diff --git a/Lrp/etc/init.d/shorewall b/Lrp/etc/init.d/shorewall index 9c18802d7..be028befd 100755 --- a/Lrp/etc/init.d/shorewall +++ b/Lrp/etc/init.d/shorewall @@ -1565,7 +1565,13 @@ add_nat_rule() { # Replace destination port by the new destination port - [ -n "$servport" ] && dports="--dport ${servport#*:}" + if [ -n "$servport" ]; then + if [ -z "$multiport" ]; then + dports="--dport ${servport#*:}" + else + dports="--dports ${servport#*:}" + fi + fi # Handle SNAT @@ -1650,18 +1656,21 @@ add_a_rule() case $proto in tcp|udp|TCP|UDP|6|17) if [ -n "$port" -a "x${port}" != "x-" ]; then - [ -n "$multioption" ] && \ - [ "$port" != "${port%,*}" ] && \ + dports="--dport" + if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then multiport="$multioption" - dports="--dport $port" + dports="--dports" + fi + dports="$dports $ports" fi if [ -n "$cport" -a "x${cport}" != "x-" ]; then - [ -n "$multioption" ] && \ - [ -z "$multiport" ] && \ - [ "$cport" != "${cport%,*}" ] && \ + sports="--sport" + if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then multiport="$multioption" - sports="--sport $cport" + sports="--sports" + fi + sports="$sports $cport" fi ;; icmp|ICMP|1) @@ -2428,7 +2437,7 @@ setup_masq() if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then list_search $address $aliases_to_add || \ - aliases_to_add="$aliases_to_add $external $address" + aliases_to_add="$aliases_to_add $address $interface" fi destination=$destnet @@ -2778,7 +2787,8 @@ add_common_rules() { logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options - run_iptables -A badpkt -p !tcp -j LOG $logoptions + run_iptables -A badpkt -p tcp -j DROP # Workaround for iptables 1.2.7 + run_iptables -A badpkt -j LOG $logoptions fi run_iptables -A badpkt -j DROP @@ -2803,7 +2813,8 @@ add_common_rules() { logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options - run_iptables -A logpkt -p !tcp -j LOG $logoptions + run_iptables -A logpkt -p tcp -j RETURN # Workaround for iptables 1.2.7 + run_iptables -A logpkt -j LOG $logoptions echo "Mangled/Invalid Packet Logging enabled on:" @@ -2814,16 +2825,15 @@ add_common_rules() { echo " $interface" done fi + ########################################################################### + # PING + # + [ -n "$FORWARDPING" ] && \ + run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT ############################################################################ # Common ICMP rules # - icmpdef=`find_file icmpdef` - - if [ -f $icmpdef ]; then - . $icmpdef - else - . `find_file icmp.def` - fi + run_user_exit icmpdef ############################################################################ # Common rules in each chain # @@ -2838,7 +2848,6 @@ add_common_rules() { # BROADCASTS # drop_broadcasts `find_broadcasts` - ########################################################################### # RFC 1918 # @@ -3400,6 +3409,7 @@ do_initialize() { MERGE_HOSTS= MUTEX_TIMEOUT= LOGNEWNOTSYN= + FORWARDPING= stopping= have_mutex= masq_seq=1 @@ -3476,6 +3486,7 @@ do_initialize() { MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS` + FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` } ################################################################################ diff --git a/Lrp/etc/shorewall/common.def b/Lrp/etc/shorewall/common.def index e070a3101..cde58a555 100644 --- a/Lrp/etc/shorewall/common.def +++ b/Lrp/etc/shorewall/common.def @@ -8,7 +8,7 @@ # # Do not modify this file -- if you wish to change these rules, create # /etc/shorewall/common to replace it. It is suggested that you include -# the command "source /etc/shorewall/common.def" in your +# the command ". /etc/shorewall/common.def" in your # /etc/shorewall/common file so that you will continue to get the # advantage of new releases of this file. # @@ -18,13 +18,6 @@ run_iptables -A common -p icmp -j icmpdef # run_iptables -A common -m state -p tcp --state INVALID -j DROP ############################################################################ -# accept ACKs and RSTs that aren't related to any session so that the -# protocol stack can handle them and so the ACKs can create connection -# tracking entries. -# -run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT -run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT -############################################################################ # NETBIOS chatter # run_iptables -A common -p udp --dport 137:139 -j REJECT diff --git a/Lrp/etc/shorewall/icmp.def b/Lrp/etc/shorewall/icmp.def index 629b724d9..b6b39510b 100644 --- a/Lrp/etc/shorewall/icmp.def +++ b/Lrp/etc/shorewall/icmp.def @@ -1,22 +1,6 @@ ############################################################################## # Shorewall 1.3 /etc/shorewall/icmp.def # -# This file defines the default rules for accepting ICMP packets. +# This file is obsolete and is included for compatibility with existing +# icmpdef extension scripts that source it. # -# Do not modify this file -- if you wish to change these rules, create -# /etc/shorewall/icmpdef to replace it. It is suggested that you include -# the command "source /etc/shorewall/icmp.def" in your -# /etc/shorewall/icmpdef file so that you will continue to get the -# advantage of new releases of this file. -# -# For example, if you want to accept 'ping' everywhere then create -# /etc/shorewall/icmpdef with the following two lines: -# -# source /etc/shorewall/icmp.def -# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT -# -run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT -run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT -run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT -run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT -run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT diff --git a/Lrp/etc/shorewall/interfaces b/Lrp/etc/shorewall/interfaces index fb99fcf4e..eb20f46cd 100644 --- a/Lrp/etc/shorewall/interfaces +++ b/Lrp/etc/shorewall/interfaces @@ -12,20 +12,24 @@ # of a zone defined in /etc/shorewall/zones. # # If the interface serves multiple zones that will be -# defined in the /etc/shorewall/hosts file, you may +# defined in the /etc/shorewall/hosts file, you should # place "-" in this column. # -# INTERFACE Name of interface +# INTERFACE Name of interface. Each interface may be listed only +# once in this file. # # BROADCAST The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this -# column is left black. +# column is left black.If the interface has multiple +# addresses on multiple subnets then list the broadcast +# addresses as a comma-separated list. # # If you use the special value "detect", the firewall # will detect the broadcast address for you. If you # select this option, the interface must be up before -# the firewall is started and you must have iproute -# installed. +# the firewall is started, you must have iproute +# installed and the interface must only be associated +# with a single subnet. # # If you don't want to give a value for this column but # you want to enter a value in the OPTIONS column, enter diff --git a/Lrp/etc/shorewall/policy b/Lrp/etc/shorewall/policy index abee2aa0c..4b144d54e 100644 --- a/Lrp/etc/shorewall/policy +++ b/Lrp/etc/shorewall/policy @@ -18,7 +18,7 @@ # in /etc/shorewall/zones, $FW or "all" # # POLICY Policy if no match from the rules file is found. Must -# be "ACCEPT", "DENY", "REJECT" or "CONTINUE" +# be "ACCEPT", "DROP", "REJECT" or "CONTINUE" # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no diff --git a/Lrp/etc/shorewall/rfc1918 b/Lrp/etc/shorewall/rfc1918 index d3ef5954a..a2e066f49 100644 --- a/Lrp/etc/shorewall/rfc1918 +++ b/Lrp/etc/shorewall/rfc1918 @@ -45,13 +45,13 @@ 42.0.0.0/8 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved 60.0.0.0/8 logdrop # Reserved -69.0.0.0/8 logdrop # Reserved 70.0.0.0/7 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved 82.0.0.0/7 logdrop # Reserved 84.0.0.0/6 logdrop # Reserved 88.0.0.0/5 logdrop # Reserved 96.0.0.0/3 logdrop # Reserved +127.0.0.0/8 logdrop # Loopback 197.0.0.0/8 logdrop # Reserved 222.0.0.0/7 logdrop # Reserved 240.0.0.0/4 logdrop # Reserved diff --git a/Lrp/etc/shorewall/shorewall.conf b/Lrp/etc/shorewall/shorewall.conf index 5648b8642..1d84039ed 100644 --- a/Lrp/etc/shorewall/shorewall.conf +++ b/Lrp/etc/shorewall/shorewall.conf @@ -350,4 +350,12 @@ MUTEX_TIMEOUT=60 LOGNEWNOTSYN= +# +# Forward "Ping" +# +# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are +# forwarded by the firewall. + +FORWARDPING=Yes + #LAST LINE -- DO NOT REMOVE diff --git a/Lrp/var/lib/shorewall/version b/Lrp/var/lib/shorewall/version index 95b25aee2..3336003dc 100644 --- a/Lrp/var/lib/shorewall/version +++ b/Lrp/var/lib/shorewall/version @@ -1 +1 @@ -1.3.6 +1.3.7 diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt index cbd7403b1..9efc392c8 100644 --- a/STABLE/changelog.txt +++ b/STABLE/changelog.txt @@ -1,15 +1,26 @@ -Changes since 1.3.5 +Changes since 1.3.6 -1. REDIRECT rules are now working again. +1. Comments in the common.def file have been updated. -2. proxyarp option now works. +2. icmp.def deimplemented + +3. FORWARDPING implemented. + +4. Made MULTIPORT work with iptables 1.2.7 + +5. Corrected ADD_SNAT_ALIASES + +6. Work around iptables 1.2.7 protocol match bug. + +7. Remove themes from documentation and web site. + +8. Comments in the interfaces file improved. + +9. Typo in the policy file corrected. + +10. Loopback class A added to rfc1918. -3. It is once again possible to specify a host list in an - /etc/shorewall/hosts entry. -4. The lock file is now removed when the firewall script is killed by a - signal. -5. Implemented "new not SYN" dropping. diff --git a/STABLE/common.def b/STABLE/common.def index 50edd3471..cde58a555 100644 --- a/STABLE/common.def +++ b/STABLE/common.def @@ -8,7 +8,7 @@ # # Do not modify this file -- if you wish to change these rules, create # /etc/shorewall/common to replace it. It is suggested that you include -# the command "source /etc/shorewall/common.def" in your +# the command ". /etc/shorewall/common.def" in your # /etc/shorewall/common file so that you will continue to get the # advantage of new releases of this file. # diff --git a/STABLE/documentation/Documentation.htm b/STABLE/documentation/Documentation.htm index cf5ee7eaf..8964733a5 100644 --- a/STABLE/documentation/Documentation.htm +++ b/STABLE/documentation/Documentation.htm @@ -9,103 +9,112 @@ - + - -

