holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Changes for 1.3.13

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@402 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-01-14 20:32:45 +00:00
parent 5b9b519183
commit f04d58006f
57 changed files with 12980 additions and 11199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
Lrp/etc/init.d/shorewall
View File

@ -70,7 +70,7 @@ list_count() {
# #
# Mutual exclusion -- These functions are jackets for the mutual exclusion # Mutual exclusion -- These functions are jackets for the mutual exclusion
# routines in /usr/lib/shorewall/functions. They invoke # routines in $FUNCTIONS. They invoke
# the corresponding function in that file if the user did # the corresponding function in that file if the user did
# not specify "nolock" on the runline. # not specify "nolock" on the runline.
# #
@ -833,6 +833,11 @@ validate_rule() {
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
DNAT-)
target=ACCEPT
address=${address:=detect}
logtarget=DNAT
;;
REDIRECT) REDIRECT)
target=ACCEPT target=ACCEPT
address=${address:=all} address=${address:=all}
@ -983,6 +988,17 @@ validate_policy()
local zone1 local zone1
local pc local pc
local chain local chain
local policy
local loglevel
local synparams
print_policy() # $1 = source zone, $2 = destination zone
{
[ $command != check ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
}
all_policy_chains= all_policy_chains=
@ -1048,27 +1064,34 @@ validate_policy()
for zone1 in $zones $FW all; do for zone1 in $zones $FW all; do
eval pc=\$${zone}2${zone1}_policychain eval pc=\$${zone}2${zone1}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain eval ${zone}2${zone1}_policychain=$chain
print_policy $zone $zone1
fi
done done
done done
else else
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${zone}2${server}_policychain eval pc=\$${zone}2${server}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain eval ${zone}2${server}_policychain=$chain
print_policy $zone $server
fi
done done
fi fi
elif [ -n "$serverwild" ]; then elif [ -n "$serverwild" ]; then
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${client}2${zone}_policychain eval pc=\$${client}2${zone}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain eval ${client}2${zone}_policychain=$chain
print_policy $client $zone
fi
done done
else else
eval ${chain}_policychain=${chain} eval ${chain}_policychain=${chain}
print_policy $client $server
fi fi
done < $TMP_DIR/policy done < $TMP_DIR/policy
@ -1234,7 +1257,7 @@ stop_firewall() {
[ -n "$NAT_ENABLED" ] && delete_nat [ -n "$NAT_ENABLED" ] && delete_nat
delete_proxy_arp delete_proxy_arp
[ -n "$TC_ENABLED" ] && delete_tc [ -n "$CLEAR_TC" ] && delete_tc
setpolicy INPUT DROP setpolicy INPUT DROP
setpolicy OUTPUT DROP setpolicy OUTPUT DROP
@ -1344,12 +1367,18 @@ setup_tunnels() # $1 = name of tunnels file
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
else else
run_iptables -A $inchain -p udp -s $1 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --dport 500 $options
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
fi fi
for z in `separate_list $3`; do for z in `separate_list $3`; do
if validate_zone $z; then if validate_zone $z; then
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options if [ $2 = ipsec ]; then
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
else
addrule ${z}2${FW} -p udp --dport 500 $options
addrule ${z}2${FW} -p udp --dport 4500 $options
fi
else else
error_message "Warning: Invalid gateway zone ($z)" \ error_message "Warning: Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" may encounter keying problems" " -- Tunnel \"$tunnel\" may encounter keying problems"
@ -1820,6 +1849,7 @@ setup_tc() {
# #
delete_tc() delete_tc()
{ {
clear_one_tc() { clear_one_tc() {
tc qdisc del dev $1 root 2> /dev/null tc qdisc del dev $1 root 2> /dev/null
tc qdisc del dev $1 ingress 2> /dev/null tc qdisc del dev $1 ingress 2> /dev/null
@ -1830,11 +1860,11 @@ delete_tc()
run_ip link list | \ run_ip link list | \
while read inx interface details; do while read inx interface details; do
case $inx in case $inx in
[0-9]*) [0-9]*)
clear_one_tc ${interface%:} clear_one_tc ${interface%:}
;; ;;
*) *)
;; ;;
esac esac
done done
} }
@ -1846,7 +1876,7 @@ refresh_tc() {
echo "Refreshing Traffic Control Rules..." echo "Refreshing Traffic Control Rules..."
delete_tc [ -n "$CLEAR_TC" ] && delete_tc
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
@ -2152,7 +2182,7 @@ add_a_rule()
add_nat_rule add_nat_rule
fi fi
if [ $chain != ${FW}2${FW} ]; then if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}" serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
@ -2229,14 +2259,23 @@ process_rule() # $1 = target
fi fi
logtarget="$target" logtarget="$target"
dnat_only=
# Convert 1.3 Rule formats to 1.2 format # Convert 1.3 Rule formats to 1.2 format
[ "x$address" = "x-" ] && address=
case $target in case $target in
DNAT) DNAT)
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
DNAT-)
target=ACCEPT
address=${address:=detect}
dnat_only=Yes
logtarget=DNAT
;;
REDIRECT) REDIRECT)
target=ACCEPT target=ACCEPT
address=${address:=all} address=${address:=all}
@ -2379,7 +2418,7 @@ process_rules() # $1 = name of rules file
while read xtarget xclients xservers xprotocol xports xcports xaddress; do while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "$xtarget" in case "$xtarget" in
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*) ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
expandv xclients xservers xprotocol xports xcports xaddress expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
@ -3233,7 +3272,7 @@ initialize_netfilter () {
run_iptables -t mangle -F && \ run_iptables -t mangle -F && \
run_iptables -t mangle -X run_iptables -t mangle -X
[ -n "$TC_ENABLED" ] && delete_tc [ -n "$CLEAR_TC" ] && delete_tc
run_user_exit init run_user_exit init
@ -3267,7 +3306,7 @@ initialize_netfilter () {
run_user_exit newnotsyn run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then if [ -n "$LOGNEWNOTSYN" ]; then
if [ "$LOGNEWNOTSYN" = ULOG ]; then if [ "$LOGNEWNOTSYN" = ULOG ]; then
run_iptables -A newnotsyn -j ULOG \ run_iptables -A newnotsyn -j ULOG
--ulog-prefix "Shorewall:newnotsyn:DROP:" --ulog-prefix "Shorewall:newnotsyn:DROP:"
else else
run_iptables -A newnotsyn -j LOG \ run_iptables -A newnotsyn -j LOG \
@ -3352,7 +3391,7 @@ add_common_rules() {
if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then
echo "ULOG --ulog-prefix Shorewall:${1}:DROP:" echo "ULOG --ulog-prefix Shorewall:${1}:DROP:"
else else
echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level info" echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
fi fi
} }
# #
@ -4432,6 +4471,10 @@ do_initialize() {
TCP_FLAGS_LOG_LEVEL= TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL= RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN= MARK_IN_FORWARD_CHAIN=
SHARED_DIR=/usr/lib/shorewall
FUNCTIONS=
VERSION_FILE=
stopping= stopping=
have_mutex= have_mutex=
masq_seq=1 masq_seq=1
@ -4445,31 +4488,35 @@ do_initialize() {
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
functions=/usr/lib/shorewall/functions if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
config=$SHOREWALL_DIR/shorewall.conf
if [ -f $functions ]; then
. $functions
else else
startup_error "$functions does not exist!" config=/etc/shorewall/shorewall.conf
fi
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2
fi fi
version_file=/usr/lib/shorewall/version FUNCTIONS=$SHARED_DIR/functions
[ -f $version_file ] && version=`cat $version_file` if [ -f $FUNCTIONS ]; then
# . $FUNCTIONS
# Strip the files that we use often else
# startup_error "$FUNCTIONS does not exist!"
strip_file interfaces fi
strip_file hosts
run_user_exit shorewall.conf VERSION_FILE=$SHARED_DIR/version
run_user_exit params
[ -f $VERSION_FILE ] && version=`cat $VERSION_FILE`
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
[ -d $STATEDIR ] || mkdir -p $STATEDIR [ -d $STATEDIR ] || mkdir -p $STATEDIR
[ -z "$FW" ] && FW=fw [ -z "$FW" ] && FW=fw
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
@ -4544,7 +4591,20 @@ do_initialize() {
[ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN` MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN`
[ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre
if [ -n "$TC_ENABLED" ]; then
CLEAR_TC=`added_param_value_yes CLEAR_TC $CLEAR_TC`
else
CLEAR_TC=
fi
run_user_exit params
#
# Strip the files that we use often
#
strip_file interfaces
strip_file hosts
} }
# #

4
Lrp/etc/shorewall/rules
View File

@ -24,6 +24,10 @@
# DNAT -- Forward the request to another # DNAT -- Forward the request to another
# system (and optionally another # system (and optionally another
# port). # port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# #

8
Lrp/etc/shorewall/shorewall.conf
View File

@ -9,6 +9,13 @@
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
############################################################################## ##############################################################################
# #
# You should not have to change the variables in this section -- they are set
# by the packager of your Shorewall distribution
#
SHARED_DIR=/usr/lib/shorewall
#
##############################################################################
#
# General note about log levels. Log levels are a method of describing # General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters # to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value. # in this file have log levels as their value.
@ -51,7 +58,6 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# #
FW=fw FW=fw
# #
# SUBSYSTEM LOCK FILE # SUBSYSTEM LOCK FILE
# #

56
Lrp/sbin/shorewall
View File

@ -569,51 +569,65 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
functions=/usr/lib/shorewall/functions PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHARED_DIR=/usr/lib/shorewall
MUTEX_TIMEOUT=
if [ -f $functions ]; then if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
. $functions config=$SHOREWALL_DIR/shorewall.conf
else else
echo "$functions does not exist!" >&2 config=/etc/shorewall/shorewall.conf
fi
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2 exit 2
fi fi
firewall=/usr/lib/shorewall/firewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $firewall ]; then FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version
if [ -f $FUNCTIONS ]; then
. $FUNCTIONS
else
echo "$FUNCTIONS does not exist!" >&2
exit 2
fi
if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
if [ -L $firewall ]; then if [ -L $FIREWALL ]; then
echo " $firewall is a symbolic link to a" echo " $FIREWALL is a symbolic link to a"
echo " non-existant file" echo " non-existant file"
else else
echo " The file /usr/lib/shorewall/firewall does not exist" echo " The file $FIREWALL does not exist"
fi fi
exit 2 exit 2
fi fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin if [ -f $VERSION_FILE ]; then
version=`cat $VERSION_FILE`
version_file=/usr/lib/shorewall/version
if [ -f $version_file ]; then
version=`cat $version_file`
else else
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
echo " The file /usr/lib/shorewall/version does not exist" echo " The file $VERSION_FILE does not exist"
exit 1 exit 1
fi fi
banner="Shorewall-$version Status at $HOSTNAME -" banner="Shorewall-$version Status at $HOSTNAME -"
get_statedir
case `echo -e` in case `echo -e` in
-e*) -e*)
RING_BELL="echo \'\a\'" RING_BELL="echo \a"
;; ;;
*) *)
RING_BELL="echo -e \'\a\'" RING_BELL="echo -e \a"
;; ;;
esac esac
@ -629,11 +643,11 @@ esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
exec $firewall $debugging $nolock $1 exec $FIREWALL $debugging $nolock $1
;; ;;
add|delete) add|delete)
[ $# -ne 3 ] && usage 1 [ $# -ne 3 ] && usage 1
exec $firewall $debugging $nolock $1 $2 $3 exec $FIREWALL $debugging $nolock $1 $2 $3
;; ;;
show) show)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1

2
Lrp/var/lib/lrpkg/shorwall.version
View File

@ -1 +1 @@
1.3.12 1.3.13

43
STABLE/changelog.txt
View File

@ -1,43 +1,10 @@
Changes since 1.3.11 Changes since 1.3.12
1. Fixed DNAT/REDIRECT bug with excluded sub-zones. 1. Added 'DNAT-' target.
2. "shorewall refresh" now refreshes the traffic shaping rules 2. Print policies in 'check' command.
3. Turned off debugging after error. 3. Added CLEAR_TC option.
4. Removed drop of INVALID state output ICMP packets. 4. Added SHARED_DIR option.
5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
6. Replaced 'wc' invocation in list_count() by shell code (speedup)
7. Replaced 'sed' invocation in run_iptables() by shell code and
optomized (speedup)
8. Only read the interfaces file once (speedup)
9. Only read the policy file once (speedup)
10. Removed redundant function input_chains() (duplicate of first_chains())
11. Generated an error if 'lo' is defined in the interfaces file.
12. Clarified error message where ORIGINAL DEST is specified on an
ACCEPT, DROP or REJECT rule.
13. Added "shorewall show classifiers" command and added packet
classification filter display to "shorewall monitor"
14. Added an error message when the destination in a rule contained a
MAC address.
15. Added ULOG target support.
16. Add MARK_IN_FORWARD option.
17. General Cleanup for Release
18. Release changes and add init, start, stop and stopped files.
19. Add headings to NAT and Mangle tables in "shorewall status" output

5302
STABLE/documentation/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

47
STABLE/documentation/Documentation_Index.htm
View File

@ -1,28 +1,31 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>The Documentation Index</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>The Documentation Index</title>
</head> </head>
<body>
<body>
<h1 align="center">The Shorewall Documentation Index</h1> <h1 align="center">The Shorewall Documentation Index</h1>
<h1 align="center">has Moved
<a href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1> <h1 align="center">has Moved <a
href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
<p><font size="2">
Last updated 8/9/2002 <p><font size="2"> Last updated 8/9/2002 -
- <a href="support.htm">Tom Eastep</a></font> </p>
<a href="support.htm">Tom Eastep</a></font>
</p> <p> <a href="copyright.htm"><font size="2">Copyright</font> © <font
<p> size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body> </body>
</html> </html>

1859
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

6
STABLE/documentation/IPIP.htm
View File

@ -188,9 +188,9 @@ system. The systems in the two masqueraded subnetworks can now talk to each
other</p> other</p>
<p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom <p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
Eastep</a> </font></p> Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
</body> </body>
</html> </html>

4
STABLE/documentation/IPSEC.htm
View File

@ -359,8 +359,8 @@ script will issue the command":<br>
<p><font size="2">Last updated 10/23/2002 - </font><font size="2"> <p><font size="2">Last updated 10/23/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2"> <p><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br> <br>
<br> <br>
</body> </body>

4
STABLE/documentation/Install.htm
View File

@ -199,8 +199,8 @@ by traffic control/shaping.</li>
<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br> <br>
<br> <br>
</body> </body>

151
STABLE/documentation/MAC_Validation.html
View File

@ -2,111 +2,110 @@
<html> <html>
<head> <head>
<title>MAC Verification</title> <title>MAC Verification</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br> <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1> </h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Beginning with Shorewall version 1.3.10, all traffic from an interface Beginning with Shorewall version 1.3.10, all traffic from an interface
or from a subnet on an interface can be verified to originate from a defined or from a subnet on an interface can be verified to originate from a defined
set of MAC addresses. Furthermore, each MAC address may be optionally associated set of MAC addresses. Furthermore, each MAC address may be optionally
with one or more IP addresses. <br> associated with one or more IP addresses. <br>
<br> <br>
<b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br> <b>You must have the iproute package (ip utility) installed to use MAC
<br> Verification and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
There are four components to this facility.<br> - module name ipt_mac.o).</b><br>
<br>
There are four components to this facility.<br>
<ol> <ol>
<li>The <b>maclist</b> interface option in <a <li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li> to MAC verification.</li>
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. <li>The <b>maclist </b>option in <a
When this option is specified for a subnet, all traffic from that subnet href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is subject to MAC verification.</li> is specified for a subnet, all traffic from that subnet is subject to MAC
<li>The /etc/shorewall/maclist file. This file is used to associate verification.</li>
MAC addresses with interfaces and to optionally associate IP addresses with <li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses with
MAC addresses.</li> MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
determines the disposition of connection requests that fail MAC verification. determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty value requests that fail verification are to be logged. If set the the empty value
(e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.<br> (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.<br>
</li> </li>
</ol> </ol>
The columns in /etc/shorewall/maclist are:<br> The columns in /etc/shorewall/maclist are:<br>
<ul> <ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall <li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li> system.</li>
<li>MAC - The MAC address of a device on the ethernet segment connected <li>MAC - The MAC address of a device on the ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in this by INTERFACE. It is not necessary to use the Shorewall MAC format in this
column although you may use that format if you so choose.</li> column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses for <li>IP Address - An optional comma-separated list of IP addresses
the device whose MAC is listed in the MAC column.</li> for the device whose MAC is listed in the MAC column.</li>
</ul> </ul>
<h3>Example 1: Here are my files:</h3> <h3>Example 1: Here are my files:</h3>
<b>/etc/shorewall/shorewall.conf:<br> <b>/etc/shorewall/shorewall.conf:<br>
</b> </b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre> <pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br> <b>/etc/shorewall/interfaces:</b><br>
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre> <pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre>
<b>/etc/shorewall/maclist:</b><br> <b>/etc/shorewall/maclist:</b><br>
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre> <pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre>
As shown above, I use MAC Verification on <a href="myfiles.htm">my local As shown above, I use MAC Verification on <a href="myfiles.htm">my
zone</a>.<br> local zone</a>.<br>
<h3>Example 2: Router in Local Zone</h3> <h3>Example 2: Router in Local Zone</h3>
Suppose now that I add a second ethernet segment to my local zone and Suppose now that I add a second ethernet segment to my local zone and
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
IP address 192.168.1.253. Hosts in the second segment have IP addresses in IP address 192.168.1.253. Hosts in the second segment have IP addresses
the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br> file:<br>
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre> <pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.1.253) This entry accomodates traffic from the router itself (192.168.1.253)
and from the second LAN segment (192.168.2.0/24). Remember that all traffic and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) by the router so that traffic's MAC address will be that of the router
and not that of the host sending the traffic. (00:06:43:45:C6:15) and not that of the host sending the traffic.
<p><font size="2"> Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> <p><font size="2"> Updated 1/7/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

