
    - PORT(S)
    ORIGINAL
    - DEST
    ACCEPTnetdmz:155.186.235.222tcpwww- 
    ACCEPTlocdmz:155.186.235.222tcpwww  
    -
    - - -

    Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded - DMZ. Your internet interface address is 155.186.235.151 and you want - the FTP server to be accessible from the internet in addition to the - local 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. Note that - since the server is in the 192.168.2.0/24 subnetwork, we can assume -that access to the server from that subnet will not involve the firewall -(but see FAQ 2). Note that unless you - have more than one external - IP address, you can leave - the ORIGINAL DEST -column blank in the -first rule. You cannot -leave it blank in the - second rule though because - then all ftp connections - originating in the local - subnet 192.168.1.0/24 would - be sent to 192.168.2.2 - regardless of the site that - the user was trying to - connect to. That is - clearly not what you -want - .

    - - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ACTIONSOURCEDEST PROTODEST
    - PORT(S)
    SOURCE
    - PORT(S)
    ORIGINAL
    - DEST
    DNATnetdmz:192.168.2.2tcpftp  
    DNATloc:192.168.1.0/24dmz:192.168.2.2tcpftp-155.186.235.151
    -
    - - - -

    If you are running wu-ftpd, you should restrict the range of passive - in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions - so I use port range 65500-65535. In /etc/ftpaccess, this entry is -appropriate:

    - - - -
    - -

    passive ports  0.0.0.0/0 65500 65534

    -
    + + + + +

    Example 3. You want to run a web server at 155.186.235.222 in your + DMZ and have it accessible remotely and locally. the DMZ is managed + by Proxy ARP or by classical sub-netting.

    + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + +
    ACTIONSOURCEDEST PROTODEST
    + PORT(S)
    SOURCE
    + PORT(S)
    ORIGINAL
    + DEST
    ACCEPTnetdmz:155.186.235.222tcpwww-
    +
    ACCEPTlocdmz:155.186.235.222tcpwww
    +

    +
    +
    + + +

    Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded + DMZ. Your internet interface address is 155.186.235.151 and you + want the FTP server to be accessible from the internet in addition + to the local 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. + Note that since the server is in the 192.168.2.0/24 subnetwork, we + can assume that access to the server from that subnet will not involve + the firewall (but see FAQ 2). Note that unless + you have more than +one external IP address, + you can leave the + ORIGINAL DEST column + blank in the first rule. You + cannot leave it blank in the + second rule though because + then all ftp connections + originating in the local + subnet 192.168.1.0/24 would + be sent to 192.168.2.2 + regardless of the + site that the user was + trying to connect to. + That is clearly not +what you want + .

    + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDEST PROTODEST
    + PORT(S)
    SOURCE
    + PORT(S)
    ORIGINAL
    + DEST
    DNATnetdmz:192.168.2.2tcpftp
    +

    +
    DNATloc:192.168.1.0/24dmz:192.168.2.2tcpftp-155.186.235.151
    +
    + + + +

    If you are running wu-ftpd, you should restrict the range of passive + in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions + so I use port range 65500-65535. In /etc/ftpaccess, this entry + is appropriate:

    + + + +
    + + + +

    passive ports 0.0.0.0/0 65500 65534

    +
    + + +

    If you are running pure-ftpd, you would include "-p 65500:65534" on - the pure-ftpd runline.

    + the pure-ftpd runline.

    - +

    The important point here is to ensure that the port range used for FTP - passive connections is unique and will not overlap with any usage on - the firewall system.

    + passive connections is unique and will not overlap with any usage + on the firewall system.

    - +

    Example 5. You wish to allow unlimited DMZ access to the host @@ -1636,101 +1803,190 @@ appropriate:

    02:00:08:E3:FA:55.

    - +
    - + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - + + +
    ACTIONSOURCEDEST PROTODEST
    - PORT(S)
    SOURCE
    - PORT(S)
    ORIGINAL
    - DEST
    ACCEPTloc:~02-00-08-E3-FA-55dmzall   
    ACTIONSOURCEDEST PROTODEST
    + PORT(S)
    SOURCE
    + PORT(S)
    ORIGINAL
    + DEST
    ACCEPTloc:~02-00-08-E3-FA-55dmzall
    +

    +

    +
    -
    + - Example 6. You wish - to allow access to the SMTP server in your DMZ from all zones.
    - -
    - - - - - - - - - - - - - - - - - - - - + Example 6. + You wish to allow access to the SMTP server in your DMZ from all zones.
    - +
    +
    ACTION
    -
    SOURCE
    -
    DEST
    -
    PROTO
    -
    DEST
    - PORTS(S)
    -
    SOURCE
    - PORT(S)
    -
    ORIGINAL
    - DEST
    -
    ACCEPT
    -
    all
    -
    dmz
    -
    tcp
    -
    25
    -

    -

    -
    + + + + + + + + + + + + + + + + + + + + +
    ACTION
    +
    SOURCE
    +
    DEST
    +
    PROTO
    +
    DEST
    + PORT(S)
    +
    SOURCE
    + PORT(S)
    +
    ORIGINAL
    + DEST
    +
    ACCEPT
    +
    all
    +
    dmz
    +
    tcp
    +
    25
    +

    +

    +
    -
    - Note: When 'all' is used as a source or destination, intra-zone traffic - is not affected. In this example, if there were two DMZ interfaces then the - above rule would NOT enable SMTP traffic between hosts on these interfaces.
    - +
    + Note: When 'all' is used as a source or destination, intra-zone + traffic is not affected. In this example, if there were two DMZ interfaces + then the above rule would NOT enable SMTP traffic between hosts on these + interfaces.
    + + Example 7 (For advanced users running Shorewall version 1.3.13 +or later). From the internet, you with to forward tcp port 25 directed + to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 in your DMZ. You also + want to allow access from the internet directly to tcp port 25 on 192.0.2.177. +
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTION
    +
    SOURCE
    +
    DEST
    +
    PROTO
    +
    DEST
    + PORT(S)
    +
    SOURCE
    + PORT(S)
    +
    ORIGINAL
    + DEST
    +
    DNAT-
    +
    net
    +
    dmz:192.0.2.177
    +
    tcp
    +
    25
    +
    0
    +
    192.0.2.178
    +
    DNAT-
    +
    net
    +
    dmz:192.0.2.177
    +
    tcp
    +
    25
    +
    0
    +
    192.0.2.179
    +
    ACCEPT
    +
    net
    +
    dmz:192.0.2.177
    +
    tcp
    +
    25
    +

    +

    +
    +
    + Using "DNAT-" rather than "DNAT" avoids two extra copies of the third + rule from being generated.
    +

    Look here for information on other services.

    - +

    /etc/shorewall/common

    - +

    Shorewall allows definition of rules that apply between all zones. @@ -1740,167 +1996,177 @@ appropriate:

    but may be modified to suit individual requirements. Rather - than modify - /etc/shorewall/common.def, - you should copy - that file to - /etc/shorewall/common - and modify that - file.

    + than modify + /etc/shorewall/common.def, + you should + copy that +file to /etc/shorewall/common + and modify + that file.

    - +

    The /etc/shorewall/common - file is expected - to contain iptables - commands; rather - than running - iptables directly, - you should run - it indirectly using the - Shorewall function 'run_iptables'. - That way, if iptables - encounters an error, the - firewall will be safely - stopped.

    + file is +expected to + contain iptables + commands; rather than + running iptables + directly, you should run + it indirectly using the + Shorewall function 'run_iptables'. + That way, if iptables + encounters an error, + the firewall will + be safely stopped.

    - +

    /etc/shorewall/masq

    - +

    The /etc/shorewall/masq file is used to define classical IP Masquerading - and Source Network Address Translation  (SNAT). There is one entry in - the file for each subnet that you want to masquerade. In order to make - use of this feature, you must have NAT enabled - .

    + and Source Network Address Translation (SNAT). There is one entry + in the file for each subnet that you want to masquerade. In order + to make use of this feature, you must have NAT + enabled .

    - +

    Columns are:

    - + - -

    Example 1: You have eth0 connected to a cable modem and eth1 - connected to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq - file would look like:    

    - - -
    - - - - - - - - - - - - - - - - - - - - - - -
    INTERFACE SUBNETADDRESS
    eth0192.168.9.0/24 
    -
    - - -

    Example 2: You have a number of IPSEC tunnels through ipsec0 - and you want to masquerade traffic from your 192.168.9.0/24 subnet - to the remote subnet 10.1.0.0/16 only.

    - - -
    - - - - - - - - - - - - - - - - - - - - -
    INTERFACE SUBNETADDRESS
    ipsec0:10.1.0.0/16192.168.9.0/24 
    -
    +

    Example 1: You have eth0 connected to a cable modem and eth1 + connected to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq + file would look like:

    + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    INTERFACE SUBNETADDRESS
    eth0192.168.9.0/24
    +
    +
    - -

    Example 3: You have a DSL line connected on eth0 and a local - network (192.168.10.0/24) - connected -to eth1. You - want all local->net - connections to use - source address - 206.124.146.176.

    -
    +

    Example 2: You have a number of IPSEC tunnels through ipsec0 + and you want to masquerade traffic from your 192.168.9.0/24 subnet + to the remote subnet 10.1.0.0/16 only.

    + + +
    + + + + + + + + + + + + + + + + + + + + + + + +
    INTERFACE SUBNETADDRESS
    ipsec0:10.1.0.0/16192.168.9.0/24
    +
    +
    + + +

    Example 3: You have a DSL line connected on eth0 and a local + network + (192.168.10.0/24) + connected to eth1. You + want all local->net + connections to use + source address + 206.124.146.176.

    + +
    - - - - - - - - - - - + + + + + + + + + + + - - + + +
    INTERFACE SUBNETADDRESS
    eth0192.168.10.0/24206.124.146.176
    INTERFACE SUBNETADDRESS
    eth0192.168.10.0/24206.124.146.176
    -
    +
    - +

    Example 4: Same as example 3 except that you wish @@ -1910,36 +2176,39 @@ to eth1. You the SNAT rule.

    - + +
    - + - - - - - - - - - - - + + + + + + + + + + + - - + + +
    INTERFACE SUBNETADDRESS
    eth0192.168.10.0/24!192.168.10.44,192.168.10.45206.124.146.176
    INTERFACE SUBNETADDRESS
    eth0192.168.10.0/24!192.168.10.44,192.168.10.45206.124.146.176
    -
    + - +

    /etc/shorewall/proxyarp

    - + +

    If you want to use proxy ARP on an entire sub-network, @@ -1948,30 +2217,31 @@ to eth1. You http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. - If you decide - to use -the technique - described in that - HOWTO, you can set - the proxy_arp flag - for an interface - (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) - by including - the proxyarp - option in - the interface's - record in - - /etc/shorewall/interfaces. - When using Proxy ARP - sub-netting, you do - NOT include - any entries in - /etc/shorewall/proxyarp. -

    + If you + decide to use + the technique + described in that + HOWTO, you can set + the proxy_arp flag + for an interface + (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + by including + the +proxyarp option + in the interface's + record in + + /etc/shorewall/interfaces. + When using Proxy ARP + sub-netting, +you do NOT +include any entries +in /etc/shorewall/proxyarp. +

    - + +

    The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is typically used for @@ -1979,48 +2249,51 @@ the technique on a small set of systems since you need one entry - in this -file for each - system using proxy - ARP. Columns are:

    - + in this + file for each + system using proxy + ARP. Columns are:

    + - +

    Note: After you have made a change to the /etc/shorewall/proxyarp - file, you may need to flush the ARP cache of all routers on the LAN - segment connected to the interface specified in the EXTERNAL column -of the change/added entry(s). If you are having problems communicating - between an individual host (A) on that segment and a system whose entry - has changed, you may need to flush the ARP cache on host A as well.

    + file, you may need to flush the ARP cache of all routers on the + LAN segment connected to the interface specified in the EXTERNAL +column of the change/added entry(s). If you are having problems communicating + between an individual host (A) on that segment and a system whose + entry has changed, you may need to flush the ARP cache on host A as + well.

    - +

    ISPs typically have ARP configured with long TTL (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump -nei <external interface> host <IP addr>"), it may take a long @@ -2029,95 +2302,104 @@ to delete a stale entry in order to restore a system to working order after changing my proxy ARP settings.

    - + +

    Example: You have public IP addresses 155.182.235.0/28. You configure your - firewall as follows:

    - + firewall as follows:

    + - + +

    In your DMZ, you want to install a Web/FTP server with public address - 155.186.235.4. On the Web server, you subnet just like the firewall's - eth0 and you configure 155.186.235.1 as the default gateway. In your - /etc/shorewall/proxyarp file, you will have:

    + 155.186.235.4. On the Web server, you subnet just like the firewall's + eth0 and you configure 155.186.235.1 as the default gateway. In + your /etc/shorewall/proxyarp file, you will have:

    - +
    - + - + - - - - - - - - - - - - + + + + + + + + + + + + - + + - +
    ADDRESS INTERFACE EXTERNALHAVEROUTE
    155.186.235.4eth2eth0No
    ADDRESS INTERFACE EXTERNALHAVEROUTE
    155.186.235.4eth2eth0No
    -
    - + + +

    Note: You may want to configure the servers in your DMZ with a subnet - that is smaller than the subnet of your internet interface. See the - Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) - for details. In this case you will want to place "Yes" in the HAVEROUTE - column.

    - + for details. In this case you will want to place "Yes" in the HAVEROUTE + column.

    + +

    To learn how I use Proxy ARP in my DMZ, see my configuration files.

    - + +

    Warning: Do not use Proxy ARP and FreeS/Wan on the same system unless you are prepared to suffer the consequences. - If you start or restart Shorewall with an IPSEC tunnel active, the proxied - IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) - rather than to the interface that you specify in the INTERFACE column - of /etc/shorewall/proxyarp. I haven't had the time to debug this problem - so I can't say if it is a bug in the Kernel or in FreeS/Wan. 

    - + If you start or restart Shorewall with an IPSEC tunnel active, the + proxied IP addresses are mistakenly assigned to the IPSEC tunnel device + (ipsecX) rather than to the interface that you specify in the INTERFACE + column of /etc/shorewall/proxyarp. I haven't had the time to debug +this problem so I can't say if it is a bug in the Kernel or in FreeS/Wan. +

    +

    You might be able to work around this problem using the following - (I haven't tried it):

    - + (I haven't tried it):

    +

    In /etc/shorewall/init, include:

    - -

         qt service ipsec stop

    - + +

    qt service ipsec stop

    +

    In /etc/shorewall/start, include:

    - -

        qt service ipsec start

    + +

    qt service ipsec start

    - +

    /etc/shorewall/nat

    - + +

    The /etc/shorewall/nat file is used to define static NAT. There is one - entry in the file for each static NAT relationship that you wish to - define. In order to make use of this feature, you must have NAT enabled .

    - + +

    IMPORTANT: If @@ -2129,642 +2411,681 @@ files.

    static NAT. Port forwarding can be accomplished - with simple - entries in - the - rules file. - Also, in most - cases - - Proxy ARP - provides a - superior solution - to static NAT - because the - internal systems - are accessed using - the same IP - address internally - and externally.

    + with + simple entries in + the + + rules file. + Also, in most + cases + + Proxy ARP + provides a + superior solution + to static NAT + because the + internal systems + are accessed using + the same +IP address +internally + and externally.

    - + +

    Columns in an entry are:

    - + - +

    Look here for additional information and an example. -

    - +

    + +

    /etc/shorewall/tunnels

    - +

    The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP - and PPTP tunnels with end-points on your firewall. To use ipsec, you - must install version 1.9, 1.91 or the current FreeS/WAN development snapshot. 

    + and PPTP tunnels with end-points on your firewall. To use ipsec, + you must install version 1.9, 1.91 or the current FreeS/WAN development snapshot. +

    - +

    Note: For kernels 2.4.4 and above, you will need to use version 1.91 - or a development snapshot as patching with version 1.9 results in -kernel compilation errors.

    + or a development snapshot as patching with version 1.9 results + in kernel compilation errors.

    - +

    Instructions for setting up IPSEC tunnels may - be found here, instructions for IPIP -and GRE tunnels are here  and instructions - for PPTP tunnels are here.

    - + be found here, instructions for IPIP + and GRE tunnels are here and instructions + for PPTP tunnels are here.

    +

    /etc/shorewall/shorewall.conf

    - +

    This file is used to set the following firewall parameters:

    - + - + +

    /etc/shorewall/modules Configuration

    - + +

    The file /etc/shorewall/modules contains commands for loading the kernel - modules required by Shorewall-defined firewall rules. Shorewall will - source this file during start/restart provided that it exists and that - the directory specified by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf above).

    + modules required by Shorewall-defined firewall rules. Shorewall + will source this file during start/restart provided that it exists + and that the directory specified by the MODULESDIR parameter exists + (see /etc/shorewall/shorewall.conf above).

    - + +

    The file that is released with Shorewall calls the Shorewall function - "loadmodule" for the set of modules that I load.

    + "loadmodule" for the set of modules that I load.

    - + +

    The loadmodule function is called as follows:

    - -
    - - -

    loadmodule - <modulename> - [ <module parameters> ]

    -
    - - - - -

    where

    - - - - -
    - - - -

    <modulename>                

    - - - - -
    - - - -

    is the name of the modules without the trailing ".o" (example - ip_conntrack).

    -
    - - - - -

    <module parameters>

    - - - - -
    - - - -

    Optional parameters to the insmod utility.

    -
    -
    - - - - -

    The function determines if the module named by <modulename> - is already loaded and if not then the function determines if - the ".o" file corresponding to the module exists in the moduledirectory; - if so, then the following command is executed:

    - - - - +
    +

    loadmodule + <modulename> + [ <module parameters> ]

    +
    + + + + +

    where

    + + + + +
    + + + +

    <modulename>

    + + + + +
    + + + + +

    is the name of the modules without the trailing ".o" (example + ip_conntrack).

    +
    + + + + +

    <module parameters>

    + + + + +
    + + + + +

    Optional parameters to the insmod utility.

    +
    +
    + + + + +

    The function determines if the module named by <modulename> + is already loaded and if not then the function determines + if the ".o" file corresponding to the module exists in the moduledirectory; + if so, then the following command is executed:

    + + + + +
    + + + +

    insmod moduledirectory/<modulename>.o <module - parameters>

    -
    + parameters>

    + - +

    If the file doesn't exist, the function determines of the ".o.gz" file corresponding to the module exists in the moduledirectory. If it does, the function assumes that the running configuration supports compressed @@ -2772,401 +3093,410 @@ it does, the function assumes that the running configuration supports compress - +

    - + +

    insmod moduledirectory/<modulename>.o.gz <module - parameters>

    -
    + parameters>

    + - +

    /etc/shorewall/tos Configuration

    - +

    The /etc/shorewall/tos file allows you to set the Type of Service field - in packet headers based on packet source, packet destination, protocol, - source port and destination port. In order for this file to be processed - by Shorewall, you must have mangle support - enabled .

    + in packet headers based on packet source, packet destination, + protocol, source port and destination port. In order for this +file to be processed by Shorewall, you must have mangle support enabled .

    - +

    Entries in the file have the following columns:

    - + - +
    - +
    - + +

    Minimize-Delay (16)
    - Maximize-Throughput (8)
    - Maximize-Reliability (4)
    - Minimize-Cost (2)
    - Normal-Service (0)

    -
    -
    + Maximize-Throughput (8)
    + Maximize-Reliability (4)
    + Minimize-Cost (2)
    + Normal-Service (0)

    + + - +

    The /etc/shorewall/tos file that is included with Shorewall contains - the following entries.

    + the following entries.

    - -
    + +
    - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + - + +
    SOURCEDESTPROTOCOLSOURCE
    - PORT(S)
    DEST PORT(S)TOS
    allalltcp-ssh16
    allalltcpssh-16
    allalltcp-ftp16
    allalltcpftp-16
    allalltcp-ftp-data8
    allalltcpftp-data-8
    SOURCEDESTPROTOCOLSOURCE
    + PORT(S)
    DEST PORT(S)TOS
    allalltcp-ssh16
    allalltcpssh-16
    allalltcp-ftp16
    allalltcpftp-16
    allalltcp-ftp-data8
    allalltcpftp-data-8
    -
    +
    - +

    WARNING: Users have reported that odd routing problems result from - adding the ESP and AH protocols to the /etc/shorewall/tos file.

    + adding the ESP and AH protocols to the /etc/shorewall/tos file. +

    - +

    /etc/shorewall/blacklist

    - +

    Each line in /etc/shorewall/blacklist contains - an - IP - address, a MAC address in Shorewall Format or subnet address. - Example:

    + Example:

    - +
          130.252.100.69
    206.124.146.0/24
    - +

    Packets from hosts listed in - the - blacklist - file - will - be + the + blacklist + file + will + be - disposed - of - according - to - the - value + disposed + of + according + to + the - assigned - to - the BLACKLIST_DISPOSITION + value + assigned + to + the BLACKLIST_DISPOSITION - and BLACKLIST_LOGLEVEL variables - in + and BLACKLIST_LOGLEVEL variables - /etc/shorewall/shorewall.conf. - Only - packets + in + /etc/shorewall/shorewall.conf. + Only + packets - arriving - on - interfaces - that - have - the + arriving + on + interfaces + that + have - 'blacklist' - option - in + the + 'blacklist' + option - /etc/shorewall/interfaces - are - checked - against + in + /etc/shorewall/interfaces + are + checked - the - blacklist. The black list is designed to prevent listed - hosts/subnets from accessing services on your network.
    -

    - + against + the + blacklist. The black list is designed to prevent +listed hosts/subnets from accessing services on your + network.
    +

    +

    Beginning with Shorewall 1.3.8, the blacklist file has three columns:
    -

    - +

    + - +

    Shorewall also has a dynamic blacklist - capability.

    + capability.

    - +

    IMPORTANT: The Shorewall blacklist file is NOT - designed to police your users' web browsing -- to do that, I suggest -that you install and configure Squid (http://www.squid-cache.org).

    - +

    /etc/shorewall/rfc1918 (Added in Version 1.3.1)

    - +

    This file lists the subnets affected by the norfc1918 - interface option. Columns in the file are:

    + interface option. Columns in the file are:

    - + - +

    /etc/shorewall/routestopped (Added in Version - 1.3.4)

    + 1.3.4) - +

    This file defines the hosts that are accessible from the firewall when - the firewall is stopped.  Columns in the file are:

    + the firewall is stopped. Columns in the file are:

    - + - +

    Example: When your firewall is stopped, you want firewall accessibility - from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces - through eth1 and your local hosts through eth2.

    + from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces + through eth1 and your local hosts through eth2.

    - +
    - + + - - + + - + - + - + - + - + - + - + - + - + - + - + - - + +
    INTERFACEINTERFACEHOST(S)HOST(S)
    eth2eth2192.168.1.0/24192.168.1.0/24
    eth1eth1--
    -
    + - +

    /etc/shorewall/maclist (Added in Version 1.3.10)

    - This file is described in the MAC Validation - Documentation.
    + This file is described in the MAC Validation Documentation.
    +
    + +

    Updated 1/13/2003 - Tom Eastep +

    + + + +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.

    - -

    Updated 12/20/2002 - Tom Eastep -

    - - - -

    Copyright - © 2001, 2002 Thomas M. Eastep.
    -

    - - - - -
    +

    +
    +
    +
    +


    diff --git a/STABLE/documentation/Documentation_Index.htm b/STABLE/documentation/Documentation_Index.htm index 60fcdafc8..f78703030 100644 --- a/STABLE/documentation/Documentation_Index.htm +++ b/STABLE/documentation/Documentation_Index.htm @@ -1,28 +1,31 @@ + - - - - - -The Documentation Index + + + + + + + + + The Documentation Index + - - - + +

    The Shorewall Documentation Index

    -

    has Moved -Here

    - -

    -Last updated 8/9/2002 - - - Tom Eastep -

    -

    - Copyright - © 2001, 2002 Thomas M. Eastep.

    - + +

    has Moved Here

    + +

    Last updated 8/9/2002 - + Tom Eastep

    + +

    Copyright © 2001, 2002 Thomas M. Eastep.

    +
    + - diff --git a/STABLE/documentation/FAQ.htm b/STABLE/documentation/FAQ.htm index 10242d846..376151c69 100644 --- a/STABLE/documentation/FAQ.htm +++ b/STABLE/documentation/FAQ.htm @@ -2,1017 +2,1088 @@ - + - + - + - + Shorewall FAQ - + - + - - - + + - + + - - + +
    +
    +

    Shorewall FAQs

    -
    - -

    1. I want to forward UDP - port 7777 to my my personal PC with IP address 192.168.1.5. - I've looked everywhere and can't find how to do it.

    - -

    1a. Ok -- I followed those instructions - but it doesn't work.
    -

    - -

    1b. I'm still having problems with - port forwarding

    - -

    2. I port forward www requests - to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 -in my local network. External clients can browse http://www.mydomain.com - but internal clients can't.

    - -

    2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 addresses - to hosts in Z. Hosts in Z cannot communicate with each other using - their external (non-RFC1918 addresses) so they can't access -each other using their DNS names.

    - -

    3. I want to use Netmeeting/MSN - Messenger with Shorewall. What do I do?

    - -

    4. I just used an online port scanner - to check my firewall and it shows some ports as 'closed' -rather than 'blocked'. Why?

    - -

    4a. I just ran an nmap UDP scan - of my firewall and it showed 100s of ports as open!!!!

    - -

    5. I've installed Shorewall and now - I can't ping through the firewall

    - -

    6. Where are the log messages - written and how do I change the destination?

    - -

    6a. Are there any log parsers - that work with Shorewall?

    - -

    7. When I stop Shorewall using - 'shorewall stop', I can't connect to anything. Why doesn't that command - work?

    - -

    8. When I try to start Shorewall - on RedHat I get messages about insmod failing -- what's -wrong?

    - -

    9. Why can't Shorewall detect - my interfaces properly?

    - -

    10. What distributions does - it work with?

    - -

    11. What features does it - support?

    - + +

    1. I want to forward UDP + port 7777 to my my personal PC with IP address 192.168.1.5. + I've looked everywhere and can't find how to do it.

    + +

    1a. Ok -- I followed those instructions + but it doesn't work.
    +

    + +

    1b. I'm still having problems with + port forwarding

    + +

    2. I port forward www requests + to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 + in my local network. External clients can browse http://www.mydomain.com + but internal clients can't.

    + +

    2a. I have a zone "Z" with an RFC1918 + subnet and I use static NAT to assign non-RFC1918 addresses + to hosts in Z. Hosts in Z cannot communicate with each other + using their external (non-RFC1918 addresses) so they can't +access each other using their DNS names.

    + +

    3. I want to use Netmeeting +or MSN Instant Messenger with Shorewall. What do I +do?

    + +

    4. I just used an online port scanner + to check my firewall and it shows some ports as 'closed' + rather than 'blocked'. Why?

    + +

    4a. I just ran an nmap UDP scan + of my firewall and it showed 100s of ports as open!!!!

    + +

    5. I've installed Shorewall and now + I can't ping through the firewall

    + +

    6. Where are the log messages + written and how do I change the destination?

    + + +

    6a. Are there any log parsers + that work with Shorewall?

    +

    6b. DROP messages on port 10619 are flooding the logs with their connect +requests. Can i exclude these error messages for this port temporarily from +logging in Shorewall?
    +

    +

    6c. All day long I get a steady flow +of these DROP messages from port 53 to some high numbered port.  +They get dropped, but what the heck are they?
    +

    +

    7. When I stop Shorewall using +'shorewall stop', I can't connect to anything. Why doesn't that command + work?

    + +

    8. When I try to start Shorewall + on RedHat I get messages about insmod failing -- what's + wrong?

    + +

    9. Why can't Shorewall detect + my interfaces properly?

    + +

    10. What distributions does + it work with?

    + +

    11. What features does it +support?

    +

    12. Why isn't there a GUI

    - +

    13. Why do you call it "Shorewall"?

    - -

    14. I'm connected via a cable modem - and it has an internel web server that allows me to configure/monitor - it but as expected if I enable rfc1918 blocking for my -eth0 interface, it also blocks the cable modems web server.

    - -

    14a. Even though it assigns public - IP addresses, my ISP's DHCP server has an RFC 1918 address. -If I enable RFC 1918 filtering on my external interface, my -DHCP client cannot renew its lease.

    - -

    15. My local systems can't see - out to the net

    - -

    16. Shorewall is writing log messages - all over my console making it unusable!
    -

    - 17. How do I find - out why this traffic is getting logged?
    -
    - 18. Is there any way to use aliased - ip addresses with Shorewall, and maintain separate rulesets for - different IPs?
    -
    - 19. I have added entries to /etc/shorewall/tcrules - but they don't seem to do anything. Why?
    -
    - 20. I have just set up a server. Do -I have to change Shorewall to allow access to my server from the internet?
    -
    -
    21. I see these strange log entries -occasionally; what are they?
    -

    - 22. I have some iptables commands that I -want to run when Shorewall starts. Which file do I put them in?
    - -
    -

    1. I want to forward UDP port 7777 to - my my personal PC with IP address 192.168.1.5. I've looked everywhere - and can't find how to do it.

    - + +

    14. I'm connected via a cable modem + and it has an internel web server that allows me to configure/monitor + it but as expected if I enable rfc1918 blocking for +my eth0 interface, it also blocks the cable modems web server.

    + +

    14a. Even though it assigns public + IP addresses, my ISP's DHCP server has an RFC 1918 address. + If I enable RFC 1918 filtering on my external interface, my + DHCP client cannot renew its lease.

    + +

    15. My local systems can't see + out to the net

    + +

    16. Shorewall is writing log messages + all over my console making it unusable!
    +

    + 17. How do + I find out why this traffic is getting logged?
    +
    + 18. Is there any way to use + aliased ip addresses with Shorewall, and maintain separate + rulesets for different IPs?
    +
    + 19. I have added entries to +/etc/shorewall/tcrules but they don't seem to do anything. +Why?
    +
    + 20. I have just set up a server. + Do I have to change Shorewall to allow access to my server from +the internet?
    +
    +
    21. I see these strange log entries + occasionally; what are they?
    +

    + 22. I have some iptables commands that + I want to run when Shorewall starts. Which file do I put them in?
    +
    + 23. Why do you use such ugly fonts on + your web site?
    +
    + 24: How can I allow conections to let's +say the ssh port only from specific IP Addresses on the internet?
    + +
    +

    1. I want to forward UDP port 7777 to + my my personal PC with IP address 192.168.1.5. I've looked +everywhere and can't find how to do it.

    +

    Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format of a port-forwarding - rule to a local system is as follows:

    - -
    - + href="Documentation.htm#Rules">rules file documentation shows how to + do port forwarding under Shorewall. The format of a port-forwarding + rule to a local system is as follows:

    + +
    + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATnetloc:<local IP address>[:<local - port>]<protocol><port #>
    -

    -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATnetloc:<local IP address>[:<local + port>]<protocol><port #>
    +

    +
    -
    - -

    So to forward UDP port 7777 to internal system 192.168.1.5, - the rule is:

    - -
    - +
    + +

    So to forward UDP port 7777 to internal system 192.168.1.5, + the rule is:

    + +
    + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATnetloc:192.168.1.5udp7777
    -

    -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATnetloc:192.168.1.5udp7777
    +

    +
    -
    - -
    If - you want to forward requests directed to a particular address ( <external - IP> ) on your firewall to an internal system:
    - -
    - +
    + +
    If + you want to forward requests directed to a particular address ( <external + IP> ) on your firewall to an internal system:
    + +
    + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATnetloc:<local IP address>[:<local - port>]<protocol><port #>-<external IP>
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATnetloc:<local IP address>[:<local + port>]<protocol><port #>-<external IP>
    -
    - -

    1a. Ok -- I followed those instructions - but it doesn't work

    - +
    + +

    1a. Ok -- I followed those instructions + but it doesn't work

    +

    Answer: That is usually the result of one of two things:

    - + - -

    1b. I'm still having problems with port - forwarding

    - Answer: To further diagnose this problem:
    - + +

    1b. I'm still having problems with port + forwarding

    + Answer: To further diagnose this problem:
    + - -

    2. I port forward www requests to www.mydomain.com - (IP 130.151.100.69) to system 192.168.1.5 in my local network. - External clients can browse http://www.mydomain.com but internal - clients can't.

    - + +

    2. I port forward www requests to www.mydomain.com + (IP 130.151.100.69) to system 192.168.1.5 in my local network. + External clients can browse http://www.mydomain.com but internal + clients can't.

    +

    Answer: I have two objections to this setup.

    - + - -

    If you insist on an IP solution to the accessibility problem - rather than a DNS solution, then assuming that your external -interface is eth0 and your internal interface is eth1 and that -eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do -the following:

    - -

    a) In /etc/shorewall/interfaces, specify "multi" as an option - for eth1 (No longer required as of Shorewall version 1.3.9).

    - -
    + +

    If you insist on an IP solution to the accessibility problem + rather than a DNS solution, then assuming that your external + interface is eth0 and your internal interface is eth1 and that + eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do + the following:

    + +

    a) In /etc/shorewall/interfaces, specify "multi" as an option + for eth1 (No longer required as of Shorewall version 1.3.9).

    + +

    b) In /etc/shorewall/rules, add:

    -
    - -
    -
    - +
    + +
    +
    + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
    -
    -
    + +
    - -
    -

    That rule only works of course if you have a static external - IP address. If you have a dynamic IP address and are running - Shorewall 1.3.4 or later then include this in /etc/shorewall/params:

    -
    - -
    + +
    +

    That rule only works of course if you have a static external + IP address. If you have a dynamic IP address and are running + Shorewall 1.3.4 or later then include this in /etc/shorewall/params:

    +
    + +
         ETH0_IP=`find_interface_address eth0`
    -
    - -
    +
    + +

    and make your DNAT rule:

    -
    - -
    -
    - +
    + +
    +
    + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
    -
    -
    - -
    -

    Using this technique, you will want to configure your DHCP/PPPoE - client to automatically restart Shorewall each time that you -get a new IP address.

    -
    - -

    2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 addresses to - hosts in Z. Hosts in Z cannot communicate with each other using -their external (non-RFC1918 addresses) so they can't access each -other using their DNS names.

    - -

    Answer: This is another problem that is best solved - using Bind Version 9 "views". It allows both external and internal - clients to access a NATed host using the host's DNS name.

    - -

    Another good way to approach this problem is to switch from - static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 - addresses and can be accessed externally and internally using the - same address.

    - -

    If you don't like those solutions and prefer routing all -Z->Z traffic through your firewall then:

    - -

    a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces - (If you are running a Shorewall version earlier than 1.3.9).
    - b) Set the Z->Z policy to ACCEPT.
    - c) Masquerade Z to itself.
    -
    - Example:

    - + +
    + +
    +

    Using this technique, you will want to configure your DHCP/PPPoE + client to automatically restart Shorewall each time that you + get a new IP address.

    +
    + +

    2a. I have a zone "Z" with an RFC1918 + subnet and I use static NAT to assign non-RFC1918 addresses + to hosts in Z. Hosts in Z cannot communicate with each other using + their external (non-RFC1918 addresses) so they can't access each + other using their DNS names.

    + +

    Answer: This is another problem that is best solved + using Bind Version 9 "views". It allows both external and internal + clients to access a NATed host using the host's DNS name.

    + +

    Another good way to approach this problem is to switch from + static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 + addresses and can be accessed externally and internally using + the same address.

    + +

    If you don't like those solutions and prefer routing all Z->Z +traffic through your firewall then:

    + +

    a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces + (If you are running a Shorewall version earlier than 1.3.9).
    + b) Set the Z->Z policy to ACCEPT.
    + c) Masquerade Z to itself.
    +
    + Example:

    +

    Zone: dmz
    - Interface: eth2
    - Subnet: 192.168.2.0/24

    - + Interface: eth2
    + Subnet: 192.168.2.0/24

    +

    In /etc/shorewall/interfaces:

    - -
    - + +
    + - - - - - - - - - - - - - + + + + + + + + + + + + + - - - + + +
    ZONEINTERFACEBROADCASTOPTIONS
    dmzeth2192.168.2.255multi
    ZONEINTERFACEBROADCASTOPTIONS
    dmzeth2192.168.2.255multi
    -
    - +
    +

    In /etc/shorewall/policy:

    - -
    - + +
    + - - - - - - - - - - - - - + + + + + + + + + + + + + - - - + + +
    SOURCE DESTINATIONPOLICYLIMIT:BURST
    dmzdmzACCEPT
    -
    SOURCE DESTINATIONPOLICYLIMIT:BURST
    dmzdmzACCEPT
    +
    -
    - -
    +
    + +
         dmz    dmz    ACCEPT
    -
    - + +

    In /etc/shorewall/masq:

    - -
    - + +
    + - - - - - - - - - - - + + + + + + + + + + + - - - + + +
    INTERFACE SUBNETADDRESS
    eth2192.168.2.0/24
    -
    INTERFACE SUBNETADDRESS
    eth2192.168.2.0/24
    +
    -
    - -

    3. I want to use Netmeeting/MSN Messenger - with Shorewall. What do I do?

    - +
    + +

    3. I want to use Netmeeting or MSN Instant +Messenger with Shorewall. What do I do?

    +

    Answer: There is an H.323 connection - tracking/NAT module that may help. Also check the Netfilter - mailing list archives at http://netfilter.samba.org. -

    - -

    4. I just used an online port scanner - to check my firewall and it shows some ports as 'closed' rather - than 'blocked'. Why?

    - -

    Answer: The common.def included with version 1.3.x - always rejects connection requests on TCP port 113 rather -than dropping them. This is necessary to prevent outgoing connection - problems to services that use the 'Auth' mechanism for identifying - requesting users. Shorewall also rejects TCP ports 135, 137 and - 139 as well as UDP ports 137-139. These are ports that are used -by Windows (Windows can be configured to use the DCE cell locator - on port 135). Rejecting these connection requests rather than dropping - them cuts down slightly on the amount of Windows chatter on LAN segments - connected to the Firewall.

    - -

    If you are seeing port 80 being 'closed', that's probably - your ISP preventing you from running a web server in violation - of your Service Agreement.

    - -

    4a. I just ran an nmap UDP scan of my - firewall and it showed 100s of ports as open!!!!

    - -

    Answer: Take a deep breath and read the nmap man page - section about UDP scans. If nmap gets nothing back -from your firewall then it reports the port as open. If you -want to see which UDP ports are really open, temporarily change -your net->all policy to REJECT, restart Shorewall and do the -nmap UDP scan again.

    - -

    5. I've installed Shorewall and now I - can't ping through the firewall

    - -

    Answer: If you want your firewall to be totally open - for "ping":

    - -

    a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.
    - b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
    - c) Add the following to /etc/shorewall/icmpdef: -

    - -
    - -

    run_iptables -A icmpdef -p ICMP --icmp-type echo-request - -j ACCEPT
    + href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection + tracking/NAT module that may help with Netmeeting. Look +here for a solution for MSN +IM but be aware that there are significant security risks involved with this +solution. Also check the Netfilter mailing list archives at http://www.netfilter.org.

    -
    - For a complete description of Shorewall 'ping' management, see this page. - -

    6. Where are the log messages written - and how do I change the destination?

    - -

    Answer: NetFilter uses the kernel's equivalent of -syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) -facility (see "man openlog") and you get to choose the log level (again, -see "man syslog") in your policies - and rules. The destination for messaged - logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). - When you have changed /etc/syslog.conf, be sure to restart syslogd - (on a RedHat system, "service syslog restart").

    - -

    By default, older versions of Shorewall ratelimited log messages - through settings in /etc/shorewall/shorewall.conf - -- If you want to log all messages, set:

    - -
    + +

    4. I just used an online port scanner + to check my firewall and it shows some ports as 'closed' + rather than 'blocked'. Why?

    + +

    Answer: The common.def included with version 1.3.x + always rejects connection requests on TCP port 113 rather + than dropping them. This is necessary to prevent outgoing +connection problems to services that use the 'Auth' mechanism +for identifying requesting users. Shorewall also rejects TCP + ports 135, 137 and 139 as well as UDP ports 137-139. These are ports +that are used by Windows (Windows can be configured to use +the DCE cell locator on port 135). Rejecting these connection requests + rather than dropping them cuts down slightly on the amount of Windows + chatter on LAN segments connected to the Firewall.

    + +

    If you are seeing port 80 being 'closed', that's probably + your ISP preventing you from running a web server in violation + of your Service Agreement.

    + +

    4a. I just ran an nmap UDP scan of my + firewall and it showed 100s of ports as open!!!!

    + +

    Answer: Take a deep breath and read the nmap man page + section about UDP scans. If nmap gets nothing back + from your firewall then it reports the port as open. If you + want to see which UDP ports are really open, temporarily change + your net->all policy to REJECT, restart Shorewall and do the + nmap UDP scan again.

    + +

    5. I've installed Shorewall and now I + can't ping through the firewall

    + +

    Answer: If you want your firewall to be totally open + for "ping":

    + +

    a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.
    + b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
    + c) Add the following to /etc/shorewall/icmpdef: +

    + +
    + +

    run_iptables -A icmpdef -p ICMP --icmp-type echo-request + -j ACCEPT
    +

    +
    + For a complete description of Shorewall 'ping' management, see this page. + +

    6. Where are the log messages written + and how do I change the destination?

    + +

    Answer: NetFilter uses the kernel's equivalent of syslog +(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility +(see "man openlog") and you get to choose the log level (again, see "man +syslog") in your policies and rules. The destination for messaged +logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). + When you have changed /etc/syslog.conf, be sure to restart syslogd + (on a RedHat system, "service syslog restart").

    + +

    By default, older versions of Shorewall ratelimited log messages + through settings in /etc/shorewall/shorewall.conf + -- If you want to log all messages, set:

    + +
         LOGLIMIT=""
    LOGBURST=""

    Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages to a separate file.
    -
    - -

    6a. Are there any log parsers that work - with Shorewall?

    - -

    Answer: Here are several links that may be helpful: -

    - -
    - + href="shorewall_logging.html">set up Shorewall to log all of its messages to a separate file.
    +
    + +

    6a. Are there any log parsers that work + with Shorewall?

    + +

    Answer: Here are several links that may be helpful: +

    + +
    +

    http://www.shorewall.net/pub/shorewall/parsefw/
    - http://www.fireparse.com
    - http://www.fireparse.com
    + http://cert.uni-stuttgart.de/projects/fwlogwatch
    - http://www.logwatch.org

    -

    -
    - I personnaly use Logwatch. It emails me a report each day from my various - systems with each report summarizing the logged activity on the corresponding - system.  -

    7. When I stop Shorewall using 'shorewall - stop', I can't connect to anything. Why doesn't that command work?

    - -

    The 'stop' command is intended to place your firewall into - a safe state whereby only those hosts listed in /etc/shorewall/routestopped' -are activated. If you want to totally open up your firewall, you -must use the 'shorewall clear' command.

    - -

    8. When I try to start Shorewall on RedHat, -I get messages about insmod failing -- what's wrong?

    - -

    Answer: The output you will see looks something like - this:

    - + http://www.logwatch.org
    +

    + + I personnaly use Logwatch. It emails me a report each day from + my various systems with each report summarizing the logged activity on + the corresponding system. + +

    6b. DROP messages on port 10619 +are flooding the logs with their connect requests. Can i exclude these +error messages for this port temporarily from logging in Shorewall?

