Changes for 1.3.13

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@402 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-01-14 20:32:45 +00:00
parent 5b9b519183
commit f04d58006f
57 changed files with 12980 additions and 11199 deletions

View File

@ -70,7 +70,7 @@ list_count() {
# #
# Mutual exclusion -- These functions are jackets for the mutual exclusion # Mutual exclusion -- These functions are jackets for the mutual exclusion
# routines in /usr/lib/shorewall/functions. They invoke # routines in $FUNCTIONS. They invoke
# the corresponding function in that file if the user did # the corresponding function in that file if the user did
# not specify "nolock" on the runline. # not specify "nolock" on the runline.
# #
@ -833,6 +833,11 @@ validate_rule() {
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
DNAT-)
target=ACCEPT
address=${address:=detect}
logtarget=DNAT
;;
REDIRECT) REDIRECT)
target=ACCEPT target=ACCEPT
address=${address:=all} address=${address:=all}
@ -983,6 +988,17 @@ validate_policy()
local zone1 local zone1
local pc local pc
local chain local chain
local policy
local loglevel
local synparams
print_policy() # $1 = source zone, $2 = destination zone
{
[ $command != check ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
}
all_policy_chains= all_policy_chains=
@ -1048,27 +1064,34 @@ validate_policy()
for zone1 in $zones $FW all; do for zone1 in $zones $FW all; do
eval pc=\$${zone}2${zone1}_policychain eval pc=\$${zone}2${zone1}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain eval ${zone}2${zone1}_policychain=$chain
print_policy $zone $zone1
fi
done done
done done
else else
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${zone}2${server}_policychain eval pc=\$${zone}2${server}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain eval ${zone}2${server}_policychain=$chain
print_policy $zone $server
fi
done done
fi fi
elif [ -n "$serverwild" ]; then elif [ -n "$serverwild" ]; then
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${client}2${zone}_policychain eval pc=\$${client}2${zone}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain eval ${client}2${zone}_policychain=$chain
print_policy $client $zone
fi
done done
else else
eval ${chain}_policychain=${chain} eval ${chain}_policychain=${chain}
print_policy $client $server
fi fi
done < $TMP_DIR/policy done < $TMP_DIR/policy
@ -1234,7 +1257,7 @@ stop_firewall() {
[ -n "$NAT_ENABLED" ] && delete_nat [ -n "$NAT_ENABLED" ] && delete_nat
delete_proxy_arp delete_proxy_arp
[ -n "$TC_ENABLED" ] && delete_tc [ -n "$CLEAR_TC" ] && delete_tc
setpolicy INPUT DROP setpolicy INPUT DROP
setpolicy OUTPUT DROP setpolicy OUTPUT DROP
@ -1344,12 +1367,18 @@ setup_tunnels() # $1 = name of tunnels file
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
else else
run_iptables -A $inchain -p udp -s $1 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --dport 500 $options
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
fi fi
for z in `separate_list $3`; do for z in `separate_list $3`; do
if validate_zone $z; then if validate_zone $z; then
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
if [ $2 = ipsec ]; then
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
else
addrule ${z}2${FW} -p udp --dport 500 $options
addrule ${z}2${FW} -p udp --dport 4500 $options
fi
else else
error_message "Warning: Invalid gateway zone ($z)" \ error_message "Warning: Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" may encounter keying problems" " -- Tunnel \"$tunnel\" may encounter keying problems"
@ -1820,6 +1849,7 @@ setup_tc() {
# #
delete_tc() delete_tc()
{ {
clear_one_tc() { clear_one_tc() {
tc qdisc del dev $1 root 2> /dev/null tc qdisc del dev $1 root 2> /dev/null
tc qdisc del dev $1 ingress 2> /dev/null tc qdisc del dev $1 ingress 2> /dev/null
@ -1846,7 +1876,7 @@ refresh_tc() {
echo "Refreshing Traffic Control Rules..." echo "Refreshing Traffic Control Rules..."
delete_tc [ -n "$CLEAR_TC" ] && delete_tc
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
@ -2152,7 +2182,7 @@ add_a_rule()
add_nat_rule add_nat_rule
fi fi
if [ $chain != ${FW}2${FW} ]; then if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}" serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
@ -2229,14 +2259,23 @@ process_rule() # $1 = target
fi fi
logtarget="$target" logtarget="$target"
dnat_only=
# Convert 1.3 Rule formats to 1.2 format # Convert 1.3 Rule formats to 1.2 format
[ "x$address" = "x-" ] && address=
case $target in case $target in
DNAT) DNAT)
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
DNAT-)
target=ACCEPT
address=${address:=detect}
dnat_only=Yes
logtarget=DNAT
;;
REDIRECT) REDIRECT)
target=ACCEPT target=ACCEPT
address=${address:=all} address=${address:=all}
@ -2379,7 +2418,7 @@ process_rules() # $1 = name of rules file
while read xtarget xclients xservers xprotocol xports xcports xaddress; do while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "$xtarget" in case "$xtarget" in
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*) ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
expandv xclients xservers xprotocol xports xcports xaddress expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
@ -3233,7 +3272,7 @@ initialize_netfilter () {
run_iptables -t mangle -F && \ run_iptables -t mangle -F && \
run_iptables -t mangle -X run_iptables -t mangle -X
[ -n "$TC_ENABLED" ] && delete_tc [ -n "$CLEAR_TC" ] && delete_tc
run_user_exit init run_user_exit init
@ -3267,7 +3306,7 @@ initialize_netfilter () {
run_user_exit newnotsyn run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then if [ -n "$LOGNEWNOTSYN" ]; then
if [ "$LOGNEWNOTSYN" = ULOG ]; then if [ "$LOGNEWNOTSYN" = ULOG ]; then
run_iptables -A newnotsyn -j ULOG \ run_iptables -A newnotsyn -j ULOG
--ulog-prefix "Shorewall:newnotsyn:DROP:" --ulog-prefix "Shorewall:newnotsyn:DROP:"
else else
run_iptables -A newnotsyn -j LOG \ run_iptables -A newnotsyn -j LOG \
@ -3352,7 +3391,7 @@ add_common_rules() {
if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then
echo "ULOG --ulog-prefix Shorewall:${1}:DROP:" echo "ULOG --ulog-prefix Shorewall:${1}:DROP:"
else else
echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level info" echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
fi fi
} }
# #
@ -4432,6 +4471,10 @@ do_initialize() {
TCP_FLAGS_LOG_LEVEL= TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL= RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN= MARK_IN_FORWARD_CHAIN=
SHARED_DIR=/usr/lib/shorewall
FUNCTIONS=
VERSION_FILE=
stopping= stopping=
have_mutex= have_mutex=
masq_seq=1 masq_seq=1
@ -4445,31 +4488,35 @@ do_initialize() {
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
functions=/usr/lib/shorewall/functions if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
config=$SHOREWALL_DIR/shorewall.conf
if [ -f $functions ]; then
. $functions
else else
startup_error "$functions does not exist!" config=/etc/shorewall/shorewall.conf
fi fi
version_file=/usr/lib/shorewall/version if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2
fi
[ -f $version_file ] && version=`cat $version_file` FUNCTIONS=$SHARED_DIR/functions
#
# Strip the files that we use often
#
strip_file interfaces
strip_file hosts
run_user_exit shorewall.conf if [ -f $FUNCTIONS ]; then
run_user_exit params . $FUNCTIONS
else
startup_error "$FUNCTIONS does not exist!"
fi
VERSION_FILE=$SHARED_DIR/version
[ -f $VERSION_FILE ] && version=`cat $VERSION_FILE`
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
[ -d $STATEDIR ] || mkdir -p $STATEDIR [ -d $STATEDIR ] || mkdir -p $STATEDIR
[ -z "$FW" ] && FW=fw [ -z "$FW" ] && FW=fw
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
@ -4544,7 +4591,20 @@ do_initialize() {
[ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN` MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN`
[ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre
if [ -n "$TC_ENABLED" ]; then
CLEAR_TC=`added_param_value_yes CLEAR_TC $CLEAR_TC`
else
CLEAR_TC=
fi
run_user_exit params
#
# Strip the files that we use often
#
strip_file interfaces
strip_file hosts
} }
# #

View File

@ -24,6 +24,10 @@
# DNAT -- Forward the request to another # DNAT -- Forward the request to another
# system (and optionally another # system (and optionally another
# port). # port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# #

View File

@ -9,6 +9,13 @@
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
############################################################################## ##############################################################################
# #
# You should not have to change the variables in this section -- they are set
# by the packager of your Shorewall distribution
#
SHARED_DIR=/usr/lib/shorewall
#
##############################################################################
#
# General note about log levels. Log levels are a method of describing # General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters # to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value. # in this file have log levels as their value.
@ -51,7 +58,6 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# #
FW=fw FW=fw
# #
# SUBSYSTEM LOCK FILE # SUBSYSTEM LOCK FILE
# #

View File

@ -569,51 +569,65 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
functions=/usr/lib/shorewall/functions PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHARED_DIR=/usr/lib/shorewall
MUTEX_TIMEOUT=
if [ -f $functions ]; then if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
. $functions config=$SHOREWALL_DIR/shorewall.conf
else else
echo "$functions does not exist!" >&2 config=/etc/shorewall/shorewall.conf
fi
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2 exit 2
fi fi
firewall=/usr/lib/shorewall/firewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $firewall ]; then FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version
if [ -f $FUNCTIONS ]; then
. $FUNCTIONS
else
echo "$FUNCTIONS does not exist!" >&2
exit 2
fi
if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
if [ -L $firewall ]; then if [ -L $FIREWALL ]; then
echo " $firewall is a symbolic link to a" echo " $FIREWALL is a symbolic link to a"
echo " non-existant file" echo " non-existant file"
else else
echo " The file /usr/lib/shorewall/firewall does not exist" echo " The file $FIREWALL does not exist"
fi fi
exit 2 exit 2
fi fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin if [ -f $VERSION_FILE ]; then
version=`cat $VERSION_FILE`
version_file=/usr/lib/shorewall/version
if [ -f $version_file ]; then
version=`cat $version_file`
else else
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
echo " The file /usr/lib/shorewall/version does not exist" echo " The file $VERSION_FILE does not exist"
exit 1 exit 1
fi fi
banner="Shorewall-$version Status at $HOSTNAME -" banner="Shorewall-$version Status at $HOSTNAME -"
get_statedir
case `echo -e` in case `echo -e` in
-e*) -e*)
RING_BELL="echo \'\a\'" RING_BELL="echo \a"
;; ;;
*) *)
RING_BELL="echo -e \'\a\'" RING_BELL="echo -e \a"
;; ;;
esac esac
@ -629,11 +643,11 @@ esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
exec $firewall $debugging $nolock $1 exec $FIREWALL $debugging $nolock $1
;; ;;
add|delete) add|delete)
[ $# -ne 3 ] && usage 1 [ $# -ne 3 ] && usage 1
exec $firewall $debugging $nolock $1 $2 $3 exec $FIREWALL $debugging $nolock $1 $2 $3
;; ;;
show) show)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1

View File

@ -1 +1 @@
1.3.12 1.3.13

View File

@ -1,43 +1,10 @@
Changes since 1.3.11 Changes since 1.3.12
1. Fixed DNAT/REDIRECT bug with excluded sub-zones. 1. Added 'DNAT-' target.
2. "shorewall refresh" now refreshes the traffic shaping rules 2. Print policies in 'check' command.
3. Turned off debugging after error. 3. Added CLEAR_TC option.
4. Removed drop of INVALID state output ICMP packets. 4. Added SHARED_DIR option.
5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
6. Replaced 'wc' invocation in list_count() by shell code (speedup)
7. Replaced 'sed' invocation in run_iptables() by shell code and
optomized (speedup)
8. Only read the interfaces file once (speedup)
9. Only read the policy file once (speedup)
10. Removed redundant function input_chains() (duplicate of first_chains())
11. Generated an error if 'lo' is defined in the interfaces file.
12. Clarified error message where ORIGINAL DEST is specified on an
ACCEPT, DROP or REJECT rule.
13. Added "shorewall show classifiers" command and added packet
classification filter display to "shorewall monitor"
14. Added an error message when the destination in a rule contained a
MAC address.
15. Added ULOG target support.
16. Add MARK_IN_FORWARD option.
17. General Cleanup for Release
18. Release changes and add init, start, stop and stopped files.
19. Add headings to NAT and Mangle tables in "shorewall status" output

File diff suppressed because it is too large Load Diff

View File

@ -1,28 +1,31 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>The Documentation Index</title>
</head>
<body> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>The Documentation Index</title>
</head>
<body>
<h1 align="center">The Shorewall Documentation Index</h1> <h1 align="center">The Shorewall Documentation Index</h1>
<h1 align="center">has Moved
<a href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
<p><font size="2"> <h1 align="center">has Moved <a
Last updated 8/9/2002 href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
-
<a href="support.htm">Tom Eastep</a></font> <p><font size="2"> Last updated 8/9/2002 -
</p> <a href="support.htm">Tom Eastep</a></font> </p>
<p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p> <a href="copyright.htm"><font size="2">Copyright</font> © <font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
</body> </body>
</html> </html>