192
STABLE/documentation/NAT.htm
View File

@ -1,92 +1,114 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall NAT</title> <meta http-equiv="Content-Type"
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> content="text/html; charset=windows-1252">
<meta name="ProgId" content="FrontPage.Editor.Document"> <title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body>
<body>
<blockquote>
<blockquote> <table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#FFFFFF">Static NAT</font></h1> <h1 align="center"><font color="#ffffff">Static NAT</font></h1>
</td> </td>
</tr> </tr>
</table>
<p><font color="#FF0000"><b>IMPORTANT: If all you want to do is forward </tbody>
ports to servers behind your firewall, you do NOT want to use static NAT. </table>
Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p> <p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
<p>Static NAT is a way to make systems behind a ports to servers behind your firewall, you do NOT want to use static
firewall and configured with private IP addresses (those NAT. Port forwarding can be accomplished with simple entries in the
reserved for private use in RFC1918) appear to have public IP <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
addresses.</p>
<p>The following figure represents a static NAT <p>Static NAT is a way to make systems behind a firewall and configured
environment.</p> with private IP addresses (those reserved for private use in RFC1918)
<p align="center"><strong> appear to have public IP addresses. Before you try to use this technique,
<img src="images/staticnat.png" width="435" height="397"></strong></p> I strongly recommend that you read the <a
<blockquote> href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the <p>The following figure represents a static NAT environment.</p>
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we
assume that the interface to the upper subnet is eth0, then the following <p align="center"><strong> <img src="images/staticnat.png"
/etc/shorewall/NAT file would make the lower left-hand system appear to have width="435" height="397">
IP address 130.252.100.18 and the right-hand one to have IP address </strong></p>
<blockquote> </blockquote>
<p align="left">Static NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
we assume that the interface to the upper subnet is eth0, then the following
/etc/shorewall/NAT file would make the lower left-hand system appear
to have IP address 130.252.100.18 and the right-hand one to have IP address
130.252.100.19.</p> 130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr> <tr>
<td><b>EXTERNAL</b></td> <td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td> <td><b>INTERFACE</b></td>
<td><b>INTERNAL</b></td> <td><b>INTERNAL</b></td>
<td><b>ALL INTERFACES</b></td> <td><b>ALL INTERFACES</b></td>
<td><b>LOCAL</b></td> <td><b>LOCAL</b></td>
</tr> </tr>
<tr> <tr>
<td>130.252.100.18</td> <td>130.252.100.18</td>
<td>eth0</td> <td>eth0</td>
<td>10.1.1.2</td> <td>10.1.1.2</td>
<td>yes</td> <td>yes</td>
<td>yes</td> <td>yes</td>
</tr> </tr>
<tr> <tr>
<td>130.252.100.19</td> <td>130.252.100.19</td>
<td>eth0</td> <td>eth0</td>
<td>10.1.1.3</td> <td>10.1.1.3</td>
<td>yes</td> <td>yes</td>
<td>yes</td> <td>yes</td>
</tr> </tr>
</table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above </tbody>
example) is (are) not included in any specification in /etc/shorewall/masq </table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p> or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The &quot;ALL INTERFACES&quot; column
is used to specify whether access to the external IP from all firewall <p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column
interfaces should undergo NAT (Yes or yes) or if only access from the is used to specify whether access to the external IP from all firewall
interface in the INTERFACE column should undergo NAT. If you leave this interfaces should undergo NAT (Yes or yes) or if only access from the
column empty, &quot;Yes&quot; is assumed.&nbsp;The ALL INTERFACES column was interface in the INTERFACE column should undergo NAT. If you leave this
added in version 1.1.6.</p> column empty, "Yes" is assumed. The ALL INTERFACES column was added
<p>Note 2: Shorewall will automatically add the external address to the in version 1.1.6.</p>
specified interface unless you specify <a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>=&quot;no&quot;
(or &quot;No&quot;) in /etc/shorewall/shorewall.conf; If you do not set <p>Note 2: Shorewall will automatically add the external address to the
ADD_IP_ALIASES or if you set it to &quot;Yes&quot; or &quot;yes&quot; then you must NOT configure your own alias(es).</p> specified interface unless you specify <a
<p><a name="LocalPackets"></a>Note 3: The contents of the &quot;LOCAL&quot; href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
column determine whether packets originating on the firewall itself and /etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
destined for the EXTERNAL address are redirected to the internal ADDRESS. If you set it to "Yes" or "yes" then you must NOT configure your own alias(es).</p>
this column contains &quot;yes&quot; or &quot;Yes&quot; (and the ALL
INTERFACES COLUMN also contains &quot;Yes&quot; or &quot;yes&quot;) then <p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
such packets are redirected; otherwise, such packets are not redirected. The determine whether packets originating on the firewall itself and destined
LOCAL column was added in version 1.1.8.</p> for the EXTERNAL address are redirected to the internal ADDRESS. If this
</blockquote> column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains
"Yes" or "yes") then such packets are redirected; otherwise, such packets
<blockquote> are not redirected. The LOCAL column was added in version 1.1.8.</p>
</blockquote> </blockquote>
<p><font size="2">Last updated 3/27/2002 - </font><font size="2"> <blockquote> </blockquote>
<a href="support.htm">Tom
Eastep</a></font> </p> <p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> href="support.htm">Tom Eastep</a></font> </p>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</body>
</html>

2936
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

4
STABLE/documentation/PPTP.htm
View File

@ -891,8 +891,8 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
<p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font> <p><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br> <br>
<br> <br>
</body> </body>

256
STABLE/documentation/ProxyARP.htm
View File

@ -1,106 +1,164 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Proxy ARP</title> <meta http-equiv="Content-Type"
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> content="text/html; charset=windows-1252">
<meta name="ProgId" content="FrontPage.Editor.Document"> <title>Shorewall Proxy ARP</title>
<meta name="Microsoft Theme" content="none">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
</td>
</tr>
</tbody>
</table>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.
Before you try to use this technique, I strongly recommend that you read
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p>The following figure represents a Proxy ARP environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/proxyarp.png"
width="519" height="397">
</strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.  Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries
in /etc/shorewall/proxyarp:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr> <tr>
<td width="100%"> <td><b>ADDRESS</b></td>
<h1 align="center"><font color="#FFFFFF">Proxy ARP</font></h1> <td><b>INTERFACE</b></td>
</td> <td><b>EXTERNAL</b></td>
</tr> <td><b>HAVEROUTE</b></td>
</table> </tr>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers <tr>
without changing their IP addresses and without having to re-subnet.</p> <td>130.252.100.18</td>
<p>The following figure represents a Proxy ARP <td>eth1</td>
environment.</p> <td>eth0</td>
<td>no</td>
<blockquote> </tr>
<p align="center"><strong> <tr>
<img src="images/proxyarp.png" width="519" height="397"></strong></p> <td>130.252.100.19</td>
<blockquote> <td>eth1</td>
</blockquote> <td>eth0</td>
</blockquote> <td>no</td>
</tr>
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) </tbody>
subnet.&nbsp; Assuming that the upper firewall interface is eth0 and the </table>
lower interface is eth1, this is accomplished using the following entries in </blockquote>
/etc/shorewall/proxyarp:</p>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19 
<blockquote> in the above example) are not included in any specification in
<table border="2" cellpadding="2" style="border-collapse: collapse"> /etc/shorewall/masq or /etc/shorewall/nat.</p>
<tr>
<td><b>ADDRESS</b></td> <p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
<td><b>INTERFACE</b></td> irrelevant. </p>
<td><b>EXTERNAL</b></td>
<td><b>HAVEROUTE</b></td> <p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
</tr> subnet mask and default gateway configured exactly the same way that
<tr> the Firewall system's eth0 is configured.</p>
<td>130.252.100.18</td>
<td>eth1</td> <div align="left">
<td>eth0</td> <p align="left">A word of warning is in order here. ISPs typically configure
<td>no</td> their routers with a long ARP cache timeout. If you move a system from
</tr> parallel to your firewall to behind your firewall with Proxy ARP, it will
<tr> probably be HOURS before that system can communicate with the internet.
<td>130.252.100.19</td> There are a couple of things that you can try:<br>
<td>eth1</td> </p>
<td>eth0</td> <ol>
<td>no</td> <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
</tr> Vol 1</i> reveals that a <br>
</table> <br>
</blockquote> "gratuitous" ARP packet should cause the ISP's router to refresh their ARP
cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19&nbsp; address for its own IP; in addition to ensuring that the IP address isn't
in the above example) are not included in any specification in a duplicate...<br>
/etc/shorewall/masq or /etc/shorewall/nat.</p> <br>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is "if the host sending the gratuitous ARP has just changed its hardware address...,
irrelevant. </p> this packet causes any other host...that has an entry in its cache for the
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their old hardware address to update its ARP cache entry accordingly."<br>
subnet mask and default gateway configured exactly the same way that the <br>
Firewall system's eth0 is configured.</p> Which is, of course, exactly what you want to do when you switch a host from
<div align="left"> being exposed to the Internet to behind Shorewall using proxy ARP (or static
<p align="left">A word of warning is in order here. ISPs typically configure NAT for that matter). Happily enough, recent versions of Redhat's iputils
their routers with a long ARP cache timeout. If you move a system from package include "arping", whose "-U" flag does just that:<br>
parallel to your firewall to behind your firewall with Proxy ARP, it will <br>
probably be HOURS before that system can communicate with the internet. You     <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly proxied
can call your ISP and ask them to purge the stale ARP cache entry but many IP&gt;</i></b></font><br>
either can't or won't purge individual entries. You can determine if your     <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we <br>
suspect that the gateway router has a stale ARP cache entry for 130.252.100.19. Stevens goes on to mention that not all systems respond correctly to gratuitous
On the firewall, run tcpdump as follows:</div> ARPs, but googling for "arping -U" seems to support the idea that it works
<div align="left"> most of the time.<br>
<pre> tcpdump -nei eth0 icmp</pre> <br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a stale
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
<div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
</div>
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
will assume is 130.252.100.254):</p>
</div> </div>
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we will <div align="left">
assume is 130.252.100.254):</div> <pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
<div align="left"> </div>
<pre> ping 130.252.100.254</pre>
<div align="left">
<p align="left">We can now observe the tcpdump output:</p>
</div> </div>
<div align="left">
<p align="left">We can now observe the tcpdump output:</div> <div align="left">
<div align="left"> <pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF) </div>
13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words, the
gateway's ARP cache still associates 130.252.100.19 with the NIC in that
system rather than with the firewall's eth0.</p>
</div> </div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is <p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
different from the destination MAC address in the echo reply!! In this case href="support.htm">Tom Eastep</a></font> </p>
0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 <a href="copyright.htm"><font size="2">Copyright</font> © <font
was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
associates 130.252.100.19 with the NIC in that system rather than with the firewall's </body>
eth0.</div> </html>
<p><font size="2">Last updated 8/17/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>

12
STABLE/documentation/Shorewall_CA_html.html
View File

@ -29,9 +29,9 @@
I can hardly justify paying $200US+ a year to a Certificate Authority such I can hardly justify paying $200US+ a year to a Certificate Authority such
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority (CA) I am who I am. I have therefore established my own Certificate Authority (CA)
and sign my own X.509 certificates. I use these certificates on my web server and sign my own X.509 certificates. I use these certificates on my mail server
(<a href="http://www.shorewall.net">http://www.shorewall.net</a>) as well (<a href="https://mail.shorewall.net">https://mail.shorewall.net</a>)
as on my mail server (mail.shorewall.net).<br> which hosts parts of this web site.<br>
<br> <br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As part X.509 certificates are the basis for the Secure Socket Layer (SSL). As part
of establishing an SSL session (URL https://...), your browser verifies the of establishing an SSL session (URL https://...), your browser verifies the
@ -57,7 +57,7 @@ to accept the sleezy X.509 certificate being presented by my server. <br>
There are two things that you can do:<br> There are two things that you can do:<br>
<ol> <ol>
<li>You can accept the www.shorewall.net certificate when your browser <li>You can accept the mail.shorewall.net certificate when your browser
asks -- your acceptence of the certificate can be temporary (for that access asks -- your acceptence of the certificate can be temporary (for that access
only) or perminent.</li> only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed) CA <li>You can download and install <a href="ca.crt">my (self-signed) CA
@ -75,14 +75,14 @@ intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of your browser with a bogus certificate claiming that my server is that of
your bank.</li> your bank.</li>
<li>If you only accept my server's certificate when prompted then the <li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://www.shorewall.net, most that you have to loose is that when you connect to https://mail.shorewall.net,
the server you are connecting to might not be mine.</li> the server you are connecting to might not be mine.</li>
</ol> </ol>
I have my CA certificate loaded into all of my browsers but I certainly I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br> won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 11/14/2002 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 12/29/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>

69
STABLE/documentation/Shorewall_CVS_Access.html
View File

@ -2,50 +2,51 @@
<html> <html>
<head> <head>
<title>Shorewall CVS Access</title> <title>Shorewall CVS Access</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall CVS Access</font> <h1 align="center"><font color="#ffffff">Shorewall CVS Access</font>
</h1> </h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Lots of people try to download the entire Shorewall website for off-line Lots of people try to download the entire Shorewall website for off-line
browsing, including the CVS portion. In addition to being an enormous volume browsing, including the CVS portion. In addition to being an enormous volume
of data (HTML versions of all versions of all Shorewall files), all of the of data (HTML versions of all versions of all Shorewall files), all of
pages in Shorewall CVS access are cgi-generated which places a tremendous the pages in Shorewall CVS access are cgi-generated which places a tremendous
load on my little server. I have therefore resorted to making CVS access load on my little server. I have therefore resorted to making CVS access
password controlled. When you are asked to log in, enter "Shorewall" (NOTE password controlled. When you are asked to log in, enter "Shorewall" (NOTE
THE CAPITALIZATION!!!!!) for both the user name and the password.<br> THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
<br> <br>
<div align="center"> <div align="center">
<h3><a href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi" <h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
target="_top">CVS Login</a> &nbsp;<br> target="_top">CVS Login</a> &nbsp;<br>
</h3> </h3>
</div> </div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/23/2002 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002
- <a href="support.htm">Tom Eastep</a> </font> - <a href="support.htm">Tom Eastep</a> </font>
</p> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> &copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br> <br>
<br> <br>
<br> <br>

408
STABLE/documentation/Shorewall_Squid_Usage.html Normal file
View File

@ -0,0 +1,408 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Squid Usage</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169">
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4">
</a><br>
</td>
<td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td>
<td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4">
</a><br>
</td>
</tr>
</tbody>
</table>
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br>
<a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start
and /etc/shorewall/init -- if you don't have those files, siimply create
them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
file entries. That is because the packets being routed to the Squid server
still have their original destination IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed
on your firewall.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the local
network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid
transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on
192.168.1.3. It is assumed that web access is already enabled from the local
zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, I don't recommend it.<br>
</p>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>Alternativfely, you can have the following policy:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
</ul>
<blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote>
<ul>
<li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote>
<ul>
<li>&nbsp;In /etc/shorewall/start add:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/rules, you will need:</li>
</ul>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<p><font size="-1"> Updated 1/10/2003 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a>
</font></p>
<a
href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
</body>
</html>

158
STABLE/documentation/Shorewall_index_frame.htm
View File

@ -2,143 +2,149 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li> <li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li> <li> <a
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
</li> <li> <a href="download.htm">Download</a><br>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> </li>
<a href="Install.htm">Configuration</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
</li> <a href="Install.htm">Configuration</a><br>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart </li>
Guides (HOWTOs)</a><br> <li> <a href="shorewall_quickstart_guide.htm">QuickStart
</li> Guides (HOWTOs)</a><br>
<li> <b><a </li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference Manual</a></li> <li> <a href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br> <li><a href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li> <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li> <li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" target="_top">Washington <li><a href="http://www.shorewall.net" target="_top">Washington
State, USA</a><br> State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li> <li> <a href="Shorewall_CVS_Access.html">CVS
<li> <a href="quotes.htm">Quotes from Users</a></li> Repository</a></li>
<li> <a href="shoreline.htm">About the Author</a></li> <li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a <li> <a href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 <b>Note: </b></strong>Search is unavailable Daily 0200-0330
GMT.<br> GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://mail.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1" <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0"> src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br> </a><br>
<br> <br>
</p> </p>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

157
STABLE/documentation/Shorewall_sfindex_frame.htm
View File

@ -2,144 +2,149 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a href="seattlefirewall_index.htm">Home</a></li> <li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li> <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br> <a href="Install.htm">Configuration</a><br>
</li> </li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart <li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br> Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference Manual</a></li> <li> <a href="Documentation.htm">Reference
<li> <a href="FAQ.htm">FAQs</a></li> Manual</a></li>
<li><a href="useful_links.html">Useful Links</a><br> <li> <a href="FAQ.htm">FAQs</a></li>
</li> <li><a href="useful_links.html">Useful Links</a><br>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> </li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="mailing_list.htm">Mailing Lists</a></li> <li> <a href="support.htm">Support</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" target="_top">Washington <li><a href="http://www.shorewall.net" target="_top">Washington
State, USA</a><br> State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS <li> <a href="Shorewall_CVS_Access.html">CVS
Repository</a></li> Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li> <li> <a href="quotes.htm">Quotes from Users</a></li>
<li> <a href="shoreline.htm">About the Author</a></li> <li> <a href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li> href="sourceforge_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily 0200-0330 <b>Note: </b></strong>Search is unavailable Daily 0200-0330
GMT.<br> GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://mail.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> </a><br> <p><a href="http://www.shorewall.net" target="_top"> </a><br>
</p> </p>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