    +Temporarily add the following rule:
    +
    	DROP    net    fw    udp    10619
    +

    6c. All day long I get a steady flow +of these DROP messages from port 53 to some high numbered port.  They get +dropped, but what the heck are they?

    +
    Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
    SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00
    TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
    +Answer: There are two possibilities:
    +
      +
    1. They are late-arriving replies to DNS queries.
    2. +
    3. They are corrupted reply packets.
    4. +
    +You can distinguish the difference by setting the logunclean option +(/etc/shorewall/interfaces) on +your external interface (eth0 in the above example). If they get logged twice, +they are corrupted. I solve this problem by using an /etc/shorewall/common +file like this:
    +
    +
    #
    # Include the standard common.def file
    #
    . /etc/shorewall/common.def
    #
    # The following rule is non-standard and compensates for tardy
    # DNS replies
    #
    run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
    +
    +The above file is also include in all of my sample configurations available +in the Quick Start Guides.
    +

    7. When I stop Shorewall using 'shorewall + stop', I can't connect to anything. Why doesn't that command + work?

    + +

    The 'stop' command is intended to place your firewall into + a safe state whereby only those hosts listed in /etc/shorewall/routestopped' + are activated. If you want to totally open up your firewall, + you must use the 'shorewall clear' command.

    + +

    8. When I try to start Shorewall on RedHat, + I get messages about insmod failing -- what's wrong?

    + +

    Answer: The output you will see looks something like + this:

    +
         /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
    Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
    /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
    /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
    /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
    iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    - -

    This is usually cured by the following sequence of commands: -

    - -
    + +

    This is usually cured by the following sequence of commands: +

    + +
         service ipchains stop
    chkconfig --delete ipchains
    rmmod ipchains
    -
    - -
    -

    Also, be sure to check the errata - for problems concerning the version of iptables (v1.2.3) shipped - with RH7.2.

    -
    - +
    + +
    +

    Also, be sure to check the errata + for problems concerning the version of iptables (v1.2.3) shipped + with RH7.2.

    +
    +

    - -

    9. Why can't Shorewall detect my interfaces - properly?

    - -

    I just installed Shorewall and when I issue the start command, - I see the following:

    - -
    + +

    9. Why can't Shorewall detect my interfaces + properly?

    + +

    I just installed Shorewall and when I issue the start command, + I see the following:

    + +
         Processing /etc/shorewall/shorewall.conf ...
    Processing /etc/shorewall/params ...
    Starting Shorewall...
    Loading Modules...
    Initializing...
    Determining Zones...
    Zones: net loc
    Validating interfaces file...
    Validating hosts file...
    Determining Hosts in Zones...
    Net Zone: eth0:0.0.0.0/0
    Local Zone: eth1:0.0.0.0/0
    Deleting user chains...
    Creating input Chains...
    ...
    -
    - -
    +
    + +

    Why can't Shorewall detect my interfaces properly?

    -
    - -
    -

    Answer: The above output is perfectly normal. The -Net zone is defined as all hosts that are connected through eth0 and the -local zone is defined as all hosts connected through eth1

    -
    - -

    10. What Distributions does it work - with?

    - -

    Shorewall works with any GNU/Linux distribution that includes - the proper prerequisites.

    - +
    + +
    +

    Answer: The above output is perfectly normal. The Net + zone is defined as all hosts that are connected through eth0 and the local + zone is defined as all hosts connected through eth1

    +
    + +

    10. What Distributions does it work + with?

    + +

    Shorewall works with any GNU/Linux distribution that includes + the proper prerequisites.

    +

    11. What Features does it have?

    - -

    Answer: See the Shorewall - Feature List.

    - + +

    Answer: See the Shorewall + Feature List.

    +

    12. Why isn't there a GUI?

    - -

    Answer: Every time I've started to work on one, I -find myself doing other things. I guess I just don't care enough if -Shorewall has a GUI to invest the effort to create one myself. There -are several Shorewall GUI projects underway however and I will publish -links to them when the authors feel that they are ready.

    - + +

    Answer: Every time I've started to work on one, I find +myself doing other things. I guess I just don't care enough if Shorewall +has a GUI to invest the effort to create one myself. There are several +Shorewall GUI projects underway however and I will publish links to +them when the authors feel that they are ready.

    +

    13. Why do you call it "Shorewall"?

    - -

    Answer: Shorewall is a concatenation of "Shoreline" - (the city where -I live) and "Firewall". The full name of the product -is actually "Shoreline Firewall" but "Shorewall" is must more commonly used.

    - -

    14. I'm connected via a cable modem - and it has an internal web server that allows me to configure/monitor - it but as expected if I enable rfc1918 blocking for my eth0 interface - (the internet one), it also blocks the cable modems web server.

    - -

    Is there any way it can add a rule before the rfc1918 blocking - that will let all traffic to and from the 192.168.100.1 address - of the modem in/out but still block all other rfc1918 addresses?

    - -

    Answer: If you are running a version of Shorewall -earlier than 1.3.1, create /etc/shorewall/start and in it, place the -following:

    - -
    + +

    Answer: Shorewall is a concatenation of "Shoreline" + (the city where + I live) and "Firewall". The full name of the product + is actually "Shoreline Firewall" but "Shorewall" is must more commonly +used.

    + +

    14. I'm connected via a cable modem + and it has an internal web server that allows me to configure/monitor + it but as expected if I enable rfc1918 blocking for my eth0 + interface (the internet one), it also blocks the cable modems +web server.

    + +

    Is there any way it can add a rule before the rfc1918 blocking + that will let all traffic to and from the 192.168.100.1 address + of the modem in/out but still block all other rfc1918 addresses?

    + +

    Answer: If you are running a version of Shorewall earlier +than 1.3.1, create /etc/shorewall/start and in it, place the following:

    + +
         run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT
    -
    - -
    -

    If you are running version 1.3.1 or later, simply add the - following to /etc/shorewall/rfc1918:

    -
    - -
    -
    - +
    + +
    +

    If you are running version 1.3.1 or later, simply add the + following to /etc/shorewall/rfc1918:

    +
    + +
    +
    + - - - - - - - - - + + + + + + + + + - - - -
    SUBNET TARGET
    192.168.100.1RETURN
    SUBNET TARGET
    192.168.100.1RETURN
    -
    -
    - -
    -

    Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
    -

    - -

    Note: If you add a second IP address to your external firewall - interface to correspond to the modem address, you must also make - an entry in /etc/shorewall/rfc1918 for that address. For example, - if you configure the address 192.168.100.2 on your firewall, then -you would add two entries to /etc/shorewall/rfc1918:
    -

    - -
    - - - - - - - - - - - - - - - - - - - -
    SUBNET
    -
    TARGET
    -
    192.168.100.1
    -
    RETURN
    -
    192.168.100.2
    -
    RETURN
    -
    -
    -
    - -
    -

    14a. Even though it assigns public -IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable -RFC 1918 filtering on my external interface, my DHCP client cannot renew -its lease.

    -
    - -
    -

    The solution is the same as FAQ 14 above. Simply substitute - the IP address of your ISPs DHCP server.

    -
    - -

    15. My local systems can't see out to - the net

    - -

    Answer: Every time I read "systems can't see out to - the net", I wonder where the poster bought computers with eyes - and what those computers will "see" when things are working properly. - That aside, the most common causes of this problem are:

    - -
      -
    1. - - -

      The default gateway on each local system isn't set to - the IP address of the local firewall interface.

      -
    2. -
    3. - - -

      The entry for the local network in the /etc/shorewall/masq - file is wrong or missing.

      -
    4. -
    5. - - -

      The DNS settings on the local systems are wrong or the - user is running a DNS server on the firewall and hasn't enabled - UDP and TCP port 53 from the firewall to the internet.

      -
    6. - -
    - -

    16. Shorewall is writing log messages - all over my console making it unusable!

    - -

    Answer: "man dmesg" -- add a suitable 'dmesg' command - to your startup scripts or place it in /etc/shorewall/start. - Under RedHat, the max log level that is sent to the console -is specified in /etc/sysconfig/init in the LOGLEVEL variable.
    -

    - -

    17. How do I find out why this traffic is getting -logged?

    - Answer: Logging occurs out of a number of chains - (as indicated in the log message) in Shorewall:
    - -
      -
    1. man1918 - The destination address is listed - in /etc/shorewall/rfc1918 with a logdrop target -- see /etc/shorewall/rfc1918.
    2. -
    3. rfc1918 - The source address is listed in - /etc/shorewall/rfc1918 with a logdrop target -- see /etc/shorewall/rfc1918.
    4. -
    5. all2<zone>, <zone>2all -or all2all - You have a policy that specifies a log level - and this packet is being logged under that policy. If you intend to - ACCEPT this traffic then you need a rule - to that effect.
      -
    6. -
    7. <zone1>2<zone2> - Either you -have a policy for <zone1> - to <zone2> that specifies a log level and this -packet is being logged under that policy or this packet matches a - rule that includes a log level.
    8. -
    9. <interface>_mac - The packet is being logged - under the maclist interface option.
      -
    10. -
    11. logpkt - The packet is being logged under - the logunclean interface option.
    12. -
    13. badpkt - The packet is being logged under - the dropunclean interface option as specified - in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
    14. -
    15. blacklst - The packet is being logged because - the source IP is blacklisted in the /etc/shorewall/blacklist file.
    16. -
    17. newnotsyn - The packet is being logged because - it is a TCP packet that is not part of any current connection yet -it is not a syn packet. Options affecting the logging of such packets -include NEWNOTSYN and LOGNEWNOTSYN in - /etc/shorewall/shorewall.conf.
    18. -
    19. INPUT or FORWARD - The packet has -a source IP address that isn't in any of your defined zones ("shorewall - check" and look at the printed zone definitions) or the chain is FORWARD - and the destination IP isn't in any of your defined zones.
    20. -
    21. logflags - The packet is being logged because it failed - the checks implemented by the tcpflags interface option.
      -
    22. - -
    + + -

    18. Is there any way to use aliased ip addresses - with Shorewall, and maintain separate rulesets for different IPs?

    - Answer: Yes. You simply use the IP address in your -rules (or if you use NAT, use the local IP address in your rules). -Note: The ":n" notation (e.g., eth0:0) is deprecated and will -disappear eventually. Neither iproute (ip and tc) nor iptables supports -that notation so neither does Shorewall.
    -
    - Example 1:
    -
    - /etc/shorewall/rules + + +
    + +
    +

    Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
    +

    + +

    Note: If you add a second IP address to your external firewall + interface to correspond to the modem address, you must also +make an entry in /etc/shorewall/rfc1918 for that address. For example, + if you configure the address 192.168.100.2 on your firewall, then + you would add two entries to /etc/shorewall/rfc1918:
    +

    + +
    + + + + + + + + + + + + + + + + + + + + +
    SUBNET
    +
    TARGET
    +
    192.168.100.1
    +
    RETURN
    +
    192.168.100.2
    +
    RETURN
    +
    +
    +
    + +
    +

    14a. Even though it assigns public IP + addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC +1918 filtering on my external interface, my DHCP client cannot renew its +lease.

    +
    + +
    +

    The solution is the same as FAQ 14 above. Simply substitute + the IP address of your ISPs DHCP server.

    +
    + +

    15. My local systems can't see out to + the net

    + +

    Answer: Every time I read "systems can't see out to + the net", I wonder where the poster bought computers with +eyes and what those computers will "see" when things are working +properly. That aside, the most common causes of this problem are:

    + +
      +
    1. + + +

      The default gateway on each local system isn't set to + the IP address of the local firewall interface.

      +
    2. +
    3. + + +

      The entry for the local network in the /etc/shorewall/masq + file is wrong or missing.

      +
    4. +
    5. + + +

      The DNS settings on the local systems are wrong or the + user is running a DNS server on the firewall and hasn't +enabled UDP and TCP port 53 from the firewall to the internet.

      +
    6. + +
    + +

    16. Shorewall is writing log messages + all over my console making it unusable!

    + +

    Answer: "man dmesg" -- add a suitable 'dmesg' command + to your startup scripts or place it in /etc/shorewall/start. + Under RedHat, the max log level that is sent to the console + is specified in /etc/sysconfig/init in the LOGLEVEL variable.
    +

    + +

    17. How do I find out why this traffic is getting + logged?

    + Answer: Logging occurs out of a number +of chains (as indicated in the log message) in Shorewall:
    + +
      +
    1. man1918 - The destination address +is listed in /etc/shorewall/rfc1918 with a logdrop target + -- see /etc/shorewall/rfc1918.
    2. +
    3. rfc1918 - The source address is listed + in /etc/shorewall/rfc1918 with a logdrop target -- see + /etc/shorewall/rfc1918.
    4. +
    5. all2<zone>, <zone>2all + or all2all - You have a policy that specifies a log level + and this packet is being logged under that policy. If you intend + to ACCEPT this traffic then you need a rule to that effect.
      +
    6. +
    7. <zone1>2<zone2> - Either + you have a policy for <zone1> + to <zone2> that specifies a log level and +this packet is being logged under that policy or this packet +matches a rule that includes +a log level.
    8. +
    9. <interface>_mac - The packet is being + logged under the maclist interface option.
      +
    10. +
    11. logpkt - The packet is being logged + under the logunclean interface option.
    12. +
    13. badpkt - The packet is being logged + under the dropunclean interface option as specified + in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
    14. +
    15. blacklst - The packet is being logged + because the source IP is blacklisted in the /etc/shorewall/blacklist file.
    16. +
    17. newnotsyn - The packet is being logged + because it is a TCP packet that is not part of any current connection + yet it is not a syn packet. Options affecting the logging of such + packets include NEWNOTSYN and LOGNEWNOTSYN + in /etc/shorewall/shorewall.conf.
    18. +
    19. INPUT or FORWARD - The packet + has a source IP address that isn't in any of your defined zones + ("shorewall check" and look at the printed zone definitions) or +the chain is FORWARD and the destination IP isn't in any of your defined + zones.
    20. +
    21. logflags - The packet is being logged because + it failed the checks implemented by the tcpflags interface option.
      +
    22. + +
    + +

    18. Is there any way to use aliased ip addresses + with Shorewall, and maintain separate rulesets for different IPs?

    + Answer: Yes. You simply use the IP address +in your rules (or if you use NAT, use the local IP address in your +rules). Note: The ":n" notation (e.g., eth0:0) is deprecated +and will disappear eventually. Neither iproute (ip and tc) nor iptables +supports that notation so neither does Shorewall.
    +
    + Example 1:
    +
    + /etc/shorewall/rules
         # Accept AUTH but only on address 192.0.2.125

    ACCEPT net fw:192.0.2.125 tcp auth
    - Example 2 (NAT):
    -
    - /etc/shorewall/nat
    - + Example 2 +(NAT):
    +
    + /etc/shorewall/nat
    +
         192.0.2.126	eth0	10.1.1.126
    - /etc/shorewall/rules + /etc/shorewall/rules
         # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)

    ACCEPT net loc:10.1.1.126 tcp www
    - Example 3 (DNAT):
    -
    + Example 3 (DNAT):
    +
         # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127

    DNAT net loc:10.1.1.127 tcp smtp - 192.0.2.127
    - -

    19. I have added entries to /etc/shorewall/tcrules - but they don't seem to do anything. Why?

    - You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf - so the contents of the tcrules file are simply being ignored.
    - -

    20. I have just set up a server. Do I have - to change Shorewall to allow access to my server from the internet?
    -

    - Yes. Consult the QuickStart - guide that you used during your initial setup for information about - how to set up rules for your server.
    - -

    21. I see these strange log entries occasionally; - what are they?
    -

    - -
    + +

    19. I have added entries to /etc/shorewall/tcrules + but they don't seem to do anything. Why?

    + You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf + so the contents of the tcrules file are simply being ignored.
    + +

    20. I have just set up a server. Do I have + to change Shorewall to allow access to my server from the internet?
    +

    + Yes. Consult the QuickStart guide that +you used during your initial setup for information about how to set + up rules for your server.
    + +

    21. I see these strange log entries occasionally; + what are they?
    +

    + +
    Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00
    SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3
    [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
    -
    - 192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal - LAN
    -
    - Answer: While most people associate the Internet Control -Message Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet. -ICMP is used to report problems back to the sender of a packet; this is -what is happening here. Unfortunately, where NAT is involved (including -SNAT, DNAT and Masquerade), there are a lot of broken implementations. -That is what you are seeing with these messages.
    -
    - Here is my interpretation of what is happening -- to confirm this -analysis, one would have to have packet sniffers placed a both ends of -the connection.
    -
    - Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS - query to 192.0.2.3 and your DNS server tried to send a response (the -response information is in the brackets -- note source port 53 which marks -this as a DNS reply). When the response was returned to to 206.124.146.179, -it rewrote the destination IP TO 172.16.1.10 and forwarded the packet to -172.16.1.10 who no longer had a connection on UDP port 2857. This causes -a port unreachable (type 3, code 3) to be generated back to 192.0.2.3. -As this packet is sent back through 206.124.146.179, that box correctly -changes the source address in the packet to 206.124.146.179 but doesn't -reset the DST IP in the original DNS response similarly. When the ICMP -reaches your firewall (192.0.2.3), your firewall has no record of having -sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related -to anything that was sent. The final result is that the packet gets logged -and dropped in the all2all chain. I have also seen cases where the source -IP in the ICMP itself isn't set back to the external IP of the remote NAT -gateway; that causes your firewall to log and drop the packet out of the -rfc1918 chain because the source IP is reserved by RFC 1918.
    - -

    22. I have some iptables commands that -I want to run when Shorewall starts. Which file do I put them in?

    - You can place these commands in one of the Shorewall Extension Scripts. Be -sure that you look at the contents of the chain(s) that you will be modifying -with your commands to be sure that the commands will do what they are intended. -Many iptables commands published in HOWTOs and other instructional material -use the -A command which adds the rules to the end of the chain. Most chains -that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT -rule and any rules that you add after that will be ignored. Check "man iptables" -and look at the -I (--insert) command.
    -
    - +
    + 192.0.2.3 is external on my firewall... 172.16.0.0/24 is +my internal LAN
    +
    + Answer: While most people associate the Internet Control + Message Protocol (ICMP) with 'ping', ICMP is a key piece of the internet. + ICMP is used to report problems back to the sender of a packet; this + is what is happening here. Unfortunately, where NAT is involved (including + SNAT, DNAT and Masquerade), there are a lot of broken implementations. + That is what you are seeing with these messages.
    +
    + Here is my interpretation of what is happening -- to confirm + this analysis, one would have to have packet sniffers placed a both +ends of the connection.
    +
    + Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a +UDP DNS query to 192.0.2.3 and your DNS server tried to send a response + (the response information is in the brackets -- note source port 53 which + marks this as a DNS reply). When the response was returned to to 206.124.146.179, + it rewrote the destination IP TO 172.16.1.10 and forwarded the packet +to 172.16.1.10 who no longer had a connection on UDP port 2857. This causes + a port unreachable (type 3, code 3) to be generated back to 192.0.2.3. + As this packet is sent back through 206.124.146.179, that box correctly + changes the source address in the packet to 206.124.146.179 but doesn't + reset the DST IP in the original DNS response similarly. When the ICMP + reaches your firewall (192.0.2.3), your firewall has no record of having + sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related + to anything that was sent. The final result is that the packet gets logged + and dropped in the all2all chain. I have also seen cases where the source + IP in the ICMP itself isn't set back to the external IP of the remote NAT + gateway; that causes your firewall to log and drop the packet out of the + rfc1918 chain because the source IP is reserved by RFC 1918.
    + +

    22. I have some iptables commands that + I want to run when Shorewall starts. Which file do I put them +in?

    + You can place these commands in one of the Shorewall Extension Scripts. +Be sure that you look at the contents of the chain(s) that you will be modifying + with your commands to be sure that the commands will do what they are +intended. Many iptables commands published in HOWTOs and other instructional +material use the -A command which adds the rules to the end of the chain. +Most chains that Shorewall constructs end with an unconditional DROP, +ACCEPT or REJECT rule and any rules that you add after that will be ignored. +Check "man iptables" and look at the -I (--insert) command.
    + +

    23. Why do you use such ugly fonts on your + web site?

    + The Shorewall web site is almost font neutral (it doesn't explicitly + specify fonts except on a few pages) so the fonts you see are largely the + default fonts configured in your browser. If you don't like them then reconfigure + your browser.
    + +

    24. How can I allow conections to let's say + the ssh port only from specific IP Addresses on the internet?

    + In the SOURCE column of the rule, follow "net" by a colon and a list of + the host/subnet addresses as a comma-separated list.
    + +
        net:<ip1>,<ip2>,...
    + Example:
    + +
        ACCEPT	net:192.0.2.16/28,192.0.2.44	fw	tcp	22
    +
    - Last updated 12/13/2002 - Tom Eastep - -

    Copyright - © 2001, 2002 Thomas M. Eastep.
    -

    -
    -
    -
    -
    -
    + Last updated 1/8/2003 - Tom Eastep + +

    Copyright2001, 2002, 2003 Thomas M. Eastep.
    +



    diff --git a/STABLE/documentation/IPIP.htm b/STABLE/documentation/IPIP.htm index a0a350ea7..0813f4ff6 100644 --- a/STABLE/documentation/IPIP.htm +++ b/STABLE/documentation/IPIP.htm @@ -188,9 +188,9 @@ system. The systems in the two masqueraded subnetworks can now talk to each other

    Updated 8/22/2002 - Tom Eastep

    -

    Copyright2001, 2002 Thomas M. Eastep.

    +

    Copyright2001, 2002 Thomas M. Eastep.

    - \ No newline at end of file + diff --git a/STABLE/documentation/IPSEC.htm b/STABLE/documentation/IPSEC.htm index e3518fd2e..98e7d4852 100644 --- a/STABLE/documentation/IPSEC.htm +++ b/STABLE/documentation/IPSEC.htm @@ -359,8 +359,8 @@ script will issue the command":

    Last updated 10/23/2002 - Tom Eastep

    -

    - Copyright © 2001, 2002 Thomas M. Eastep.

    +

    + Copyright © 2001, 2002 Thomas M. Eastep.



    diff --git a/STABLE/documentation/Install.htm b/STABLE/documentation/Install.htm index 1b7565f5a..1c3c4f4bf 100644 --- a/STABLE/documentation/Install.htm +++ b/STABLE/documentation/Install.htm @@ -199,8 +199,8 @@ by traffic control/shaping.

    Updated 10/28/2002 - Tom Eastep

    -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    +

    Copyright + © 2001, 2002 Thomas M. Eastep.



    diff --git a/STABLE/documentation/MAC_Validation.html b/STABLE/documentation/MAC_Validation.html index 49be690fa..c4770f15b 100644 --- a/STABLE/documentation/MAC_Validation.html +++ b/STABLE/documentation/MAC_Validation.html @@ -2,111 +2,110 @@ MAC Verification - + - + - + - - - + + - - - + +
    + + + +
    - +
    +

    MAC Verification
    -

    -
    -
    -
    - Beginning with Shorewall version 1.3.10, all traffic from an interface - or from a subnet on an interface can be verified to originate from a defined - set of MAC addresses. Furthermore, each MAC address may be optionally associated - with one or more IP addresses.
    -
    -You must have the iproute package (ip utility) installed to use MAC Verification.
    -
    -There are four components to this facility.
    - +
    + Beginning with Shorewall version 1.3.10, all traffic from an interface + or from a subnet on an interface can be verified to originate from a defined + set of MAC addresses. Furthermore, each MAC address may be optionally +associated with one or more IP addresses.
    +
    + You must have the iproute package (ip utility) installed to use MAC +Verification and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC +- module name ipt_mac.o).
    +
    + There are four components to this facility.
    +
      -
    1. The maclist interface option in The maclist interface option in /etc/shorewall/interfaces. When this option is specified, all traffic arriving on the interface is subjet to MAC verification.
    2. -
    3. The maclist option in /etc/shorewall/hosts. - When this option is specified for a subnet, all traffic from that subnet - is subject to MAC verification.
    4. -
    5. The /etc/shorewall/maclist file. This file is used to associate -MAC addresses with interfaces and to optionally associate IP addresses with +
    6. The maclist option in /etc/shorewall/hosts. When this option +is specified for a subnet, all traffic from that subnet is subject to MAC +verification.
    7. +
    8. The /etc/shorewall/maclist file. This file is used to associate + MAC addresses with interfaces and to optionally associate IP addresses with MAC addresses.
    9. -
    10. The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables - in /etc/shorewall/shorewall.conf. +
    11. The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables + in /etc/shorewall/shorewall.conf. The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection requests that fail verification are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.
      -
    12. - + +
    - The columns in /etc/shorewall/maclist are:
    - + The columns in /etc/shorewall/maclist are:
    + - +

    Example 1: Here are my files:

    - /etc/shorewall/shorewall.conf:
    -
    + /etc/shorewall/shorewall.conf:
    +
         MACLIST_DISPOSITION=REJECT
    MACLIST_LOG_LEVEL=info
    - /etc/shorewall/interfaces:
    - + /etc/shorewall/interfaces:
    +
         #ZONE           INTERFACE       BROADCAST       OPTIONS
    net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist
    loc eth2 192.168.1.255 dhcp,filterping,maclist
    dmz eth1 192.168.2.255 filterping
    net eth3 206.124.146.255 filterping,blacklist
    - texas 192.168.9.255 filterping
    loc ppp+ - filterping
    - /etc/shorewall/maclist:
    - -
         #INTERFACE              MAC                     IP ADDRESSES (Optional)
    eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie
    eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry
    eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa
    eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)
    eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap
    - As shown above, I use MAC Verification on my local - zone.
    - + /etc/shorewall/maclist:
    + +
         #INTERFACE              MAC                     IP ADDRESSES (Optional)
    eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie
    eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry
    eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa
    eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa
    eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)
    eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap
    + As shown above, I use MAC Verification on my +local zone.
    +

    Example 2: Router in Local Zone

    - Suppose now that I add a second ethernet segment to my local zone and -gateway that segment via a router with MAC address 00:06:43:45:C6:15 and -IP address 192.168.1.253. Hosts in the second segment have IP addresses in -the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist - file:
    - + Suppose now that I add a second ethernet segment to my local zone and + gateway that segment via a router with MAC address 00:06:43:45:C6:15 and + IP address 192.168.1.253. Hosts in the second segment have IP addresses +in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist + file:
    +
         eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24
    - This entry accomodates traffic from the router itself (192.168.1.253) -and from the second LAN segment (192.168.2.0/24). Remember that all traffic - being sent to my firewall from the 192.168.2.0/24 segment will be forwarded - by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) - and not that of the host sending the traffic. -

    Updated 12/22/2002 - Tom Eastep -

    + This entry accomodates traffic from the router itself (192.168.1.253) + and from the second LAN segment (192.168.2.0/24). Remember that all traffic + being sent to my firewall from the 192.168.2.0/24 segment will be forwarded + by the router so that traffic's MAC address will be that of the router +(00:06:43:45:C6:15) and not that of the host sending the traffic. + +

    Updated 1/7/2002 - Tom Eastep +

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    -
    -
    -
    -
    -
    -
    + +

    Copyright © +2001, 2002, 2003 Thomas M. Eastep.
    +

    diff --git a/STABLE/documentation/NAT.htm b/STABLE/documentation/NAT.htm index c72bf1388..4a8c9a130 100644 --- a/STABLE/documentation/NAT.htm +++ b/STABLE/documentation/NAT.htm @@ -1,92 +1,114 @@ + - - -Shorewall NAT - - + + + Shorewall NAT + + + + - - - -
    - + + +
    +
    + - - -
    -

    Static NAT

    -
    -

    IMPORTANT: If all you want to do is forward - ports to servers behind your firewall, you do NOT want to use static NAT. - Port forwarding can be accomplished with simple entries in the - rules file.

    -

    Static NAT is a way to make systems behind a - firewall and configured with private IP addresses (those - reserved for private use in RFC1918) appear to have public IP - addresses.

    -

    The following figure represents a static NAT - environment.

    -

    -

    -
    -
    -

    Static NAT can be used to make the systems with the - 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we - assume that the interface to the upper subnet is eth0, then the following - /etc/shorewall/NAT file would make the lower left-hand system appear to have - IP address 130.252.100.18 and the right-hand one to have IP address + +

    Static NAT

    + + + + + + +

    IMPORTANT: If all you want to do is forward + ports to servers behind your firewall, you do NOT want to use static +NAT. Port forwarding can be accomplished with simple entries in the + rules file.

    + +

    Static NAT is a way to make systems behind a firewall and configured +with private IP addresses (those reserved for private use in RFC1918) +appear to have public IP addresses. Before you try to use this technique, +I strongly recommend that you read the Shorewall Setup Guide.

    + +

    The following figure represents a static NAT environment.

    + +

    +

    + +
    + +

    Static NAT can be used to make the systems with the + 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If +we assume that the interface to the upper subnet is eth0, then the following + /etc/shorewall/NAT file would make the lower left-hand system appear +to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.19.

    - + +
    + - - - - - - - - - - - - - - - - - - - - -
    EXTERNALINTERFACEINTERNALALL INTERFACESLOCAL
    130.252.100.18eth010.1.1.2yesyes
    130.252.100.19eth010.1.1.3yesyes
    -

    Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above - example) is (are) not included in any specification in /etc/shorewall/masq + EXTERNAL + INTERFACE + INTERNAL + ALL INTERFACES + LOCAL + + + 130.252.100.18 + eth0 + 10.1.1.2 + yes + yes + + + 130.252.100.19 + eth0 + 10.1.1.3 + yes + yes + + + + + +

    Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above + example) is (are) not included in any specification in /etc/shorewall/masq or /etc/shorewall/proxyarp.

    -

    Note 1: The "ALL INTERFACES" column - is used to specify whether access to the external IP from all firewall - interfaces should undergo NAT (Yes or yes) or if only access from the - interface in the INTERFACE column should undergo NAT. If you leave this - column empty, "Yes" is assumed. The ALL INTERFACES column was - added in version 1.1.6.

    -

    Note 2: Shorewall will automatically add the external address to the - specified interface unless you specify ADD_IP_ALIASES="no" - (or "No") in /etc/shorewall/shorewall.conf; If you do not set - ADD_IP_ALIASES or if you set it to "Yes" or "yes" then you must NOT configure your own alias(es).

    -

    Note 3: The contents of the "LOCAL" - column determine whether packets originating on the firewall itself and - destined for the EXTERNAL address are redirected to the internal ADDRESS. If - this column contains "yes" or "Yes" (and the ALL - INTERFACES COLUMN also contains "Yes" or "yes") then - such packets are redirected; otherwise, such packets are not redirected. The - LOCAL column was added in version 1.1.8.

    -
    - -
    -
    - -

    Last updated 3/27/2002 - -Tom -Eastep

    -Copyright2001, 2002 Thomas M. Eastep. \ No newline at end of file + +

    Note 1: The "ALL INTERFACES" column +is used to specify whether access to the external IP from all firewall + interfaces should undergo NAT (Yes or yes) or if only access from the + interface in the INTERFACE column should undergo NAT. If you leave this + column empty, "Yes" is assumed. The ALL INTERFACES column was added +in version 1.1.6.

    + +

    Note 2: Shorewall will automatically add the external address to the + specified interface unless you specify ADD_IP_ALIASES="no" (or "No") in +/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if +you set it to "Yes" or "yes" then you must NOT configure your own alias(es).

    + +

    Note 3: The contents of the "LOCAL" column +determine whether packets originating on the firewall itself and destined +for the EXTERNAL address are redirected to the internal ADDRESS. If this +column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains +"Yes" or "yes") then such packets are redirected; otherwise, such packets +are not redirected. The LOCAL column was added in version 1.1.8.

    + + +
    + +

    Last updated 1/11/2003 - Tom Eastep

    + Copyright © 2001, 2002, 2003 Thomas M. Eastep.
    + + diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm index 72cba3084..e46e810a4 100644 --- a/STABLE/documentation/News.htm +++ b/STABLE/documentation/News.htm @@ -2,1866 +2,1978 @@ - + Shorewall News - + + - + - + - - - + + - + + - - + +
    +
    - +

    Shorewall News Archive

    -
    - -

    12/27/2002 - Shorewall 1.3.12 Released

    -

    Features include:
    -

    + +

    1/13/2003 - Shorewall 1.3.13
    +

    +

    Just includes a few things that I had on the burner:
    +

      -
    1. "shorewall refresh" now reloads the traffic shaping rules (tcrules - and tcstart).
    2. -
    3. "shorewall debug [re]start" now turns off debugging after an error - occurs. This places the point of the failure near the end of the trace rather - than up in the middle of it.
    4. -
    5. "shorewall [re]start" has been speeded up by more than 40% with my - configuration. Your milage may vary.
    6. -
    7. A "shorewall show classifiers" command has been added which shows -the current packet classification filters. The output from this command is - also added as a separate page in "shorewall monitor"
    8. -
    9. ULOG (must be all caps) is now accepted as a valid syslog level and - causes the subject packets to be logged using the ULOG target rather than - the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to a separate log file.
    10. -
    11. If you are running a kernel that has a FORWARD chain in the mangle - table ("shorewall show mangle" will show you the chains in the mangle table), - you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking - input packets based on their destination even when you are using Masquerading - or SNAT.
    12. -
    13. I have cluttered up the /etc/shorewall directory with empty 'init', - 'start', 'stop' and 'stopped' files. If you already have a file with one - of these names, don't worry -- the upgrade process won't overwrite your file.
    14. -
    15. I have added a new RFC1918_LOG_LEVEL variable to shorewall.conf. This variable specifies -the syslog level at which packets are logged as a result of entries in the -/etc/shorewall/rfc1918 file. Previously, these packets were always logged -at the 'info' level.
      +
    16. A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules +file. DNAT- is intended for advanced users who wish to minimize the number +of rules that connection requests must traverse.
      +
      +A Shorewall DNAT rule actually generates two iptables rules: a header rewriting +rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- +rule only generates the first of these rules. This is handy when you have +several DNAT rules that would generate the same ACCEPT rule.
      +
      +   Here are three rules from my previous rules file:
      +
      +        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
      +        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
      +        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
      +
      +   These three rules ended up generating _three_ copies of
      +
      +         ACCEPT net  dmz:206.124.146.177 tcp smtp
      +
      +   By writing the rules this way, I end up with only one copy of the ACCEPT +rule.
      +
      +        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
      +        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
      +        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....
      +
      +
    17. +
    18. The 'shorewall check' command now prints out the applicable policy +between each pair of zones.
      +
      +
    19. +
    20. A new CLEAR_TC option has been added to shorewall.conf. If this option +is set to 'No' then Shorewall won't clear the current traffic control rules +during [re]start. This setting is intended for use by people that prefer +to configure traffic shaping when the network interfaces come up rather than +when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes +and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, +your traffic shaping rules can still use the 'fwmark' classifier based on +packet marking defined in /etc/shorewall/tcrules.
      +
      +
    21. +
    22. A new SHARED_DIR variable has been added that allows distribution packagers +to easily move the shared directory (default /usr/lib/shorewall). Users should +never have a need to change the value of this shorewall.conf setting.
    -

    12/20/2002 - Shorewall 1.3.12 Beta 3
    -

    - This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL -was set to anything but ULOG, the firewall would fail to start and "shorewall -refresh" would also fail.
    - -

    12/20/2002 - Shorewall 1.3.12 Beta 2

    - -

    The first public Beta version of Shorewall 1.3.12 is now available (Beta - 1 was made available only to a limited audience).
    -

    - Features include:
    - +

    1/6/2003 - BURNOUT (New) +

    + +

    Until further notice, I will not be involved in either Shorewall Development +or Shorewall Support

    + +

    -Tom Eastep
    +

    + +

    12/30/2002 - Shorewall Documentation in PDF Format

    + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. + the PDF may be downloaded from

    + +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    +     http://slovakia.shorewall.net/pub/shorewall/pdf/
    +

    + +

    12/27/2002 - Shorewall 1.3.12 Released

    + +

    Features include:
    +

    +
      -
    1. "shorewall refresh" now reloads the traffic shaping rules (tcrules - and tcstart).
    2. -
    3. "shorewall debug [re]start" now turns off debugging after an error - occurs. This places the point of the failure near the end of the trace rather - than up in the middle of it.
    4. -
    5. "shorewall [re]start" has been speeded up by more than 40% with - my configuration. Your milage may vary.
    6. -
    7. A "shorewall show classifiers" command has been added which shows - the current packet classification filters. The output from this command -is also added as a separate page in "shorewall monitor"
    8. -
    9. ULOG (must be all caps) is now accepted as a valid syslog level - and causes the subject packets to be logged using the ULOG target rather - than the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to a separate log file.
    10. -
    11. If you are running a kernel that has a FORWARD chain in the mangle - table ("shorewall show mangle" will show you the chains in the mangle table), - you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for - marking input packets based on their destination even when you are using - Masquerading or SNAT.
    12. -
    13. I have cluttered up the /etc/shorewall directory with empty 'init', - 'start', 'stop' and 'stopped' files. If you already have a file with one - of these names, don't worry -- the upgrade process won't overwrite your file.
    14. - +
    15. "shorewall refresh" now reloads the traffic shaping rules (tcrules + and tcstart).
    16. +
    17. "shorewall debug [re]start" now turns off debugging after an error + occurs. This places the point of the failure near the end of the trace +rather than up in the middle of it.
    18. +
    19. "shorewall [re]start" has been speeded up by more than 40% with + my configuration. Your milage may vary.
    20. +
    21. A "shorewall show classifiers" command has been added which shows + the current packet classification filters. The output from this command + is also added as a separate page in "shorewall monitor"
    22. +
    23. ULOG (must be all caps) is now accepted as a valid syslog level + and causes the subject packets to be logged using the ULOG target rather + than the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to a +separate log file.
    24. +
    25. If you are running a kernel that has a FORWARD chain in the mangle + table ("shorewall show mangle" will show you the chains in the mangle +table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking + input packets based on their destination even when you are using Masquerading + or SNAT.
    26. +
    27. I have cluttered up the /etc/shorewall directory with empty 'init', + 'start', 'stop' and 'stopped' files. If you already have a file with +one of these names, don't worry -- the upgrade process won't overwrite +your file.
    28. +
    29. I have added a new RFC1918_LOG_LEVEL variable to shorewall.conf. This variable specifies + the syslog level at which packets are logged as a result of entries in the + /etc/shorewall/rfc1918 file. Previously, these packets were always logged + at the 'info' level.
      +
    30. +
    - You may download the Beta from:
    - + +

    12/20/2002 - Shorewall 1.3.12 Beta 3
    +

    + This version corrects a problem with Blacklist logging. In Beta 2, if +BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would fail +to start and "shorewall refresh" would also fail.
    + +

    12/20/2002 - Shorewall 1.3.12 Beta 2

    + +

    The first public Beta version of Shorewall 1.3.12 is now available (Beta + 1 was made available only to a limited audience).
    +

    + Features include:
    + +
      +
    1. "shorewall refresh" now reloads the traffic shaping rules (tcrules + and tcstart).
    2. +
    3. "shorewall debug [re]start" now turns off debugging after an + error occurs. This places the point of the failure near the end of the + trace rather than up in the middle of it.
    4. +
    5. "shorewall [re]start" has been speeded up by more than 40% +with my configuration. Your milage may vary.
    6. +
    7. A "shorewall show classifiers" command has been added which +shows the current packet classification filters. The output from this command + is also added as a separate page in "shorewall monitor"
    8. +
    9. ULOG (must be all caps) is now accepted as a valid syslog level + and causes the subject packets to be logged using the ULOG target rather + than the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to a +separate log file.
    10. +
    11. If you are running a kernel that has a FORWARD chain in the +mangle table ("shorewall show mangle" will show you the chains in the mangle +table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This +allows for marking input packets based on their destination even when you +are using Masquerading or SNAT.
    12. +
    13. I have cluttered up the /etc/shorewall directory with empty +'init', 'start', 'stop' and 'stopped' files. If you already have a file +with one of these names, don't worry -- the upgrade process won't overwrite +your file.
    14. + +
    + You may download the Beta from:
    +
    http://www.shorewall.net/pub/shorewall/Beta
    - ftp://ftp.shorewall.net/pub/shorewall/Beta
    -
    - + +

    12/12/2002 - Mandrake Multi Network Firewall Powered by Mandrake Linux -

    - Shorewall is at the center of MandrakeSoft's recently-announced Multi - Network Firewall (MNF) product. Here is the press - release.
    - +

    + Shorewall is at the center of MandrakeSoft's recently-announced + Multi + Network Firewall (MNF) product. Here is the press + release.
    +

    12/7/2002 - Shorewall Support for Mandrake 9.0

    - -

    Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. - I have installed 9.0 on one of my systems and I am now in a position to - support Shorewall users who run Mandrake 9.0.

    - + +

    Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. + I have installed 9.0 on one of my systems and I am now in a position + to support Shorewall users who run Mandrake 9.0.

    +

    12/6/2002 - Debian 1.3.11a Packages Available
    -

    - +

    +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    12/3/2002 - Shorewall 1.3.11a

    - -

    This is a bug-fix roll up which includes Roger Aich's fix for DNAT with - excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who - don't need rules of this type need not upgrade to 1.3.11.

    - + +

    This is a bug-fix roll up which includes Roger Aich's fix for DNAT with + excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users +who don't need rules of this type need not upgrade to 1.3.11.

    +

    11/24/2002 - Shorewall 1.3.11

    - +

    In this version:

    - + - +

    11/14/2002 - Shorewall Documentation in PDF Format

    - -

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. - the PDF may be downloaded from

    - + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. + the PDF may be downloaded from

    +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    -     http://slovakia.shorewall.net/pub/shorewall/pdf/
    -

    - -

    11/09/2002 - Shorewall is Back at SourceForge -

    - +

    + +

    11/09/2002 - Shorewall is Back at SourceForge +

    +

    The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
    -

    - +

    +

    11/09/2002 - Shorewall 1.3.10

    - +

    In this version:

    - + - +

    10/24/2002 - Shorewall is now in Gentoo Linux
    -

    - Alexandru Hartmann reports that his Shorewall package is -now a part of the Gentoo Linux distribution. - Thanks Alex!
    - +

    + Alexandru Hartmann reports that his Shorewall package +is now a part of the Gentoo Linux distribution. + Thanks Alex!
    +

    10/23/2002 - Shorewall 1.3.10 Beta 1

    - In this version:
    + In this version:
    + + + You may download the Beta from:
    + + + +

    10/10/2002 -  Debian 1.3.9b Packages Available
    +

    + +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    + +

    10/9/2002 - Shorewall 1.3.9b

    + This release rolls up fixes to the installer and to +the firewall script.
    + +

    10/6/2002 - Shorewall.net now running on RH8.0
    +

    + The firewall and server here at shorewall.net are +now running RedHat release 8.0.
    +
    + 9/30/2002 - Shorewall 1.3.9a

    + Roles up the fix for broken tunnels.
    + +

    9/30/2002 - TUNNELS Broken in 1.3.9!!!

    + There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall.
    + +

    9/28/2002 - Shorewall 1.3.9

    + +

    In this version:
    +

    - You may download the Beta from:
    - - - -

    10/10/2002 -  Debian 1.3.9b Packages Available
    -

    - -

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - -

    10/9/2002 - Shorewall 1.3.9b

    - This release rolls up fixes to the installer and to the -firewall script.
    - -

    10/6/2002 - Shorewall.net now running on RH8.0
    -

    - The firewall and server here at shorewall.net are now -running RedHat release 8.0.
    -
    - 9/30/2002 - Shorewall 1.3.9a

    - Roles up the fix for broken tunnels.
    - -

    9/30/2002 - TUNNELS Broken in 1.3.9!!!