Shorewall 1.3 Reference

+ + + + + +
+

Shorewall 1.3 Reference

+
-

This documentation is intended primarily for reference. +

This documentation is intended primarily for reference. Step-by-step instructions for configuring Shorewall in common setups may - be found in the QuickStart Guides.

+ be found in the QuickStart Guides.

-

Components

+

Components

Shorewall consists of the following components:

- - - - - - - - - - - - - - - - - - - - - - -
bullet +
    +
  • params -- a parameter file installed in + /etc/shorewall that can be used to establish the values of shell variables + for use in other files.
    • +
  • shorewall.conf -- a parameter file installed in /etc/shorewall - that is used to set several firewall parameters.
bullet + that is used to set several firewall parameters. +
  • zones - a parameter file installed in /etc/shorewall that defines - a network partitioning into "zones"
    • bullet + a network partitioning into "zones" +
  • policy -- a parameter file installed in /etc/shorewall/ that -establishes overall firewall policy.
    • bullet +establishes overall firewall policy. +
  • rules -- a parameter file installed in /etc/shorewall and used to express firewall rules that are exceptions to the high-level - policies established in /etc/shorewall/policy.
    • bulletblacklist -- a parameter file installed in /etc/shorewall and used - to list blacklisted IP/subnet/MAC addresses.
    bullet + policies established in /etc/shorewall/policy. +
  • blacklist -- a parameter file installed in /etc/shorewall and used + to list blacklisted IP/subnet/MAC addresses.
    • +
  • functions -- a set of shell functions used by both the firewall and shorewall shell programs. Installed in /etc/shorewall prior to version 1.3.2 - and in /var/lib/shorewall in later versions.
    • bullet + and in /var/lib/shorewall in later versions. +
  • modules -- a parameter file installed in /etc/shorewall and that specifies kernel modules and their parameters. Shorewall will automatically - load the modules specified in this file.
    • bullet + load the modules specified in this file. +
  • tos -- a parameter file installed in /etc/shorewall that is used to - specify how the Type of Service (TOS) field in packets is to be set.
    • bullet + specify how the Type of Service (TOS) field in packets is to be set. +
  • icmp.def -- a parameter file installed in /etc/shorewall and that specifies the default handling of ICMP packets when the applicable policy is - DROP or REJECT.
    • bulletcommon.def -- a parameter file installed in + DROP or REJECT. +
  • common.def -- a parameter file installed in in /etc/shorewall that defines firewall-wide rules that are applied before a - DROP or REJECT policy is applied.
    • bullet + DROP or REJECT policy is applied. +
  • interfaces -- a parameter file installed in /etc/shorewall/ and - used to describe the interfaces on the firewall system.
    • bullet + used to describe the interfaces on the firewall system. +
  • hosts -- a parameter file installed in /etc/shorewall/ and used - to describe individual hosts or subnetworks in zones.
    • bullet + to describe individual hosts or subnetworks in zones. +
  • masq - This file also describes IP masquerading under Shorewall - and is installed in /etc/shorewall.
    • bulletfirewall -- a shell program that reads the configuration files in + and is installed in /etc/shorewall. +
  • firewall -- a shell program that reads the configuration files in /etc/shorewall and configures your firewall. This file is installed in your init.d directory (/etc/rc.d/init.d ) where it is renamed shorewall.  /etc/shorewall/firewall (/var/lib/shorewall/firewall in version 1.3.2 and - later) is a symbolic link to this program.
    • bullet + later) is a symbolic link to this program. +
  • nat -- a parameter file in /etc/shorewall used to define static NAT - .
    • bullet + . +
  • proxyarp -- a parameter file in /etc/shorewall used to define Proxy Arp - .
    • bulletroutestopped -- a parameter file in + . +
  • routestopped -- a parameter file in /etc/shorewall used to define those hosts that can access the firewall when - Shorewall is stopped.
    • bullettcrules -- a parameter file in /etc/shorewall used to define rules for + Shorewall is stopped. +
  • tcrules -- a parameter file in /etc/shorewall used to define rules for classifying packets for Traffic - Shaping/Control.
    • bullet + Shaping/Control. +
  • tunnels -- a parameter file in /etc/shorewall used to define -IPSec tunnels.
    • bullet +IPSec tunnels. +
  • shorewall -- a shell program (requiring a Bourne shell or derivative) used to control and monitor the firewall. This should be placed in /sbin or in /usr/sbin -(the install.sh script and the rpm install this file in /sbin).
    • bullet +(the install.sh script and the rpm install this file in /sbin). +
  • version -- a file created in /etc/shorewall/ (/var/lib/shorewall in version 1.3.2 and later) that describes -the version of  Shorewall installed on your system.
    • +the version of  Shorewall installed on your system. + -