View File

@ -30,6 +30,7 @@
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1> <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td> </td>
</tr> </tr>
@ -51,21 +52,22 @@
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
in my local network. <b>External clients can browse</b> http://www.mydomain.com in my local network. <b>External clients can browse</b> http://www.mydomain.com
but <b>internal clients can't</b>.</a></p> but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses
to hosts in Z. Hosts in Z cannot communicate with each other using to hosts in Z. Hosts in Z cannot communicate with each other
their external (non-RFC1918 addresses) so they <b>can't access using their external (non-RFC1918 addresses) so they <b>can't
each other using their DNS names.</b></a></p> access each other using their DNS names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting/MSN <p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b>
Messenger </b>with Shorewall. What do I do?</a></p> or <b>MSN Instant Messenger </b>with Shorewall. What do I
do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner <p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner
to check my firewall and it shows <b>some ports as 'closed' to check my firewall and it shows <b>some ports as 'closed'
rather than 'blocked'.</b> Why?</a></p> rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> <p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p> of my firewall and it showed 100s of ports as open!!!!</a></p>
@ -76,16 +78,25 @@ rather than 'blocked'.</b> Why?</a></p>
<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b> <p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b>
written and how do I <b>change the destination</b>?</a></p> written and how do I <b>change the destination</b>?</a></p>
<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b> <p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
that work with Shorewall?</a></p> that work with Shorewall?</a></p>
<p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect
requests. Can i exclude these error messages for this port temporarily from
logging in Shorewall?</a><br>
</p>
<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>. 
They get dropped, but what the heck are they?</a><br>
</p>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using <p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
'shorewall stop', I can't connect to anything</b>. Why doesn't that command 'shorewall stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p> work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
on RedHat</b> I get messages about insmod failing -- what's on RedHat</b> I get messages about insmod failing -- what's
wrong?</a></p> wrong?</a></p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
my interfaces </b>properly?</a></p> my interfaces </b>properly?</a></p>
@ -94,7 +105,7 @@ wrong?</a></p>
it work with?</a></p> it work with?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it <p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p> support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p> <p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
@ -102,13 +113,13 @@ wrong?</a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to configure/monitor and it has an internel web server that allows me to configure/monitor
it but as expected if I enable <b> rfc1918 blocking</b> for my it but as expected if I enable <b> rfc1918 blocking</b> for
eth0 interface, it also blocks the <b>cable modems web server</b></a>.</p> my eth0 interface, it also blocks the <b>cable modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. IP addresses, my ISP's DHCP server has an RFC 1918 address.
If I enable RFC 1918 filtering on my external interface, <b>my If I enable RFC 1918 filtering on my external interface, <b>my
DHCP client cannot renew its lease</b>.</a></p> DHCP client cannot renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
out to the net</b></a></p> out to the net</b></a></p>
@ -116,29 +127,37 @@ DHCP client cannot renew its lease</b>.</a></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages <p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!<br> all over my console</b> making it unusable!<br>
</a></p> </a></p>
<b>17</b>. <a href="#faq17">How do I find <b>17</b>. <a href="#faq17">How do
out <b>why this traffic is</b> getting <b>logged?</b></a><br> I find out <b>why this traffic is</b> getting <b>logged?</b></a><br>
<br> <br>
<b>18.</b> <a href="#faq18">Is there any way to use <b>aliased <b>18.</b> <a href="#faq18">Is there any way to use
ip addresses</b> with Shorewall, and maintain separate rulesets for <b>aliased ip addresses</b> with Shorewall, and maintain separate
different IPs?</a><br> rulesets for different IPs?</a><br>
<br> <br>
<b>19. </b><a href="#faq19">I have added <b>entries to /etc/shorewall/tcrules</b> <b>19. </b><a href="#faq19">I have added <b>entries to
but they <b>don't </b>seem to <b>do anything</b>. Why?</a><br> /etc/shorewall/tcrules</b> but they <b>don't </b>seem to <b>do anything</b>.
Why?</a><br>
<br> <br>
<b>20. </b><a href="#faq20">I have just set up a server. <b>Do <b>20. </b><a href="#faq20">I have just set up a server.
I have to change Shorewall to allow access to my server from the internet?<br> <b>Do I have to change Shorewall to allow access to my server from
the internet?<br>
<br> <br>
</b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries </b></a><b>21. </b><a href="#faq21">I see these <b>strange log entries
</b>occasionally; what are they?<br> </b>occasionally; what are they?<br>
</a><br> </a><br>
<b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that I <b>22. </b><a href="#faq22">I have some <b>iptables commands </b>that
want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br> I want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
<br>
<b>23. </b><a href="#faq23">Why do you use such <b>ugly fonts</b> on
your <b>web site</b>?</a><br>
<br>
<b>24: </b><a href="#faq24">How can I <b>allow conections</b> to let's
say the ssh port only<b> from specific IP Addresses</b> on the internet?</a><br>
<hr> <hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to <h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to
my my personal PC with IP address 192.168.1.5. I've looked everywhere my my personal PC with IP address 192.168.1.5. I've looked
and can't find how to do it.</h4> everywhere and can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a <p align="left"><b>Answer: </b>The <a
href="Documentation.htm#PortForward"> first example</a> in the <a href="Documentation.htm#PortForward"> first example</a> in the <a
@ -258,11 +277,13 @@ want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p> <p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<ul> <ul>
<li>You are trying to test from inside your firewall <li>You are trying to test from inside
(no, that won't work -- see <a href="#faq2">FAQ #2</a>).</li> your firewall (no, that won't work -- see <a href="#faq2">FAQ
<li>You have a more basic problem with your local #2</a>).</li>
system such as an incorrect default gateway configured (it should <li>You have a more basic problem with
be set to the IP address of your firewall's internal interface).</li> your local system such as an incorrect default gateway configured
(it should be set to the IP address of your firewall's internal
interface).</li>
</ul> </ul>
@ -271,33 +292,36 @@ want to <b>run when Shorewall starts.</b> Which file do I put them in?</a><br>
<b>Answer: </b>To further diagnose this problem:<br> <b>Answer: </b>To further diagnose this problem:<br>
<ul> <ul>
<li>As root, type "iptables -t nat -Z". This clears the <li>As root, type "iptables -t nat -Z". This clears
NetFilter counters in the nat table.</li> the NetFilter counters in the nat table.</li>
<li>Try to connect to the redirected port from an external <li>Try to connect to the redirected port from an
host.</li> external host.</li>
<li>As root type "shorewall show nat"</li> <li>As root type "shorewall show nat"</li>
<li>Locate the appropriate DNAT rule. It will be in a chain <li>Locate the appropriate DNAT rule. It will be
called <i>zone</i>_dnat where <i>zone</i> is the zone that includes in a chain called <i>zone</i>_dnat where <i>zone</i> is the
the  ('net' in the above examples).</li> zone that includes the ('net' in the above examples).</li>
<li>Is the packet count in the first column non-zero? If <li>Is the packet count in the first column non-zero?
so, the connection request is reaching the firewall and is being redirected If so, the connection request is reaching the firewall and is being
to the server. In this case, the problem is usually a missing or incorrect redirected to the server. In this case, the problem is usually
default gateway setting on the server (the server's default gateway a missing or incorrect default gateway setting on the server (the
should be the IP address of the firewall's interface to the server).</li> server's default gateway should be the IP address of the firewall's
interface to the server).</li>
<li>If the packet count is zero:</li> <li>If the packet count is zero:</li>
<ul> <ul>
<li>the connection request is not reaching your server <li>the connection request is not reaching your
(possibly it is being blocked by your ISP); or</li> server (possibly it is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary IP address <li>you are trying to connect to a secondary IP
on your firewall and your rule is only redirecting the primary IP address address on your firewall and your rule is only redirecting the primary
(You need to specify the secondary IP address in the "ORIG. DEST." column IP address (You need to specify the secondary IP address in the "ORIG.
in your DNAT rule); or</li> DEST." column in your DNAT rule); or</li>
<li>your DNAT rule doesn't match the connection request <li>your DNAT rule doesn't match the connection
in some other way. In that case, you may have to use a packet sniffer request in some other way. In that case, you may have to use a packet
such as tcpdump or ethereal to further diagnose the problem.<br> sniffer such as tcpdump or ethereal to further diagnose the problem.<br>
</li> </li>
</ul> </ul>
</ul> </ul>
@ -310,27 +334,28 @@ should be the IP address of the firewall's interface to the server).</li>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p> <p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul> <ul>
<li>Having an internet-accessible server in your <li>Having an internet-accessible server
local network is like raising foxes in the corner of your hen in your local network is like raising foxes in the corner
house. If the server is compromised, there's nothing between that of your hen house. If the server is compromised, there's nothing
server and your other internal systems. For the cost of another between that server and your other internal systems. For the
NIC and a cross-over cable, you can put your server in a DMZ cost of another NIC and a cross-over cable, you can put your
such that it is isolated from your local systems - assuming that server in a DMZ such that it is isolated from your local systems -
the Server can be located near the Firewall, of course :-)</li> assuming that the Server can be located near the Firewall, of course
<li>The accessibility problem is best solved using :-)</li>
<a href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> <li>The accessibility problem is best solved
(or using a separate DNS server for local clients) such that www.mydomain.com using <a href="shorewall_setup_guide.htm#DNS">Bind Version
resolves to 130.141.100.69 externally and 192.168.1.5 internally. 9 "views"</a> (or using a separate DNS server for local clients) such
That's what I do here at shorewall.net for my local systems that use that www.mydomain.com resolves to 130.141.100.69 externally and
static NAT.</li> 192.168.1.5 internally. That's what I do here at shorewall.net for
my local systems that use static NAT.</li>
</ul> </ul>
<p align="left">If you insist on an IP solution to the accessibility problem <p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external rather than a DNS solution, then assuming that your external
interface is eth0 and your internal interface is eth1 and that interface is eth0 and your internal interface is eth1 and that
eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do
the following:</p> the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option <p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option
for eth1 (No longer required as of Shorewall version 1.3.9).</p> for eth1 (No longer required as of Shorewall version 1.3.9).</p>
@ -423,14 +448,14 @@ the following:</p>
<div align="left"> <div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE <p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time that you client to automatically restart Shorewall each time that you
get a new IP address.</p> get a new IP address.</p>
</div> </div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918
subnet and I use static NAT to assign non-RFC1918 addresses to subnet and I use static NAT to assign non-RFC1918 addresses
hosts in Z. Hosts in Z cannot communicate with each other using to hosts in Z. Hosts in Z cannot communicate with each other using
their external (non-RFC1918 addresses) so they can't access each their external (non-RFC1918 addresses) so they can't access each
other using their DNS names.</h4> other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved <p align="left"><b>Answer: </b>This is another problem that is best solved
using Bind Version 9 "views". It allows both external and internal using Bind Version 9 "views". It allows both external and internal
@ -438,11 +463,11 @@ other using their DNS names.</h4>
<p align="left">Another good way to approach this problem is to switch from <p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918
addresses and can be accessed externally and internally using the addresses and can be accessed externally and internally using
same address. </p> the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all <p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
Z-&gt;Z traffic through your firewall then:</p> traffic through your firewall then:</p>
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces <p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
(If you are running a Shorewall version earlier than 1.3.9).<br> (If you are running a Shorewall version earlier than 1.3.9).<br>
@ -540,29 +565,32 @@ Z-&gt;Z traffic through your firewall then:</p>
</table> </table>
</blockquote> </blockquote>
<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting/MSN Messenger <h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting or MSN Instant
with Shorewall. What do I do?</h4> Messenger with Shorewall. What do I do?</h4>
<p align="left"><b>Answer: </b>There is an <a <p align="left"><b>Answer: </b>There is an <a
href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection
tracking/NAT module</a> that may help. Also check the Netfilter tracking/NAT module</a> that may help with Netmeeting. Look
mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. <a href="http://linux-igd.sourceforge.net">here</a> for a solution for MSN
IM but be aware that there are significant security risks involved with this
solution. Also check the Netfilter mailing list archives at <a
href="http://www.netfilter.org">http://www.netfilter.org</a>.
</p> </p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner <h4 align="left"><a name="faq4"></a>4. I just used an online port scanner
to check my firewall and it shows some ports as 'closed' rather to check my firewall and it shows some ports as 'closed'
than 'blocked'. Why?</h4> rather than 'blocked'. Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x <p align="left"><b>Answer: </b>The common.def included with version 1.3.x
always rejects connection requests on TCP port 113 rather always rejects connection requests on TCP port 113 rather
than dropping them. This is necessary to prevent outgoing connection than dropping them. This is necessary to prevent outgoing
problems to services that use the 'Auth' mechanism for identifying connection problems to services that use the 'Auth' mechanism
requesting users. Shorewall also rejects TCP ports 135, 137 and for identifying requesting users. Shorewall also rejects TCP
139 as well as UDP ports 137-139. These are ports that are used ports 135, 137 and 139 as well as UDP ports 137-139. These are ports
by Windows (Windows <u>can</u> be configured to use the DCE cell locator that are used by Windows (Windows <u>can</u> be configured to use
on port 135). Rejecting these connection requests rather than dropping the DCE cell locator on port 135). Rejecting these connection requests
them cuts down slightly on the amount of Windows chatter on LAN segments rather than dropping them cuts down slightly on the amount of Windows
connected to the Firewall. </p> chatter on LAN segments connected to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably <p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server in violation your ISP preventing you from running a web server in violation
@ -573,10 +601,10 @@ by Windows (Windows <u>can</u> be configured to use the DCE cell locator
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page <p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page
section about UDP scans. If nmap gets <b>nothing</b> back section about UDP scans. If nmap gets <b>nothing</b> back
from your firewall then it reports the port as open. If you from your firewall then it reports the port as open. If you
want to see which UDP ports are really open, temporarily change want to see which UDP ports are really open, temporarily change
your net-&gt;all policy to REJECT, restart Shorewall and do the your net-&gt;all policy to REJECT, restart Shorewall and do the
nmap UDP scan again.</p> nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I <h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I
can't ping through the firewall</h4> can't ping through the firewall</h4>
@ -587,7 +615,7 @@ nmap UDP scan again.</p>
<p align="left">a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.<br> <p align="left">a) Do NOT specify 'noping' on any interface in /etc/shorewall/interfaces.<br>
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br> b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
c) Add the following to /etc/shorewall/icmpdef: c) Add the following to /etc/shorewall/icmpdef:
</p> </p>
<blockquote> <blockquote>
@ -601,12 +629,12 @@ nmap UDP scan again.</p>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written <h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and how do I change the destination?</h4> and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of <p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
facility (see "man openlog") and you get to choose the log level (again, (see "man openlog") and you get to choose the log level (again, see "man
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a> syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart syslogd When you have changed /etc/syslog.conf, be sure to restart syslogd
(on a RedHat system, "service syslog restart"). </p> (on a RedHat system, "service syslog restart"). </p>
@ -616,7 +644,7 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
<div align="left"> <div align="left">
<pre align="left"> LOGLIMIT=""<br> LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a <pre align="left"> LOGLIMIT=""<br> LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
href="configuration_file_basics.htm#Levels">set up Shorewall to log all of its messages to a separate file</a>.<br></pre> href="shorewall_logging.html">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
</div> </div>
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work <h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
@ -636,19 +664,45 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
http://www.logwatch.org</a><br> http://www.logwatch.org</a><br>
</p> </p>
</blockquote> </blockquote>
I personnaly use Logwatch. It emails me a report each day from my various I personnaly use Logwatch. It emails me a report each day from
systems with each report summarizing the logged activity on the corresponding my various systems with each report summarizing the logged activity on
system.  the corresponding system.
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
are <b>flooding the logs</b> with their connect requests. Can i exclude these
error messages for this port temporarily from logging in Shorewall?</h4>
Temporarily add the following rule:<br>
<pre> DROP    net    fw    udp    10619</pre>
<h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow
of these DROP messages from port 53 to some high numbered port.  They get
dropped, but what the heck are they?</h4>
<pre>Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br> SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br> TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
<b>Answer: </b>There are two possibilities:<br>
<ol>
<li>They are late-arriving replies to DNS queries.</li>
<li>They are corrupted reply packets.</li>
</ol>
You can distinguish the difference by setting the <b>logunclean</b> option
(<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>) on
your external interface (eth0 in the above example). If they get logged twice,
they are corrupted. I solve this problem by using an /etc/shorewall/common
file like this:<br>
<blockquote>
<pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
</blockquote>
The above file is also include in all of my sample configurations available
in the <a href="shorewall_quickstart_guide.htm">Quick Start Guides</a>.<br>
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall <h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that command work?</h4> stop', I can't connect to anything. Why doesn't that command
work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into <p align="left">The 'stop' command is intended to place your firewall into
a safe state whereby only those hosts listed in /etc/shorewall/routestopped' a safe state whereby only those hosts listed in /etc/shorewall/routestopped'
are activated. If you want to totally open up your firewall, you are activated. If you want to totally open up your firewall,
must use the 'shorewall clear' command. </p> you must use the 'shorewall clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat, <h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat,
I get messages about insmod failing -- what's wrong?</h4> I get messages about insmod failing -- what's wrong?</h4>
<p align="left"><b>Answer: </b>The output you will see looks something like <p align="left"><b>Answer: </b>The output you will see looks something like
this:</p> this:</p>
@ -685,9 +739,9 @@ I get messages about insmod failing -- what's wrong?</h4>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The <p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
Net zone is defined as all hosts that are connected through eth0 and the zone is defined as all hosts that are connected through eth0 and the local
local zone is defined as all hosts connected through eth1</p> zone is defined as all hosts connected through eth1</p>
</div> </div>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work <h4 align="left"><a name="faq10"></a>10. What Distributions does it work
@ -703,31 +757,32 @@ local zone is defined as all hosts connected through eth1</p>
<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4> <h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I <p align="left"><b>Answer: </b>Every time I've started to work on one, I find
find myself doing other things. I guess I just don't care enough if myself doing other things. I guess I just don't care enough if Shorewall
Shorewall has a GUI to invest the effort to create one myself. There has a GUI to invest the effort to create one myself. There are several
are several Shorewall GUI projects underway however and I will publish Shorewall GUI projects underway however and I will publish links to
links to them when the authors feel that they are ready. </p> them when the authors feel that they are ready. </p>
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4> <h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line" <p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line"
(<a href="http://www.cityofshoreline.com">the city where (<a href="http://www.cityofshoreline.com">the city where
I live</a>) and "Fire<u>wall</u>". The full name of the product I live</a>) and "Fire<u>wall</u>". The full name of the product
is actually "Shoreline Firewall" but "Shorewall" is must more commonly used.</p> is actually "Shoreline Firewall" but "Shorewall" is must more commonly
used.</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem <h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me to configure/monitor and it has an internal web server that allows me to configure/monitor
it but as expected if I enable rfc1918 blocking for my eth0 interface it but as expected if I enable rfc1918 blocking for my eth0
(the internet one), it also blocks the cable modems web server.</h4> interface (the internet one), it also blocks the cable modems
web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking <p align="left">Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1 address that will let all traffic to and from the 192.168.100.1 address
of the modem in/out but still block all other rfc1918 addresses?</p> of the modem in/out but still block all other rfc1918 addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall <p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
earlier than 1.3.1, create /etc/shorewall/start and in it, place the than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
following:</p>
<div align="left"> <div align="left">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre> <pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
@ -766,10 +821,10 @@ following:</p>
</p> </p>
<p align="left">Note: If you add a second IP address to your external firewall <p align="left">Note: If you add a second IP address to your external firewall
interface to correspond to the modem address, you must also make interface to correspond to the modem address, you must also
an entry in /etc/shorewall/rfc1918 for that address. For example, make an entry in /etc/shorewall/rfc1918 for that address. For example,
if you configure the address 192.168.100.2 on your firewall, then if you configure the address 192.168.100.2 on your firewall, then
you would add two entries to /etc/shorewall/rfc1918: <br> you would add two entries to /etc/shorewall/rfc1918: <br>
</p> </p>
<blockquote> <blockquote>
@ -796,6 +851,7 @@ you would add two entries to /etc/shorewall/rfc1918: <br>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -803,10 +859,10 @@ you would add two entries to /etc/shorewall/rfc1918: <br>
</div> </div>
<div align="left"> <div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public <h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
RFC 1918 filtering on my external interface, my DHCP client cannot renew 1918 filtering on my external interface, my DHCP client cannot renew its
its lease.</h4> lease.</h4>
</div> </div>
<div align="left"> <div align="left">
@ -818,9 +874,9 @@ its lease.</h4>
the net</h4> the net</h4>
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to <p align="left"><b>Answer: </b>Every time I read "systems can't see out to
the net", I wonder where the poster bought computers with eyes the net", I wonder where the poster bought computers with
and what those computers will "see" when things are working properly. eyes and what those computers will "see" when things are working
That aside, the most common causes of this problem are:</p> properly. That aside, the most common causes of this problem are:</p>
<ol> <ol>
<li> <li>
@ -839,8 +895,8 @@ its lease.</h4>
<p align="left">The DNS settings on the local systems are wrong or the <p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled user is running a DNS server on the firewall and hasn't
UDP and TCP port 53 from the firewall to the internet.</p> enabled UDP and TCP port 53 from the firewall to the internet.</p>
</li> </li>
</ol> </ol>
@ -851,59 +907,60 @@ its lease.</h4>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command <p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start. to your startup scripts or place it in /etc/shorewall/start.
Under RedHat, the max log level that is sent to the console Under RedHat, the max log level that is sent to the console
is specified in /etc/sysconfig/init in the LOGLEVEL variable.<br> is specified in /etc/sysconfig/init in the LOGLEVEL variable.<br>
</p> </p>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting <h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4> logged?</h4>
<b>Answer: </b>Logging occurs out of a number of chains <b>Answer: </b>Logging occurs out of a number
(as indicated in the log message) in Shorewall:<br> of chains (as indicated in the log message) in Shorewall:<br>
<ol> <ol>
<li><b>man1918 - </b>The destination address is listed <li><b>man1918 - </b>The destination address
in /etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a is listed in /etc/shorewall/rfc1918 with a <b>logdrop </b>target
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li> -- see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The source address is listed in <li><b>rfc1918</b> - The source address is listed
/etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see <a in /etc/shorewall/rfc1918 with a <b>logdrop </b>target -- see
href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li> <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b>
or <b>all2all </b>- You have a<a or <b>all2all </b>- You have a<a
href="Documentation.htm#Policy"> policy</a> that specifies a log level href="Documentation.htm#Policy"> policy</a> that specifies a log level
and this packet is being logged under that policy. If you intend to and this packet is being logged under that policy. If you intend
ACCEPT this traffic then you need a <a href="Documentation.htm#Rules">rule</a> to ACCEPT this traffic then you need a <a
to that effect.<br> href="Documentation.htm#Rules">rule</a> to that effect.<br>
</li> </li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either you <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- Either
have a<a href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt; you have a<a href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
</b>to <b>&lt;zone2&gt;</b> that specifies a log level and this </b>to <b>&lt;zone2&gt;</b> that specifies a log level and
packet is being logged under that policy or this packet matches a this packet is being logged under that policy or this packet
<a href="Documentation.htm#Rules">rule</a> that includes a log level.</li> matches a <a href="Documentation.htm#Rules">rule</a> that includes
<li><b>&lt;interface&gt;_mac</b> - The packet is being logged a log level.</li>
under the <b>maclist</b> <a <li><b>&lt;interface&gt;_mac</b> - The packet is being
logged under the <b>maclist</b> <a
href="Documentation.htm#Interfaces">interface option</a>.<br> href="Documentation.htm#Interfaces">interface option</a>.<br>
</li> </li>
<li><b>logpkt</b> - The packet is being logged under <li><b>logpkt</b> - The packet is being logged
the <b>logunclean</b> <a under the <b>logunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a>.</li> href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is being logged under <li><b>badpkt </b>- The packet is being logged
the <b>dropunclean</b> <a under the <b>dropunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a> as specified href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li> <li><b>blacklst</b> - The packet is being logged
<li><b>blacklst</b> - The packet is being logged because because the source IP is blacklisted in the<a
the source IP is blacklisted in the<a
href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist </a>file.</li> href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist </a>file.</li>
<li><b>newnotsyn </b>- The packet is being logged because <li><b>newnotsyn </b>- The packet is being logged
it is a TCP packet that is not part of any current connection yet because it is a TCP packet that is not part of any current connection
it is not a syn packet. Options affecting the logging of such packets yet it is not a syn packet. Options affecting the logging of such
include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN </b>in packets include <b>NEWNOTSYN </b>and <b>LOGNEWNOTSYN
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li> </b>in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> - The packet has <li><b>INPUT</b> or <b>FORWARD</b> - The packet
a source IP address that isn't in any of your defined zones ("shorewall has a source IP address that isn't in any of your defined zones
check" and look at the printed zone definitions) or the chain is FORWARD ("shorewall check" and look at the printed zone definitions) or
and the destination IP isn't in any of your defined zones.</li> the chain is FORWARD and the destination IP isn't in any of your defined
<li><b>logflags </b>- The packet is being logged because it failed zones.</li>
the checks implemented by the <b>tcpflags </b><a <li><b>logflags </b>- The packet is being logged because
it failed the checks implemented by the <b>tcpflags </b><a
href="Documentation.htm#Interfaces">interface option</a>.<br> href="Documentation.htm#Interfaces">interface option</a>.<br>
</li> </li>
@ -911,11 +968,11 @@ a source IP address that isn't in any of your defined zones ("shorewall
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different IPs?</h4> with Shorewall, and maintain separate rulesets for different IPs?</h4>
<b>Answer: </b>Yes. You simply use the IP address in your <b>Answer: </b>Yes. You simply use the IP address
rules (or if you use NAT, use the local IP address in your rules). in your rules (or if you use NAT, use the local IP address in your
<b>Note:</b> The ":n" notation (e.g., eth0:0) is deprecated and will rules). <b>Note:</b> The ":n" notation (e.g., eth0:0) is deprecated
disappear eventually. Neither iproute (ip and tc) nor iptables supports and will disappear eventually. Neither iproute (ip and tc) nor iptables
that notation so neither does Shorewall. <br> supports that notation so neither does Shorewall. <br>
<br> <br>
<b>Example 1:</b><br> <b>Example 1:</b><br>
<br> <br>
@ -923,7 +980,8 @@ that notation so neither does Shorewall. <br>
<pre wrap=""><span class="moz-txt-citetags"></span> # Accept AUTH but only on address 192.0.2.125<br><span <pre wrap=""><span class="moz-txt-citetags"></span> # Accept AUTH but only on address 192.0.2.125<br><span
class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span> ACCEPT net fw:192.0.2.125 tcp auth<br><span class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span> ACCEPT net fw:192.0.2.125 tcp auth<br><span
class="moz-txt-citetags"></span></pre> class="moz-txt-citetags"></span></pre>
<span class="moz-txt-citetags"></span><b>Example 2 (NAT):</b><br> <span class="moz-txt-citetags"></span><b>Example 2
(NAT):</b><br>
<br> <br>
<span class="moz-txt-citetags"></span>/etc/shorewall/nat<br> <span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
@ -945,9 +1003,10 @@ that notation so neither does Shorewall. <br>
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from the internet?</b><br> to change Shorewall to allow access to my server from the internet?</b><br>
</h4> </h4>
Yes. Consult the <a href="shorewall_quickstart_guide.htm">QuickStart Yes. Consult the <a
guide</a> that you used during your initial setup for information about href="shorewall_quickstart_guide.htm">QuickStart guide</a> that
how to set up rules for your server.<br> you used during your initial setup for information about how to set
up rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally; <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br> what are they?<br>
@ -956,64 +1015,76 @@ that notation so neither does Shorewall. <br>
<blockquote> <blockquote>
<pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre> <pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br> SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br> [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
</blockquote> </blockquote>
192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal 192.0.2.3 is external on my firewall... 172.16.0.0/24 is
LAN<br> my internal LAN<br>
<br> <br>
<b>Answer: </b>While most people associate the Internet Control <b>Answer: </b>While most people associate the Internet Control
Message Protocol (ICMP) with 'ping', ICMP is a key piece of  the internet. Message Protocol (ICMP) with 'ping', ICMP is a key piece of the internet.
ICMP is used to report problems back to the sender of a packet; this is ICMP is used to report problems back to the sender of a packet; this
what is happening here. Unfortunately, where NAT is involved (including is what is happening here. Unfortunately, where NAT is involved (including
SNAT, DNAT and Masquerade), there are a lot of broken implementations. SNAT, DNAT and Masquerade), there are a lot of broken implementations.
That is what you are seeing with these messages.<br> That is what you are seeing with these messages.<br>
<br> <br>
Here is my interpretation of what is happening -- to confirm this Here is my interpretation of what is happening -- to confirm
analysis, one would have to have packet sniffers placed a both ends of this analysis, one would have to have packet sniffers placed a both
the connection.<br> ends of the connection.<br>
<br> <br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a
query to 192.0.2.3 and your DNS server tried to send a response (the UDP DNS query to 192.0.2.3 and your DNS server tried to send a response
response information is in the brackets -- note source port 53 which marks (the response information is in the brackets -- note source port 53 which
this as a DNS reply). When the response was returned to to 206.124.146.179, marks this as a DNS reply). When the response was returned to to 206.124.146.179,
it rewrote the destination IP TO 172.16.1.10 and forwarded the packet to it rewrote the destination IP TO 172.16.1.10 and forwarded the packet
172.16.1.10 who no longer had a connection on UDP port 2857. This causes to 172.16.1.10 who no longer had a connection on UDP port 2857. This causes
a port unreachable (type 3, code 3) to be generated back to 192.0.2.3. a port unreachable (type 3, code 3) to be generated back to 192.0.2.3.
As this packet is sent back through 206.124.146.179, that box correctly As this packet is sent back through 206.124.146.179, that box correctly
changes the source address in the packet to 206.124.146.179 but doesn't changes the source address in the packet to 206.124.146.179 but doesn't
reset the DST IP in the original DNS response similarly. When the ICMP reset the DST IP in the original DNS response similarly. When the ICMP
reaches your firewall (192.0.2.3), your firewall has no record of having reaches your firewall (192.0.2.3), your firewall has no record of having
sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related
to anything that was sent. The final result is that the packet gets logged to anything that was sent. The final result is that the packet gets logged
and dropped in the all2all chain. I have also seen cases where the source and dropped in the all2all chain. I have also seen cases where the source
IP in the ICMP itself isn't set back to the external IP of the remote NAT IP in the ICMP itself isn't set back to the external IP of the remote NAT
gateway; that causes your firewall to log and drop the packet out of the gateway; that causes your firewall to log and drop the packet out of the
rfc1918 chain because the source IP is reserved by RFC 1918.<br> rfc1918 chain because the source IP is reserved by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do I put them in?</h4> I want to <b>run when Shorewall starts.</b> Which file do I put them
in?</h4>
You can place these commands in one of the <a You can place these commands in one of the <a
href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
sure that you look at the contents of the chain(s) that you will be modifying Be sure that you look at the contents of the chain(s) that you will be modifying
with your commands to be sure that the commands will do what they are intended. with your commands to be sure that the commands will do what they are
Many iptables commands published in HOWTOs and other instructional material intended. Many iptables commands published in HOWTOs and other instructional
use the -A command which adds the rules to the end of the chain. Most chains material use the -A command which adds the rules to the end of the chain.
that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT Most chains that Shorewall constructs end with an unconditional DROP,
rule and any rules that you add after that will be ignored. Check "man iptables" ACCEPT or REJECT rule and any rules that you add after that will be ignored.
and look at the -I (--insert) command.<br> Check "man iptables" and look at the -I (--insert) command.<br>
<br>
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4>
The Shorewall web site is almost font neutral (it doesn't explicitly
specify fonts except on a few pages) so the fonts you see are largely the
default fonts configured in your browser. If you don't like them then reconfigure
your browser.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
In the SOURCE column of the rule, follow "net" by a colon and a list of
the host/subnet addresses as a comma-separated list.<br>
<pre>    net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
Example:<br>
<pre> ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22<br></pre>
<div align="left"> </div> <div align="left"> </div>
<font size="2">Last updated 12/13/2002 - <a <font size="2">Last updated 1/8/2003 - <a
href="support.htm">Tom Eastep</a></font> href="support.htm">Tom Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -188,8 +188,8 @@ system. The systems in the two masqueraded subnetworks can now talk to each
other</p> other</p>
<p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom <p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
Eastep</a> </font></p> Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
</body> </body>

View File

@ -359,8 +359,8 @@ script will issue the command":<br>
<p><font size="2">Last updated 10/23/2002 - </font><font size="2"> <p><font size="2">Last updated 10/23/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2"> <p><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br> <br>
<br> <br>
</body> </body>

View File

@ -199,8 +199,8 @@ by traffic control/shaping.</li>
<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br> <br>
<br> <br>
</body> </body>

View File

@ -28,23 +28,26 @@
<br> <br>
Beginning with Shorewall version 1.3.10, all traffic from an interface Beginning with Shorewall version 1.3.10, all traffic from an interface
or from a subnet on an interface can be verified to originate from a defined or from a subnet on an interface can be verified to originate from a defined
set of MAC addresses. Furthermore, each MAC address may be optionally associated set of MAC addresses. Furthermore, each MAC address may be optionally
with one or more IP addresses. <br> associated with one or more IP addresses. <br>
<br> <br>
<b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br> <b>You must have the iproute package (ip utility) installed to use MAC
<br> Verification and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
There are four components to this facility.<br> - module name ipt_mac.o).</b><br>
<br>
There are four components to this facility.<br>
<ol> <ol>
<li>The <b>maclist</b> interface option in <a <li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li> to MAC verification.</li>
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. <li>The <b>maclist </b>option in <a
When this option is specified for a subnet, all traffic from that subnet href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is subject to MAC verification.</li> is specified for a subnet, all traffic from that subnet is subject to MAC
verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate <li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses with MAC addresses with interfaces and to optionally associate IP addresses with
MAC addresses.</li> MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
@ -60,12 +63,12 @@ requests that fail verification are to be logged. If set the the empty value
<ul> <ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall <li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li> system.</li>
<li>MAC - The MAC address of a device on the ethernet segment connected <li>MAC - The MAC address of a device on the ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in this by INTERFACE. It is not necessary to use the Shorewall MAC format in this
column although you may use that format if you so choose.</li> column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses for <li>IP Address - An optional comma-separated list of IP addresses
the device whose MAC is listed in the MAC column.</li> for the device whose MAC is listed in the MAC column.</li>
</ul> </ul>
@ -78,35 +81,31 @@ system.</li>
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre> <pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre>
<b>/etc/shorewall/maclist:</b><br> <b>/etc/shorewall/maclist:</b><br>
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre> <pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre>
As shown above, I use MAC Verification on <a href="myfiles.htm">my local As shown above, I use MAC Verification on <a href="myfiles.htm">my
zone</a>.<br> local zone</a>.<br>
<h3>Example 2: Router in Local Zone</h3> <h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone and Suppose now that I add a second ethernet segment to my local zone and
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
IP address 192.168.1.253. Hosts in the second segment have IP addresses in IP address 192.168.1.253. Hosts in the second segment have IP addresses
the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br> file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre> <pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.1.253) This entry accomodates traffic from the router itself (192.168.1.253)
and from the second LAN segment (192.168.2.0/24). Remember that all traffic and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) by the router so that traffic's MAC address will be that of the router
and not that of the host sending the traffic. (00:06:43:45:C6:15) and not that of the host sending the traffic.
<p><font size="2"> Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 1/7/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -1,43 +1,59 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<blockquote> <blockquote>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#FFFFFF">Static NAT</font></h1> <h1 align="center"><font color="#ffffff">Static NAT</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table> </table>
<p><font color="#FF0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static NAT. <p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
Port forwarding can be accomplished with simple entries in the ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p> <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<p>Static NAT is a way to make systems behind a
firewall and configured with private IP addresses (those <p>Static NAT is a way to make systems behind a firewall and configured
reserved for private use in RFC1918) appear to have public IP with private IP addresses (those reserved for private use in RFC1918)
addresses.</p> appear to have public IP addresses. Before you try to use this technique,
<p>The following figure represents a static NAT I strongly recommend that you read the <a
environment.</p> href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p align="center"><strong>
<img src="images/staticnat.png" width="435" height="397"></strong></p> <p>The following figure represents a static NAT environment.</p>
<blockquote>
</blockquote> <p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397">
</strong></p>
<blockquote> </blockquote>
<p align="left">Static NAT can be used to make the systems with the <p align="left">Static NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
assume that the interface to the upper subnet is eth0, then the following we assume that the interface to the upper subnet is eth0, then the following
/etc/shorewall/NAT file would make the lower left-hand system appear to have /etc/shorewall/NAT file would make the lower left-hand system appear
IP address 130.252.100.18 and the right-hand one to have IP address to have IP address 130.252.100.18 and the right-hand one to have IP address
130.252.100.19.</p> 130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr> <tr>
<td><b>EXTERNAL</b></td> <td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td> <td><b>INTERFACE</b></td>
@ -59,34 +75,40 @@
<td>yes</td> <td>yes</td>
<td>yes</td> <td>yes</td>
</tr> </tr>
</tbody>
</table> </table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above <p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p> or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The &quot;ALL INTERFACES&quot; column
is used to specify whether access to the external IP from all firewall <p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column
is used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this interface in the INTERFACE column should undergo NAT. If you leave this
column empty, &quot;Yes&quot; is assumed.&nbsp;The ALL INTERFACES column was column empty, "Yes" is assumed. The ALL INTERFACES column was added
added in version 1.1.6.</p> in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the <p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>=&quot;no&quot; specified interface unless you specify <a
(or &quot;No&quot;) in /etc/shorewall/shorewall.conf; If you do not set href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
ADD_IP_ALIASES or if you set it to &quot;Yes&quot; or &quot;yes&quot; then you must NOT configure your own alias(es).</p> /etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
<p><a name="LocalPackets"></a>Note 3: The contents of the &quot;LOCAL&quot; you set it to "Yes" or "yes" then you must NOT configure your own alias(es).</p>
column determine whether packets originating on the firewall itself and
destined for the EXTERNAL address are redirected to the internal ADDRESS. If
this column contains &quot;yes&quot; or &quot;Yes&quot; (and the ALL
INTERFACES COLUMN also contains &quot;Yes&quot; or &quot;yes&quot;) then
such packets are redirected; otherwise, such packets are not redirected. The
LOCAL column was added in version 1.1.8.</p>
</blockquote>
<blockquote> <p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
</blockquote> determine whether packets originating on the firewall itself and destined
for the EXTERNAL address are redirected to the internal ADDRESS. If this
column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains
"Yes" or "yes") then such packets are redirected; otherwise, such packets
are not redirected. The LOCAL column was added in version 1.1.8.</p>
</blockquote>
<p><font size="2">Last updated 3/27/2002 - </font><font size="2"> <blockquote> </blockquote>
<a href="support.htm">Tom
Eastep</a></font> </p> <p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> href="support.htm">Tom Eastep</a></font> </p>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</body>
</html>