    - There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall.
    - -

    9/28/2002 - Shorewall 1.3.9

    - -

    In this version:
    -

    - - - -

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
    -

    - 9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
    +

    + Brown Paper Bag - A couple of recent configuration changes at www.shorewall.net - broke the Search facility:
    + A couple of recent configuration changes at + www.shorewall.net broke the Search facility:
    - -
    - + +
    +
      -
    1. Mailing List Archive Search was not available.
    2. -
    3. The Site Search index was incomplete
    4. -
    5. Only one page of matches was presented.
    6. - - -
    -
    - Hopefully these problems are now corrected. - -

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
    -

    - A couple of recent configuration changes at www.shorewall.net - had the negative effect of breaking the Search facility:
    - -
      -
    1. Mailing List Archive Search was not available.
    2. -
    3. The Site Search index was incomplete
    4. -
    5. Only one page of matches was presented.
    6. - -
    - Hopefully these problems are now corrected.
    - -

    9/18/2002 -  Debian 1.3.8 Packages Available
    -

    - -

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - -

    9/16/2002 - Shorewall 1.3.8

    - -

    In this version:
    -

    - -
    + Hopefully these problems are now corrected. + +

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
    +

    + A couple of recent configuration changes at +www.shorewall.net had the negative effect of breaking the Search +facility:
    - - +
      +
    1. Mailing List Archive Search was not available.
    2. +
    3. The Site Search index was incomplete
    4. +
    5. Only one page of matches was presented.
    6. + +
    + Hopefully these problems are now corrected.
    + +

    9/18/2002 -  Debian 1.3.8 Packages Available
    +

    + +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    + +

    9/16/2002 - Shorewall 1.3.8

    + +

    In this version:
    +

    + - + + + +

    9/11/2002 - Debian 1.3.7c Packages Available

    - +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    9/2/2002 - Shorewall 1.3.7c

    - -

    This is a role up of a fix for "DNAT" rules where the source zone is $FW - (fw).

    + +

    This is a role up of a fix for "DNAT" rules where the source zone is $FW + (fw).

    - +

    8/31/2002 - I'm not available

    - -

    I'm currently on vacation  -- please respect my need for a couple of - weeks free of Shorewall problem reports.

    + +

    I'm currently on vacation  -- please respect my need for a couple of +weeks free of Shorewall problem reports.

    - +

    -Tom

    - +

    8/26/2002 - Shorewall 1.3.7b

    - -

    This is a role up of the "shorewall refresh" bug fix and the change which - reverses the order of "dhcp" and "norfc1918" checking.

    + +

    This is a role up of the "shorewall refresh" bug fix and the change which + reverses the order of "dhcp" and "norfc1918" checking.

    - +

    8/26/2002 - French FTP Mirror is Operational

    - +

    ftp://france.shorewall.net/pub/mirrors/shorewall - is now available.

    + href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall + is now available.

    - +

    8/25/2002 - Shorewall Mirror in France

    - -

    Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored - at http://france.shorewall.net.

    + +

    Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored + at http://france.shorewall.net.

    - +

    8/25/2002 - Shorewall 1.3.7a Debian Packages Available

    - -

    Lorenzo Martignoni reports that the packages for version 1.3.7a are available - at Lorenzo Martignoni reports that the packages for version 1.3.7a are available + at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - -

    8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author - -- Shorewall 1.3.7a released8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author + -- Shorewall 1.3.7a released -

    +

    - -

    1.3.7a corrects problems occurring in rules file processing when starting - Shorewall 1.3.7.

    + +

    1.3.7a corrects problems occurring in rules file processing when starting + Shorewall 1.3.7.

    - +

    8/22/2002 - Shorewall 1.3.7 Released 8/13/2002

    - +

    Features in this release include:

    - + - -

    I would like to thank John Distler for his valuable input regarding TCP - SYN and ICMP treatment in Shorewall. That input has led to - marked improvement in Shorewall in the last two releases.

    + +

    I would like to thank John Distler for his valuable input regarding TCP + SYN and ICMP treatment in Shorewall. That input has led +to marked improvement in Shorewall in the last two releases.

    - +

    8/13/2002 - Documentation in the CVS Repository

    - -

    The Shorewall-docs project now contains just the HTML and image files - -the Frontpage files have been removed.

    + +

    The Shorewall-docs project now contains just the HTML and image files +- the Frontpage files have been removed.

    - +

    8/7/2002 - STABLE branch added to CVS Repository

    - -

    This branch will only be updated after I release a new version of Shorewall - so you can always update from this branch to get the latest - stable tree.

    + +

    This branch will only be updated after I release a new version of Shorewall + so you can always update from this branch to get the latest + stable tree.

    - -

    8/7/2002 - Upgrade Issues section added - to the Errata Page

    + +

    8/7/2002 - Upgrade Issues section +added to the Errata Page

    - -

    Now there is one place to go to look for issues involved with upgrading - to recent versions of Shorewall.

    + +

    Now there is one place to go to look for issues involved with upgrading + to recent versions of Shorewall.

    - +

    8/7/2002 - Shorewall 1.3.6

    - +

    This is primarily a bug-fix rollup with a couple of new features:

    - + - +

    7/30/2002 - Shorewall 1.3.5b Released

    - +

    This interim release:

    - + - +

    7/29/2002 - New Shorewall Setup Guide Available

    - +

    The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. - The guide is intended for use by people who are setting up - Shorewall to manage multiple public IP addresses and by people - who want to learn more about Shorewall than is described in the - single-address guides. Feedback on the new guide is welcome.

    + href="http://www.shorewall.net/shorewall_setup_guide.htm"> http://www.shorewall.net/shorewall_setup_guide.htm. + The guide is intended for use by people who are setting +up Shorewall to manage multiple public IP addresses and by +people who want to learn more about Shorewall than is described +in the single-address guides. Feedback on the new guide is welcome.

    - +

    7/28/2002 - Shorewall 1.3.5 Debian Package Available

    - -

    Lorenzo Martignoni reports that the packages are version 1.3.5a and are - available at Lorenzo Martignoni reports that the packages are version 1.3.5a and are + available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    7/27/2002 - Shorewall 1.3.5a Released

    - +

    This interim release restores correct handling of REDIRECT rules.

    - +

    7/26/2002 - Shorewall 1.3.5 Released

    - -

    This will be the last Shorewall release for a while. I'm going to be - focusing on rewriting a lot of the documentation.

    + +

    This will be the last Shorewall release for a while. I'm going to be +focusing on rewriting a lot of the documentation.

    - +

     In this version:

    - + - +

    7/16/2002 - New Mirror in Argentina

    - -

    Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in - Argentina. Thanks Buanzo!!!

    + +

    Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in + Argentina. Thanks Buanzo!!!

    - +

    7/16/2002 - Shorewall 1.3.4 Released

    - +

    In this version:

    - + - +

    7/8/2002 - Shorewall 1.3.3 Debian Package Available

    - +

    Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    7/6/2002 - Shorewall 1.3.3 Released

    - +

    In this version:

    - + - +

    6/25/2002 - Samples Updated for 1.3.2

    - -

    The comments in the sample configuration files have been updated to reflect - new features introduced in Shorewall 1.3.2.

    + +

    The comments in the sample configuration files have been updated to reflect + new features introduced in Shorewall 1.3.2.

    - +

    6/25/2002 - Shorewall 1.3.1 Debian Package Available

    - +

    Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    6/19/2002 - Documentation Available in PDF Format

    - -

    Thanks to Mike Martinez, the Shorewall Documentation is now available for - download in Adobe - PDF format.

    + +

    Thanks to Mike Martinez, the Shorewall Documentation is now available +for download in Adobe PDF format.

    - +

    6/16/2002 - Shorewall 1.3.2 Released

    - +

    In this version:

    - + - +

    6/6/2002 - Why CVS Web access is Password Protected

    - -

    Last weekend, I installed the CVS Web package to provide brower-based access - to the Shorewall CVS repository. Since then, I have had several instances -where my server was almost unusable due to the high load generated by website -copying tools like HTTrack and WebStripper. These mindless tools:

    + +

    Last weekend, I installed the CVS Web package to provide brower-based +access to the Shorewall CVS repository. Since then, I have had several +instances where my server was almost unusable due to the high load generated +by website copying tools like HTTrack and WebStripper. These mindless tools:

    - + - -

    These tools/weapons are particularly damaging when combined with CVS Web - because they doggedly follow every link in the cgi-generated - HTML resulting in 1000s of executions of the cvsweb.cgi script. - Yesterday, I spend several hours implementing measures to block - these tools but unfortunately, these measures resulted in my server - OOM-ing under even moderate load.

    + +

    These tools/weapons are particularly damaging when combined with CVS Web + because they doggedly follow every link in the cgi-generated + HTML resulting in 1000s of executions of the cvsweb.cgi script. + Yesterday, I spend several hours implementing measures to +block these tools but unfortunately, these measures resulted +in my server OOM-ing under even moderate load.

    - -

    Until I have the time to understand the cause of the OOM (or until I buy - more RAM if that is what is required), CVS Web access will - remain Password Protected.

    + +

    Until I have the time to understand the cause of the OOM (or until I buy + more RAM if that is what is required), CVS Web access will + remain Password Protected.

    - +

    6/5/2002 - Shorewall 1.3.1 Debian Package Available

    - +

    Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    6/2/2002 - Samples Corrected

    - -

    The 1.3.0 samples configurations had several serious problems that prevented - DNS and SSH from working properly. These problems have been - corrected in the 1.3.1 - samples.

    + +

    The 1.3.0 samples configurations had several serious problems that prevented + DNS and SSH from working properly. These problems have +been corrected in the 1.3.1 samples.

    - +

    6/1/2002 - Shorewall 1.3.1 Released

    - +

    Hot on the heels of 1.3.0, this release:

    - + - +

    5/29/2002 - Shorewall 1.3.0 Released

    - -

    In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 - includes:

    + +

    In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 + includes:

    - + - +

    5/23/2002 - Shorewall 1.3 RC1 Available

    - -

    In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) - incorporates the following:

    + +

    In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) + incorporates the following:

    - + - +

    5/19/2002 - Shorewall 1.3 Beta 2 Available

    - -

    In addition to the changes in Beta 1, this release which carries the - designation 1.2.91 adds:

    + +

    In addition to the changes in Beta 1, this release which carries the +designation 1.2.91 adds:

    - + - +

    5/17/2002 - Shorewall 1.3 Beta 1 Available

    - -

    Beta 1 carries the version designation 1.2.90 and implements the following - features:

    + +

    Beta 1 carries the version designation 1.2.90 and implements the following + features:

    - + - +

    5/4/2002 - Shorewall 1.2.13 is Available

    - +

    In this version:

    - + - +

    4/30/2002 - Shorewall Debian News

    - -

    Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian -Testing Branch and the Debian -Unstable Branch.

    + +

    Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the +Debian + Testing Branch and the Debian + Unstable Branch.

    - +

    4/20/2002 - Shorewall 1.2.12 is Available

    - + - +

    4/17/2002 - Shorewall Debian News

    - +

    Lorenzo Marignoni reports that:

    - + - +

    Thanks, Lorenzo!

    - +

    4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE

    - -

    Thanks to Stefan Mohr, there - is now a Shorewall 1.2.11 - SuSE RPM available.

    + +

    Thanks to Stefan Mohr, there + is now a Shorewall 1.2.11 + SuSE RPM available.

    - +

    4/13/2002 - Shorewall 1.2.11 Available

    - +

    In this version:

    - + - +

    4/13/2002 - Hamburg Mirror now has FTP

    - +

    Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.  - Thanks Stefan!

    + href="ftp://germany.shorewall.net/pub/shorewall"> ftp://germany.shorewall.net/pub/shorewall.  + Thanks Stefan!

    - +

    4/12/2002 - New Mirror in Hamburg

    - -

    Thanks to Stefan Mohr, there - is now a mirror of the Shorewall website at http://germany.shorewall.net. -

    + +

    Thanks to Stefan Mohr, there + is now a mirror of the Shorewall website at http://germany.shorewall.net. +

    - +

    4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available

    - -

    Version 1.1 of the QuickStart - Guide is now available. Thanks to those who have read -version 1.0 and offered their suggestions. Corrections have also -been made to the sample scripts.

    + +

    Version 1.1 of the QuickStart + Guide is now available. Thanks to those who have read + version 1.0 and offered their suggestions. Corrections have + also been made to the sample scripts.

    - +

    4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available

    - -

    Version 1.0 of the QuickStart - Guide is now available. This Guide and its accompanying - sample configurations are expected to provide a replacement -for the recently withdrawn parameterized samples.

    + +

    Version 1.0 of the QuickStart + Guide is now available. This Guide and its accompanying + sample configurations are expected to provide a replacement + for the recently withdrawn parameterized samples.

    - +

    4/8/2002 - Parameterized Samples Withdrawn

    - +

    Although the parameterized - samples have allowed people to get a firewall up and running - quickly, they have unfortunately set the wrong level of expectation - among those who have used them. I am therefore withdrawing -support for the samples and I am recommending that they not -be used in new Shorewall installations.

    + href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized + samples have allowed people to get a firewall up and + running quickly, they have unfortunately set the wrong level + of expectation among those who have used them. I am therefore + withdrawing support for the samples and I am recommending that + they not be used in new Shorewall installations.

    - +

    4/2/2002 - Updated Log Parser

    - -

    John Lodge has provided an updated - version of his CGI-based - log parser with corrected date handling.

    + +

    John Lodge has provided an updated + version of his CGI-based + log parser with corrected date handling.

    - +

    3/30/2002 - Shorewall Website Search Improvements

    - -

    The quick search on the home page now excludes the mailing list archives. - The Extended Search allows - excluding the archives or restricting the search to just the - archives. An archive search form is also available on the mailing list information page.

    + +

    The quick search on the home page now excludes the mailing list archives. + The Extended Search allows + excluding the archives or restricting the search to just +the archives. An archive search form is also available on the +mailing list information page.

    - +

    3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

    - + - +

    3/25/2002 - Log Parser Available

    - +

    John Lodge has provided a CGI-based log parser for Shorewall. Thanks - John.

    + href="pub/shorewall/parsefw/">CGI-based log parser for Shorewall. Thanks + John.

    - +

    3/20/2002 - Shorewall 1.2.10 Released

    - +

    In this version:

    - + - +

    3/11/2002 - Shorewall 1.2.9 Released

    - +

    In this version:

    - + - +

    3/1/2002 - 1.2.8 Debian Package is Available

    - +

    See http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/25/2002 - New Two-interface Sample

    - -

    I've enhanced the two interface sample to allow access from the firewall - to servers in the local zone - - http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    - + +

    I've enhanced the two interface sample to allow access from the firewall + to servers in the local zone - + http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    +

    2/23/2002 - Shorewall 1.2.8 Released

    - -

    Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects - problems associated with the lock file used to prevent multiple state-changing - operations from occuring simultaneously. My apologies for -any inconvenience my carelessness may have caused.

    + +

    Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects + problems associated with the lock file used to prevent multiple state-changing + operations from occuring simultaneously. My apologies for + any inconvenience my carelessness may have caused.

    - +

    2/22/2002 - Shorewall 1.2.7 Released

    - +

    In this version:

    - + - +

    2/18/2002 - 1.2.6 Debian Package is Available

    - +

    See http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/8/2002 - Shorewall 1.2.6 Released

    - +

    In this version:

    - + - +

    2/4/2002 - Shorewall 1.2.5 Debian Package Available

    - +

    see http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/1/2002 - Shorewall 1.2.5 Released

    - -

    Due to installation problems with Shorewall 1.2.4, I have released Shorewall - 1.2.5. Sorry for the rapid-fire development.

    + +

    Due to installation problems with Shorewall 1.2.4, I have released Shorewall + 1.2.5. Sorry for the rapid-fire development.

    - +

    In version 1.2.5:

    - + - +

    1/28/2002 - Shorewall 1.2.4 Released

    - + - +

    1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    1/20/2002 - Corrected firewall script available 

    - -

    Corrects a problem with BLACKLIST_LOGLEVEL. See the - errata for details.

    + +

    Corrects a problem with BLACKLIST_LOGLEVEL. See the + errata for details.

    - +

    1/19/2002 - Shorewall 1.2.3 Released

    - +

    This is a minor feature and bugfix release. The single new feature is:

    - + - +

    The following problems were corrected:

    - + - +

    1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release

    - -

    Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution - that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo - for details.

    + +

    Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution + that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo + for details.

    - +

    1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 - Shorewall Debian package is now available. There is a link to - Lorenzo's site from the Shorewall download - page.

    + href="mailto:lorenzo.martignoni@milug.org">Lorenzo Martignoni, a 1.2.2 + Shorewall Debian package is now available. There is a link + to Lorenzo's site from the Shorewall +download page.

    - +

    1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores - the "shorewall status" command to health.

    + href="/pub/shorewall/errata/1.2.2/shorewall">This corrected version restores + the "shorewall status" command to health.

    - +

    1/8/2002 - Shorewall 1.2.2 Released

    - +

    In version 1.2.2

    - + - -

    1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates - to the previously-released samples. There are two new rules -added:

    - - - - -

    See the README file for upgrade instructions.

    - -

    1/1/2002 - Shorewall Mailing List Moving

    - - -

    The Shorewall mailing list hosted at - Sourceforge is moving to Shorewall.net. If you are a current - subscriber to the list at Sourceforge, please see these instructions. - If you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.

    - - -

    12/31/2001 - Shorewall 1.2.1 Released

    - - -

    In version 1.2.1:

    - - - - -

    12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing -1.2 on 12/21/2001

    - - -

    Version 1.2 contains the following new features:

    - - - - -

    For the next month or so, I will continue to provide corrections to version - 1.1.18 as necessary so that current version 1.1.x users will - not be forced into a quick upgrade to 1.2.0 just to have access - to bug fixes.

    - -

    For those of you who have installed one of the Beta RPMS, you will need - to use the "--oldpackage" option when upgrading to 1.2.0:

    - -
    - -

    rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm

    -
    - - -

    12/19/2001 - Thanks to Steve - Cowles, there is now a Shorewall mirror in Texas. This - web site is mirrored at http://www.infohiiway.com/shorewall - and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall. 

    - - -

    11/30/2001 - A new set of the parameterized Sample -Configurations has been released. In this version:

    - - - - -

    11/20/2001 - The current version of Shorewall is 1.1.18. 

    - - -

    In this version:

    - - - - - -

    11/19/2001 - Thanks to Juraj - Ontkanin, there is now a Shorewall mirror in the -Slovak Republic. The website is now mirrored at http://www.nrg.sk/mirror/shorewall - and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

    - - -

    11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. - There are three sample configurations:

    - - - + + +
  • A LOGFILE specification has + been added to /etc/shorewall/shorewall.conf. LOGFILE is used + to tell the /sbin/shorewall program where to look for Shorewall + messages.
  • + + + +

    1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates + to the previously-released samples. There are two new rules + added:

    + + + + +

    See the README file for upgrade instructions.

    + +

    1/1/2002 - Shorewall Mailing List Moving

    + + +

    The Shorewall mailing list hosted at + Sourceforge is moving to Shorewall.net. If you are a +current subscriber to the list at Sourceforge, please see these instructions. + If you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.

    + + +

    12/31/2001 - Shorewall 1.2.1 Released

    + + +

    In version 1.2.1:

    + + + + +

    12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist +releasing 1.2 on 12/21/2001

    + + +

    Version 1.2 contains the following new features:

    + + + + +

    For the next month or so, I will continue to provide corrections to version + 1.1.18 as necessary so that current version 1.1.x users will + not be forced into a quick upgrade to 1.2.0 just to have access + to bug fixes.

    + +

    For those of you who have installed one of the Beta RPMS, you will need + to use the "--oldpackage" option when upgrading to 1.2.0:

    + +
    + +

    rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm

    +
    + + +

    12/19/2001 - Thanks to Steve + Cowles, there is now a Shorewall mirror in Texas. This + web site is mirrored at http://www.infohiiway.com/shorewall + and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall. 

    + + +

    11/30/2001 - A new set of the parameterized Sample + Configurations has been released. In this version:

    + + + + +

    11/20/2001 - The current version of Shorewall is 1.1.18. 

    + + +

    In this version:

    + + + + + +

    11/19/2001 - Thanks to Juraj + Ontkanin, there is now a Shorewall mirror in the + Slovak Republic. The website is now mirrored at http://www.nrg.sk/mirror/shorewall + and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

    + + +

    11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. + There are three sample configurations:

    + + + + +

    Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 - . See the README file for instructions.

    + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 + . See the README file for instructions.

    - -

    11/1/2001 - The current version of Shorewall is 1.1.17.  I intend - this to be the last of the 1.1 Shorewall releases.

    + +

    11/1/2001 - The current version of Shorewall is 1.1.17.  I intend + this to be the last of the 1.1 Shorewall releases.

    - +

    In this version:

    - + + +

    10/22/2001 - The current version of Shorewall is 1.1.16. In this + version:

    + + + +

    10/15/2001 - The current version of Shorewall is 1.1.15. In this + version:

    + + -

    10/22/2001 - The current version of Shorewall is 1.1.16. In this - version:

    - - +

    10/4/2001 - The current version of Shorewall is 1.1.14. In this + version

    -

    10/15/2001 - The current version of Shorewall is 1.1.15. In this - version:

    - - -

    10/4/2001 - The current version of Shorewall is 1.1.14. In this - version

    - - - -

    9/12/2001 - The current version of Shorewall is 1.1.13. In this - version

    - + +

    9/12/2001 - The current version of Shorewall is 1.1.13. In this + version

    + - -

    8/28/2001 - The current version of Shorewall is 1.1.12. In this - version

    - + +

    8/28/2001 - The current version of Shorewall is 1.1.12. In this + version

    + - -

    7/28/2001 - The current version of Shorewall is 1.1.11. In this - version

    - + +

    7/28/2001 - The current version of Shorewall is 1.1.11. In this + version

    + - -

    7/6/2001 - The current version of Shorewall is 1.1.10. In this version

    - + +

    7/6/2001 - The current version of Shorewall is 1.1.10. In this +version

    + - -

    6/23/2001 - The current version of Shorewall is 1.1.9. In this version

    - + +

    6/23/2001 - The current version of Shorewall is 1.1.9. In this +version

    + - -

    6/18/2001 - The current version of Shorewall is 1.1.8. In this version

    - + +

    6/18/2001 - The current version of Shorewall is 1.1.8. In this +version

    + - +

    6/2/2001 - The current version of Shorewall is 1.1.7. In this version

    - + - -

    5/25/2001 - The current version of Shorewall is 1.1.6. In this version

    - + +

    5/25/2001 - The current version of Shorewall is 1.1.6. In this +version

    + - -

    5/20/2001 - The current version of Shorewall is 1.1.5. In this version

    - + +

    5/20/2001 - The current version of Shorewall is 1.1.5. In this +version

    + - -

    5/10/2001 - The current version of Shorewall is 1.1.4. In this version

    - + +

    5/10/2001 - The current version of Shorewall is 1.1.4. In this +version

    + - -

    4/28/2001 - The current version of Shorewall is 1.1.3. In this version

    - + +

    4/28/2001 - The current version of Shorewall is 1.1.3. In this +version

    + - -

    4/12/2001 - The current version of Shorewall is 1.1.2. In this version

    - + +

    4/12/2001 - The current version of Shorewall is 1.1.2. In this +version

    + - +

    4/8/2001 - Shorewall is now affiliated with the Leaf Project -

    - +

    +

    4/5/2001 - The current version of Shorewall is 1.1.1. In this version:

    - + - +

    3/25/2001 - The current version of Shorewall is 1.1.0. In this version:

    - + - +

    3/19/2001 - The current version of Shorewall is 1.0.4. This version:

    - + - -

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix - release with no new features.

    - + +

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix + release with no new features.

    + - -

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an - additional "gw" (gateway) zone for tunnels and it supports - IPSEC tunnels with end-points on the firewall. There is also + +

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an + additional "gw" (gateway) zone for tunnels and it supports + IPSEC tunnels with end-points on the firewall. There is also a .lrp available now.

    - -

    Updated 12/27/2002 - Tom Eastep -

    - -

    Copyright2001, 2002 Thomas M. Eastep.
    -

    + +

    Updated 1/13/2003 - Tom Eastep +

    + +

    Copyright © 2001, 2002 Thomas M. Eastep.
    +

    +
    +
    +

    diff --git a/STABLE/documentation/PPTP.htm b/STABLE/documentation/PPTP.htm index 21aa4560b..a2cca4472 100644 --- a/STABLE/documentation/PPTP.htm +++ b/STABLE/documentation/PPTP.htm @@ -891,8 +891,8 @@ yet and reject the initial TCP connection request if I enable ECN :-(

    Last modified 10/23/2002 - Tom Eastep

    -

    Copyright2001, 2002 Thomas M. Eastep.

    +

    Copyright2001, 2002 Thomas M. Eastep.



    diff --git a/STABLE/documentation/ProxyARP.htm b/STABLE/documentation/ProxyARP.htm index c42ae0a9d..e0021cd3d 100644 --- a/STABLE/documentation/ProxyARP.htm +++ b/STABLE/documentation/ProxyARP.htm @@ -1,106 +1,164 @@ + - - -Shorewall Proxy ARP - - - + + + Shorewall Proxy ARP + + + + + + - - - - + + +
    + + + + + + +
    +

    Proxy ARP

    +
    + +

    Proxy ARP allows you to insert a firewall in front of a set of servers + without changing their IP addresses and without having to re-subnet. +Before you try to use this technique, I strongly recommend that you read +the Shorewall Setup Guide.

    + +

    The following figure represents a Proxy ARP environment.

    + +
    +

    +

    + +
    +
    + +

    Proxy ARP can be used to make the systems with addresses + 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) + subnet.  Assuming that the upper firewall interface is eth0 and the + lower interface is eth1, this is accomplished using the following entries +in /etc/shorewall/proxyarp:

    + +
    + + - - -
    -

    Proxy ARP

    -
    -

    Proxy ARP allows you to insert a firewall in front of a set of servers - without changing their IP addresses and without having to re-subnet.

    -

    The following figure represents a Proxy ARP - environment.

    - -
    -

    -

    -
    -
    -
    - -

    Proxy ARP can be used to make the systems with addresses - 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) - subnet.  Assuming that the upper firewall interface is eth0 and the - lower interface is eth1, this is accomplished using the following entries in - /etc/shorewall/proxyarp:

    - -
    - - - - - - - - - - - - - - - - - - - -
    ADDRESSINTERFACEEXTERNALHAVEROUTE
    130.252.100.18eth1eth0no
    130.252.100.19eth1eth0no
    -
    - -

    Be sure that the internal systems (130.242.100.18 and 130.252.100.19  - in the above example) are not included in any specification in - /etc/shorewall/masq or /etc/shorewall/nat.

    -

    Note that I've used an RFC1918 IP address for eth1 - that IP address is - irrelevant.

    -

    The lower systems (130.252.100.18 and 130.252.100.19) should have their - subnet mask and default gateway configured exactly the same way that the - Firewall system's eth0 is configured.

    -
    -

    A word of warning is in order here. ISPs typically configure - their routers with a long ARP cache timeout. If you move a system from - parallel to your firewall to behind your firewall with Proxy ARP, it will - probably be HOURS before that system can communicate with the internet. You - can call your ISP and ask them to purge the stale ARP cache entry but many - either can't or won't purge individual entries. You can determine if your - ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we - suspect that the gateway router has a stale ARP cache entry for 130.252.100.19. - On the firewall, run tcpdump as follows:

    -
    -
    	tcpdump -nei eth0 icmp
    + ADDRESS + INTERFACE + EXTERNAL + HAVEROUTE + + + 130.252.100.18 + eth1 + eth0 + no + + + 130.252.100.19 + eth1 + eth0 + no + + + + +
    + +

    Be sure that the internal systems (130.242.100.18 and 130.252.100.19  + in the above example) are not included in any specification in +/etc/shorewall/masq or /etc/shorewall/nat.

    + +

    Note that I've used an RFC1918 IP address for eth1 - that IP address is + irrelevant.

    + +

    The lower systems (130.252.100.18 and 130.252.100.19) should have their + subnet mask and default gateway configured exactly the same way that +the Firewall system's eth0 is configured.

    + +
    +

    A word of warning is in order here. ISPs typically configure + their routers with a long ARP cache timeout. If you move a system from + parallel to your firewall to behind your firewall with Proxy ARP, it will + probably be HOURS before that system can communicate with the internet. +There are a couple of things that you can try:
    +

    +
      +
    1. (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP Illustrated, +Vol 1 reveals that a
      +
      +"gratuitous" ARP packet should cause the ISP's router to refresh their ARP +cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC +address for its own IP; in addition to ensuring that the IP address isn't +a duplicate...
      +
      +"if the host sending the gratuitous ARP has just changed its hardware address..., +this packet causes any other host...that has an entry in its cache for the +old hardware address to update its ARP cache entry accordingly."
      +
      +Which is, of course, exactly what you want to do when you switch a host from +being exposed to the Internet to behind Shorewall using proxy ARP (or static +NAT for that matter). Happily enough, recent versions of Redhat's iputils +package include "arping", whose "-U" flag does just that:
      +
      +    arping -U -I <net if> <newly proxied +IP>
      +    arping -U -I eth0 66.58.99.83 # for example
      +
      +Stevens goes on to mention that not all systems respond correctly to gratuitous +ARPs, but googling for "arping -U" seems to support the idea that it works +most of the time.
      +
      +
    2. +
    3. You can call your ISP and ask them to purge the stale ARP cache +entry but many either can't or won't purge individual entries.
    4. +
    +You can determine if your ISP's gateway ARP cache is stale using ping +and tcpdump. Suppose that we suspect that the gateway router has a stale +ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:
    + +
    +
    	tcpdump -nei eth0 icmp
    +
    + +
    +

    Now from 130.252.100.19, ping the ISP's gateway (which we +will assume is 130.252.100.254):

    -
    -

    Now from 130.252.100.19, ping the ISP's gateway (which we will - assume is 130.252.100.254):

    -
    -
    	ping 130.252.100.254
    + +
    +
    	ping 130.252.100.254
    +
    + +
    +

    We can now observe the tcpdump output:

    -
    -

    We can now observe the tcpdump output:

    -
    -
    	13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
    -	13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply
    + +
    +
    	13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
    13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply
    +
    + +
    +

    Notice that the source MAC address in the echo request is + different from the destination MAC address in the echo reply!! In this +case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 + was the MAC address of the system on the lower left. In other words, the +gateway's ARP cache still associates 130.252.100.19 with the NIC in that +system rather than with the firewall's eth0.

    -
    -

    Notice that the source MAC address in the echo request is - different from the destination MAC address in the echo reply!! In this case - 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 - was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still - associates 130.252.100.19 with the NIC in that system rather than with the firewall's - eth0.

    - -

    Last updated 8/17/2002 - -Tom -Eastep

    -Copyright2001, 2002 Thomas M. Eastep. \ No newline at end of file + +

    Last updated 1/11/2003 - Tom Eastep

    + Copyright © 2001, 2002, 2003 Thomas M. Eastep.
    + + diff --git a/STABLE/documentation/Shorewall_CA_html.html b/STABLE/documentation/Shorewall_CA_html.html index 50fc2aec9..10f1e9a18 100644 --- a/STABLE/documentation/Shorewall_CA_html.html +++ b/STABLE/documentation/Shorewall_CA_html.html @@ -29,9 +29,9 @@ I can hardly justify paying $200US+ a year to a Certificate Authority such as Thawte (A Division of VeriSign) for an X.509 certificate to prove that I am who I am. I have therefore established my own Certificate Authority (CA) -and sign my own X.509 certificates. I use these certificates on my web server -(http://www.shorewall.net) as well -as on my mail server (mail.shorewall.net).
    +and sign my own X.509 certificates. I use these certificates on my mail server +(https://mail.shorewall.net) +which hosts parts of this web site.

    X.509 certificates are the basis for the Secure Socket Layer (SSL). As part of establishing an SSL session (URL https://...), your browser verifies the @@ -57,7 +57,7 @@ to accept the sleezy X.509 certificate being presented by my server.
    There are two things that you can do:
      -
    1. You can accept the www.shorewall.net certificate when your browser +
    2. You can accept the mail.shorewall.net certificate when your browser asks -- your acceptence of the certificate can be temporary (for that access only) or perminent.
    3. You can download and install my (self-signed) CA @@ -75,14 +75,14 @@ intented to go to your bank's server to one of my systems that will present your browser with a bogus certificate claiming that my server is that of your bank.
    4. If you only accept my server's certificate when prompted then the -most that you have to loose is that when you connect to https://www.shorewall.net, +most that you have to loose is that when you connect to https://mail.shorewall.net, the server you are connecting to might not be mine.
    I have my CA certificate loaded into all of my browsers but I certainly won't be offended if you decline to load it into yours... :-)
    -

    Last Updated 11/14/2002 - Tom Eastep

    +

    Last Updated 12/29/2002 - Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    diff --git a/STABLE/documentation/Shorewall_CVS_Access.html b/STABLE/documentation/Shorewall_CVS_Access.html index 7e1182e98..2bdd36ba8 100644 --- a/STABLE/documentation/Shorewall_CVS_Access.html +++ b/STABLE/documentation/Shorewall_CVS_Access.html @@ -2,50 +2,51 @@ Shorewall CVS Access - + - + - + - - - - - - + + + + + +
    -

    Shorewall CVS Access -

    -
    -
    +

    Shorewall CVS Access +

    +
    +
    -
    - Lots of people try to download the entire Shorewall website for off-line - browsing, including the CVS portion. In addition to being an enormous volume - of data (HTML versions of all versions of all Shorewall files), all of the - pages in Shorewall CVS access are cgi-generated which places a tremendous - load on my little server. I have therefore resorted to making CVS access -password controlled. When you are asked to log in, enter "Shorewall" (NOTE -THE CAPITALIZATION!!!!!) for both the user name and the password.
    -
    - -
    -

    + Lots of people try to download the entire Shorewall website for off-line + browsing, including the CVS portion. In addition to being an enormous volume + of data (HTML versions of all versions of all Shorewall files), all of +the pages in Shorewall CVS access are cgi-generated which places a tremendous + load on my little server. I have therefore resorted to making CVS access + password controlled. When you are asked to log in, enter "Shorewall" (NOTE + THE CAPITALIZATION!!!!!) for both the user name and the password.
    +
    + +
    +

    CVS Login  
    -

    -
    - -

    Updated 9/23/2002 - - Tom Eastep -

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    +

    +
    + +

    Updated 1/14/2002 + - Tom Eastep +

    + +

    Copyright + © 2001, 2002, 2003 Thomas M. Eastep.

    +



    diff --git a/STABLE/documentation/Shorewall_Squid_Usage.html b/STABLE/documentation/Shorewall_Squid_Usage.html new file mode 100644 index 000000000..6a35828e7 --- /dev/null +++ b/STABLE/documentation/Shorewall_Squid_Usage.html @@ -0,0 +1,408 @@ + + + + Shorewall Squid Usage + + + + + + + + + + + + + + + +
    +
    +
    Using Shorewall with Squid
    +
    +
    +
    +
    + This page covers Shorewall configuration to use with Squid running as a Transparent + Proxy
    +
    + Caution +     Please observe the following general requirements:
    +
    + +     In all cases, Squid should be configured to run +as a transparent proxy as described at http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html.
    +
    +
    +     The following instructions mention the files /etc/shorewall/start + and /etc/shorewall/init -- if you don't have those files, siimply create +them.
    +
    + +     When the Squid server is in the DMZ zone or in +the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts + file entries. That is because the packets being routed to the Squid server + still have their original destination IP addresses.
    +
    + +     You must have iproute2 (ip utility) installed + on your firewall.
    +
    + +     You must have iptables installed on your Squid +server.
    +
    + +     You must have NAT and MANGLE enabled in your /etc/shorewall/conf + file
    +
    +         NAT_ENABLED=Yes
    +
            MANGLE_ENABLED=Yes
    +
    + Three different configurations are covered:
    + +
      +
    1. Squid running on the +Firewall.
    2. +
    3. Squid running in the local +network
    4. +
    5. Squid running in the DMZ
    6. + +
    + +

    Squid Running on the Firewall

    + You want to redirect all local www connection requests EXCEPT + those to your own + http server (206.124.146.177) + to a Squid transparent + proxy running on the firewall and listening on port 3128. Squid + will of course require access to remote web servers.
    +
    + In /etc/shorewall/rules:
    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDEST PROTODEST
    + PORT(S)
    SOURCE
    + PORT(S)
    ORIGINAL
    + DEST
    REDIRECTloc3128tcpwww -
    +
    !206.124.146.177
    ACCEPTfwnettcpwww
    +

    +
    +
    +
    + +

    Squid Running in the local network

    + You want to redirect all local www connection requests to a Squid + transparent proxy +running in your local zone at 192.168.1.3 and listening on port 3128. +Your local interface is eth1. There may also be a web server running on +192.168.1.3. It is assumed that web access is already enabled from the local +zone to the internet.
    + +

    WARNING: This setup may conflict with + other aspects of your gateway including but not limited to traffic shaping + and route redirection. For that reason, I don't recommend it.
    +

    + +
      +
    • On your firewall system, issue the following command
      +
    • + +
    + +
    +
    echo 202 www.out >> /etc/iproute2/rt_tables
    +
    + +
      +
    • In /etc/shorewall/init, put:
      +
    • + +
    + +
    +
    if [ -z "`ip rule list | grep www.out`" ] ; then
    ip rule add fwmark 202 table www.out
    ip route add default via 192.168.1.3 dev eth1 table www.out
    ip route flush cache
    echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
    fi
    +
    + +
      +
    • In /etc/shorewall/rules:
      +
      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      ACTIONSOURCEDEST PROTODEST
      + PORT(S)
      SOURCE
      + PORT(S)
      ORIGINAL
      + DEST
      ACCEPT
      +
      locloc
      +
      tcpwww
      +

      +
      +
      +
    • +
    • Alternativfely, you can have the following policy:
      +
      + + + + + + + + + + + + + + + + + + + +
      SOURCE
      +
      DESTINATION
      +
      POLICY
      +
      LOG LEVEL
      +
      BURST PARAMETERS
      +
      loc
      +
      loc
      +
      ACCEPT
      +

      +

      +
      +
      +
    • +
    • In /etc/shorewall/start add:
      +
    • + +
    + +
    +
    iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202
    +
    + +
      +
    • On 192.168.1.3, arrange for the following command to be executed +after networking has come up
      + +
      iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128
      +
    • + +
    + +
    If you are running RedHat on the server, you can simply execute + the following commands after you have typed the iptables command above:
    +
    + +
    +
    + +
    iptables-save > /etc/sysconfig/iptables
    chkconfig --level 35 iptables start
    +
    + +
    + +

    Squid Running in the DMZ (This is what I do)

    + You have a single Linux system in your DMZ with IP address 192.0.2.177. + You want to run both a web server and Squid on that system. Your DMZ interface + is eth1 and your local interface is eth2.
    + +
      +
    • On your firewall system, issue the following command
      +
    • + +
    + +
    +
    echo 202 www.out >> /etc/iproute2/rt_tables
    +
    + +
      +
    • In /etc/shorewall/init, put:
      +
    • + +
    + +
    +
    if [ -z "`ip rule list | grep www.out`" ] ; then
    ip rule add fwmark 202 table www.out
    ip route add default via 192.0.2.177 dev eth1 table www.out
    ip route flush cache
    fi

    +
    + +
      +
    •  In /etc/shorewall/start add:
      +
    • + +
    + +
    +
    iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202
    +
    + +
      +
    • In /etc/shorewall/rules, you will need:
    • + +
    + +
    + + + + + + + + + + + + + + + + + + + + + + +
    ACTION
    +
    SOURCE
    +
    DEST
    +
    PROTO
    +
    DEST
    + PORT(S)
    +
    CLIENT
    + PORT(2)
    +
    ORIGINAL
    + DEST
    +
    ACCEPT
    +
    dmz
    +
    net
    +
    tcp
    +
    80
    +

    +

    +
    +
    +
    + +
      +
    • On 192.0.2.177 (your Web/Squid server), arrange for the following + command to be executed after networking has come up
      + +
      iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128
      +
    • + +
    + +
    If you are running RedHat on the server, you can simply execute + the following commands after you have typed the iptables command above:
    +
    + +
    +
    + +
    iptables-save > /etc/sysconfig/iptables
    chkconfig --level 35 iptables start
    +
    + +
    + +

    Updated 1/10/2003 - Tom Eastep +

    + + + Copyright © 2003 Thomas M. Eastep.
    +
    +
    +
    +
    + + diff --git a/STABLE/documentation/Shorewall_index_frame.htm b/STABLE/documentation/Shorewall_index_frame.htm index dc947d50f..14531ec23 100644 --- a/STABLE/documentation/Shorewall_index_frame.htm +++ b/STABLE/documentation/Shorewall_index_frame.htm @@ -2,143 +2,149 @@ - + - + - + - + Shorewall Index - - + + - + - - - + + - - - + + + - + + - - + +
    +
    - +

    Shorewall

    -
    +
    - + + - + -
    - +

    - Note:
    Search is unavailable Daily 0200-0330 - GMT.
    - - + Note: Search is unavailable Daily 0200-0330 + GMT.
    + +

    Quick Search
    -

    - -
    - + + +

    Extended Search

    - +

    Copyright © 2001, 2002 Thomas M. Eastep.

    - +

    -
    -
    -

    +
    +
    +

    +
    +



    -
    + diff --git a/STABLE/documentation/Shorewall_sfindex_frame.htm b/STABLE/documentation/Shorewall_sfindex_frame.htm index dcb22fac4..7b454b747 100644 --- a/STABLE/documentation/Shorewall_sfindex_frame.htm +++ b/STABLE/documentation/Shorewall_sfindex_frame.htm @@ -2,144 +2,149 @@ - + - + - + - + Shorewall Index - - + + - + - - - + + - - - + + + - + + - - + +
    +
    - + +

    Shorewall

    -
    +
    - + + - + -
    - +

    - Note:
    Search is unavailable Daily 0200-0330 - GMT.
    - - + Note: Search is unavailable Daily 0200-0330 + GMT.
    + +

    Quick Search
    -

    - -
    - + + +

    Extended Search

    - +

    Copyright © 2001, 2002 Thomas M. Eastep.

    - +


    -

    +

    +
    +




    -
    + diff --git a/STABLE/documentation/configuration_file_basics.htm b/STABLE/documentation/configuration_file_basics.htm index cfb645017..fd526e0e4 100644 --- a/STABLE/documentation/configuration_file_basics.htm +++ b/STABLE/documentation/configuration_file_basics.htm @@ -1,435 +1,340 @@ - + - + - + - + Configuration File Basics - + - - - + + - - - + + + +
    - +
    +

    Configuration Files

    -
    - -

    Warning: If you copy or edit your - configuration files on a system running Microsoft Windows, you must - run them through dos2unix - before you use them with Shorewall.

    - -

    Files

    - + +

    Warning: If you copy or edit your + configuration files on a system running Microsoft Windows, you must + run them through dos2unix + before you use them with Shorewall.