    - /etc/shorewall/params

    +

    + /etc/shorewall/params

    You may use the file /etc/shorewall/params file to set shell variables that you can then use in some of the other @@ -117,90 +126,72 @@ Shorewall programs

    Example:

    -
    -

    NET_IF=eth0
    - NET_BCAST=130.252.100.255
    - NET_OPTIONS=noping,norfc1918

    -
    - -


    - Example (/etc/shorewall/interfaces record):

    - - - -
    -

    net $NET_IF $NET_BCAST $NET_OPTIONS

    -
    - -     - -

    The result will be the same as if the record had been written

    - - - -
    -

    net eth0 130.252.100.255 noping,norfc1918

    -
    - -     - -

    Variables may be used anywhere in the + 

     	NET_IF=eth0
+	NET_BCAST=130.252.100.255
+	NET_OPTIONS=noping,norfc1918
    +

    Example (/etc/shorewall/interfaces record):

    + 
    	net $NET_IF $NET_BCAST $NET_OPTIONS
    +

    The result will be the same as if the record had been written

    + 
    	net eth0 130.252.100.255 noping,norfc1918
    +

    Variables may be used anywhere in the other configuration files.

    -

    - /etc/shorewall/zones

    +

    + /etc/shorewall/zones

    This file is used to define the network zones. There is one entry in /etc/shorewall/zones for each zone; Columns in an entry are:

    -     - - - -
    bullet +
      +
    • ZONE - short name for the zone. The name should be 5 characters or less in length and consist of lower-case letters or numbers. Short names must begin with a letter and the name assigned to the firewall is reserved for use by Shorewall itself. Note that the output produced by iptables is much easier to read if you select short names that -are three characters or less in length.
    bullet - DISPLAY - The name of the zone as displayed during Shorewall startup.
    bullet +are three characters or less in length. The name "all" may not be used as + a zone name nor may the zone name assigned to the firewall itself via the FW + variable in /etc/shorewall/shorewall.conf. +
  • + DISPLAY - The name of the zone as displayed during Shorewall startup.
    • +
  • COMMENTS - Any comments that you want to make about the zone. Shorewall - ignores these comments.
    • + ignores these comments. +

    The /etc/shorewall/zones file released with Shorewall is as follows:

    -     +
    - - - + + + - - - + + + - - - + + + - - - + + + -
    - ZONE - DISPLAY - COMMENTS + ZONE + DISPLAY + COMMENTS
    netNetInternetnetNetInternet
    locLocalLocal networkslocLocalLocal networks
    dmzDMZDemilitarized zonedmzDMZDemilitarized zone
    +

    You may add, delete and modify entries in the /etc/shorewall/zones file as desired so long as you have at least one zone defined.

    @@ -214,30 +205,35 @@ rather than "shorewall restart".

    order of entries in the /etc/shorewall/zones file is significant in some cases.

    -

    - /etc/shorewall/interfaces

    +

    + /etc/shorewall/interfaces

    This file is used to tell the firewall which of your firewall's network interfaces are connected to which zone. There will be one entry in /etc/shorewall/interfaces for each of your interfaces. Columns in an entry are:

    - - - - - -
    bullet +
    bullet - INTERFACE - the name of the interface (examples: eth0, ppp0, ipsec+)
    bullet - BROADCAST - the broadcast address for the sub-network attached to the - interface. This should be left empty for P-T-P interfaces (ppp*, ippp*); - if you need to specify options for such an interface, enter "-" in -this column. If you supply the special value "detect" in this column, -the firewall will automatically determine the broadcast address. Note -that to use this feature, you must have iproute installed and the interface - must be up before you start your firewall. 
    bullet + file to define the zones accessed via this interface. +
  • + INTERFACE - the name of the interface (examples: eth0, ppp0, ipsec+)
    • +
  • + BROADCAST - the broadcast address(es) for the sub-network(s) attached to the + interface. This should be left empty for P-T-P interfaces (ppp*, ippp*); if + you need to specify options for such an interface, enter "-" in this column. + If you supply the special value "detect" in this column, the firewall will + automatically determine the broadcast address. In order to use "detect":
      +
    • you must have iproute installed
      • +
    • the interface must be up before you start your firewall
      • +
    • the interface must only be attached to + a single sub-network (i.e., there must have a single broadcast address). 
      • +
    + +
    • +
  • OPTIONS - a comma-separated list of options. Possible options include:

    blacklist - This option causes incoming packets on this @@ -350,8 +346,8 @@ appropriate forwarding rule.

    not set this option if you are implementing Proxy ARP through entries in /etc/shorewall/proxyarp.