File diff suppressed because it is too large Load Diff

View File

@ -891,8 +891,8 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
<p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font> <p><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br> <br>
<br> <br>
</body> </body>

View File

@ -1,42 +1,56 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Proxy ARP</title> <meta http-equiv="Content-Type"
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> content="text/html; charset=windows-1252">
<meta name="ProgId" content="FrontPage.Editor.Document"> <title>Shorewall Proxy ARP</title>
<meta name="Microsoft Theme" content="none">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head> </head>
<body>
<body> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#FFFFFF">Proxy ARP</font></h1> <h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
</td> </td>
</tr> </tr>
</table>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers </tbody>
without changing their IP addresses and without having to re-subnet.</p> </table>
<p>The following figure represents a Proxy ARP
environment.</p> <p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.
Before you try to use this technique, I strongly recommend that you read
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p>The following figure represents a Proxy ARP environment.</p>
<blockquote> <blockquote>
<p align="center"><strong> <p align="center"><strong> <img src="images/proxyarp.png"
<img src="images/proxyarp.png" width="519" height="397"></strong></p> width="519" height="397">
<blockquote> </strong></p>
<blockquote> </blockquote>
</blockquote> </blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses <p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.&nbsp; Assuming that the upper firewall interface is eth0 and the subnet.  Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries in lower interface is eth1, this is accomplished using the following entries
/etc/shorewall/proxyarp:</p> in /etc/shorewall/proxyarp:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr> <tr>
<td><b>ADDRESS</b></td> <td><b>ADDRESS</b></td>
<td><b>INTERFACE</b></td> <td><b>INTERFACE</b></td>
@ -55,52 +69,96 @@
<td>eth0</td> <td>eth0</td>
<td>no</td> <td>no</td>
</tr> </tr>
</table>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19&nbsp; </tbody>
</table>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19 
in the above example) are not included in any specification in in the above example) are not included in any specification in
/etc/shorewall/masq or /etc/shorewall/nat.</p> /etc/shorewall/masq or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
irrelevant. </p> irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
subnet mask and default gateway configured exactly the same way that the <p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
Firewall system's eth0 is configured.</p> subnet mask and default gateway configured exactly the same way that
the Firewall system's eth0 is configured.</p>
<div align="left"> <div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure <p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet. You probably be HOURS before that system can communicate with the internet.
can call your ISP and ask them to purge the stale ARP cache entry but many There are a couple of things that you can try:<br>
either can't or won't purge individual entries. You can determine if your </p>
ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we <ol>
suspect that the gateway router has a stale ARP cache entry for 130.252.100.19. <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
On the firewall, run tcpdump as follows:</div> Vol 1</i> reveals that a <br>
<div align="left"> <br>
<pre> tcpdump -nei eth0 icmp</pre> "gratuitous" ARP packet should cause the ISP's router to refresh their ARP
</div> cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC
<div align="left"> address for its own IP; in addition to ensuring that the IP address isn't
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we will a duplicate...<br>
assume is 130.252.100.254):</div> <br>
<div align="left"> "if the host sending the gratuitous ARP has just changed its hardware address...,
<pre> ping 130.252.100.254</pre> this packet causes any other host...that has an entry in its cache for the
</div> old hardware address to update its ARP cache entry accordingly."<br>
<div align="left"> <br>
<p align="left">We can now observe the tcpdump output:</div> Which is, of course, exactly what you want to do when you switch a host from
<div align="left"> being exposed to the Internet to behind Shorewall using proxy ARP (or static
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF) NAT for that matter). Happily enough, recent versions of Redhat's iputils
13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre> package include "arping", whose "-U" flag does just that:<br>
</div> <br>
<div align="left">     <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly proxied
<p align="left">Notice that the source MAC address in the echo request is IP&gt;</i></b></font><br>
different from the destination MAC address in the echo reply!! In this case     <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 <br>
was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still Stevens goes on to mention that not all systems respond correctly to gratuitous
associates 130.252.100.19 with the NIC in that system rather than with the firewall's ARPs, but googling for "arping -U" seems to support the idea that it works
eth0.</div> most of the time.<br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a stale
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
<p><font size="2">Last updated 8/17/2002 - </font><font size="2"> <div align="left">
<a href="support.htm">Tom <pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
Eastep</a></font> </p> </div>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> <div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
will assume is 130.252.100.254):</p>
</div>
<div align="left">
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
</div>
<div align="left">
<p align="left">We can now observe the tcpdump output:</p>
</div>
<div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words, the
gateway's ARP cache still associates 130.252.100.19 with the NIC in that
system rather than with the firewall's eth0.</p>
</div>
<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</body>
</html>

View File

@ -29,9 +29,9 @@
I can hardly justify paying $200US+ a year to a Certificate Authority such I can hardly justify paying $200US+ a year to a Certificate Authority such
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority (CA) I am who I am. I have therefore established my own Certificate Authority (CA)
and sign my own X.509 certificates. I use these certificates on my web server and sign my own X.509 certificates. I use these certificates on my mail server
(<a href="http://www.shorewall.net">http://www.shorewall.net</a>) as well (<a href="https://mail.shorewall.net">https://mail.shorewall.net</a>)
as on my mail server (mail.shorewall.net).<br> which hosts parts of this web site.<br>
<br> <br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As part X.509 certificates are the basis for the Secure Socket Layer (SSL). As part
of establishing an SSL session (URL https://...), your browser verifies the of establishing an SSL session (URL https://...), your browser verifies the
@ -57,7 +57,7 @@ to accept the sleezy X.509 certificate being presented by my server. <br>
There are two things that you can do:<br> There are two things that you can do:<br>
<ol> <ol>
<li>You can accept the www.shorewall.net certificate when your browser <li>You can accept the mail.shorewall.net certificate when your browser
asks -- your acceptence of the certificate can be temporary (for that access asks -- your acceptence of the certificate can be temporary (for that access
only) or perminent.</li> only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed) CA <li>You can download and install <a href="ca.crt">my (self-signed) CA
@ -75,14 +75,14 @@ intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of your browser with a bogus certificate claiming that my server is that of
your bank.</li> your bank.</li>
<li>If you only accept my server's certificate when prompted then the <li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://www.shorewall.net, most that you have to loose is that when you connect to https://mail.shorewall.net,
the server you are connecting to might not be mine.</li> the server you are connecting to might not be mine.</li>
</ol> </ol>
I have my CA certificate loaded into all of my browsers but I certainly I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br> won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 11/14/2002 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 12/29/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>

View File

@ -27,25 +27,26 @@
<br> <br>
Lots of people try to download the entire Shorewall website for off-line Lots of people try to download the entire Shorewall website for off-line
browsing, including the CVS portion. In addition to being an enormous volume browsing, including the CVS portion. In addition to being an enormous volume
of data (HTML versions of all versions of all Shorewall files), all of the of data (HTML versions of all versions of all Shorewall files), all of
pages in Shorewall CVS access are cgi-generated which places a tremendous the pages in Shorewall CVS access are cgi-generated which places a tremendous
load on my little server. I have therefore resorted to making CVS access load on my little server. I have therefore resorted to making CVS access
password controlled. When you are asked to log in, enter "Shorewall" (NOTE password controlled. When you are asked to log in, enter "Shorewall" (NOTE
THE CAPITALIZATION!!!!!) for both the user name and the password.<br> THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
<br> <br>
<div align="center"> <div align="center">
<h3><a href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi" <h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
target="_top">CVS Login</a> &nbsp;<br> target="_top">CVS Login</a> &nbsp;<br>
</h3> </h3>
</div> </div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/23/2002 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002
- <a href="support.htm">Tom Eastep</a> </font> - <a href="support.htm">Tom Eastep</a> </font>
</p> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> &copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br> <br>
<br> <br>
<br> <br>

View File

@ -0,0 +1,408 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Squid Usage</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169">
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4">
</a><br>
</td>
<td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td>
<td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4">
</a><br>
</td>
</tr>
</tbody>
</table>
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br>
<a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start
and /etc/shorewall/init -- if you don't have those files, siimply create
them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
file entries. That is because the packets being routed to the Squid server
still have their original destination IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed
on your firewall.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the local
network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid
transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on
192.168.1.3. It is assumed that web access is already enabled from the local
zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, I don't recommend it.<br>
</p>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>Alternativfely, you can have the following policy:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
</ul>
<blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote>
<ul>
<li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote>
<ul>
<li>&nbsp;In /etc/shorewall/start add:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/rules, you will need:</li>
</ul>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<p><font size="-1"> Updated 1/10/2003 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a>
</font></p>
<a
href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -37,9 +37,11 @@
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li> <li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li> <li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li> <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li> </li>
@ -64,6 +66,7 @@
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -93,7 +96,8 @@
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li> <li> <a href="Shorewall_CVS_Access.html">CVS
Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li> <li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li> <li> <a href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
@ -123,7 +127,7 @@
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://mail.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
@ -140,5 +144,7 @@
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -30,6 +30,7 @@
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
@ -37,6 +38,7 @@
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li> <li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
@ -52,7 +54,8 @@
</li> </li>
<li> <b><a <li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference Manual</a></li> <li> <a href="Documentation.htm">Reference
Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br> <li><a href="useful_links.html">Useful Links</a><br>
</li> </li>
@ -96,7 +99,7 @@
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS <li> <a href="Shorewall_CVS_Access.html">CVS
Repository</a></li> Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li> <li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li> <li> <a href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
@ -126,7 +129,7 @@ Repository</a></li>
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://mail.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
@ -141,5 +144,7 @@ Repository</a></li>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -34,7 +34,7 @@
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
<h2>Files</h2> <h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
@ -44,20 +44,20 @@
<li>/etc/shorewall/params - use this file to set shell <li>/etc/shorewall/params - use this file to set shell
variables that you will expand in other files.</li> variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's <li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li> view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level <li>/etc/shorewall/policy - establishes firewall high-level
policy.</li> policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces <li>/etc/shorewall/interfaces - describes the interfaces
on the firewall system.</li> on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in <li>/etc/shorewall/hosts - allows defining zones in
terms of individual hosts and subnetworks.</li> terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where <li>/etc/shorewall/masq - directs the firewall where
to use many-to-one (dynamic) Network Address Translation (a.k.a. to use many-to-one (dynamic) Network Address Translation (a.k.a.
Masquerading) and Source Network Address Translation (SNAT).</li> Masquerading) and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to <li>/etc/shorewall/modules - directs the firewall
load kernel modules.</li> to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions <li>/etc/shorewall/rules - defines rules that are
to the overall policies established in /etc/shorewall/policy.</li> exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy <li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li> ARP.</li>
@ -68,22 +68,22 @@ ARP.</li>
<li>/etc/shorewall/tos - defines rules for setting <li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li> the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and <li>/etc/shorewall/tunnels - defines IPSEC, GRE and
IPIP tunnels with end-points on the firewall system.</li> IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li> addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the beginning <li>/etc/shorewall/init - commands that you wish to execute at the beginning
of a "shorewall start" or "shorewall restart".</li> of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the completion <li>/etc/shorewall/start - commands that you wish to execute at the completion
of a "shorewall start" or "shorewall restart"</li> of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning <li>/etc/shorewall/stop - commands that you wish to execute at the beginning
of a "shorewall stop".</li> of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at the <li>/etc/shorewall/stopped - commands that you wish to execute at the
completion of a "shorewall stop".<br> completion of a "shorewall stop".<br>
</li> </li>
</ul> </ul>
<h2>Comments</h2> <h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at character a pound sign ("#"). You may also place comments at
@ -96,7 +96,7 @@ of the line with a pound sign.</p>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre> <pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2> <h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash <p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p> ("\") followed immediately by a new line character.</p>
@ -124,21 +124,21 @@ of the line with a pound sign.</p>
Names.<br> Names.<br>
<br> <br>
DNS names in iptables rules aren't nearly as useful as they DNS names in iptables rules aren't nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS-&gt;IP address relationship that into the rule. So changes in the DNS-&gt;IP address relationship that
occur after the firewall has started have absolutely no effect on the occur after the firewall has started have absolutely no effect on the
firewall's ruleset. </p> firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p> <p align="left"> If your firewall rules include DNS names then:</p>
<ul> <ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't <li>If your /etc/resolv.conf is wrong then your firewall
start.</li> won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall <li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li> won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall <li>If your Name Server(s) is(are) down then your firewall
won't start.</li> won't start.</li>
<li>If your startup scripts try to start your firewall before <li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br> starting your DNS server then your firewall won't start.<br>
</li> </li>
@ -151,9 +151,9 @@ won't start.</li>
</ul> </ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum <p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed of two periods (although one may be trailing). This restriction is
by Shorewall to insure backward compatibility with existing configuration imposed by Shorewall to insure backward compatibility with existing
files.<br> configuration files.<br>
<br> <br>
Examples of valid DNS names:<br> Examples of valid DNS names:<br>
</p> </p>
@ -182,14 +182,14 @@ won't start.</li>
These restrictions are not imposed by Shorewall simply for These restrictions are not imposed by Shorewall simply for
your inconvenience but are rather limitations of iptables.<br> your inconvenience but are rather limitations of iptables.<br>
<h2>Complementing an Address or Subnet</h2> <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can <p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be example, !192.168.1.4 means "any host but 192.168.1.4". There must
no white space following the "!".</p> be no white space following the "!".</p>
<h2>Comma-separated Lists</h2> <h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the <p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p> configuration files. A comma separated list:</p>
@ -199,29 +199,29 @@ no white space following the "!".</p>
Valid: routestopped,dhcp,norfc1918<br> Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li> Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated <li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or there list, the continuation line(s) must begin in column 1 (or
would be embedded white space)</li> there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in <li>Entries in a comma-separated list may appear in
any order.</li> any order.</li>
</ul> </ul>
<h2>Port Numbers/Service Names</h2> <h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use <p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p> either an integer or a service name from /etc/services. </p>
<h2>Port Ranges</h2> <h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to local if you want to forward the range of tcp ports 4000 through 4100 to
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br> local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> </p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
<h2>Using Shell Variables</h2> <h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables <p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p> that you can then use in some of the other configuration files.</p>
@ -261,7 +261,7 @@ any order.</li>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
files.</p> files.</p>
<h2>Using MAC Addresses</h2> <h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet <p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature, source in several of the configuration files. To use this feature,
@ -290,129 +290,33 @@ series of 6 hex numbers separated by colons. Example:<br>
<br> <br>
Because Shorewall uses colons as a separator for address Because Shorewall uses colons as a separator for address
fields, Shorewall requires MAC addresses to be written in another fields, Shorewall requires MAC addresses to be written in another
way. In Shorewall, MAC addresses begin with a tilde ("~") and way. In Shorewall, MAC addresses begin with a tilde ("~") and consist
consist of 6 hex numbers separated by hyphens. In Shorewall, the of 6 hex numbers separated by hyphens. In Shorewall, the MAC address
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br> in the example above would be written "~02-00-08-E3-FA-55".<br>
</p> </p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation <p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br> in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p> </p>
<h2><a name="Levels"></a>Logging</h2> <h2><a name="Levels"></a>Shorewall Configurations</h2>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
<i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
       7       debug<br>
       6       info<br>
       5       notice<br>
       4       warning<br>
       3       err<br>
       2       crit<br>
       1       alert<br>
       0       emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
log messages are generated by NetFilter and are logged using the <i>kern</i>
facility and the level that you specify. If you are unsure of the level
to choose, 6 (info) is a safe bet. You may specify levels by name or by
number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs to
log files is done in /etc/syslog.conf (5). If you make changes to this file,
you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a log
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
netfilter to log the related messages via the ULOG target which will send
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
and can be configured to log all Shorewall message to their own log file.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first five steps on another system then either NFS mount your
/usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
something else done to activate the script.<br>
<br>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file that
you wish to log to&gt;</i>. This tells the /sbin/shorewall program where to
look for the log when processing its "show log", "logwatch" and "monitor"
commands.<br>
<h2><a name="Configs"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall. <p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and The <a href="starting_and_stopping_shorewall.htm">shorewall start
restart</a> commands allow you to specify an alternate configuration and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate directory rather than the corresponding files in /etc/shorewall. The alternate
need not contain a complete configuration; those files not in the alternate directory need not contain a complete configuration; those files not
directory will be read from /etc/shorewall.</p> in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration <p> This facility permits you to easily create a test or temporary configuration
by:</p> by:</p>
<ol> <ol>
<li> copying the files that need modification from <li> copying the files that need modification from
/etc/shorewall to a separate directory;</li> /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory; <li> modify those files in the separate directory;
and</li> and</li>
<li> specifying the separate directory in a shorewall <li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li> restart</b></i> ).</li>
@ -422,7 +326,7 @@ and</li>
<p><font size="2"> Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 12/29/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
@ -432,5 +336,6 @@ and</li>
</p> </p>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -1,34 +1,45 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Copyright</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head> </head>
<body>
<body> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#FFFFFF">Copyright</font></h1> <h1 align="center"><font color="#ffffff">Copyright</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table> </table>
<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp; 2000, 2001
Thomas M Eastep<br> <p align="left">Copyright <font face="Trebuchet MS">©</font>  2000, 2001,
&nbsp;</p> 2003 Thomas M Eastep<br>
 </p>
<blockquote> <blockquote>
<p align="left">Permission is granted to copy, distribute and/or modify this <p align="left">Permission is granted to copy, distribute and/or modify
document under the terms of the GNU Free Documentation License, Version 1.1 or this document under the terms of the GNU Free Documentation License, Version
any later version published by the Free Software Foundation; with no Invariant 1.1 or any later version published by the Free Software Foundation; with
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
license is included in the section entitled &quot;<a href="GnuCopyright.htm">GNU Free Documentation License</a>&quot;.<br> A copy of the license is included in the section entitled "<a
&nbsp;</p> href="GnuCopyright.htm">GNU Free Documentation License</a>".<br>
</blockquote>  </p>
</blockquote>
<br>
</body> </body>
</html> </html>

View File

@ -28,43 +28,46 @@
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p> <p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz <p>The documentation in HTML format is included in the .rpm and in the
packages below.</p> .tgz packages below.</p>
<p> Once you've done that, download <u> one</u> of the modules:</p> <p> Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with Linux PPC</b> or <b> TurboLinux</b> distribution with
a 2.4 kernel, you can use the RPM version (note: the RPM a 2.4 kernel, you can use the RPM version (note: the
should also work with other distributions that store init RPM should also work with other distributions that store
scripts in /etc/init.d and that include chkconfig or insserv). init scripts in /etc/init.d and that include chkconfig or
If you find that it works in other cases, let <a insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a> I can mention them here. See the <a href="Install.htm">Installation
if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might <li>If you are running LRP, download the .lrp file (you
also want to download the .tgz so you will have a copy of the documentation).</li> might also want to download the .tgz so you will have a copy of
the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both the and would like a .deb package, Shorewall is included in both the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> <li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li> module (.tgz)</li>
</ul> </ul>
@ -72,32 +75,32 @@ module (.tgz)</li>
and there is an documentation .deb that also contains the documentation.</p> and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point release of a new version of Shorewall, the links below may
to a newer or an older version than is shown below.</p> point to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
will contain the version)</li> will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li> -zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
</ul> </ul>
<p><font face="Arial">Once you have verified the version, check the <p>Once you have verified the version, check the <font
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
face="Arial"> to see if there are updates that apply to the version if there are updates that apply to the version that you have
that you have downloaded.</font></p> downloaded.</p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
configuration of your firewall, you can enable startup by removing the of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates <p><b>Download Latest Version</b> (<b>1.3.13</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington to the mirrors occur 1-12 hours after an update to the Washington State
State site.</b></p> site.</b></p>
<blockquote> <blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
@ -236,9 +239,11 @@ State site.</b></p>
<td><a <td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br> href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br> href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a <a
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br> href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a <a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
@ -356,8 +361,8 @@ State site.</b></p>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" <td><a
target="_blank">Browse</a></td> href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr> </tr>
@ -371,17 +376,18 @@ State site.</b></p>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at component. There's no guarantee that what you find there will work
all.<br> at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 12/12/2002 - <a <p align="left"><font size="2">Last Updated 1/13/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -49,21 +49,23 @@ untar the archive, replace the 'firewall' script in the untarred director
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>If you are running a Shorewall version earlier
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall than 1.3.11, when the instructions say to install a corrected firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
/etc/shorewall/firewall or /var/lib/shorewall/firewall before the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by your and /var/lib/shorewall/firewall are symbolic links that point
system initialization scripts to start Shorewall during boot. to the 'shorewall' file used by your system initialization scripts
It is that file that must be overwritten with the corrected to start Shorewall during boot. It is that file that must be overwritten
script.</b></p> with the corrected script. Beginning with Shorewall 1.3.11, you
may rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br> example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
</p> </p>
</li> </li>
@ -75,14 +77,15 @@ script.</b></p>
in Version 1.3</a></b></li> in Version 1.3</a></b></li>
<li> <b><a <li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font color="#660066"> <li> <b><font
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a <li> <b><font
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li> color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems <li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li> with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM <li><b><a href="#SuSE">Problems installing/upgrading RPM
on SuSE</a></b></li> on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version <li><b><a href="#Multiport">Problems with iptables version
1.2.7 and MULTIPORT=Yes</a></b></li> 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br> <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
@ -93,33 +96,56 @@ on SuSE</a></b></li>
<hr> <hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2> <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.12</h3>
<ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is the
same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is corrected
by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
</li>
</ul>
<h3>Version 1.3.12 LRP</h3>
<ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file -- a new
lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
</li>
</ul>
<h3>Version 1.3.11a</h3> <h3>Version 1.3.11a</h3>
<ul> <ul>
<li><a <li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br> copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.11</h3> <h3>Version 1.3.11</h3>
<ul> <ul>
<li>When installing/upgrading using the .rpm, you may receive the following <li>When installing/upgrading using the .rpm, you may receive the
warnings:<br> following warnings:<br>
<br> <br>
     user teastep does not exist - using root<br>      user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>      group teastep does not exist - using root<br>
<br> <br>
These warnings are harmless and may be ignored. Users downloading the These warnings are harmless and may be ignored. Users downloading the
.rpm from shorewall.net or mirrors should no longer see these warnings as .rpm from shorewall.net or mirrors should no longer see these warnings
the .rpm you will get from there has been corrected.</li> as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains <li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall ! followed by a sub-zone list) result in an error message and Shorewall
fails to start.<br> fails to start.<br>
<br> <br>
Install <a Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem. corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br> Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br> <br>
This problem is corrected in version 1.3.11a.<br> This problem is corrected in version 1.3.11a.<br>
</li> </li>
@ -130,7 +156,7 @@ Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<ul> <ul>
<li>If you experience problems connecting to a PPTP server running <li>If you experience problems connecting to a PPTP server running
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where version of the firewall script</a> may help. Please report any cases where
@ -177,8 +203,8 @@ incorrectly when updating old configurations that had the file /etc/shorewall/f
</ul> </ul>
<h3>Version 1.3.9</h3> <h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall
at <a script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br> -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
@ -188,7 +214,7 @@ incorrectly when updating old configurations that had the file /etc/shorewall/f
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
of the policy file doesn't work.</li> of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses <li>A DNAT rule with the same original and new IP addresses
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br> tcp 25 - 10.1.1.1")<br>
</li> </li>
@ -230,22 +256,24 @@ but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:
<ol> <ol>
<li>If the firewall is running <li>If the firewall is running
a DHCP server, the client won't be able a DHCP server, the client won't be
to obtain an IP address lease from able to obtain an IP address lease from
that server.</li> that server.</li>
<li>With this order of checking, <li>With this order of checking,
the "dhcp" option cannot be used as the "dhcp" option cannot be used as
a noise-reduction measure where there a noise-reduction measure where there
are both dynamic and static clients on are both dynamic and static clients
a LAN segment.</li> on a LAN segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed corrects the problem. It must be installed
in /var/lib/shorewall as described above.</p> in /var/lib/shorewall as described
above.</p>
<h3>Version 1.3.7</h3> <h3>Version 1.3.7</h3>
@ -269,7 +297,7 @@ a LAN segment.</li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an error occurs when the firewall script attempts to add
an SNAT alias. </p> an SNAT alias. </p>
</li> </li>
<li> <li>
@ -350,10 +378,10 @@ so it's a good idea to run that command after you have made configura
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match "Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces. that specifies an interface that you didn't include in
To correct this problem, you must add an entry to /etc/shorewall/interfaces. /etc/shorewall/interfaces. To correct this problem, you
Shorewall 1.3.3 and later versions produce a clearer error must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
message in this case.</p> later versions produce a clearer error message in this case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
@ -365,9 +393,9 @@ version has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface entry <li>The code to detect a duplicate interface entry
in /etc/shorewall/interfaces contained a typo that prevented in /etc/shorewall/interfaces contained a typo that prevented
it from working correctly. </li> it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved <li>"NAT_BEFORE_RULES=No" was broken; it behaved
just like "NAT_BEFORE_RULES=Yes".</li> just like "NAT_BEFORE_RULES=Yes".</li>
</ul> </ul>
@ -392,26 +420,26 @@ just like "NAT_BEFORE_RULES=Yes".</li>
<ul> <ul>
<li>TCP SYN packets may be double counted when <li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
each packet is sent through the limit chain twice).</li> each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes <li>An unnecessary jump to the policy chain is
generated for a CONTINUE policy.</li> sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface <li>When an option is given for more than one
in /etc/shorewall/interfaces then depending on the option, interface in /etc/shorewall/interfaces then depending
Shorewall may ignore all but the first appearence of the on the option, Shorewall may ignore all but the first
option. For example:<br> appearence of the option. For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the <li>Update 17 June 2002 - The bug described in
prior bullet affects the following options: dhcp, dropunclean, the prior bullet affects the following options: dhcp, dropunclean,
logunclean, norfc1918, routefilter, multi, filterping and logunclean, norfc1918, routefilter, multi, filterping and
noping. An additional bug has been found that affects only noping. An additional bug has been found that affects only
the 'routestopped' option.<br> the 'routestopped' option.<br>
<br> <br>
Users who downloaded the corrected script prior Users who downloaded the corrected script prior
to 1850 GMT today should download and install the corrected to 1850 GMT today should download and install the corrected
script again to ensure that this second problem is corrected.</li> script again to ensure that this second problem is corrected.</li>
</ul> </ul>
@ -424,10 +452,11 @@ to 1850 GMT today should download and install the corrected
<h3 align="left">Version 1.3.0</h3> <h3 align="left">Version 1.3.0</h3>
<ul> <ul>
<li>Folks who downloaded 1.3.0 from the links on <li>Folks who downloaded 1.3.0 from the links
the download page before 23:40 GMT, 29 May 2002 may have on the download page before 23:40 GMT, 29 May 2002 may
downloaded 1.2.13 rather than 1.3.0. The "shorewall version" have downloaded 1.2.13 rather than 1.3.0. The "shorewall
command will tell you which version that you have installed.</li> version" command will tell you which version that you
have installed.</li>
<li>The documentation NAT.htm file uses non-existent <li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
@ -446,10 +475,12 @@ command will tell you which version that you have installed.</
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p> released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also corrected 1.2.3 rpm which you can download here</a>  and I have also
@ -465,6 +496,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p> </font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
@ -473,6 +505,7 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
@ -540,27 +573,29 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result in Shorewall /etc/shorewall/nat entries of the following form will result in
being unable to start:<br> Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for The solution is to put "no" in the LOCAL column. Kernel support
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it.
2.4.19 kernel contains corrected support under a new kernel configuraiton The 2.4.19 kernel contains corrected support under a new kernel configuraiton
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 12/3/2002 - <p><font size="2"> Last updated 1/3/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -207,8 +207,8 @@ ignored<br>
<a href="support.htm">Tom Eastep</a></font> <a href="support.htm">Tom Eastep</a></font>
</p> </p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <p align="left"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
</body> </body>