    + +

    Files

    +

    Shorewall's configuration files are in the directory /etc/shorewall.

    - +
      -
    • /etc/shorewall/shorewall.conf - used to set several - firewall parameters.
    • -
    • /etc/shorewall/params - use this file to set shell +
    • /etc/shorewall/shorewall.conf - used to set several + firewall parameters.
    • +
    • /etc/shorewall/params - use this file to set shell variables that you will expand in other files.
    • -
    • /etc/shorewall/zones - partition the firewall's -view of the world into zones.
    • -
    • /etc/shorewall/policy - establishes firewall high-level - policy.
    • -
    • /etc/shorewall/interfaces - describes the interfaces +
    • /etc/shorewall/zones - partition the firewall's + view of the world into zones.
    • +
    • /etc/shorewall/policy - establishes firewall high-level + policy.
    • +
    • /etc/shorewall/interfaces - describes the interfaces on the firewall system.
    • -
    • /etc/shorewall/hosts - allows defining zones in -terms of individual hosts and subnetworks.
    • -
    • /etc/shorewall/masq - directs the firewall where - to use many-to-one (dynamic) Network Address Translation (a.k.a. - Masquerading) and Source Network Address Translation (SNAT).
    • -
    • /etc/shorewall/modules - directs the firewall to - load kernel modules.
    • -
    • /etc/shorewall/rules - defines rules that are exceptions - to the overall policies established in /etc/shorewall/policy.
    • -
    • /etc/shorewall/nat - defines static NAT rules.
    • -
    • /etc/shorewall/proxyarp - defines use of Proxy +
    • /etc/shorewall/hosts - allows defining zones in + terms of individual hosts and subnetworks.
    • +
    • /etc/shorewall/masq - directs the firewall where + to use many-to-one (dynamic) Network Address Translation (a.k.a. + Masquerading) and Source Network Address Translation (SNAT).
    • +
    • /etc/shorewall/modules - directs the firewall +to load kernel modules.
    • +
    • /etc/shorewall/rules - defines rules that are +exceptions to the overall policies established in /etc/shorewall/policy.
    • +
    • /etc/shorewall/nat - defines static NAT rules.
    • +
    • /etc/shorewall/proxyarp - defines use of Proxy ARP.
    • -
    • /etc/shorewall/routestopped (Shorewall 1.3.4 and +
    • /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is stopped.
    • -
    • /etc/shorewall/tcrules - defines marking of packets - for later use by traffic control/shaping or policy routing.
    • -
    • /etc/shorewall/tos - defines rules for setting +
    • /etc/shorewall/tcrules - defines marking of packets + for later use by traffic control/shaping or policy routing.
    • +
    • /etc/shorewall/tos - defines rules for setting the TOS field in packet headers.
    • -
    • /etc/shorewall/tunnels - defines IPSEC, GRE and -IPIP tunnels with end-points on the firewall system.
    • -
    • /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC +
    • /etc/shorewall/tunnels - defines IPSEC, GRE and + IPIP tunnels with end-points on the firewall system.
    • +
    • /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
    • -
    • /etc/shorewall/init - commands that you wish to execute at the beginning -of a "shorewall start" or "shorewall restart".
    • -
    • /etc/shorewall/start - commands that you wish to execute at the completion -of a "shorewall start" or "shorewall restart"
    • -
    • /etc/shorewall/stop - commands that you wish to execute at the beginning -of a "shorewall stop".
    • -
    • /etc/shorewall/stopped - commands that you wish to execute at the +
    • /etc/shorewall/init - commands that you wish to execute at the beginning + of a "shorewall start" or "shorewall restart".
    • +
    • /etc/shorewall/start - commands that you wish to execute at the completion + of a "shorewall start" or "shorewall restart"
    • +
    • /etc/shorewall/stop - commands that you wish to execute at the beginning + of a "shorewall stop".
    • +
    • /etc/shorewall/stopped - commands that you wish to execute at the completion of a "shorewall stop".
      -
    • - + +
    - -

    Comments

    - -

    You may place comments in configuration files by making the first non-whitespace - character a pound sign ("#"). You may also place comments at -the end of any line, again by delimiting the comment from the rest + +

    Comments

    + +

    You may place comments in configuration files by making the first non-whitespace + character a pound sign ("#"). You may also place comments at +the end of any line, again by delimiting the comment from the rest of the line with a pound sign.

    - +

    Examples:

    - +
    # This is a comment
    - +
    ACCEPT	net	fw	tcp	www	#This is an end-of-line comment
    - -

    Line Continuation

    - -

    You may continue lines in the configuration files using the usual backslash - ("\") followed immediately by a new line character.

    - + +

    Line Continuation

    + +

    You may continue lines in the configuration files using the usual backslash + ("\") followed immediately by a new line character.

    +

    Example:

    - +
    ACCEPT	net	fw	tcp \
    smtp,www,pop3,imap #Services running on the firewall
    - +

    Using DNS Names

    - -

    - -

    WARNING: I personally recommend strongly against - using DNS names in Shorewall configuration files. If you use DNS names - and you are called out of bed at 2:00AM because Shorewall won't start - as a result of DNS problems then don't say that you were not forewarned. -
    -

    - -

        -Tom
    -

    - -

    Beginning with Shorwall 1.3.9, Host addresses in Shorewall - configuration files may be specified as either IP addresses or DNS - Names.
    -
    - DNS names in iptables rules aren't nearly as useful as they -first appear. When a DNS name appears in a rule, the iptables utility -resolves the name to one or more IP addresses and inserts those addresses -into the rule. So changes in the DNS->IP address relationship that -occur after the firewall has started have absolutely no effect on the - firewall's ruleset.

    - -

    If your firewall rules include DNS names then:

    +

    + +

    WARNING: I personally recommend strongly against + using DNS names in Shorewall configuration files. If you use DNS names + and you are called out of bed at 2:00AM because Shorewall won't start + as a result of DNS problems then don't say that you were not forewarned. +
    +

    + +

        -Tom
    +

    + +

    Beginning with Shorwall 1.3.9, Host addresses in Shorewall + configuration files may be specified as either IP addresses or DNS + Names.
    +
    + DNS names in iptables rules aren't nearly as useful as they + first appear. When a DNS name appears in a rule, the iptables utility + resolves the name to one or more IP addresses and inserts those addresses + into the rule. So changes in the DNS->IP address relationship that + occur after the firewall has started have absolutely no effect on the + firewall's ruleset.

    + +

    If your firewall rules include DNS names then:

    +
      -
    • If your /etc/resolv.conf is wrong then your firewall won't - start.
    • -
    • If your /etc/nsswitch.conf is wrong then your firewall +
    • If your /etc/resolv.conf is wrong then your firewall won't start.
    • -
    • If your Name Server(s) is(are) down then your firewall -won't start.
    • -
    • If your startup scripts try to start your firewall before +
    • If your /etc/nsswitch.conf is wrong then your firewall + won't start.
    • +
    • If your Name Server(s) is(are) down then your firewall + won't start.
    • +
    • If your startup scripts try to start your firewall before starting your DNS server then your firewall won't start.
      -
    • -
    • Factors totally outside your control (your ISP's router +
    • +
    • Factors totally outside your control (your ISP's router is down for example), can prevent your firewall from starting.
    • -
    • You must bring up your network interfaces prior to starting - your firewall.
      -
    • - -
    +
  • You must bring up your network interfaces prior to starting + your firewall.
    +
  • -

    Each DNS name much be fully qualified and include a minumum - of two periods (although one may be trailing). This restriction is imposed - by Shorewall to insure backward compatibility with existing configuration - files.
    -
    - Examples of valid DNS names:
    -

    - -
      -
    • mail.shorewall.net
    • -
    • shorewall.net. (note the trailing period).
    • -
    - Examples of invalid DNS names:
    + +

    Each DNS name much be fully qualified and include a minumum + of two periods (although one may be trailing). This restriction is +imposed by Shorewall to insure backward compatibility with existing +configuration files.
    +
    + Examples of valid DNS names:
    +

      -
    • mail (not fully qualified)
    • -
    • shorewall.net (only one period)
    • - -
    - DNS names may not be used as:
    +
  • mail.shorewall.net
  • +
  • shorewall.net. (note the trailing period).
  • + + Examples of invalid DNS names:
    +
      -
    • The server address in a DNAT rule (/etc/shorewall/rules +
    • mail (not fully qualified)
    • +
    • shorewall.net (only one period)
    • + +
    + DNS names may not be used as:
    + +
      +
    • The server address in a DNAT rule (/etc/shorewall/rules file)
    • -
    • In the ADDRESS column of an entry in /etc/shorewall/masq.
    • -
    • In the /etc/shorewall/nat file.
    • - -
    - These restrictions are not imposed by Shorewall simply for -your inconvenience but are rather limitations of iptables.
    - -

    Complementing an Address or Subnet

    - -

    Where specifying an IP address, a subnet or an interface, you can - precede the item with "!" to specify the complement of the item. For - example, !192.168.1.4 means "any host but 192.168.1.4". There must be -no white space following the "!".

    - -

    Comma-separated Lists

    - -

    Comma-separated lists are allowed in a number of contexts within the - configuration files. A comma separated list:

    - -
      -
    • Must not have any embedded white space.
      - Valid: routestopped,dhcp,norfc1918
      - Invalid: routestopped,     dhcp,     norfc1818
    • -
    • If you use line continuation to break a comma-separated - list, the continuation line(s) must begin in column 1 (or there - would be embedded white space)
    • -
    • Entries in a comma-separated list may appear in -any order.
    • +
    • In the ADDRESS column of an entry in /etc/shorewall/masq.
    • +
    • In the /etc/shorewall/nat file.
    - -

    Port Numbers/Service Names

    - -

    Unless otherwise specified, when giving a port number you can use - either an integer or a service name from /etc/services.

    - -

    Port Ranges

    - -

    If you need to specify a range of ports, the proper syntax is <low - port number>:<high port number>. For example, - if you want to forward the range of tcp ports 4000 through 4100 to local - host 192.168.1.3, the entry in /etc/shorewall/rules is:
    -

    - + These restrictions are not imposed by Shorewall simply for +your inconvenience but are rather limitations of iptables.
    + +

    Complementing an Address or Subnet

    + +

    Where specifying an IP address, a subnet or an interface, you can + precede the item with "!" to specify the complement of the item. For + example, !192.168.1.4 means "any host but 192.168.1.4". There must +be no white space following the "!".

    + +

    Comma-separated Lists

    + +

    Comma-separated lists are allowed in a number of contexts within the + configuration files. A comma separated list:

    + +
      +
    • Must not have any embedded white space.
      + Valid: routestopped,dhcp,norfc1918
      + Invalid: routestopped,     dhcp,     norfc1818
    • +
    • If you use line continuation to break a comma-separated + list, the continuation line(s) must begin in column 1 (or +there would be embedded white space)
    • +
    • Entries in a comma-separated list may appear in + any order.
    • + +
    + +

    Port Numbers/Service Names

    + +

    Unless otherwise specified, when giving a port number you can use + either an integer or a service name from /etc/services.

    + +

    Port Ranges

    + +

    If you need to specify a range of ports, the proper syntax is <low + port number>:<high port number>. For example, + if you want to forward the range of tcp ports 4000 through 4100 to +local host 192.168.1.3, the entry in /etc/shorewall/rules is:
    +

    +
         DNAT	net	loc:192.168.1.3	tcp	4000:4100
    - -

    Using Shell Variables

    - -

    You may use the /etc/shorewall/params file to set shell variables - that you can then use in some of the other configuration files.

    - + +

    Using Shell Variables

    + +

    You may use the /etc/shorewall/params file to set shell variables + that you can then use in some of the other configuration files.

    +

    It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally - within the Shorewall programs

    - + size="1"> to distinguish them from variables used internally + within the Shorewall programs

    +

    Example:

    - -
    - -
    NET_IF=eth0
    NET_BCAST=130.252.100.255
    NET_OPTIONS=noping,norfc1918
    -
    - -


    - Example (/etc/shorewall/interfaces record):

    - - -
    - -
    net $NET_IF $NET_BCAST $NET_OPTIONS
    -
    -
    - -

    The result will be the same as if the record had been written

    - - -
    - -
    net eth0 130.252.100.255 noping,norfc1918
    -
    -
    - -

    Variables may be used anywhere in the other configuration - files.

    - -

    Using MAC Addresses

    - -

    Media Access Control (MAC) addresses can be used to specify packet - source in several of the configuration files. To use this feature, - your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) - included.

    - -

    MAC addresses are 48 bits wide and each Ethernet Controller has a - unique MAC address.
    -
    - In GNU/Linux, MAC addresses are usually written as a -series of 6 hex numbers separated by colons. Example:
    -
    -      [root@gateway root]# ifconfig eth0
    -      eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
    -      inet addr:206.124.146.176 Bcast:206.124.146.255 - Mask:255.255.255.0
    -      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    -      RX packets:2398102 errors:0 dropped:0 overruns:0 - frame:0
    -      TX packets:3044698 errors:0 dropped:0 overruns:0 - carrier:0
    -      collisions:30394 txqueuelen:100
    -      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 - (1582.8 Mb)
    -      Interrupt:11 Base address:0x1800
    -
    - Because Shorewall uses colons as a separator for address - fields, Shorewall requires MAC addresses to be written in another - way. In Shorewall, MAC addresses begin with a tilde ("~") and -consist of 6 hex numbers separated by hyphens. In Shorewall, the -MAC address in the example above would be written "~02-00-08-E3-FA-55".
    -

    - -

    Note: It is not necessary to use the special Shorewall notation - in the /etc/shorewall/maclist file.
    -

    - -

    Logging

    - By default, Shorewall directs NetFilter to log using syslog (8). Syslog - classifies log messages by a facility and a priority (using - the notation facility.priority).
    -
    - The facilities defined by syslog are auth, authpriv, cron, daemon, -kern, lpr, mail, mark, news, syslog, user, uucp and local0 through -local7.
    -
    - Throughout the Shorewall documentation, I will use the term level - rather than priority since level is the term used by NetFilter. - The syslog documentation uses the term priority.
    - -

    Syslog Levels
    -

    - Syslog levels are a method of describing to syslog (8) the importance - of a message and a number of Shorewall parameters have a syslog level -as their value.
    -
    - Valid levels are:
    -
    -        7       debug
    -        6       info
    -        5       notice
    -        4       warning
    -        3       err
    -        2       crit
    -        1       alert
    -        0       emerg
    -
    - For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall - log messages are generated by NetFilter and are logged using the kern - facility and the level that you specify. If you are unsure of the level - to choose, 6 (info) is a safe bet. You may specify levels by name or by - number.
    -
    - Syslogd writes log messages to files (typically in /var/log/*) based -on their facility and level. The mapping of these facility/level pairs to -log files is done in /etc/syslog.conf (5). If you make changes to this file, - you must restart syslogd before the changes can take effect.
    - -

    Configuring a Separate Log for Shorewall Messages

    - There are a couple of limitations to syslogd-based logging:
    - -
      -
    1. If you give, for example, kern.info it's own log destination then - that destination will also receive all kernel messages of levels 5 (notice) - through 0 (emerg).
    2. -
    3. All kernel.info messages will go to that destination and not just - those from NetFilter.
      -
    4. - -
    - Beginning with Shorewall version 1.3.12, if your kernel has ULOG target - support (and most vendor-supplied kernels do), you may also specify a log -level of ULOG (must be all caps). When ULOG is used, Shorewall will direct -netfilter to log the related messages via the ULOG target which will send -them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd -and can be configured to log all Shorewall message to their own log file.
    -
    - Download the ulod tar file and:
    - -
      -
    1. cd /usr/local/src (or wherever you do your builds)
    2. -
    3. tar -zxf source-tarball-that-you-downloaded
    4. -
    5. cd ulogd-version
      -
    6. -
    7. ./configure
    8. -
    9. make
    10. -
    11. make install
      -
    12. - -
    - If you are like me and don't have a development environment on your firewall, -you can do the first five steps on another system then either NFS mount your -/usr/local/src directory or tar up the /usr/local/src/ulogd-version -directory and move it to your firewall system.
    -
    - Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:
    - -
      -
    1. syslogfile <file that you wish to log to>
    2. -
    3. syslogsync 1
    4. - -
    - I also copied the file /usr/local/src/ulogd-version/ulogd.init to -/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" -to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig ---level 3 ulogd on" starts ulogd during boot up. Your init system may need -something else done to activate the script.
    -
    - Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<file that -you wish to log to>. This tells the /sbin/shorewall program where to -look for the log when processing its "show log", "logwatch" and "monitor" -commands.
    + +
    -

    Shorewall Configurations

    - -

    Shorewall allows you to have configuration directories other than /etc/shorewall. - The shorewall start and - restart commands allow you to specify an alternate configuration - directory and Shorewall will use the files in the alternate directory - rather than the corresponding files in /etc/shorewall. The alternate directory - need not contain a complete configuration; those files not in the alternate - directory will be read from /etc/shorewall.

    - -

    This facility permits you to easily create a test or temporary configuration - by:

    - +
    NET_IF=eth0
    NET_BCAST=130.252.100.255
    NET_OPTIONS=noping,norfc1918
    +
    + +


    + Example (/etc/shorewall/interfaces record):

    + + +
    + +
    net $NET_IF $NET_BCAST $NET_OPTIONS
    +
    +
    + +

    The result will be the same as if the record had been written

    + + +
    + +
    net eth0 130.252.100.255 noping,norfc1918
    +
    +
    + +

    Variables may be used anywhere in the other configuration + files.

    + +

    Using MAC Addresses

    + +

    Media Access Control (MAC) addresses can be used to specify packet + source in several of the configuration files. To use this feature, + your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) + included.

    + +

    MAC addresses are 48 bits wide and each Ethernet Controller has a + unique MAC address.
    +
    + In GNU/Linux, MAC addresses are usually written as a +series of 6 hex numbers separated by colons. Example:
    +
    +      [root@gateway root]# ifconfig eth0
    +      eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
    +      inet addr:206.124.146.176 Bcast:206.124.146.255 + Mask:255.255.255.0
    +      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    +      RX packets:2398102 errors:0 dropped:0 overruns:0 + frame:0
    +      TX packets:3044698 errors:0 dropped:0 overruns:0 + carrier:0
    +      collisions:30394 txqueuelen:100
    +      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 + (1582.8 Mb)
    +      Interrupt:11 Base address:0x1800
    +
    + Because Shorewall uses colons as a separator for address + fields, Shorewall requires MAC addresses to be written in another + way. In Shorewall, MAC addresses begin with a tilde ("~") and consist + of 6 hex numbers separated by hyphens. In Shorewall, the MAC address + in the example above would be written "~02-00-08-E3-FA-55".
    +

    + +

    Note: It is not necessary to use the special Shorewall notation + in the /etc/shorewall/maclist file.
    +

    + +

    Shorewall Configurations

    + +

    Shorewall allows you to have configuration directories other than /etc/shorewall. + The shorewall start +and restart commands allow you to specify an alternate configuration + directory and Shorewall will use the files in the alternate directory + rather than the corresponding files in /etc/shorewall. The alternate +directory need not contain a complete configuration; those files not +in the alternate directory will be read from /etc/shorewall.

    + +

    This facility permits you to easily create a test or temporary configuration + by:

    +
      -
    1. copying the files that need modification from -/etc/shorewall to a separate directory;
    2. -
    3. modify those files in the separate directory; -and
    4. -
    5. specifying the separate directory in a shorewall - start or shorewall restart command (e.g., shorewall -c /etc/testconfig - restart ).
    6. - +
    7. copying the files that need modification from + /etc/shorewall to a separate directory;
    8. +
    9. modify those files in the separate directory; + and
    10. +
    11. specifying the separate directory in a shorewall + start or shorewall restart command (e.g., shorewall -c /etc/testconfig + restart ).
    12. +
    - -

    Updated 12/20/2002 - Tom Eastep + +

    Updated 12/29/2002 - Tom Eastep

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.
    -

    + +

    Copyright + © 2001, 2002 Thomas M. Eastep.
    +

    +


    diff --git a/STABLE/documentation/copyright.htm b/STABLE/documentation/copyright.htm index b4af82bdd..f2877a9c6 100644 --- a/STABLE/documentation/copyright.htm +++ b/STABLE/documentation/copyright.htm @@ -1,34 +1,45 @@ + - - - - - -Copyright + + + + + + + + + Copyright - - - - - - - + + +
    -

    Copyright

    -
    + + + + + +
    +

    Copyright

    +
    -

    Copyright ©  2000, 2001 -Thomas M Eastep

    -
    -

    Permission is granted to copy, distribute and/or modify this - document under the terms of the GNU Free Documentation License, Version 1.1 or - any later version published by the Free Software Foundation; with no Invariant - Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the - license is included in the section entitled "GNU Free Documentation License".

    -
    - + +

    Copyright ©  2000, 2001, +2003 Thomas M Eastep
    +  

    + +
    +

    Permission is granted to copy, distribute and/or modify +this document under the terms of the GNU Free Documentation License, Version +1.1 or any later version published by the Free Software Foundation; with +no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. +A copy of the license is included in the section entitled "GNU Free Documentation License".
    +  

    +
    +
    - - \ No newline at end of file + diff --git a/STABLE/documentation/download.htm b/STABLE/documentation/download.htm index cb46fa42b..b003501cf 100644 --- a/STABLE/documentation/download.htm +++ b/STABLE/documentation/download.htm @@ -1,387 +1,393 @@ - + - + - + - + Download - + - - - + + - - - + + + +
    - +
    +

    Shorewall Download

    -
    +

    I strongly urge you to read and print a copy of the Shorewall QuickStart Guide - for the configuration that most closely matches your own.
    -

    - -

    The entire set of Shorewall documentation is available in PDF format at:

    - + href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide + for the configuration that most closely matches your own.
    +

    + +

    The entire set of Shorewall documentation is available in PDF format +at:

    +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    -     http://slovakia.shorewall.net/pub/shorewall/pdf/
    -     rsync://slovakia.shorewall.net/shorewall/pdf/ +     http://slovakia.shorewall.net/pub/shorewall/pdf/
    +     rsync://slovakia.shorewall.net/shorewall/pdf/

    - -

    The documentation in HTML format is included in the .rpm and in the .tgz -packages below.

    - + +

    The documentation in HTML format is included in the .rpm and in the +.tgz packages below.

    +

    Once you've done that, download one of the modules:

    - +
      -
    • If you run a RedHat, SuSE, Mandrake, - Linux PPC or TurboLinux distribution with - a 2.4 kernel, you can use the RPM version (note: the RPM - should also work with other distributions that store init -scripts in /etc/init.d and that include chkconfig or insserv). -If you find that it works in other cases, let me know so that - I can mention them here. See the Installation Instructions - if you have problems installing the RPM.
    • -
    • If you are running LRP, download the .lrp file (you might - also want to download the .tgz so you will have a copy of the documentation).
    • -
    • If you run Debian - and would like a .deb package, Shorewall is included in both the - Debian - Testing Branch and the Debian -Unstable Branch.
    • -
    • Otherwise, download the shorewall -module (.tgz)
    • - +
    • If you run a RedHat, SuSE, Mandrake, + Linux PPC or TurboLinux distribution with + a 2.4 kernel, you can use the RPM version (note: the +RPM should also work with other distributions that store +init scripts in /etc/init.d and that include chkconfig or +insserv). If you find that it works in other cases, let me know so that + I can mention them here. See the Installation +Instructions if you have problems installing the RPM.
    • +
    • If you are running LRP, download the .lrp file (you +might also want to download the .tgz so you will have a copy of +the documentation).
    • +
    • If you run Debian + and would like a .deb package, Shorewall is included in both the + Debian + Testing Branch and the Debian + Unstable Branch.
    • +
    • Otherwise, download the shorewall + module (.tgz)
    • +
    - -

    The documentation in HTML format is included in the .tgz and .rpm files - and there is an documentation .deb that also contains the documentation.

    - -

    Please verify the version that you have downloaded -- during the - release of a new version of Shorewall, the links below may point - to a newer or an older version than is shown below.

    - + +

    The documentation in HTML format is included in the .tgz and .rpm files + and there is an documentation .deb that also contains the documentation.

    + +

    Please verify the version that you have downloaded -- during the + release of a new version of Shorewall, the links below may + point to a newer or an older version than is shown below.

    +
      -
    • RPM - "rpm -qip LATEST.rpm"
    • -
    • TARBALL - "tar -ztf LATEST.tgz" (the directory name +
    • RPM - "rpm -qip LATEST.rpm"
    • +
    • TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain the version)
    • -
    • LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar --zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
    • - +
    • LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar + -zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version" +
    • +
    - -

    Once you have verified the version, check the - errata to see if there are updates that apply to the version - that you have downloaded.

    - -

    WARNING - YOU CAN NOT SIMPLY - INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION - IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed - configuration of your firewall, you can enable startup by removing the - file /etc/shorewall/startup_disabled.

    - -

    Download Latest Version (1.3.12): Remember that updates - to the mirrors occur 1-12 hours after an update to the Washington -State site.

    - -
    + +

    Once you have verified the version, check the errata to see +if there are updates that apply to the version that you have + downloaded.

    + +

    WARNING - YOU CAN NOT SIMPLY INSTALL +THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION + IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration + of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.

    + +

    Download Latest Version (1.3.13): Remember that updates + to the mirrors occur 1-12 hours after an update to the Washington State +site.

    + +
    - + + + + + + + - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + +
    SERVER LOCATIONDOMAINHTTPFTP
    SERVER LOCATIONDOMAINHTTPFTP
    SourceForge
    -
    sf.net
    -
    SourceForge
    +
    sf.net
    +
    Download
    -

    -
    Slovak RepublicShorewall.netDownload .rpm
    - Download - .tgz 
    - Download - .lrp
    - - Download.md5sums
    Download - .rpm  
    - Download - .tgz 
    - Download - .rpm
    - - Download.md5sums
    Texas, USAInfohiiway.comDownload - .rpm
    - Download - .tgz 
    - Download - .lrp
    - - Download.md5sums
    Download .rpm  
    - Download - .tgz 
    - Download - .lrp
    - - Download.md5sums
    Hamburg, GermanyShorewall.net Download - .rpm
    - Download - .tgz
    - Download - .lrp
    - - Download.md5sums
    Download - .rpm  
    - Download - .tgz 
    - Download - .lrp
    - Download - .md5sums
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar Download - .rpm  
    - Download - .tgz 
    - - Download .lrp
    - Download - .md5sums
    Download - .rpm  
    - Download - .tgz 
    - - Download .lrp
    - Download - .md5sums
    Paris, FranceShorewall.netDownload .rpm
    - Download .tgz 
    - Download .lrp
    - Download - .md5sums
    Download - .rpm  
    - Download - .tgz 
    - Download - .lrp
    - Download - .md5sums
    Washington State, USA
    -
    Shorewall.net
    -
    Download .rpm
    - Download - .tgz 
    - Download - .lrp
    - Download - .md5sums
    -
    - Download .rpm 
    - Download - .tgz 
    - Download - .lrp
    - Download - .md5sums
    -

    +
    Slovak RepublicShorewall.netDownload .rpm
    + Download + .tgz 
    + Download + .lrp
    + + Download.md5sums
    Download + .rpm  
    + Download + .tgz 
    + Download + .rpm
    + + Download.md5sums
    Texas, USAInfohiiway.comDownload + .rpm
    + Download + .tgz 
    + Download + .lrp
    + + Download.md5sums
    Download .rpm  
    + Download + .tgz 
    + Download + .lrp
    + + Download.md5sums
    Hamburg, GermanyShorewall.net Download + .rpm
    + Download + .tgz
    + Download + .lrp
    + + Download.md5sums
    Download + .rpm  
    + Download + .tgz 
    + Download + .lrp
    + Download + .md5sums
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar Download + .rpm  
    + Download + .tgz 
    + + Download .lrp
    + Download + .md5sums
    Download + .rpm  
    + Download + .tgz 
    + + Download .lrp
    + Download + .md5sums
    Paris, FranceShorewall.netDownload .rpm
    + Download +.tgz 
    + Download +.lrp
    + Download + .md5sums
    Download + .rpm  
    + Download + .tgz 
    + Download + .lrp
    + Download + .md5sums
    Washington State, USA
    +
    Shorewall.net
    +
    Download .rpm
    + Download + .tgz 
    + Download + .lrp
    + Download + .md5sums
    +
    + Download .rpm 
    + Download + .tgz 
    + Download + .lrp
    + Download + .md5sums
    +
    -
    - +
    +

    Browse Download Sites:

    - -
    + +
    - - - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + +
    SERVER LOCATIONDOMAINHTTPFTP
    SourceForge
    -
    sf.net +
    SERVER LOCATIONDOMAINHTTPFTP
    SourceForge
    +
    sf.netBrowseN/A
    Slovak RepublicShorewall.netBrowse Browse
    Texas, USAInfohiiway.comBrowseBrowse
    Hamburg, GermanyShorewall.netBrowseBrowse
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.arBrowse Browse
    FranceShorewall.netBrowse Browse
    N/A
    Washington State, USAShorewall.netBrowseBrowseSlovak RepublicShorewall.netBrowse Browse
    Texas, USAInfohiiway.comBrowseBrowse
    Hamburg, GermanyShorewall.netBrowseBrowse
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.arBrowse Browse
    FranceShorewall.netBrowse Browse
    Washington State, USAShorewall.netBrowseBrowse
    -
    - +
    +

    CVS:

    - -
    + +

    The CVS repository at - cvs.shorewall.net contains the latest snapshots of the each Shorewall - component. There's no guarantee that what you find there will work at - all.
    -

    -
    - -

    Last Updated 12/12/2002 - CVS repository at + cvs.shorewall.net contains the latest snapshots of the each Shorewall + component. There's no guarantee that what you find there will work +at all.
    +

    +
    + +

    Last Updated 1/13/2003 - Tom Eastep

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.
    -

    + +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.
    +

    +

    diff --git a/STABLE/documentation/errata.htm b/STABLE/documentation/errata.htm index f9bc052e0..d5228db74 100644 --- a/STABLE/documentation/errata.htm +++ b/STABLE/documentation/errata.htm @@ -1,214 +1,240 @@ - + Shorewall 1.3 Errata - + - - + + - + - - - + + - - - + + + +
    - +
    +

    Shorewall Errata/Upgrade Issues

    -
    - +

    IMPORTANT

    - +
      -
    1. - +
    2. +

      If you use a Windows system to download - a corrected script, be sure to run the script through - + dos2unix after you have moved - it to your Linux system.

      -
    3. -
    4. - + it to your Linux system.

      +
    5. +
    6. +

      If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar the archive, replace the 'firewall' script in the untarred directory - with the one you downloaded below, and then run install.sh.

      -
    7. -
    8. - -

      When the instructions say to install a corrected - firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall - or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to -overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD -/etc/shorewall/firewall or /var/lib/shorewall/firewall before -you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall - are symbolic links that point to the 'shorewall' file used by your - system initialization scripts to start Shorewall during boot. -It is that file that must be overwritten with the corrected -script.

      -
    9. -
    10. -

      DO NOT INSTALL CORRECTED COMPONENTS - ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For - example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.
      -

      -
    11. - -
    - -
    - + - - - + + + + - + + + - + + - +
    +
    - + +

    -   -

    +   +

    @@ -428,28 +548,31 @@ used, 'all' must appear by itself (in may not be qualified) and it does - + +

    Shorewall is free but if you try it and find it useful, please consider making a donation - to Starlight Children's Foundation. Thanks!

    -
    - -

    Updated 12/27/2002 - Tom Eastep + +

    Updated 1/13/2003 - Tom Eastep -
    +


    diff --git a/STABLE/documentation/shoreline.htm b/STABLE/documentation/shoreline.htm index 88ed7007e..3a7104254 100644 --- a/STABLE/documentation/shoreline.htm +++ b/STABLE/documentation/shoreline.htm @@ -1,124 +1,125 @@ - + About the Shorewall Author + - - + + - + - - - + + - - - + + + +
    - +
    +

    Tom Eastep

    -
    - +

    Tom on the PCT - 1991 -

    - +

    +

    Tarry & Tom -- August 2002
    -
    -

    - +
    +

    + - -

    I am currently a member of the design team for the next-generation - operating system from the NonStop Enterprise Division of HP.

    - -

    I became interested in Internet Security when I established a home office - in 1999 and had DSL service installed in our home. I investigated - ipchains and developed the scripts which are now collectively known as - Seattle Firewall. Expanding - on what I learned from Seattle Firewall, I then designed and wrote - Shorewall.

    - -

    I telework from our home in Shoreline, - Washington where I live with my wife Tarry.

    - -

    Our current home network consists of:

    +
  • Married 1969 - no children.
  • - - + +

    I am currently a member of the design team for the next-generation + operating system from the NonStop Enterprise Division of HP.

    + +

    I became interested in Internet Security when I established a home office + in 1999 and had DSL service installed in our home. I investigated + ipchains and developed the scripts which are now collectively known as + Seattle Firewall. Expanding + on what I learned from Seattle Firewall, I then designed and wrote + Shorewall.

    + +

    I telework from our home in Shoreline, + Washington where I live with my wife Tarry.

    + +

    Our current home network consists of:

    + + +

    For more about our network see my Shorewall Configuration.

    - +

    All of our other systems are made by Compaq (part of the new HP).. All of our Tulip NICs are Netgear FA310TXs.

    - +

    - - - - Powered by Mandrake - Protected by ShorewallProtected by Shorewall -

    - -

    Last updated 12/7/2002 -

    + +

    Last updated 1/7/2003 - Tom Eastep

    - Copyright © 2001, 2002 Thomas M. Eastep.
    -
    -
    + Copyright © 2001, 2002, 2003 Thomas +M. Eastep.
    diff --git a/STABLE/documentation/shorewall_logging.html b/STABLE/documentation/shorewall_logging.html new file mode 100755 index 000000000..03ddeae62 --- /dev/null +++ b/STABLE/documentation/shorewall_logging.html @@ -0,0 +1,156 @@ + + + + Shorewall Logging + + + + + + + + + + + + + + +
    + + +

    Logging

    +
    +
    + By default, Shorewall directs NetFilter to log using syslog (8). Syslog + classifies log messages by a facility and a priority (using + the notation facility.priority).
    +
    + The facilities defined by syslog are auth, authpriv, cron, daemon, + kern, lpr, mail, mark, news, syslog, user, uucp and local0 through + local7.
    +
    + Throughout the Shorewall documentation, I will use the term level + rather than priority since level is the term used by NetFilter. + The syslog documentation uses the term priority.
    + +

    Syslog Levels
    +

    + Syslog levels are a method of describing to syslog (8) the importance + of a message and a number of Shorewall parameters have a syslog level +as their value.
    +
    + Valid levels are:
    +
    +        7       + debug
    +        6       + info
    +        5       + notice
    +        4       + warning
    +        3       + err
    +        2       + crit
    +        1       + alert
    +        0       + emerg
    +
    + For most Shorewall logging, a level of 6 (info) is appropriate. +Shorewall log messages are generated by NetFilter and are logged using +the kern facility and the level that you specify. If you are unsure +of the level to choose, 6 (info) is a safe bet. You may specify levels +by name or by number.
    +
    + Syslogd writes log messages to files (typically in /var/log/*) based + on their facility and level. The mapping of these facility/level pairs +to log files is done in /etc/syslog.conf (5). If you make changes to this +file, you must restart syslogd before the changes can take effect.
    + +

    Configuring a Separate Log for Shorewall Messages

    + There are a couple of limitations to syslogd-based logging:
    + +
      +
    1. If you give, for example, kern.info it's own log destination then + that destination will also receive all kernel messages of levels 5 (notice) + through 0 (emerg).
    2. +
    3. All kernel.info messages will go to that destination and not just + those from NetFilter.
      +
    4. + +
    + Beginning with Shorewall version 1.3.12, if your kernel has ULOG +target support (and most vendor-supplied kernels do), you may also specify +a log level of ULOG (must be all caps). When ULOG is used, Shorewall will +direct netfilter to log the related messages via the ULOG target which will +send them to a process called 'ulogd'. The ulogd program is available from +http://www.gnumonks.org/projects/ulogd and can be configured to log all +Shorewall message to their own log file.
    +
    + Note: The ULOG logging mechanism is completely separate from +syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely +no effect on your Shorewall logging (except for Shorewall status messages +which still go to syslog).
    +
    +You will need to have the kernel source available to compile ulogd.
    +
    +Download the ulod tar file and:
    + +
      +
    1. Be sure that /usr/src/linux is linked to your kernel source tree
      +
    2. +
    3. cd /usr/local/src (or wherever you do your builds)
    4. +
    5. tar -zxf source-tarball-that-you-downloaded
    6. +
    7. cd ulogd-version
      +
    8. +
    9. ./configure
    10. +
    11. make
    12. +
    13. make install
      +
    14. + +
    + If you are like me and don't have a development environment on your firewall, + you can do the first six steps on another system then either NFS mount +your /usr/local/src directory or tar up the /usr/local/src/ulogd-version + directory and move it to your firewall system.
    +
    + Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:
    + +
      +
    1. syslogfile <file that you wish to log to>
    2. +
    3. syslogsync 1
    4. + +
    + I also copied the file /usr/local/src/ulogd-version/ulogd.init +to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" + to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple +"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system +may need something else done to activate the script.
    +
    + You will need to change all instances of log levels (usually 'info') in +your configuration files to 'ULOG' - this includes entries in the policy, +rules and shorewall.conf files. Here's what I have:
    + +
    	[root@gateway shorewall]# grep ULOG *
    policy:loc  fw   REJECT  ULOG
    policy:net  all  DROP    ULOG   10/sec:40
    policy:all  all  REJECT  ULOG
    rules:REJECT:ULOG loc net tcp 6667
    shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG
    shorewall.conf:RFC1918_LOG_LEVEL=ULOG
    [root@gateway shorewall]#
    + Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<file + that you wish to log to>. This tells the /sbin/shorewall program +where to look for the log when processing its "show log", "logwatch" and +"monitor" commands.
    + +

    Updated 1/11/2003 - Tom Eastep +

    + + + +

    Copyright © +2001, 2002, 2003 Thomas M. Eastep
    +

    + + + diff --git a/STABLE/documentation/shorewall_quickstart_guide.htm b/STABLE/documentation/shorewall_quickstart_guide.htm index 564fbaf64..4e34d188e 100644 --- a/STABLE/documentation/shorewall_quickstart_guide.htm +++ b/STABLE/documentation/shorewall_quickstart_guide.htm @@ -1,268 +1,288 @@ - + - + - + - + Shorewall QuickStart Guide - + - + - - - - - - + + + + + +
    - -

    Shorewall QuickStart Guides
    - Version 3.1

    -
    + + +

    Shorewall QuickStart Guides +(HOWTO's)
    + Version 3.1

    +
    - -

    With thanks to Richard who reminded me once again that -we must all first walk before we can run.

    - + +

    With thanks to Richard who reminded me once again that we +must all first walk before we can run.

    +

    The Guides

    - -

    These guides provide step-by-step instructions for configuring Shorewall - in common firewall setups.

    - + +

    These guides provide step-by-step instructions for configuring Shorewall + in common firewall setups.

    +

    The following guides are for users who have a single public IP address:

    - +
      -
    • Standalone Linux System
    • -
    • Two-interface Linux System - acting as a firewall/router for a small local network
    • -
    • Three-interface Linux - System acting as a firewall/router for a small local network and +
    • Standalone Linux System
    • +
    • Two-interface Linux +System acting as a firewall/router for a small local network
    • +
    • Three-interface Linux + System acting as a firewall/router for a small local network and a DMZ.
    • - +
    - -

    The above guides are designed to get your first firewall up and running - quickly in the three most common Shorewall configurations.

    - -

    The Shorewall Setup Guide outlines - the steps necessary to set up a firewall where there are multiple - public IP addresses involved or if you want to learn more about Shorewall - than is explained in the single-address guides above.

    - + +

    The above guides are designed to get your first firewall up and running + quickly in the three most common Shorewall configurations.

    + +

    The Shorewall Setup Guide outlines + the steps necessary to set up a firewall where there are multiple + public IP addresses involved or if you want to learn more about Shorewall + than is explained in the single-address guides above.

    + - +

    Documentation Index

    - -

    The following documentation covers a variety of topics and supplements - the QuickStart Guides -described above. Please review the appropriate guide before trying -to use this documentation directly.

    - + +

    The following documentation covers a variety of topics and supplements + the QuickStart Guides + described above. Please review the appropriate guide before trying + to use this documentation directly.

    + - +

    If you use one of these guides and have a suggestion for improvement please let me know.

    - -

    Last modified 12/13/2002 - Tom Eastep

    - -

    Copyright 2002 Thomas M. Eastep
    -

    -
    -
    -
    + +

    Last modified 1/9/2003 - Tom Eastep

    + +

    Copyright 2002, 2003 Thomas M. +Eastep
    +



    diff --git a/STABLE/documentation/shorewall_setup_guide.htm b/STABLE/documentation/shorewall_setup_guide.htm index 9a72e16e0..872073076 100644 --- a/STABLE/documentation/shorewall_setup_guide.htm +++ b/STABLE/documentation/shorewall_setup_guide.htm @@ -1,423 +1,206 @@ - + - + - + - + Shorewall Setup Guide - + - +

    Shorewall Setup Guide

    - +

    1.0 Introduction
    - 2.0 Shorewall Concepts
    - 3.0 Network Interfaces
    - 4.0 Addressing, Subnets and Routing

    - -
    + 2.0 Shorewall Concepts
    + 3.0 Network Interfaces
    + 4.0 Addressing, Subnets and Routing

    + +

    4.1 IP Addresses
    - 4.2 Subnets
    - 4.3 Routing
    - 4.4 Address Resolution Protocol
    - 4.5 RFC 1918

    -
    - -

    5.0 Setting up your Network

    - -
    -

    5.1 Routed
    - 5.2 Non-routed

    - -
    -

    5.2.1 SNAT
    - 5.2.2 DNAT
    - 5.2.3 Proxy ARP
    - 5.2.4 Static NAT

    + 4.2 Subnets
    + 4.3 Routing
    + 4.4 Address Resolution Protocol
    + 4.5 RFC 1918

    +

    5.0 Setting up your Network

    + +
    +

    5.1 Routed
    + 5.2 Non-routed

    + +
    +

    5.2.1 SNAT
    + 5.2.2 DNAT
    + 5.2.3 Proxy ARP
    + 5.2.4 Static NAT

    +
    +

    5.3 Rules
    - 5.4 Odds and Ends

    -
    - + 5.4 Odds and Ends

    +
    +

    6.0 DNS
    - 7.0 Starting and Stopping the Firewall

    - + 7.0 Starting and Stopping the Firewall

    +

    1.0 Introduction

    - +

    This guide is intended for users who are setting up Shorewall in an environment - where a set of public IP addresses must be managed or who want to know + where a set of public IP addresses must be managed or who want to know more about Shorewall than is contained in the single-address guides. Because - the range of possible applications is so broad, the Guide will give you -general guidelines and will point you to other resources as necessary.

    - + the range of possible applications is so broad, the Guide will give you + general guidelines and will point you to other resources as necessary.

    +

    -     If you run LEAF Bering, your Shorewall configuration is NOT what I -release -- I suggest that you consider installing a stock Shorewall lrp from -the shorewall.net site before you proceed.

    - +     If you run LEAF Bering, your Shorewall configuration is NOT what +I release -- I suggest that you consider installing a stock Shorewall lrp +from the shorewall.net site before you proceed.