651
STABLE/documentation/configuration_file_basics.htm
View File

@ -1,435 +1,340 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Configuration File Basics</title> <title>Configuration File Basics</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u> configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
<h2>Files</h2> <h2><a name="Files"></a>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set several <li>/etc/shorewall/shorewall.conf - used to set several
firewall parameters.</li> firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set shell <li>/etc/shorewall/params - use this file to set shell
variables that you will expand in other files.</li> variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's <li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li> view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level <li>/etc/shorewall/policy - establishes firewall high-level
policy.</li> policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces <li>/etc/shorewall/interfaces - describes the interfaces
on the firewall system.</li> on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in <li>/etc/shorewall/hosts - allows defining zones in
terms of individual hosts and subnetworks.</li> terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where <li>/etc/shorewall/masq - directs the firewall where
to use many-to-one (dynamic) Network Address Translation (a.k.a. to use many-to-one (dynamic) Network Address Translation (a.k.a.
Masquerading) and Source Network Address Translation (SNAT).</li> Masquerading) and Source Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to <li>/etc/shorewall/modules - directs the firewall
load kernel modules.</li> to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions <li>/etc/shorewall/rules - defines rules that are
to the overall policies established in /etc/shorewall/policy.</li> exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy <li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li> ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
later) - defines hosts accessible when Shorewall is stopped.</li> later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets <li>/etc/shorewall/tcrules - defines marking of packets
for later use by traffic control/shaping or policy routing.</li> for later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting <li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li> the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and <li>/etc/shorewall/tunnels - defines IPSEC, GRE and
IPIP tunnels with end-points on the firewall system.</li> IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
addresses.</li> addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the beginning <li>/etc/shorewall/init - commands that you wish to execute at the beginning
of a "shorewall start" or "shorewall restart".</li> of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the completion <li>/etc/shorewall/start - commands that you wish to execute at the completion
of a "shorewall start" or "shorewall restart"</li> of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning <li>/etc/shorewall/stop - commands that you wish to execute at the beginning
of a "shorewall stop".</li> of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at the <li>/etc/shorewall/stopped - commands that you wish to execute at the
completion of a "shorewall stop".<br> completion of a "shorewall stop".<br>
</li> </li>
</ul> </ul>
<h2>Comments</h2> <h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at character a pound sign ("#"). You may also place comments at
the end of any line, again by delimiting the comment from the rest the end of any line, again by delimiting the comment from the rest
of the line with a pound sign.</p> of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
<pre># This is a comment</pre> <pre># This is a comment</pre>
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre> <pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2> <h2><a name="Continuation"></a>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash <p>You may continue lines in the configuration files using the usual backslash
("\") followed immediately by a new line character.</p> ("\") followed immediately by a new line character.</p>
<p>Example:</p> <p>Example:</p>
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre> <pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
<h2><a name="dnsnames"></a>Using DNS Names</h2> <h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start
as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS-&gt;IP address relationship that
occur after the firewall has started have absolutely no effect on the
firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names
and you are called out of bed at 2:00AM because Shorewall won't start
as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
</b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS-&gt;IP address relationship that
occur after the firewall has started have absolutely no effect on the
firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p>
<ul> <ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't <li>If your /etc/resolv.conf is wrong then your firewall
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li> won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall <li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li> won't start.</li>
<li>If your startup scripts try to start your firewall before <li>If your Name Server(s) is(are) down then your firewall
won't start.</li>
<li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br> starting your DNS server then your firewall won't start.<br>
</li> </li>
<li>Factors totally outside your control (your ISP's router <li>Factors totally outside your control (your ISP's router
is down for example), can prevent your firewall from starting.</li> is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting <li>You must bring up your network interfaces prior to starting
your firewall.<br> your firewall.<br>
</li> </li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is imposed
by Shorewall to insure backward compatibility with existing configuration
files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul>
<li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li>
</ul> </ul>
Examples of invalid DNS names:<br>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
</p>
<ul> <ul>
<li>mail (not fully qualified)</li> <li>mail.shorewall.net</li>
<li>shorewall.net (only one period)</li> <li>shorewall.net. (note the trailing period).</li>
</ul>
DNS names may not be used as:<br>
</ul>
Examples of invalid DNS names:<br>
<ul> <ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules <li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li>
</ul>
DNS names may not be used as:<br>
<ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li> file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li> <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li> <li>In the /etc/shorewall/nat file.</li>
</ul>
These restrictions are not imposed by Shorewall simply for
your inconvenience but are rather limitations of iptables.<br>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
no white space following the "!".</p>
<h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or there
would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in
any order.</li>
</ul> </ul>
These restrictions are not imposed by Shorewall simply for
<h2>Port Numbers/Service Names</h2> your inconvenience but are rather limitations of iptables.<br>
<p>Unless otherwise specified, when giving a port number you can use <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
either an integer or a service name from /etc/services. </p>
<p>Where specifying an IP address, a subnet or an interface, you can
<h2>Port Ranges</h2> precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low be no white space following the "!".</p>
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to local <h2><a name="Lists"></a>Comma-separated Lists</h2>
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> <p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or
there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in
any order.</li>
</ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
<h2>Using Shell Variables</h2> <h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables <p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p> that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p> within the Shorewall programs</p>
<p>Example:</p> <p>Example:</p>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a
series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address
fields, Shorewall requires MAC addresses to be written in another
way. In Shorewall, MAC addresses begin with a tilde ("~") and
consist of 6 hex numbers separated by hyphens. In Shorewall, the
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<h2><a name="Levels"></a>Logging</h2>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
<i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
       7       debug<br>
       6       info<br>
       5       notice<br>
       4       warning<br>
       3       err<br>
       2       crit<br>
       1       alert<br>
       0       emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
log messages are generated by NetFilter and are logged using the <i>kern</i>
facility and the level that you specify. If you are unsure of the level
to choose, 6 (info) is a safe bet. You may specify levels by name or by
number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs to
log files is done in /etc/syslog.conf (5). If you make changes to this file,
you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a log
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
netfilter to log the related messages via the ULOG target which will send
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
and can be configured to log all Shorewall message to their own log file.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first five steps on another system then either NFS mount your
/usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
something else done to activate the script.<br>
<br>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file that
you wish to log to&gt;</i>. This tells the /sbin/shorewall program where to
look for the log when processing its "show log", "logwatch" and "monitor"
commands.<br>
<h2><a name="Configs"></a>Shorewall Configurations</h2> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start and <p><br>
restart</a> commands allow you to specify an alternate configuration Example (/etc/shorewall/interfaces record):</p>
directory and Shorewall will use the files in the alternate directory <font
rather than the corresponding files in /etc/shorewall. The alternate directory face="Century Gothic, Arial, Helvetica">
need not contain a complete configuration; those files not in the alternate
directory will be read from /etc/shorewall.</p> <blockquote>
<p> This facility permits you to easily create a test or temporary configuration <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
by:</p> </blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font
face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the other configuration
files.</p>
<h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this feature,
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a
series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
     collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address
fields, Shorewall requires MAC addresses to be written in another
way. In Shorewall, MAC addresses begin with a tilde ("~") and consist
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address
in the example above would be written "~02-00-08-E3-FA-55".<br>
</p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p>
<h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start
and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate
directory need not contain a complete configuration; those files not
in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration
by:</p>
<ol> <ol>
<li> copying the files that need modification from <li> copying the files that need modification from
/etc/shorewall to a separate directory;</li> /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory; <li> modify those files in the separate directory;
and</li> and</li>
<li> specifying the separate directory in a shorewall <li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li> restart</b></i> ).</li>
</ol> </ol>
<p><font size="2"> Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 12/29/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br> <br>
<br> <br>
</body> </body>

69
STABLE/documentation/copyright.htm
View File

@ -1,34 +1,45 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta http-equiv="Content-Language" content="en-us">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<title>Copyright</title>
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head> </head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> style="border-collapse: collapse;" bordercolor="#111111" width="100%"
<tr> id="AutoNumber1" bgcolor="#400169" height="90">
<td width="100%"> <tbody>
<h1 align="center"><font color="#FFFFFF">Copyright</font></h1> <tr>
</td> <td width="100%">
</tr> <h1 align="center"><font color="#ffffff">Copyright</font></h1>
</td>
</tr>
</tbody>
</table> </table>
<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp; 2000, 2001
Thomas M Eastep<br> <p align="left">Copyright <font face="Trebuchet MS">©</font>  2000, 2001,
&nbsp;</p> 2003 Thomas M Eastep<br>
<blockquote>  </p>
<p align="left">Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version 1.1 or <blockquote>
any later version published by the Free Software Foundation; with no Invariant <p align="left">Permission is granted to copy, distribute and/or modify
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the this document under the terms of the GNU Free Documentation License, Version
license is included in the section entitled &quot;<a href="GnuCopyright.htm">GNU Free Documentation License</a>&quot;.<br> 1.1 or any later version published by the Free Software Foundation; with
&nbsp;</p> no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
</blockquote> A copy of the license is included in the section entitled "<a
href="GnuCopyright.htm">GNU Free Documentation License</a>".<br>
 </p>
</blockquote>
<br>
</body> </body>
</html>
</html>

688
STABLE/documentation/download.htm
View File

@ -1,387 +1,393 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title> <title>Download</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p> <p>The entire set of Shorewall documentation is available in PDF format
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz <p>The documentation in HTML format is included in the .rpm and in the
packages below.</p> .tgz packages below.</p>
<p> Once you've done that, download <u> one</u> of the modules:</p> <p> Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
Linux PPC</b> or <b> TurboLinux</b> distribution with Linux PPC</b> or <b> TurboLinux</b> distribution with
a 2.4 kernel, you can use the RPM version (note: the RPM a 2.4 kernel, you can use the RPM version (note: the
should also work with other distributions that store init RPM should also work with other distributions that store
scripts in /etc/init.d and that include chkconfig or insserv). init scripts in /etc/init.d and that include chkconfig or
If you find that it works in other cases, let <a insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation Instructions</a> I can mention them here. See the <a href="Install.htm">Installation
if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might <li>If you are running LRP, download the .lrp file (you
also want to download the .tgz so you will have a copy of the documentation).</li> might also want to download the .tgz so you will have a copy of
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> the documentation).</li>
and would like a .deb package, Shorewall is included in both the <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian and would like a .deb package, Shorewall is included in both the
Testing Branch</a> and the <a <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Testing Branch</a> and the <a
Unstable Branch</a>.</li> href="http://packages.debian.org/unstable/net/shorewall.html">Debian
<li>Otherwise, download the <i>shorewall</i> Unstable Branch</a>.</li>
module (.tgz)</li> <li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p> and there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may point release of a new version of Shorewall, the links below may
to a newer or an older version than is shown below.</p> point to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
will contain the version)</li> will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" </li> -zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
</ul> </ul>
<p><font face="Arial">Once you have verified the version, check the <p>Once you have verified the version, check the <font
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
face="Arial"> to see if there are updates that apply to the version if there are updates that apply to the version that you have
that you have downloaded.</font></p> downloaded.</p>
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
configuration of your firewall, you can enable startup by removing the of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.13</b>): <b>Remember that updates
<p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates to the mirrors occur 1-12 hours after an update to the Washington State
to the mirrors occur 1-12 hours after an update to the Washington site.</b></p>
State site.</b></p>
<blockquote>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td valign="top">SourceForge<br>
<td><b>DOMAIN</b></td> </td>
<td><b>HTTP</b></td> <td valign="top">sf.net<br>
<td><b>FTP</b></td> </td>
</tr> <td valign="top"><a
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
</tr> </tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p><b>Browse Download Sites:</b></p> <p><b>Browse Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" <td> <a target="_blank"
target="_blank">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
component. There's no guarantee that what you find there will work at component. There's no guarantee that what you find there will work
all.<br> at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 12/12/2002 - <a <p align="left"><font size="2">Last Updated 1/13/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
</body> </body>
</html> </html>

745
STABLE/documentation/errata.htm
View File

@ -1,214 +1,240 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title> <title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the <p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>If you are running a Shorewall version earlier
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall than 1.3.11, when the instructions say to install a corrected firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
/etc/shorewall/firewall or /var/lib/shorewall/firewall before the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by your and /var/lib/shorewall/firewall are symbolic links that point
system initialization scripts to start Shorewall during boot. to the 'shorewall' file used by your system initialization scripts
It is that file that must be overwritten with the corrected to start Shorewall during boot. It is that file that must be overwritten
script.</b></p> with the corrected script. Beginning with Shorewall 1.3.11, you
</li> may rename the existing file before copying in the new file.</b></p>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems
in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font color="#660066"><a
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM
on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version
1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li> </li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br>
</p>
</li>
</ol>
<ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems
in Version 1.3</a></b></li>
<li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM
on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version
1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
</li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2> <h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.11a</h3>
<h3>Version 1.3.12</h3>
<ul> <ul>
<li><a <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is the
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is corrected
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br> by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.11</h3> <h3>Version 1.3.12 LRP</h3>
<ul> <ul>
<li>When installing/upgrading using the .rpm, you may receive the following <li>The .lrp was missing the /etc/shorewall/routestopped file -- a new
warnings:<br> lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
<br> </li>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br> </ul>
<br>
These warnings are harmless and may be ignored. Users downloading the <h3>Version 1.3.11a</h3>
.rpm from shorewall.net or mirrors should no longer see these warnings as
the .rpm you will get from there has been corrected.</li> <ul>
<li>DNAT rules that exclude a source subzone (SOURCE column contains <li><a
! followed by a sub-zone list) result in an error message and Shorewall href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
fails to start.<br> copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.11</h3>
<ul>
<li>When installing/upgrading using the .rpm, you may receive the
following warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading the
.rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall
fails to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br>
This problem is corrected in version 1.3.11a.<br>
</li>
</ul>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
<ul> <ul>
<li>If you experience problems connecting to a PPTP server running <li>If you experience problems connecting to a PPTP server running
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where version of the firewall script</a> may help. Please report any cases where
installing this script in /usr/lib/shorewall/firewall solved your connection installing this script in /usr/lib/shorewall/firewall solved your connection
problems. Beginning with version 1.3.10, it is safe to save the old version problems. Beginning with version 1.3.10, it is safe to save the old version
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
is the real script now and not just a symbolic link to the real script.<br> is the real script now and not just a symbolic link to the real script.<br>
</li> </li>
</ul>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul> </ul>
<h3>Version 1.3.9a</h3>
<ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li>
</ul>
<pre> recalculate_interfacess: command not found<br></pre> <pre> recalculate_interfacess: command not found<br></pre>
<blockquote> The updated firewall script at <a <blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
described above.<br> described above.<br>
</blockquote> </blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br> to 'recalculate_interface'. <br>
</blockquote> </blockquote>
<ul> <ul>
<li>The installer (install.sh) issues a misleading message "Common <li>The installer (install.sh) issues a misleading message "Common
functions installed in /var/lib/shorewall/functions" whereas the file functions installed in /var/lib/shorewall/functions" whereas the file
is installed in /usr/lib/shorewall/functions. The installer also performs is installed in /usr/lib/shorewall/functions. The installer also performs
incorrectly when updating old configurations that had the file /etc/shorewall/functions. incorrectly when updating old configurations that had the file /etc/shorewall/functions.
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br> is an updated version that corrects these problems.<br>
</a></li> </a></li>
</ul> </ul>
<h3>Version 1.3.9</h3> <h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall
at <a script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br> -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br> <br>
Version 1.3.8 Version 1.3.8
<ul> <ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns <li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
of the policy file doesn't work.</li> of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses <li>A DNAT rule with the same original and new IP addresses
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br> tcp 25 - 10.1.1.1")<br>
</li> </li>
</ul> </ul>
Installing <a Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these problems. as described above corrects these problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) <p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing result in an error message. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3> <h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper <p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward "shorewall refresh", the firewall will not forward
@ -216,349 +242,358 @@ but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3> <h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as <p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918 options on a given interface then RFC 1918
checking is occurring before DHCP checking. This checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This reject the broadcast (usually logging it). This
has two problems:</p> has two problems:</p>
<ol> <ol>
<li>If the firewall is running <li>If the firewall is running
a DHCP server, the client won't be able a DHCP server, the client won't be
to obtain an IP address lease from able to obtain an IP address lease from
that server.</li> that server.</li>
<li>With this order of checking, <li>With this order of checking,
the "dhcp" option cannot be used as the "dhcp" option cannot be used as
a noise-reduction measure where there a noise-reduction measure where there
are both dynamic and static clients on are both dynamic and static clients
a LAN segment.</li> on a LAN segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed corrects the problem. It must be installed
in /var/lib/shorewall as described above.</p> in /var/lib/shorewall as described
above.</p>
<h3>Version 1.3.7</h3> <h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use <p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against version 1.3.7a and check your version against
these md5sums -- if there's a difference, please these md5sums -- if there's a difference, please
download again.</p> download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt; <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p> and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p> .7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3> <h3 align="left">Version 1.3.6</h3>
<ul> <ul>
<li> <li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an error occurs when the firewall script attempts to add
an SNAT alias. </p> an SNAT alias. </p>
</li> </li>
<li> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables cause errors during startup when Shorewall is run with iptables
1.2.7. </p> 1.2.7. </p>
</li> </li>
</ul> </ul>
<p align="left">These problems are fixed in <a <p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also /var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p> corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3> <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces <p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you file" -- this line should be added back in if the version that you
downloaded is missing it:</p> downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p> <p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above <p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p> line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3> <h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-( <p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p> /var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3> <h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the <p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p> following were allowed:</p>
<div align="left"> <div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre> <pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only <p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. possible to  include a single host specification on each line.
This problem is corrected by <a This problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p> as instructed above.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p> <p align="left">This problem is corrected in version 1.3.5b.</p>
</div> </div>
<h3 align="left">Version 1.3.5</h3> <h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <p align="left">REDIRECT rules are broken in this version. Install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version as instructed above. This problem is corrected in version
1.3.5a.</p> 1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3> <h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands <p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration so it's a good idea to run that command after you have made configuration
changes.</p> changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3> <h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match "Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in /etc/shorewall/interfaces. that specifies an interface that you didn't include in
To correct this problem, you must add an entry to /etc/shorewall/interfaces. /etc/shorewall/interfaces. To correct this problem, you
Shorewall 1.3.3 and later versions produce a clearer error must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
message in this case.</p> later versions produce a clearer error message in this case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the <p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p> version has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface entry <li>The code to detect a duplicate interface entry
in /etc/shorewall/interfaces contained a typo that prevented in /etc/shorewall/interfaces contained a typo that prevented
it from working correctly. </li> it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved <li>"NAT_BEFORE_RULES=No" was broken; it behaved
just like "NAT_BEFORE_RULES=Yes".</li> just like "NAT_BEFORE_RULES=Yes".</li>
</ul> </ul>
<p align="left">Both problems are corrected in <a <p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p> as described above.</p>
<ul> <ul>
<li> <li>
<p align="left">The IANA have just announced the allocation of subnet <p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a 221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p> updated rfc1918</a> file reflects that allocation.</p>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.3.1</h3> <h3 align="left">Version 1.3.1</h3>
<ul> <ul>
<li>TCP SYN packets may be double counted when <li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
each packet is sent through the limit chain twice).</li> each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes <li>An unnecessary jump to the policy chain is
generated for a CONTINUE policy.</li> sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface <li>When an option is given for more than one
in /etc/shorewall/interfaces then depending on the option, interface in /etc/shorewall/interfaces then depending
Shorewall may ignore all but the first appearence of the on the option, Shorewall may ignore all but the first
option. For example:<br> appearence of the option. For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the <li>Update 17 June 2002 - The bug described in
prior bullet affects the following options: dhcp, dropunclean, the prior bullet affects the following options: dhcp, dropunclean,
logunclean, norfc1918, routefilter, multi, filterping and logunclean, norfc1918, routefilter, multi, filterping and
noping. An additional bug has been found that affects only noping. An additional bug has been found that affects only
the 'routestopped' option.<br> the 'routestopped' option.<br>
<br> <br>
Users who downloaded the corrected script prior Users who downloaded the corrected script prior
to 1850 GMT today should download and install the corrected to 1850 GMT today should download and install the corrected
script again to ensure that this second problem is corrected.</li> script again to ensure that this second problem is corrected.</li>
</ul> </ul>
<p align="left">These problems are corrected in <a <p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p> as described above.</p>
<h3 align="left">Version 1.3.0</h3> <h3 align="left">Version 1.3.0</h3>
<ul> <ul>
<li>Folks who downloaded 1.3.0 from the links on <li>Folks who downloaded 1.3.0 from the links
the download page before 23:40 GMT, 29 May 2002 may have on the download page before 23:40 GMT, 29 May 2002 may
downloaded 1.2.13 rather than 1.3.0. The "shorewall version" have downloaded 1.2.13 rather than 1.3.0. The "shorewall
command will tell you which version that you have installed.</li> version" command will tell you which version that you
<li>The documentation NAT.htm file uses non-existent have installed.</li>
wallpaper and bullet graphic files. The <a <li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li> corrected version is here</a>.</li>
</ul> </ul>
<hr> <hr>
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
<p align="left">The upgrade issues have moved to <a <p align="left">The upgrade issues have moved to <a
href="upgrade_issues.htm">a separate page</a>.</p> href="upgrade_issues.htm">a separate page</a>.</p>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p> released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also corrected 1.2.3 rpm which you can download here</a>  and I have also
built an <a built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing the Netfilter 'mangle' table. You can correct the problem by installing
<a <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to rpm of iptables, you will need to specify the --oldpackage option to rpm
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to installed, simply use the "--nodeps" option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No in <li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li> /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall <li>if you are running Shorewall
1.3.6 you may install 1.3.6 you may install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result in Shorewall /etc/shorewall/nat entries of the following form will result in
being unable to start:<br> Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for The solution is to put "no" in the LOCAL column. Kernel support
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it.
2.4.19 kernel contains corrected support under a new kernel configuraiton The 2.4.19 kernel contains corrected support under a new kernel configuraiton
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 12/3/2002 - <p><font size="2"> Last updated 1/3/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>