View File

@ -70,5 +70,5 @@ type &quot;rpm -e shorewall&quot;.</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <p><font size="2">Last updated 3/26/2001 - </font><font size="2">
<a href="support.htm">Tom <a href="support.htm">Tom
Eastep</a></font> </p> Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>

View File

@ -21,7 +21,7 @@
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy <h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy
Way</font></h1> Way</font></h1>
</td> </td>
</tr> </tr>
@ -39,17 +39,17 @@ Way</font></h1>
aliases file so that rest of mailman's mail handling processes will run aliases file so that rest of mailman's mail handling processes will run
with proper uid/gid. Postfix has an ability to run a command specified in with proper uid/gid. Postfix has an ability to run a command specified in
an alias as owner of that alias, thus mailman's wrapper is not needed here. an alias as owner of that alias, thus mailman's wrapper is not needed here.
The best method to invoke mailman's mail handling via aliases is to use The best method to invoke mailman's mail handling via aliases is to use
separate alias file especially for mailman, and made it owned by mailman separate alias file especially for mailman, and made it owned by mailman
and group mailman. Like:<br> and group mailman. Like:<br>
<br> <br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br> alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br> <br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this may Make sure that /var/mailman/aliases.db is owned by mailman user (this
be done by executing postalias as mailman userid).<br> may be done by executing postalias as mailman userid).<br>
<br> <br>
Next, instead of using mailman-suggested aliases entries with wrapper, use Next, instead of using mailman-suggested aliases entries with wrapper,
the following:<br> use the following:<br>
<br> <br>
instead of<br> instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br> mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
@ -63,14 +63,17 @@ the following:<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br> mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p> ...</p>
<h4>The Shorewall mailing lists are currently running Postfix 1.1.11 together <h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something
with the stock RedHat Mailman-2.0.13 RPM configured as shown above.</h4> very similar so that no workaround is necessary. See the README.POSTFIX file
included with Mailman-2.1. </h4>
<p align="left"><font size="2">Last updated 9/14/2002 - <a <p align="left"><font size="2">Last updated 12/29/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

Binary file not shown.

After

Width:  |  Height:  |  Size: 493 B

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.7 KiB

View File

@ -142,5 +142,5 @@ the options selected above built as modules:</p>
<p><font size="2">Last updated 3/10/2002 - </font><font size="2"> <p><font size="2">Last updated 3/10/2002 - </font><font size="2">
<a href="support.htm">Tom <a href="support.htm">Tom
Eastep</a></font> </p> Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>

View File

@ -12,6 +12,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -21,38 +22,45 @@
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="33%" valign="middle">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a><a href="http://www.gnu.org/software/mailman/mailman.html"> </a></h1>
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5"
width="110" height="35">
</a><a href="http://www.postfix.org/"> <img
<h1 align="center"><a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt="">
</a></h1>
<p align="right"><br>
<font color="#ffffff"><b>   </b></font> </p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%">
<h1 align="center"><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/small-picture.gif" align="right" border="0" width="115"
height="45"> height="45" alt="(Postfix Logo)">
</a><font color="#ffffff">Shorewall Mailing Lists<a </a></h1>
href="http://www.inter7.com/courierimap/"><img <br>
src="images/courier-imap.png" alt="Courier-Imap" width="100"
height="38" align="right">
</a></font></h1>
<div align="right"><br>
<p align="right"><font color="#ffffff"><b><br> <b><font color="#ffffff">Powered by Postfix    </font></b><br>
</b></font></p> </div>
<p align="right"><font color="#ffffff"><b><br>
Powered by Postfix     </b></font> </p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
<h2 align="left">Not getting List Mail? -- <a <h2 align="left">Not getting List Mail? -- <a
href="mailing_list_problems.htm">Check Here</a></h2> href="mailing_list_problems.htm">Check Here</a></h2>
@ -64,9 +72,8 @@
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p> at hp dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0" <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
src="images/but3.png" hspace="3" width="88" height="31"> href="http://osirusoft.com/"> </a></h2>
 </a><a href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
@ -74,38 +81,45 @@
</p> </p>
<ol> <ol>
<li>against the open relay databases at <a <li>against <a href="http://spamassassin.org">Spamassassin</a>
href="http://ordb.org">ordb.org.</a></li> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li> <li>to verify that the sender's domain has an A or MX record
<li>to ensure that the host name in the HELO/EHLO command is a valid in DNS.</li>
fully-qualified DNS name.</li> <li>to ensure that the host name in the HELO/EHLO command is
a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2>
While the list server here at shorewall.net accepts and distributes HTML
posts, a growing number of MTAs serving list subscribers are rejecting this
HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse"!!<br>
<br>
I think that blocking all HTML is a rather draconian way to control spam
and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
can help by restricting your list posts to plain text.<br>
<br>
And as a bonus, subscribers who use email clients like pine and mutt will
be able to read your plain text posts whereas they are most likely simply
ignoring your HTML posts.<br>
<br>
A final bonus for the use of HTML is that it cuts down the size of messages
by a large percentage -- that is important when the same message must be
sent 500 times over the slow DSL line connecting the list server to the internet.<br>
<h2></h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in list
posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam and
that the ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote
to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from outgoing
posts. This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
<h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your e-mail
admin may be blocking mail whose <i>Received:</i> headers contain the names
of certain ISPs. Again, I believe that such policies hurt more than they
help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://mail.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
@ -127,65 +141,66 @@ sent 500 times over the slow DSL line connecting the list server to the internet
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config" value="htdig">
type="hidden" name="restrict" <input type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words"
type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire <h2 align="left"><font color="#ff0000">Please do not try to download the
Archive -- its 75MB (and growing daily) and my slow DSL line simply won't entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
stand the traffic. If I catch you, you'll be blacklisted.<br> won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline Firewall If you want to trust X.509 certificates issued by Shoreline
(such as the one used on my web site), you may <a Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you in your browser. If you don't wish to trust my certificates then you
can either use unencrypted access when subscribing to Shorewall mailing can either use unencrypted access when subscribing to Shorewall mailing
lists or you can use secure access (SSL) and accept the server's certificate lists or you can use secure access (SSL) and accept the server's certificate
when prompted by your browser.<br> when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information of general to get answers to questions and to report problems. Information of
interest to the Shorewall user community is also posted to this list.</p> general interest to the Shorewall user community is also posted to this
list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="support.htm">problem reporting guidelines</a>.</b></p> the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-users" href="https://mail.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p> target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<p align="left">To post to the list, post to <a <p align="left">To post to the list, post to <a
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p> href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://mail.shorewall.net/pipermail/shorewall-users/index.html">http://mail.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted <p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that <a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
list may be found at <a may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe, go to <a Shorewall community. To subscribe, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a> href="http://mail.shorewall.net/mailman/listinfo/shorewall-announce">http://mail.shorewall.net/mailman/listinfo/shorewall-announce</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-announce" href="https://mail.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br> target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-announce.<br>
</a><br> </a><br>
The list archives are at <a The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://mail.shorewall.net/pipermail/shorewall-announce">http://mail.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
@ -194,35 +209,39 @@ list may be found at <a
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a> href="http://mail.shorewall.net/mailman/listinfo/shorewall-devel">http://mail.shorewall.net/mailman/listinfo/shorewall-devel</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-devel" href="https://mail.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br> target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
To post to the list, post to <a To post to the list, post to <a
href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p> href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://mail.shorewall.net/pipermail/shorewall-devel">http://mail.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists. To unsubscribe:</p> from Mailman-managed lists although Mailman 2.1 has attempted to make
this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
"To change your subscription (set options like digest and delivery " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
modes, get a reminder of your password, <b>or unsubscribe</b> from reminder, or change your subscription options enter your subscription
&lt;name of list&gt;), enter your subscription email address:". Enter email address:". Enter your email address in the box and click
your email address in the box and click on the "Edit Options" button.</p> on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, there and click on "Unsubscribe"; if you have forgotten your password, there
is another button that will cause your password to be emailed to you.</p> is another button that will cause your password to be emailed to you.</p>
@ -235,12 +254,17 @@ your email address in the box and click on the "Edit Options" button.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 12/27/2002 - <a <p align="left"><font size="2">Last updated 12/31/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -40,21 +40,10 @@
<p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a <p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font <p align="left"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p> size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></p>
<p align="left"> </p> <p align="left"> </p>
<br> <br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -20,6 +20,7 @@
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1> <h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td> </td>
</tr> </tr>
@ -32,6 +33,13 @@
<h1>My Current Network </h1> <h1>My Current Network </h1>
<blockquote> <blockquote>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>I</small></b></big><big><b><small>
use a combination of Static NAT and Proxy ARP, neither of which are relevant
to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see here won't
apply to your setup so beware of copying parts of this configuration and
expecting them to work for you. They may or may not work in your setup. </small></b></big><br>
</p>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180). <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport) My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet is connected to eth0. I have a local network connected to eth2 (subnet
@ -43,10 +51,10 @@
<ul> <ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5 <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li> and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP <li>Proxy ARP for wookie (my Linux System). This system has two
addresses: 192.168.1.3/24 and 206.124.146.179/24.</li> IP addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for  <li>SNAT through the primary gateway address (206.124.146.176)
my Wife's system (tarry) and the Wireless Access Point (wap)</li> for  my Wife's system (tarry) and the Wireless Access Point (wap)</li>
</ul> </ul>
@ -62,8 +70,8 @@ the PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix, <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our (Pure-ftpd). The system also runs fetchmail to fetch our email from
old and current ISPs. That server is managed through Proxy ARP.</p> our old and current ISPs. That server is managed through Proxy ARP.</p>
<p> The firewall system itself runs a DHCP server that serves the local <p> The firewall system itself runs a DHCP server that serves the local
network.</p> network.</p>
@ -91,11 +99,14 @@ the PopTop server running on my firewall. </p>
below).</p> below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which <p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p> interfaces to my laptop (206.124.146.180).<br>
</p>
<p><font color="#ff0000" size="5"> Note: My files <p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
use features not available before Shorewall access.<br>
version 1.3.4.</font></p> </p>
<p><font color="#ff0000" size="5"></font></p>
</blockquote> </blockquote>
<h3>Shorewall.conf</h3> <h3>Shorewall.conf</h3>
@ -109,8 +120,8 @@ version 1.3.4.</font></p>
<h3>Interfaces File: </h3> <h3>Interfaces File: </h3>
<blockquote> <blockquote>
<p> This is set up so that I can start the firewall before bringing up <p> This is set up so that I can start the firewall before bringing up my
my Ethernet interfaces. </p> Ethernet interfaces. </p>
</blockquote> </blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
@ -125,8 +136,7 @@ my Ethernet interfaces. </p>
<h3>Common File: </h3> <h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br> run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre> <pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre>
<h3>Policy File:</h3> <h3>Policy File:</h3>
<pre><font size="2" face="Courier"> <pre><font size="2" face="Courier">
@ -140,9 +150,10 @@ my Ethernet interfaces. </p>
<h3>Masq File: </h3> <h3>Masq File: </h3>
<blockquote> <blockquote>
<p> Although most of our internal systems use static NAT, my wife's system <p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p> laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote> </blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre> <pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
@ -154,22 +165,23 @@ laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
<h3>Proxy ARP File:</h3> <h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font <pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font
face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br></font><font face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br></font><pre><font
face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre></pre>
<h3>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):</h3>
<pre><small> #TYPE          ZONE    GATEWAY</small><small> <br> gre             net     $TEXAS</small><small><br> #LAST LINE -- DO NOT REMOVE<br></small></pre>
<h3>Rules File (The shell variables <h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3> are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> ACCEPT net loc:192.168.1.5 tcp 1723<br> ACCEPT net loc:192.168.1.5 gre<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2"> Last updated 10/14/2002 - </font><font size="2"> <p><font size="2"> Last updated 1/12/2003 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> <a href="support.htm">Tom Eastep</a></font>
</p> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <a href="copyright.htm"><font size="2">Copyright</font> ©
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

View File

@ -26,11 +26,11 @@ way. This page describes how it now works.<br>
There are several aspects to Shorewall Ping management:<br> There are several aspects to Shorewall Ping management:<br>
<ol> <ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a <li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a <li>The <b>FORWARDPING</b> option in<a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li> href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a <li>Explicit rules in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol> </ol>
There are two cases to consider:<br> There are two cases to consider:<br>
<ol> <ol>
@ -81,10 +81,10 @@ then the request is responded to with an ICMP echo-reply.</li>
is either rejected or simply ignored.</li> is either rejected or simply ignored.</li>
</ol> </ol>
<p><font size="2">Updated 12/13/2002 - <a <p><font size="2">Updated 12/13/2002 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p> href="support.htm">Tom Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br> <br>
</body> </body>
</html> </html>

View File

@ -187,8 +187,8 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
<p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a <p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
<br> <br>
<br> <br>
</body> </body>

View File

@ -5,6 +5,7 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -23,6 +24,7 @@
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
@ -33,13 +35,15 @@
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3 - </a></i></font><font color="#ffffff">Shorewall 1.3
<font size="4">"<i>iptables made easy"</i></font></font></h1> - <font size="4">"<i>iptables made easy"</i></font></font></h1>
@ -50,7 +54,9 @@
<div align="center"><a <div align="center"><a
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br> color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div> </div>
<br> <br>
</td> </td>
@ -60,6 +66,7 @@
</tbody> </tbody>
</table> </table>
@ -74,6 +81,7 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -84,6 +92,7 @@
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -114,18 +123,18 @@ General Public License</a> as published by the Free Software Foundation.<
<br> <br>
This program is distributed in the hope that it This program is distributed in the hope that
will be useful, but WITHOUT ANY WARRANTY; without it will be useful, but WITHOUT ANY WARRANTY;
even the implied warranty of MERCHANTABILITY or FITNESS without even the implied warranty of MERCHANTABILITY
FOR A PARTICULAR PURPOSE. See the GNU General Public or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
License for more details.<br> General Public License for more details.<br>
<br> <br>
You should have received a copy of the GNU General You should have received a copy of the GNU
Public License along with this program; if not, General Public License along with this program;
write to the Free Software Foundation, Inc., 675 if not, write to the Free Software Foundation,
Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -135,7 +144,8 @@ License for more details.<br>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -148,19 +158,22 @@ License for more details.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have a LEAF </a>Jacques Nilo and Eric Wolzak have
(router/firewall/gateway on a floppy, CD or compact flash) distribution a LEAF (router/firewall/gateway on a floppy, CD or compact
called <i>Bering</i> that features Shorewall-1.3.10 flash) distribution called <i>Bering</i> that
and Kernel-2.4.18. You can find their work at: features Shorewall-1.3.10 and Kernel-2.4.18. You
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.0 Final!!! </b><br> Bering 1.0 Final!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge <h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -174,6 +187,7 @@ Bering 1.0 Final!!! </b><br>
<h2>News</h2> <h2>News</h2>
@ -183,6 +197,7 @@ Bering 1.0 Final!!! </b><br>
<h2></h2> <h2></h2>
@ -190,52 +205,134 @@ Bering 1.0 Final!!! </b><br>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p>Just includes a few things that I had on the burner:<br>
</p>
<ol>
<li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
file. DNAT- is intended for advanced users who wish to minimize the number
of rules that connection requests must traverse.<br>
<br>
A Shorewall DNAT rule actually generates two iptables rules: a header rewriting
rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT-
rule only generates the first of these rules. This is handy when you have
several DNAT rules that would generate the same ACCEPT rule.<br>
<br>
   Here are three rules from my previous rules file:<br>
<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
<br>
   These three rules ended up generating _three_ copies of<br>
<br>
         ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
<br>
   By writing the rules this way, I end up with only one copy of the ACCEPT
rule.<br>
<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
<br>
</li>
<li>The 'shorewall check' command now prints out the applicable policy
between each pair of zones.<br>
<br>
</li>
<li>A new CLEAR_TC option has been added to shorewall.conf. If this
option is set to 'No' then Shorewall won't clear the current traffic control
rules during [re]start. This setting is intended for use by people that prefer
to configure traffic shaping when the network interfaces come up rather than
when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
your traffic shaping rules can still use the 'fwmark' classifier based on
packet marking defined in /etc/shorewall/tcrules.<br>
<br>
</li>
<li>A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf
setting.<br>
</li>
</ol>
<p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
</b></p>
<p><b>Until further notice, I will not be involved in either Shorewall
Development or Shorewall Support</b></p>
<p><b>-Tom Eastep</b><br>
</p>
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
</b></p> </b></p>
<p> Features include:<br> <p> Features include:<br>
</p> </p>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules <li>"shorewall refresh" now reloads the traffic shaping rules
and tcstart).</li> (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after an <li>"shorewall debug [re]start" now turns off debugging after
error occurs. This places the point of the failure near the end of the an error occurs. This places the point of the failure near the end of
trace rather than up in the middle of it.</li> the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40% with <li>"shorewall [re]start" has been speeded up by more than
my configuration. Your milage may vary.</li> 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which shows <li>A "shorewall show classifiers" command has been added
the current packet classification filters. The output from this command which shows the current packet classification filters. The output from
is also added as a separate page in "shorewall monitor"</li> this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog level <li>ULOG (must be all caps) is now accepted as a valid syslog
and causes the subject packets to be logged using the ULOG target rather level and causes the subject packets to be logged using the ULOG target
than the LOG target. This allows you to run ulogd (available from <a rather than the LOG target. This allows you to run ulogd (available from
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a and log all Shorewall messages <a href="shorewall_logging.html">to a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li> separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in the mangle <li>If you are running a kernel that has a FORWARD chain
table ("shorewall show mangle" will show you the chains in the mangle table), in the mangle table ("shorewall show mangle" will show you the chains
you can set MARK_IN_FORWARD_CHAIN=Yes in <a in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading input packets based on their destination even when you are using Masquerading
or SNAT.</li> or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty 'init', <li>I have cluttered up the /etc/shorewall directory with
'start', 'stop' and 'stopped' files. If you already have a file with one empty 'init', 'start', 'stop' and 'stopped' files. If you already have
of these names, don't worry -- the upgrade process won't overwrite your file.</li> a file with one of these names, don't worry -- the upgrade process won't
overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a <li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in the the syslog level at which packets are logged as a result of entries in
/etc/shorewall/rfc1918 file. Previously, these packets were always logged the /etc/shorewall/rfc1918 file. Previously, these packets were always
at the 'info' level.<br> logged at the 'info' level.<br>
</li> </li>
</ol> </ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p> </p>
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL This version corrects a problem with Blacklist logging. In Beta
was set to anything but ULOG, the firewall would fail to start and "shorewall 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would
refresh" would also fail.<br> fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br> <p> You may download the Beta from:<br>
</p> </p>
@ -245,93 +342,106 @@ refresh" would also fail.<br>
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p> </b></p>
The first public Beta version of Shorewall 1.3.12 is now available (Beta The first public Beta version of Shorewall 1.3.12 is now available
1 was made available to a limited audience). <br> (Beta 1 was made available to a limited audience). <br>
<br> <br>
Features include:<br> Features include:<br>
<br> <br>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping rules <li>"shorewall refresh" now reloads the traffic shaping
(tcrules and tcstart).</li> rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after <li>"shorewall debug [re]start" now turns off debugging
an error occurs. This places the point of the failure near the end of the after an error occurs. This places the point of the failure near the
trace rather than up in the middle of it.</li> end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40% <li>"shorewall [re]start" has been speeded up by more
with my configuration. Your milage may vary.</li> than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which <li>A "shorewall show classifiers" command has been
shows the current packet classification filters. The output from this command added which shows the current packet classification filters. The output
is also added as a separate page in "shorewall monitor"</li> from this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog <li>ULOG (must be all caps) is now accepted as a valid
level and causes the subject packets to be logged using the ULOG target syslog level and causes the subject packets to be logged using the ULOG
rather than the LOG target. This allows you to run ulogd (available from target rather than the LOG target. This allows you to run ulogd (available
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a and log all Shorewall messages <a href="shorewall_logging.html">to a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li> separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in <li>If you are running a kernel that has a FORWARD chain
the mangle table ("shorewall show mangle" will show you the chains in the in the mangle table ("shorewall show mangle" will show you the chains
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
This allows for marking input packets based on their destination even when This allows for marking input packets based on their destination even
you are using Masquerading or SNAT.</li> when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty <li>I have cluttered up the /etc/shorewall directory
'init', 'start', 'stop' and 'stopped' files. If you already have a file with empty 'init', 'start', 'stop' and 'stopped' files. If you already
with one of these names, don't worry -- the upgrade process won't overwrite have a file with one of these names, don't worry -- the upgrade process
your file.</li> won't overwrite your file.</li>
</ol> </ol>
You may download the Beta from:<br> You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png" href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="21" border="0"> alt="Powered by Mandrake Linux" width="150" height="21" border="0">
</a></b></p> </a></b></p>
Shorewall is at the center of MandrakeSoft's recently-announced <a Shorewall is at the center of MandrakeSoft's recently-announced
<a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br> release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b> <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p> </b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in delivered. I have installed 9.0 on one of my systems and I am now
a position to support Shorewall users who run Mandrake 9.0.</p> in a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br> <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
</p> </p>
<p>Apt-get sources listed at <a <p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b> <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p> </b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
who don't need rules of this type need not upgrade to 1.3.11.</p> users who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b> <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
@ -339,30 +449,34 @@ a position to support Shorewall users who run Mandrake 9.0.</p>
</p> </p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b> <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p> </b></p>
<p>In this version:</p> <p>In this version:</p>
<ul> <ul>
<li>A 'tcpflags' option has been added to entries <li>A 'tcpflags' option has been added to
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li> header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or <li>It is now allowed to use 'all' in the
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>.
used, 'all' must appear by itself (in may not be qualified) and it does When used, 'all' must appear by itself (in may not be qualified) and
not enable intra-zone traffic. For example, the rule <br> it does not enable intra-zone traffic. For example, the rule <br>
<br> <br>
    ACCEPT loc all tcp 80<br>     ACCEPT loc all tcp 80<br>
<br> <br>
does not enable http traffic from 'loc' to 'loc'.</li> does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible <li>Shorewall's use of the 'echo' command
with bash clones such as ash and dash.</li> is now compatible with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. <li>fw-&gt;fw policies now generate a startup
fw-&gt;fw rules generate a warning and are ignored</li> error. fw-&gt;fw rules generate a warning and are ignored</li>
</ul> </ul>
@ -370,6 +484,7 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<p><b></b><a href="News.htm">More News</a></p> <p><b></b><a href="News.htm">More News</a></p>
@ -380,6 +495,7 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
@ -392,6 +508,7 @@ used, 'all' must appear by itself (in may not be qualified) and it does
</tbody> </tbody>
</table> </table>
@ -405,7 +522,9 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
@ -416,6 +535,7 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
@ -429,6 +549,7 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
@ -436,18 +557,20 @@ but if you try it and find it useful, please consider making a donation
Children's Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 1/13/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>