    +

    This guide assumes that you have the iproute/iproute2 package installed - (on RedHat, the package is called iproute). You can tell + (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the 'which' command to check for this program:

    - +
         [root@gateway root]# which ip
    /sbin/ip
    [root@gateway root]#
    - +

    I recommend that you first read through the guide to familiarize yourself - with what's involved then go back through it again making your configuration - changes. Points at which configuration changes are recommended are flagged - with - .

    - + with what's involved then go back through it again making your configuration + changes. Points at which configuration changes are recommended are flagged + with + .

    +

    -     If you edit your configuration files on a Windows system, you must -save them as Unix files if your editor supports that option or you must run -them through dos2unix before trying to use them with Shorewall. Similarly, -if you copy a configuration file from your Windows hard drive to a floppy -disk, you must run dos2unix against the copy before using it with Shorewall.

    - +     If you edit your configuration files on a Windows system, you must + save them as Unix files if your editor supports that option or you must +run them through dos2unix before trying to use them with Shorewall. Similarly, + if you copy a configuration file from your Windows hard drive to a floppy + disk, you must run dos2unix against the copy before using it with Shorewall.

    + - +

    2.0 Shorewall Concepts

    - +

    The configuration files for Shorewall are contained in the directory /etc/shorewall -- for most setups, you will only need to deal with a few of these as described in this guide. Skeleton files are created during the Shorewall Installation Process.

    - +

    As each file is introduced, I suggest that you look through the actual - file on your system -- each file contains detailed configuration instructions - and some contain default entries.

    - + file on your system -- each file contains detailed configuration instructions + and some contain default entries.

    +

    Shorewall views the network where it is running as being composed of a - set of zones. In the default installation, the following zone names - are used:

    - + set of zones. In the default installation, the following zone names + are used:

    + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
    NameDescription
    netThe Internet
    locYour Local Network
    dmzDemilitarized Zone
    NameDescription
    netThe Internet
    locYour Local Network
    dmzDemilitarized Zone
    - +

    Zones are defined in the /etc/shorewall/zones - file.

    - + file.

    +

    Shorewall also recognizes the firewall system as its own zone - by default, - the firewall itself is known as fw but that may be changed in the - /etc/shorewall/shorewall.conf file. - In this guide, the default name (fw) will be used.

    - + the firewall itself is known as fw but that may be changed in the + /etc/shorewall/shorewall.conf file. + In this guide, the default name (fw) will be used.

    +

    With the exception of fw, Shorewall attaches absolutely no meaning - to zone names. Zones are entirely what YOU make of them. That means that - you should not expect Shorewall to do something special "because this is - the internet zone" or "because that is the DMZ".

    - + to zone names. Zones are entirely what YOU make of them. That means that + you should not expect Shorewall to do something special "because this +is the internet zone" or "because that is the DMZ".

    +

    -     Edit the /etc/shorewall/zones file and make any changes necessary.

    - +     Edit the /etc/shorewall/zones file and make any changes necessary.

    +

    Rules about what traffic to allow and what traffic to deny are expressed - in terms of zones.

    - + in terms of zones.

    + - +

    Shorewall is built on top of the Netfilter - kernel facility. Netfilter implements a connection - tracking function that allows what is often referred to as stateful - inspection of packets. This stateful property allows firewall rules - to be defined in terms of connections rather than in terms of -packets. With Shorewall, you:

    - + tracking function that allows what is often referred to as stateful + inspection of packets. This stateful property allows firewall rules + to be defined in terms of connections rather than in terms of + packets. With Shorewall, you:

    +
      -
    1. Identify the source zone.
    2. -
    3. Identify the destination zone.
    4. -
    5. If the POLICY from the client's zone to the server's zone - is what you want for this client/server pair, you need do nothing +
    6. Identify the source zone.
    7. +
    8. Identify the destination zone.
    9. +
    10. If the POLICY from the client's zone to the server's zone + is what you want for this client/server pair, you need do nothing further.
    11. -
    12. If the POLICY is not what you want, then you must add a -rule. That rule is expressed in terms of the client's zone and the -server's zone.
    13. - +
    14. If the POLICY is not what you want, then you must add +a rule. That rule is expressed in terms of the client's zone and +the server's zone.
    15. +
    - +

    Just because connections of a particular type are allowed from zone A to the firewall and are also allowed from the firewall to zone B DOES NOT mean that these connections are allowed - from zone A to zone B. It rather means that you can have - a proxy running on the firewall that accepts a connection from zone A + from zone A to zone B. It rather means that you can have + a proxy running on the firewall that accepts a connection from zone A and then establishes its own separate connection from the firewall to zone B.

    - +

    For each connection request entering the firewall, the request is first - checked against the /etc/shorewall/rules file. If no rule in that file + checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied. If that policy is REJECT or DROP  the request is first checked against the rules in /etc/shorewall/common.def.

    - +

    The default /etc/shorewall/policy file has the following policies:

    - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    locnetACCEPT  
    netallDROPinfo 
    allallREJECTinfo 
    -
    - -

    The above policy will:

    - -
      -
    1. allow all connection requests from your local network to the internet
    2. -
    3. drop (ignore) all connection requests from the internet to your -firewall or local network and log a message at the info level -(here is a description -of log levels).
    4. -
    5. reject all other connection requests and log a message at the info - level. When a request is rejected, the firewall will return an RST (if - the protocol is TCP) or an ICMP port-unreachable packet for other protocols.
    6. - -
    - -

    -     At this point, edit your /etc/shorewall/policy and make any changes -that you wish.

    - -

    3.0 Network Interfaces

    - -

    For the remainder of this guide, we'll refer to the following - diagram. While it may not look like your own network, it can be used to - illustrate the important aspects of Shorewall configuration.

    - -

    In this diagram:

    - -
      -
    • The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used -to isolate your internet-accessible servers from your local systems so -that if one of those servers is compromised, you still have the firewall -between the compromised system and your local systems.
    • -
    • The Local Zone consists of systems Local 1, Local 2 and Local 3. -
    • -
    • All systems from the ISP outward comprise the Internet Zone.
    • - -
    - -

    -

    - -

    The simplest way to define zones is to simply associate the - zone name (previously defined in /etc/shorewall/zones) with a network interface. - This is done in the /etc/shorewall/interfaces - file.

    - -

    The firewall illustrated above has three network interfaces. - Where Internet connectivity is through a cable or DSL "Modem", the External - Interface will be the Ethernet adapter that is connected to that "Modem" - (e.g., eth0unless you connect via Point-to-Point - Protocol over Ethernet (PPPoE) or Point-to-Point - Tunneling Protocol (PPTP) in which case the External Interface - will be a ppp interface (e.g., ppp0). If you connect via a regular - modem, your External Interface will also be ppp0. If you connect -using ISDN, you external interface will be ippp0.

    - -

    -     If your external interface is ppp0 or ippp0 then you -will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.

    - -

    Your Local Interface will be an Ethernet adapter (eth0, - eth1 or eth2) and will be connected to a hub or switch. Your local computers - will be connected to the same switch (note: If you have only a single local - system, you can connect the firewall directly to the computer using a cross-over - cable).

    - -

    Your DMZ Interface will also be an Ethernet adapter - (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ -computers will be connected to the same switch (note: If you have only a -single DMZ system, you can connect the firewall directly to the computer -using a cross-over cable).

    - -

    - Do not connect more than one interface to the same hub or switch - (even for testing). It won't work the way that you expect it to and you -will end up confused and believing that Linux networking doesn't work at -all.

    - -

    For the remainder of this Guide, we will assume that:

    - -
      -
    • -

      The external interface is eth0.

      -
    • -
    • -

      The Local interface is eth1.

      -
    • -
    • -

      The DMZ interface is eth2.

      -
    • - -
    - -

    The Shorewall default configuration does not define the contents - of any zone. To define the above configuration using the /etc/shorewall/interfaces - file, that file would might contain:

    - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918
    loceth1detect 
    dmzeth2detect 
    -
    - -

    -     Edit the /etc/shorewall/interfaces file and define the network interfaces - on your firewall and associate each interface with a zone. If you have -a zone that is interfaced through more than one interface, simply include -one entry for each interface and repeat the zone name as many times as necessary.

    - -

    Example:

    - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918
    loceth1detect 
    loceth2detectdhcp
    -
    - -
    -

    When you have more than one interface to a zone, you will - usually want a policy that permits intra-zone traffic:

    -
    - -
    -
    + +
    - + @@ -426,80 +209,298 @@ one entry for each interface and repeat the zone name as many times as necessar - + - - + + + + + + + + + + + + + + + +
    Source Zone Destination Zone Policy
    loclocnet ACCEPT    
    netallDROPinfo 
    allallREJECTinfo 
    -
    - + +

    The above policy will:

    + +
      +
    1. allow all connection requests from your local network to the internet
    2. +
    3. drop (ignore) all connection requests from the internet to your + firewall or local network and log a message at the info level +(here is a description of log levels).
    4. +
    5. reject all other connection requests and log a message at the + info level. When a request is rejected, the firewall will +return an RST (if the protocol is TCP) or an ICMP port-unreachable packet +for other protocols.
    6. + +
    + +

    +     At this point, edit your /etc/shorewall/policy and make any changes + that you wish.

    + +

    3.0 Network Interfaces

    + +

    For the remainder of this guide, we'll refer to the following + diagram. While it may not look like your own network, it can be used to + illustrate the important aspects of Shorewall configuration.

    + +

    In this diagram:

    + +
      +
    • The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used + to isolate your internet-accessible servers from your local systems so +that if one of those servers is compromised, you still have the firewall +between the compromised system and your local systems.
    • +
    • The Local Zone consists of systems Local 1, Local 2 and Local +3.
    • +
    • All systems from the ISP outward comprise the Internet Zone.
    • + +
    + +

    +

    + +

    The simplest way to define zones is to simply associate the + zone name (previously defined in /etc/shorewall/zones) with a network +interface. This is done in the /etc/shorewall/interfaces + file.

    + +

    The firewall illustrated above has three network interfaces. + Where Internet connectivity is through a cable or DSL "Modem", the External + Interface will be the Ethernet adapter that is connected to that "Modem" + (e.g., eth0unless you connect via Point-to-Point + Protocol over Ethernet (PPPoE) or Point-to-Point + Tunneling Protocol (PPTP) in which case the External +Interface will be a ppp interface (e.g., ppp0). If you connect +via a regular modem, your External Interface will also be ppp0. +If you connect using ISDN, you external interface will be ippp0.

    + +

    +     If your external interface is ppp0 or ippp0 then you + will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.

    + +

    Your Local Interface will be an Ethernet adapter (eth0, + eth1 or eth2) and will be connected to a hub or switch. Your local computers + will be connected to the same switch (note: If you have only a single +local system, you can connect the firewall directly to the computer using +a cross-over cable).

    + +

    Your DMZ Interface will also be an Ethernet adapter + (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ + computers will be connected to the same switch (note: If you have only +a single DMZ system, you can connect the firewall directly to the computer + using a cross-over cable).

    + +

    + Do not connect more than one interface to the same hub or switch + (even for testing). It won't work the way that you expect it to and you + will end up confused and believing that Linux networking doesn't work at +all.

    + +

    For the remainder of this Guide, we will assume that:

    + +
      +
    • +

      The external interface is eth0.

      +
    • +
    • +

      The Local interface is eth1.

      +
    • +
    • +

      The DMZ interface is eth2.

      +
    • + +
    + +

    The Shorewall default configuration does not define the contents + of any zone. To define the above configuration using the /etc/shorewall/interfaces + file, that file would might contain:

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918
    loceth1detect 
    dmzeth2detect 
    +
    +

    -     You may define more complicated zones using the + +

    Example:

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918
    loceth1detect 
    loceth2detectdhcp
    +
    + +
    +

    When you have more than one interface to a zone, you will + usually want a policy that permits intra-zone traffic:

    +
    + +
    +
    + + + + + + + + + + + + + + + + + + +
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    loclocACCEPT  
    +
    +
    + +

    +     You may define more complicated zones using the /etc/shorewall/hosts file but in most - cases, that isn't necessary.

    - + cases, that isn't necessary.

    +

    4.0 Addressing, Subnets and Routing

    - +

    Normally, your ISP will assign you a set of Public - IP addresses. You will configure your firewall's external interface to use - one of those addresses permanently and you will then have to decide how -you are going to use the rest of your addresses. Before we tackle that question - though, some background is in order.

    - + IP addresses. You will configure your firewall's external interface to +use one of those addresses permanently and you will then have to decide +how you are going to use the rest of your addresses. Before we tackle that +question though, some background is in order.

    +

    If you are thoroughly familiar with IP addressing and routing, - you may go to the next section.

    - + you may go to the next section.

    +

    The following discussion barely scratches the surface of addressing and routing. If you are interested in learning more about this subject, I highly recommend "IP Fundamentals: What Everyone Needs to Know about Addressing & Routing", Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.

    - +

    4.1 IP Addresses

    - +

    IP version 4 (IPv4) addresses are 32-bit numbers. - The notation w.x.y.z refers to an address where the high-order byte has + The notation w.x.y.z refers to an address where the high-order byte has value "w", the next byte has value "x", etc. If we take the address 192.0.2.14 - and express it in hexadecimal, we get:

    - -
    + and express it in hexadecimal, we get:

    + +

    C0.00.02.0E

    -
    - +
    +

    or looking at it as a 32-bit integer

    - -
    + +

    C000020E

    -
    - +
    +

    4.2 Subnets

    - +

    You will still hear the terms "Class A network", "Class B - network" and "Class C network". In the early days of IP, networks only -came in three sizes (there were also Class D networks but they were used -differently):

    - -
    + network" and "Class C network". In the early days of IP, networks only + came in three sizes (there were also Class D networks but they were used + differently):

    + +

    Class A - netmask 255.0.0.0, size = 2 ** 24

    - +

    Class B - netmask 255.255.0.0, size = 2 ** 16

    - +

    Class C - netmask 255.255.255.0, size = 256

    -
    - +
    +

    The class of a network was uniquely determined by the value - of the high order byte of its address so you could look at an IP address - and immediately determine the associated netmask. The netmask is -a number that when logically ANDed with an address isolates the network - number; the remainder of the address is the host number. For -example, in the Class C address 192.0.2.14, the network number is hex C00002 -and the host number is hex 0E.

    - + of the high order byte of its address so you could look at an IP address + and immediately determine the associated netmask. The netmask is + a number that when logically ANDed with an address isolates the network + number; the remainder of the address is the host number. For + example, in the Class C address 192.0.2.14, the network number is hex C00002 + and the host number is hex 0E.

    +

    As the internet grew, it became clear that such a gross partitioning of the 32-bit address space was going to be very limiting (early on, large corporations and universities were assigned their own class A network!). @@ -507,1950 +508,2002 @@ After some false starts, the current technique of subnetting these networks into smaller subnetworks evolved; that technique is referred to as Classless InterDomain Routing (CIDR). Today, any system that you are likely to work with will understand CIDR and Class-based networking - is largely a thing of the past.

    - + is largely a thing of the past.

    +

    A subnetwork (often referred to as a subnet) is - a contiguous set of IP addresses such that:

    - + a contiguous set of IP addresses such that:

    +
      -
    1. +
    2. The number of addresses in the set is a power of 2; and

      -
    3. -
    4. +
    5. +
    6. The first address in the set is a multiple of the set - size.

      -
    7. -
    8. + size.

      +
    9. +
    10. The first address in the subnet is reserved and is referred - to as the subnet address.

      -
    11. -
    12. + to as the subnet address.

      +
    13. +
    14. The last address in the subnet is reserved as the subnet's - broadcast address.

      -
    15. - + broadcast address.

      + +
    - +

    As you can see by this definition, in each subnet of size - n there are (n - 2) usable addresses (addresses that can - be assigned to hosts). The first and last address in the subnet are used - for the subnet address and subnet broadcast address respectively. Consequently, - small subnetworks are more wasteful of IP addresses than are large ones. -

    - + n there are (n - 2) usable addresses (addresses that can + be assigned to hosts). The first and last address in the subnet are +used for the subnet address and subnet broadcast address respectively. +Consequently, small subnetworks are more wasteful of IP addresses than +are large ones.

    +

    Since n is a power of two, we can easily calculate - the Natural Logarithm (log2) of n. For the more common - subnet sizes, the size and its natural logarithm are given in the following - table:

    - -
    + the Natural Logarithm (log2) of n. For the more +common subnet sizes, the size and its natural logarithm are given in the + following table:

    + +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    nlog2 n(32 - log2 n)
    8329
    16428
    32527
    64626
    128725
    256824
    512923
    10241022
    20481121
    40961220
    81921319
    163841418
    327681517
    655361616
    nlog2 n(32 - log2 n)
    8329
    16428
    32527
    64626
    128725
    256824
    512923
    10241022
    20481121
    40961220
    81921319
    163841418
    327681517
    655361616
    -
    - +
    +

    You will notice that the above table also contains a column - for (32 - log2 n). That number is the Variable Length Subnet - Mask for a network of size n. From the above table, we can -derive the following one which is a little easier to use.

    - -
    + for (32 - log2 n). That number is the Variable Length Subnet + Mask for a network of size n. From the above table, we can + derive the following one which is a little easier to use.

    + +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Size of SubnetVLSMSubnet Mask
    8/29255.255.255.248
    16/28255.255.255.240
    32/27255.255.255.224
    64/26255.255.255.192
    128/25255.255.255.128
    256/24255.255.255.0
    512/23255.255.254.0
    1024/22255.255.252.0
    2048/21255.255.248.0
    4096/20255.255.240.0
    8192/19255.255.224.0
    16384/18255.255.192.0
    32768/17255.255.128.0
    65536/16255.255.0.0
    2 ** 24/8255.0.0.0
    Size of SubnetVLSMSubnet Mask
    8/29255.255.255.248
    16/28255.255.255.240
    32/27255.255.255.224
    64/26255.255.255.192
    128/25255.255.255.128
    256/24255.255.255.0
    512/23255.255.254.0
    1024/22255.255.252.0
    2048/21255.255.248.0
    4096/20255.255.240.0
    8192/19255.255.224.0
    16384/18255.255.192.0
    32768/17255.255.128.0
    65536/16255.255.0.0
    2 ** 24/8255.0.0.0
    -
    - +
    +

    Notice that the VLSM is written with a slash ("/") -- you - will often hear a subnet of size 64 referred to as a "slash 26" subnet - and one of size 8 referred to as a "slash 29".

    - + will often hear a subnet of size 64 referred to as a "slash 26" subnet + and one of size 8 referred to as a "slash 29".

    +

    The subnet's mask (also referred to as its netmask) is - simply a 32-bit number with the first "VLSM" bits set to one and the + simply a 32-bit number with the first "VLSM" bits set to one and the remaining bits set to zero. For example, for a subnet of size 64, the subnet mask has 26 leading one bits:

    - -
    + +

    11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 - = 255.255.255.192

    -
    - + = 255.255.255.192

    +
    +

    The subnet mask has the property that if you logically AND - the subnet mask with an address in the subnet, the result is the subnet - address. Just as important, if you logically AND the subnet mask with -an address outside the subnet, the result is NOT the subnet address. As -we will see below, this property of subnet masks is very useful in routing.

    - + the subnet mask with an address in the subnet, the result is the subnet + address. Just as important, if you logically AND the subnet mask with + an address outside the subnet, the result is NOT the subnet address. +As we will see below, this property of subnet masks is very useful in +routing.

    +

    For a subnetwork whose address is a.b.c.d and whose - Variable Length Subnet Mask is /v, we denote the subnetwork as -"a.b.c.d/v" using CIDR Notation

    - + Variable Length Subnet Mask is /v, we denote the subnetwork as + "a.b.c.d/v" using CIDR Notation

    +

    Example:

    - -
    + +
    - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + +
    Subnet:10.10.10.0 - 10.10.10.127
    Subnet Size:128
    Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.127
    CIDR Notation:10.10.10.0/25
    Subnet:10.10.10.0 - 10.10.10.127
    Subnet Size:128
    Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.127
    CIDR Notation:10.10.10.0/25
    -
    - +
    +

    There are two degenerate subnets that need mentioning; namely, - the subnet with one member and the subnet with 2 ** 32 members.

    - -
    + the subnet with one member and the subnet with 2 ** 32 members.

    + +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    Size of SubnetworkVLSM LengthSubnet MaskCIDR Notation
    132255.255.255.255a.b.c.d/32
    2 ** 3200.0.0.00.0.0.0/0
    Size of SubnetworkVLSM LengthSubnet MaskCIDR Notation
    132255.255.255.255a.b.c.d/32
    2 ** 3200.0.0.00.0.0.0/0
    -
    - +
    +

    So any address a.b.c.d may also be written a.b.c.d/32 - and the set of all possible IP addresses is written 0.0.0.0/0.

    - + and the set of all possible IP addresses is written 0.0.0.0/0.

    +

    Later in this guide, you will see the notation a.b.c.d/v - used to describe the ip configuration of a network interface (the 'ip' + used to describe the ip configuration of a network interface (the 'ip' utility also uses this syntax). This simply means that the interface is configured with ip address a.b.c.d and with the netmask that corresponds to VLSM /v.

    - +

    Example: 192.0.2.65/29

    - +

        The interface is configured with IP address 192.0.2.65 - and netmask 255.255.255.248.

    - + and netmask 255.255.255.248.

    +

    4.3 Routing

    - +

    One of the purposes of subnetting is that it forms the basis - for routing. Here's the routing table on my firewall:

    - -
    -
    + for routing. Here's the routing table on my firewall:

    + +
    +
    [root@gateway root]# netstat -nr
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    192.168.9.1 0.0.0.0 255.255.255.255 UH 40 0 0 texas
    206.124.146.177 0.0.0.0 255.255.255.255 UH 40 0 0 eth1
    206.124.146.180 0.0.0.0 255.255.255.255 UH 40 0 0 eth3
    192.168.3.0 0.0.0.0 255.255.255.0 U 40 0 0 eth3
    192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
    192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2
    206.124.146.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
    192.168.9.0 192.0.2.223 255.255.255.0 UG 40 0 0 texas
    127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
    0.0.0.0 206.124.146.254 0.0.0.0 UG 40 0 0 eth0
    [root@gateway root]#
    -
    -
    - +
    +
    +

    The device texas is a GRE tunnel to a peer site in - the Dallas, Texas area.
    -
    - The first three routes are host routes since they indicate how -to get to a single host. In the 'netstat' output this can be seen by the -"Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the Flags column. -The remainder are 'net' routes since they tell the kernel how to route + the Dallas, Texas area.
    +
    + The first three routes are host routes since they indicate how + to get to a single host. In the 'netstat' output this can be seen by the + "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the Flags column. + The remainder are 'net' routes since they tell the kernel how to route packets to a subnetwork. The last route is the default route and the gateway mentioned in that route is called the default gateway.

    - +

    When the kernel is trying to send a packet to IP address A, it starts at the top of the routing table and:

    - +
      -
    • +
    • A is logically ANDed with the 'Genmask' value in the table entry.

      -
    • -
    • +
    • +
    • The result is compared with the 'Destination' value in - the table entry.

      -
    • -
    • + the table entry.

      +
    • +
    • If the result and the 'Destination' value are the same, - then:

      - + then:

      +
        -
      • +
      • If the 'Gateway' column is non-zero, the packet is - sent to the gateway over the interface named in the 'Iface' column.

        -
      • -
      • + sent to the gateway over the interface named in the 'Iface' column.

        +
      • +
      • Otherwise, the packet is sent directly to A over - the interface named in the 'iface' column.

        -
      • - + the interface named in the 'iface' column.

        + +
      -
    • -
    • +
    • +
    • Otherwise, the above steps are repeated on the next entry - in the table.

      -
    • - + in the table.

      + +
    - +

    Since the default route matches any IP address (A land 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table entries are sent to the default gateway which is usually a router at your ISP.

    - +

    Lets take an example. Suppose that we want to route a packet - to 192.168.1.5. That address clearly doesn't match any of the host routes - in the table but if we logically and that address with 255.255.255.0, the - result is 192.168.1.0 which matches this routing table entry:

    - -
    -
    + to 192.168.1.5. That address clearly doesn't match any of the host routes + in the table but if we logically and that address with 255.255.255.0, +the result is 192.168.1.0 which matches this routing table entry:

    + +
    +
    192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2
    -
    - +
    +

    So to route a packet to 192.168.1.5, the packet is sent directly over eth2.

    -
    - +
    +

    One more thing needs to be emphasized -- all outgoing packet - are sent using the routing table and reply packets are not a special case. - There seems to be a common mis-conception whereby people think that request - packets are like salmon and contain a genetic code that is magically transferred - to reply packets so that the replies follow the reverse route taken by + are sent using the routing table and reply packets are not a special case. + There seems to be a common mis-conception whereby people think that request + packets are like salmon and contain a genetic code that is magically transferred + to reply packets so that the replies follow the reverse route taken by the request. That isn't the case; the replies may take a totally different route back to the client than was taken by the requests -- they are totally independent.

    - +

    4.4 Address Resolution Protocol

    - +

    When sending packets over Ethernet, IP addresses aren't used. - Rather Ethernet addressing is based on Media Access Control (MAC) - addresses. Each Ethernet device has it's own unique  MAC address which + Rather Ethernet addressing is based on Media Access Control (MAC) + addresses. Each Ethernet device has it's own unique  MAC address which is burned into a PROM on the device during manufacture. You can obtain the MAC of an Ethernet device using the 'ip' utility:

    - -
    -
    + +
    +
    [root@gateway root]# ip addr show eth0
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0
    inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0
    [root@gateway root]#
    -
    -
    - -
    +
    +
    + +

    As you can see from the above output, the MAC is 6 bytes (48 bits) wide. A card's MAC is usually also printed on a label attached to the card itself.

    -
    - -
    +
    + +

    Because IP uses IP addresses and Ethernet uses MAC addresses, - a mechanism is required to translate an IP address into a MAC address; - that is the purpose of the Address Resolution Protocol (ARP). + a mechanism is required to translate an IP address into a MAC address; + that is the purpose of the Address Resolution Protocol (ARP). Here is ARP in action:

    -
    - -
    -
    -
    +
    + +
    +
    +
    [root@gateway root]# tcpdump -nei eth2 arp
    tcpdump: listening on eth2
    09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254
    09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0

    2 packets received by filter
    0 packets dropped by kernel
    [root@gateway root]#
    -
    -
    -
    - +
    + + +

    In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants - to know the MAC of the device with IP address 192.168.1.19. The system + to know the MAC of the device with IP address 192.168.1.19. The system having that IP address is responding that the MAC address of the device with IP address 192.168.1.19 is 0:6:25:aa:8a:f0.

    - +

    In order to avoid having to exchange ARP information each - time that an IP packet is to be sent, systems maintain an ARP cache - of IP<->MAC correspondences. You can see the ARP cache on your system - (including your Windows system) using the 'arp' command:

    - -
    -
    + time that an IP packet is to be sent, systems maintain an ARP cache + of IP<->MAC correspondences. You can see the ARP cache on your system + (including your Windows system) using the 'arp' command:

    + +
    +
    [root@gateway root]# arp -na
    ? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
    ? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
    ? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
    ? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
    ? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
    -
    -
    - +
    +
    +

    The leading question marks are a result of my having specified - the 'n' option (Windows 'arp' doesn't allow that option) which causes the - 'arp' program to forego IP->DNS name translation. Had I not given that - option, the question marks would have been replaced with the FQDN corresponding - to each IP address. Notice that the last entry in the table records the -information we saw using tcpdump above.

    - + the 'n' option (Windows 'arp' doesn't allow that option) which causes +the 'arp' program to forego IP->DNS name translation. Had I not given +that option, the question marks would have been replaced with the FQDN +corresponding to each IP address. Notice that the last entry in the table +records the information we saw using tcpdump above.

    +

    4.5 RFC 1918

    - +

    IP addresses are allocated by the Internet Assigned Number Authority (IANA) - who delegates allocations on a geographic basis to Regional Internet - Registries (RIRs). For example, allocation for the Americas and for + who delegates allocations on a geographic basis to Regional Internet + Registries (RIRs). For example, allocation for the Americas and for sub-Sahara Africa is delegated to the American - Registry for Internet Numbers (ARIN). These RIRs may in turn delegate - to national registries. Most of us don't deal with these registrars but -rather get our IP addresses from our ISP.

    - + Registry for Internet Numbers (ARIN). These RIRs may in turn delegate + to national registries. Most of us don't deal with these registrars but + rather get our IP addresses from our ISP.

    +

    It's a fact of life that most of us can't afford as many Public IP addresses as we have devices to assign them to so we end up making use of Private IP addresses. RFC 1918 reserves several IP address ranges for this purpose:

    - -
    + +
         10.0.0.0    - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255
    -
    - -
    +
    + +

    The addresses reserved by RFC 1918 are sometimes referred - to as non-routable because the Internet backbone routers don't -forward packets which have an RFC-1918 destination address. This is understandable - given that anyone can select any of these addresses for their private -use.

    -
    - -
    + to as non-routable because the Internet backbone routers don't + forward packets which have an RFC-1918 destination address. This is understandable + given that anyone can select any of these addresses for their private + use.

    +
    + +

    When selecting addresses from these ranges, there's a couple - of things to keep in mind:

    -
    - -
    + of things to keep in mind:

    +
    + +
      -
    • +
    • As the IPv4 address space becomes depleted, more and more organizations (including ISPs) are beginning to use RFC 1918 addresses - in their infrastructure.

      -
    • -
    • + in their infrastructure.

      +
    • +
    • You don't want to use addresses that are being used by - your ISP or by another organization with whom you want to establish -a VPN relationship.

      -
    • - + your ISP or by another organization with whom you want to establish + a VPN relationship.

      + +
    -
    - -
    +
    + +

    So it's a good idea to check with your ISP to see if they - are using (or are planning to use) private addresses before you decide - the addresses that you are going to use.

    -
    - -
    + are using (or are planning to use) private addresses before you decide + the addresses that you are going to use.

    +
    + +

    5.0 Setting up your Network

    -
    - -
    +
    + +

    The choice of how to set up your network depends primarily - on how many Public IP addresses you have vs. how many addressable entities - you have in your network. Regardless of how many addresses you have, + on how many Public IP addresses you have vs. how many addressable entities + you have in your network. Regardless of how many addresses you have, your ISP will handle that set of addresses in one of two ways:

    -
    - -
    +
    + +
      -
    1. +
    2. Routed - Traffic to any of your addresses will - be routed through a single gateway address. This will generally - only be done if your ISP has assigned you a complete subnet (/29 or larger). - In this case, you will assign the gateway address as the IP address of - your firewall/router's external interface.

      -
    3. -
    4. + be routed through a single gateway address. This will generally + only be done if your ISP has assigned you a complete subnet (/29 or +larger). In this case, you will assign the gateway address as the IP +address of your firewall/router's external interface.

      +
    5. +
    6. Non-routed - Your ISP will send traffic to each - of your addresses directly.

      -
    7. - + of your addresses directly.

      + +
    -
    - -
    +
    + +

    In the subsections that follow, we'll look at each of these - separately.
    -

    + separately.
    +

    +

    Before we begin, there is one thing for you to check:

    +

    -     If you are using the Debian package, please check your shorewall.conf -file to ensure that the following are set correctly; if they are not, change -them appropriately:
    -

    +     If you are using the Debian package, please check your shorewall.conf + file to ensure that the following are set correctly; if they are not, change + them appropriately:
    +

    +
      -
    • NAT_ENABLED=Yes
    • -
    • IP_FORWARDING=On
      -
    • +
    • NAT_ENABLED=Yes
    • +
    • IP_FORWARDING=On
      +
    • +
    -
    - -
    +
    + +

    5.1 Routed

    -
    - -
    +
    + +

    Let's assume that your ISP has assigned you the subnet 192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses - 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address + 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address is 192.0.2.65. Your ISP has also told you that you should use a netmask of 255.255.255.0 (so your /28 is part of a larger /24). With this many IP addresses, you are able to subnet your /28 into two /29's and set up your network as shown in the following diagram.

    -
    - -
    +
    + +

    -

    -
    - -
    +

    +
    + +

    Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local network is 192.0.2.72/29. The default gateway for hosts in the DMZ would be configured to 192.0.2.66 and the default gateway for hosts in the local network would be 192.0.2.73.

    -
    - -
    +
    + +

    Notice that this arrangement is rather wasteful of public - IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet addresses, - 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and 192.0.2.66 - and 168.0.2.73 for internal addresses on the firewall/router. Nevertheless, - it shows how subnetting can work and if we were dealing with a /24 rather - than a /28 network, the use of 6 IP addresses out of 256 would be justified - because of the simplicity of the setup.

    -
    - -
    + IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet +addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses +and 192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router. +Nevertheless, it shows how subnetting can work and if we were dealing +with a /24 rather than a /28 network, the use of 6 IP addresses out +of 256 would be justified because of the simplicity of the setup.

    +
    + +

    The astute reader may have noticed that the Firewall/Router's - external interface is actually part of the DMZ subnet (192.0.2.64/29). - What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The + external interface is actually part of the DMZ subnet (192.0.2.64/29). + What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The routing table on DMZ 1 will look like this:

    -
    - -
    -
    +
    + +
    +
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    192.0.2.64 0.0.0.0 255.255.255.248 U 40 0 0 eth0
    0.0.0.0 192.0.2.66 0.0.0.0 UG 40 0 0 eth0
    -
    -
    - -
    + +
    + +

    This means that DMZ 1 will send an ARP "who-has 192.0.2.65" - request and no device on the DMZ Ethernet segment has that IP address. - Oddly enough, the firewall will respond to the request with the MAC address - of its DMZ Interface!! DMZ 1 can then send Ethernet frames addressed - to that MAC address and the frames will be received (correctly) by the - firewall/router.

    -
    - -
    + request and no device on the DMZ Ethernet segment has that IP address. + Oddly enough, the firewall will respond to the request with the MAC +address of its DMZ Interface!! DMZ 1 can then send Ethernet frames +addressed to that MAC address and the frames will be received (correctly) +by the firewall/router.

    +
    + +

    It is this rather unexpected ARP behavior on the part of the Linux Kernel that prompts the warning earlier in this guide regarding the connecting of multiple firewall/router interfaces to the same hub or switch. When an ARP request for one of the firewall/router's IP addresses is sent by another system connected to the hub/switch, all of the firewall's - interfaces that connect to the hub/switch can respond! It is then a race - as to which "here-is" response reaches the sender first.

    -
    - -
    + interfaces that connect to the hub/switch can respond! It is then a +race as to which "here-is" response reaches the sender first.

    +
    + +

    5.2 Non-routed

    -
    - -
    +
    + +

    If you have the above situation but it is non-routed, you can configure your network exactly as described above with one additional - twist; simply specify the "proxyarp" option on all three firewall interfaces - in the /etc/shorewall/interfaces file.

    -
    - -
    + twist; simply specify the "proxyarp" option on all three firewall interfaces + in the /etc/shorewall/interfaces file.

    +
    + +

    Most of us don't have the luxury of having enough public IP addresses to set up our networks as shown in the preceding example (even if the setup is routed).

    -
    - -
    +
    + +

    For the remainder of this section, assume that your ISP - has assigned you IP addresses 192.0.2.176-180 and has told you to use -netmask 255.255.255.0 and default gateway 192.0.2.254.

    -
    - -
    + has assigned you IP addresses 192.0.2.176-180 and has told you to use + netmask 255.255.255.0 and default gateway 192.0.2.254.

    +
    + +

    Clearly, that set of addresses doesn't comprise a subnetwork - and there aren't enough addresses for all of the network interfaces. + and there aren't enough addresses for all of the network interfaces. There are four different techniques that can be used to work around this problem.

    -
    - -
    +
    + +
      -
    • +
    • Source Network Address Translation (SNAT).

      -
    • -
    • +
    • +
    • Destination Network Address Translation (DNAT) - also known as Port Forwarding.

      -
    • -
    • + also known as Port Forwarding.

      +
    • +
    • Proxy ARP.

      -
    • -
    • +
    • +
    • Network Address Translation (NAT) also referred - to as Static NAT.

      -
    • - + to as Static NAT.

      + +
    -
    - -
    +
    + +

    Often a combination of these techniques is used. Each of these will be discussed in the sections that follow.

    -
    - -
    +
    + +

     5.2.1 SNAT

    -
    - -
    +
    + +

    With SNAT, an internal LAN segment is configured using RFC - 1918 addresses. When a host A on this internal segment initiates - a connection to host B on the internet, the firewall/router rewrites - the IP header in the request to use one of your public IP addresses as - the source address. When B responds and the response is received - by the firewall, the firewall changes the destination address back to -the RFC 1918 address of A and forwards the response back to A.

    -
    - -
    + 1918 addresses. When a host A on this internal segment initiates + a connection to host B on the internet, the firewall/router rewrites + the IP header in the request to use one of your public IP addresses +as the source address. When B responds and the response is received + by the firewall, the firewall changes the destination address back to + the RFC 1918 address of A and forwards the response back to A.

    +
    + +

    Let's suppose that you decide to use SNAT on your local zone - and use public address 192.0.2.176 as both your firewall's external IP - address and the source IP address of internet requests sent from that -zone.

    -
    - -
    + and use public address 192.0.2.176 as both your firewall's external +IP address and the source IP address of internet requests sent from +that zone.

    +
    + +

    -

    -
    - + +
    +
    The local zone has been subnetted as 192.168.201.0/29 - (netmask 255.255.255.248).
    - + (netmask 255.255.255.248). +
     
    - +
    -     The systems in the local zone would be configured with a default -gateway of 192.168.201.1 (the IP address of the firewall's local interface).
    - +     The systems in the local zone would be configured with a default + gateway of 192.168.201.1 (the IP address of the firewall's local interface). +
     
    - +
    -     SNAT is configured in Shorewall using the /etc/shorewall/masq file.
    - -
    -
    + +
    +
    - - - - - - - - - - - - - + + + + + + + + + + + + +
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    -
    -
    - -
    +
    +
    + +

    This example used the normal technique of assigning the same - public IP address for the firewall external interface and for SNAT. If - you wanted to use a different IP address, you would either have to use - your distributions network configuration tools to add that IP address -to the external interface or you could set ADD_SNAT_ALIASES=Yes in -/etc/shorewall/shorewall.conf and Shorewall will add the address for you.

    -
    - -
    + public IP address for the firewall external interface and for SNAT. +If you wanted to use a different IP address, you would either have to +use your distributions network configuration tools to add that IP address + to the external interface or you could set ADD_SNAT_ALIASES=Yes in + /etc/shorewall/shorewall.conf and Shorewall will add the address for you.

    +
    + +

    5.2.2 DNAT

    -
    - -
    +
    + +

    When SNAT is used, it is impossible for hosts on the internet - to initiate a connection to one of the internal systems since those systems - do not have a public IP address. DNAT provides a way to allow selected - connections from the internet.

    -
    - -
    + to initiate a connection to one of the internal systems since those +systems do not have a public IP address. DNAT provides a way to allow +selected connections from the internet.

    +
    + +

    -      Suppose that your daughter wants to run a web server on her system - "Local 3". You could allow connections to the internet to her server +      Suppose that your daughter wants to run a web server on her system + "Local 3". You could allow connections to the internet to her server by adding the following entry in /etc/shorewall/rules:

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
    DNATnetloc:192.168.201.4tcpwww-192.0.2.176
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
    DNATnetloc:192.168.201.4tcpwww-192.0.2.176
    -
    -
    - -
    + +
    + +

    If one of your daughter's friends at address A wants - to access your daughter's server, she can connect to http://192.0.2.176 (the firewall's external - IP address) and the firewall will rewrite the destination IP address + IP address) and the firewall will rewrite the destination IP address to 192.168.201.4 (your daughter's system) and forward the request. When your daughter's server responds, the firewall will rewrite the source address back to 192.0.2.176 and send the response back to A.

    -
    - -
    +
    + +

    This example used the firewall's external IP address for DNAT. You can use another of your public IP addresses but Shorewall will not add that address to the firewall's external interface for you.

    -
    - -
    +
    + +

    5.2.3 Proxy ARP

    -
    - -
    +
    + +

    The idea behind proxy ARP is that:

    -
    - -
    +
    + +
      -
    • +
    • A host H behind your firewall is assigned one of your public IP addresses (A) and is assigned the same netmask (M) as the firewall's external interface.

      -
    • -
    • +
    • +
    • The firewall responds to ARP "who has" requests for A. -

      -
    • -
    • +

      +
    • +
    • When H issues an ARP "who has" request for an address in the subnetwork defined by A and M, the firewall will respond (with the MAC if the firewall interface to H).

      -
    • - + +
    -
    - -
    +
    + +

    Let suppose that we decide to use Proxy ARP on the DMZ in - our example network.

    -
    - -
    + our example network.

    +
    + +

    -

    -
    - +

    + +
    Here, we've assigned the IP addresses 192.0.2.177 to - system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned - an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface -on the firewall. That address and netmask isn't relevant - just be sure -it doesn't overlap another subnet that you've defined.
    - + system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned + an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface + on the firewall. That address and netmask isn't relevant - just be sure + it doesn't overlap another subnet that you've defined. +
     
    - +
    -     The Shorewall configuration of Proxy ARP is done using the /etc/shorewall/proxyarp file.
    - -
    -
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    ADDRESSINTERFACEEXTERNALHAVE ROUTE
    192.0.2.177eth2eth0No
    192.0.2.178eth2eth0No
    ADDRESSINTERFACEEXTERNALHAVE ROUTE
    192.0.2.177eth2eth0No
    192.0.2.178eth2eth0No
    -
    -
    - -
    +
    +
    + +

    Because the HAVE ROUTE column contains No, Shorewall will - add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.

    + add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.
    +

    +

    The ethernet interfaces on DMZ 1 and DMZ 2 should be configured +to have the IP addresses shown but should have the same default gateway as +the firewall itself -- namely 192.0.2.254.
    +

    +
    + +
    +

    +
    + +
    +
    +

    A word of warning is in order here. ISPs typically configure + their routers with a long ARP cache timeout. If you move a system from + parallel to your firewall to behind your firewall with Proxy ARP, it will + probably be HOURS before that system can communicate with the internet. +There are a couple of things that you can try:
    +

    + +
      +
    1. (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP Illustrated, +Vol 1 reveals that a
      +
      + "gratuitous" ARP packet should cause the ISP's router to refresh their ARP +cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC +address for its own IP; in addition to ensuring that the IP address isn't +a duplicate,...
      +
      + "if the host sending the gratuitous ARP has just changed its hardware address..., + this packet causes any other host...that has an entry in its cache for the + old hardware address to update its ARP cache entry accordingly."
      +
      + Which is, of course, exactly what you want to do when you switch a host +from being exposed to the Internet to behind Shorewall using proxy ARP (or +static NAT for that matter). Happily enough, recent versions of Redhat's iputils +package include "arping", whose "-U" flag does just that:
      +
      +     arping -U -I <net if> <newly proxied +IP>
      +     arping -U -I eth0 66.58.99.83 # for example
      +
      + Stevens goes on to mention that not all systems respond correctly to gratuitous + ARPs, but googling for "arping -U" seems to support the idea that it works + most of the time.
      +
      +
    2. +
    3. You can call your ISP and ask them to purge the stale ARP cache +entry but many either can't or won't purge individual entries.
    4. + +
    + You can determine if your ISP's gateway ARP cache is stale using ping +and tcpdump. Suppose that we suspect that the gateway router has a stale +ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:
    + +
    +
    	tcpdump -nei eth0 icmp
    - -
    -

    A word of warning is in order here. ISPs typically configure - their routers with a long ARP cache timeout. If you move a system from - parallel to your firewall to behind your firewall with Proxy ARP, it -will probably be HOURS before that system can communicate with the internet. - You can call your ISP and ask them to purge the stale ARP cache entry -but many either can't or won't purge individual entries. You can determine - if your ISP's gateway ARP cache is stale using ping and tcpdump. Suppose - that we suspect that the gateway router has a stale ARP cache entry for - 192.0.2.177. On the firewall, run tcpdump as follows:

    + +
    +

    Now from 130.252.100.19, ping the ISP's gateway (which we +will assume is 130.252.100.254):

    +
    + +
    +
    	ping 130.252.100.254
    - -
    -
    	tcpdump -nei eth0 icmp
    -
    - -
    -

    Now from 192.0.2.177, ping the default gateway (which we -are assuming is 192.0.2.254):

    -
    - -
    -
    	ping 192.0.2.254
    -
    - -
    +
    + +

    We can now observe the tcpdump output:

    -
    - -
    +
    + +
    	13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
    13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 192.0.2.254 > 192.0.2.177 : icmp: echo reply
    -
    - -
    +
    + +

    Notice that the source MAC address in the echo request is - different from the destination MAC address in the echo reply!! In this - case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 - was the MAC address of DMZ 1. In other words, the gateway's ARP cache -still associates 192.0.2.177 with the NIC in DMZ 1 rather than with the -firewall's eth0.