6
STABLE/documentation/errata_1.htm
View File

@ -207,9 +207,9 @@ ignored<br>
<a href="support.htm">Tom Eastep</a></font> <a href="support.htm">Tom Eastep</a></font>
</p> </p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <p align="left"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> <font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
</body> </body>
</html> </html>

4
STABLE/documentation/fallback.htm
View File

@ -70,5 +70,5 @@ type &quot;rpm -e shorewall&quot;.</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <p><font size="2">Last updated 3/26/2001 - </font><font size="2">
<a href="support.htm">Tom <a href="support.htm">Tom
Eastep</a></font> </p> Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>

97
STABLE/documentation/gnu_mailman.htm
View File

@ -1,76 +1,79 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>GNU Mailman</title> <title>GNU Mailman</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy <h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy
Way</font></h1> Way</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h1 align="center"> </h1> <h1 align="center"> </h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael <h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4> Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br> <p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br> <br>
A: Mailman uses a setgid wrapper that is designed to be used in system-wide A: Mailman uses a setgid wrapper that is designed to be used in system-wide
aliases file so that rest of mailman's mail handling processes will run aliases file so that rest of mailman's mail handling processes will run
with proper uid/gid. Postfix has an ability to run a command specified in with proper uid/gid. Postfix has an ability to run a command specified in
an alias as owner of that alias, thus mailman's wrapper is not needed here. an alias as owner of that alias, thus mailman's wrapper is not needed here.
The best method to invoke mailman's mail handling via aliases is to use The best method to invoke mailman's mail handling via aliases is to use
separate alias file especially for mailman, and made it owned by mailman separate alias file especially for mailman, and made it owned by mailman
and group mailman. Like:<br> and group mailman. Like:<br>
<br> <br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br> alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br> <br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this may Make sure that /var/mailman/aliases.db is owned by mailman user (this
be done by executing postalias as mailman userid).<br> may be done by executing postalias as mailman userid).<br>
<br> <br>
Next, instead of using mailman-suggested aliases entries with wrapper, use Next, instead of using mailman-suggested aliases entries with wrapper,
the following:<br> use the following:<br>
<br> <br>
instead of<br> instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br> mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br> mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br> mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
...<br> ...<br>
<br> <br>
use<br> use<br>
mailinglist: /var/mailman/scripts/post mailinglist<br> mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br> mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br> mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p> ...</p>
<h4>The Shorewall mailing lists are currently running Postfix 1.1.11 together <h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something
with the stock RedHat Mailman-2.0.13 RPM configured as shown above.</h4> very similar so that no workaround is necessary. See the README.POSTFIX file
included with Mailman-2.1. </h4>
<p align="left"><font size="2">Last updated 9/14/2002 - <a
<p align="left"><font size="2">Last updated 12/29/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br> <br>
<br>
</body> </body>
</html> </html>

BIN
STABLE/documentation/images/cache_now.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 493 B

BIN
STABLE/documentation/images/squidnow.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

4
STABLE/documentation/kernel.htm
View File

@ -142,5 +142,5 @@ the options selected above built as modules:</p>
<p><font size="2">Last updated 3/10/2002 - </font><font size="2"> <p><font size="2">Last updated 3/10/2002 - </font><font size="2">
<a href="support.htm">Tom <a href="support.htm">Tom
Eastep</a></font> </p> Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>

388
STABLE/documentation/mailing_list.htm
View File

@ -1,124 +1,138 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title> <title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="33%" valign="middle">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a><a href="http://www.gnu.org/software/mailman/mailman.html"> </a></h1>
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5"
width="110" height="35">
</a><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115"
height="45">
</a><font color="#ffffff">Shorewall Mailing Lists<a
href="http://www.inter7.com/courierimap/"><img
src="images/courier-imap.png" alt="Courier-Imap" width="100"
height="38" align="right">
</a></font></h1>
<p align="right"><font color="#ffffff"><b><br>
</b></font></p> <h1 align="center"><a
href="http://www.gnu.org/software/mailman/mailman.html"> <img
<p align="right"><font color="#ffffff"><b><br> border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
Powered by Postfix     </b></font> </p> height="35" alt="">
</td> </a></h1>
</tr>
<p align="right"><br>
</tbody> <font color="#ffffff"><b>   </b></font> </p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td>
<td valign="middle" width="33%">
<h1 align="center"><a href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115"
height="45" alt="(Postfix Logo)">
</a></h1>
<br>
<div align="right"><br>
<b><font color="#ffffff">Powered by Postfix    </font></b><br>
</div>
</td>
</tr>
</tbody>
</table> </table>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
<h2 align="left">Not getting List Mail? -- <a <h2 align="left">Not getting List Mail? -- <a
href="mailing_list_problems.htm">Check Here</a></h2> href="mailing_list_problems.htm">Check Here</a></h2>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p> at hp dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0" <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
src="images/but3.png" hspace="3" width="88" height="31"> href="http://osirusoft.com/"> </a></h2>
 </a><a href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy
<p>Before subscribing please read my <a href="spam_filters.htm">policy about list traffic that bounces.</a> Also please note that the mail server
about list traffic that bounces.</a> Also please note that the mail server at shorewall.net checks incoming mail:<br>
at shorewall.net checks incoming mail:<br> </p>
</p>
<ol>
<li>against the open relay databases at <a
href="http://ordb.org">ordb.org.</a></li>
<li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is a valid
fully-qualified DNS name.</li>
</ol>
<h2>Please post in plain text</h2>
While the list server here at shorewall.net accepts and distributes HTML
posts, a growing number of MTAs serving list subscribers are rejecting this
HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse"!!<br>
<br>
I think that blocking all HTML is a rather draconian way to control spam
and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
can help by restricting your list posts to plain text.<br>
<br>
And as a bonus, subscribers who use email clients like pine and mutt will
be able to read your plain text posts whereas they are most likely simply
ignoring your HTML posts.<br>
<br>
A final bonus for the use of HTML is that it cuts down the size of messages
by a large percentage -- that is important when the same message must be
sent 500 times over the slow DSL line connecting the list server to the internet.<br>
<h2></h2>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch"> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a>
<p> <font size="-1"> Match: (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li>
<li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record
in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is
a valid fully-qualified DNS name that resolves.</li>
</ol>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in list
posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam and
that the ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote
to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from outgoing
posts. This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
<h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your e-mail
admin may be blocking mail whose <i>Received:</i> headers contain the names
of certain ISPs. Again, I believe that such policies hurt more than they
help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2>
<form method="post" action="http://mail.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -127,120 +141,130 @@ sent 500 times over the slow DSL line connecting the list server to the internet
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> <input </font> <input type="hidden" name="config" value="htdig">
type="hidden" name="restrict" <input type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words"
type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire <h2 align="left"><font color="#ff0000">Please do not try to download the
Archive -- its 75MB (and growing daily) and my slow DSL line simply won't entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
stand the traffic. If I catch you, you'll be blacklisted.<br> won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline Firewall If you want to trust X.509 certificates issued by Shoreline
(such as the one used on my web site), you may <a Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you in your browser. If you don't wish to trust my certificates then you
can either use unencrypted access when subscribing to Shorewall mailing can either use unencrypted access when subscribing to Shorewall mailing
lists or you can use secure access (SSL) and accept the server's certificate lists or you can use secure access (SSL) and accept the server's certificate
when prompted by your browser.<br> when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information of general to get answers to questions and to report problems. Information of
interest to the Shorewall user community is also posted to this list.</p> general interest to the Shorewall user community is also posted to this
list.</p>
<p align="left"><b>Before posting a problem report to this list, please see
the <a href="support.htm">problem reporting guidelines</a>.</b></p> <p align="left"><b>Before posting a problem report to this list, please see
the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-users" href="https://mail.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p> target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-users</a></p>
<p align="left">To post to the list, post to <a <p align="left">To post to the list, post to <a
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p> href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://mail.shorewall.net/pipermail/shorewall-users/index.html">http://mail.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted <p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that <a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
list may be found at <a may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe, go to <a Shorewall community. To subscribe, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a> href="http://mail.shorewall.net/mailman/listinfo/shorewall-announce">http://mail.shorewall.net/mailman/listinfo/shorewall-announce</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-announce" href="https://mail.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br> target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-announce.<br>
</a><br> </a><br>
The list archives are at <a The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://mail.shorewall.net/pipermail/shorewall-announce">http://mail.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list, go to <a <p align="left">To subscribe to the mailing list, go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a> href="http://mail.shorewall.net/mailman/listinfo/shorewall-devel">http://mail.shorewall.net/mailman/listinfo/shorewall-devel</a>
SSL: <a SSL: <a
href="https://www.shorewall.net/mailman/listinfo/shorewall-devel" href="https://mail.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br> target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
To post to the list, post to <a To post to the list, post to <a
href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p> href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://mail.shorewall.net/pipermail/shorewall-devel">http://mail.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists. To unsubscribe:</p> from Mailman-managed lists although Mailman 2.1 has attempted to make
this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe
to the list.</p> <p align="left">Follow the same link above that you used to subscribe
</li> to the list.</p>
<li> </li>
<p align="left">Down at the bottom of that page is the following text: <li>
"To change your subscription (set options like digest and delivery
modes, get a reminder of your password, <b>or unsubscribe</b> from <p align="left">Down at the bottom of that page is the following text:
&lt;name of list&gt;), enter your subscription email address:". Enter " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
your email address in the box and click on the "Edit Options" button.</p> reminder, or change your subscription options enter your subscription
</li> email address:". Enter your email address in the box and click
<li> on the "<b>Unsubscribe</b> or edit options" button.</p>
<p align="left">There will now be a box where you can enter your password </li>
and click on "Unsubscribe"; if you have forgotten your password, there <li>
is another button that will cause your password to be emailed to you.</p>
</li> <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, there
is another button that will cause your password to be emailed to you.</p>
</li>
</ul> </ul>
<hr> <hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2> <h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 12/27/2002 - <a <p align="left"><font size="2">Last updated 12/31/2002 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

15
STABLE/documentation/mailing_list_problems.htm
View File

@ -40,21 +40,10 @@
<p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a <p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font <p align="left"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p> size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></p>
<p align="left"> </p> <p align="left"> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