View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
@ -58,7 +59,7 @@ present</li>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p> Shorewall. </p>
@ -69,22 +70,23 @@ present</li>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li> Serves as a PPTP server for Road Warrior access. Also has <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a WINS NIC - My personal Linux System which runs Samba configured as a
server. This system also has <a href="http://www.vmware.com/">VMware</a> WINS server. This system also has <a
installed and can run both <a href="http://www.debian.org">Debian href="http://www.vmware.com/">VMware</a> installed and can run
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual both <a href="http://www.debian.org">Debian Woody</a> and <a
machines.</li> href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
Email (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS - Email (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd),
server (Bind).</li> DNS server (Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX  <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.12+  and a
server.  Also runs PoPToP for road warrior access.</li> DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
wife's personal system.</li> wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
work system.</li> work system.</li>
@ -114,11 +116,10 @@ work system.</li>
width="125" height="40" hspace="4"> width="125" height="40" hspace="4">
</font></p> </font></p>
<p><font size="2">Last updated 12/7/2002 - </font><font size="2"> <a <p><font size="2">Last updated 1/7/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font <font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
<br> M. Eastep.</font></a></font><br>
<br>
</body> </body>
</html> </html>

View File

@ -0,0 +1,156 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Logging</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
<i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
debug<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
notice<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
warning<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
err<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
crit<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
alert<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are unsure
of the level to choose, 6 (info) is a safe bet. You may specify levels
by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs
to log files is done in /etc/syslog.conf (5). If you make changes to this
file, you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also specify
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which will
send them to a process called 'ulogd'. The ulogd program is available from
http://www.gnumonks.org/projects/ulogd and can be configured to log all
Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from
syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely
no effect on your Shorewall logging (except for Shorewall status messages
which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first six steps on another system then either NFS mount
your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system
may need something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the policy,
rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and
"monitor" commands.<br>
<p><font size="2"> Updated 1/11/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
</body>
</html>

View File

@ -24,7 +24,9 @@
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br>
Version 3.1</font></h1> Version 3.1</font></h1>
</td> </td>
</tr> </tr>
@ -32,8 +34,8 @@
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that <p align="center">With thanks to Richard who reminded me once again that we
we must all first walk before we can run.</p> must all first walk before we can run.</p>
<h2>The Guides</h2> <h2>The Guides</h2>
@ -44,8 +46,8 @@ we must all first walk before we can run.</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li> <li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System <li><a href="two-interface.htm">Two-interface</a> Linux
acting as a firewall/router for a small local network</li> System acting as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux <li><a href="three-interface.htm">Three-interface</a> Linux
System acting as a firewall/router for a small local network and System acting as a firewall/router for a small local network and
a DMZ.</li> a DMZ.</li>
@ -61,22 +63,23 @@ a DMZ.</li>
than is explained in the single-address guides above.</b></p> than is explained in the single-address guides above.</b></p>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0
Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li> Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network <li><a href="shorewall_setup_guide.htm#Interfaces">3.0
Interfaces</a></li> Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, <li><a href="shorewall_setup_guide.htm#Addressing">4.0
Subnets and Routing</a> Addressing, Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP <li><a href="shorewall_setup_guide.htm#Addresses">4.1
Addresses</a></li> IP Addresses</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol</a></li> Resolution Protocol</a></li>
</ul> </ul>
@ -84,7 +87,7 @@ Resolution Protocol</a></li>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li> 1918</a></li>
</ul> </ul>
@ -100,23 +103,27 @@ Resolution Protocol</a></li>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> <li><a href="shorewall_setup_guide.htm#NonRouted">5.2
Non-routed</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li> <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li> SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li> Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li> NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li> Odds and Ends</a></li>
</ul> </ul>
@ -132,12 +139,13 @@ Odds and Ends</a></li>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p> to use this documentation directly.</p>
<ul> <ul>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
@ -149,18 +157,26 @@ to use this documentation directly.</p>
file features</a> file features</a>
<ul> <ul>
<li>Comments in configuration files</li> <li><a href="configuration_file_basics.htm#Comments">Comments
<li>Line Continuation</li> in configuration files</a></li>
<li>Port Numbers/Service Names</li> <li><a
<li>Port Ranges</li> href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li>Using Shell Variables</li> <li><a href="configuration_file_basics.htm#Ports">Port
<li>Using DNS Names<br> Numbers/Service Names</a></li>
</li> <li><a href="configuration_file_basics.htm#Ranges">Port
<li>Complementing an IP address or Subnet</li> Ranges</a></li>
<li>Shorewall Configurations (making a test configuration)</li> <li><a
<li>Using MAC Addresses in Shorewall</li> href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li>Logging<br> <li><a href="configuration_file_basics.htm#dnsnames">Using
DNS Names</a><br>
</li> </li>
<li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a href="configuration_file_basics.htm#Configs">Shorewall
Configurations (making a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using
MAC Addresses in Shorewall</a></li>
</ul> </ul>
@ -203,15 +219,18 @@ to use this documentation directly.</p>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
to extend Shorewall without modifying Shorewall code)</li> (How to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li> <li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li> <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="configuration_file_basics.htm#Levels">Logging</a><br> <li><a href="shorewall_logging.html">Logging</a><br>
</li> </li>
<li><a href="myfiles.htm">My Configuration Files</a> (How <li><a href="MAC_Validation.html">MAC Verification</a><br>
I personally use Shorewall)</li> </li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="ping.html">'Ping' Management</a><br> <li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
<li><a href="ports.htm">Port Information</a> <li><a href="ports.htm">Port Information</a>
@ -235,7 +254,10 @@ I personally use Shorewall)</li>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li> <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy with
Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN <li>VPN
<ul> <ul>
@ -249,21 +271,19 @@ I personally use Shorewall)</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White List <li><a href="whitelisting_under_shorewall.htm">White List
Creation</a></li> Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 1/9/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br> <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -58,12 +58,12 @@
more about Shorewall than is contained in the <a more about Shorewall than is contained in the <a
href="shorewall_quickstart_guide.htm">single-address guides</a>. Because href="shorewall_quickstart_guide.htm">single-address guides</a>. Because
the range of possible applications is so broad, the Guide will give you the range of possible applications is so broad, the Guide will give you
general guidelines and will point you to other resources as necessary.</p> general guidelines and will point you to other resources as necessary.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you run LEAF Bering, your Shorewall configuration is NOT what I     If you run LEAF Bering, your Shorewall configuration is NOT what
release -- I suggest that you consider installing a stock Shorewall lrp from I release -- I suggest that you consider installing a stock Shorewall lrp
the shorewall.net site before you proceed.</p> from the shorewall.net site before you proceed.</p>
<p>This guide assumes that you have the iproute/iproute2 package installed <p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
@ -81,16 +81,16 @@ for this program:</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must     If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must run save them as Unix files if your editor supports that option or you must
them through dos2unix before trying to use them with Shorewall. Similarly, run them through dos2unix before trying to use them with Shorewall. Similarly,
if you copy a configuration file from your Windows hard drive to a floppy if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p> disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
@ -142,8 +142,8 @@ in this guide. Skeleton files are created during the <a
<p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning <p>With the exception of <b>fw</b>, Shorewall attaches absolutely no meaning
to zone names. Zones are entirely what YOU make of them. That means that to zone names. Zones are entirely what YOU make of them. That means that
you should not expect Shorewall to do something special "because this is you should not expect Shorewall to do something special "because this
the internet zone" or "because that is the DMZ".</p> is the internet zone" or "because that is the DMZ".</p>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    Edit the /etc/shorewall/zones file and make any changes necessary.</p>     Edit the /etc/shorewall/zones file and make any changes necessary.</p>
@ -152,8 +152,8 @@ in this guide. Skeleton files are created during the <a
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from one zone to <li>You express your default policy for connections from one zone
another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li> </a>file.</li>
<li>You define exceptions to those default policies in the <a <li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
@ -166,7 +166,7 @@ another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
tracking function</a> that allows what is often referred to as <i>stateful tracking function</a> that allows what is often referred to as <i>stateful
inspection</i> of packets. This stateful property allows firewall rules inspection</i> of packets. This stateful property allows firewall rules
to be defined in terms of <i>connections</i> rather than in terms of to be defined in terms of <i>connections</i> rather than in terms of
packets. With Shorewall, you:</p> packets. With Shorewall, you:</p>
<ol> <ol>
<li> Identify the source zone.</li> <li> Identify the source zone.</li>
@ -174,9 +174,9 @@ packets. With Shorewall, you:</p>
<li> If the POLICY from the client's zone to the server's zone <li> If the POLICY from the client's zone to the server's zone
is what you want for this client/server pair, you need do nothing is what you want for this client/server pair, you need do nothing
further.</li> further.</li>
<li> If the POLICY is not what you want, then you must add a <li> If the POLICY is not what you want, then you must add
rule. That rule is expressed in terms of the client's zone and the a rule. That rule is expressed in terms of the client's zone and
server's zone.</li> the server's zone.</li>
</ol> </ol>
@ -238,18 +238,18 @@ the request is first checked against the rules in /etc/shorewall/common.def.</
<ol> <ol>
<li>allow all connection requests from your local network to the internet</li> <li>allow all connection requests from your local network to the internet</li>
<li>drop (ignore) all connection requests from the internet to your <li>drop (ignore) all connection requests from the internet to your
firewall or local network and log a message at the <i>info</i> level firewall or local network and log a message at the <i>info</i> level
(<a href="configuration_file_basics.htm#Levels">here</a> is a description (<a href="shorewall_logging.html">here</a> is a description of log levels).</li>
of log levels).</li> <li>reject all other connection requests and log a message at the
<li>reject all other connection requests and log a message at the <i>info</i> <i>info</i> level. When a request is rejected, the firewall will
level. When a request is rejected, the firewall will return an RST (if return an RST (if the protocol is TCP) or an ICMP port-unreachable packet
the protocol is TCP) or an ICMP port-unreachable packet for other protocols.</li> for other protocols.</li>
</ol> </ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_.gif" width="13" height="13">
    At this point, edit your /etc/shorewall/policy and make any changes     At this point, edit your /etc/shorewall/policy and make any changes
that you wish.</p> that you wish.</p>
<h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2> <h2 align="left"><a name="Interfaces"></a>3.0 Network Interfaces</h2>
@ -261,11 +261,11 @@ that you wish.</p>
<ul> <ul>
<li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used <li>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
to isolate your internet-accessible servers from your local systems so to isolate your internet-accessible servers from your local systems so
that if one of those servers is compromised, you still have the firewall that if one of those servers is compromised, you still have the firewall
between the compromised system and your local systems. </li> between the compromised system and your local systems. </li>
<li>The Local Zone consists of systems Local 1, Local 2 and Local 3. <li>The Local Zone consists of systems Local 1, Local 2 and Local
</li> 3. </li>
<li>All systems from the ISP outward comprise the Internet Zone. </li> <li>All systems from the ISP outward comprise the Internet Zone. </li>
</ul> </ul>
@ -275,8 +275,8 @@ between the compromised system and your local systems. </li>
</p> </p>
<p align="left">The simplest way to define zones is to simply associate the <p align="left">The simplest way to define zones is to simply associate the
zone name (previously defined in /etc/shorewall/zones) with a network interface. zone name (previously defined in /etc/shorewall/zones) with a network
This is done in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> interface. This is done in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</p> file.</p>
<p align="left">The firewall illustrated above has three network interfaces. <p align="left">The firewall illustrated above has three network interfaces.
@ -284,33 +284,33 @@ between the compromised system and your local systems. </li>
Interface</i> will be the Ethernet adapter that is connected to that "Modem" Interface</i> will be the Ethernet adapter that is connected to that "Modem"
(e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External Interface <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
will be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
modem, your External Interface will also be <b>ppp0</b>. If you connect via a regular modem, your External Interface will also be <b>ppp0</b>.
using ISDN, you external interface will be <b>ippp0.</b></p> If you connect using ISDN, you external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    If your external interface is <b>ppp0</b> or <b>ippp0 </b>then you     If your external interface is <b>ppp0</b> or <b>ippp0 </b>then you
will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p> will want to set CLAMPMSS=yes in <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0, <p align="left">Your <i>Local Interface</i> will be an Ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local computers eth1 or eth2) and will be connected to a hub or switch. Your local computers
will be connected to the same switch (note: If you have only a single local will be connected to the same switch (note: If you have only a single
system, you can connect the firewall directly to the computer using a <i>cross-over local system, you can connect the firewall directly to the computer using
</i> cable).</p> a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter <p align="left">Your <i>DMZ Interface</i> will also be an Ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ
computers will be connected to the same switch (note: If you have only a computers will be connected to the same switch (note: If you have only
single DMZ system, you can connect the firewall directly to the computer a single DMZ system, you can connect the firewall directly to the computer
using a <i>cross-over </i> cable).</p> using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u>Do not connect more than one interface to the same hub or switch </b></u>Do not connect more than one interface to the same hub or switch
(even for testing). It won't work the way that you expect it to and you (even for testing). It won't work the way that you expect it to and you
will end up confused and believing that Linux networking doesn't work at will end up confused and believing that Linux networking doesn't work at
all.</p> all.</p>
<p align="left">For the remainder of this Guide, we will assume that:</p> <p align="left">For the remainder of this Guide, we will assume that:</p>
@ -370,7 +370,8 @@ all.</p>
    Edit the /etc/shorewall/interfaces file and define the network interfaces     Edit the /etc/shorewall/interfaces file and define the network interfaces
on your firewall and associate each interface with a zone. If you have on your firewall and associate each interface with a zone. If you have
a zone that is interfaced through more than one interface, simply include a zone that is interfaced through more than one interface, simply include
one entry for each interface and repeat the zone name as many times as necessary.</p> one entry for each interface and repeat the zone name as many times as
necessary.</p>
<p align="left">Example:</p> <p align="left">Example:</p>
@ -446,10 +447,10 @@ one entry for each interface and repeat the zone name as many times as necessar
<h2 align="left"><a name="Addressing"></a>4.0 Addressing, Subnets and Routing</h2> <h2 align="left"><a name="Addressing"></a>4.0 Addressing, Subnets and Routing</h2>
<p align="left">Normally, your ISP will assign you a set of <i> Public</i> <p align="left">Normally, your ISP will assign you a set of <i> Public</i>
IP addresses. You will configure your firewall's external interface to use IP addresses. You will configure your firewall's external interface to
one of those addresses permanently and you will then have to decide how use one of those addresses permanently and you will then have to decide
you are going to use the rest of your addresses. Before we tackle that question how you are going to use the rest of your addresses. Before we tackle that
though, some background is in order.</p> question though, some background is in order.</p>
<p align="left">If you are thoroughly familiar with IP addressing and routing, <p align="left">If you are thoroughly familiar with IP addressing and routing,
you may <a href="#Options">go to the next section</a>.</p> you may <a href="#Options">go to the next section</a>.</p>
@ -481,8 +482,8 @@ value "w", the next byte has value "x", etc. If we take the address 192.0.2.14
<p align="left">You will still hear the terms "Class A network", "Class B <p align="left">You will still hear the terms "Class A network", "Class B
network" and "Class C network". In the early days of IP, networks only network" and "Class C network". In the early days of IP, networks only
came in three sizes (there were also Class D networks but they were used came in three sizes (there were also Class D networks but they were used
differently):</p> differently):</p>
<blockquote> <blockquote>
<p align="left">Class A - netmask 255.0.0.0, size = 2 ** 24</p> <p align="left">Class A - netmask 255.0.0.0, size = 2 ** 24</p>
@ -495,10 +496,10 @@ differently):</p>
<p align="left">The class of a network was uniquely determined by the value <p align="left">The class of a network was uniquely determined by the value
of the high order byte of its address so you could look at an IP address of the high order byte of its address so you could look at an IP address
and immediately determine the associated <i>netmask</i>. The netmask is and immediately determine the associated <i>netmask</i>. The netmask is
a number that when logically ANDed with an address isolates the <i>network a number that when logically ANDed with an address isolates the <i>network
number</i>; the remainder of the address is the <i>host number</i>. For number</i>; the remainder of the address is the <i>host number</i>. For
example, in the Class C address 192.0.2.14, the network number is hex C00002 example, in the Class C address 192.0.2.14, the network number is hex C00002
and the host number is hex 0E.</p> and the host number is hex 0E.</p>
<p align="left">As the internet grew, it became clear that such a gross partitioning <p align="left">As the internet grew, it became clear that such a gross partitioning
of the 32-bit address space was going to be very limiting (early on, large of the 32-bit address space was going to be very limiting (early on, large
@ -533,15 +534,15 @@ to as
<p align="left">As you can see by this definition, in each subnet of size <p align="left">As you can see by this definition, in each subnet of size
<b>n</b> there are (<b>n</b> - 2) usable addresses (addresses that can <b>n</b> there are (<b>n</b> - 2) usable addresses (addresses that can
be assigned to hosts). The first and last address in the subnet are used be assigned to hosts). The first and last address in the subnet are
for the subnet address and subnet broadcast address respectively. Consequently, used for the subnet address and subnet broadcast address respectively.
small subnetworks are more wasteful of IP addresses than are large ones. Consequently, small subnetworks are more wasteful of IP addresses than
</p> are large ones. </p>
<p align="left">Since <b>n</b> is a power of two, we can easily calculate <p align="left">Since <b>n</b> is a power of two, we can easily calculate
the <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more common the <i>Natural Logarithm</i> (<b>log2</b>) of <b>n</b>. For the more
subnet sizes, the size and its natural logarithm are given in the following common subnet sizes, the size and its natural logarithm are given in the
table:</p> following table:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -630,7 +631,7 @@ to as
<p align="left">You will notice that the above table also contains a column <p align="left">You will notice that the above table also contains a column
for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet for (32 - log2 <b>n</b>). That number is the <i>Variable Length Subnet
Mask</i> for a network of size <b>n</b>. From the above table, we can Mask</i> for a network of size <b>n</b>. From the above table, we can
derive the following one which is a little easier to use.</p> derive the following one which is a little easier to use.</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -738,12 +739,13 @@ subnet mask has 26 leading one bits:</p>
<p align="left">The subnet mask has the property that if you logically AND <p align="left">The subnet mask has the property that if you logically AND
the subnet mask with an address in the subnet, the result is the subnet the subnet mask with an address in the subnet, the result is the subnet
address. Just as important, if you logically AND the subnet mask with address. Just as important, if you logically AND the subnet mask with
an address outside the subnet, the result is NOT the subnet address. As an address outside the subnet, the result is NOT the subnet address.
we will see below, this property of subnet masks is very useful in routing.</p> As we will see below, this property of subnet masks is very useful in
routing.</p>
<p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose <p align="left">For a subnetwork whose address is <b>a.b.c.d</b> and whose
Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork as Variable Length Subnet Mask is <b>/v</b>, we denote the subnetwork as
"<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.  </p> "<b>a.b.c.d/v</b>" using <i>CIDR</i> <i>Notation</i>.  </p>
<p align="left">Example:</p> <p align="left">Example:</p>
@ -835,9 +837,9 @@ to VLSM <b>/v</b>.</p>
the Dallas, Texas area.<br> the Dallas, Texas area.<br>
<br> <br>
The first three routes are <i>host routes</i> since they indicate how The first three routes are <i>host routes</i> since they indicate how
to get to a single host. In the 'netstat' output this can be seen by the to get to a single host. In the 'netstat' output this can be seen by the
"Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the Flags column. "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the Flags column.
The remainder are 'net' routes since they tell the kernel how to route The remainder are 'net' routes since they tell the kernel how to route
packets to a subnetwork. The last route is the <i>default route</i> and packets to a subnetwork. The last route is the <i>default route</i> and
the gateway mentioned in that route is called the <i>default gateway</i>.</p> the gateway mentioned in that route is called the <i>default gateway</i>.</p>
@ -883,8 +885,8 @@ router at your ISP.</p>
<p align="left">Lets take an example. Suppose that we want to route a packet <p align="left">Lets take an example. Suppose that we want to route a packet
to 192.168.1.5. That address clearly doesn't match any of the host routes to 192.168.1.5. That address clearly doesn't match any of the host routes
in the table but if we logically and that address with 255.255.255.0, the in the table but if we logically and that address with 255.255.255.0,
result is 192.168.1.0 which matches this routing table entry:</p> the result is 192.168.1.0 which matches this routing table entry:</p>
<div align="left"> <div align="left">
<blockquote> <blockquote>
@ -956,11 +958,11 @@ with IP address 192.168.1.19 is 0:6:25:aa:8a:f0.</p>
</blockquote> </blockquote>
<p align="left">The leading question marks are a result of my having specified <p align="left">The leading question marks are a result of my having specified
the 'n' option (Windows 'arp' doesn't allow that option) which causes the the 'n' option (Windows 'arp' doesn't allow that option) which causes
'arp' program to forego IP-&gt;DNS name translation. Had I not given that the 'arp' program to forego IP-&gt;DNS name translation. Had I not given
option, the question marks would have been replaced with the FQDN corresponding that option, the question marks would have been replaced with the FQDN
to each IP address. Notice that the last entry in the table records the corresponding to each IP address. Notice that the last entry in the table
information we saw using tcpdump above.</p> records the information we saw using tcpdump above.</p>
<h3 align="left"><a name="RFC1918"></a>4.5 RFC 1918</h3> <h3 align="left"><a name="RFC1918"></a>4.5 RFC 1918</h3>
@ -971,7 +973,7 @@ information we saw using tcpdump above.</p>
sub-Sahara Africa is delegated to the <i><a href="http://www.arin.net">American sub-Sahara Africa is delegated to the <i><a href="http://www.arin.net">American
Registry for Internet Numbers</a> </i>(ARIN). These RIRs may in turn delegate Registry for Internet Numbers</a> </i>(ARIN). These RIRs may in turn delegate
to national registries. Most of us don't deal with these registrars but to national registries. Most of us don't deal with these registrars but
rather get our IP addresses from our ISP.</p> rather get our IP addresses from our ISP.</p>
<p align="left">It's a fact of life that most of us can't afford as many <p align="left">It's a fact of life that most of us can't afford as many
Public IP addresses as we have devices to assign them to so we end up making Public IP addresses as we have devices to assign them to so we end up making
@ -985,9 +987,9 @@ ranges for this purpose:</p>
<div align="left"> <div align="left">
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. This is understandable forward packets which have an RFC-1918 destination address. This is understandable
given that anyone can select any of these addresses for their private given that anyone can select any of these addresses for their private
use.</p> use.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1005,7 +1007,7 @@ more organizations (including ISPs) are beginning to use RFC 1918 addresses
<li> <li>
<p align="left">You don't want to use addresses that are being used by <p align="left">You don't want to use addresses that are being used by
your ISP or by another organization with whom you want to establish your ISP or by another organization with whom you want to establish
a VPN relationship. </p> a VPN relationship. </p>
</li> </li>
</ul> </ul>
@ -1033,9 +1035,9 @@ your ISP will handle that set of addresses in one of two ways:</p>
<li> <li>
<p align="left"><b>Routed - </b>Traffic to any of your addresses will <p align="left"><b>Routed - </b>Traffic to any of your addresses will
be routed through a single <i>gateway address</i>. This will generally be routed through a single <i>gateway address</i>. This will generally
only be done if your ISP has assigned you a complete subnet (/29 or larger). only be done if your ISP has assigned you a complete subnet (/29 or
In this case, you will assign the gateway address as the IP address of larger). In this case, you will assign the gateway address as the IP
your firewall/router's external interface. </p> address of your firewall/router's external interface. </p>
</li> </li>
<li> <li>
<p align="left"><b>Non-routed - </b>Your ISP will send traffic to each <p align="left"><b>Non-routed - </b>Your ISP will send traffic to each
@ -1048,18 +1050,22 @@ your ISP will handle that set of addresses in one of two ways:</p>
<div align="left"> <div align="left">
<p align="left">In the subsections that follow, we'll look at each of these <p align="left">In the subsections that follow, we'll look at each of these
separately.<br> separately.<br>
</p> </p>
<p align="left">Before we begin, there is one thing for you to check:</p> <p align="left">Before we begin, there is one thing for you to check:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
    If you are using the Debian package, please check your shorewall.conf     If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change file to ensure that the following are set correctly; if they are not, change
them appropriately:<br> them appropriately:<br>
</p> </p>
<ul> <ul>
<li>NAT_ENABLED=Yes</li> <li>NAT_ENABLED=Yes</li>
<li>IP_FORWARDING=On<br> <li>IP_FORWARDING=On<br>
</li> </li>
</ul> </ul>
</div> </div>
@ -1092,12 +1098,12 @@ the local network would be 192.0.2.73.</p>
<div align="left"> <div align="left">
<p align="left">Notice that this arrangement is rather wasteful of public <p align="left">Notice that this arrangement is rather wasteful of public
IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet addresses, IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet
192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and 192.0.2.66 addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses
and 168.0.2.73 for internal addresses on the firewall/router. Nevertheless, and 192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router.
it shows how subnetting can work and if we were dealing with a /24 rather Nevertheless, it shows how subnetting can work and if we were dealing
than a /28 network, the use of 6 IP addresses out of 256 would be justified with a /24 rather than a /28 network, the use of 6 IP addresses out
because of the simplicity of the setup.</p> of 256 would be justified because of the simplicity of the setup.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1116,10 +1122,10 @@ routing table on DMZ 1 will look like this:</p>
<div align="left"> <div align="left">
<p align="left">This means that DMZ 1 will send an ARP "who-has 192.0.2.65" <p align="left">This means that DMZ 1 will send an ARP "who-has 192.0.2.65"
request and no device on the DMZ Ethernet segment has that IP address. request and no device on the DMZ Ethernet segment has that IP address.
Oddly enough, the firewall will respond to the request with the MAC address Oddly enough, the firewall will respond to the request with the MAC
of its <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet frames addressed address of its <u>DMZ Interface!!</u> DMZ 1 can then send Ethernet frames
to that MAC address and the frames will be received (correctly) by the addressed to that MAC address and the frames will be received (correctly)
firewall/router.</p> by the firewall/router.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1128,8 +1134,8 @@ the Linux Kernel that prompts the warning earlier in this guide regarding
the connecting of multiple firewall/router interfaces to the same hub the connecting of multiple firewall/router interfaces to the same hub
or switch. When an ARP request for one of the firewall/router's IP addresses or switch. When an ARP request for one of the firewall/router's IP addresses
is sent by another system connected to the hub/switch, all of the firewall's is sent by another system connected to the hub/switch, all of the firewall's
interfaces that connect to the hub/switch can respond! It is then a race interfaces that connect to the hub/switch can respond! It is then a
as to which "here-is" response reaches the sender first.</p> race as to which "here-is" response reaches the sender first.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1152,7 +1158,7 @@ IP addresses to set up our networks as shown in the preceding example
<div align="left"> <div align="left">
<p align="left"><b>For the remainder of this section, assume that your ISP <p align="left"><b>For the remainder of this section, assume that your ISP
has assigned you IP addresses 192.0.2.176-180 and has told you to use has assigned you IP addresses 192.0.2.176-180 and has told you to use
netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p> netmask 255.255.255.0 and default gateway 192.0.2.254.</b></p>
</div> </div>
<div align="left"> <div align="left">
@ -1196,17 +1202,17 @@ these will be discussed in the sections that follow.</p>
<p align="left">With SNAT, an internal LAN segment is configured using RFC <p align="left">With SNAT, an internal LAN segment is configured using RFC
1918 addresses. When a host <b>A </b>on this internal segment initiates 1918 addresses. When a host <b>A </b>on this internal segment initiates
a connection to host <b>B</b> on the internet, the firewall/router rewrites a connection to host <b>B</b> on the internet, the firewall/router rewrites
the IP header in the request to use one of your public IP addresses as the IP header in the request to use one of your public IP addresses
the source address. When <b>B</b> responds and the response is received as the source address. When <b>B</b> responds and the response is received
by the firewall, the firewall changes the destination address back to by the firewall, the firewall changes the destination address back to
the RFC 1918 address of <b>A</b> and forwards the response back to <b>A.</b></p> the RFC 1918 address of <b>A</b> and forwards the response back to <b>A.</b></p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Let's suppose that you decide to use SNAT on your local zone <p align="left">Let's suppose that you decide to use SNAT on your local zone
and use public address 192.0.2.176 as both your firewall's external IP and use public address 192.0.2.176 as both your firewall's external
address and the source IP address of internet requests sent from that IP address and the source IP address of internet requests sent from
zone.</p> that zone.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1223,7 +1229,7 @@ zone.</p>
<div align="left"> <img border="0" src="images/BD21298_2.gif" <div align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
    The systems in the local zone would be configured with a default     The systems in the local zone would be configured with a default
gateway of 192.168.201.1 (the IP address of the firewall's local interface).</div> gateway of 192.168.201.1 (the IP address of the firewall's local interface).</div>
<div align="left">  </div> <div align="left">  </div>
@ -1255,11 +1261,11 @@ gateway of 192.168.201.1 (the IP address of the firewall's local interface).<
<div align="left"> <div align="left">
<p align="left">This example used the normal technique of assigning the same <p align="left">This example used the normal technique of assigning the same
public IP address for the firewall external interface and for SNAT. If public IP address for the firewall external interface and for SNAT.
you wanted to use a different IP address, you would either have to use If you wanted to use a different IP address, you would either have to
your distributions network configuration tools to add that IP address use your distributions network configuration tools to add that IP address
to the external interface or you could set ADD_SNAT_ALIASES=Yes in to the external interface or you could set ADD_SNAT_ALIASES=Yes in
/etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p> /etc/shorewall/shorewall.conf and Shorewall will add the address for you.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1268,9 +1274,9 @@ to the external interface or you could set ADD_SNAT_ALIASES=Yes in
<div align="left"> <div align="left">
<p align="left">When SNAT is used, it is impossible for hosts on the internet <p align="left">When SNAT is used, it is impossible for hosts on the internet
to initiate a connection to one of the internal systems since those systems to initiate a connection to one of the internal systems since those
do not have a public IP address. DNAT provides a way to allow selected systems do not have a public IP address. DNAT provides a way to allow
connections from the internet.</p> selected connections from the internet.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1368,8 +1374,8 @@ will respond (with the MAC if the firewall interface to <b>H</b>). </p>
<div align="left"> Here, we've assigned the IP addresses 192.0.2.177 to <div align="left"> Here, we've assigned the IP addresses 192.0.2.177 to
system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned
an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface
on the firewall. That address and netmask isn't relevant - just be sure on the firewall. That address and netmask isn't relevant - just be sure
it doesn't overlap another subnet that you've defined.</div> it doesn't overlap another subnet that you've defined.</div>
<div align="left">  </div> <div align="left">  </div>
@ -1409,32 +1415,74 @@ it doesn't overlap another subnet that you've defined.</div>
<div align="left"> <div align="left">
<p align="left">Because the HAVE ROUTE column contains No, Shorewall will <p align="left">Because the HAVE ROUTE column contains No, Shorewall will
add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.</p> add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.<br>
</p>
<p align="left">The ethernet interfaces on DMZ 1 and DMZ 2 should be configured
to have the IP addresses shown but should have the same default gateway as
the firewall itself -- namely 192.0.2.254.<br>
</p>
</div> </div>
<div align="left">
<p align="left"></p>
</div>
<div align="left">
<div align="left"> <div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure <p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it parallel to your firewall to behind your firewall with Proxy ARP, it will
will probably be HOURS before that system can communicate with the internet. probably be HOURS before that system can communicate with the internet.
You can call your ISP and ask them to purge the stale ARP cache entry There are a couple of things that you can try:<br>
but many either can't or won't purge individual entries. You can determine </p>
if your ISP's gateway ARP cache is stale using ping and tcpdump. Suppose
that we suspect that the gateway router has a stale ARP cache entry for <ol>
192.0.2.177. On the firewall, run tcpdump as follows:</p> <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their ARP
cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC
address for its own IP; in addition to ensuring that the IP address isn't
a duplicate,...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware address...,
this packet causes any other host...that has an entry in its cache for the
old hardware address to update its ARP cache entry accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP (or
static NAT for that matter). Happily enough, recent versions of Redhat's iputils
package include "arping", whose "-U" flag does just that:<br>
<br>
    <font color="#009900"><b>arping -U -I &lt;net if&gt; &lt;newly proxied
IP&gt;</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly to gratuitous
ARPs, but googling for "arping -U" seems to support the idea that it works
most of the time.<br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a stale
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
<div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
</div> </div>
<div align="left"> <div align="left">
<pre> tcpdump -nei eth0 icmp</pre> <p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
will assume is 130.252.100.254):</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Now from 192.0.2.177, ping the default gateway (which we <pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
are assuming is 192.0.2.254):</p>
</div> </div>
<div align="left">
<pre> ping 192.0.2.254</pre>
</div> </div>
<div align="left"> <div align="left">
@ -1450,8 +1498,8 @@ are assuming is 192.0.2.254):</p>
different from the destination MAC address in the echo reply!! In this different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of DMZ 1. In other words, the gateway's ARP cache was the MAC address of DMZ 1. In other words, the gateway's ARP cache
still associates 192.0.2.177 with the NIC in DMZ 1 rather than with the still associates 192.0.2.177 with the NIC in DMZ 1 rather than with the
firewall's eth0.</p> firewall's eth0.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1503,8 +1551,9 @@ firewall's eth0.</p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Suppose now that you have decided to give your daughter her own     Suppose now that you have decided to give your daughter her own
IP address (192.0.2.179) for both inbound and outbound connections. You IP address (192.0.2.179) for both inbound and outbound connections.
would do that by adding an entry in <a href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p> You would do that by adding an entry in <a
href="Documentation.htm#NAT">/etc/shorewall/nat</a>.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1540,10 +1589,10 @@ would do that by adding an entry in <a href="Documentation.htm#NAT">/etc/sho
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Once the relationship between 192.0.2.179 and 192.168.201.4 is established     Once the relationship between 192.0.2.179 and 192.168.201.4 is
by the nat file entry above, it is no longer appropriate to use a established by the nat file entry above, it is no longer appropriate
DNAT rule for you daughter's web server -- you would rather just use to use a DNAT rule for you daughter's web server -- you would rather just
an ACCEPT rule:</p> use an ACCEPT rule:</p>
</div> </div>
<div align="left"> <div align="left">
@ -1582,12 +1631,13 @@ an ACCEPT rule:</p>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    With the default policies, your local systems (Local 1-3) can access     With the default policies, your local systems (Local 1-3) can
any servers on the internet and the DMZ can't access any other host (including access any servers on the internet and the DMZ can't access any other
the firewall). With the exception of <a href="#DNAT">DNAT rules</a> which host (including the firewall). With the exception of <a
cause address translation and allow the translated connection request href="#DNAT">DNAT rules</a> which cause address translation and allow
to pass through the firewall, the way to allow connection requests through the translated connection request to pass through the firewall, the way
your firewall is to use ACCEPT rules.</p> to allow connection requests through your firewall is to use ACCEPT
rules.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1887,8 +1937,9 @@ I prefer to use NAT only in cases where a system that is part of an RFC
    If you haven't already, it would be a good idea to browse through     If you haven't already, it would be a good idea to browse through
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> just <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> just
to see if there is anything there that might be of interest. You might to see if there is anything there that might be of interest. You might
also want to look at the other configuration files that you haven't touched also want to look at the other configuration files that you haven't
yet just to get a feel for the other things that Shorewall can do.</p> touched yet just to get a feel for the other things that Shorewall can
do.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1939,10 +1990,10 @@ site-specific).</p>
<div align="left"> <div align="left">
<p align="left">The setup described here requires that your network interfaces <p align="left">The setup described here requires that your network interfaces
be brought up before Shorewall can start. This opens a short window during be brought up before Shorewall can start. This opens a short window
which you have no firewall protection. If you replace 'detect' with the during which you have no firewall protection. If you replace 'detect'
actual broadcast addresses in the entries above, you can bring up Shorewall with the actual broadcast addresses in the entries above, you can bring
before you bring up your network interfaces.</p> up Shorewall before you bring up your network interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
@ -2289,11 +2340,11 @@ DNS servers. You can combine the two into a single BIND 9 server using
<div align="left"> <div align="left">
<p align="left">Suppose that your domain is foobar.net and you want the two <p align="left">Suppose that your domain is foobar.net and you want the two
DMZ systems named www.foobar.net and mail.foobar.net and you want the DMZ systems named www.foobar.net and mail.foobar.net and you want the
three local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net. three local systems named "winken.foobar.net, blinken.foobar.net and
You want your firewall to be known as firewall.foobar.net externally nod.foobar.net. You want your firewall to be known as firewall.foobar.net
and it's interface to the local network to be know as gateway.foobar.net externally and it's interface to the local network to be know as gateway.foobar.net
and its interface to the dmz as dmz.foobar.net. Let's have the DNS server and its interface to the dmz as dmz.foobar.net. Let's have the DNS server
on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p> on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
</div> </div>
<div align="left"> <div align="left">
@ -2307,7 +2358,7 @@ on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
</div> </div>
<div align="left"> <div align="left">
<pre>#<br># This is the view presented to our internal systems<br>#<br><br>view "internal" {<br> #<br> # These are the clients that see this view<br> #<br> match-clients { 192.168.201.0/29;<br> 192.168.202.0/29;<br> 127.0.0/24;<br> 192.0.2.176/32; <br> 192.0.2.178/32;<br> 192.0.2.179/32;<br> 192.0.2.180/32; };<br> #<br> # If this server can't complete the request, it should use outside<br> # servers to do so<br> #<br> recursion yes;<br><br> zone "." in {<br> type hint;<br> file "int/root.cache";<br> };<br><br> zone "foobar.net" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.foobar";<br> };<br><br> zone "0.0.127.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.127.0.0"; <br> };<br><br> zone "201.168.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.192.168.201";<br> };<br><br> zone "202.168.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.192.168.202";<br> };<br><br> zone "176.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.176";<br> };<br><br> zone "177.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.177";<br> };<br><br> zone "178.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.178";<br> };<br><br> zone "179.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.206.124.146.179";<br> };<br><br>};<br>#<br># This is the view that we present to the outside world<br>#<br>view "external" {<br> match-clients { any; };<br> #<br> # If we can't answer the query, we tell the client so<br> #<br> recursion no;<br><br> zone "foobar.net" in {<br> type master;<br> notify yes;<br> allow-update {none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "ext/db.foobar";<br> };<br><br> zone "176.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.176";<br> };<br><br> zone "177.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.177";<br> };<br><br> zone "178.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.178";<br> };<br><br> zone "179.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.179";<br> };<br>};</pre> <pre>#<br># This is the view presented to our internal systems<br>#<br><br>view "internal" {<br> #<br> # These are the clients that see this view<br> #<br> match-clients { 192.168.201.0/29;<br> 192.168.202.0/29;<br> 127.0.0/24;<br> 192.0.2.176/32; <br> 192.0.2.178/32;<br> 192.0.2.179/32;<br> 192.0.2.180/32; };<br> #<br> # If this server can't complete the request, it should use outside<br> # servers to do so<br> #<br> recursion yes;<br><br> zone "." in {<br> type hint;<br> file "int/root.cache";<br> };<br><br> zone "foobar.net" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.foobar";<br> };<br><br> zone "0.0.127.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.127.0.0"; <br> };<br><br> zone "201.168.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.192.168.201";<br> };<br><br> zone "202.168.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "int/db.192.168.202";<br> };<br><br> zone "176.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.176";<br> };<br> (or status NAT for that matter)<br> zone "177.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.177";<br> };<br><br> zone "178.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.192.0.2.178";<br> };<br><br> zone "179.2.0.192.in-addr.arpa" in {<br> type master;<br> notify no;<br> allow-update { none; };<br> file "db.206.124.146.179";<br> };<br><br>};<br>#<br># This is the view that we present to the outside world<br>#<br>view "external" {<br> match-clients { any; };<br> #<br> # If we can't answer the query, we tell the client so<br> #<br> recursion no;<br><br> zone "foobar.net" in {<br> type master;<br> notify yes;<br> allow-update {none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "ext/db.foobar";<br> };<br><br> zone "176.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.176";<br> };<br><br> zone "177.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.177";<br> };<br><br> zone "178.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.178";<br> };<br><br> zone "179.2.0.192.in-addr.arpa" in {<br> type master;<br> notify yes;<br> allow-update { none; };<br> allow-transfer { <i>&lt;secondary NS IP&gt;</i>; };<br> file "db.192.0.2.179";<br> };<br>};</pre>
</div> </div>
</blockquote> </blockquote>
</div> </div>
@ -2430,26 +2481,28 @@ on 192.0.2.177 which will also be known by the name ns1.foobar.net.</p>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    Edit the /etc/shorewall/routestopped file and configure those systems     Edit the /etc/shorewall/routestopped file and configure those
that you want to be able to access the firewall when it is stopped.</p> systems that you want to be able to access the firewall when it is stopped.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="Documentation.htm#Configs">alternate configuration</a></i> an <i><a href="Documentation.htm#Configs">alternate configuration</a></i>
and test it using the <a href="Documentation.htm#Starting">"shorewall and test it using the <a href="Documentation.htm#Starting">"shorewall
try" command</a>.</p> try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 12/13/2002 - <a <p align="left"><font size="2">Last updated 1/13/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
M. Eastep</font></a></p> Thomas M. Eastep</font></a></p>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>