    -
    - -
    + different from the destination MAC address in the echo reply!! In this + case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 + was the MAC address of DMZ 1. In other words, the gateway's ARP cache + still associates 192.0.2.177 with the NIC in DMZ 1 rather than with the + firewall's eth0.

    +
    + +

    5.2.4 Static NAT

    -
    - -
    +
    + +

    With static NAT, you assign local systems RFC 1918 addresses - then establish a one-to-one mapping between those addresses and public - IP addresses. For outgoing connections SNAT occurs and on incoming connections - DNAT occurs. Let's go back to our earlier example involving your daughter's - web server running on system Local 3.

    -
    - -
    + then establish a one-to-one mapping between those addresses and public + IP addresses. For outgoing connections SNAT occurs and on incoming connections + DNAT occurs. Let's go back to our earlier example involving your daughter's + web server running on system Local 3.

    +
    + +

    -

    -
    - -
    +

    +
    + +

    Recall that in this setup, the local network is using SNAT - and is sharing the firewall external IP (192.0.2.176) for outbound connections. - This is done with the following entry in /etc/shorewall/masq:

    -
    - -
    -
    + and is sharing the firewall external IP (192.0.2.176) for outbound connections. + This is done with the following entry in /etc/shorewall/masq:

    +
    + +
    +
    - - - - - - - - - - - - - + + + + + + + + + + + + +
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    -
    -
    - -
    + +
    + +

    -     Suppose now that you have decided to give your daughter her own -IP address (192.0.2.179) for both inbound and outbound connections. You -would do that by adding an entry in /etc/shorewall/nat.

    -
    - -
    -
    +     Suppose now that you have decided to give your daughter her own + IP address (192.0.2.179) for both inbound and outbound connections. +You would do that by adding an entry in /etc/shorewall/nat.

    +
    + +
    +
    - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +
    EXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
    192.0.2.179eth0192.168.201.4NoNo
    EXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
    192.0.2.179eth0192.168.201.4NoNo
    -
    -
    - -
    + +
    + +

    With this entry in place, you daughter has her own IP address - and the other two local systems share the firewall's IP address.

    -
    - -
    + and the other two local systems share the firewall's IP address.

    +
    + +

    -     Once the relationship between 192.0.2.179 and 192.168.201.4 is established - by the nat file entry above, it is no longer appropriate to use a -DNAT rule for you daughter's web server -- you would rather just use -an ACCEPT rule:

    -
    - -
    -
    +     Once the relationship between 192.0.2.179 and 192.168.201.4 is +established by the nat file entry above, it is no longer appropriate +to use a DNAT rule for you daughter's web server -- you would rather just +use an ACCEPT rule:

    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
    ACCEPTnetloc:192.168.201.4tcpwww  
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
    ACCEPTnetloc:192.168.201.4tcpwww  
    -
    -
    - -
    + +
    + +

    5.3 Rules

    -
    - -
    +
    + +

    -     With the default policies, your local systems (Local 1-3) can access - any servers on the internet and the DMZ can't access any other host (including - the firewall). With the exception of DNAT rules which - cause address translation and allow the translated connection request -to pass through the firewall, the way to allow connection requests through - your firewall is to use ACCEPT rules.

    -
    - -
    +     With the default policies, your local systems (Local 1-3) can +access any servers on the internet and the DMZ can't access any other +host (including the firewall). With the exception of DNAT rules which cause address translation and allow +the translated connection request to pass through the firewall, the way +to allow connection requests through your firewall is to use ACCEPT +rules.

    +
    + +

    NOTE: Since the SOURCE PORT and ORIG. DEST. Columns aren't - used in this section, they won't be shown

    -
    - -
    + used in this section, they won't be shown

    +
    + +

    You probably want to allow ping between your zones:

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORT
    ACCEPTnetdmzicmpecho-request
    ACCEPTnetlocicmpecho-request
    ACCEPTdmzlocicmpecho-request
    ACCEPTlocdmzicmpecho-request
    ACTIONSOURCEDESTINATIONPROTOCOLPORT
    ACCEPTnetdmzicmpecho-request
    ACCEPTnetlocicmpecho-request
    ACCEPTdmzlocicmpecho-request
    ACCEPTlocdmzicmpecho-request
    -
    -
    - -
    + +
    + +

    Let's suppose that you run mail and pop3 servers on DMZ 2 - and a Web Server on DMZ 1. The rules that you would need are:

    -
    - -
    -
    + and a Web Server on DMZ 1. The rules that you would need are:

    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
    ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
    ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
    ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
    ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
    ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
    ACCEPTnetdmz:192.0.2.177tcphttp# WWW from the Net
    ACCEPTnetdmz:192.0.2.177tcphttps# Secure HTTP from the Net
    ACCEPTlocdmz:192.0.2.177tcphttps# Secure HTTP from the Local Net
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
    ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
    ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
    ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
    ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
    ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
    ACCEPTnetdmz:192.0.2.177tcphttp# WWW from the Net
    ACCEPTnetdmz:192.0.2.177tcphttps# Secure HTTP from the Net
    ACCEPTlocdmz:192.0.2.177tcphttps# Secure HTTP from the Local Net
    -
    -
    - -
    + +
    + +

    If you run a public DNS server on 192.0.2.177, you would need to add the following rules:

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
    ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
    ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
    ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
    ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
    ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
    ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
    ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
    ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
    ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
    ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
    ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
    ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
    ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
    ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
    -
    -
    - -
    + +
    + +

    You probably want some way to communicate with your firewall - and DMZ systems from the local network -- I recommend SSH which through - its scp utility can also do publishing and software update distribution.

    -
    - -
    -
    + and DMZ systems from the local network -- I recommend SSH which through + its scp utility can also do publishing and software update distribution.

    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTlocdmztcpssh# SSH to the DMZ
    ACCEPTlocfwtcpssh# SSH to the Firewall
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTlocdmztcpssh# SSH to the DMZ
    ACCEPTlocfwtcpssh# SSH to the Firewall
    -
    -
    - -
    + +
    + +

    5.4 Odds and Ends

    -
    - -
    +
    + +

    The above discussion reflects my personal preference for using Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I prefer to use NAT only in cases where a system that is part of an RFC 1918 subnet needs to have it's own public IP. 

    -
    - -
    +
    + +

    -     If you haven't already, it would be a good idea to browse through - /etc/shorewall/shorewall.conf just - to see if there is anything there that might be of interest. You might - also want to look at the other configuration files that you haven't touched - yet just to get a feel for the other things that Shorewall can do.

    -
    - -
    +     If you haven't already, it would be a good idea to browse through + /etc/shorewall/shorewall.conf just + to see if there is anything there that might be of interest. You might + also want to look at the other configuration files that you haven't +touched yet just to get a feel for the other things that Shorewall can +do.

    +
    + +

    In case you haven't been keeping score, here's the final set of configuration files for our sample network. Only those that were modified from the original installation are shown.

    -
    - -
    +
    + +

    /etc/shorewall/interfaces (The "options" will be very site-specific).

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918,routefilter
    loceth1detect 
    dmzeth2detect 
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918,routefilter
    loceth1detect 
    dmzeth2detect 
    -
    -
    - -
    + +
    + +

    The setup described here requires that your network interfaces - be brought up before Shorewall can start. This opens a short window during - which you have no firewall protection. If you replace 'detect' with the - actual broadcast addresses in the entries above, you can bring up Shorewall - before you bring up your network interfaces.

    -
    - -
    -
    + be brought up before Shorewall can start. This opens a short window +during which you have no firewall protection. If you replace 'detect' +with the actual broadcast addresses in the entries above, you can bring +up Shorewall before you bring up your network interfaces.

    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ZoneInterfaceBroadcastOptions
    neteth0192.0.2.255norfc1918,routefilter
    loceth1192.168.201.7 
    dmzeth2192.168.202.7 
    ZoneInterfaceBroadcastOptions
    neteth0192.0.2.255norfc1918,routefilter
    loceth1192.168.201.7 
    dmzeth2192.168.202.7 
    -
    -
    - -
    + +
    + +

    /etc/shorewall/masq - Local subnet

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - + + + + + + + + + + + + +
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    -
    -
    - -
    + +
    + +

    /etc/shorewall/proxyarp - DMZ

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    ADDRESSINTERFACEEXTERNALHAVE ROUTE
    192.0.2.177eth2eth0No
    192.0.2.178eth2eth0No
    ADDRESSINTERFACEEXTERNALHAVE ROUTE
    192.0.2.177eth2eth0No
    192.0.2.178eth2eth0No
    -
    -
    - -
    + +
    + +

    /etc/shorewall/nat- Daughter's System

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +
    EXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
    192.0.2.179eth0192.168.201.4NoNo
    EXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
    192.0.2.179eth0192.168.201.4NoNo
    -
    -
    - -
    + +
    + +

    /etc/shorewall/rules

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
    ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
    ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
    ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
    ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
    ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
    ACCEPTnetdmz:192.0.2.178tcphttp# WWW from the Net
    ACCEPTnetdmz:192.0.2.178tcphttps# Secure HTTP from the Net
    ACCEPTlocdmz:192.0.2.178tcphttps# Secure HTTP from the Local Net
    ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
    ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
    ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
    ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
    ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
    ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
    ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
    ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
    ACCEPTnetdmzicmpecho-request# Ping
    ACCEPTnetlocicmpecho-request#  "
    ACCEPTdmzlocicmpecho-request# "
    ACCEPTlocdmzicmpecho-request# "
    ACCEPTlocdmztcpssh# SSH to the DMZ
    ACCEPTlocfwtcpssh# SSH to the Firewall
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
    ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
    ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
    ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
    ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
    ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
    ACCEPTnetdmz:192.0.2.178tcphttp# WWW from the Net
    ACCEPTnetdmz:192.0.2.178tcphttps# Secure HTTP from the Net
    ACCEPTlocdmz:192.0.2.178tcphttps# Secure HTTP from the Local Net
    ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
    ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
    ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
    ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
    ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
    ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
    ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
    ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
    ACCEPTnetdmzicmpecho-request# Ping
    ACCEPTnetlocicmpecho-request#  "
    ACCEPTdmzlocicmpecho-request# "
    ACCEPTlocdmzicmpecho-request# "
    ACCEPTlocdmztcpssh# SSH to the DMZ
    ACCEPTlocfwtcpssh# SSH to the Firewall
    -
    -
    - -
    + +
    + +

    6.0 DNS

    -
    - -
    +
    + +

    Given the collection of RFC 1918 and public addresses in this setup, it only makes sense to have separate internal and external DNS servers. You can combine the two into a single BIND 9 server using Views. If you are not interested in Bind 9 views, you can go to the next section.

    -
    - -
    +
    + +

    Suppose that your domain is foobar.net and you want the two - DMZ systems named www.foobar.net and mail.foobar.net and you want the -three local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net. - You want your firewall to be known as firewall.foobar.net externally -and it's interface to the local network to be know as gateway.foobar.net + DMZ systems named www.foobar.net and mail.foobar.net and you want the + three local systems named "winken.foobar.net, blinken.foobar.net and +nod.foobar.net. You want your firewall to be known as firewall.foobar.net +externally and it's interface to the local network to be know as gateway.foobar.net and its interface to the dmz as dmz.foobar.net. Let's have the DNS server -on 192.0.2.177 which will also be known by the name ns1.foobar.net.

    -
    - -
    + on 192.0.2.177 which will also be known by the name ns1.foobar.net.

    +
    + +

    The /etc/named.conf file would look like this:

    -
    - -
    -
    -
    +
    + +
    +
    +
    options {
    directory "/var/named";
    listen-on { 127.0.0.1 ; 192.0.2.177; };
    };

    logging {
    channel xfer-log {
    file "/var/log/named/bind-xfer.log";
    print-category yes;
    print-severity yes;
    print-time yes;
    severity info;
    };
    category xfer-in { xfer-log; };
    category xfer-out { xfer-log; };
    category notify { xfer-log; };
    };
    -
    - -
    -
    #
    # This is the view presented to our internal systems
    #

    view "internal" {
    #
    # These are the clients that see this view
    #
    match-clients { 192.168.201.0/29;
    192.168.202.0/29;
    127.0.0/24;
    192.0.2.176/32;
    192.0.2.178/32;
    192.0.2.179/32;
    192.0.2.180/32; };
    #
    # If this server can't complete the request, it should use outside
    # servers to do so
    #
    recursion yes;

    zone "." in {
    type hint;
    file "int/root.cache";
    };

    zone "foobar.net" in {
    type master;
    notify no;
    allow-update { none; };
    file "int/db.foobar";
    };

    zone "0.0.127.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "int/db.127.0.0";
    };

    zone "201.168.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "int/db.192.168.201";
    };

    zone "202.168.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "int/db.192.168.202";
    };

    zone "176.2.0.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "db.192.0.2.176";
    };

    zone "177.2.0.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "db.192.0.2.177";
    };

    zone "178.2.0.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "db.192.0.2.178";
    };

    zone "179.2.0.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "db.206.124.146.179";
    };

    };
    #
    # This is the view that we present to the outside world
    #
    view "external" {
    match-clients { any; };
    #
    # If we can't answer the query, we tell the client so
    #
    recursion no;

    zone "foobar.net" in {
    type master;
    notify yes;
    allow-update {none; };
    allow-transfer { <secondary NS IP>; };
    file "ext/db.foobar";
    };

    zone "176.2.0.192.in-addr.arpa" in {
    type master;
    notify yes;
    allow-update { none; };
    allow-transfer { <secondary NS IP>; };
    file "db.192.0.2.176";
    };

    zone "177.2.0.192.in-addr.arpa" in {
    type master;
    notify yes;
    allow-update { none; };
    allow-transfer { <secondary NS IP>; };
    file "db.192.0.2.177";
    };

    zone "178.2.0.192.in-addr.arpa" in {
    type master;
    notify yes;
    allow-update { none; };
    allow-transfer { <secondary NS IP>; };
    file "db.192.0.2.178";
    };

    zone "179.2.0.192.in-addr.arpa" in {
    type master;
    notify yes;
    allow-update { none; };
    allow-transfer { <secondary NS IP>; };
    file "db.192.0.2.179";
    };
    };
    -
    -
    -
    - -
    +
    + +
    +
    #
    # This is the view presented to our internal systems
    #

    view "internal" {
    #
    # These are the clients that see this view
    #
    match-clients { 192.168.201.0/29;
    192.168.202.0/29;
    127.0.0/24;
    192.0.2.176/32;
    192.0.2.178/32;
    192.0.2.179/32;
    192.0.2.180/32; };
    #
    # If this server can't complete the request, it should use outside
    # servers to do so
    #
    recursion yes;

    zone "." in {
    type hint;
    file "int/root.cache";
    };

    zone "foobar.net" in {
    type master;
    notify no;
    allow-update { none; };
    file "int/db.foobar";
    };

    zone "0.0.127.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "int/db.127.0.0";
    };

    zone "201.168.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "int/db.192.168.201";
    };

    zone "202.168.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "int/db.192.168.202";
    };

    zone "176.2.0.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "db.192.0.2.176";
    };
    (or status NAT for that matter)
    zone "177.2.0.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "db.192.0.2.177";
    };

    zone "178.2.0.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "db.192.0.2.178";
    };

    zone "179.2.0.192.in-addr.arpa" in {
    type master;
    notify no;
    allow-update { none; };
    file "db.206.124.146.179";
    };

    };
    #
    # This is the view that we present to the outside world
    #
    view "external" {
    match-clients { any; };
    #
    # If we can't answer the query, we tell the client so
    #
    recursion no;

    zone "foobar.net" in {
    type master;
    notify yes;
    allow-update {none; };
    allow-transfer { <secondary NS IP>; };
    file "ext/db.foobar";
    };

    zone "176.2.0.192.in-addr.arpa" in {
    type master;
    notify yes;
    allow-update { none; };
    allow-transfer { <secondary NS IP>; };
    file "db.192.0.2.176";
    };

    zone "177.2.0.192.in-addr.arpa" in {
    type master;
    notify yes;
    allow-update { none; };
    allow-transfer { <secondary NS IP>; };
    file "db.192.0.2.177";
    };

    zone "178.2.0.192.in-addr.arpa" in {
    type master;
    notify yes;
    allow-update { none; };
    allow-transfer { <secondary NS IP>; };
    file "db.192.0.2.178";
    };

    zone "179.2.0.192.in-addr.arpa" in {
    type master;
    notify yes;
    allow-update { none; };
    allow-transfer { <secondary NS IP>; };
    file "db.192.0.2.179";
    };
    };
    +
    +
    +
    + +

    Here are the files in /var/named (those not shown are usually - included in your bind disbribution).

    - + included in your bind disbribution).

    +

    db.192.0.2.176 - This is the reverse zone for the firewall's - external interface

    - -
    + external interface

    + +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32
    ; Filename: db.192.0.2.176
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    2001102303 ; serial
    10800 ; refresh (3 hour)
    3600 ; retry (1 hour)
    604800 ; expire (7 days)
    86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @ 604800 IN NS ns1.foobar.net.
    @ 604800 IN NS <name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.
    -
    -
    - -
    + +
    + +
    db.192.0.2.177 - This is the reverse zone for the www/DNS - server -
    + server +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32
    ; Filename: db.192.0.2.177
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    2001102303 ; serial
    10800 ; refresh (3 hour)
    3600 ; retry (1 hour)
    604800 ; expire (7 days)
    86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @ 604800 IN NS ns1.foobar.net.
    @ 604800 IN NS <name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.
    -
    -
    -
    - -
    + +
    +
    + +
    db.192.0.2.178 - This is the reverse zone for the mail - server -
    + server +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32
    ; Filename: db.192.0.2.178
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    2001102303 ; serial
    10800 ; refresh (3 hour)
    3600 ; retry (1 hour)
    604800 ; expire (7 days)
    86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @ 604800 IN NS ns1.foobar.net.
    @ 604800 IN NS <name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.
    -
    -
    -
    - -
    + +
    +
    + +
    db.192.0.2.179 - This is the reverse zone for daughter's - web server's public IP -
    + web server's public IP +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32
    ; Filename: db.192.0.2.179
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    2001102303 ; serial
    10800 ; refresh (3 hour)
    3600 ; retry (1 hour)
    604800 ; expire (7 days)
    86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @ 604800 IN NS ns1.foobar.net.
    @ 604800 IN NS <name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.
    -
    -
    -
    - -
    + +
    + + +

    int/db.127.0.0 - The reverse zone for localhost

    -
    - -
    -
    +
    + +
    +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8
    ; Filename: db.127.0.0
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    2001092901 ; serial
    10800 ; refresh (3 hour)
    3600 ; retry (1 hour)
    604800 ; expire (7 days)
    86400 ) ; minimum (1 day)
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @ 604800 IN NS ns1.foobar.net.

    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    1 86400 IN PTR localhost.foobar.net.
    -
    -
    - -
    + +
    + +

    int/db.192.168.201 - Reverse zone for the local net. This - is only shown to internal clients

    -
    - -
    -
    + is only shown to internal clients

    +
    + +
    +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29
    ; Filename: db.192.168.201
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
    2002032501 ; serial
    10800 ; refresh (3 hour)
    3600 ; retry (1 hour)
    604800 ; expire (7 days)
    86400 ) ; minimum (1 day)

    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @ 604800 IN NS ns1.foobar.net.

    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    1 86400 IN PTR gateway.foobar.net.
    2 86400 IN PTR winken.foobar.net.
    3 86400 IN PTR blinken.foobar.net.
    4 86400 IN PTR nod.foobar.net.
    -
    -
    - -
    + +
    + +

    int/db.192.168.202 - Reverse zone for the firewall's DMZ interface

    -
    - -
    -
    -
    +
    + +
    +
    +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29
    ; Filename: db.192.168.202
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
    2002032501 ; serial
    10800 ; refresh (3 hour)
    3600 ; retry (1 hour)
    604800 ; expire (7 days)
    86400 ) ; minimum (1 day)

    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @ 604800 IN NS ns1.foobar.net.

    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    1 86400 IN PTR dmz.foobar.net.
    -
    -
    -
    - -
    +
    +
    +
    + +

    int/db.foobar - Forward zone for use by internal clients.

    -
    - -
    -
    +
    + +
    +
    ;##############################################################
    ; Start of Authority for foobar.net.
    ; Filename: db.foobar
    ;##############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    2002071501 ; serial
    10800 ; refresh (3 hour)
    3600 ; retry (1 hour)
    604800 ; expire (7 days)
    86400 ); minimum (1 day)
    ;############################################################
    ; foobar.net Nameserver Records (NS)
    ;############################################################
    @ 604800 IN NS ns1.foobar.net.

    ;############################################################
    ; Foobar.net Office Records (ADDRESS)
    ;############################################################
    localhost 86400 IN A 127.0.0.1

    firewall 86400 IN A 192.0.2.176
    www 86400 IN A 192.0.2.177
    ns1 86400 IN A 192.0.2.177
    www 86400 IN A 192.0.2.177

    gateway 86400 IN A 192.168.201.1
    winken 86400 IN A 192.168.201.2
    blinken 86400 IN A 192.168.201.3
    nod 86400 IN A 192.168.201.4
    -
    -
    - -
    + +
    + +

    ext/db.foobar - Forward zone for external clients

    -
    - -
    -
    -
    +
    + +
    +
    +
    ;##############################################################
    ; Start of Authority for foobar.net.
    ; Filename: db.foobar
    ;##############################################################
    @ 86400 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    2002052901 ; serial
    10800 ; refresh (3 hour)
    3600 ; retry (1 hour)
    604800 ; expire (7 days)
    86400 ); minimum (1 day)
    ;############################################################
    ; Foobar.net Nameserver Records (NS)
    ;############################################################
    @ 86400 IN NS ns1.foobar.net.
    @ 86400 IN NS <secondary NS>.
    ;############################################################
    ; Foobar.net Foobar Wa Office Records (ADDRESS)
    ;############################################################
    localhost 86400 IN A 127.0.0.1
    ;
    ; The firewall itself
    ;
    firewall 86400 IN A 192.0.2.176
    ;
    ; The DMZ
    ;
    ns1 86400 IN A 192.0.2.177
    www 86400 IN A 192.0.2.177
    mail 86400 IN A 192.0.2.178
    ;
    ; The Local Network
    ;
    nod 86400 IN A 192.0.2.179

    ;############################################################
    ; Current Aliases for foobar.net (CNAME)
    ;############################################################

    ;############################################################
    ; foobar.net MX Records (MAIL EXCHANGER)
    ;############################################################
    foobar.net. 86400 IN A 192.0.2.177
    86400 IN MX 0 mail.foobar.net.
    86400 IN MX 1 <backup MX>.
    -
    -
    -
    - -
    +
    +
    +
    + +

    7.0 Starting and Stopping - Your Firewall

    -
    - -
    + Your Firewall +
    + +

    The installation procedure configures - your system to start Shorewall at system boot.

    -
    - -
    + your system to start Shorewall at system boot.

    +
    + +

    The firewall is started using the "shorewall start" command - and stopped using "shorewall stop". When the firewall is stopped, routing - is enabled on those hosts that have an entry in /etc/shorewall/routestopped. A - running firewall may be restarted using the "shorewall restart" command. - If you want to totally remove any trace of Shorewall from your Netfilter - configuration, use "shorewall clear".

    -
    - -
    + running firewall may be restarted using the "shorewall restart" command. + If you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".

    +
    + +

    -     Edit the /etc/shorewall/routestopped file and configure those systems - that you want to be able to access the firewall when it is stopped.

    -
    - -
    +     Edit the /etc/shorewall/routestopped file and configure those +systems that you want to be able to access the firewall when it is stopped.

    +
    + +

    WARNING: If you are connected to your firewall from - the internet, do not issue a "shorewall stop" command unless you have -added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. Also, I don't recommend using "shorewall restart"; it is better to create - an alternate configuration - and test it using the "shorewall -try" command.

    -
    - -

    Last updated 12/13/2002 - alternate configuration + and test it using the "shorewall + try" command.

    + + +

    Last updated 1/13/2003 - Tom Eastep

    - -

    Copyright 2002 Thomas - M. Eastep

    -
    + +

    Copyright 2002, 2003 +Thomas M. Eastep

    +
    +
    +


    diff --git a/STABLE/documentation/sourceforge_index.htm b/STABLE/documentation/sourceforge_index.htm index 490cf2c67..846e87f39 100644 --- a/STABLE/documentation/sourceforge_index.htm +++ b/STABLE/documentation/sourceforge_index.htm @@ -5,7 +5,7 @@ - + Shoreline Firewall (Shorewall) 1.3 @@ -13,36 +13,38 @@ - + - + - + - + - - - - - - - -
    + - + +

    Shorwall Logo - Shorewall 1.3 - - "iptables made easy"

    + Shorewall + 1.3 - "iptables made + easy" @@ -50,32 +52,33 @@ - + + -
    + + -
    - -
    - + + + + + + +
    + +
    + - + - + - + - + - + - - - + + +
    + @@ -83,7 +86,8 @@ - + +

    What is it?

    @@ -93,39 +97,12 @@ - -

    The Shoreline Firewall, more commonly known as "Shorewall", is a - Netfilter (iptables) based firewall - that can be used on a dedicated firewall system, a multi-function - gateway/router/server or on a standalone GNU/Linux system.

    - - - - - - - -

    This program is free software; you can redistribute it and/or modify - it under the terms of Version 2 of the GNU General -Public License as published by the Free Software Foundation.
    - -
    - - This program is distributed in the hope that - it will be useful, but WITHOUT ANY WARRANTY; without - even the implied warranty of MERCHANTABILITY or - FITNESS FOR A PARTICULAR PURPOSE. See the GNU General - Public License for more details.
    - -
    - - You should have received a copy of the GNU - General Public License along with this program; - if not, write to the Free Software Foundation, - Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    +

    The Shoreline Firewall, more commonly known as "Shorewall", is +a Netfilter (iptables) based +firewall that can be used on a dedicated firewall system, a multi-function + gateway/router/server or on a standalone GNU/Linux system.

    @@ -134,8 +111,40 @@ Public License as published by the Free Software Foundation.
    - -

    Copyright 2001, 2002 Thomas M. Eastep

    + + +

    This program is free software; you can redistribute it and/or modify + it under the terms of Version 2 of the GNU +General Public License as published by the Free Software Foundation.
    + +
    + + This program is distributed in the +hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY + or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details.
    + +
    + + You should have received a copy of the + GNU General Public License along with this + program; if not, write to the Free Software Foundation, + Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    + + + + + + + + + + +

    Copyright 2001, 2002, 2003 Thomas M. Eastep

    + + @@ -144,21 +153,21 @@ Public License as published by the Free Software Foundation.
    -

    - Jacques Nilo and Eric Wolzak have - a LEAF (router/firewall/gateway on a floppy, CD or compact - flash) distribution called Bering that - features Shorewall-1.3.10 and Kernel-2.4.18. You - can find their work at: Jacques Nilo and Eric Wolzak + have a LEAF (router/firewall/gateway on a floppy, CD + or compact flash) distribution called Bering + that features Shorewall-1.3.10 and Kernel-2.4.18. + You can find their work at: http://leaf.sourceforge.net/devel/jnilo

    - Congratulations to Jacques and Eric on the recent - release of Bering 1.0 Final!!!
    -
    - + Congratulations to Jacques and Eric on +the recent release of Bering 1.0 Final!!!
    +
    + +

    News

    @@ -171,175 +180,319 @@ Public License as published by the Free Software Foundation.
    - -

    12/20/2002 - Shorewall 1.3.12 Beta 3 (New) -
    + + +

    1/13/2003 - Shorewall 1.3.13 (New) +

    - This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL -was set to anything but ULOG, the firewall would fail to start and "shorewall -refresh" would also fail.
    - -

    You may download the Beta from:
    -

    -
    http://www.shorewall.net/pub/shorewall/Beta
    - ftp://ftp.shorewall.net/pub/shorewall/Beta
    -
    - -

    12/20/2002 - Shorewall 1.3.12 Beta 2 (New) -

    - The first public Beta version of Shorewall 1.3.12 is now available (Beta -1 was made available only to a limited audience).
    -
    - Features include:
    -
    - + +

    Just includes a few things that I had on the burner:
    +

    +
      -
    1. "shorewall refresh" now reloads the traffic shaping rules -(tcrules and tcstart).
    2. -
    3. "shorewall debug [re]start" now turns off debugging after -an error occurs. This places the point of the failure near the end of the -trace rather than up in the middle of it.
    4. -
    5. "shorewall [re]start" has been speeded up by more than 40% - with my configuration. Your milage may vary.
    6. -
    7. A "shorewall show classifiers" command has been added which - shows the current packet classification filters. The output from this command - is also added as a separate page in "shorewall monitor"
    8. -
    9. ULOG (must be all caps) is now accepted as a valid syslog -level and causes the subject packets to be logged using the ULOG target rather -than the LOG target. This allows you to run ulogd (available from - http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to a separate log file.
    10. -
    11. If you are running a kernel that has a FORWARD chain in the - mangle table ("shorewall show mangle" will show you the chains in the mangle - table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows -for marking input packets based on their destination even when you are using -Masquerading or SNAT.
    12. -
    13. I have cluttered up the /etc/shorewall directory with empty - 'init', 'start', 'stop' and 'stopped' files. If you already have a file with - one of these names, don't worry -- the upgrade process won't overwrite your - file.
    14. - +
    15. A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules +file. DNAT- is intended for advanced users who wish to minimize the number +of rules that connection requests must traverse.
      +
      + A Shorewall DNAT rule actually generates two iptables rules: a header rewriting +rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- +rule only generates the first of these rules. This is handy when you have +several DNAT rules that would generate the same ACCEPT rule.
      +
      +    Here are three rules from my previous rules file:
      +
      +         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
      +         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
      +         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
      +
      +    These three rules ended up generating _three_ copies of
      +
      +          ACCEPT net  dmz:206.124.146.177 tcp smtp
      +
      +    By writing the rules this way, I end up with only one copy of the ACCEPT +rule.
      +
      +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
      +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
      +         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....
      +
      +
    16. +
    17. The 'shorewall check' command now prints out the applicable policy +between each pair of zones.
      +
      +
    18. +
    19. A new CLEAR_TC option has been added to shorewall.conf. If this +option is set to 'No' then Shorewall won't clear the current traffic control +rules during [re]start. This setting is intended for use by people that prefer +to configure traffic shaping when the network interfaces come up rather than +when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes +and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, +your traffic shaping rules can still use the 'fwmark' classifier based on +packet marking defined in /etc/shorewall/tcrules.
      +
      +
    20. +
    21. A new SHARED_DIR variable has been added that allows distribution +packagers to easily move the shared directory (default /usr/lib/shorewall). +Users should never have a need to change the value of this shorewall.conf +setting.
    - You may download the Beta from:
    - +

    1/6/2003 - BURNOUT +

    + +

    Until further notice, I will not be involved in either Shorewall + Development or Shorewall Support

    + +

    -Tom Eastep
    +

    + +

    12/30/2002 - Shorewall Documentation in PDF Format +

    + + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 + documenation. the PDF may be downloaded from

    + + +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    +     http://slovakia.shorewall.net/pub/shorewall/pdf/
    +

    + + +

    12/27/2002 - Shorewall 1.3.12 Released +

    + +

    Features include:
    +

    + +
      +
    1. "shorewall refresh" now reloads the traffic shaping rules + (tcrules and tcstart).
    2. +
    3. "shorewall debug [re]start" now turns off debugging after + an error occurs. This places the point of the failure near the end of + the trace rather than up in the middle of it.
    4. +
    5. "shorewall [re]start" has been speeded up by more than + 40% with my configuration. Your milage may vary.
    6. +
    7. A "shorewall show classifiers" command has been added +which shows the current packet classification filters. The output from +this command is also added as a separate page in "shorewall monitor"
    8. +
    9. ULOG (must be all caps) is now accepted as a valid syslog + level and causes the subject packets to be logged using the ULOG target + rather than the LOG target. This allows you to run ulogd (available from + http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to a + separate log file.
    10. +
    11. If you are running a kernel that has a FORWARD chain +in the mangle table ("shorewall show mangle" will show you the chains +in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking + input packets based on their destination even when you are using Masquerading + or SNAT.
    12. +
    13. I have cluttered up the /etc/shorewall directory with +empty 'init', 'start', 'stop' and 'stopped' files. If you already have +a file with one of these names, don't worry -- the upgrade process won't +overwrite your file.
    14. +
    15. I have added a new RFC1918_LOG_LEVEL variable to shorewall.conf. This variable specifies + the syslog level at which packets are logged as a result of entries in + the /etc/shorewall/rfc1918 file. Previously, these packets were always +logged at the 'info' level.
    16. + +
    + +

    12/20/2002 - Shorewall 1.3.12 Beta 3
    +

    + This version corrects a problem with Blacklist logging. In Beta +2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would + fail to start and "shorewall refresh" would also fail.
    + +

    You may download the Beta from:
    +

    +
    http://www.shorewall.net/pub/shorewall/Beta
    - ftp://ftp.shorewall.net/pub/shorewall/Beta
    -
    - + + + +

    12/20/2002 - Shorewall 1.3.12 Beta 2 +

    + The first public Beta version of Shorewall 1.3.12 is now available + (Beta 1 was made available only to a limited audience).
    +
    + Features include:
    +
    + + +
      +
    1. "shorewall refresh" now reloads the traffic shaping + rules (tcrules and tcstart).
    2. +
    3. "shorewall debug [re]start" now turns off debugging + after an error occurs. This places the point of the failure near the + end of the trace rather than up in the middle of it.
    4. +
    5. "shorewall [re]start" has been speeded up by more + than 40% with my configuration. Your milage may vary.
    6. +
    7. A "shorewall show classifiers" command has been +added which shows the current packet classification filters. The output +from this command is also added as a separate page in "shorewall monitor"
    8. +
    9. ULOG (must be all caps) is now accepted as a valid + syslog level and causes the subject packets to be logged using the ULOG + target rather than the LOG target. This allows you to run ulogd (available + from http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to a + separate log file.
    10. +
    11. If you are running a kernel that has a FORWARD chain + in the mangle table ("shorewall show mangle" will show you the chains + in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. + This allows for marking input packets based on their destination even + when you are using Masquerading or SNAT.
    12. +
    13. I have cluttered up the /etc/shorewall directory +with empty 'init', 'start', 'stop' and 'stopped' files. If you already +have a file with one of these names, don't worry -- the upgrade process +won't overwrite your file.
    14. + + +
    + You may download the Beta from:
    + + +
    http://www.shorewall.net/pub/shorewall/Beta
    + ftp://ftp.shorewall.net/pub/shorewall/Beta
    +
    + +

    12/12/2002 - Mandrake Multi Network Firewall Powered by Mandrake Linux -

    - Shorewall is at the center of MandrakeSofts's recently-announced Multi - Network Firewall (MNF) product. Here is the press - release.
    - -

    12/7/2002 - Shorewall Support for Mandrake 9.0 -

    +

    + Shorewall is at the center of MandrakeSofts's recently-announced + Multi + Network Firewall (MNF) product. Here is the press + release.
    + + +

    12/7/2002 - Shorewall Support for Mandrake 9.0 +

    + + +

    Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally + delivered. I have installed 9.0 on one of my systems and I am now + in a position to support Shorewall users who run Mandrake 9.0.

    - -

    Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally - delivered. I have installed 9.0 on one of my systems and I am now in a - position to support Shorewall users who run Mandrake 9.0.

    -

    12/6/2002 -  Debian 1.3.11a Packages Available
    -

    +

    - + +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - -

    12/3/2002 - Shorewall 1.3.11a -

    - -

    This is a bug-fix roll up which includes Roger Aich's fix for DNAT - with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users - who don't need rules of this type need not upgrade to 1.3.11.

    + +

    12/3/2002 - Shorewall 1.3.11a +

    - -

    11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format -

    - -

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 - documenation. the PDF may be downloaded from

    + +

    This is a bug-fix roll up which includes Roger Aich's fix for DNAT + with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 + users who don't need rules of this type need not upgrade to 1.3.11.

    + + + +

    11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format +

    - -

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    -     http://slovakia.shorewall.net/pub/shorewall/pdf/
    -

    -

    11/24/2002 - Shorewall 1.3.11 -

    +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 + documenation. the PDF may be downloaded from

    - + + +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    +     http://slovakia.shorewall.net/pub/shorewall/pdf/
    +

    + + + +

    11/24/2002 - Shorewall 1.3.11 +

    + + +

    In this version:

    - -
      -
    • A 'tcpflags' option has been added to entries -in /etc/shorewall/interfaces. - This option causes Shorewall to make a set of sanity check on TCP packet -header flags.
    • -
    • It is now allowed to use 'all' in the SOURCE or - DEST column in a rule. When -used, 'all' must appear by itself (in may not be qualified) and it does - not enable intra-zone traffic. For example, the rule
      -
      -     ACCEPT loc all tcp 80
      -
      - does not enable http traffic from 'loc' to 'loc'.
    • -
    • Shorewall's use of the 'echo' command is now compatible - with bash clones such as ash and dash.
    • -
    • fw->fw policies now generate a startup error. - fw->fw rules generate a warning and are ignored
    • - + +
        +
      • A 'tcpflags' option has been added to +entries in /etc/shorewall/interfaces. + This option causes Shorewall to make a set of sanity check on TCP packet + header flags.
      • +
      • It is now allowed to use 'all' in the +SOURCE or DEST column in a rule. + When used, 'all' must appear by itself (in may not be qualified) +and it does not enable intra-zone traffic. For example, the rule
        +
        +     ACCEPT loc all tcp 80
        +
        + does not enable http traffic from 'loc' to 'loc'.
      • +
      • Shorewall's use of the 'echo' command +is now compatible with bash clones such as ash and dash.
      • +
      • fw->fw policies now generate a startup + error. fw->fw rules generate a warning and are ignored
      • + + +
      - -

      11/14/2002 - Shorewall Documentation in PDF Format -

      - -

      Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 - documenation. the PDF may be downloaded from

      + +

      11/14/2002 - Shorewall Documentation in PDF Format +

      - + + +

      Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 + documenation. the PDF may be downloaded from

      + + +

          ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
      -     http://slovakia.shorewall.net/pub/shorewall/pdf/
      -

      +

      - + +

      - + +
        - + +
      - + +

      More News

      @@ -349,61 +502,66 @@ used, 'all' must appear by itself (in may not be qualified) and it does - + +

      - + +

      SourceForge Logo -

      + - + +

      - + +

      This site is hosted by the generous folks at SourceForge.net

      - + +

      Donations

      -

    -

    +
    -
    +
    -
    + - + - + - + - + + + + + + + + -

    Shorewall is free but -if you try it and find it useful, please consider making a donation - to Starlight Children's -Foundation. Thanks!

    - - - - - - - - - - -
    + @@ -411,12 +569,13 @@ used, 'all' must appear by itself (in may not be qualified) and it does - + +

    -

    +

    @@ -425,30 +584,32 @@ used, 'all' must appear by itself (in may not be qualified) and it does + + +

    Shorewall is free +but if you try it and find it useful, please consider making a donation + to Starlight +Children's Foundation. Thanks!

    + +
    - -

    Updated 12/22/2002 - Tom Eastep - -
    -

    + +

    Updated 1/6/2003 - Tom Eastep + +
    +

    +
    diff --git a/STABLE/documentation/starting_and_stopping_shorewall.htm b/STABLE/documentation/starting_and_stopping_shorewall.htm index 8ad370401..ad749c6b4 100644 --- a/STABLE/documentation/starting_and_stopping_shorewall.htm +++ b/STABLE/documentation/starting_and_stopping_shorewall.htm @@ -1,13 +1,13 @@ - + - + - + - + Starting and Stopping Shorewall @@ -15,231 +15,238 @@ - + - - + + - +

    Starting/Stopping and Monitoring + the Firewall

    - + - - + + + +
    - -

    Starting/Stopping and Monitoring - the Firewall

    +
    -
    - -

    If you have a permanent internet connection such as DSL or Cable, - I recommend that you start the firewall automatically at boot. Once -you have installed "firewall" in your init.d directory, simply type - "chkconfig --add firewall". This will start the firewall in run levels - 2-5 and stop it in run levels 1 and 6. If you want to configure your -firewall differently from this default, you can use the "--level" option -in chkconfig (see "man chkconfig") or using your favorite graphical -run-level editor.

    - - - - - - - -

    Important Notes:
    -

    - -
      -
    1. Shorewall startup is disabled by default. Once you have configured - your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. - Note: Users of the .deb package must edit /etc/default/shorewall and set - 'startup=1'.
      -
    2. -
    3. If you use dialup, you may want to start the firewall in your - /etc/ppp/ip-up.local script. I recommend just placing "shorewall restart" - in that script.
    4. - -
    - -

    -

    - - - -

    You can manually start and stop Shoreline Firewall using the "shorewall" +

    If you have a permanent internet connection such as DSL or Cable, + I recommend that you start the firewall automatically at boot. Once + you have installed "firewall" in your init.d directory, simply type + "chkconfig --add firewall". This will start the firewall in run +levels 2-5 and stop it in run levels 1 and 6. If you want to configure +your firewall differently from this default, you can use the "--level" +option in chkconfig (see "man chkconfig") or using your favorite +graphical run-level editor.