250
STABLE/documentation/myfiles.htm
View File

@ -1,134 +1,144 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>My Shorewall Configuration</title> <title>My Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1> <h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table>
<blockquote> </blockquote>
<h1>My Current Network </h1>
<blockquote> </tbody>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180). </table>
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet <blockquote> </blockquote>
<h1>My Current Network </h1>
<blockquote>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>I</small></b></big><big><b><small>
use a combination of Static NAT and Proxy ARP, neither of which are relevant
to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see here won't
apply to your setup so beware of copying parts of this configuration and
expecting them to work for you. They may or may not work in your setup. </small></b></big><br>
</p>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). </p> 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). </p>
<p> I use:<br> <p> I use:<br>
</p> </p>
<ul> <ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5 <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li> and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two IP <li>Proxy ARP for wookie (my Linux System). This system has two
addresses: 192.168.1.3/24 and 206.124.146.179/24.</li> IP addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) for  <li>SNAT through the primary gateway address (206.124.146.176)
my Wife's system (tarry) and the Wireless Access Point (wap)</li> for  my Wife's system (tarry) and the Wireless Access Point (wap)</li>
</ul> </ul>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p> <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its <p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p> own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable. <p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through and is managed by Proxy ARP. It connects to the local network through
the PopTop server running on my firewall. </p> the PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix, <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
(Pure-ftpd). The system also runs fetchmail to fetch our email from our (Pure-ftpd). The system also runs fetchmail to fetch our email from
old and current ISPs. That server is managed through Proxy ARP.</p> our old and current ISPs. That server is managed through Proxy ARP.</p>
<p> The firewall system itself runs a DHCP server that serves the local <p> The firewall system itself runs a DHCP server that serves the local
network.</p> network.</p>
<p> All administration and publishing is done using ssh/scp.</p> <p> All administration and publishing is done using ssh/scp.</p>
<p> I run an SNMP server on my firewall to serve <a <p> I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
in the DMZ.</p> in the DMZ.</p>
<p align="center"> <img border="0" <p align="center"> <img border="0"
src="images/network.png" width="764" height="846"> src="images/network.png" width="764" height="846">
</p> </p>
<p> </p> <p> </p>
<p>The ethernet interface in the Server is configured <p>The ethernet interface in the Server is configured
with IP address 206.124.146.177, netmask with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is 255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same 206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall, default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because 206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see of the entry in /etc/shorewall/proxyarp (see
below).</p> below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which <p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).</p> interfaces to my laptop (206.124.146.180).<br>
</p>
<p><font color="#ff0000" size="5"> Note: My files
use features not available before Shorewall <p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
version 1.3.4.</font></p> access.<br>
</blockquote> </p>
<p><font color="#ff0000" size="5"></font></p>
</blockquote>
<h3>Shorewall.conf</h3> <h3>Shorewall.conf</h3>
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre> <pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre>
<h3>Zones File:</h3> <h3>Zones File:</h3>
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
<h3>Interfaces File: </h3> <h3>Interfaces File: </h3>
<blockquote> <blockquote>
<p> This is set up so that I can start the firewall before bringing up <p> This is set up so that I can start the firewall before bringing up my
my Ethernet interfaces. </p> Ethernet interfaces. </p>
</blockquote> </blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Hosts File: </h3> <h3>Hosts File: </h3>
<pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS<br> me eth2:192.168.1.3,eth2:206.124.146.179<br> tx texas:192.168.9.0/24<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS<br> me eth2:192.168.1.3,eth2:206.124.146.179<br> tx texas:192.168.9.0/24<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
<h3>Routestopped File:</h3> <h3>Routestopped File:</h3>
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)<br> eth1 206.124.146.177<br> eth2 -<br> eth3 206.124.146.180</font></pre> <pre><font face="Courier" size="2"> #INTERFACE HOST(S)<br> eth1 206.124.146.177<br> eth2 -<br> eth3 206.124.146.180</font></pre>
<h3>Common File: </h3> <h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br> run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre> <pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre>
<h3>Policy File:</h3> <h3>Policy File:</h3>
<pre><font size="2" face="Courier"> <pre><font size="2" face="Courier">
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
me all ACCEPT me all ACCEPT
@ -136,40 +146,42 @@ my Ethernet interfaces. </p>
all me CONTINUE #<font all me CONTINUE #<font
color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br> </font>#<font color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br> </font>#<font
color="#ff0000"> this policy to work as expected!!!</font> <br> loc loc ACCEPT<br> loc net ACCEPT<br> $FW loc ACCEPT<br> $FW tx ACCEPT<br> loc tx ACCEPT<br> loc fw REJECT<br> net net ACCEPT<br> net all DROP info 10/sec:40<br> all all REJECT info<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre> color="#ff0000"> this policy to work as expected!!!</font> <br> loc loc ACCEPT<br> loc net ACCEPT<br> $FW loc ACCEPT<br> $FW tx ACCEPT<br> loc tx ACCEPT<br> loc fw REJECT<br> net net ACCEPT<br> net all DROP info 10/sec:40<br> all all REJECT info<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
<h3>Masq File: </h3> <h3>Masq File: </h3>
<blockquote> <blockquote>
<p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with <p> Although most of our internal systems use static NAT, my wife's system
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p> (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
</blockquote> laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre> <pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>NAT File: </h3> <h3>NAT File: </h3>
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL<br> 206.124.146.178 eth0 192.168.1.5 No No<br> 206.124.146.179 eth0 192.168.1.3 No No<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre> <pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL<br> 206.124.146.178 eth0 192.168.1.5 No No<br> 206.124.146.179 eth0 192.168.1.3 No No<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>Proxy ARP File:</h3> <h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font <pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font
face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br></font><font face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br></font><pre><font
face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre></pre>
<h3>Rules File (The shell variables <h3>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):</h3>
are set in /etc/shorewall/params):</h3>
<pre><small> #TYPE          ZONE    GATEWAY</small><small> <br> gre             net     $TEXAS</small><small><br> #LAST LINE -- DO NOT REMOVE<br></small></pre>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Rules File (The shell variables
<p><font size="2"> Last updated 10/14/2002 - </font><font size="2"> are set in /etc/shorewall/params):</h3>
<a href="support.htm">Tom Eastep</a></font>
</p> <pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> ACCEPT net loc:192.168.1.5 tcp 1723<br> ACCEPT net loc:192.168.1.5 gre<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> <p><font size="2"> Last updated 1/12/2003 - </font><font size="2">
<br> <a href="support.htm">Tom Eastep</a></font>
<br> </p>
<br> <a href="copyright.htm"><font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> <br>
</body> </body>
</html> </html>

12
STABLE/documentation/ping.html
View File

@ -26,11 +26,11 @@ way. This page describes how it now works.<br>
There are several aspects to Shorewall Ping management:<br> There are several aspects to Shorewall Ping management:<br>
<ol> <ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a <li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a <li>The <b>FORWARDPING</b> option in<a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li> href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a <li>Explicit rules in <a
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol> </ol>
There are two cases to consider:<br> There are two cases to consider:<br>
<ol> <ol>
@ -81,10 +81,10 @@ then the request is responded to with an ICMP echo-reply.</li>
is either rejected or simply ignored.</li> is either rejected or simply ignored.</li>
</ol> </ol>
<p><font size="2">Updated 12/13/2002 - <a <p><font size="2">Updated 12/13/2002 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p> href="support.htm">Tom Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br> <br>
</body> </body>
</html> </html>

4
STABLE/documentation/ports.htm
View File

@ -187,8 +187,8 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
<p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a <p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
<br> <br>
<br> <br>
</body> </body>

527
STABLE/documentation/seattlefirewall_index.htm
View File

@ -5,6 +5,7 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -12,78 +13,86 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr>
<td width="100%" height="90"> <tr>
<td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3 - </a></i></font><font color="#ffffff">Shorewall 1.3
<font size="4">"<i>iptables made easy"</i></font></font></h1> - <font size="4">"<i>iptables made easy"</i></font></font></h1>
<div align="center"><a <div align="center"><a
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br> color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div>
<br>
</td> </div>
</tr> <br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr>
<td width="90%"> <tr>
<td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -93,7 +102,7 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
@ -106,26 +115,26 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br> General Public License</a> as published by the Free Software Foundation.<br>
<br> <br>
This program is distributed in the hope that it This program is distributed in the hope that
will be useful, but WITHOUT ANY WARRANTY; without it will be useful, but WITHOUT ANY WARRANTY;
even the implied warranty of MERCHANTABILITY or FITNESS without even the implied warranty of MERCHANTABILITY
FOR A PARTICULAR PURPOSE. See the GNU General Public or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
License for more details.<br> General Public License for more details.<br>
<br> <br>
You should have received a copy of the GNU General You should have received a copy of the GNU
Public License along with this program; if not, General Public License along with this program;
write to the Free Software Foundation, Inc., 675 if not, write to the Free Software Foundation,
Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -134,8 +143,8 @@ License for more details.<br>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -144,23 +153,27 @@ License for more details.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have a LEAF </a>Jacques Nilo and Eric Wolzak have
(router/firewall/gateway on a floppy, CD or compact flash) distribution a LEAF (router/firewall/gateway on a floppy, CD or compact
called <i>Bering</i> that features Shorewall-1.3.10 flash) distribution called <i>Bering</i> that
and Kernel-2.4.18. You can find their work at: features Shorewall-1.3.10 and Kernel-2.4.18. You
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> can find their work at: <a
</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.0 Final!!! </b><br> Bering 1.0 Final!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge <h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -173,7 +186,8 @@ Bering 1.0 Final!!! </b><br>
<h2>News</h2> <h2>News</h2>
@ -182,194 +196,295 @@ Bering 1.0 Final!!! </b><br>
<h2></h2> <h2></h2>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b><br>
</p>
<p> Features include:<br> <p>Just includes a few things that I had on the burner:<br>
</p> </p>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
and tcstart).</li> file. DNAT- is intended for advanced users who wish to minimize the number
<li>"shorewall debug [re]start" now turns off debugging after an of rules that connection requests must traverse.<br>
error occurs. This places the point of the failure near the end of the <br>
trace rather than up in the middle of it.</li> A Shorewall DNAT rule actually generates two iptables rules: a header rewriting
<li>"shorewall [re]start" has been speeded up by more than 40% with rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT-
my configuration. Your milage may vary.</li> rule only generates the first of these rules. This is handy when you have
<li>A "shorewall show classifiers" command has been added which shows several DNAT rules that would generate the same ACCEPT rule.<br>
the current packet classification filters. The output from this command <br>
is also added as a separate page in "shorewall monitor"</li>    Here are three rules from my previous rules file:<br>
<li>ULOG (must be all caps) is now accepted as a valid syslog level <br>
and causes the subject packets to be logged using the ULOG target rather         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
than the LOG target. This allows you to run ulogd (available from <a         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
and log all Shorewall messages <a <br>
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>    These three rules ended up generating _three_ copies of<br>
<li>If you are running a kernel that has a FORWARD chain in the mangle <br>
table ("shorewall show mangle" will show you the chains in the mangle table),          ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
you can set MARK_IN_FORWARD_CHAIN=Yes in <a <br>
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking    By writing the rules this way, I end up with only one copy of the ACCEPT
input packets based on their destination even when you are using Masquerading rule.<br>
or SNAT.</li> <br>
<li>I have cluttered up the /etc/shorewall directory with empty 'init',         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
'start', 'stop' and 'stopped' files. If you already have a file with one         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
of these names, don't worry -- the upgrade process won't overwrite your file.</li>         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a <br>
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies </li>
the syslog level at which packets are logged as a result of entries in the <li>The 'shorewall check' command now prints out the applicable policy
/etc/shorewall/rfc1918 file. Previously, these packets were always logged between each pair of zones.<br>
at the 'info' level.<br> <br>
</li>
<li>A new CLEAR_TC option has been added to shorewall.conf. If this
option is set to 'No' then Shorewall won't clear the current traffic control
rules during [re]start. This setting is intended for use by people that prefer
to configure traffic shaping when the network interfaces come up rather than
when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
your traffic shaping rules can still use the 'fwmark' classifier based on
packet marking defined in /etc/shorewall/tcrules.<br>
<br>
</li>
<li>A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf
setting.<br>
</li> </li>
</ol> </ol>
<p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
</b></p>
<p><b>Until further notice, I will not be involved in either Shorewall
Development or Shorewall Support</b></p>
<p><b>-Tom Eastep</b><br>
</p>
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
</b></p>
<p> Features include:<br>
</p>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of
the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than
40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added
which shows the current packet classification filters. The output from
this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target
rather than the LOG target. This allows you to run ulogd (available from
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a href="shorewall_logging.html">to a
separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain
in the mangle table ("shorewall show mangle" will show you the chains
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading
or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with
empty 'init', 'start', 'stop' and 'stopped' files. If you already have
a file with one of these names, don't worry -- the upgrade process won't
overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in
the /etc/shorewall/rfc1918 file. Previously, these packets were always
logged at the 'info' level.<br>
</li>
</ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p> </p>
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL This version corrects a problem with Blacklist logging. In Beta
was set to anything but ULOG, the firewall would fail to start and "shorewall 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would
refresh" would also fail.<br> fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br> <p> You may download the Beta from:<br>
</p> </p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p> </b></p>
The first public Beta version of Shorewall 1.3.12 is now available (Beta The first public Beta version of Shorewall 1.3.12 is now available
1 was made available to a limited audience). <br> (Beta 1 was made available to a limited audience). <br>
<br> <br>
Features include:<br> Features include:<br>
<br> <br>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping rules <li>"shorewall refresh" now reloads the traffic shaping
(tcrules and tcstart).</li> rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after <li>"shorewall debug [re]start" now turns off debugging
an error occurs. This places the point of the failure near the end of the after an error occurs. This places the point of the failure near the
trace rather than up in the middle of it.</li> end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than 40% <li>"shorewall [re]start" has been speeded up by more
with my configuration. Your milage may vary.</li> than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added which <li>A "shorewall show classifiers" command has been
shows the current packet classification filters. The output from this command added which shows the current packet classification filters. The output
is also added as a separate page in "shorewall monitor"</li> from this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog <li>ULOG (must be all caps) is now accepted as a valid
level and causes the subject packets to be logged using the ULOG target syslog level and causes the subject packets to be logged using the ULOG
rather than the LOG target. This allows you to run ulogd (available from target rather than the LOG target. This allows you to run ulogd (available
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a and log all Shorewall messages <a href="shorewall_logging.html">to a
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li> separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain in <li>If you are running a kernel that has a FORWARD chain
the mangle table ("shorewall show mangle" will show you the chains in the in the mangle table ("shorewall show mangle" will show you the chains
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
This allows for marking input packets based on their destination even when This allows for marking input packets based on their destination even
you are using Masquerading or SNAT.</li> when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with empty <li>I have cluttered up the /etc/shorewall directory
'init', 'start', 'stop' and 'stopped' files. If you already have a file with empty 'init', 'start', 'stop' and 'stopped' files. If you already
with one of these names, don't worry -- the upgrade process won't overwrite have a file with one of these names, don't worry -- the upgrade process
your file.</li> won't overwrite your file.</li>
</ol> </ol>
You may download the Beta from:<br> You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png" href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="21" border="0"> alt="Powered by Mandrake Linux" width="150" height="21" border="0">
</a></b></p> </a></b></p>
Shorewall is at the center of MandrakeSoft's recently-announced <a Shorewall is at the center of MandrakeSoft's recently-announced
<a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br> release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b> <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p> </b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in delivered. I have installed 9.0 on one of my systems and I am now
a position to support Shorewall users who run Mandrake 9.0.</p> in a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br> <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
</p> </p>
<p>Apt-get sources listed at <a <p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b> <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p> </b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
who don't need rules of this type need not upgrade to 1.3.11.</p> users who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b> <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p> </p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b> <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p> </b></p>
<p>In this version:</p> <p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible
with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error.
fw-&gt;fw rules generate a warning and are ignored</li>
<ul>
<li>A 'tcpflags' option has been added to
entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the
SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified) and
it does not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command
is now compatible with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup
error. fw-&gt;fw rules generate a warning and are ignored</li>
</ul> </ul>
<p><b></b><a href="News.htm">More News</a></p> <p><b></b><a href="News.htm">More News</a></p>
@ -379,48 +494,53 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c" valign="top"
align="center"> <a href="http://sourceforge.net">M</a></td> align="center"> <a href="http://sourceforge.net">M</a></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;"> <tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
   
</a></p> </a></p>
@ -428,28 +548,31 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr>
</tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 1/13/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br> <br>
</body> </body>

161
STABLE/documentation/shoreline.htm
View File

@ -1,124 +1,125 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/TomNTarry.png" <p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392"> alt="Tom on the PCT - 1991" width="316" height="392">
</p> </p>
<p align="center">Tarry &amp; Tom -- August 2002<br> <p align="center">Tarry &amp; Tom -- August 2002<br>
<br> <br>
</p> </p>
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li> State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - (now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
present</li> present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p>
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also
has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a WINS
server. This system also has <a href="http://www.vmware.com/">VMware</a>
installed and can run both <a href="http://www.debian.org">Debian
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  -
Email (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS
server (Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.11  and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
work system.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known as
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
on what I learned from Seattle Firewall, I then designed and wrote
Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p>
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
Serves as a PPTP server for Road Warrior access. Also has <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a
WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run
both <a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Email (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd),
DNS server (Bind).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.12+  and a
DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
work system.</li>
</ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p> <p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
<p>All of our other systems are made by <a <p>All of our other systems are made by <a
href="http://www.compaq.com">Compaq</a> (part of the new <a href="http://www.compaq.com">Compaq</a> (part of the new <a
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
href="http://www.netgear.com">Netgear</a> FA310TXs.</p> href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0" </a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31"> src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img </a><font size="4"><a href="http://www.apache.org"><img
border="0" src="images/apache_pb1.gif" hspace="2" width="170" border="0" src="images/apache_pb1.gif" hspace="2" width="170"
height="20"> height="20">
</a><a href="http://www.mandrakelinux.com"><img </a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90" src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32"> height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall" </a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4"> width="125" height="40" hspace="4">
</font></p> </font></p>
<p><font size="2">Last updated 12/7/2002 - </font><font size="2"> <a <p><font size="2">Last updated 1/7/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font <font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
<br> M. Eastep.</font></a></font><br>
<br>
</body> </body>
</html> </html>

156
STABLE/documentation/shorewall_logging.html Executable file
View File

@ -0,0 +1,156 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Logging</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
<i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
debug<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
notice<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
warning<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
err<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
crit<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
alert<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are unsure
of the level to choose, 6 (info) is a safe bet. You may specify levels
by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs
to log files is done in /etc/syslog.conf (5). If you make changes to this
file, you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also specify
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which will
send them to a process called 'ulogd'. The ulogd program is available from
http://www.gnumonks.org/projects/ulogd and can be configured to log all
Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from
syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely
no effect on your Shorewall logging (except for Shorewall status messages
which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first six steps on another system then either NFS mount
your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system
may need something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the policy,
rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and
"monitor" commands.<br>
<p><font size="2"> Updated 1/11/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
</body>
</html>

402
STABLE/documentation/shorewall_quickstart_guide.htm
View File

@ -1,268 +1,288 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
Version 3.1</font></h1> <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
</td> (HOWTO's)<br>
</tr> Version 3.1</font></h1>
</td>
</tbody> </tr>
</tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that <p align="center">With thanks to Richard who reminded me once again that we
we must all first walk before we can run.</p> must all first walk before we can run.</p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall <p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p> in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li> <li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System <li><a href="two-interface.htm">Two-interface</a> Linux
acting as a firewall/router for a small local network</li> System acting as a firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux <li><a href="three-interface.htm">Three-interface</a> Linux
System acting as a firewall/router for a small local network and System acting as a firewall/router for a small local network and
a DMZ.</li> a DMZ.</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about Shorewall public IP addresses involved or if you want to learn more about Shorewall
than is explained in the single-address guides above.</b></p> than is explained in the single-address guides above.</b></p>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Introduction</a></li>
Concepts</a></li> <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Concepts</a></li>
Interfaces</a></li> <li><a href="shorewall_setup_guide.htm#Interfaces">3.0
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Network Interfaces</a></li>
Subnets and Routing</a> <li><a href="shorewall_setup_guide.htm#Addressing">4.0
Addressing, Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP <li><a href="shorewall_setup_guide.htm#Addresses">4.1
Addresses</a></li> IP Addresses</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol</a></li> Resolution Protocol</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li> 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a> up your Network</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li> <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> <li><a href="shorewall_setup_guide.htm#NonRouted">5.2
Non-routed</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li> <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li> SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
Proxy ARP</a></li> DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
NAT</a></li> Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li> Odds and Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li> Stopping the Firewall</a></li>
</ul> </ul>
<h2><a name="Documentation"></a>Documentation Index</h2> <h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p> to use this documentation directly.</p>
<ul> <ul>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration
file features</a>
<ul> <ul>
<li>Comments in configuration files</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Line Continuation</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Using DNS Names<br>
</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
<li>Logging<br>
</li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File Reference <li><a href="configuration_file_basics.htm">Common configuration
Manual</a> file features</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li><a href="configuration_file_basics.htm#Comments">Comments
<li><font color="#000099"><a in configuration files</a></li>
<li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#Ports">Port
Numbers/Service Names</a></li>
<li><a href="configuration_file_basics.htm#Ranges">Port
Ranges</a></li>
<li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a href="configuration_file_basics.htm#dnsnames">Using
DNS Names</a><br>
</li>
<li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a href="configuration_file_basics.htm#Configs">Shorewall
Configurations (making a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using
MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File Reference
Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li> href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li> href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li> href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li> href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li> href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li> <li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li> href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li> href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li> href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
to extend Shorewall without modifying Shorewall code)</li> (How to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li> <li><a href="shorewall_firewall_structure.htm">Firewall
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li> Structure</a></li>
<li><a href="configuration_file_basics.htm#Levels">Logging</a><br> <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
</li> <li><a href="shorewall_logging.html">Logging</a><br>
<li><a href="myfiles.htm">My Configuration Files</a> (How </li>
I personally use Shorewall)</li> <li><a href="MAC_Validation.html">MAC Verification</a><br>
<li><a href="ping.html">'Ping' Management</a><br> </li>
</li> <li><a href="myfiles.htm">My Configuration Files</a> (How I personally
<li><a href="ports.htm">Port Information</a> use Shorewall)</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br> <li>How to safely test a Shorewall configuration change<br>
</li> </li>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li> <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy with
<li>VPN Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
your firewall to a remote network.</li> your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White List <li><a href="whitelisting_under_shorewall.htm">White List
Creation</a></li> Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 1/9/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br> <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
</p> Eastep</font></a><br>
<br> </p>
<br>
<br>
<br> <br>
<br> <br>
</body> </body>