View File

@ -13,7 +13,8 @@
<base target="_self"> <base
target="_self">
</head> </head>
<body> <body>
@ -35,14 +36,16 @@
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3 - </a></i></font><font color="#ffffff">Shorewall
<font size="4">"<i>iptables made easy"</i></font></font><a 1.3 - <font size="4">"<i>iptables made
href="http://www.sf.net"> </a></h1> easy"</i></font></font><a href="http://www.sf.net"> </a></h1>
@ -84,6 +87,7 @@
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -94,9 +98,10 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall <p>The Shoreline Firewall, more commonly known as "Shorewall", is
that can be used on a dedicated firewall system, a multi-function a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -107,24 +112,25 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
Public License</a> as published by the Free Software Foundation.<br> General Public License</a> as published by the Free Software Foundation.<br>
<br> <br>
This program is distributed in the hope that This program is distributed in the
it will be useful, but WITHOUT ANY WARRANTY; without hope that it will be useful, but WITHOUT ANY
even the implied warranty of MERCHANTABILITY or WARRANTY; without even the implied warranty of MERCHANTABILITY
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General or FITNESS FOR A PARTICULAR PURPOSE. See the
Public License for more details.<br> GNU General Public License for more details.<br>
<br> <br>
You should have received a copy of the GNU You should have received a copy of the
General Public License along with this program; GNU General Public License along with this
if not, write to the Free Software Foundation, program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -135,7 +141,9 @@ Public License</a> as published by the Free Software Foundation.<br>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -149,16 +157,17 @@ Public License</a> as published by the Free Software Foundation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have </a>Jacques Nilo and Eric Wolzak
a LEAF (router/firewall/gateway on a floppy, CD or compact have a LEAF (router/firewall/gateway on a floppy, CD
flash) distribution called <i>Bering</i> that or compact flash) distribution called <i>Bering</i>
features Shorewall-1.3.10 and Kernel-2.4.18. You that features Shorewall-1.3.10 and Kernel-2.4.18.
can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the recent <b>Congratulations to Jacques and Eric on
release of Bering 1.0 Final!!! <br> the recent release of Bering 1.0 Final!!! <br>
</b> </b>
<h2>News</h2> <h2>News</h2>
@ -172,109 +181,242 @@ Public License</a> as published by the Free Software Foundation.<br>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
</p> </p>
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
was set to anything but ULOG, the firewall would fail to start and "shorewall <p>Just includes a few things that I had on the burner:<br>
refresh" would also fail.<br> </p>
<ol>
<li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
file. DNAT- is intended for advanced users who wish to minimize the number
of rules that connection requests must traverse.<br>
<br>
A Shorewall DNAT rule actually generates two iptables rules: a header rewriting
rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT-
rule only generates the first of these rules. This is handy when you have
several DNAT rules that would generate the same ACCEPT rule.<br>
<br>
   Here are three rules from my previous rules file:<br>
<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
<br>
   These three rules ended up generating _three_ copies of<br>
<br>
         ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
<br>
   By writing the rules this way, I end up with only one copy of the ACCEPT
rule.<br>
<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
<br>
</li>
<li>The 'shorewall check' command now prints out the applicable policy
between each pair of zones.<br>
<br>
</li>
<li>A new CLEAR_TC option has been added to shorewall.conf. If this
option is set to 'No' then Shorewall won't clear the current traffic control
rules during [re]start. This setting is intended for use by people that prefer
to configure traffic shaping when the network interfaces come up rather than
when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
your traffic shaping rules can still use the 'fwmark' classifier based on
packet marking defined in /etc/shorewall/tcrules.<br>
<br>
</li>
<li>A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf
setting.</li>
</ol>
<p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
</b></p>
<p><b>Until further notice, I will not be involved in either Shorewall
Development or Shorewall Support</b></p>
<p><b>-Tom Eastep</b><br>
</p>
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
</b></p>
<p> Features include:<br>
</p>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of
the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than
40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added
which shows the current packet classification filters. The output from
this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target
rather than the LOG target. This allows you to run ulogd (available from
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a href="shorewall_logging.html">to a
separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain
in the mangle table ("shorewall show mangle" will show you the chains
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading
or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with
empty 'init', 'start', 'stop' and 'stopped' files. If you already have
a file with one of these names, don't worry -- the upgrade process won't
overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in
the /etc/shorewall/rfc1918 file. Previously, these packets were always
logged at the 'info' level.</li>
</ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p>
This version corrects a problem with Blacklist logging. In Beta
2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would
fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br> <p> You may download the Beta from:<br>
</p> </p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p> </b></p>
The first public Beta version of Shorewall 1.3.12 is now available (Beta The first public Beta version of Shorewall 1.3.12 is now available
1 was made available only to a limited audience). <br> (Beta 1 was made available only to a limited audience). <br>
<br> <br>
Features include:<br> Features include:<br>
<br> <br>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping rules <li>"shorewall refresh" now reloads the traffic shaping
(tcrules and tcstart).</li> rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after <li>"shorewall debug [re]start" now turns off debugging
an error occurs. This places the point of the failure near the end of the after an error occurs. This places the point of the failure near the
trace rather than up in the middle of it.</li> end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40% <li>"shorewall [re]start" has been speeded up by more
with my configuration. Your milage may vary.</li> than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which <li>A "shorewall show classifiers" command has been
shows the current packet classification filters. The output from this command added which shows the current packet classification filters. The output
is also added as a separate page in "shorewall monitor"</li> from this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog <li>ULOG (must be all caps) is now accepted as a valid
level and causes the subject packets to be logged using the ULOG target rather syslog level and causes the subject packets to be logged using the ULOG
than the LOG target. This allows you to run ulogd (available from target rather than the LOG target. This allows you to run ulogd (available
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a and log all Shorewall messages <a href="shorewall_logging.html">to a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li> separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in the <li>If you are running a kernel that has a FORWARD chain
mangle table ("shorewall show mangle" will show you the chains in the mangle in the mangle table ("shorewall show mangle" will show you the chains
table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
for marking input packets based on their destination even when you are using This allows for marking input packets based on their destination even
Masquerading or SNAT.</li> when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty <li>I have cluttered up the /etc/shorewall directory
'init', 'start', 'stop' and 'stopped' files. If you already have a file with with empty 'init', 'start', 'stop' and 'stopped' files. If you already
one of these names, don't worry -- the upgrade process won't overwrite your have a file with one of these names, don't worry -- the upgrade process
file.</li> won't overwrite your file.</li>
</ol> </ol>
You may download the Beta from:<br> You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png" href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="23" border="0"> alt="Powered by Mandrake Linux" width="150" height="23" border="0">
</a></b></p> </a></b></p>
Shorewall is at the center of MandrakeSofts's recently-announced <a Shorewall is at the center of MandrakeSofts's recently-announced
<a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br> release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b> <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p> </b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in a delivered. I have installed 9.0 on one of my systems and I am now
position to support Shorewall users who run Mandrake 9.0.</p> in a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br> <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
</p> </p>
<p>Apt-get sources listed at <a <p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b> <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p> </b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
who don't need rules of this type need not upgrade to 1.3.11.</p> users who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b> <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
@ -282,43 +424,50 @@ Masquerading or SNAT.</li>
</p> </p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> <p><b>11/24/2002 - Shorewall 1.3.11</b><b>
</b></p> </b></p>
<p>In this version:</p> <p>In this version:</p>
<ul> <ul>
<li>A 'tcpflags' option has been added to entries <li>A 'tcpflags' option has been added to
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li> header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or <li>It is now allowed to use 'all' in the
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>.
used, 'all' must appear by itself (in may not be qualified) and it does When used, 'all' must appear by itself (in may not be qualified)
not enable intra-zone traffic. For example, the rule <br> and it does not enable intra-zone traffic. For example, the rule <br>
<br> <br>
    ACCEPT loc all tcp 80<br>     ACCEPT loc all tcp 80<br>
<br> <br>
does not enable http traffic from 'loc' to 'loc'.</li> does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible <li>Shorewall's use of the 'echo' command
with bash clones such as ash and dash.</li> is now compatible with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error. <li>fw-&gt;fw policies now generate a startup
fw-&gt;fw rules generate a warning and are ignored</li> error. fw-&gt;fw rules generate a warning and are ignored</li>
</ul> </ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b> <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
@ -326,20 +475,24 @@ used, 'all' must appear by itself (in may not be qualified) and it does
</p> </p>
<p><b></b></p> <p><b></b></p>
<ul> <ul>
</ul> </ul>
<p><b></b><a href="News.htm">More News</a></p> <p><b></b><a href="News.htm">More News</a></p>
@ -351,10 +504,12 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<h2> </h2> <h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -362,21 +517,24 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<h4> </h4> <h4> </h4>
<h2>This site is hosted by the generous folks at <a <h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2> href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c"
align="center"> <br> valign="top" align="center"> <br>
</td> </td>
</tr> </tr>
@ -412,6 +570,7 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
@ -426,11 +585,12 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
@ -446,9 +606,10 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 1/6/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
</body> </body>
</html> </html>