    + + + + + + + +

    Important Notes:
    +

    + +
      +
    1. Shorewall startup is disabled by default. Once you have configured + your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. + Note: Users of the .deb package must edit /etc/default/shorewall and set + 'startup=1'.
      +
    2. +
    3. If you use dialup, you may want to start the firewall in your + /etc/ppp/ip-up.local script. I recommend just placing "shorewall restart" + in that script.
    4. + +
    + +

    +

    + + + + +

    You can manually start and stop Shoreline Firewall using the "shorewall" shell program:

    - +
      -
    • shorewall start - starts the firewall
    • -
    • shorewall stop - stops the firewall
    • -
    • shorewall restart - stops the firewall (if it's running) - and then starts it again
    • -
    • shorewall reset - reset the packet and byte counters - in the firewall
    • -
    • shorewall clear - remove all rules and chains installed - by Shoreline Firewall
    • -
    • shorewall refresh - refresh the rules involving the broadcast +
    • shorewall start - starts the firewall
    • +
    • shorewall stop - stops the firewall
    • +
    • shorewall restart - stops the firewall (if it's running) + and then starts it again
    • +
    • shorewall reset - reset the packet and byte counters + in the firewall
    • +
    • shorewall clear - remove all rules and chains installed + by Shoreline Firewall
    • +
    • shorewall refresh - refresh the rules involving the broadcast addresses of firewall interfaces and the black and white lists.
    • - +
    +If you include the keyword debug as the first argument, then a shell +trace of the command is produced as in:
    +
    	shorewall debug start 2> /tmp/trace
    - + +

    The above command would trace the 'start' command and place the trace +information in the file /tmp/trace

    The "shorewall" program may also be used to monitor the firewall.

    - +
      -
    • shorewall status - produce a verbose report about the firewall - (iptables -L -n -v)
    • -
    • shorewall show chain - produce a verbose report about chain - (iptables -L chain -n -v)
    • -
    • shorewall show nat - produce a verbose report about the nat table - (iptables -t nat -L -n -v)
    • -
    • shorewall show tos - produce a verbose report about the mangle -table (iptables -t mangle -L -n -v)
    • -
    • shorewall show log - display the last 20 packet log entries.
    • -
    • shorewall show connections - displays the IP connections currently - being tracked by the firewall.
    • -
    • shorewall - show - tc - displays information - about the traffic control/shaping configuration.
    • -
    • shorewall monitor [ delay ] - Continuously display the firewall - status, last 20 log entries and nat. When the log entry display - changes, an audible alarm is sounded.
    • -
    • shorewall hits - Produces several reports about the Shorewall +
    • shorewall status - produce a verbose report about the firewall + (iptables -L -n -v)
    • +
    • shorewall show chain - produce a verbose report about + chain (iptables -L chain -n -v)
    • +
    • shorewall show nat - produce a verbose report about the nat table + (iptables -t nat -L -n -v)
    • +
    • shorewall show tos - produce a verbose report about the mangle + table (iptables -t mangle -L -n -v)
    • +
    • shorewall show log - display the last 20 packet log entries.
    • +
    • shorewall show connections - displays the IP connections currently + being tracked by the firewall.
    • +
    • shorewall + show + tc - displays information + about the traffic control/shaping configuration.
    • +
    • shorewall monitor [ delay ] - Continuously display the firewall + status, last 20 log entries and nat. When the log entry display + changes, an audible alarm is sounded.
    • +
    • shorewall hits - Produces several reports about the Shorewall packet log messages in the current /var/log/messages file.
    • -
    • shorewall version - Displays the installed version number.
    • -
    • shorewall check - Performs a cursory validation of -the zones, interfaces, hosts, rules and policy files. The "check" command does not parse and validate the - generated iptables commands so even though the "check" command completes - successfully, the configuration may fail to start. See the recommended - way to make configuration changes described below.
    • -
    • shorewall try configuration-directory [ timeout -] - Restart shorewall using the specified configuration and if an error - occurs or if the timeout option is given and the new configuration - has been up for that many seconds then shorewall is restarted using the - standard configuration.
    • -
    • shorewall deny, shorewall reject, shorewall accept and shorewall - save implement dynamic blacklisting.
    • -
    • shorewall logwatch (added in version 1.3.2) - Monitors the - LOGFILE and produces an audible alarm when new Shorewall - messages are logged.
    • - +
    • shorewall version - Displays the installed version number.
    • +
    • shorewall check - Performs a cursory validation of + the zones, interfaces, hosts, rules and policy files. The "check" command does not parse and validate +the generated iptables commands so even though the "check" command +completes successfully, the configuration may fail to start. See the + recommended way to make configuration changes described below. +
    • +
    • shorewall try configuration-directory [ timeout +] - Restart shorewall using the specified configuration and if an error + occurs or if the timeout option is given and the new configuration + has been up for that many seconds then shorewall is restarted using +the standard configuration.
    • +
    • shorewall deny, shorewall reject, shorewall accept and shorewall + save implement dynamic blacklisting.
    • +
    • shorewall logwatch (added in version 1.3.2) - Monitors the + LOGFILE and produces an audible alarm when new Shorewall + messages are logged.
    • +
    - Finally, the "shorewall" program may be used to dynamically alter the contents -of a zone.
    - -
      -
    • shorewall add interface[:host] zone - Adds the -specified interface (and host if included) to the specified zone.
    • -
    • shorewall delete interface[:host] zone - Deletes -the specified interface (and host if included) from the specified zone.
    • - -
    - -
    Examples:
    + Finally, the "shorewall" program may be used to dynamically alter the contents + of a zone.
    -
    shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 -from interface ipsec0 to the zone vpn1
    - shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 -from interface ipsec0 from zone vpn1
    -
    -
    +
      +
    • shorewall add interface[:host] zone - Adds the + specified interface (and host if included) to the specified zone.
    • +
    • shorewall delete interface[:host] zone - Deletes + the specified interface (and host if included) from the specified zone.
    • + +
    + +
    Examples:
    + +
    shorewall add ipsec0:192.0.2.24 vpn1 +-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
    + shorewall delete ipsec0:192.0.2.24 vpn1 +-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1
    +
    +
    - -

    The shorewall start, shorewall restart, shorewall check  and + +

    The shorewall start, shorewall restart, shorewall check  and shorewall try commands allow you to specify which Shorewall configuration + href="configuration_file_basics.htm#Configs"> Shorewall configuration to use:

    - -
    - + +
    +

    shorewall [ -c configuration-directory ] {start|restart|check}
    - shorewall try configuration-directory

    -
    + shorewall try configuration-directory

    +
    - -

    If a configuration-directory is specified, each time that Shorewall - is going to use a file in /etc/shorewall it will first look in the configuration-directory - . If the file is present in the configuration-directory, that -file will be used; otherwise, the file in /etc/shorewall will be used.

    + +

    If a configuration-directory is specified, each time that Shorewall + is going to use a file in /etc/shorewall it will first look in the configuration-directory + . If the file is present in the configuration-directory, that file + will be used; otherwise, the file in /etc/shorewall will be used.

    - -

    When changing the configuration of a production firewall, I recommend - the following:

    + +

    When changing the configuration of a production firewall, I recommend + the following:

    - +
      -
    • mkdir /etc/test
    • +
    • mkdir /etc/test
    • -
    • cd /etc/test
    • +
    • cd /etc/test
    • -
    • <copy any files that you need to change from /etc/shorewall - to . and change them here>
    • +
    • <copy any files that you need to change from /etc/shorewall + to . and change them here>
    • -
    • shorewall -c . check
    • +
    • shorewall -c . check
    • -
    • <correct any errors found by check and check again>
    • +
    • <correct any errors found by check and check again>
    • -
    • /sbin/shorewall try .
    • - +
    • /sbin/shorewall try .
    • +
    - -

    If the configuration starts but doesn't work, just "shorewall restart" - to restore the old configuration. If the new configuration fails to start, - the "try" command will automatically start the old one for you.

    + +

    If the configuration starts but doesn't work, just "shorewall restart" + to restore the old configuration. If the new configuration fails to start, + the "try" command will automatically start the old one for you.

    - +

    When the new configuration works then just

    - +
      -
    • cp * /etc/shorewall
    • +
    • cp * /etc/shorewall
    • -
    • cd
    • +
    • cd
    • -
    • rm -rf /etc/test
    • - +
    • rm -rf /etc/test
    • +
    - -

    Updated 11/21/2002 - Tom Eastep + +

    Updated 1/9/2003 - Tom Eastep

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    + +

    Copyright + © 2001, 2002, 2003 Thomas M. Eastep.

    -
    +
    +



    diff --git a/STABLE/documentation/support.htm b/STABLE/documentation/support.htm index 13e6171fc..36cd9125c 100644 --- a/STABLE/documentation/support.htm +++ b/STABLE/documentation/support.htm @@ -2,121 +2,120 @@ - + - + - + - + Support - + - + - - - + + - + + + - - + +
    +
    - + +

    Shorewall Support -

    -
    - -


    -

    - -

    I don't look at problems sent to me directly - but I try to spend some amount of time each day responding to problems - posted on the Shorewall mailing list.

    - -

    -Tom

    - + +

    Due to "Shorewall burnout", I am currently + not involved in either Shorewall development or Shorewall support. Nevertheless, + the mailing list is being ably manned by other Shorewall users.

    + +

    -Tom Eastep

    +

    Before Reporting a Problem

    - -

    There are a number of sources for problem solution information. Please - try these before you post.

    + There are a number of sources for problem + solution information. Please try these before you post.

    - +

    - +
      -
    • -

      The FAQ has solutions to more than 20 common - problems.

      +
    • More than half of the questions posted on the support list + have answers directly accessible from the Documentation Index
      +
    • - +
    • The FAQ +has solutions to more than 20 common problems.
    • +
    - +

    - +
      -
    • -

      The Troubleshooting Information - contains a number of tips to help you solve common problems.

      -
    • - +
    • The Troubleshooting Information contains + a number of tips to help you solve common problems.
    • +
    - +

    - +
      -
    • -

      The Errata has links to download - updated components.

      -
    • - +
    • The Errata has links to download updated + components.
    • +
    - +

    - +
      -
    • -

      The Mailing List Archives search facility can locate posts - about similar problems:

      -
    • - +
    • The Mailing List Archives + search facility can locate posts about similar problems: +
    • +
    - +

    - -

    Mailing List Archive Search

    - -
    +

    Mailing List Archive Search

    + + + +

    Match: - + - Format: - + Format: + - Sort by: - + Sort by: + -
    - Search:

    -
    - -

    Problem Reporting Guidelines

    - "Let me see if I can translate your message into a real-world example.  - It would be like saying that you have three rooms at home, and when you -walk into one of the rooms, you detect this strange smell.  Can anyone tell -you what that strange smell is?
    -
    - Now, all of us could do some wonderful guessing as to the smell and even - what's causing it.  You would be absolutely amazed at the range and variety - of smells we could come up with.  Even more amazing is that all of the explanations - for the smells would be completely plausible."
    -

    - -
       - Russell Mosemann
    -
    -
    - + Search:

    + + +

    Problem Reporting Guidelines

    + "Let me see if I can translate your message into a real-world + example. It would be like saying that you have three rooms at home, +and when you walk into one of the rooms, you detect this strange smell. + Can anyone tell you what that strange smell is?
    +
    + Now, all of us could do some wonderful guessing as to the smell +and even what's causing it. You would be absolutely amazed at the range +and variety of smells we could come up with. Even more amazing is that +all of the explanations for the smells would be completely plausible."
    +

    + +
    - Russell Mosemann on the Postfix mailing list
    +
    +
    +

    - +
      -
    • -

      When reporting a problem, give as much information as you can. - Reports that say "I tried XYZ and it didn't work" are not at all helpful.

      -
    • - +
    • Please remember we only know what is posted in your message. Do + not leave out any information that appears to be correct, or was mentioned + in a previous post. There have been countless posts by people who were +sure that some part of their configuration was correct when it actually +contained a small error. We tend to be skeptics where detail is lacking.
      +
      +
    • +
    • Please keep in mind that you're asking for free + technical support. Any help we offer is an act of generosity, not an obligation. + Try to make it easy for us to help you. Follow good, courteous practices + in writing and formatting your e-mail. Provide details that we need if +you expect good answers. Exact quoting of error messages, log +entries, command output, and other output is better than a paraphrase or +summary.
      +
      +
    • +
    • Please don't describe your environment + and then ask us to send you custom configuration files. + We're here to answer your questions but we can't do your + job for you.
      +
      +
    • +
    • When reporting a problem, ALWAYS include this +information:
    • +
    - + +
      + +
        +
      • the exact version of Shorewall you are running.
        +
        + shorewall version
        +

        +
      • + +
      + +
        +
      • the exact kernel version you are running
        +
        + uname -a
        +
        +
      • + +
      + +
        +
      • the complete, exact output of
        +
        + ip addr show
        +
        +
      • + +
      + +
        +
      • the complete, exact output of
        +
        + ip route show
        +
        +
      • + +
      + +
        +
      • If your kernel is modularized, the exact output from
        +
        + lsmod
        +
        +
      • +
      • the exact wording of any ping failure responses.
        +
        +
      • + +
      + +
    + +
      +
    • NEVER include the output of "iptables + -L". Instead, please post the exact output of
      +
      + /sbin/shorewall status
      +
      +
      Since that command generates a lot of output, we suggest + that you redirect the output to a file and attach the file to your post
      +
      + /sbin/shorewall status > /tmp/status.txt
      +
      +
    • +
    • As a general matter, please do not edit the diagnostic +information in an attempt to conceal your IP address, netmask, +nameserver addresses, domain name, etc. These aren't secrets, and concealing +them often misleads us (and 80% of the time, a hacker could derive them +anyway from information contained in the SMTP headers of your post).
    • + +
    + +
      + +
    +

    - +
      -
    • -

      Please don't describe your environment and then ask us to send - you custom configuration files. We're here to answer your - questions but we can't do your job for you.

      -
    • - +
    - +

    - +
      -
    • -

      Do you see any "Shorewall" messages in /var/log/messages - when you exercise the function that is giving you problems?

      -
    • - +
    • Do you see any "Shorewall" + messages ("/sbin/shorewall show log") + when you exercise the function that is giving you problems? If +so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces + file.
      +
      +
    • +
    • Please include any of the Shorewall configuration files (especially + the /etc/shorewall/hosts file if you have modified that file) + that you think are relevant. If you include /etc/shorewall/rules, + please include /etc/shorewall/policy as well (rules are meaningless unless + one also knows the policies).
    • +
    - +

    - +
      -
    • -

      Have you looked at the packet flow with a tool like tcpdump - to try to understand what is going on?

      -
    • - -
    - -

    - -
      -
    • -

      Have you tried using the diagnostic capabilities of the - application that isn't working? For example, if "ssh" isn't able - to connect, using the "-v" option gives you a lot of valuable diagnostic - information.

      -
    • - -
    - -

    - -
      -
    • -

      Please include any of the Shorewall configuration files (especially - the /etc/shorewall/hosts file if you have modified that file) -that you think are relevant.

      -
    • -
    • -

      If an error occurs when you try to "shorewall start", include -a trace (See the Troubleshooting section -for instructions).

      -
    • - -
    - -

    - -
      -
    • -

      The list server limits posts to 120kb so don't post GIFs of - your network layout, etc to the Mailing List -- your post - will be rejected.

      -
    • - -
    - -

    - -

    Please post in plain text

    -
    -

    While the list server here at shorewall.net accepts and distributes -HTML posts, a growing number of MTAs serving list subscribers are rejecting -this HTML list traffic. At least one MTA has gone so far as to blacklist -shorewall.net "for continuous abuse"!!

    -

    I think that blocking all HTML is a rather draconian way to control -spam and that the unltimate loser here is not the spammers but the list subscribers -whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can -help by restricting your list posts to plain text.

    -

    And as a bonus, subscribers who use email clients like pine and -mutt will be able to read your plain text posts whereas they are most likely -simply ignoring your HTML posts.

    -

    A final bonus for the use of HTML is that it cuts down the size -of messages by a large percentage -- that is important when the same message -must be sent 500 times over the slow DSL line connecting the list server -to the internet.

    -
    -

    Where to Send your Problem Report or to Ask for Help

    -

    - -
    + + +

    + +
      +
    • If an error occurs when +you try to "shorewall start", + include a trace (See the Troubleshooting + section for instructions).
    • + +
    + +

    + +
      +
    • +

      The list server limits posts to 120kb so don't post GIFs of + your network layout, etc. to the Mailing List -- your +post will be rejected.

      +
    • + +
    + The author gratefully acknowleges that the above list was heavily plagiarized + from the excellent LEAF document by Ray Olszewski found +at http://leaf-project.org/pub/doc/docmanager/docid_1891.html.
    + +

    Please post in plain text

    + +
    + A growing number of MTAs serving list subscribers are rejecting all + HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net + "for continuous abuse" because it has been my policy to allow HTML in list + posts!!
    +
    + I think that blocking all HTML is a Draconian way to control spam + and that the ultimate losers here are not the spammers but the list subscribers + whose MTAs are bouncing all shorewall.net mail. As one list subscriber + wrote to me privately "These e-mail admin's need to get a (expletive +deleted) life instead of trying to rid the planet of HTML based e-mail". +Nevertheless, to allow subscribers to receive list posts as must as possible, +I have now configured the list server at shorewall.net to strip all HTML +from outgoing posts.
    + +

    Where to Send your Problem Report or to Ask for Help

    + +

    If you run Shorewall under Bering -- please post your question or problem - to the LEAF Users mailing - list.

    - + to the LEAF Users mailing + list. + If you run Shorewall under MandrakeSoft Multi Network Firewall + (MNF) and you have not purchased an MNF license from MandrakeSoft then +you can post non MNF-specific Shorewall questions to the Shorewall users mailing list. + Do not expect to get free MNF support on the list.
    +

    Otherwise, please post your question or problem to the Shorewall users mailing list.

    -
    +
    - -

    - +

    To Subscribe to the mailing list go to http://www.shorewall.net/mailman/listinfo/shorewall-users - .

    + href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users + .

    - -

    Last Updated 12/27/2002 - Tom Eastep

    - + +

    Last Updated 1/9/2002 - Tom Eastep

    +

    Copyright © 2001, 2002 Thomas M. Eastep.
    -

    -
    -
    -
    + size="2">Copyright
    © 2001, 2002, 2003 Thomas M. Eastep.

    +


    -
    + diff --git a/STABLE/documentation/traffic_shaping.htm b/STABLE/documentation/traffic_shaping.htm index 7b9d95f9b..d1888baa0 100644 --- a/STABLE/documentation/traffic_shaping.htm +++ b/STABLE/documentation/traffic_shaping.htm @@ -1,293 +1,324 @@ - + - + - + - + Traffic Shaping - + - - - + + - - - + + + +
    - +
    +

    Traffic Shaping/Control

    -
    - +

    Beginning with version 1.2.0, Shorewall has limited support - for traffic shaping/control. In order to use traffic shaping under Shorewall, - it is essential that you get a copy of the Linux Advanced Routing and Shaping HOWTO, - version 0.3.0 or later. You must also install the iproute (iproute2) package - to provide the "ip" and "tc" utilities.

    - + version 0.3.0 or later. You must also install the iproute (iproute2) package + to provide the "ip" and "tc" utilities.

    +

    Shorewall traffic shaping support consists of the following:

    - +
      -
    • A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic - Shaping also requires that you enable packet mangling.
      -
    • -
    • /etc/shorewall/tcrules - A file where you can specify firewall - marking of packets. The firewall mark value may be used to classify - packets for traffic shaping/control.
      -
    • -
    • /etc/shorewall/tcstart - A user-supplied file that is sourced - by Shorewall during "shorewall start" and which you can use to define - your traffic shaping disciplines and classes. I have provided a sample that does - table-driven CBQ shaping but if you read the traffic shaping sections of - the HOWTO mentioned above, you can probably code your own faster than - you can learn how to use my sample. I personally use HTB (see below). HTB - support may eventually become an integral part of Shorewall since -HTB is a lot simpler and better-documented than CBQ. As of 2.4.20, +
    • A new TC_ENABLED parameter in /etc/shorewall.conf. +Traffic Shaping also requires that you enable packet mangling.
    • +
    • A new CLEAR_TC parameter in /etc/shorewall.conf (Added in Shorewall +1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the setting of +this variable determines whether Shorewall clears the traffic shaping configuration +during Shorewall [re]start and Shorewall stop.
      +
    • +
    • /etc/shorewall/tcrules - A file where you can specify + firewall marking of packets. The firewall mark value may be used to +classify packets for traffic shaping/control.
      +
    • +
    • /etc/shorewall/tcstart - A user-supplied file that +is sourced by Shorewall during "shorewall start" and which you can + use to define your traffic shaping disciplines and classes. I have +provided a sample +that does table-driven CBQ shaping but if you read the traffic shaping +sections of the HOWTO mentioned above, you can probably code your +own faster than you can learn how to use my sample. I personally use + HTB (see below). +HTB support may eventually become an integral part of Shorewall since + HTB is a lot simpler and better-documented than CBQ. As of 2.4.20, HTB is a standard part of the kernel but iproute2 must be patched in order to use it.
      -
      - In tcstart, when you want to run the 'tc' utility, use the run_tc - function supplied by shorewall if you want tc errors to stop the firewall.
      -
      - You can generally use off-the-shelf traffic shaping scripts by simply copying - them to /etc/shorewall/tcstart. I use + In tcstart, when you want to run the 'tc' utility, use the +run_tc function supplied by shorewall if you want tc errors to stop +the firewall.
      +
      + You can generally use off-the-shelf traffic shaping scripts by simply +copying them to /etc/shorewall/tcstart. I use
      The Wonder Shaper (HTB version) -that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and + that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and modified it according to the Wonder Shaper README). WARNING: If you use use Masquerading or SNAT (i.e., you only have one external IP address) then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] script won't work. Traffic shaping occurs after SNAT has already been applied so when traffic shaping happens, all outbound traffic will have as a source -address the IP addresss of your firewall's external interface.
      -
    • -
    • /etc/shorewall/tcclear - A user-supplied file that is sourced - by Shorewall when it is clearing traffic shaping. This file is normally - not required as Shorewall's method of clearing qdisc and filter definitions - is pretty general.
    • - + address the IP addresss of your firewall's external interface.
      + +
    • /etc/shorewall/tcclear - A user-supplied file that +is sourced by Shorewall when it is clearing traffic shaping. This +file is normally not required as Shorewall's method of clearing qdisc +and filter definitions is pretty general.
    • +
    - +Shorewall allows you to start traffic shaping when Shorewall itself starts +or it allows you to bring up traffic shaping when you bring up your interfaces.
    +
    +To start traffic shaping when Shorewall starts:
    +
      +
    1. Set TC_ENABLED=Yes and CLEAR_TC=Yes
    2. +
    3. Supply an /etc/shorewall/tcstart script to configure your traffic shaping +rules.
    4. +
    5. Optionally supply an /etc/shorewall/tcclear script to stop traffic +shaping. That is usually unnecessary.
    6. +
    7. If your tcstart script uses the 'fwmark' classifier, you can mark packets +using entries in /etc/shorewall/tcrules.
    8. +
    +To start traffic shaping when you bring up your network interfaces, you will +have to arrange for your traffic shaping configuration script to be run at +that time. How you do that is distribution dependent and will not be covered +here. You then should:
    +
      +
    1. Set TC_ENABLED=Yes and CLEAR_TC=No
    2. +
    3. Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.
    4. +
    5. If your tcstart script uses the 'fwmark' classifier, you +can mark packets using entries in /etc/shorewall/tcrules.
    6. +
    +

    Kernel Configuration

    - +

    This screen shot show how I've configured QoS in my Kernel:

    - +

    -

    - +

    +

    /etc/shorewall/tcrules

    - +

    The fwmark classifier provides a convenient way to classify - packets for traffic shaping. The /etc/shorewall/tcrules file provides -a means for specifying these marks in a tabular fashion.
    -

    + packets for traffic shaping. The /etc/shorewall/tcrules file provides + a means for specifying these marks in a tabular fashion.
    +

    +

    Normally, packet marking occurs in the PREROUTING chain before -any address rewriting takes place. This makes it impossible to mark inbound -packets based on their destination address when SNAT or Masquerading are + any address rewriting takes place. This makes it impossible to mark inbound + packets based on their destination address when SNAT or Masquerading are being used. Beginning with Shorewall 1.3.12, you can cause packet marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
    -

    - +

    +

    Columns in the file are as follows:

    - +
      -
    • MARK - Specifies the mark value is to be assigned in case of - a match. This is an integer in the range 1-255.
      -
      - Example - 5
      -
    • -
    • SOURCE - The source of the packet. If the packet originates - on the firewall, place "fw" in this column. Otherwise, this is a -comma-separated list of interface names, IP addresses, MAC addresses in +
    • MARK - Specifies the mark value is to be assigned in case +of a match. This is an integer in the range 1-255.
      +
      + Example - 5
      +
    • +
    • SOURCE - The source of the packet. If the packet originates + on the firewall, place "fw" in this column. Otherwise, this is a + comma-separated list of interface names, IP addresses, MAC addresses in Shorewall Format and/or Subnets.
      -
      - Examples
      -     eth0
      -     192.168.2.4,192.168.1.0/24
      -
    • -
    • DEST -- Destination of the packet. Comma-separated list of - IP addresses and/or subnets.
      -
    • -
    • PROTO - Protocol - Must be the name of a protocol from -/etc/protocol, a number or "all"
      -
    • -
    • PORT(S) - Destination Ports. A comma-separated list of Port - names (from /etc/services), port numbers or port ranges (e.g., 21:22); - if the protocol is "icmp", this column is interpreted as the destination - icmp type(s).
      -
    • -
    • CLIENT PORT(S) - (Optional) Port(s) used by the client. If - omitted, any source port is acceptable. Specified as a comma-separate - list of port names, port numbers or port ranges.
    • - +
      + Examples
      +     eth0
      +     192.168.2.4,192.168.1.0/24
      + +
    • DEST -- Destination of the packet. Comma-separated list of + IP addresses and/or subnets.
      +
    • +
    • PROTO - Protocol - Must be the name of a protocol from + /etc/protocol, a number or "all"
      +
    • +
    • PORT(S) - Destination Ports. A comma-separated list of Port + names (from /etc/services), port numbers or port ranges (e.g., 21:22); + if the protocol is "icmp", this column is interpreted as the +destination icmp type(s).
      +
    • +
    • CLIENT PORT(S) - (Optional) Port(s) used by the client. If + omitted, any source port is acceptable. Specified as a comma-separate + list of port names, port numbers or port ranges.
    • +
    - +

    Example 1 - All packets arriving on eth1 should be marked - with 1. All packets arriving on eth2 and eth3 should be marked with 2. -All packets originating on the firewall itself should be marked with 3.

    - + with 1. All packets arriving on eth2 and eth3 should be marked with 2. + All packets originating on the firewall itself should be marked with 3.

    + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    1eth10.0.0.0/0all  
    2eth20.0.0.0/0all  
    2
    -
    eth3
    -
    0.0.0.0/0
    -
    all
    -

    -

    -
    3fw0.0.0.0/0all  
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    1eth10.0.0.0/0all  
    2eth20.0.0.0/0all  
    2
    +
    eth3
    +
    0.0.0.0/0
    +
    all
    +

    +

    +
    3fw0.0.0.0/0all  
    - +

    Example 2 - All GRE (protocol 47) packets not originating - on the firewall and destined for 155.186.235.151 should be marked with -12.

    - + on the firewall and destined for 155.186.235.151 should be marked with + 12.

    + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    120.0.0.0/0155.186.235.15147  
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    120.0.0.0/0155.186.235.15147  
    - +

    Example 3 - All SSH packets originating in 192.168.1.0/24 - and destined for 155.186.235.151 should be marked with 22.

    - + and destined for 155.186.235.151 should be marked with 22.

    + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    22192.168.1.0/24155.186.235.151tcp22 
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    22192.168.1.0/24155.186.235.151tcp22 
    - +

    My Setup
    -

    - + +

    While I am currently using the HTB version of The Wonder Shaper (I just copied -wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper -README), I have also run with the following set of hand-crafted rules in -my tcstart file:
    -

    - -
    + wshaper.htb to /etc/shorewall/tcstart and modified it as shown in +the Wondershaper README), I have also run with the following set of hand-crafted +rules in my /etc/shorewall/tcstart file:
    +

    + +
    run_tc qdisc add dev eth0 root handle 1: htb default 30

    run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k

    echo "   Added Top Level Class -- rate 384kbit"
    - +
    run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1
    run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0
    run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1
    - +
    echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"
    - +
    run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
    run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
    run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
    - +
    echo "   Enabled PFIFO on Second Level Classes"
    - +
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
    - +
    echo "   Defined fwmark filters"
    -
    - +
    +

    My tcrules file that went with this tcstart file is shown in Example 1 - above. You can look at my network configuration - to get an idea of why I wanted these particular rules.
    -

    - + above. You can look at my network configuration + to get an idea of why I wanted these particular rules.
    +

    +
      -
    1. I wanted to allow up to 140kbits/second for traffic outbound from - my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic +
    2. I wanted to allow up to 140kbits/second for traffic outbound from + my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic can use all available bandwidth if there is no traffic from the local systems - or from my laptop or firewall).
    3. -
    4. My laptop and local systems could use up to 224kbits/second.
    5. -
    6. My firewall could use up to 20kbits/second.
      -
    7. - + or from my laptop or firewall). +
    8. My laptop and local systems could use up to 224kbits/second.
    9. +
    10. My firewall could use up to 20kbits/second.
      +
    11. +
    + +

    Last Updated 12/31/2002 - Tom Eastep

    -

    Last Updated 12/20/2002 - Tom Eastep

    -

    Copyright - © 2001, 2002 Thomas M. Eastep.
    -

    + © 2001, 2002 Thomas M. Eastep.

    +

    +
    +
    diff --git a/STABLE/documentation/troubleshoot.htm b/STABLE/documentation/troubleshoot.htm index 7fc06d028..cc4d05907 100644 --- a/STABLE/documentation/troubleshoot.htm +++ b/STABLE/documentation/troubleshoot.htm @@ -1,234 +1,237 @@ - + Shorewall Troubleshooting - + - + - + - - - + + - - - + + + + +
    - +
    +

    Shorewall TroubleshootingBeating head on table -

    -
    - +

    Check the Errata

    - -

    Check the Shorewall Errata to be - sure that there isn't an update that you are missing for your version + +

    Check the Shorewall Errata to be + sure that there isn't an update that you are missing for your version of the firewall.

    - +

    Check the FAQs

    - -

    Check the FAQs for solutions to common + +

    Check the FAQs for solutions to common problems.

    - +

    If the firewall fails to start

    - If you receive an error message when starting or restarting the - firewall and you can't determine the cause, then do the following: - -
      -
    • Make a note of the error message that you see.
      -
    • -
    • shorewall debug start 2> /tmp/trace
    • -
    • Look at the /tmp/trace file and see if that helps you -determine what the problem is. Be sure you find the place in the log where -the error message you saw is generated -- in 99.9% of the cases, it will -not be near the end of the log because after startup errors, Shorewall goes -through a "shorewall stop" phase which will also be traced.
    • -
    • If you still can't determine what's wrong then see the - support page.
    • - -
    -Here's an example. During startup, a user sees the following:
    -
    -
    Adding Common Rules
    iptables: No chain/target/match by that name
    Terminated
    -
    -A search through the trace for "No chain/target/match by that name" turned -up the following:  -
    -
    + echo 'Adding Common Rules'
    + add_common_rules
    + run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
    ++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset
    ++ sed 's/!/! /g'
    + iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
    iptables: No chain/target/match by that name
    -
    -The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with -tcp-reset". In this case, the user had compiled his own kernel and had forgotten -to include REJECT target support (see kernel.htm) - -

    Your network environment

    - -

    Many times when people have problems with Shorewall, the problem is - actually an ill-conceived network setup. Here are several popular snafus: -

    - -
      -
    • Port Forwarding where client and server are in the - same subnet. See FAQ 2.
    • -
    • Changing the IP address of a local system to be in the external - subnet, thinking that Shorewall will suddenly believe that the system - is in the 'net' zone.
    • -
    • Multiple interfaces connected to the same HUB or Switch. Given - the way that the Linux kernel respond to ARP "who-has" requests, this - type of setup does NOT work the way that you expect it to.
    • - -
    - -

    If you are having connection problems:

    - -

    If the appropriate policy for the connection that you are - trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING - TO MAKE IT WORK. Such additional rules will NEVER make it work, they add - clutter to your rule set and they represent a big security hole in the event - that you forget to remove them later.

    - -

    I also recommend against setting all of your policies to - ACCEPT in an effort to make something work. That robs you of one of - your best diagnostic tools - the "Shorewall" messages that Netfilter - will generate when you try to connect in a way that isn't permitted - by your rule set.

    - -

    Check your log ("/sbin/shorewall show log"). If you don't - see Shorewall messages, then your problem is probably NOT a Shorewall problem. - If you DO see packet messages, it may be an indication that you are missing - one or more rules -- see FAQ 17.

    - -

    While you are troubleshooting, it is a good idea to clear - two variables in /etc/shorewall/shorewall.conf:

    - -

    LOGRATE=""
    - LOGBURST=""

    - -

    This way, you will see all of the log messages being - generated (be sure to restart shorewall after clearing these variables).

    - -

    Example:

    - - -

    Jun 27 15:37:56 gateway kernel: - Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 - LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 -LEN=47

    -
    -

    Let's look at the important parts of this message:

    - -
      -
    • all2all:REJECT - This packet was REJECTed out of the all2all - chain -- the packet was rejected under the "all"->"all" REJECT policy - (see FAQ 17).
    • -
    • IN=eth2 - the packet entered the firewall via eth2
    • -
    • OUT=eth1 - if accepted, the packet would be sent on eth1
    • -
    • SRC=192.168.2.2 - the packet was sent by 192.168.2.2
    • -
    • DST=192.168.1.3 - the packet is destined for 192.168.1.3
    • -
    • PROTO=UDP - UDP Protocol
    • -
    • DPT=53 - DNS
    • - -
    - -

    In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 - is in the "loc" zone. I was missing the rule:

    - -

    ACCEPT    dmz    loc    udp    53
    -

    + If you receive an error message when starting or restarting +the firewall and you can't determine the cause, then do the following: -

    See FAQ 17 for additional information - about how to interpret the chain name appearing in a Shorewall log message.
    -

    - -

    Other Gotchas

    -
      -
    • Seeing rejected/dropped packets logged out of the INPUT or -FORWARD chains? This means that: +
    • Make a note of the error message that you see.
      +
    • +
    • shorewall debug start 2> /tmp/trace
    • +
    • Look at the /tmp/trace file and see if that helps you + determine what the problem is. Be sure you find the place in the log +where the error message you saw is generated -- in 99.9% of the cases, it +will not be near the end of the log because after startup errors, Shorewall +goes through a "shorewall stop" phase which will also be traced.
    • +
    • If you still can't determine what's wrong then see the + support page.
    • + +
    + Here's an example. During startup, a user sees the following:
    + +
    +
    Adding Common Rules
    iptables: No chain/target/match by that name
    Terminated
    +
    + A search through the trace for "No chain/target/match by that name" turned +up the following:  +
    +
    + echo 'Adding Common Rules'
    + add_common_rules
    + run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
    ++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset
    ++ sed 's/!/! /g'
    + iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
    iptables: No chain/target/match by that name
    +
    + The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with +tcp-reset". In this case, the user had compiled his own kernel and had forgotten +to include REJECT target support (see kernel.htm) + +

    Your network environment

    + +

    Many times when people have problems with Shorewall, the problem is +actually an ill-conceived network setup. Here are several popular snafus: +

    + +
      +
    • Port Forwarding where client and server are in +the same subnet. See FAQ 2.
    • +
    • Changing the IP address of a local system to be in the external + subnet, thinking that Shorewall will suddenly believe that the system + is in the 'net' zone.
    • +
    • Multiple interfaces connected to the same HUB or Switch. +Given the way that the Linux kernel respond to ARP "who-has" requests, +this type of setup does NOT work the way that you expect it to.
    • + +
    + +

    If you are having connection problems:

    + +

    If the appropriate policy for the connection that you are + trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING + TO MAKE IT WORK. Such additional rules will NEVER make it work, they +add clutter to your rule set and they represent a big security hole in +the event that you forget to remove them later.

    + +

    I also recommend against setting all of your policies to + ACCEPT in an effort to make something work. That robs you of one of + your best diagnostic tools - the "Shorewall" messages that Netfilter + will generate when you try to connect in a way that isn't permitted + by your rule set.

    + +

    Check your log ("/sbin/shorewall show log"). If you don't + see Shorewall messages, then your problem is probably NOT a Shorewall +problem. If you DO see packet messages, it may be an indication that you +are missing one or more rules -- see FAQ 17.

    + +

    While you are troubleshooting, it is a good idea to clear + two variables in /etc/shorewall/shorewall.conf:

    + +

    LOGRATE=""
    + LOGBURST=""

    + +

    This way, you will see all of the log messages being + generated (be sure to restart shorewall after clearing these variables).

    + +

    Example:

    + + +

    Jun 27 15:37:56 gateway kernel: + Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 + LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 +LEN=47

    +
    +

    Let's look at the important parts of this message:

    + +
      +
    • all2all:REJECT - This packet was REJECTed out of the all2all + chain -- the packet was rejected under the "all"->"all" REJECT +policy (see FAQ 17).
    • +
    • IN=eth2 - the packet entered the firewall via eth2
    • +
    • OUT=eth1 - if accepted, the packet would be sent on eth1
    • +
    • SRC=192.168.2.2 - the packet was sent by 192.168.2.2
    • +
    • DST=192.168.1.3 - the packet is destined for 192.168.1.3
    • +
    • PROTO=UDP - UDP Protocol
    • +
    • DPT=53 - DNS
    • + +
    + +

    In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 + is in the "loc" zone. I was missing the rule:

    + +

    ACCEPT    dmz    loc    udp    53
    +

    + +

    See FAQ 17 for additional information + about how to interpret the chain name appearing in a Shorewall log message.
    +

    + +

    'Ping' Problems?

    +Either can't ping when you think you should be able to or are able to ping +when you think that you shouldn't be allowed? Shorewall's 'Ping' Management is described here.
    +

    Other Gotchas

    + +
      +
    • Seeing rejected/dropped packets logged out of the INPUT or + FORWARD chains? This means that: +
        -
      1. your zone definitions are screwed up and the host that is - sending the packets or the destination host isn't in any zone (using - an /etc/shorewall/hosts file -are you?); or
      2. -
      3. the source and destination hosts are both connected to the - same interface and that interface doesn't have the 'multi' option - specified in /etc/shorewall/interfaces.
      4. - +
      5. your zone definitions are screwed up and the host that +is sending the packets or the destination host isn't in any zone +(using an /etc/shorewall/hosts +file are you?); or
      6. +
      7. the source and destination hosts are both connected to +the same interface and that interface doesn't have the 'multi' +option specified in /etc/shorewall/interfaces.
      8. +
      -
    • -
    • Remember that Shorewall doesn't automatically allow ICMP - type 8 ("ping") requests to be sent between zones. If you want pings - to be allowed between zones, you need a rule of the form:
      -
      -     ACCEPT    <source zone>    <destination zone>    - icmp    echo-request
      -
      - The ramifications of this can be subtle. For example, if you +
    • +
    • Remember that Shorewall doesn't automatically allow ICMP + type 8 ("ping") requests to be sent between zones. If you want pings + to be allowed between zones, you need a rule of the form:
      +
      +     ACCEPT    <source zone>    <destination zone>    + icmp    echo-request
      +
      + The ramifications of this can be subtle. For example, if you have the following in /etc/shorewall/nat:
      -
      -     10.1.1.2    eth0    130.252.100.18
      -
      - and you ping 130.252.100.18, unless you have allowed icmp type - 8 between the zone containing the system you are pinging from and -the zone containing 10.1.1.2, the ping requests will be dropped. This -is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.
    • -
    • If you specify "routefilter" for an interface, that interface +
      +     10.1.1.2    eth0    130.252.100.18
      +
      + and you ping 130.252.100.18, unless you have allowed icmp type + 8 between the zone containing the system you are pinging from and the + zone containing 10.1.1.2, the ping requests will be dropped. This is + true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.
    • +
    • If you specify "routefilter" for an interface, that interface must be up prior to starting the firewall.
    • -
    • Is your routing correct? For example, internal systems usually - need to be configured with their default gateway set to the IP address - of their nearest firewall interface. One often overlooked aspect of - routing is that in order for two hosts to communicate, the routing between - them must be set up in both directions. So when setting up routing - between A and B, be sure to verify that the route from - B back to A is defined.
    • -
    • Some versions of LRP (EigerStein2Beta for example) have a +
    • Is your routing correct? For example, internal systems usually + need to be configured with their default gateway set to the IP address + of their nearest firewall interface. One often overlooked aspect +of routing is that in order for two hosts to communicate, the routing +between them must be set up in both directions. So when setting +up routing between A and B, be sure to verify that the +route from B back to A is defined.
    • +
    • Some versions of LRP (EigerStein2Beta for example) have a shell with broken variable expansion. You can get a corrected + href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected shell from the Shorewall Errata download site.
    • -
    • Do you have your kernel properly configured? Do you have your kernel properly configured? Click here to see my kernel configuration.
    • -
    • Some features require the "ip" program. That program is - generally included in the "iproute" package which should be included - with your distribution (though many distributions don't install iproute +
    • Some features require the "ip" program. That program +is generally included in the "iproute" package which should be included + with your distribution (though many distributions don't install iproute by default). You may also download the latest source tarball from ftp://ftp.inr.ac.ru/ip-routing - .
    • -
    • If you have any entry for a zone in /etc/shorewall/hosts - then the zone must be entirely defined in /etc/shorewall/hosts unless - you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). - For example, if a zone has two interfaces but only one interface has -an entry in /etc/shorewall/hosts then hosts attached to the other interface + href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing + .
    • +
    • If you have any entry for a zone in /etc/shorewall/hosts + then the zone must be entirely defined in /etc/shorewall/hosts unless + you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). + For example, if a zone has two interfaces but only one interface has an + entry in /etc/shorewall/hosts then hosts attached to the other interface will not be considered part of the zone.
    • -
    • Problems with NAT? Be sure that you let Shorewall add all +
    • Problems with NAT? Be sure that you let Shorewall add all external addresses to be use with NAT unless you have set ADD_IP_ALIASES =No in /etc/shorewall/shorewall.conf.
    • - +
    - +

    Still Having Problems?

    - -

    See the support page.

    - - + +

    See the support page.
    +

    + +
    -
    -

    Last updated 12/4/2002 - Tom Eastep

    - -

    Copyright + +

    Last updated 1/7/2003 - Tom Eastep

    + +

    Copyright © 2001, 2002 Thomas M. Eastep.
    -

    -
    -
    -
    -
    +

    diff --git a/STABLE/documentation/two-interface.htm b/STABLE/documentation/two-interface.htm index 03faf63fb..6262e83d1 100644 --- a/STABLE/documentation/two-interface.htm +++ b/STABLE/documentation/two-interface.htm @@ -1,948 +1,952 @@ - + - + - + - + Two-Interface Firewall - + - + - - - + + - - - + + + +
    - +
    +

    Basic Two-Interface Firewall

    -
    - -

    Setting up a Linux system as a firewall for a small network - is a fairly straight-forward task if you understand the basics and follow - the documentation.

    - -

    This guide doesn't attempt to acquaint you with all of the features of - Shorewall. It rather focuses on what is required to configure Shorewall - in its most common configuration:

    - + +

    Setting up a Linux system as a firewall for a small network + is a fairly straight-forward task if you understand the basics and +follow the documentation.

    + +

    This guide doesn't attempt to acquaint you with all of the features of + Shorewall. It rather focuses on what is required to configure Shorewall + in its most common configuration:

    +
      -
    • Linux system used as a firewall/router for a small local +
    • Linux system used as a firewall/router for a small local network.
    • -
    • Single public IP address.
    • -
    • Internet connection through cable modem, DSL, ISDN, Frame -Relay, dial-up ...
    • - +
    • Single public IP address.
    • +
    • Internet connection through cable modem, DSL, ISDN, Frame + Relay, dial-up ...
    • +
    - +

    Here is a schematic of a typical installation.