    -
    • + +

    Example 1: You have a conventional firewall setup in which eth0 connects to a @@ -361,65 +357,91 @@ Cable or DSL modem and eth1 connects to your local network and eth0 gets against the black list. Your /etc/shorewall/interfaces file would be as follows:

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + -
    - ZONE - INTERFACE - BROADCAST - OPTIONS + ZONE + INTERFACE + BROADCAST + OPTIONS
    neteth0detectdhcp,noping,norfc1918,blacklistneteth0detectdhcp,noping,norfc1918,blacklist
    loceth1detectroutestoppedloceth1detect 
    +

    Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces file would be:

    - +
    - - - - + + + + - - + + - - + + -
    - ZONE - INTERFACE - BROADCAST - OPTIONS + ZONE + INTERFACE + BROADCAST + OPTIONS
    netppp0netppp0    
    + -

    - /etc/shorewall/hosts Configuration

    +

    Example 3: You have local interface eth1 with two IP + addresses - 192.168.1.1/24 and 192.168.12.1/24

    + +
    + + + + + + + + + + + + + + + +
    + ZONE + INTERFACE + BROADCAST + OPTIONS
    loceth1192.168.1.255,192.168.12.255 
    +
    + +

    + /etc/shorewall/hosts Configuration

    For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though @@ -438,14 +460,14 @@ Cable or DSL modem and eth1 connects to your local network and eth0 gets file are:

    -     - - -
    bullet +
    bullet + file. +
  • HOST(S) - The name of a network interface followed by a colon (":") - followed by either:
    • + followed by either: +
    @@ -464,11 +486,11 @@ file are:

    -     - -
    bullet +
      +
    • OPTIONS - A comma-separated list of options. Currently only a single - option is defined:
    + option is defined: +
    @@ -506,43 +528,43 @@ able to access without adding additional rules.

    groups of local hosts that you want to make into separate zones:

    -     - - -
    bullet192.168.1.0/25 
    bullet192.168.1.128/25
    +

    Your /etc/shorewall/interfaces file might look like:

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + -
    - ZONE - INTERFACE - BROADCAST - OPTIONS + ZONE + INTERFACE + BROADCAST + OPTIONS
    neteth0detectdhcp,noping,norfc1918neteth0detectdhcp,noping,norfc1918
    -eth1detect -eth1detect 
    +

    The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces @@ -552,41 +574,41 @@ able to access without adding additional rules.

    Your /etc/shorewall/hosts file might look like:

    - +
    - - - + + + - - + + - + - - - + + + -
    - ZONE - HOST(S) - OPTIONS + ZONE + HOST(S) + OPTIONS
    loc1eth1:192.168.1.0/25loc1eth1:192.168.1.0/25   
    loc2eth1:192.168.1.128/25routestoppedloc2eth1:192.168.1.128/25routestopped
    +

    Hosts in 'loc2' can communicate with the firewall while Shorewall is stopped -- those in 'loc1' cannot.

    -

    - Nested and Overlapping Zones

    +

    + Nested and Overlapping Zones

    The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow you @@ -603,8 +625,8 @@ one zone may be managed by the rules of all of those zones. This is done throug use of the special CONTINUE policy described below.

    -

    - /etc/shorewall/policy Configuration.

    +

    + /etc/shorewall/policy Configuration.

    This file is used to describe the firewall policy regarding establishment of connections. Connection establishment @@ -621,20 +643,20 @@ applies to a particular connection request then the policy from /etc/shorewal

    Four policies are defined:

    -     - - - - -
    bullet - ACCEPT - The connection is allowed.
    bullet - DROP - The connection request is ignored.
    bullet +
      +
    • + ACCEPT - The connection is allowed.
      • +
    • + DROP - The connection request is ignored.
      • +
    • REJECT - The connection request is rejected with an RST (TCP) or an ICMP destination-unreachable - packet being returned to the client.
    bullet + packet being returned to the client. +
  • CONTINUE - The connection is neither ACCEPTed, DROPped nor REJECTed. CONTINUE may be used when one or both of the zones named in the entry are sub-zones of or intersect with another zone. For more information, see - below. 
    • + below.  +