4065
STABLE/documentation/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

637
STABLE/documentation/sourceforge_index.htm
View File

@ -5,7 +5,7 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -13,36 +13,38 @@
<base target="_self"> <base
target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h1 align="center"> <font size="4"><i> <a <h1 align="center"> <font size="4"><i> <a
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3 - </a></i></font><font color="#ffffff">Shorewall
<font size="4">"<i>iptables made easy"</i></font></font><a 1.3 - <font size="4">"<i>iptables made
href="http://www.sf.net"> </a></h1> easy"</i></font></font><a href="http://www.sf.net"> </a></h1>
@ -50,32 +52,33 @@
<div align="center"><a href="/1.2/index.html" target="_top"><font <div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div> color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td> </td>
</tr> </tr>
</tbody>
</table>
<div align="center"> </tbody>
<center> </table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -83,7 +86,8 @@
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
@ -93,39 +97,12 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>The Shoreline Firewall, more commonly known as "Shorewall", is
it under the terms of <a a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General firewall that can be used on a dedicated firewall system, a multi-function
Public License</a> as published by the Free Software Foundation.<br> gateway/router/server or on a standalone GNU/Linux system.</p>
<br>
This program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.<br>
<br>
You should have received a copy of the GNU
General Public License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -134,8 +111,40 @@ Public License</a> as published by the Free Software Foundation.<br>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software Foundation.<br>
<br>
This program is distributed in the
hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
<br>
You should have received a copy of the
GNU General Public License along with this
program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -144,21 +153,21 @@ Public License</a> as published by the Free Software Foundation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak have </a>Jacques Nilo and Eric Wolzak
a LEAF (router/firewall/gateway on a floppy, CD or compact have a LEAF (router/firewall/gateway on a floppy, CD
flash) distribution called <i>Bering</i> that or compact flash) distribution called <i>Bering</i>
features Shorewall-1.3.10 and Kernel-2.4.18. You that features Shorewall-1.3.10 and Kernel-2.4.18.
can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the recent <b>Congratulations to Jacques and Eric on
release of Bering 1.0 Final!!! <br> the recent release of Bering 1.0 Final!!! <br>
</b> </b>
<h2>News</h2> <h2>News</h2>
@ -171,175 +180,319 @@ Public License</a> as published by the Free Software Foundation.<br>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
</b><br> src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p> </p>
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
was set to anything but ULOG, the firewall would fail to start and "shorewall <p>Just includes a few things that I had on the burner:<br>
refresh" would also fail.<br> </p>
<p> You may download the Beta from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
The first public Beta version of Shorewall 1.3.12 is now available (Beta
1 was made available only to a limited audience). <br>
<br>
Features include:<br>
<br>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping rules <li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
(tcrules and tcstart).</li> file. DNAT- is intended for advanced users who wish to minimize the number
<li>"shorewall debug [re]start" now turns off debugging after of rules that connection requests must traverse.<br>
an error occurs. This places the point of the failure near the end of the <br>
trace rather than up in the middle of it.</li> A Shorewall DNAT rule actually generates two iptables rules: a header rewriting
<li>"shorewall [re]start" has been speeded up by more than 40% rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT-
with my configuration. Your milage may vary.</li> rule only generates the first of these rules. This is handy when you have
<li>A "shorewall show classifiers" command has been added which several DNAT rules that would generate the same ACCEPT rule.<br>
shows the current packet classification filters. The output from this command <br>
is also added as a separate page in "shorewall monitor"</li>    Here are three rules from my previous rules file:<br>
<li>ULOG (must be all caps) is now accepted as a valid syslog <br>
level and causes the subject packets to be logged using the ULOG target rather         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
than the LOG target. This allows you to run ulogd (available from         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
and log all Shorewall messages <a <br>
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>    These three rules ended up generating _three_ copies of<br>
<li>If you are running a kernel that has a FORWARD chain in the <br>
mangle table ("shorewall show mangle" will show you the chains in the mangle          ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows <br>
for marking input packets based on their destination even when you are using    By writing the rules this way, I end up with only one copy of the ACCEPT
Masquerading or SNAT.</li> rule.<br>
<li>I have cluttered up the /etc/shorewall directory with empty <br>
'init', 'start', 'stop' and 'stopped' files. If you already have a file with         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
one of these names, don't worry -- the upgrade process won't overwrite your         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
file.</li>         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
<br>
</li>
<li>The 'shorewall check' command now prints out the applicable policy
between each pair of zones.<br>
<br>
</li>
<li>A new CLEAR_TC option has been added to shorewall.conf. If this
option is set to 'No' then Shorewall won't clear the current traffic control
rules during [re]start. This setting is intended for use by people that prefer
to configure traffic shaping when the network interfaces come up rather than
when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
your traffic shaping rules can still use the 'fwmark' classifier based on
packet marking defined in /etc/shorewall/tcrules.<br>
<br>
</li>
<li>A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf
setting.</li>
</ol> </ol>
You may download the Beta from:<br> <p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
</b></p>
<p><b>Until further notice, I will not be involved in either Shorewall
Development or Shorewall Support</b></p>
<p><b>-Tom Eastep</b><br>
</p>
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
</b></p>
<p> Features include:<br>
</p>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping rules
(tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging after
an error occurs. This places the point of the failure near the end of
the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more than
40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added
which shows the current packet classification filters. The output from
this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid syslog
level and causes the subject packets to be logged using the ULOG target
rather than the LOG target. This allows you to run ulogd (available from
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a href="shorewall_logging.html">to a
separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain
in the mangle table ("shorewall show mangle" will show you the chains
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
input packets based on their destination even when you are using Masquerading
or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory with
empty 'init', 'start', 'stop' and 'stopped' files. If you already have
a file with one of these names, don't worry -- the upgrade process won't
overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
the syslog level at which packets are logged as a result of entries in
the /etc/shorewall/rfc1918 file. Previously, these packets were always
logged at the 'info' level.</li>
</ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p>
This version corrects a problem with Blacklist logging. In Beta
2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would
fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p>
The first public Beta version of Shorewall 1.3.12 is now available
(Beta 1 was made available only to a limited audience). <br>
<br>
Features include:<br>
<br>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping
rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging
after an error occurs. This places the point of the failure near the
end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more
than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been
added which shows the current packet classification filters. The output
from this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid
syslog level and causes the subject packets to be logged using the ULOG
target rather than the LOG target. This allows you to run ulogd (available
from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a href="shorewall_logging.html">to a
separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD chain
in the mangle table ("shorewall show mangle" will show you the chains
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
This allows for marking input packets based on their destination even
when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory
with empty 'init', 'start', 'stop' and 'stopped' files. If you already
have a file with one of these names, don't worry -- the upgrade process
won't overwrite your file.</li>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png" href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="23" border="0"> alt="Powered by Mandrake Linux" width="150" height="23" border="0">
</a></b></p> </a></b></p>
Shorewall is at the center of MandrakeSofts's recently-announced <a Shorewall is at the center of MandrakeSofts's recently-announced
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi <a
Network Firewall (MNF)</a> product. Here is the <a href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press Network Firewall (MNF)</a> product. Here is the <a
release</a>.<br> href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now
in a position to support Shorewall users who run Mandrake 9.0.</p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now in a
position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br> <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
</p> </p>
<p>Apt-get sources listed at <a <p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users </b></p>
who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
documenation. the PDF may be downloaded from</p> with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
users who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
</b></p> documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b>
</b></p>
<p>In this version:</p> <p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been added to entries
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the SOURCE or
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
used, 'all' must appear by itself (in may not be qualified) and it does
not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command is now compatible
with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup error.
fw-&gt;fw rules generate a warning and are ignored</li>
<ul>
<li>A 'tcpflags' option has been added to
entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet
header flags.</li>
<li>It is now allowed to use 'all' in the
SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>.
When used, 'all' must appear by itself (in may not be qualified)
and it does not enable intra-zone traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc' to 'loc'.</li>
<li>Shorewall's use of the 'echo' command
is now compatible with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate a startup
error. fw-&gt;fw rules generate a warning and are ignored</li>
</ul> </ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
documenation. the PDF may be downloaded from</p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p> </p>
<p><b></b></p> <p><b></b></p>
<ul> <ul>
</ul> </ul>
<p><b></b><a href="News.htm">More News</a></p> <p><b></b><a href="News.htm">More News</a></p>
@ -349,61 +502,66 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<h2> </h2> <h2> </h2>
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1> </a></h1>
<h4> </h4> <h4> </h4>
<h2>This site is hosted by the generous folks at <a <h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2> href="http://www.sf.net">SourceForge.net</a> </h2>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c"
align="center"> <br> valign="top" align="center"> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
@ -411,12 +569,13 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -425,30 +584,32 @@ used, 'all' must appear by itself (in may not be qualified) and it does
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</tr>
</tbody>
</table> </table>
<p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 1/6/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
</body> </body>
</html> </html>

329
STABLE/documentation/starting_and_stopping_shorewall.htm
View File

@ -1,13 +1,13 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title> <title>Starting and Stopping Shorewall</title>
@ -15,231 +15,238 @@
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
</td> <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
</tr> </td>
</tr>
</tbody>
</tbody>
</table> </table>
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once
you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
2-5 and stop it in run levels 1 and 6. If you want to configure your
firewall differently from this default, you can use the "--level" option
in chkconfig (see "man chkconfig") or using your favorite graphical
run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li>
</ol>
<p>
</p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall" <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once
you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run
levels 2-5 and stop it in run levels 1 and 6. If you want to configure
your firewall differently from this default, you can use the "--level"
option in chkconfig (see "man chkconfig") or using your favorite
graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall in your
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
in that script.</li>
</ol>
<p>
</p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p> shell program: </p>
<ul> <ul>
<li>shorewall start - starts the firewall</li> <li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li> <li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running) <li>shorewall restart - stops the firewall (if it's running)
and then starts it again</li> and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters <li>shorewall reset - reset the packet and byte counters
in the firewall</li> in the firewall</li>
<li>shorewall clear - remove all rules and chains installed <li>shorewall clear - remove all rules and chains installed
by Shoreline Firewall</li> by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast <li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li> addresses of firewall interfaces and the black and white lists.</li>
</ul> </ul>
If you include the keyword <i>debug</i> as the first argument, then a shell
trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace</p>
<p> The "shorewall" program may also be used to monitor the firewall.</p> <p> The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about the firewall <li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li> (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <i>chain <li>shorewall show <i>chain</i> - produce a verbose report about
</i>(iptables -L <i>chain</i> -n -v)</li> <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table <li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li> (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle <li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li> table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li> <li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently <li>shorewall show connections - displays the IP connections currently
being tracked by the firewall.</li> being tracked by the firewall.</li>
<li>shorewall <li>shorewall
show show
tc - displays information tc - displays information
about the traffic control/shaping configuration.</li> about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall <li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li> changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall <li>shorewall hits - Produces several reports about the Shorewall
packet log messages in the current /var/log/messages file.</li> packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li> <li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of <li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files. <font size="4" the zones, interfaces, hosts, rules and policy files. <font
color="#ff6666"><b>The "check" command does not parse and validate the size="4" color="#ff6666"><b>The "check" command does not parse and validate
generated iptables commands so even though the "check" command completes the generated iptables commands so even though the "check" command
successfully, the configuration may fail to start. See the recommended completes successfully, the configuration may fail to start. See the
way to make configuration changes described below. </b></font> </li> recommended way to make configuration changes described below. </b></font>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> </li>
] - Restart shorewall using the specified configuration and if an error <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
occurs or if the<i> timeout </i> option is given and the new configuration ] - Restart shorewall using the specified configuration and if an error
has been up for that many seconds then shorewall is restarted using the occurs or if the<i> timeout </i> option is given and the new configuration
standard configuration.</li> has been up for that many seconds then shorewall is restarted using
<li>shorewall deny, shorewall reject, shorewall accept and shorewall the standard configuration.</li>
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li> <li>shorewall deny, shorewall reject, shorewall accept and shorewall
<li>shorewall logwatch (added in version 1.3.2) - Monitors the save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall <li>shorewall logwatch (added in version 1.3.2) - Monitors the
messages are logged.</li> <a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.</li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter the contents Finally, the "shorewall" program may be used to dynamically alter the contents
of a zone.<br> of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
the specified interface (and host if included) from the specified zone.</li>
</ul>
<blockquote>Examples:<br>
<blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 <ul>
from interface ipsec0 to the zone vpn1<br> <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 specified interface (and host if included) to the specified zone.</li>
from interface ipsec0 from zone vpn1<br> <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
</blockquote> the specified interface (and host if included) from the specified zone.</li>
</blockquote>
</ul>
<blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and <p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
<b>shorewall try </b>commands allow you to specify which <a <b>shorewall try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a> href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p> to use:</p>
<blockquote> <blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> <p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p> shorewall try <i>configuration-directory</i></p>
</blockquote> </blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i> is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that . If the file is present in the <i>configuration-directory</i>, that file
file will be used; otherwise, the file in /etc/shorewall will be used.</p> will be used; otherwise, the file in /etc/shorewall will be used.</p>
<p> When changing the configuration of a production firewall, I recommend <p> When changing the configuration of a production firewall, I recommend
the following:</p> the following:</p>
<ul> <ul>
<li>mkdir /etc/test</li> <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li>cd /etc/test</li> <li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from /etc/shorewall <li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li> to . and change them here&gt;</li>
<li>shorewall -c . check</li> <li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li>&lt;correct any errors found by check and check again&gt;</li>
<li>/sbin/shorewall try .</li> <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall restart" <p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to start, to restore the old configuration. If the new configuration fails to start,
the "try" command will automatically start the old one for you.</p> the "try" command will automatically start the old one for you.</p>
<p> When the new configuration works then just </p> <p> When the new configuration works then just </p>
<ul> <ul>
<li>cp * /etc/shorewall</li> <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li>cd</li> <li><font color="#009900"><b>cd</b></font></li>
<li>rm -rf /etc/test</li> <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul> </ul>
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 1/9/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