    - +

    -

    - -

    If you are running Shorewall under Mandrake 9.0 or later, you can easily - configure the above setup using the Mandrake "Internet Connection Sharing" - applet. From the Mandrake Control Center, select "Network & Internet" - then "Connection Sharing". You should not need to refer to this guide.
    -

    - -

    This guide assumes that you have the iproute/iproute2 package installed - (on RedHat, the package is called iproute). You can tell - if this package is installed by the presence of an ip program on - your firewall system. As root, you can use the 'which' command to check - for this program:

    - +

    + +

    If you are running Shorewall under Mandrake 9.0 or later, you can easily + configure the above setup using the Mandrake "Internet Connection Sharing" + applet. From the Mandrake Control Center, select "Network & Internet" + then "Connection Sharing". You should not need to refer to this guide.
    +

    + +

    This guide assumes that you have the iproute/iproute2 package installed + (on RedHat, the package is called iproute). You can tell + if this package is installed by the presence of an ip program +on your firewall system. As root, you can use the 'which' command to +check for this program:

    +
         [root@gateway root]# which ip
    /sbin/ip
    [root@gateway root]#
    - -

    I recommend that you first read through the guide to familiarize yourself - with what's involved then go back through it again making your configuration - changes. Points at which configuration changes are recommended are flagged - with I recommend that you first read through the guide to familiarize yourself + with what's involved then go back through it again making your configuration + changes. Points at which configuration changes are recommended are +flagged with - .

    - + .

    +

    -     If you edit your configuration files on a Windows system, you - must save them as Unix files if your editor supports that option or you - must run them through dos2unix before trying to use them. Similarly, if - you copy a configuration file from your Windows hard drive to a floppy -disk, you must run dos2unix against the copy before using it with Shorewall.

    - +     If you edit your configuration files on a Windows system, +you must save them as Unix files if your editor supports that option +or you must run them through dos2unix before trying to use them. Similarly, +if you copy a configuration file from your Windows hard drive to a floppy + disk, you must run dos2unix against the copy before using it with Shorewall.

    + - +

    Shorewall Concepts

    - +

    -     The configuration files for Shorewall are contained in the directory - /etc/shorewall -- for simple setups, you will only need to deal with a -few of these as described in this guide. After you have installed Shorewall, download the two-interface sample, - un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall - (these files will replace files with the same name).

    - -

    As each file is introduced, I suggest that you look through the actual - file on your system -- each file contains detailed configuration instructions - and default entries.

    - -

    Shorewall views the network where it is running as being composed of a - set of zones. In the two-interface sample configuration, the following - zone names are used:

    - + href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample, + un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall + (these files will replace files with the same name).

    + +

    As each file is introduced, I suggest that you look through the actual + file on your system -- each file contains detailed configuration instructions + and default entries.

    + +

    Shorewall views the network where it is running as being composed of a + set of zones. In the two-interface sample configuration, the +following zone names are used:

    + - + + + + + - - - - - - - - - - - - - + + + + + + + + +
    NameDescription
    NameDescription
    netThe Internet
    locYour Local Network
    netThe Internet
    locYour Local Network
    - -

    Zones are defined in the /etc/shorewall/zones - file.

    - -

    Shorewall also recognizes the firewall system as its own zone - by default, - the firewall itself is known as fw.

    - -

    Rules about what traffic to allow and what traffic to deny are expressed - in terms of zones.

    - + +

    Zones are defined in the /etc/shorewall/zones + file.

    + +

    Shorewall also recognizes the firewall system as its own zone - by default, + the firewall itself is known as fw.

    + +

    Rules about what traffic to allow and what traffic to deny are expressed + in terms of zones.

    + - -

    For each connection request entering the firewall, the request is first - checked against the /etc/shorewall/rules file. If no rule in that file - matches the connection request then the first policy in /etc/shorewall/policy - that matches the request is applied. If that policy is REJECT or DROP  - the request is first checked against the rules in /etc/shorewall/common - (the samples provide that file for you).

    - -

    The /etc/shorewall/policy file included with the two-interface sample has -the following policies:

    - -
    + +

    For each connection request entering the firewall, the request is first + checked against the /etc/shorewall/rules file. If no rule in that file + matches the connection request then the first policy in /etc/shorewall/policy + that matches the request is applied. If that policy is REJECT or DROP  + the request is first checked against the rules in /etc/shorewall/common + (the samples provide that file for you).

    + +

    The /etc/shorewall/policy file included with the two-interface sample +has the following policies:

    + +
    - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + +
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    locnetACCEPT  
    netallDROPinfo 
    allallREJECTinfo 
    locnetACCEPT  
    netallDROPinfo 
    allallREJECTinfo 
    -
    - -
    -

    In the two-interface sample, the line below is included but commented - out. If you want your firewall system to have full access to servers -on the internet, uncomment that line.

    - +
    + +
    +

    In the two-interface sample, the line below is included but commented + out. If you want your firewall system to have full access to servers + on the internet, uncomment that line.

    + - + + + + + + + + - - - - - - - - - - - - - - - + + + + + + + +
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    fwnetACCEPT  
    fwnetACCEPT  
    -
    - +
    +

    The above policy will:

    - +
      -
    1. allow all connection requests from your local network to +
    2. allow all connection requests from your local network to the internet
    3. -
    4. drop (ignore) all connection requests from the internet to - your firewall or local network
    5. -
    6. optionally accept all connection requests from the firewall - to the internet (if you uncomment the additional policy)
    7. -
    8. reject all other connection requests.
    9. - +
    10. drop (ignore) all connection requests from the internet +to your firewall or local network
    11. +
    12. optionally accept all connection requests from the firewall + to the internet (if you uncomment the additional policy)
    13. +
    14. reject all other connection requests.
    15. +
    - +

    -     At this point, edit your /etc/shorewall/policy and make any +     At this point, edit your /etc/shorewall/policy and make any changes that you wish.

    - +

    Network Interfaces

    - +

    -

    - -

    The firewall has two network interfaces. Where Internet -connectivity is through a cable or DSL "Modem", the External Interface - will be the ethernet adapter that is connected to that "Modem" (e.g., eth0)  - unless you connect via Point-to-Point Protocol - over Ethernet (PPPoE) or Point-to-Point Tunneling - Protocol (PPTP) in which case the External Interface will -be a ppp interface (e.g., ppp0). If you connect via a regular modem, - your External Interface will also be ppp0. If you connect via ISDN, - your external interface will be ippp0.

    - +

    + +

    The firewall has two network interfaces. Where Internet connectivity +is through a cable or DSL "Modem", the External Interface will be +the ethernet adapter that is connected to that "Modem" (e.g., eth0)  + unless you connect via Point-to-Point Protocol + over Ethernet (PPPoE) or Point-to-Point +Tunneling Protocol (PPTP) in which case the External +Interface will be a ppp interface (e.g., ppp0). If you connect +via a regular modem, your External Interface will also be ppp0. +If you connect via ISDN, your external interface will be ippp0.

    +

    -     If your external interface is ppp0 or ippp0  +     If your external interface is ppp0 or ippp0  then you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.

    - -

    Your Internal Interface will be an ethernet adapter - (eth1 or eth0) and will be connected to a hub or switch. Your other computers - will be connected to the same hub/switch (note: If you have only a single - internal system, you can connect the firewall directly to the computer - using a cross-over cable).

    - + +

    Your Internal Interface will be an ethernet adapter + (eth1 or eth0) and will be connected to a hub or switch. Your other +computers will be connected to the same hub/switch (note: If you have +only a single internal system, you can connect the firewall directly +to the computer using a cross-over cable).

    +

    - Do not connect the internal and external interface to the - same hub or switch (even for testing). It won't work the way that you think - that it will and you will end up confused and believing that Shorewall - doesn't work at all.

    - + Do not connect the internal and external interface to +the same hub or switch (even for testing). It won't work the way that +you think that it will and you will end up confused and believing that +Shorewall doesn't work at all.

    +

    -     The Shorewall two-interface sample configuration assumes that - the external interface is eth0 and the internal interface is -eth1. If your configuration is different, you will have to modify -the sample /etc/shorewall/interfaces -file accordingly. While you are there, you may wish to review the list -of options that are specified for the interfaces. Some hints:

    - +     The Shorewall two-interface sample configuration assumes that + the external interface is eth0 and the internal interface is eth1. + If your configuration is different, you will have to modify the sample + /etc/shorewall/interfaces file + accordingly. While you are there, you may wish to review the list of +options that are specified for the interfaces. Some hints:

    +
      -
    • -

      If your external interface is ppp0 or ippp0, - you can replace the "detect" in the second column with "-".

      -
    • -
    • -

      If your external interface is ppp0 or ippp0 - or if you have a static IP address, you can remove "dhcp" from the -option list.

      -
    • - +
    • +

      If your external interface is ppp0 or ippp0, + you can replace the "detect" in the second column with "-".

      +
    • +
    • +

      If your external interface is ppp0 or ippp0 + or if you have a static IP address, you can remove "dhcp" from the + option list.

      +
    • +
    - +

    IP Addresses

    - -

    Before going further, we should say a few words about Internet - Protocol (IP) addresses. Normally, your ISP will assign you a -single Public IP address. This address may be assigned via the -Dynamic Host Configuration Protocol (DHCP) or as part of establishing -your connection when you dial in (standard modem) or establish your PPP -connection. In rare cases, your ISP may assign you a static IP address; -that means that you configure your firewall's external interface to use -that address permanently. However your external address is assigned, -it will be shared by all of your systems when you access the Internet. -You will have to assign your own addresses in your internal network (the -Internal Interface on your firewall plus your other computers). RFC 1918 -reserves several Private IP address ranges for this purpose:

    - -
    + +

    Before going further, we should say a few words about Internet + Protocol (IP) addresses. Normally, your ISP will assign you +a single Public IP address. This address may be assigned via +the Dynamic Host Configuration Protocol (DHCP) or as part of +establishing your connection when you dial in (standard modem) or establish +your PPP connection. In rare cases, your ISP may assign you a static +IP address; that means that you configure your firewall's external interface +to use that address permanently. However your external address is +assigned, it will be shared by all of your systems when you access the +Internet. You will have to assign your own addresses in your internal network +(the Internal Interface on your firewall plus your other computers). RFC +1918 reserves several Private IP address ranges for this purpose:

    + +
         10.0.0.0    - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255
    -
    - -
    +
    + +

    -     Before starting Shorewall, you should look at the IP address - of your external interface and if it is one of the above ranges, you - should remove the 'norfc1918' option from the external interface's +     Before starting Shorewall, you should look at the IP address + of your external interface and if it is one of the above ranges, you + should remove the 'norfc1918' option from the external interface's entry in /etc/shorewall/interfaces.

    -
    - -
    -

    You will want to assign your addresses from the same - sub-network (subnet).  For our purposes, we can consider a subnet - to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet - will have a Subnet Mask of 255.255.255.0. The address x.y.z.0 - is reserved as the Subnet Address and x.y.z.255 is reserved as - the Subnet Broadcast Address. In Shorewall, a subnet is - described using Classless -InterDomain Routing (CIDR) notation with consists of the subnet -address followed by "/24". The "24" refers to the number of consecutive +

    + +
    +

    You will want to assign your addresses from the same + sub-network (subnet).  For our purposes, we can consider a subnet + to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet + will have a Subnet Mask of 255.255.255.0. The address x.y.z.0 + is reserved as the Subnet Address and x.y.z.255 is reserved +as the Subnet Broadcast Address. In Shorewall, a subnet +is described using Classless +InterDomain Routing (CIDR) notation with consists of the subnet +address followed by "/24". The "24" refers to the number of consecutive leading "1" bits from the left of the subnet mask.

    -
    - -
    +
    + +

    Example sub-network:

    -
    - -
    -
    +
    + +
    +
    - - - - - + - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +
    Range:10.10.10.0 - 10.10.10.255
    Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.255
    CIDR Notation:10.10.10.0/24
    Range:10.10.10.0 - 10.10.10.255
    Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.255
    CIDR Notation:10.10.10.0/24
    -
    + +
    + +
    +

    It is conventional to assign the internal interface either + the first usable address in the subnet (10.10.10.1 in the above example) + or the last usable address (10.10.10.254).

    - -
    -

    It is conventional to assign the internal interface either - the first usable address in the subnet (10.10.10.1 in the above example) - or the last usable address (10.10.10.254).

    -
    - -
    -

    One of the purposes of subnetting is to allow all computers - in the subnet to understand which other computers can be communicated - with directly. To communicate with systems outside of the subnetwork, - systems send packets through a  gateway  (router).

    -
    - -
    + +
    +

    One of the purposes of subnetting is to allow all computers + in the subnet to understand which other computers can be communicated + with directly. To communicate with systems outside of the subnetwork, + systems send packets through a  gateway  (router).

    +
    + +

    -     Your local computers (computer 1 and computer 2 in the above - diagram) should be configured with their default gateway to -be the IP address of the firewall's internal interface.      +     Your local computers (computer 1 and computer 2 in the above + diagram) should be configured with their default gateway to +be the IP address of the firewall's internal interface.     

    -
    - -

    The foregoing short discussion barely scratches the surface - regarding subnetting and routing. If you are interested in learning more - about IP addressing and routing, I highly recommend "IP Fundamentals: - What Everyone Needs to Know about Addressing & Routing", Thomas - A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.

    - -

    The remainder of this quide will assume that you have configured - your network as shown here:

    - +
    + +

    The foregoing short discussion barely scratches the surface + regarding subnetting and routing. If you are interested in learning +more about IP addressing and routing, I highly recommend "IP Fundamentals: + What Everyone Needs to Know about Addressing & Routing", Thomas + A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.

    + +

    The remainder of this quide will assume that you have configured + your network as shown here:

    +

    -

    - +

    +

    The default gateway for computer's 1 & 2 would be 10.10.10.254.

    - +

    IP Masquerading (SNAT)

    - -

    The addresses reserved by RFC 1918 are sometimes referred - to as non-routable because the Internet backbone routers don't -forward packets which have an RFC-1918 destination address. When one of -your local systems (let's assume computer 1) sends a connection request -to an internet host, the firewall must perform Network Address Translation - (NAT). The firewall rewrites the source address in the packet to -be the address of the firewall's external interface; in other words, the -firewall makes it look as if the firewall itself is initiating the connection.  -This is necessary so that the destination host will be able to route return -packets back to the firewall (remember that packets whose destination -address is reserved by RFC 1918 can't be routed across the internet so -the remote host can't address its response to computer 1). When the firewall -receives a return packet, it rewrites the destination address back to 10.10.10.1 - and forwards the packet on to computer 1.

    - -

    On Linux systems, the above process is often referred to as - IP Masquerading but you will also see the term Source Network Address - Translation (SNAT) used. Shorewall follows the convention used with - Netfilter:

    - + +

    The addresses reserved by RFC 1918 are sometimes referred + to as non-routable because the Internet backbone routers don't + forward packets which have an RFC-1918 destination address. When one +of your local systems (let's assume computer 1) sends a connection request + to an internet host, the firewall must perform Network Address Translation + (NAT). The firewall rewrites the source address in the packet to + be the address of the firewall's external interface; in other words, +the firewall makes it look as if the firewall itself is initiating the +connection.  This is necessary so that the destination host will be able +to route return packets back to the firewall (remember that packets whose +destination address is reserved by RFC 1918 can't be routed across the +internet so the remote host can't address its response to computer 1). +When the firewall receives a return packet, it rewrites the destination +address back to 10.10.10.1 and forwards the packet on to computer 1.

    + +

    On Linux systems, the above process is often referred to +as IP Masquerading but you will also see the term Source Network +Address Translation (SNAT) used. Shorewall follows the convention used +with Netfilter:

    +
      -
    • -

      Masquerade describes the case where you let your - firewall system automatically detect the external interface address. -

      -
    • -
    • -

      SNAT refers to the case when you explicitly specify - the source address that you want outbound packets from your local network - to use.

      -
    • - +
    • +

      Masquerade describes the case where you let your + firewall system automatically detect the external interface address. +

      +
    • +
    • +

      SNAT refers to the case when you explicitly specify + the source address that you want outbound packets from your local +network to use.

      +
    • +
    - -

    In Shorewall, both Masquerading and SNAT are configured with - entries in the /etc/shorewall/masq file. You will normally use Masquerading - if your external IP is dynamic and SNAT if the IP is static.

    - + +

    In Shorewall, both Masquerading and SNAT are configured with + entries in the /etc/shorewall/masq file. You will normally use Masquerading + if your external IP is dynamic and SNAT if the IP is static.

    +

    -     If your external firewall interface is eth0, you do not - need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq - and change the first column to the name of your external interface and - the second column to the name of your internal interface.

    - +     If your external firewall interface is eth0, you do +not need to modify the file provided with the sample. Otherwise, edit + /etc/shorewall/masq and change the first column to the name of your +external interface and the second column to the name of your internal +interface.

    +

    -     If your external IP is static, you can enter it in the third - column in the /etc/shorewall/masq entry if you like although your firewall - will work fine if you leave that column empty. Entering your static -IP in column 3 makes processing outgoing packets a little more efficient.
    -
    - -     If you are using the Debian package, please check your shorewall.conf -file to ensure that the following are set correctly; if they are not, change -them appropriately:
    -

    - +     If your external IP is static, you can enter it in the third + column in the /etc/shorewall/masq entry if you like although your firewall + will work fine if you leave that column empty. Entering your static IP + in column 3 makes processing outgoing packets a little more efficient.
    +
    + +     If you are using the Debian package, please check your shorewall.conf + file to ensure that the following are set correctly; if they are not, change + them appropriately:
    +

    +
      -
    • NAT_ENABLED=Yes
    • -
    • IP_FORWARDING=On
      -
    • - +
    • NAT_ENABLED=Yes
    • +
    • IP_FORWARDING=On
      +
    • +
    - +

    Port Forwarding (DNAT)

    - -

    One of your goals may be to run one or more servers on your - local computers. Because these computers have RFC-1918 addresses, it -is not possible for clients on the internet to connect directly to them. -It is rather necessary for those clients to address their connection requests - to the firewall who rewrites the destination address to the address of - your server and forwards the packet to that server. When your server responds, - the firewall automatically performs SNAT to rewrite the source address - in the response.

    - -

    The above process is called Port Forwarding or - Destination Network Address Translation (DNAT). You configure port + +

    One of your goals may be to run one or more servers on your + local computers. Because these computers have RFC-1918 addresses, it + is not possible for clients on the internet to connect directly to them. + It is rather necessary for those clients to address their connection +requests to the firewall who rewrites the destination address to the +address of your server and forwards the packet to that server. When +your server responds, the firewall automatically performs SNAT to rewrite +the source address in the response.

    + +

    The above process is called Port Forwarding or + Destination Network Address Translation (DNAT). You configure port forwarding using DNAT rules in the /etc/shorewall/rules file.

    - -

    The general form of a simple port forwarding rule in /etc/shorewall/rules - is:

    - -
    + +

    The general form of a simple port forwarding rule in /etc/shorewall/rules + is:

    + +
    - + + + + + + + + + + - - - - - - - - - - - - + + - - - - - - - + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetloc:<server local ip address> [:<server + DNATnetloc:<server local ip address> [:<server port>]<protocol><port>  
    <protocol><port>  
    -
    - -

    Example - you run a Web Server on computer 2 and you want to forward incoming - TCP port 80 to that system:

    - -
    +
    + +

    Example - you run a Web Server on computer 2 and you want to forward incoming + TCP port 80 to that system:

    + +
    - + + + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetloc:10.10.10.2tcp80  
    DNATnetloc:10.10.10.2tcp80  
    -
    - +
    +

    A couple of important points to keep in mind:

    - +
      -
    • You must test the above rule from a client outside of your - local network (i.e., don't test from a browser running on computers - 1 or 2 or on the firewall). If you want to be able to access your web +
    • You must test the above rule from a client outside of your + local network (i.e., don't test from a browser running on computers + 1 or 2 or on the firewall). If you want to be able to access your web server using the IP address of your external interface, see Shorewall FAQ #2.
    • -
    • Many ISPs block incoming connection requests to port 80. -If you have problems connecting to your web server, try the following -rule and try connecting to port 5000.
    • - +
    • Many ISPs block incoming connection requests to port 80. +If you have problems connecting to your web server, try the following + rule and try connecting to port 5000.
    • +
    - -
    + +
    - + + + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetloc:10.10.10.2:80tcp5000  
    DNATnetloc:10.10.10.2:80tcp5000  
    -
    - +
    +

    -     At this point, modify /etc/shorewall/rules to add any DNAT +     At this point, modify /etc/shorewall/rules to add any DNAT rules that you require.

    - +

    Domain Name Server (DNS)

    - -

    Normally, when you connect to your ISP, as part of getting - an IP address your firewall's Domain Name Service (DNS) resolver - will be automatically configured (e.g., the /etc/resolv.conf file will - be written). Alternatively, your ISP may have given you the IP address -of a pair of DNS name servers for you to manually configure as your - primary and secondary name servers. Regardless of how DNS gets configured - on your firewall, it is your responsibility to configure the resolver - in your internal systems. You can take one of two approaches:

    - + +

    Normally, when you connect to your ISP, as part of getting + an IP address your firewall's Domain Name Service (DNS) resolver + will be automatically configured (e.g., the /etc/resolv.conf file will + be written). Alternatively, your ISP may have given you the IP address + of a pair of DNS name servers for you to manually configure as +your primary and secondary name servers. Regardless of how DNS gets +configured on your firewall, it is your responsibility to configure +the resolver in your internal systems. You can take one of two approaches:

    +
      -
    • -

      You can configure your internal systems to use your ISP's - name servers. If you ISP gave you the addresses of their servers or - if those addresses are available on their web site, you can configure - your internal systems to use those addresses. If that information isn't - available, look in /etc/resolv.conf on your firewall system -- the name - servers are given in "nameserver" records in that file.

      -
    • -
    • +
    • +

      You can configure your internal systems to use your ISP's + name servers. If you ISP gave you the addresses of their servers +or if those addresses are available on their web site, you can configure + your internal systems to use those addresses. If that information +isn't available, look in /etc/resolv.conf on your firewall system +-- the name servers are given in "nameserver" records in that file. +

      +
    • +
    • -     You can configure a Caching Name Server on your firewall. - Red Hat has an RPM for a caching name server (the RPM also -requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If -you take this approach, you configure your internal systems to use the -firewall itself as their primary (and only) name server. You use the internal -IP address of the firewall (10.10.10.254 in the example above) for the -name server address. To allow your local systems to talk to your caching -name server, you must open port 53 (both UDP and TCP) from the local -network to the firewall; you do that by adding the following rules in -/etc/shorewall/rules.

      -
    • - +     You can configure a Caching Name Server on your firewall. + Red Hat has an RPM for a caching name server (the RPM also + requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. +If you take this approach, you configure your internal systems to use +the firewall itself as their primary (and only) name server. You use the +internal IP address of the firewall (10.10.10.254 in the example above) +for the name server address. To allow your local systems to talk to +your caching name server, you must open port 53 (both UDP and TCP) from +the local network to the firewall; you do that by adding the following +rules in /etc/shorewall/rules.

      + +
    - -
    + +
    - + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp53  
    ACCEPTlocfwudp53  
    ACCEPTlocfwtcp53  
    ACCEPTlocfwudp53  
    -
    - -
    +
    + +

    Other Connections

    -
    - -
    +
    + +

    The two-interface sample includes the following rules:

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTfwnettcp53  
    ACCEPTfwnetudp53  
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTfwnettcp53  
    ACCEPTfwnetudp53  
    -
    + +
    + +
    +

    Those rules allow DNS access from your firewall and may be + removed if you uncommented the line in /etc/shorewall/policy allowing + all connections from the firewall to the internet.

    - -
    -

    Those rules allow DNS access from your firewall and may be - removed if you uncommented the line in /etc/shorewall/policy allowing - all connections from the firewall to the internet.

    -
    - -
    + +

    The sample also includes:

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - + - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp22  
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp22  
    -
    + +
    + +
    +

    That rule allows you to run an SSH server on your firewall + and connect to that server from your local systems.

    - -
    -

    That rule allows you to run an SSH server on your firewall - and connect to that server from your local systems.

    -
    - -
    -

    If you wish to enable other connections between your firewall - and other systems, the general format is:

    -
    - -
    -
    + +
    +

    If you wish to enable other connections between your firewall + and other systems, the general format is:

    +
    + +
    +
    - - - - - - - - - - + - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPT<source zone><destination zone><protocol><port>  
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPT<source zone><destination zone><protocol><port>  
    -
    +
    +
    + +
    +

    Example - You want to run a Web Server on your firewall + system:

    - -
    -

    Example - You want to run a Web Server on your firewall - system:

    -
    - -
    -
    + +
    +
    - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp80#Allow web accessfrom the internet
    ACCEPTlocfwtcp80#Allow web accessfrom the local network
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp80#Allow web accessfrom the internet
    ACCEPTlocfwtcp80#Allow web accessfrom the local network
    -
    +
    +
    + +
    +

    Those two rules would of course be in addition to the rules + listed above under "You can configure a Caching Name Server on your + firewall"

    - -
    -

    Those two rules would of course be in addition to the rules - listed above under "You can configure a Caching Name Server on your - firewall"

    -
    - -
    -

    If you don't know what port and protocol a particular application -uses, look here.

    -
    - -
    -

    Important: I don't recommend enabling telnet to/from - the internet because it uses clear text (even for login!). If you want - shell access to your firewall from the internet, use SSH:

    -
    - -
    -
    + +
    +

    If you don't know what port and protocol a particular +application uses, look here.

    +
    + +
    +

    Important: I don't recommend enabling telnet to/from + the internet because it uses clear text (even for login!). If you +want shell access to your firewall from the internet, use SSH:

    +
    + +
    +
    - - - - - - - - - - + - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp22  
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp22  
    -
    -
    - -
    +
    +
    + +

    -     Now edit your /etc/shorewall/rules file to add or delete +     Now edit your /etc/shorewall/rules file to add or delete other connections as required.

    -
    - -
    -

    Starting and Stopping Your Firewall

    - -
    + +
    +

    Starting and Stopping Your Firewall

    +
    + +

    Arrow -     The installation procedure configures - your system to start Shorewall at system boot  but beginning with Shorewall - version 1.3.9 startup is disabled so that your system won't try to start - Shorewall before configuration is complete. Once you have completed configuration - of your firewall, you can enable Shorewall startup by removing the file +     The installation procedure configures + your system to start Shorewall at system boot  but beginning with Shorewall + version 1.3.9 startup is disabled so that your system won't try to start + Shorewall before configuration is complete. Once you have completed configuration + of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.
    -

    - +

    +

    IMPORTANT: Users of the .deb package must edit /etc/default/shorewall + color="#ff0000">Users of the .deb package must edit /etc/default/shorewall and set 'startup=1'.
    -

    +

    +
    + +
    +

    The firewall is started using the "shorewall start" command + and stopped using "shorewall stop". When the firewall is stopped, +routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped. A + running firewall may be restarted using the "shorewall restart" command. + If you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".

    - -
    -

    The firewall is started using the "shorewall start" command - and stopped using "shorewall stop". When the firewall is stopped, routing - is enabled on those hosts that have an entry in /etc/shorewall/routestopped. A - running firewall may be restarted using the "shorewall restart" command. - If you want to totally remove any trace of Shorewall from your Netfilter - configuration, use "shorewall clear".

    -
    - -
    + +

    -     The two-interface sample assumes that you want to enable -routing to/from eth1 (the local network) when Shorewall is stopped. -If your local network isn't connected to eth1 or if you wish to -enable access to/from other hosts, change /etc/shorewall/routestopped +     The two-interface sample assumes that you want to enable + routing to/from eth1 (the local network) when Shorewall is stopped. +If your local network isn't connected to eth1 or if you wish to +enable access to/from other hosts, change /etc/shorewall/routestopped accordingly.

    -
    - -
    -

    WARNING: If you are connected to your firewall from - the internet, do not issue a "shorewall stop" command unless you have - added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. - Also, I don't recommend using "shorewall restart"; it is better to create - an alternate configuration - and test it using the + +

    - +
    +

    Last updated 12/20/2002 - Tom Eastep

    - -

    Copyright 2002 Thomas - M. Eastep

    -
    + +

    Copyright 2002 Thomas + M. Eastep

    +
    +



    diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh index ca3e10a6b..4d827f543 100755 --- a/STABLE/fallback.sh +++ b/STABLE/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.3.12 +VERSION=1.3.13 usage() # $1 = exit status { diff --git a/STABLE/firewall b/STABLE/firewall index b4844d7cb..e52387060 100755 --- a/STABLE/firewall +++ b/STABLE/firewall @@ -70,7 +70,7 @@ list_count() { # # Mutual exclusion -- These functions are jackets for the mutual exclusion -# routines in /usr/lib/shorewall/functions. They invoke +# routines in $FUNCTIONS. They invoke # the corresponding function in that file if the user did # not specify "nolock" on the runline. # @@ -833,6 +833,11 @@ validate_rule() { target=ACCEPT address=${address:=detect} ;; + DNAT-) + target=ACCEPT + address=${address:=detect} + logtarget=DNAT + ;; REDIRECT) target=ACCEPT address=${address:=all} @@ -983,6 +988,17 @@ validate_policy() local zone1 local pc local chain + local policy + local loglevel + local synparams + + print_policy() # $1 = source zone, $2 = destination zone + { + [ $command != check ] || \ + [ $1 = all ] || \ + [ $2 = all ] || \ + echo " Policy for $1 to $2 is $policy" + } all_policy_chains= @@ -1048,27 +1064,34 @@ validate_policy() for zone1 in $zones $FW all; do eval pc=\$${zone}2${zone1}_policychain - [ -n "$pc" ] || \ + if [ -z "$pc" ]; then eval ${zone}2${zone1}_policychain=$chain + print_policy $zone $zone1 + fi done done else for zone in $zones $FW all; do eval pc=\$${zone}2${server}_policychain - [ -n "$pc" ] || \ + if [ -z "$pc" ]; then eval ${zone}2${server}_policychain=$chain + print_policy $zone $server + fi done fi elif [ -n "$serverwild" ]; then for zone in $zones $FW all; do eval pc=\$${client}2${zone}_policychain - [ -n "$pc" ] || \ - eval ${client}2${zone}_policychain=$chain + if [ -z "$pc" ]; then + eval ${client}2${zone}_policychain=$chain + print_policy $client $zone + fi done else eval ${chain}_policychain=${chain} + print_policy $client $server fi done < $TMP_DIR/policy @@ -1234,7 +1257,7 @@ stop_firewall() { [ -n "$NAT_ENABLED" ] && delete_nat delete_proxy_arp - [ -n "$TC_ENABLED" ] && delete_tc + [ -n "$CLEAR_TC" ] && delete_tc setpolicy INPUT DROP setpolicy OUTPUT DROP @@ -1344,12 +1367,18 @@ setup_tunnels() # $1 = name of tunnels file run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options else run_iptables -A $inchain -p udp -s $1 --dport 500 $options + run_iptables -A $inchain -p udp -s $1 --dport 4500 $options fi for z in `separate_list $3`; do if validate_zone $z; then addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options - addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options + if [ $2 = ipsec ]; then + addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options + else + addrule ${z}2${FW} -p udp --dport 500 $options + addrule ${z}2${FW} -p udp --dport 4500 $options + fi else error_message "Warning: Invalid gateway zone ($z)" \ " -- Tunnel \"$tunnel\" may encounter keying problems" @@ -1820,6 +1849,7 @@ setup_tc() { # delete_tc() { + clear_one_tc() { tc qdisc del dev $1 root 2> /dev/null tc qdisc del dev $1 ingress 2> /dev/null @@ -1830,11 +1860,11 @@ delete_tc() run_ip link list | \ while read inx interface details; do case $inx in - [0-9]*) - clear_one_tc ${interface%:} - ;; - *) - ;; + [0-9]*) + clear_one_tc ${interface%:} + ;; + *) + ;; esac done } @@ -1846,7 +1876,7 @@ refresh_tc() { echo "Refreshing Traffic Control Rules..." - delete_tc + [ -n "$CLEAR_TC" ] && delete_tc [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre @@ -2152,7 +2182,7 @@ add_a_rule() add_nat_rule fi - if [ $chain != ${FW}2${FW} ]; then + if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then serv="${serv:+-d $serv}" if [ -n "$loglevel" ]; then @@ -2229,14 +2259,23 @@ process_rule() # $1 = target fi logtarget="$target" + dnat_only= # Convert 1.3 Rule formats to 1.2 format + [ "x$address" = "x-" ] && address= + case $target in DNAT) target=ACCEPT address=${address:=detect} ;; + DNAT-) + target=ACCEPT + address=${address:=detect} + dnat_only=Yes + logtarget=DNAT + ;; REDIRECT) target=ACCEPT address=${address:=all} @@ -2379,7 +2418,7 @@ process_rules() # $1 = name of rules file while read xtarget xclients xservers xprotocol xports xcports xaddress; do case "$xtarget" in - ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*) + ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*) expandv xclients xservers xprotocol xports xcports xaddress if [ "x$xclients" = xall ]; then @@ -3233,7 +3272,7 @@ initialize_netfilter () { run_iptables -t mangle -F && \ run_iptables -t mangle -X - [ -n "$TC_ENABLED" ] && delete_tc + [ -n "$CLEAR_TC" ] && delete_tc run_user_exit init @@ -3267,7 +3306,7 @@ initialize_netfilter () { run_user_exit newnotsyn if [ -n "$LOGNEWNOTSYN" ]; then if [ "$LOGNEWNOTSYN" = ULOG ]; then - run_iptables -A newnotsyn -j ULOG \ + run_iptables -A newnotsyn -j ULOG --ulog-prefix "Shorewall:newnotsyn:DROP:" else run_iptables -A newnotsyn -j LOG \ @@ -4432,6 +4471,10 @@ do_initialize() { TCP_FLAGS_LOG_LEVEL= RFC1918_LOG_LEVEL= MARK_IN_FORWARD_CHAIN= + SHARED_DIR=/usr/lib/shorewall + FUNCTIONS= + VERSION_FILE= + stopping= have_mutex= masq_seq=1 @@ -4445,31 +4488,35 @@ do_initialize() { trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 - functions=/usr/lib/shorewall/functions - - if [ -f $functions ]; then - . $functions + if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then + config=$SHOREWALL_DIR/shorewall.conf else - startup_error "$functions does not exist!" + config=/etc/shorewall/shorewall.conf + fi + + if [ -f $config ]; then + . $config + else + echo "$config does not exist!" >&2 + exit 2 fi - version_file=/usr/lib/shorewall/version + FUNCTIONS=$SHARED_DIR/functions - [ -f $version_file ] && version=`cat $version_file` - # - # Strip the files that we use often - # - strip_file interfaces - strip_file hosts + if [ -f $FUNCTIONS ]; then + . $FUNCTIONS + else + startup_error "$FUNCTIONS does not exist!" + fi - run_user_exit shorewall.conf - run_user_exit params + VERSION_FILE=$SHARED_DIR/version + + [ -f $VERSION_FILE ] && version=`cat $VERSION_FILE` [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -d $STATEDIR ] || mkdir -p $STATEDIR - [ -z "$FW" ] && FW=fw ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" @@ -4544,7 +4591,20 @@ do_initialize() { [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN` [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre + if [ -n "$TC_ENABLED" ]; then + CLEAR_TC=`added_param_value_yes CLEAR_TC $CLEAR_TC` + else + CLEAR_TC= + fi + + run_user_exit params + + # + # Strip the files that we use often + # + strip_file interfaces + strip_file hosts } # diff --git a/STABLE/install.sh b/STABLE/install.sh index 166ddc017..53315b252 100755 --- a/STABLE/install.sh +++ b/STABLE/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.3.12 +VERSION=1.3.13 usage() # $1 = exit status { diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt index ce2580b87..f9f09cad3 100644 --- a/STABLE/releasenotes.txt +++ b/STABLE/releasenotes.txt @@ -2,39 +2,48 @@ This is a minor release of Shorewall that has a couple of new features. New features include: -1) "shorewall refresh" now reloads the traffic shaping rules (tcrules - and tcstart). +1) A new 'DNAT-' action has been added for entries in the + /etc/shorewall/rules file. DNAT- is intended for advanced users who + wish to minimize the number of rules that connection requests must + traverse. + + A Shorewall DNAT rule actually generates two iptables rules: a + header rewriting rule in the 'nat' table and an ACCEPT rule in the + 'filter' table. A DNAT- rule only generates the first of these + rules. This is handy when you have several DNAT rules that would + generate the same ACCEPT rule. -2) "shorewall debug [re]start" now turns off debugging after an error - occurs. This places the point of the failure near the end of the - trace rather than up in the middle of it. + Here are three rules from my previous rules file: + + DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178 + DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179 + ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,... -3) "shorewall [re]start" has been speeded up by more than 40% with - my configuration. Your milage may vary. + These three rules ended up generating _three_ copies of -4) A "shorewall show classifiers" command has been added which shows - the current packet classification filters. The output from this - command is also added as a separate page in "shorewall monitor" + ACCEPT net dmz:206.124.146.177 tcp smtp -5) ULOG (must be all caps) is now accepted as a valid syslog level and - causes the subject packets to be logged using the ULOG target rather - than the LOG target. This allows you to run ulogd (available from - www.gnumonks.org/projects/ulogd) and log all Shorewall messages to - a separate log file. + By writing the rules this way, I end up with only one copy of the + ACCEPT rule. -6) If you are running a kernel that has a FORWARD chain in the mangle - table ("shorewall show mangle" will show you the chains in the - mangle table), you can set MARK_IN_FORWARD=Yes in - shorewall.conf. This allows for marking inbound packets based on - their destination even when you are using Masquerading or SNAT. + DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178 + DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179 + ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,... -7) I have cluttered up the /etc/shorewall directory with empty 'init', - 'start', 'stop' and 'stopped' files. If you already have a file with - one of these names, don't worry -- the upgrade process won't - overwrite your file. +2) The 'shorewall check' command now prints out the applicable policy + between each pair of zones. -8) I have added a new RFC1918_LOG_LEVEL variable to - shorewall.conf. This variable specifies the syslog level at which - packets are logged as a result of entries in the - /etc/shorewall/rfc1918 file. Previously, these packets were always - logged at the 'info' level. +3. A new CLEAR_TC option has been added to shorewall.conf. If this + option is set to 'No' then Shorewall won't clear the current + traffic control rules during [re]start. This setting is intended + for use by people that prefer to configure traffic shaping when + the network interfaces come up rather than when the firewall + is started. If that is what you want to do, set TC_ENABLED=Yes and + CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That + way, your traffic shaping rules can still use the 'fwmark' + classifier based on packet marking defined in /etc/shorewall/tcrules. + +4. A new SHARED_DIR variable has been added that allows distribution + packagers to easily move the shared directory (default + /usr/lib/shorewall). Users should never have a need to change the + value of this shorewall.conf setting. diff --git a/STABLE/rules b/STABLE/rules index 8554645d9..8a6244f55 100644 --- a/STABLE/rules +++ b/STABLE/rules @@ -24,6 +24,10 @@ # DNAT -- Forward the request to another # system (and optionally another # port). +# DNAT- -- Advanced users only. +# Like DNAT but only generates the +# DNAT iptables rule and not +# the companion ACCEPT rule. # REDIRECT -- Redirect the request to a local # port on the firewall. # diff --git a/STABLE/shorewall b/STABLE/shorewall index 0245eb4ae..8b0e6b04f 100755 --- a/STABLE/shorewall +++ b/STABLE/shorewall @@ -569,51 +569,65 @@ fi [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR -functions=/usr/lib/shorewall/functions +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin +SHARED_DIR=/usr/lib/shorewall +MUTEX_TIMEOUT= -if [ -f $functions ]; then - . $functions +if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then + config=$SHOREWALL_DIR/shorewall.conf else - echo "$functions does not exist!" >&2 + config=/etc/shorewall/shorewall.conf +fi + +if [ -f $config ]; then + . $config +else + echo "$config does not exist!" >&2 exit 2 fi -firewall=/usr/lib/shorewall/firewall +[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall -if [ ! -f $firewall ]; then +FIREWALL=$SHARED_DIR/firewall +FUNCTIONS=$SHARED_DIR/functions +VERSION_FILE=$SHARED_DIR/version + +if [ -f $FUNCTIONS ]; then + . $FUNCTIONS +else + echo "$FUNCTIONS does not exist!" >&2 + exit 2 +fi + +if [ ! -f $FIREWALL ]; then echo "ERROR: Shorewall is not properly installed" - if [ -L $firewall ]; then - echo " $firewall is a symbolic link to a" + if [ -L $FIREWALL ]; then + echo " $FIREWALL is a symbolic link to a" echo " non-existant file" else - echo " The file /usr/lib/shorewall/firewall does not exist" + echo " The file $FIREWALL does not exist" fi exit 2 fi -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin - -version_file=/usr/lib/shorewall/version - -if [ -f $version_file ]; then - version=`cat $version_file` +if [ -f $VERSION_FILE ]; then + version=`cat $VERSION_FILE` else echo "ERROR: Shorewall is not properly installed" - echo " The file /usr/lib/shorewall/version does not exist" + echo " The file $VERSION_FILE does not exist" exit 1 fi banner="Shorewall-$version Status at $HOSTNAME -" -get_statedir case `echo -e` in -e*) - RING_BELL="echo \'\a\'" + RING_BELL="echo \a" ;; *) - RING_BELL="echo -e \'\a\'" + RING_BELL="echo -e \a" ;; esac @@ -629,11 +643,11 @@ esac case "$1" in start|stop|restart|reset|clear|refresh|check) [ $# -ne 1 ] && usage 1 - exec $firewall $debugging $nolock $1 + exec $FIREWALL $debugging $nolock $1 ;; add|delete) [ $# -ne 3 ] && usage 1 - exec $firewall $debugging $nolock $1 $2 $3 + exec $FIREWALL $debugging $nolock $1 $2 $3 ;; show) [ $# -gt 2 ] && usage 1 diff --git a/STABLE/shorewall.conf b/STABLE/shorewall.conf index f0981141a..ea84b080a 100644 --- a/STABLE/shorewall.conf +++ b/STABLE/shorewall.conf @@ -9,6 +9,13 @@ # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) ############################################################################## # +# You should not have to change the variables in this section -- they are set +# by the packager of your Shorewall distribution +# +SHARED_DIR=/usr/lib/shorewall +# +############################################################################## +# # General note about log levels. Log levels are a method of describing # to syslog (8) the importance of a message and a number of parameters # in this file have log levels as their value. diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec index 05b8bcaf1..e77c3cbf2 100644 --- a/STABLE/shorewall.spec +++ b/STABLE/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.3.12 +%define version 1.3.13 %define release 1 %define prefix /usr @@ -105,6 +105,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Mon Jan 13 2003 Tom Eastep +- Changes version to 1.3.13 * Fri Dec 27 2002 Tom Eastep - Changes version to 1.3.12 * Sun Dec 22 2002 Tom Eastep diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh index 6bb0492cc..c4d83c1fa 100755 --- a/STABLE/uninstall.sh +++ b/STABLE/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.3.12 +VERSION=1.3.13 usage() # $1 = exit status {