    For each policy specified in /etc/shorewall/policy, you can indicate @@ -690,60 +712,60 @@ zones. The policy file installed by default is as follows:

    - +
    - - - - - + + + + + - - - + + + - + - + - - - - - + + + + + - - - - - + + + + + -
    SOURCEDEST - POLICY - LOG LEVELLIMIT:BURSTSOURCEDEST + POLICY + LOG LEVELLIMIT:BURST
    locnetACCEPTlocnetACCEPT     
    netallDROPinfo netallDROPinfo 
    allallREJECTinfo allallREJECTinfo 
    +

    This table may be interpreted as follows:

    -     - - - -
    bulletAll connection requests from the local network to hosts on the internet - are accepted.
    bulletAll connection requests originating from the internet are ignored and - logged at level KERNEL.INFO.
    bulletAll other connection requests are rejected and logged.
    +

    WARNING:

    @@ -753,45 +775,45 @@ from top to bottom and uses the first applicable policy that it finds. connections would be ACCEPT as specified in the first entry even though the third entry in the file specifies REJECT.

    - +
    - - - - - + + + + + - - - + + + - - + + - - - - - + + + + + - - - - - + + + + + -
    SOURCEDESTPOLICYLOG LEVELLIMIT:BURSTSOURCEDESTPOLICYLOG LEVELLIMIT:BURST
    locallACCEPTlocallACCEPT     
    netallDROPinfo netallDROPinfo 
    loclocREJECTinfo loclocREJECTinfo 
    -

    - The CONTINUE policy

    + +

    + The CONTINUE policy

    Where zones are nested or overlapping , the CONTINUE policy allows hosts that are within multiple zones to be @@ -799,98 +821,98 @@ managed under the rules of all of these zones. Let's look at an example:

    /etc/shorewall/zones:

    - +
    - - - + + + - - - + + + - - - + + + - - - + + + -
    - ZONE - DISPLAY - COMMENTS + ZONE + DISPLAY + COMMENTS
    samSamSam's system at homesamSamSam's system at home
    netInternetThe InternetnetInternetThe Internet
    locLocLocal NetworklocLocLocal Network
    +

    /etc/shorewall/interfaces:

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + -
    - ZONE - INTERFACE - BROADCAST - OPTIONS + ZONE + INTERFACE + BROADCAST + OPTIONS
    -eth0detectdhcp,noping,norfc1918-eth0detectdhcp,noping,norfc1918
    loceth1detectroutestoppedloceth1detectroutestopped
    +

    /etc/shorewall/hosts:

    - +
    - - - + + + - - + + - + - - - + + + -
    - ZONE - HOST(S) - OPTIONS + ZONE + HOST(S) + OPTIONS
    neteth0:0.0.0.0/0neteth0:0.0.0.0/0   
    sameth0:206.191.149.197routestoppedsameth0:206.191.149.197routestopped
    +

    Note that Sam's home system is a member of both the sam zone and the net zone and @@ -899,51 +921,51 @@ the net zone and + - - - - + + + + - - - + + + - + - - - + + + - + - - - - + + + + - - - - + + + + -
    - SOURCE - DEST - POLICY - LOG LEVEL + SOURCE + DEST + POLICY + LOG LEVEL
    locnetACCEPTlocnetACCEPT   
    samallCONTINUEsamallCONTINUE   
    netallDROPinfonetallDROPinfo
    allallREJECTinfoallallREJECTinfo
    +

    The second entry above says that when Sam is the client, connection requests should first be process under rules where the source zone is sam and @@ -953,66 +975,66 @@ if there is no match then the connection request should be treated under

    Partial /etc/shorewall/rules:

    - +
    - - - - - - - + + + + + + + - + - - - - - - + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    ......             
    DNATsamloc:192.168.1.3tcpssh- DNATsamloc:192.168.1.3tcpssh- 
    DNATnetloc:192.168.1.5tcpwww- DNATnetloc:192.168.1.5tcpwww- 
    ...      ...      
    +

    Given these two rules, Sam can connect to the firewall's internet interface with ssh and the connection request will be forwarded to 192.168.1.3. Like @@ -1031,72 +1053,72 @@ if there is no match then the connection request should be treated under

     

    -     +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - + - - - - - - + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
                  
    ......             
    DNATsamfwtcpssh- DNATsamfwtcpssh- 
    DNATnet!samloc:192.168.1.3tcpssh- DNATnet!samloc:192.168.1.3tcpssh- 
    ...      ...      
    +

    The first rule allows Sam SSH @@ -1113,8 +1135,8 @@ if there is no match then the connection request should be treated under the ACTION is REDIRECT.