View File

@ -41,12 +41,12 @@
<p> If you have a permanent internet connection such as DSL or Cable, <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once I recommend that you start the firewall automatically at boot. Once
you have installed "firewall" in your init.d directory, simply type you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels "chkconfig --add firewall". This will start the firewall in run
2-5 and stop it in run levels 1 and 6. If you want to configure your levels 2-5 and stop it in run levels 1 and 6. If you want to configure
firewall differently from this default, you can use the "--level" option your firewall differently from this default, you can use the "--level"
in chkconfig (see "man chkconfig") or using your favorite graphical option in chkconfig (see "man chkconfig") or using your favorite
run-level editor.</p> graphical run-level editor.</p>
@ -92,22 +92,27 @@ run-level editor.</p>
addresses of firewall interfaces and the black and white lists.</li> addresses of firewall interfaces and the black and white lists.</li>
</ul> </ul>
If you include the keyword <i>debug</i> as the first argument, then a shell
trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace</p>
<p> The "shorewall" program may also be used to monitor the firewall.</p> <p> The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about the firewall <li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li> (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <i>chain <li>shorewall show <i>chain</i> - produce a verbose report about
</i>(iptables -L <i>chain</i> -n -v)</li> <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table <li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li> (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle <li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li> table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li> <li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently <li>shorewall show connections - displays the IP connections currently
being tracked by the firewall.</li> being tracked by the firewall.</li>
@ -122,16 +127,17 @@ table (iptables -t mangle -L -n -v)</li>
packet log messages in the current /var/log/messages file.</li> packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li> <li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of <li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files. <font size="4" the zones, interfaces, hosts, rules and policy files. <font
color="#ff6666"><b>The "check" command does not parse and validate the size="4" color="#ff6666"><b>The "check" command does not parse and validate
generated iptables commands so even though the "check" command completes the generated iptables commands so even though the "check" command
successfully, the configuration may fail to start. See the recommended completes successfully, the configuration may fail to start. See the
way to make configuration changes described below. </b></font> </li> recommended way to make configuration changes described below. </b></font>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if an error ] - Restart shorewall using the specified configuration and if an error
occurs or if the<i> timeout </i> option is given and the new configuration occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using the has been up for that many seconds then shorewall is restarted using
standard configuration.</li> the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall <li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li> save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <li>shorewall logwatch (added in version 1.3.2) - Monitors the
@ -140,22 +146,22 @@ the zones, interfaces, hosts, rules and policy files. <font size="4"
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter the contents Finally, the "shorewall" program may be used to dynamically alter the contents
of a zone.<br> of a zone.<br>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
specified interface (and host if included) to the specified zone.</li> specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
the specified interface (and host if included) from the specified zone.</li> the specified interface (and host if included) from the specified zone.</li>
</ul> </ul>
<blockquote>Examples:<br> <blockquote>Examples:<br>
<blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
from interface ipsec0 to the zone vpn1<br> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 <font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
from interface ipsec0 from zone vpn1<br> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
</blockquote> </blockquote>
</blockquote> </blockquote>
@ -175,8 +181,8 @@ from interface ipsec0 from zone vpn1<br>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i> is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that . If the file is present in the <i>configuration-directory</i>, that file
file will be used; otherwise, the file in /etc/shorewall will be used.</p> will be used; otherwise, the file in /etc/shorewall will be used.</p>
@ -189,18 +195,18 @@ file will be used; otherwise, the file in /etc/shorewall will be used.</p>
<ul> <ul>
<li>mkdir /etc/test</li> <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li>cd /etc/test</li> <li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from /etc/shorewall <li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li> to . and change them here&gt;</li>
<li>shorewall -c . check</li> <li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li>&lt;correct any errors found by check and check again&gt;</li>
<li>/sbin/shorewall try .</li> <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul> </ul>
@ -219,29 +225,30 @@ file will be used; otherwise, the file in /etc/shorewall will be used.</p>
<ul> <ul>
<li>cp * /etc/shorewall</li> <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li>cd</li> <li><font color="#009900"><b>cd</b></font></li>
<li>rm -rf /etc/test</li> <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul> </ul>
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 1/9/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -30,6 +30,7 @@
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support<img <h1 align="center"><font color="#ffffff">Shorewall Support<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
@ -40,58 +41,55 @@
</tbody> </tbody>
</table> </table>
<p> <br> <p> <b><big><big><font color="#ff0000">Due to "Shorewall burnout", I am currently
<span style="font-weight: 400;"></span></p> not involved in either Shorewall development or Shorewall support. Nevertheless,
the mailing list is being ably manned by other Shorewall users.</font></big><span
style="font-weight: 400;"></span></big></b></p>
<h2><big><font color="#ff0000"><b>I don't look at problems sent to me directly <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
but I try to spend some amount of time each day responding to problems
posted on the Shorewall mailing list.</b></font></big></h2>
<h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
<h2>Before Reporting a Problem</h2> <h2>Before Reporting a Problem</h2>
There are a number of sources for problem
<h3>T<b>here are a number of sources for problem solution information. Please solution information. Please try these before you post.
try these before you post.</b></h3>
<h3> </h3> <h3> </h3>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li>More than half of the questions posted on the support list
<h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common have answers directly accessible from the <a
problems.</b></h3> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br>
</li> </li>
<li> The <a href="FAQ.htm">FAQ</a>
has solutions to more than 20 common problems. </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li> The <a
<h3><b>The <a href="troubleshoot.htm">Troubleshooting</a> Information href="troubleshoot.htm">Troubleshooting</a> Information contains
contains a number of tips to help you solve common problems.</b></h3> a number of tips to help you solve common problems. </li>
</li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li> The <a
<h3><b>The <a href="errata.htm"> Errata</a> has links to download href="errata.htm"> Errata</a> has links to download updated
updated components.</b></h3> components. </li>
</li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li> The Mailing List Archives
<h3><b>The Mailing List Archives search facility can locate posts search facility can locate posts about similar problems:
about similar problems:</b></h3>
</li> </li>
</ul> </ul>
@ -102,6 +100,7 @@
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
@ -127,94 +126,172 @@
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30"
value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2>Problem Reporting Guidelines</h2> <h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a real-world example.  <i>"Let me see if I can translate your message into a real-world
It would be like saying that you have three rooms at home, and when you example. It would be like saying that you have three rooms at home,
walk into one of the rooms, you detect this strange smell.  Can anyone tell and when you walk into one of the rooms, you detect this strange smell.
you what that strange smell is?<br> Can anyone tell you what that strange smell is?<br>
<br> <br>
Now, all of us could do some wonderful guessing as to the smell and even Now, all of us could do some wonderful guessing as to the smell
what's causing it.  You would be absolutely amazed at the range and variety and even what's causing it. You would be absolutely amazed at the range
of smells we could come up with.  Even more amazing is that all of the explanations and variety of smells we could come up with. Even more amazing is that
for the smells would be completely plausible."<br> all of the explanations for the smells would be completely plausible."<br>
</i><br> </i><br>
<div align="center">   - Russell Mosemann<br> <div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
</div> </div>
<br> <br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li>Please remember we only know what is posted in your message. Do
<h3><b>When reporting a problem, give as much information as you can. not leave out any information that appears to be correct, or was mentioned
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</b></h3> in a previous post. There have been countless posts by people who were
sure that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail is lacking.<br>
<br>
</li> </li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous practices
in writing and formatting your e-mail. Provide details that we need if
you expect good answers. <em>Exact quoting </em> of error messages, log
entries, command output, and other output is better than a paraphrase or
summary.<br>
<br>
</li>
<li> Please don't describe your environment
and then ask us to send you custom configuration files.
We're here to answer your questions but we can't do your
job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include this
information:</li>
</ul>
<ul>
<ul>
<li>the exact version of Shorewall you are running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
</b> <br>
</li>
</ul>
<ul>
<li>the exact kernel version you are running<br>
<br>
<font color="#009900"><b>uname -a<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip route show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>If your kernel is modularized, the exact output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses.<br>
<br>
</li>
</ul>
</ul>
<ul>
<li><b>NEVER </b>include the output of "<b><font color="#009900">iptables
-L</font></b>". Instead, please post the exact output of<br>
<br>
<b><font color="#009900">/sbin/shorewall status<br>
<br>
</font></b>Since that command generates a lot of output, we suggest
that you redirect the output to a file and attach the file to your post<br>
<br>
<b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
</li>
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<strong></strong></li>
</ul>
<ul>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>
<h3><b>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your
questions but we can't do your job for you.</b></h3>
</li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li> Do you see any "Shorewall"
<h3><b>Do you see any "Shorewall" messages in /var/log/messages messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems?</b></h3> when you exercise the function that is giving you problems? If
so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li> </li>
<li>Please include any of the Shorewall configuration files (especially
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file) the /etc/shorewall/hosts file if you have modified that file)
that you think are relevant.</b></h3> that you think are relevant. If you include /etc/shorewall/rules,
</li> please include /etc/shorewall/policy as well (rules are meaningless unless
<li> one also knows the policies). </li>
<h3><b>If an error occurs when you try to "shorewall start", include
a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section </ul>
for instructions).</b></h3>
</li> <h3> </h3>
<ul>
</ul>
<h3> </h3>
<ul>
<li> If an error occurs when
you try to "<font color="#009900"><b>shorewall start</b></font>",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions). </li>
</ul> </ul>
@ -223,41 +300,44 @@ for instructions).</b></h3>
<ul> <ul>
<li> <li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of <h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post your network layout, etc. to the Mailing List -- your
will be rejected.</b></h3> post will be rejected.</b></h3>
</li> </li>
</ul> </ul>
The author gratefully acknowleges that the above list was heavily plagiarized
<h3> </h3> from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> found
at <a href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
<blockquote>
<h3><b> While the list server here at shorewall.net accepts and distributes
HTML posts, a growing number of MTAs serving list subscribers are rejecting
this HTML list traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse"!!</b></h3>
<h3><b> I think that blocking all HTML is a rather draconian way to control
spam and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
help by restricting your list posts to plain text.</b></h3>
<h3><b> And as a bonus, subscribers who use email clients like pine and
mutt will be able to read your plain text posts whereas they are most likely
simply ignoring your HTML posts.</b></h3>
<h3><b> A final bonus for the use of HTML is that it cuts down the size
of messages by a large percentage -- that is important when the same message
must be sent 500 times over the slow DSL line connecting the list server
to the internet.</b> </h3>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<h3></h3> <blockquote> </blockquote>
A growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in list
posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam
and that the ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber
wrote to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
Nevertheless, to allow subscribers to receive list posts as must as possible,
I have now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4> list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall
(MNF) and you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a>
<b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p> href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
@ -265,23 +345,18 @@ to the internet.</b> </h3>
<p align="center"><big><font color="#ff0000"><b></b></font></big></p>
<p>To Subscribe to the mailing list go to <a <p>To Subscribe to the mailing list go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 1/9/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -38,46 +38,74 @@
<p align="left">Shorewall traffic shaping support consists of the following:</p> <p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul> <ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Shaping also requires that you enable packet mangling.<br> Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in Shorewall
1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the setting of
this variable determines whether Shorewall clears the traffic shaping configuration
during Shorewall [re]start and Shorewall stop. <br>
</li> </li>
<li>/etc/shorewall/tcrules - A file where you can specify firewall <li><b>/etc/shorewall/tcrules</b> - A file where you can specify
marking of packets. The firewall mark value may be used to classify firewall marking of packets. The firewall mark value may be used to
packets for traffic shaping/control.<br> classify packets for traffic shaping/control.<br>
</li> </li>
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced <li><b>/etc/shorewall/tcstart </b>- A user-supplied file that
by Shorewall during "shorewall start" and which you can use to define is sourced by Shorewall during "shorewall start" and which you can
your traffic shaping disciplines and classes. I have provided a <a use to define your traffic shaping disciplines and classes. I have
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does provided a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a>
table-driven CBQ shaping but if you read the traffic shaping sections of that does table-driven CBQ shaping but if you read the traffic shaping
the HOWTO mentioned above, you can probably code your own faster than sections of the HOWTO mentioned above, you can probably code your
you can learn how to use my sample. I personally use <a own faster than you can learn how to use my sample. I personally use
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
support may eventually become an integral part of Shorewall since HTB support may eventually become an integral part of Shorewall since
HTB is a lot simpler and better-documented than CBQ. As of 2.4.20, HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
HTB is a standard part of the kernel but iproute2 must be patched in HTB is a standard part of the kernel but iproute2 must be patched in
order to use it.<br> order to use it.<br>
<br> <br>
In tcstart, when you want to run the 'tc' utility, use the run_tc In tcstart, when you want to run the 'tc' utility, use the
function supplied by shorewall if you want tc errors to stop the firewall.<br> run_tc function supplied by shorewall if you want tc errors to stop
the firewall.<br>
<br> <br>
You can generally use off-the-shelf traffic shaping scripts by simply copying You can generally use off-the-shelf traffic shaping scripts by simply
them to /etc/shorewall/tcstart. I use <a copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If you modified it according to the Wonder Shaper README). <b>WARNING: </b>If you
use use Masquerading or SNAT (i.e., you only have one external IP address) use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br> address the IP addresss of your firewall's external interface.<br>
</li> </li>
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced <li><b>/etc/shorewall/tcclear</b> - A user-supplied file that
by Shorewall when it is clearing traffic shaping. This file is normally is sourced by Shorewall when it is clearing traffic shaping. This
not required as Shorewall's method of clearing qdisc and filter definitions file is normally not required as Shorewall's method of clearing qdisc
is pretty general.</li> and filter definitions is pretty general.</li>
</ul> </ul>
Shorewall allows you to start traffic shaping when Shorewall itself starts
or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic shaping
rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can mark packets
using entries in /etc/shorewall/tcrules.</li>
</ol>
To start traffic shaping when you bring up your network interfaces, you will
have to arrange for your traffic shaping configuration script to be run at
that time. How you do that is distribution dependent and will not be covered
here. You then should:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier, you
can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
<h3 align="left">Kernel Configuration</h3> <h3 align="left">Kernel Configuration</h3>
@ -91,27 +119,28 @@ address the IP addresss of your firewall's external interface.<br>
<p align="left">The fwmark classifier provides a convenient way to classify <p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br> a means for specifying these marks in a tabular fashion.<br>
</p> </p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before <p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
<a href="Documentation.htm#Conf">shorewall.conf</a>.<br> <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p> </p>
<p align="left">Columns in the file are as follows:</p> <p align="left">Columns in the file are as follows:</p>
<ul> <ul>
<li>MARK - Specifies the mark value is to be assigned in case of <li>MARK - Specifies the mark value is to be assigned in case
a match. This is an integer in the range 1-255.<br> of a match. This is an integer in the range 1-255.<br>
<br> <br>
Example - 5<br> Example - 5<br>
</li> </li>
<li>SOURCE - The source of the packet. If the packet originates <li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses in comma-separated list of interface names, IP addresses, MAC addresses in
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br> <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br> <br>
Examples<br> Examples<br>
@ -122,12 +151,12 @@ comma-separated list of interface names, IP addresses, MAC addresses in
IP addresses and/or subnets.<br> IP addresses and/or subnets.<br>
</li> </li>
<li>PROTO - Protocol - Must be the name of a protocol from <li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br> /etc/protocol, a number or "all"<br>
</li> </li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port <li>PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges (e.g., 21:22); names (from /etc/services), port numbers or port ranges (e.g., 21:22);
if the protocol is "icmp", this column is interpreted as the destination if the protocol is "icmp", this column is interpreted as the
icmp type(s).<br> destination icmp type(s).<br>
</li> </li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
omitted, any source port is acceptable. Specified as a comma-separate omitted, any source port is acceptable. Specified as a comma-separate
@ -137,7 +166,7 @@ comma-separated list of interface names, IP addresses, MAC addresses in
<p align="left">Example 1 - All packets arriving on eth1 should be marked <p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with 2. with 1. All packets arriving on eth2 and eth3 should be marked with 2.
All packets originating on the firewall itself should be marked with 3.</p> All packets originating on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
@ -193,7 +222,7 @@ All packets originating on the firewall itself should be marked with 3.</p>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating <p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with on the firewall and destined for 155.186.235.151 should be marked with
12.</p> 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
@ -247,9 +276,9 @@ All packets originating on the firewall itself should be marked with 3.</p>
<p>While I am currently using the HTB version of <a <p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown in
README), I have also run with the following set of hand-crafted rules in the Wondershaper README), I have also run with the following set of hand-crafted
my tcstart file:<br> rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p> </p>
<blockquote> <blockquote>
@ -284,10 +313,12 @@ can use all available bandwidth if there is no traffic from the local systems
</ol> </ol>
<p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last Updated 12/31/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -41,50 +41,51 @@
problems.</p> problems.</p>
<h3 align="left">If the firewall fails to start</h3> <h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the If you receive an error message when starting or restarting
firewall and you can't determine the cause, then do the following: the firewall and you can't determine the cause, then do the following:
<ul> <ul>
<li>Make a note of the error message that you see.<br> <li>Make a note of the error message that you see.<br>
</li> </li>
<li>shorewall debug start 2&gt; /tmp/trace</li> <li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you <li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log where determine what the problem is. Be sure you find the place in the log
the error message you saw is generated -- in 99.9% of the cases, it will where the error message you saw is generated -- in 99.9% of the cases, it
not be near the end of the log because after startup errors, Shorewall goes will not be near the end of the log because after startup errors, Shorewall
through a "shorewall stop" phase which will also be traced.</li> goes through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the <li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li> <a href="support.htm">support page</a>.</li>
</ul> </ul>
Here's an example. During startup, a user sees the following:<br> Here's an example. During startup, a user sees the following:<br>
<blockquote> <blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre> <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote> </blockquote>
A search through the trace for "No chain/target/match by that name" turned A search through the trace for "No chain/target/match by that name" turned
up the following:  up the following: 
<blockquote> <blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre> <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote> </blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten tcp-reset". In this case, the user had compiled his own kernel and had forgotten
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>) to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3> <h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is <p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus: actually an ill-conceived network setup. Here are several popular snafus:
</p> </p>
<ul> <ul>
<li>Port Forwarding where client and server are in the <li>Port Forwarding where client and server are in
same subnet. See <a href="FAQ.htm">FAQ 2.</a></li> the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external <li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li> is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given <li>Multiple interfaces connected to the same HUB or Switch.
the way that the Linux kernel respond to ARP "who-has" requests, this Given the way that the Linux kernel respond to ARP "who-has" requests,
type of setup does NOT work the way that you expect it to.</li> this type of setup does NOT work the way that you expect it to.</li>
</ul> </ul>
@ -92,9 +93,9 @@ to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<p align="left">If the appropriate policy for the connection that you are <p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add TO MAKE IT WORK. Such additional rules will NEVER make it work, they
clutter to your rule set and they represent a big security hole in the event add clutter to your rule set and they represent a big security hole in
that you forget to remove them later.</p> the event that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to <p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of ACCEPT in an effort to make something work. That robs you of one of
@ -103,9 +104,9 @@ to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
by your rule set.</p> by your rule set.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't <p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall problem. see Shorewall messages, then your problem is probably NOT a Shorewall
If you DO see packet messages, it may be an indication that you are missing problem. If you DO see packet messages, it may be an indication that you
one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p> are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear <p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p> two variables in /etc/shorewall/shorewall.conf:</p>
@ -128,8 +129,8 @@ LEN=47</font></p>
<ul> <ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all <li>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the "all"-&gt;"all" REJECT policy chain -- the packet was rejected under the "all"-&gt;"all" REJECT
(see <a href="FAQ.htm#faq17">FAQ 17).</a></li> policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li> <li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li> <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li> <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -149,19 +150,24 @@ LEN=47</font></p>
about how to interpret the chain name appearing in a Shorewall log message.<br> about how to interpret the chain name appearing in a Shorewall log message.<br>
</p> </p>
<h3 align="left">'Ping' Problems?</h3>
Either can't ping when you think you should be able to or are able to ping
when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
href="ping.html"> is described here</a>.<br>
<h3 align="left">Other Gotchas</h3> <h3 align="left">Other Gotchas</h3>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or <li>Seeing rejected/dropped packets logged out of the INPUT or
FORWARD chains? This means that: FORWARD chains? This means that:
<ol> <ol>
<li>your zone definitions are screwed up and the host that is <li>your zone definitions are screwed up and the host that
sending the packets or the destination host isn't in any zone (using is sending the packets or the destination host isn't in any zone
an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file (using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
are you?); or</li> file are you?); or</li>
<li>the source and destination hosts are both connected to the <li>the source and destination hosts are both connected to
same interface and that interface doesn't have the 'multi' option the same interface and that interface doesn't have the 'multi'
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> option specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol> </ol>
</li> </li>
@ -178,26 +184,26 @@ have the following in /etc/shorewall/nat:<br>
    10.1.1.2    eth0    130.252.100.18<br>     10.1.1.2    eth0    130.252.100.18<br>
<br> <br>
and you ping 130.252.100.18, unless you have allowed icmp type and you ping 130.252.100.18, unless you have allowed icmp type
8 between the zone containing the system you are pinging from and 8 between the zone containing the system you are pinging from and the
the zone containing 10.1.1.2, the ping requests will be dropped. This zone containing 10.1.1.2, the ping requests will be dropped. This is
is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li> true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface <li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li> must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually <li>Is your routing correct? For example, internal systems usually
need to be configured with their default gateway set to the IP address need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of of their nearest firewall interface. One often overlooked aspect
routing is that in order for two hosts to communicate, the routing between of routing is that in order for two hosts to communicate, the routing
them must be set up <u>in both directions.</u> So when setting up routing between them must be set up <u>in both directions.</u> So when setting
between <b>A</b> and<b> B</b>, be sure to verify that the route from up routing between <b>A</b> and<b> B</b>, be sure to verify that the
<b>B</b> back to <b>A</b> is defined.</li> route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a <li>Some versions of LRP (EigerStein2Beta for example) have a
shell with broken variable expansion. <a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li> shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a <li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li> href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is <li>Some features require the "ip" program. That program
generally included in the "iproute" package which should be included is generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
@ -205,8 +211,8 @@ is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts <li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless then the zone must be entirely defined in /etc/shorewall/hosts unless
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has For example, if a zone has two interfaces but only one interface has an
an entry in /etc/shorewall/hosts then hosts attached to the other interface entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li> will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all <li>Problems with NAT? Be sure that you let Shorewall add all
external addresses to be use with NAT unless you have set <a external addresses to be use with NAT unless you have set <a
@ -216,19 +222,16 @@ an entry in /etc/shorewall/hosts then hosts attached to the other interface
<h3>Still Having Problems?</h3> <h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p> <p>See the<a href="support.htm"> support page.<br>
</a></p>
<font face="Century Gothic, Arial, Helvetica"> <font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 12/4/2002 - Tom Eastep</font> </p> <p><font size="2">Last updated 1/7/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -31,8 +31,8 @@
</table> </table>
<p align="left">Setting up a Linux system as a firewall for a small network <p align="left">Setting up a Linux system as a firewall for a small network
is a fairly straight-forward task if you understand the basics and follow is a fairly straight-forward task if you understand the basics and
the documentation.</p> follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall Shorewall. It rather focuses on what is required to configure Shorewall
@ -43,7 +43,7 @@
network.</li> network.</li>
<li>Single public IP address.</li> <li>Single public IP address.</li>
<li>Internet connection through cable modem, DSL, ISDN, Frame <li>Internet connection through cable modem, DSL, ISDN, Frame
Relay, dial-up ...</li> Relay, dial-up ...</li>
</ul> </ul>
@ -61,32 +61,32 @@ Relay, dial-up ...</li>
<p>This guide assumes that you have the iproute/iproute2 package installed <p>This guide assumes that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program on if this package is installed by the presence of an <b>ip</b> program
your firewall system. As root, you can use the 'which' command to check on your firewall system. As root, you can use the 'which' command to
for this program:</p> check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself <p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are flagged changes. Points at which configuration changes are recommended are
with <img border="0" src="images/BD21298_.gif" width="13" flagged with <img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you     If you edit your configuration files on a Windows system,
must save them as Unix files if your editor supports that option or you you must save them as Unix files if your editor supports that option
must run them through dos2unix before trying to use them. Similarly, if or you must run them through dos2unix before trying to use them. Similarly,
you copy a configuration file from your Windows hard drive to a floppy if you copy a configuration file from your Windows hard drive to a floppy
disk, you must run dos2unix against the copy before using it with Shorewall.</p> disk, you must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li> Version of dos2unix</a></li>
<li><a <li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li> of dos2unix</a></li>
</ul> </ul>
@ -95,8 +95,8 @@ Version of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a /etc/shorewall -- for simple setups, you will only need to deal with a few
few of these as described in this guide. After you have <a of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
@ -107,8 +107,8 @@ few of these as described in this guide. After you have <a
and default entries.</p> and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a <p>Shorewall views the network where it is running as being composed of a
set of <i>zones.</i> In the two-interface sample configuration, the following set of <i>zones.</i> In the two-interface sample configuration, the
zone names are used:</p> following zone names are used:</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
@ -154,8 +154,8 @@ zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorew
the request is first checked against the rules in /etc/shorewall/common the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has <p>The /etc/shorewall/policy file included with the two-interface sample
the following policies:</p> has the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -197,7 +197,7 @@ the following policies:</p>
<blockquote> <blockquote>
<p>In the two-interface sample, the line below is included but commented <p>In the two-interface sample, the line below is included but commented
out. If you want your firewall system to have full access to servers out. If you want your firewall system to have full access to servers
on the internet, uncomment that line.</p> on the internet, uncomment that line.</p>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
@ -226,8 +226,8 @@ on the internet, uncomment that line.</p>
<ol> <ol>
<li>allow all connection requests from your local network to <li>allow all connection requests from your local network to
the internet</li> the internet</li>
<li>drop (ignore) all connection requests from the internet to <li>drop (ignore) all connection requests from the internet
your firewall or local network</li> to your firewall or local network</li>
<li>optionally accept all connection requests from the firewall <li>optionally accept all connection requests from the firewall
to the internet (if you uncomment the additional policy)</li> to the internet (if you uncomment the additional policy)</li>
<li>reject all other connection requests.</li> <li>reject all other connection requests.</li>
@ -244,15 +244,15 @@ changes that you wish.</p>
height="635"> height="635">
</p> </p>
<p align="left">The firewall has two network interfaces. Where Internet <p align="left">The firewall has two network interfaces. Where Internet connectivity
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> is through a cable or DSL "Modem", the <i>External Interface</i> will be
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>)  the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
be a ppp interface (e.g., <b>ppp0</b>). If you connect via a regular modem, Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
your External Interface will also be <b>ppp0</b>. If you connect via ISDN, via a regular modem, your External Interface will also be <b>ppp0</b>.
your external interface will be <b>ippp0.</b></p> If you connect via ISDN, your external interface will be <b>ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
@ -261,26 +261,26 @@ then you will want to set CLAMPMSS=yes in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p> href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other computers (eth1 or eth0) and will be connected to a hub or switch. Your other
will be connected to the same hub/switch (note: If you have only a single computers will be connected to the same hub/switch (note: If you have
internal system, you can connect the firewall directly to the computer only a single internal system, you can connect the firewall directly
using a <i>cross-over </i> cable).</p> to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u>Do not connect the internal and external interface to the </b></u>Do not connect the internal and external interface to
same hub or switch (even for testing). It won't work the way that you think the same hub or switch (even for testing). It won't work the way that
that it will and you will end up confused and believing that Shorewall you think that it will and you will end up confused and believing that
doesn't work at all.</p> Shorewall doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
    The Shorewall two-interface sample configuration assumes that     The Shorewall two-interface sample configuration assumes that
the external interface is <b>eth0</b> and the internal interface is the external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
<b>eth1</b>. If your configuration is different, you will have to modify If your configuration is different, you will have to modify the sample
the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
file accordingly. While you are there, you may wish to review the list accordingly. While you are there, you may wish to review the list of
of options that are specified for the interfaces. Some hints:</p> options that are specified for the interfaces. Some hints:</p>
<ul> <ul>
<li> <li>
@ -290,7 +290,7 @@ of options that are specified for the interfaces. Some hints:</p>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the or if you have a static IP address, you can remove "dhcp" from the
option list. </p> option list. </p>
</li> </li>
</ul> </ul>
@ -298,17 +298,17 @@ option list. </p>
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet <p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
single <i> Public</i> IP address. This address may be assigned via the<i> a single <i> Public</i> IP address. This address may be assigned via
Dynamic Host Configuration Protocol</i> (DHCP) or as part of establishing the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
your connection when you dial in (standard modem) or establish your PPP establishing your connection when you dial in (standard modem) or establish
connection. In rare cases, your ISP may assign you a<i> static</i> IP address; your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
that means that you configure your firewall's external interface to use IP address; that means that you configure your firewall's external interface
that address permanently.<i> </i>However your external address is assigned, to use that address permanently.<i> </i>However your external address is
it will be shared by all of your systems when you access the Internet. assigned, it will be shared by all of your systems when you access the
You will have to assign your own addresses in your internal network (the Internet. You will have to assign your own addresses in your internal network
Internal Interface on your firewall plus your other computers). RFC 1918 (the Internal Interface on your firewall plus your other computers). RFC
reserves several <i>Private </i>IP address ranges for this purpose:</p> 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -328,9 +328,9 @@ entry in /etc/shorewall/interfaces.</p>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet
will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 will have a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0
is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved as is reserved as the <i>Subnet Address</i> and x.y.z.255 is reserved
the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet is as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, a subnet
described using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless is described using <a href="shorewall_setup_guide.htm#Subnets"><i>Classless
InterDomain Routing </i>(CIDR) notation</a> with consists of the subnet InterDomain Routing </i>(CIDR) notation</a> with consists of the subnet
address followed by "/24". The "24" refers to the number of consecutive address followed by "/24". The "24" refers to the number of consecutive
leading "1" bits from the left of the subnet mask. </p> leading "1" bits from the left of the subnet mask. </p>
@ -390,8 +390,8 @@ be the IP address of the firewall's internal interface.<i>
</div> </div>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more regarding subnetting and routing. If you are interested in learning
about IP addressing and routing, I highly recommend <i>"IP Fundamentals: more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
@ -408,23 +408,23 @@ be the IP address of the firewall's internal interface.<i>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one of forward packets which have an RFC-1918 destination address. When one
your local systems (let's assume computer 1) sends a connection request of your local systems (let's assume computer 1) sends a connection request
to an internet host, the firewall must perform <i>Network Address Translation to an internet host, the firewall must perform <i>Network Address Translation
</i>(NAT). The firewall rewrites the source address in the packet to </i>(NAT). The firewall rewrites the source address in the packet to
be the address of the firewall's external interface; in other words, the be the address of the firewall's external interface; in other words,
firewall makes it look as if the firewall itself is initiating the connection.  the firewall makes it look as if the firewall itself is initiating the
This is necessary so that the destination host will be able to route return connection.  This is necessary so that the destination host will be able
packets back to the firewall (remember that packets whose destination to route return packets back to the firewall (remember that packets whose
address is reserved by RFC 1918 can't be routed across the internet so destination address is reserved by RFC 1918 can't be routed across the
the remote host can't address its response to computer 1). When the firewall internet so the remote host can't address its response to computer 1).
receives a return packet, it rewrites the destination address back to 10.10.10.1 When the firewall receives a return packet, it rewrites the destination
and forwards the packet on to computer 1. </p> address back to 10.10.10.1 and forwards the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i> <p align="left">On Linux systems, the above process is often referred to
IP Masquerading</i> but you will also see the term <i>Source Network Address as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Translation </i>(SNAT) used. Shorewall follows the convention used with Address Translation </i>(SNAT) used. Shorewall follows the convention used
Netfilter:</p> with Netfilter:</p>
<ul> <ul>
<li> <li>
@ -434,8 +434,8 @@ receives a return packet, it rewrites the destination address back to 10.10.10
</li> </li>
<li> <li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify <p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your local network the source address that you want outbound packets from your local
to use. </p> network to use. </p>
</li> </li>
</ul> </ul>
@ -446,22 +446,24 @@ receives a return packet, it rewrites the destination address back to 10.10.10
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    If your external firewall interface is <b>eth0</b>, you do not     If your external firewall interface is <b>eth0</b>, you do
need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq not need to modify the file provided with the sample. Otherwise, edit
and change the first column to the name of your external interface and /etc/shorewall/masq and change the first column to the name of your
the second column to the name of your internal interface.</p> external interface and the second column to the name of your internal
interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    If your external IP is static, you can enter it in the third     If your external IP is static, you can enter it in the third
column in the /etc/shorewall/masq entry if you like although your firewall column in the /etc/shorewall/masq entry if you like although your firewall
will work fine if you leave that column empty. Entering your static will work fine if you leave that column empty. Entering your static IP
IP in column 3 makes processing outgoing packets a little more efficient.<br> in column 3 makes processing outgoing packets a little more efficient.<br>
<br> <br>
<img border="0" src="images/BD21298_.gif" width="13" height="13" alt=""> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    If you are using the Debian package, please check your shorewall.conf     If you are using the Debian package, please check your shorewall.conf
file to ensure that the following are set correctly; if they are not, change file to ensure that the following are set correctly; if they are not, change
them appropriately:<br> them appropriately:<br>
</p> </p>
<ul> <ul>
@ -475,12 +477,12 @@ them appropriately:<br>
<p align="left">One of your goals may be to run one or more servers on your <p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, it local computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to them. is not possible for clients on the internet to connect directly to them.
It is rather necessary for those clients to address their connection requests It is rather necessary for those clients to address their connection
to the firewall who rewrites the destination address to the address of requests to the firewall who rewrites the destination address to the
your server and forwards the packet to that server. When your server responds, address of your server and forwards the packet to that server. When
the firewall automatically performs SNAT to rewrite the source address your server responds, the firewall automatically performs SNAT to rewrite
in the response.</p> the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure port Destination Network Address Translation</i> (DNAT). You configure port
@ -557,7 +559,7 @@ It is rather necessary for those clients to address their connection requests
href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li> href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. <li>Many ISPs block incoming connection requests to port 80.
If you have problems connecting to your web server, try the following If you have problems connecting to your web server, try the following
rule and try connecting to port 5000.</li> rule and try connecting to port 5000.</li>
</ul> </ul>
@ -598,33 +600,34 @@ rules that you require.</p>
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file will will be automatically configured (e.g., the /etc/resolv.conf file will
be written). Alternatively, your ISP may have given you the IP address be written). Alternatively, your ISP may have given you the IP address
of a pair of DNS <i> name servers</i> for you to manually configure as your of a pair of DNS <i> name servers</i> for you to manually configure as
primary and secondary name servers. Regardless of how DNS gets configured your primary and secondary name servers. Regardless of how DNS gets
on your firewall, it is <u>your</u> responsibility to configure the resolver configured on your firewall, it is <u>your</u> responsibility to configure
in your internal systems. You can take one of two approaches:</p> the resolver in your internal systems. You can take one of two approaches:</p>
<ul> <ul>
<li> <li>
<p align="left">You can configure your internal systems to use your ISP's <p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers or name servers. If you ISP gave you the addresses of their servers
if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information isn't your internal systems to use those addresses. If that information
available, look in /etc/resolv.conf on your firewall system -- the name isn't available, look in /etc/resolv.conf on your firewall system
servers are given in "nameserver" records in that file. </p> -- the name servers are given in "nameserver" records in that file.
</p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    You can configure a<i> Caching Name Server </i>on your firewall.<i>     You can configure a<i> Caching Name Server </i>on your firewall.<i>
</i>Red Hat has an RPM for a caching name server (the RPM also </i>Red Hat has an RPM for a caching name server (the RPM also
requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If requires the 'bind' RPM) and for Bering users, there is dnscache.lrp.
you take this approach, you configure your internal systems to use the If you take this approach, you configure your internal systems to use
firewall itself as their primary (and only) name server. You use the internal the firewall itself as their primary (and only) name server. You use the
IP address of the firewall (10.10.10.254 in the example above) for the internal IP address of the firewall (10.10.10.254 in the example above)
name server address. To allow your local systems to talk to your caching for the name server address. To allow your local systems to talk to
name server, you must open port 53 (both UDP and TCP) from the local your caching name server, you must open port 53 (both UDP and TCP) from
network to the firewall; you do that by adding the following rules in the local network to the firewall; you do that by adding the following
/etc/shorewall/rules. </p> rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
@ -839,14 +842,14 @@ network to the firewall; you do that by adding the following rules in
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular application <p align="left">If you don't know what port and protocol a particular
uses, look <a href="ports.htm">here</a>.</p> application uses, look <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want the internet because it uses clear text (even for login!). If you
shell access to your firewall from the internet, use SSH:</p> want shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -908,8 +911,8 @@ other connections as required.</p>
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, routing and stopped using "shorewall stop". When the firewall is stopped,
is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
@ -920,7 +923,7 @@ other connections as required.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    The two-interface sample assumes that you want to enable     The two-interface sample assumes that you want to enable
routing to/from <b>eth1 </b>(the local network) when Shorewall is stopped. routing to/from <b>eth1 </b>(the local network) when Shorewall is stopped.
If your local network isn't connected to <b>eth1</b> or if you wish to If your local network isn't connected to <b>eth1</b> or if you wish to
enable access to/from other hosts, change /etc/shorewall/routestopped enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p> accordingly.</p>
@ -928,9 +931,9 @@ accordingly.</p>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you
added an entry for the IP address that you are connected from to <a have added an entry for the IP address that you are connected from
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a and test it using the <a
@ -952,5 +955,6 @@ accordingly.</p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.12 VERSION=1.3.13
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -70,7 +70,7 @@ list_count() {
# #
# Mutual exclusion -- These functions are jackets for the mutual exclusion # Mutual exclusion -- These functions are jackets for the mutual exclusion
# routines in /usr/lib/shorewall/functions. They invoke # routines in $FUNCTIONS. They invoke
# the corresponding function in that file if the user did # the corresponding function in that file if the user did
# not specify "nolock" on the runline. # not specify "nolock" on the runline.
# #
@ -833,6 +833,11 @@ validate_rule() {
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
DNAT-)
target=ACCEPT
address=${address:=detect}
logtarget=DNAT
;;
REDIRECT) REDIRECT)
target=ACCEPT target=ACCEPT
address=${address:=all} address=${address:=all}
@ -983,6 +988,17 @@ validate_policy()
local zone1 local zone1
local pc local pc
local chain local chain
local policy
local loglevel
local synparams
print_policy() # $1 = source zone, $2 = destination zone
{
[ $command != check ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
}
all_policy_chains= all_policy_chains=
@ -1048,27 +1064,34 @@ validate_policy()
for zone1 in $zones $FW all; do for zone1 in $zones $FW all; do
eval pc=\$${zone}2${zone1}_policychain eval pc=\$${zone}2${zone1}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain eval ${zone}2${zone1}_policychain=$chain
print_policy $zone $zone1
fi
done done
done done
else else
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${zone}2${server}_policychain eval pc=\$${zone}2${server}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain eval ${zone}2${server}_policychain=$chain
print_policy $zone $server
fi
done done
fi fi
elif [ -n "$serverwild" ]; then elif [ -n "$serverwild" ]; then
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${client}2${zone}_policychain eval pc=\$${client}2${zone}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain eval ${client}2${zone}_policychain=$chain
print_policy $client $zone
fi
done done
else else
eval ${chain}_policychain=${chain} eval ${chain}_policychain=${chain}
print_policy $client $server
fi fi
done < $TMP_DIR/policy done < $TMP_DIR/policy
@ -1234,7 +1257,7 @@ stop_firewall() {
[ -n "$NAT_ENABLED" ] && delete_nat [ -n "$NAT_ENABLED" ] && delete_nat
delete_proxy_arp delete_proxy_arp
[ -n "$TC_ENABLED" ] && delete_tc [ -n "$CLEAR_TC" ] && delete_tc
setpolicy INPUT DROP setpolicy INPUT DROP
setpolicy OUTPUT DROP setpolicy OUTPUT DROP
@ -1344,12 +1367,18 @@ setup_tunnels() # $1 = name of tunnels file
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
else else
run_iptables -A $inchain -p udp -s $1 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --dport 500 $options
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
fi fi
for z in `separate_list $3`; do for z in `separate_list $3`; do
if validate_zone $z; then if validate_zone $z; then
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
if [ $2 = ipsec ]; then
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
else
addrule ${z}2${FW} -p udp --dport 500 $options
addrule ${z}2${FW} -p udp --dport 4500 $options
fi
else else
error_message "Warning: Invalid gateway zone ($z)" \ error_message "Warning: Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" may encounter keying problems" " -- Tunnel \"$tunnel\" may encounter keying problems"
@ -1820,6 +1849,7 @@ setup_tc() {
# #
delete_tc() delete_tc()
{ {
clear_one_tc() { clear_one_tc() {
tc qdisc del dev $1 root 2> /dev/null tc qdisc del dev $1 root 2> /dev/null
tc qdisc del dev $1 ingress 2> /dev/null tc qdisc del dev $1 ingress 2> /dev/null
@ -1846,7 +1876,7 @@ refresh_tc() {
echo "Refreshing Traffic Control Rules..." echo "Refreshing Traffic Control Rules..."
delete_tc [ -n "$CLEAR_TC" ] && delete_tc
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
@ -2152,7 +2182,7 @@ add_a_rule()
add_nat_rule add_nat_rule
fi fi
if [ $chain != ${FW}2${FW} ]; then if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}" serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
@ -2229,14 +2259,23 @@ process_rule() # $1 = target
fi fi
logtarget="$target" logtarget="$target"
dnat_only=
# Convert 1.3 Rule formats to 1.2 format # Convert 1.3 Rule formats to 1.2 format
[ "x$address" = "x-" ] && address=
case $target in case $target in
DNAT) DNAT)
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
DNAT-)
target=ACCEPT
address=${address:=detect}
dnat_only=Yes
logtarget=DNAT
;;
REDIRECT) REDIRECT)
target=ACCEPT target=ACCEPT
address=${address:=all} address=${address:=all}
@ -2379,7 +2418,7 @@ process_rules() # $1 = name of rules file
while read xtarget xclients xservers xprotocol xports xcports xaddress; do while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "$xtarget" in case "$xtarget" in
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*) ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
expandv xclients xservers xprotocol xports xcports xaddress expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
@ -3233,7 +3272,7 @@ initialize_netfilter () {
run_iptables -t mangle -F && \ run_iptables -t mangle -F && \
run_iptables -t mangle -X run_iptables -t mangle -X
[ -n "$TC_ENABLED" ] && delete_tc [ -n "$CLEAR_TC" ] && delete_tc
run_user_exit init run_user_exit init
@ -3267,7 +3306,7 @@ initialize_netfilter () {
run_user_exit newnotsyn run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then if [ -n "$LOGNEWNOTSYN" ]; then
if [ "$LOGNEWNOTSYN" = ULOG ]; then if [ "$LOGNEWNOTSYN" = ULOG ]; then
run_iptables -A newnotsyn -j ULOG \ run_iptables -A newnotsyn -j ULOG
--ulog-prefix "Shorewall:newnotsyn:DROP:" --ulog-prefix "Shorewall:newnotsyn:DROP:"
else else
run_iptables -A newnotsyn -j LOG \ run_iptables -A newnotsyn -j LOG \
@ -4432,6 +4471,10 @@ do_initialize() {
TCP_FLAGS_LOG_LEVEL= TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL= RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN= MARK_IN_FORWARD_CHAIN=
SHARED_DIR=/usr/lib/shorewall
FUNCTIONS=
VERSION_FILE=
stopping= stopping=
have_mutex= have_mutex=
masq_seq=1 masq_seq=1
@ -4445,31 +4488,35 @@ do_initialize() {
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
functions=/usr/lib/shorewall/functions if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
config=$SHOREWALL_DIR/shorewall.conf
if [ -f $functions ]; then
. $functions
else else
startup_error "$functions does not exist!" config=/etc/shorewall/shorewall.conf
fi fi
version_file=/usr/lib/shorewall/version if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2
fi
[ -f $version_file ] && version=`cat $version_file` FUNCTIONS=$SHARED_DIR/functions
#
# Strip the files that we use often
#
strip_file interfaces
strip_file hosts
run_user_exit shorewall.conf if [ -f $FUNCTIONS ]; then
run_user_exit params . $FUNCTIONS
else
startup_error "$FUNCTIONS does not exist!"
fi
VERSION_FILE=$SHARED_DIR/version
[ -f $VERSION_FILE ] && version=`cat $VERSION_FILE`
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
[ -d $STATEDIR ] || mkdir -p $STATEDIR [ -d $STATEDIR ] || mkdir -p $STATEDIR
[ -z "$FW" ] && FW=fw [ -z "$FW" ] && FW=fw
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
@ -4544,7 +4591,20 @@ do_initialize() {
[ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN` MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN`
[ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre
if [ -n "$TC_ENABLED" ]; then
CLEAR_TC=`added_param_value_yes CLEAR_TC $CLEAR_TC`
else
CLEAR_TC=
fi
run_user_exit params
#
# Strip the files that we use often
#
strip_file interfaces
strip_file hosts
} }
# #