471
STABLE/documentation/support.htm
View File

@ -2,121 +2,120 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title> <title>Support</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support<img <h1 align="center"><font color="#ffffff">Shorewall Support<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> <br> <p> <b><big><big><font color="#ff0000">Due to "Shorewall burnout", I am currently
<span style="font-weight: 400;"></span></p> not involved in either Shorewall development or Shorewall support. Nevertheless,
the mailing list is being ably manned by other Shorewall users.</font></big><span
<h2><big><font color="#ff0000"><b>I don't look at problems sent to me directly style="font-weight: 400;"></span></big></b></p>
but I try to spend some amount of time each day responding to problems
posted on the Shorewall mailing list.</b></font></big></h2> <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
<h2>Before Reporting a Problem</h2> <h2>Before Reporting a Problem</h2>
There are a number of sources for problem
<h3>T<b>here are a number of sources for problem solution information. Please solution information. Please try these before you post.
try these before you post.</b></h3>
<h3> </h3> <h3> </h3>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li>More than half of the questions posted on the support list
<h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common have answers directly accessible from the <a
problems.</b></h3> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br>
</li> </li>
<li> The <a href="FAQ.htm">FAQ</a>
has solutions to more than 20 common problems. </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li> The <a
<h3><b>The <a href="troubleshoot.htm">Troubleshooting</a> Information href="troubleshoot.htm">Troubleshooting</a> Information contains
contains a number of tips to help you solve common problems.</b></h3> a number of tips to help you solve common problems. </li>
</li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li> The <a
<h3><b>The <a href="errata.htm"> Errata</a> has links to download href="errata.htm"> Errata</a> has links to download updated
updated components.</b></h3> components. </li>
</li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li> The Mailing List Archives
<h3><b>The Mailing List Archives search facility can locate posts search facility can locate posts about similar problems:
about similar problems:</b></h3> </li>
</li>
</ul> </ul>
<h2> </h2> <h2> </h2>
<h2>Mailing List Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<h2>Mailing List Archive Search</h2>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
<p> <font size="-1"> Match: <p> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -125,163 +124,239 @@
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30"
value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2>Problem Reporting Guidelines</h2> <h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a real-world example.  <i>"Let me see if I can translate your message into a real-world
It would be like saying that you have three rooms at home, and when you example. It would be like saying that you have three rooms at home,
walk into one of the rooms, you detect this strange smell.  Can anyone tell and when you walk into one of the rooms, you detect this strange smell.
you what that strange smell is?<br> Can anyone tell you what that strange smell is?<br>
<br> <br>
Now, all of us could do some wonderful guessing as to the smell and even Now, all of us could do some wonderful guessing as to the smell
what's causing it.  You would be absolutely amazed at the range and variety and even what's causing it. You would be absolutely amazed at the range
of smells we could come up with.  Even more amazing is that all of the explanations and variety of smells we could come up with. Even more amazing is that
for the smells would be completely plausible."<br> all of the explanations for the smells would be completely plausible."<br>
</i><br> </i><br>
<div align="center">   - Russell Mosemann<br> <div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
</div> </div>
<br> <br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li>Please remember we only know what is posted in your message. Do
<h3><b>When reporting a problem, give as much information as you can. not leave out any information that appears to be correct, or was mentioned
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</b></h3> in a previous post. There have been countless posts by people who were
</li> sure that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous practices
in writing and formatting your e-mail. Provide details that we need if
you expect good answers. <em>Exact quoting </em> of error messages, log
entries, command output, and other output is better than a paraphrase or
summary.<br>
<br>
</li>
<li> Please don't describe your environment
and then ask us to send you custom configuration files.
We're here to answer your questions but we can't do your
job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include this
information:</li>
</ul> </ul>
<ul>
<ul>
<li>the exact version of Shorewall you are running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
</b> <br>
</li>
</ul>
<ul>
<li>the exact kernel version you are running<br>
<br>
<font color="#009900"><b>uname -a<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip route show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>If your kernel is modularized, the exact output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses.<br>
<br>
</li>
</ul>
</ul>
<ul>
<li><b>NEVER </b>include the output of "<b><font color="#009900">iptables
-L</font></b>". Instead, please post the exact output of<br>
<br>
<b><font color="#009900">/sbin/shorewall status<br>
<br>
</font></b>Since that command generates a lot of output, we suggest
that you redirect the output to a file and attach the file to your post<br>
<br>
<b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
</li>
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<strong></strong></li>
</ul>
<ul>
</ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>
<h3><b>Please don't describe your environment and then ask us to send
you custom configuration files. We're here to answer your
questions but we can't do your job for you.</b></h3>
</li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li> Do you see any "Shorewall"
<h3><b>Do you see any "Shorewall" messages in /var/log/messages messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems?</b></h3> when you exercise the function that is giving you problems? If
</li> so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file)
that you think are relevant. If you include /etc/shorewall/rules,
please include /etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies). </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>
<h3><b>Have you looked at the packet flow with a tool like tcpdump
to try to understand what is going on?</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Have you tried using the diagnostic capabilities of the
application that isn't working? For example, if "ssh" isn't able
to connect, using the "-v" option gives you a lot of valuable diagnostic
information.</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>Please include any of the Shorewall configuration files (especially
the /etc/shorewall/hosts file if you have modified that file)
that you think are relevant.</b></h3>
</li>
<li>
<h3><b>If an error occurs when you try to "shorewall start", include
a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section
for instructions).</b></h3>
</li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc to the Mailing List -- your post
will be rejected.</b></h3>
</li>
</ul>
<h3> </h3>
<h2>Please post in plain text</h2>
<blockquote>
<h3><b> While the list server here at shorewall.net accepts and distributes
HTML posts, a growing number of MTAs serving list subscribers are rejecting
this HTML list traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse"!!</b></h3>
<h3><b> I think that blocking all HTML is a rather draconian way to control
spam and that the unltimate loser here is not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
help by restricting your list posts to plain text.</b></h3>
<h3><b> And as a bonus, subscribers who use email clients like pine and
mutt will be able to read your plain text posts whereas they are most likely
simply ignoring your HTML posts.</b></h3>
<h3><b> A final bonus for the use of HTML is that it cuts down the size
of messages by a large percentage -- that is important when the same message
must be sent 500 times over the slow DSL line connecting the list server
to the internet.</b> </h3>
</blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<h3></h3> </ul>
<blockquote> <h3> </h3>
<ul>
<li> If an error occurs when
you try to "<font color="#009900"><b>shorewall start</b></font>",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions). </li>
</ul>
<h3> </h3>
<ul>
<li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc. to the Mailing List -- your
post will be rejected.</b></h3>
</li>
</ul>
The author gratefully acknowleges that the above list was heavily plagiarized
from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> found
at <a href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
<h2>Please post in plain text</h2>
<blockquote> </blockquote>
A growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in list
posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control spam
and that the ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber
wrote to me privately "These e-mail admin's need to get a <i>(expletive
deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
Nevertheless, to allow subscribers to receive list posts as must as possible,
I have now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
list</a>.</span></h4> list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall
(MNF) and you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a>
<b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p> href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
</blockquote> </blockquote>
<p align="center"><big><font color="#ff0000"><b></b></font></big></p>
<p>To Subscribe to the mailing list go to <a <p>To Subscribe to the mailing list go to <a
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 1/9/2002 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br>
<br> <br>
<br>
</body> </body>
</html> </html>

477
STABLE/documentation/traffic_shaping.htm
View File

@ -1,293 +1,324 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title> <title>Traffic Shaping</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1> <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support <p align="left">Beginning with version 1.2.0, Shorewall has limited support
for traffic shaping/control. In order to use traffic shaping under Shorewall, for traffic shaping/control. In order to use traffic shaping under Shorewall,
it is essential that you get a copy of the <a it is essential that you get a copy of the <a
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>, href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
version 0.3.0 or later. You must also install the iproute (iproute2) package version 0.3.0 or later. You must also install the iproute (iproute2) package
to provide the "ip" and "tc" utilities.</p> to provide the "ip" and "tc" utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p> <p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul> <ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Shaping also requires that you enable packet mangling.<br> Traffic Shaping also requires that you enable packet mangling.</li>
</li> <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in Shorewall
<li>/etc/shorewall/tcrules - A file where you can specify firewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the setting of
marking of packets. The firewall mark value may be used to classify this variable determines whether Shorewall clears the traffic shaping configuration
packets for traffic shaping/control.<br> during Shorewall [re]start and Shorewall stop. <br>
</li> </li>
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced <li><b>/etc/shorewall/tcrules</b> - A file where you can specify
by Shorewall during "shorewall start" and which you can use to define firewall marking of packets. The firewall mark value may be used to
your traffic shaping disciplines and classes. I have provided a <a classify packets for traffic shaping/control.<br>
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does </li>
table-driven CBQ shaping but if you read the traffic shaping sections of <li><b>/etc/shorewall/tcstart </b>- A user-supplied file that
the HOWTO mentioned above, you can probably code your own faster than is sourced by Shorewall during "shorewall start" and which you can
you can learn how to use my sample. I personally use <a use to define your traffic shaping disciplines and classes. I have
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB provided a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a>
support may eventually become an integral part of Shorewall since that does table-driven CBQ shaping but if you read the traffic shaping
HTB is a lot simpler and better-documented than CBQ. As of 2.4.20, sections of the HOWTO mentioned above, you can probably code your
own faster than you can learn how to use my sample. I personally use
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall since
HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
HTB is a standard part of the kernel but iproute2 must be patched in HTB is a standard part of the kernel but iproute2 must be patched in
order to use it.<br> order to use it.<br>
<br> <br>
In tcstart, when you want to run the 'tc' utility, use the run_tc In tcstart, when you want to run the 'tc' utility, use the
function supplied by shorewall if you want tc errors to stop the firewall.<br> run_tc function supplied by shorewall if you want tc errors to stop
<br> the firewall.<br>
You can generally use off-the-shelf traffic shaping scripts by simply copying <br>
them to /etc/shorewall/tcstart. I use <a You can generally use off-the-shelf traffic shaping scripts by simply
copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If you modified it according to the Wonder Shaper README). <b>WARNING: </b>If you
use use Masquerading or SNAT (i.e., you only have one external IP address) use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br> address the IP addresss of your firewall's external interface.<br>
</li> </li>
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced <li><b>/etc/shorewall/tcclear</b> - A user-supplied file that
by Shorewall when it is clearing traffic shaping. This file is normally is sourced by Shorewall when it is clearing traffic shaping. This
not required as Shorewall's method of clearing qdisc and filter definitions file is normally not required as Shorewall's method of clearing qdisc
is pretty general.</li> and filter definitions is pretty general.</li>
</ul> </ul>
Shorewall allows you to start traffic shaping when Shorewall itself starts
or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic shaping
rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can mark packets
using entries in /etc/shorewall/tcrules.</li>
</ol>
To start traffic shaping when you bring up your network interfaces, you will
have to arrange for your traffic shaping configuration script to be run at
that time. How you do that is distribution dependent and will not be covered
here. You then should:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier, you
can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
<h3 align="left">Kernel Configuration</h3> <h3 align="left">Kernel Configuration</h3>
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p> <p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
<p align="center"><img border="0" src="images/QoS.png" width="590" <p align="center"><img border="0" src="images/QoS.png" width="590"
height="764"> height="764">
</p> </p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3> <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify <p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br> a means for specifying these marks in a tabular fashion.<br>
</p> </p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before <p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
<a href="Documentation.htm#Conf">shorewall.conf</a>.<br> <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p> </p>
<p align="left">Columns in the file are as follows:</p> <p align="left">Columns in the file are as follows:</p>
<ul> <ul>
<li>MARK - Specifies the mark value is to be assigned in case of <li>MARK - Specifies the mark value is to be assigned in case
a match. This is an integer in the range 1-255.<br> of a match. This is an integer in the range 1-255.<br>
<br> <br>
Example - 5<br> Example - 5<br>
</li> </li>
<li>SOURCE - The source of the packet. If the packet originates <li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses in comma-separated list of interface names, IP addresses, MAC addresses in
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br> <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br> <br>
Examples<br> Examples<br>
    eth0<br>     eth0<br>
    192.168.2.4,192.168.1.0/24<br>     192.168.2.4,192.168.1.0/24<br>
</li> </li>
<li>DEST -- Destination of the packet. Comma-separated list of <li>DEST -- Destination of the packet. Comma-separated list of
IP addresses and/or subnets.<br> IP addresses and/or subnets.<br>
</li> </li>
<li>PROTO - Protocol - Must be the name of a protocol from <li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br> /etc/protocol, a number or "all"<br>
</li> </li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port <li>PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges (e.g., 21:22); names (from /etc/services), port numbers or port ranges (e.g., 21:22);
if the protocol is "icmp", this column is interpreted as the destination if the protocol is "icmp", this column is interpreted as the
icmp type(s).<br> destination icmp type(s).<br>
</li> </li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
omitted, any source port is acceptable. Specified as a comma-separate omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li> list of port names, port numbers or port ranges.</li>
</ul> </ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked <p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with 2. with 1. All packets arriving on eth2 and eth3 should be marked with 2.
All packets originating on the firewall itself should be marked with 3.</p> All packets originating on the firewall itself should be marked with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>1</td> <td>1</td>
<td>eth1</td> <td>eth1</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>2</td> <td>2</td>
<td>eth2</td> <td>eth2</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">2<br> <td valign="top">2<br>
</td> </td>
<td valign="top">eth3<br> <td valign="top">eth3<br>
</td> </td>
<td valign="top">0.0.0.0/0<br> <td valign="top">0.0.0.0/0<br>
</td> </td>
<td valign="top">all<br> <td valign="top">all<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>3</td> <td>3</td>
<td>fw</td> <td>fw</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating <p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with on the firewall and destined for 155.186.235.151 should be marked with
12.</p> 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>12</td> <td>12</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td>47</td> <td>47</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 <p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p> and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>MARK</b></td> <td><b>MARK</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b>PROTO</b></td> <td><b>PROTO</b></td>
<td><b>PORT(S)</b></td> <td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td> <td><b>CLIENT PORT(S)</b></td>
</tr> </tr>
<tr> <tr>
<td>22</td> <td>22</td>
<td>192.168.1.0/24</td> <td>192.168.1.0/24</td>
<td>155.186.235.151</td> <td>155.186.235.151</td>
<td>tcp</td> <td>tcp</td>
<td>22</td> <td>22</td>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3>My Setup<br> <h3>My Setup<br>
</h3> </h3>
<p>While I am currently using the HTB version of <a <p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown in
README), I have also run with the following set of hand-crafted rules in the Wondershaper README), I have also run with the following set of hand-crafted
my tcstart file:<br> rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p> </p>
<blockquote> <blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre> <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre> <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
<pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre> <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre> <pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
<pre>echo "   Enabled PFIFO on Second Level Classes"</pre> <pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre> <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre> <pre>echo "   Defined fwmark filters"<br></pre>
</blockquote> </blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1 <p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at my <a href="myfiles.htm">network configuration</a> above. You can look at my <a href="myfiles.htm">network configuration</a>
to get an idea of why I wanted these particular rules.<br> to get an idea of why I wanted these particular rules.<br>
</p> </p>
<ol> <ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound from <li>I wanted to allow up to 140kbits/second for traffic outbound from
my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
can use all available bandwidth if there is no traffic from the local systems can use all available bandwidth if there is no traffic from the local systems
or from my laptop or firewall).</li> or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li> <li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.<br> <li>My firewall could use up to 20kbits/second.<br>
</li> </li>
</ol> </ol>
<p><font size="2">Last Updated 12/31/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

389
STABLE/documentation/troubleshoot.htm
View File

@ -1,234 +1,237 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall Troubleshooting</title> <title>Shorewall Troubleshooting</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90" src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle"> height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h3 align="left">Check the Errata</h3> <h3 align="left">Check the Errata</h3>
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be <p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
sure that there isn't an update that you are missing for your version sure that there isn't an update that you are missing for your version
of the firewall.</p> of the firewall.</p>
<h3 align="left">Check the FAQs</h3> <h3 align="left">Check the FAQs</h3>
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common <p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
problems.</p> problems.</p>
<h3 align="left">If the firewall fails to start</h3> <h3 align="left">If the firewall fails to start</h3>
If you receive an error message when starting or restarting the If you receive an error message when starting or restarting
firewall and you can't determine the cause, then do the following: the firewall and you can't determine the cause, then do the following:
<ul>
<li>Make a note of the error message that you see.<br>
</li>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log where
the error message you saw is generated -- in 99.9% of the cases, it will
not be near the end of the log because after startup errors, Shorewall goes
through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul>
Here's an example. During startup, a user sees the following:<br>
<blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote>
A search through the trace for "No chain/target/match by that name" turned
up the following: 
<blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus:
</p>
<ul>
<li>Port Forwarding where client and server are in the
same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given
the way that the Linux kernel respond to ARP "who-has" requests, this
type of setup does NOT work the way that you expect it to.</li>
</ul>
<h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
clutter to your rule set and they represent a big security hole in the event
that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall problem.
If you DO see packet messages, it may be an indication that you are missing
one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">LOGRATE=""<br>
LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the "all"-&gt;"all" REJECT policy
(see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
</ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53<br>
</p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br>
</p>
<h3 align="left">Other Gotchas</h3>
<ul> <ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or <li>Make a note of the error message that you see.<br>
FORWARD chains? This means that: </li>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you
determine what the problem is. Be sure you find the place in the log
where the error message you saw is generated -- in 99.9% of the cases, it
will not be near the end of the log because after startup errors, Shorewall
goes through a "shorewall stop" phase which will also be traced.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul>
Here's an example. During startup, a user sees the following:<br>
<blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote>
A search through the trace for "No chain/target/match by that name" turned
up the following: 
<blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular snafus:
</p>
<ul>
<li>Port Forwarding where client and server are in
the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch.
Given the way that the Linux kernel respond to ARP "who-has" requests,
this type of setup does NOT work the way that you expect it to.</li>
</ul>
<h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they
add clutter to your rule set and they represent a big security hole in
the event that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of
your best diagnostic tools - the "Shorewall" messages that Netfilter
will generate when you try to connect in a way that isn't permitted
by your rule set.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall
problem. If you DO see packet messages, it may be an indication that you
are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
<p align="left">LOGRATE=""<br>
LOGBURST=""</p>
<p align="left">This way, you will see all of the log messages being
generated (be sure to restart shorewall after clearing these variables).</p>
<p align="left">Example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the "all"-&gt;"all" REJECT
policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
</ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
is in the "loc" zone. I was missing the rule:</p>
<p align="left">ACCEPT    dmz    loc    udp    53<br>
</p>
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
about how to interpret the chain name appearing in a Shorewall log message.<br>
</p>
<h3 align="left">'Ping' Problems?</h3>
Either can't ping when you think you should be able to or are able to ping
when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
href="ping.html"> is described here</a>.<br>
<h3 align="left">Other Gotchas</h3>
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT or
FORWARD chains? This means that:
<ol> <ol>
<li>your zone definitions are screwed up and the host that is <li>your zone definitions are screwed up and the host that
sending the packets or the destination host isn't in any zone (using is sending the packets or the destination host isn't in any zone
an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file (using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
are you?); or</li> file are you?); or</li>
<li>the source and destination hosts are both connected to the <li>the source and destination hosts are both connected to
same interface and that interface doesn't have the 'multi' option the same interface and that interface doesn't have the 'multi'
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> option specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
</ol> </ol>
</li> </li>
<li>Remember that Shorewall doesn't automatically allow ICMP <li>Remember that Shorewall doesn't automatically allow ICMP
type 8 ("ping") requests to be sent between zones. If you want pings type 8 ("ping") requests to be sent between zones. If you want pings
to be allowed between zones, you need a rule of the form:<br> to be allowed between zones, you need a rule of the form:<br>
<br> <br>
    ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;        ACCEPT    &lt;source zone&gt;    &lt;destination zone&gt;   
icmp    echo-request<br> icmp    echo-request<br>
<br> <br>
The ramifications of this can be subtle. For example, if you The ramifications of this can be subtle. For example, if you
have the following in /etc/shorewall/nat:<br> have the following in /etc/shorewall/nat:<br>
<br> <br>
    10.1.1.2    eth0    130.252.100.18<br>     10.1.1.2    eth0    130.252.100.18<br>
<br> <br>
and you ping 130.252.100.18, unless you have allowed icmp type and you ping 130.252.100.18, unless you have allowed icmp type
8 between the zone containing the system you are pinging from and 8 between the zone containing the system you are pinging from and the
the zone containing 10.1.1.2, the ping requests will be dropped. This zone containing 10.1.1.2, the ping requests will be dropped. This is
is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li> true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface <li>If you specify "routefilter" for an interface, that interface
must be up prior to starting the firewall.</li> must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually <li>Is your routing correct? For example, internal systems usually
need to be configured with their default gateway set to the IP address need to be configured with their default gateway set to the IP address
of their nearest firewall interface. One often overlooked aspect of of their nearest firewall interface. One often overlooked aspect
routing is that in order for two hosts to communicate, the routing between of routing is that in order for two hosts to communicate, the routing
them must be set up <u>in both directions.</u> So when setting up routing between them must be set up <u>in both directions.</u> So when setting
between <b>A</b> and<b> B</b>, be sure to verify that the route from up routing between <b>A</b> and<b> B</b>, be sure to verify that the
<b>B</b> back to <b>A</b> is defined.</li> route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a <li>Some versions of LRP (EigerStein2Beta for example) have a
shell with broken variable expansion. <a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li> shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a <li>Do you have your kernel properly configured? <a
href="kernel.htm">Click here to see my kernel configuration.</a> </li> href="kernel.htm">Click here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is <li>Some features require the "ip" program. That program
generally included in the "iproute" package which should be included is generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li> .</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts <li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
then the zone must be entirely defined in /etc/shorewall/hosts unless then the zone must be entirely defined in /etc/shorewall/hosts unless
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
For example, if a zone has two interfaces but only one interface has For example, if a zone has two interfaces but only one interface has an
an entry in /etc/shorewall/hosts then hosts attached to the other interface entry in /etc/shorewall/hosts then hosts attached to the other interface
will <u>not</u> be considered part of the zone.</li> will <u>not</u> be considered part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all <li>Problems with NAT? Be sure that you let Shorewall add all
external addresses to be use with NAT unless you have set <a external addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li> href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
</ul> </ul>
<h3>Still Having Problems?</h3> <h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p> <p>See the<a href="support.htm"> support page.<br>
<font face="Century Gothic, Arial, Helvetica"> </a></p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote> <blockquote> </blockquote>
</font> </font>
<p><font size="2">Last updated 12/4/2002 - Tom Eastep</font> </p> <p><font size="2">Last updated 1/7/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