    -

    - /etc/shorewall/rules

    +

    + /etc/shorewall/rules

    The /etc/shorewall/rules file @@ -1124,24 +1146,24 @@ if there is no match then the connection request should be treated under

    Entries in the file have the following columns:

    -     - - - - - - - -
    bulletACTION - - - -
    bulletACCEPT, DROP or REJECT. These have the same meaning here as in the - policy file above.
    bulletDNAT -- Causes the connection request to be forwarded to the system +
      +
    • ACTION
        +
      • ACCEPT, DROP or REJECT. These have the same meaning here as in the + policy file above.
        • +
      • DNAT -- Causes the connection request to be forwarded to the system specified in the DEST column (port forwarding). "DNAT" stands for "Destination - Network Address Translation"
    bulletREDIRECT -- Causes the connection request to be redirected to a port on - the local (firewall) system.
    + Network Address Translation" +
  • REDIRECT -- Causes the connection request to be redirected to a port on + the local (firewall) system.
    • +

    The ACTION may optionally be followed by ":" and a syslogd log level (example: REJECT:info). This causes the packet to be logged at the specified level prior to being processed according to the specified ACTION.

    The use of DNAT or REDIRECT requires that you have NAT enabled.

    bulletSOURCE - Describes the source hosts to which the rule applies.. The contents of this field must begin +  +
  • SOURCE - Describes the source hosts to which the rule applies.. The contents of this field must begin with the name of a zone defined in /etc/shorewall/zones or $FW. If the ACTION is DNAT or REDIRECT, sub-zones may be excluded from the rule by following the initial zone name with "!' and a comma-separated list of those @@ -1150,28 +1172,28 @@ if there is no match then the connection request should be treated under The source may be further restricted by adding a colon (":") followed by a comma-separated list of qualifiers. Qualifiers are may include: - - - - - -
    bulletAn interface name - refers to any connection requests arriving on - the specified interface (example loc:eth4).
    bulletAn IP address - refers to a connection request from the host with - the specified address (example net:155.186.235.151)
    bulletA MAC Address in Shorewall format.
    bulletA subnet - refers to a connection request from any host in the specified - subnet (example net:155.186.235.0/24).
    -
    • bulletDEST - Describes the destination host(s) to which the rule applies. May take any of the forms described +
      +
    • An interface name - refers to any connection requests arriving on + the specified interface (example loc:eth4).
      • +
    • An IP address - refers to a connection request from the host with + the specified address (example net:155.186.235.151)
      • +
    • A MAC Address in Shorewall format.
      • +
    • A subnet - refers to a connection request from any host in the specified + subnet (example net:155.186.235.0/24).
      • +
    + +
  • DEST - Describes the destination host(s) to which the rule applies. May take any of the forms described above for SOURCE plus the following two additional forms: - - - -
    bulletAn IP address followed by a colon and the port number that +
      +
    • An IP address followed by a colon and the port number that the server is listening on (service names from /etc/services are not - allowed - example loc:192.168.1.3:80). 
    bulletA single port number (again, service names are not allowed) -- this form is only allowed + allowed - example loc:192.168.1.3:80).  +
  • A single port number (again, service names are not allowed) -- this form is only allowed if the ACTION is REDIRECT and refers to a server running on the firewall itself and - listening on the specified port.
    • -
    • bullet + listening on the specified port. + + +
  • PROTO - Protocol. Must be a protocol name from /etc/protocols, a number, "all" or "related". Specifies the protocol of the connection request. "related" should be specified only if you @@ -1179,8 +1201,8 @@ if there is no match then the connection request should be treated under you wish to override that setting for related connections originating with the client(s) and server(s) specified in this rule. When "related" is given for the protocol, the remainder of the columns should be left - blank.
    • bullet + blank. +
  • DEST PORT(S) - Port or port range (<low port>:<high port>) being connected to. May only be specified if the protocol is tcp, udp or icmp. For icmp, this column's contents @@ -1188,16 +1210,16 @@ with the client(s) and server(s) specified in this rule. When "related" but need to include information in one of the columns to the right, enter "-" in this column. You may give a list of ports and/or port ranges separated by commas. Port numbers may be either integers or service names - from /etc/services.
    • bullet + from /etc/services. +
  • SOURCE PORTS(S) - May be used to restrict the rule to a particular client port or port range (a port range is specified as <low port number>:<high port number>). If you don't want to restrict client ports but want to specify something in the next column, enter "-" in this column. If you wish to specify a list of port number or ranges, separate the list elements with commas (with no embedded white space). Port numbers may be - either integers or service names from /etc/services.
    • bulletORIGINAL DEST - This column may only be non-empty if the ACTION is DNAT + either integers or service names from /etc/services. +
  • ORIGINAL DEST - This column may only be non-empty if the ACTION is DNAT or REDIRECT.

    @@ -1231,8 +1253,8 @@ with the client(s) and server(s) specified in this rule. When "related" If SNAT is not used (no ":" and second IP address), the original source address is used. If you want any destination address to match the rule but want to specify SNAT, simply use a colon followed by the SNAT - address.
    • + address. +

    @@ -1242,38 +1264,38 @@ with the client(s) and server(s) specified in this rule. When "related" internet to local system 192.168.1.3. 