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.12 VERSION=1.3.13
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -2,39 +2,48 @@ This is a minor release of Shorewall that has a couple of new features.
New features include: New features include:
1) "shorewall refresh" now reloads the traffic shaping rules (tcrules 1) A new 'DNAT-' action has been added for entries in the
and tcstart). /etc/shorewall/rules file. DNAT- is intended for advanced users who
wish to minimize the number of rules that connection requests must
traverse.
2) "shorewall debug [re]start" now turns off debugging after an error A Shorewall DNAT rule actually generates two iptables rules: a
occurs. This places the point of the failure near the end of the header rewriting rule in the 'nat' table and an ACCEPT rule in the
trace rather than up in the middle of it. 'filter' table. A DNAT- rule only generates the first of these
rules. This is handy when you have several DNAT rules that would
generate the same ACCEPT rule.
3) "shorewall [re]start" has been speeded up by more than 40% with Here are three rules from my previous rules file:
my configuration. Your milage may vary.
4) A "shorewall show classifiers" command has been added which shows DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
the current packet classification filters. The output from this DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
command is also added as a separate page in "shorewall monitor" ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
5) ULOG (must be all caps) is now accepted as a valid syslog level and These three rules ended up generating _three_ copies of
causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from
www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
a separate log file.
6) If you are running a kernel that has a FORWARD chain in the mangle ACCEPT net dmz:206.124.146.177 tcp smtp
table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD=Yes in
shorewall.conf. This allows for marking inbound packets based on
their destination even when you are using Masquerading or SNAT.
7) I have cluttered up the /etc/shorewall directory with empty 'init', By writing the rules this way, I end up with only one copy of the
'start', 'stop' and 'stopped' files. If you already have a file with ACCEPT rule.
one of these names, don't worry -- the upgrade process won't
overwrite your file.
8) I have added a new RFC1918_LOG_LEVEL variable to DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
shorewall.conf. This variable specifies the syslog level at which DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
packets are logged as a result of entries in the ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
/etc/shorewall/rfc1918 file. Previously, these packets were always
logged at the 'info' level. 2) The 'shorewall check' command now prints out the applicable policy
between each pair of zones.
3. A new CLEAR_TC option has been added to shorewall.conf. If this
option is set to 'No' then Shorewall won't clear the current
traffic control rules during [re]start. This setting is intended
for use by people that prefer to configure traffic shaping when
the network interfaces come up rather than when the firewall
is started. If that is what you want to do, set TC_ENABLED=Yes and
CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
way, your traffic shaping rules can still use the 'fwmark'
classifier based on packet marking defined in /etc/shorewall/tcrules.
4. A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default
/usr/lib/shorewall). Users should never have a need to change the
value of this shorewall.conf setting.

View File

@ -24,6 +24,10 @@
# DNAT -- Forward the request to another # DNAT -- Forward the request to another
# system (and optionally another # system (and optionally another
# port). # port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# #

View File

@ -569,51 +569,65 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
functions=/usr/lib/shorewall/functions PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHARED_DIR=/usr/lib/shorewall
MUTEX_TIMEOUT=
if [ -f $functions ]; then if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
. $functions config=$SHOREWALL_DIR/shorewall.conf
else else
echo "$functions does not exist!" >&2 config=/etc/shorewall/shorewall.conf
fi
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2 exit 2
fi fi
firewall=/usr/lib/shorewall/firewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $firewall ]; then FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version
if [ -f $FUNCTIONS ]; then
. $FUNCTIONS
else
echo "$FUNCTIONS does not exist!" >&2
exit 2
fi
if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
if [ -L $firewall ]; then if [ -L $FIREWALL ]; then
echo " $firewall is a symbolic link to a" echo " $FIREWALL is a symbolic link to a"
echo " non-existant file" echo " non-existant file"
else else
echo " The file /usr/lib/shorewall/firewall does not exist" echo " The file $FIREWALL does not exist"
fi fi
exit 2 exit 2
fi fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin if [ -f $VERSION_FILE ]; then
version=`cat $VERSION_FILE`
version_file=/usr/lib/shorewall/version
if [ -f $version_file ]; then
version=`cat $version_file`
else else
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
echo " The file /usr/lib/shorewall/version does not exist" echo " The file $VERSION_FILE does not exist"
exit 1 exit 1
fi fi
banner="Shorewall-$version Status at $HOSTNAME -" banner="Shorewall-$version Status at $HOSTNAME -"
get_statedir
case `echo -e` in case `echo -e` in
-e*) -e*)
RING_BELL="echo \'\a\'" RING_BELL="echo \a"
;; ;;
*) *)
RING_BELL="echo -e \'\a\'" RING_BELL="echo -e \a"
;; ;;
esac esac
@ -629,11 +643,11 @@ esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
exec $firewall $debugging $nolock $1 exec $FIREWALL $debugging $nolock $1
;; ;;
add|delete) add|delete)
[ $# -ne 3 ] && usage 1 [ $# -ne 3 ] && usage 1
exec $firewall $debugging $nolock $1 $2 $3 exec $FIREWALL $debugging $nolock $1 $2 $3
;; ;;
show) show)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1

View File

@ -9,6 +9,13 @@
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
############################################################################## ##############################################################################
# #
# You should not have to change the variables in this section -- they are set
# by the packager of your Shorewall distribution
#
SHARED_DIR=/usr/lib/shorewall
#
##############################################################################
#
# General note about log levels. Log levels are a method of describing # General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters # to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value. # in this file have log levels as their value.

View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.3.12 %define version 1.3.13
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Jan 13 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.13
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net> * Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12 - Changes version to 1.3.12
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net> * Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.12 VERSION=1.3.13
usage() # $1 = exit status usage() # $1 = exit status
{ {