1560
STABLE/documentation/two-interface.htm
View File

File diff suppressed because it is too large Load Diff

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.3.12 VERSION=1.3.13
usage() # $1 = exit status usage() # $1 = exit status
{ {

124
STABLE/firewall
View File

@ -70,7 +70,7 @@ list_count() {
# #
# Mutual exclusion -- These functions are jackets for the mutual exclusion # Mutual exclusion -- These functions are jackets for the mutual exclusion
# routines in /usr/lib/shorewall/functions. They invoke # routines in $FUNCTIONS. They invoke
# the corresponding function in that file if the user did # the corresponding function in that file if the user did
# not specify "nolock" on the runline. # not specify "nolock" on the runline.
# #
@ -833,6 +833,11 @@ validate_rule() {
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
DNAT-)
target=ACCEPT
address=${address:=detect}
logtarget=DNAT
;;
REDIRECT) REDIRECT)
target=ACCEPT target=ACCEPT
address=${address:=all} address=${address:=all}
@ -983,6 +988,17 @@ validate_policy()
local zone1 local zone1
local pc local pc
local chain local chain
local policy
local loglevel
local synparams
print_policy() # $1 = source zone, $2 = destination zone
{
[ $command != check ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
}
all_policy_chains= all_policy_chains=
@ -1048,27 +1064,34 @@ validate_policy()
for zone1 in $zones $FW all; do for zone1 in $zones $FW all; do
eval pc=\$${zone}2${zone1}_policychain eval pc=\$${zone}2${zone1}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain eval ${zone}2${zone1}_policychain=$chain
print_policy $zone $zone1
fi
done done
done done
else else
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${zone}2${server}_policychain eval pc=\$${zone}2${server}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain eval ${zone}2${server}_policychain=$chain
print_policy $zone $server
fi
done done
fi fi
elif [ -n "$serverwild" ]; then elif [ -n "$serverwild" ]; then
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${client}2${zone}_policychain eval pc=\$${client}2${zone}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain eval ${client}2${zone}_policychain=$chain
print_policy $client $zone
fi
done done
else else
eval ${chain}_policychain=${chain} eval ${chain}_policychain=${chain}
print_policy $client $server
fi fi
done < $TMP_DIR/policy done < $TMP_DIR/policy
@ -1234,7 +1257,7 @@ stop_firewall() {
[ -n "$NAT_ENABLED" ] && delete_nat [ -n "$NAT_ENABLED" ] && delete_nat
delete_proxy_arp delete_proxy_arp
[ -n "$TC_ENABLED" ] && delete_tc [ -n "$CLEAR_TC" ] && delete_tc
setpolicy INPUT DROP setpolicy INPUT DROP
setpolicy OUTPUT DROP setpolicy OUTPUT DROP
@ -1344,12 +1367,18 @@ setup_tunnels() # $1 = name of tunnels file
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
else else
run_iptables -A $inchain -p udp -s $1 --dport 500 $options run_iptables -A $inchain -p udp -s $1 --dport 500 $options
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
fi fi
for z in `separate_list $3`; do for z in `separate_list $3`; do
if validate_zone $z; then if validate_zone $z; then
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options if [ $2 = ipsec ]; then
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
else
addrule ${z}2${FW} -p udp --dport 500 $options
addrule ${z}2${FW} -p udp --dport 4500 $options
fi
else else
error_message "Warning: Invalid gateway zone ($z)" \ error_message "Warning: Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" may encounter keying problems" " -- Tunnel \"$tunnel\" may encounter keying problems"
@ -1820,6 +1849,7 @@ setup_tc() {
# #
delete_tc() delete_tc()
{ {
clear_one_tc() { clear_one_tc() {
tc qdisc del dev $1 root 2> /dev/null tc qdisc del dev $1 root 2> /dev/null
tc qdisc del dev $1 ingress 2> /dev/null tc qdisc del dev $1 ingress 2> /dev/null
@ -1830,11 +1860,11 @@ delete_tc()
run_ip link list | \ run_ip link list | \
while read inx interface details; do while read inx interface details; do
case $inx in case $inx in
[0-9]*) [0-9]*)
clear_one_tc ${interface%:} clear_one_tc ${interface%:}
;; ;;
*) *)
;; ;;
esac esac
done done
} }
@ -1846,7 +1876,7 @@ refresh_tc() {
echo "Refreshing Traffic Control Rules..." echo "Refreshing Traffic Control Rules..."
delete_tc [ -n "$CLEAR_TC" ] && delete_tc
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
@ -2152,7 +2182,7 @@ add_a_rule()
add_nat_rule add_nat_rule
fi fi
if [ $chain != ${FW}2${FW} ]; then if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}" serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
@ -2229,14 +2259,23 @@ process_rule() # $1 = target
fi fi
logtarget="$target" logtarget="$target"
dnat_only=
# Convert 1.3 Rule formats to 1.2 format # Convert 1.3 Rule formats to 1.2 format
[ "x$address" = "x-" ] && address=
case $target in case $target in
DNAT) DNAT)
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
DNAT-)
target=ACCEPT
address=${address:=detect}
dnat_only=Yes
logtarget=DNAT
;;
REDIRECT) REDIRECT)
target=ACCEPT target=ACCEPT
address=${address:=all} address=${address:=all}
@ -2379,7 +2418,7 @@ process_rules() # $1 = name of rules file
while read xtarget xclients xservers xprotocol xports xcports xaddress; do while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "$xtarget" in case "$xtarget" in
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*) ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
expandv xclients xservers xprotocol xports xcports xaddress expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
@ -3233,7 +3272,7 @@ initialize_netfilter () {
run_iptables -t mangle -F && \ run_iptables -t mangle -F && \
run_iptables -t mangle -X run_iptables -t mangle -X
[ -n "$TC_ENABLED" ] && delete_tc [ -n "$CLEAR_TC" ] && delete_tc
run_user_exit init run_user_exit init
@ -3267,7 +3306,7 @@ initialize_netfilter () {
run_user_exit newnotsyn run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then if [ -n "$LOGNEWNOTSYN" ]; then
if [ "$LOGNEWNOTSYN" = ULOG ]; then if [ "$LOGNEWNOTSYN" = ULOG ]; then
run_iptables -A newnotsyn -j ULOG \ run_iptables -A newnotsyn -j ULOG
--ulog-prefix "Shorewall:newnotsyn:DROP:" --ulog-prefix "Shorewall:newnotsyn:DROP:"
else else
run_iptables -A newnotsyn -j LOG \ run_iptables -A newnotsyn -j LOG \
@ -4432,6 +4471,10 @@ do_initialize() {
TCP_FLAGS_LOG_LEVEL= TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL= RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN= MARK_IN_FORWARD_CHAIN=
SHARED_DIR=/usr/lib/shorewall
FUNCTIONS=
VERSION_FILE=
stopping= stopping=
have_mutex= have_mutex=
masq_seq=1 masq_seq=1
@ -4445,31 +4488,35 @@ do_initialize() {
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9 trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
functions=/usr/lib/shorewall/functions if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
config=$SHOREWALL_DIR/shorewall.conf
if [ -f $functions ]; then
. $functions
else else
startup_error "$functions does not exist!" config=/etc/shorewall/shorewall.conf
fi
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2
fi fi
version_file=/usr/lib/shorewall/version FUNCTIONS=$SHARED_DIR/functions
[ -f $version_file ] && version=`cat $version_file` if [ -f $FUNCTIONS ]; then
# . $FUNCTIONS
# Strip the files that we use often else
# startup_error "$FUNCTIONS does not exist!"
strip_file interfaces fi
strip_file hosts
run_user_exit shorewall.conf VERSION_FILE=$SHARED_DIR/version
run_user_exit params
[ -f $VERSION_FILE ] && version=`cat $VERSION_FILE`
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
[ -d $STATEDIR ] || mkdir -p $STATEDIR [ -d $STATEDIR ] || mkdir -p $STATEDIR
[ -z "$FW" ] && FW=fw [ -z "$FW" ] && FW=fw
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
@ -4544,7 +4591,20 @@ do_initialize() {
[ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN` MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN`
[ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre
if [ -n "$TC_ENABLED" ]; then
CLEAR_TC=`added_param_value_yes CLEAR_TC $CLEAR_TC`
else
CLEAR_TC=
fi
run_user_exit params
#
# Strip the files that we use often
#
strip_file interfaces
strip_file hosts
} }
# #

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.3.12 VERSION=1.3.13
usage() # $1 = exit status usage() # $1 = exit status
{ {

67
STABLE/releasenotes.txt
View File

@ -2,39 +2,48 @@ This is a minor release of Shorewall that has a couple of new features.
New features include: New features include:
1) "shorewall refresh" now reloads the traffic shaping rules (tcrules 1) A new 'DNAT-' action has been added for entries in the
and tcstart). /etc/shorewall/rules file. DNAT- is intended for advanced users who
wish to minimize the number of rules that connection requests must
traverse.
A Shorewall DNAT rule actually generates two iptables rules: a
header rewriting rule in the 'nat' table and an ACCEPT rule in the
'filter' table. A DNAT- rule only generates the first of these
rules. This is handy when you have several DNAT rules that would
generate the same ACCEPT rule.
2) "shorewall debug [re]start" now turns off debugging after an error Here are three rules from my previous rules file:
occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it. DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
3) "shorewall [re]start" has been speeded up by more than 40% with These three rules ended up generating _three_ copies of
my configuration. Your milage may vary.
4) A "shorewall show classifiers" command has been added which shows ACCEPT net dmz:206.124.146.177 tcp smtp
the current packet classification filters. The output from this
command is also added as a separate page in "shorewall monitor"
5) ULOG (must be all caps) is now accepted as a valid syslog level and By writing the rules this way, I end up with only one copy of the
causes the subject packets to be logged using the ULOG target rather ACCEPT rule.
than the LOG target. This allows you to run ulogd (available from
www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
a separate log file.
6) If you are running a kernel that has a FORWARD chain in the mangle DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
table ("shorewall show mangle" will show you the chains in the DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
mangle table), you can set MARK_IN_FORWARD=Yes in ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
shorewall.conf. This allows for marking inbound packets based on
their destination even when you are using Masquerading or SNAT.
7) I have cluttered up the /etc/shorewall directory with empty 'init', 2) The 'shorewall check' command now prints out the applicable policy
'start', 'stop' and 'stopped' files. If you already have a file with between each pair of zones.
one of these names, don't worry -- the upgrade process won't
overwrite your file.
8) I have added a new RFC1918_LOG_LEVEL variable to 3. A new CLEAR_TC option has been added to shorewall.conf. If this
shorewall.conf. This variable specifies the syslog level at which option is set to 'No' then Shorewall won't clear the current
packets are logged as a result of entries in the traffic control rules during [re]start. This setting is intended
/etc/shorewall/rfc1918 file. Previously, these packets were always for use by people that prefer to configure traffic shaping when
logged at the 'info' level. the network interfaces come up rather than when the firewall
is started. If that is what you want to do, set TC_ENABLED=Yes and
CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
way, your traffic shaping rules can still use the 'fwmark'
classifier based on packet marking defined in /etc/shorewall/tcrules.
4. A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default
/usr/lib/shorewall). Users should never have a need to change the
value of this shorewall.conf setting.

4
STABLE/rules
View File

@ -24,6 +24,10 @@
# DNAT -- Forward the request to another # DNAT -- Forward the request to another
# system (and optionally another # system (and optionally another
# port). # port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# #

56
STABLE/shorewall
View File

@ -569,51 +569,65 @@ fi
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
functions=/usr/lib/shorewall/functions PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHARED_DIR=/usr/lib/shorewall
MUTEX_TIMEOUT=
if [ -f $functions ]; then if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
. $functions config=$SHOREWALL_DIR/shorewall.conf
else else
echo "$functions does not exist!" >&2 config=/etc/shorewall/shorewall.conf
fi
if [ -f $config ]; then
. $config
else
echo "$config does not exist!" >&2
exit 2 exit 2
fi fi
firewall=/usr/lib/shorewall/firewall [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
if [ ! -f $firewall ]; then FIREWALL=$SHARED_DIR/firewall
FUNCTIONS=$SHARED_DIR/functions
VERSION_FILE=$SHARED_DIR/version
if [ -f $FUNCTIONS ]; then
. $FUNCTIONS
else
echo "$FUNCTIONS does not exist!" >&2
exit 2
fi
if [ ! -f $FIREWALL ]; then
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
if [ -L $firewall ]; then if [ -L $FIREWALL ]; then
echo " $firewall is a symbolic link to a" echo " $FIREWALL is a symbolic link to a"
echo " non-existant file" echo " non-existant file"
else else
echo " The file /usr/lib/shorewall/firewall does not exist" echo " The file $FIREWALL does not exist"
fi fi
exit 2 exit 2
fi fi
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin if [ -f $VERSION_FILE ]; then
version=`cat $VERSION_FILE`
version_file=/usr/lib/shorewall/version
if [ -f $version_file ]; then
version=`cat $version_file`
else else
echo "ERROR: Shorewall is not properly installed" echo "ERROR: Shorewall is not properly installed"
echo " The file /usr/lib/shorewall/version does not exist" echo " The file $VERSION_FILE does not exist"
exit 1 exit 1
fi fi
banner="Shorewall-$version Status at $HOSTNAME -" banner="Shorewall-$version Status at $HOSTNAME -"
get_statedir
case `echo -e` in case `echo -e` in
-e*) -e*)
RING_BELL="echo \'\a\'" RING_BELL="echo \a"
;; ;;
*) *)
RING_BELL="echo -e \'\a\'" RING_BELL="echo -e \a"
;; ;;
esac esac
@ -629,11 +643,11 @@ esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
exec $firewall $debugging $nolock $1 exec $FIREWALL $debugging $nolock $1
;; ;;
add|delete) add|delete)
[ $# -ne 3 ] && usage 1 [ $# -ne 3 ] && usage 1
exec $firewall $debugging $nolock $1 $2 $3 exec $FIREWALL $debugging $nolock $1 $2 $3
;; ;;
show) show)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1

7
STABLE/shorewall.conf
View File

@ -9,6 +9,13 @@
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
############################################################################## ##############################################################################
# #
# You should not have to change the variables in this section -- they are set
# by the packager of your Shorewall distribution
#
SHARED_DIR=/usr/lib/shorewall
#
##############################################################################
#
# General note about log levels. Log levels are a method of describing # General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters # to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value. # in this file have log levels as their value.

4
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.3.12 %define version 1.3.13
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Mon Jan 13 2003 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.13
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net> * Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
- Changes version to 1.3.12 - Changes version to 1.3.12
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net> * Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.12 VERSION=1.3.13
usage() # $1 = exit status usage() # $1 = exit status
{ {