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    DNATnetloc:192.168.1.3tcpssh  DNATnetloc:192.168.1.3tcpssh  
    +

    Example 2. You want to redirect all local www connection requests EXCEPT @@ -1290,47 +1312,47 @@ with the client(s) and server(s) specified in this rule. When "related" redirected to local port 3128.

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    REDIRECTloc3128tcpwww !206.124.146.177REDIRECTloc3128tcpwww !206.124.146.177
    ACCEPTfwnettcpwww  ACCEPTfwnettcpwww  
    +

    Example 3. You want to run a web server at 155.186.235.222 in your @@ -1338,49 +1360,49 @@ DMZ and have it accessible remotely and locally. the DMZ is managed by Proxy ARP or by classical sub-netting.

    - +
    - - - - - - - + + + + + + + - - - - - - + + + + + + - + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    ACCEPTnetdmz:155.186.235.222tcpwww-ACCEPTnetdmz:155.186.235.222tcpwww-   
    ACCEPTlocdmz:155.186.235.222tcpwww  ACCEPTlocdmz:155.186.235.222tcpwww  
    +

    Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded @@ -1406,49 +1428,49 @@ Proxy ARP or by classical sub-netting.

    .

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - + + + + + - + - + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    DNATnetdmz:192.168.2.2tcpftp  DNATnetdmz:192.168.2.2tcpftp  
    DNATloc:192.168.1.0/24dmz:192.168.2.2tcpftpDNATloc:192.168.1.0/24dmz:192.168.2.2tcpftp -- 155.186.235.151155.186.235.151
    +

    If you are running @@ -1482,34 +1504,34 @@ is unique and will not overlap with any usage on the firewall system.

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    ACCEPTloc:~02-00-08-E3-FA-55dmzall   ACCEPTloc:~02-00-08-E3-FA-55dmzall   
    +
    @@ -1518,8 +1540,8 @@ is unique and will not overlap with any usage on the firewall system.

    -

    - /etc/shorewall/common

    +

    + /etc/shorewall/common

    Shorewall allows @@ -1554,8 +1576,8 @@ is unique and will not overlap with any usage on the firewall system.

    stopped.

    -

    - /etc/shorewall/masq

    +

    + /etc/shorewall/masq

    The /etc/shorewall/masq @@ -1566,13 +1588,13 @@ use of this feature, you must have NAT enabled

    Columns are:

    -     - - - -
    bullet +
      +
    • INTERFACE - The interface that will masquerade the subnet; this is normally your internet interface. This interface name can be optionally qualified by adding ":" and a subnet or host IP. When this qualification - is added, only packets addressed to that host or subnet will be masqueraded.
    bullet + is added, only packets addressed to that host or subnet will be masqueraded. +
  • SUBNET - The subnet that you want to have masqueraded through the INTERFACE. This may be expressed as a single IP address, a subnet or an interface name. In the latter instance, the interface must be configured and @@ -1581,13 +1603,13 @@ use of this feature, you must have NAT enabled
    The subnet may be optionally followed by "!' and a comma-separated list of addresses and/or subnets that are to be - excluded from masquerading.
    • bulletADDRESS - The source address to be used + excluded from masquerading. +
  • ADDRESS - The source address to be used for outgoing packets. This column is optional and if left blank, the current primary IP address of the interface in the first column is used. If you have a static IP on that interface, listing it here makes processing of output - packets a little less expensive for the firewall.
    • + packets a little less expensive for the firewall. +

    Example 1: You have eth0 connected to a cable modem and eth1 connected @@ -1595,26 +1617,26 @@ use of this feature, you must have NAT enabled would look like:    

    - +
    - - - + + + - - - + + + -
    - INTERFACE - SUBNETADDRESS + INTERFACE + SUBNETADDRESS
    eth0192.168.9.0/24 eth0192.168.9.0/24 
    +

    Example 2: You have a number of IPSEC tunnels through ipsec0 and @@ -1622,26 +1644,26 @@ you want to masquerade traffic from your 192.168.9.0/24 subnet to the remote subnet 10.1.0.0/16 only.

    - +
    - - - + + + - - - + + + -
    - INTERFACE - SUBNETADDRESS + INTERFACE + SUBNETADDRESS
    ipsec0:10.1.0.0/16192.168.9.0/24 ipsec0:10.1.0.0/16192.168.9.0/24 
    +

    Example 3: You have a DSL line connected on eth0 and a local network @@ -1653,22 +1675,22 @@ remote subnet 10.1.0.0/16 only.

    206.124.146.176.

    - +
    - - - + + + - - - + + + -
    - INTERFACE - SUBNETADDRESS + INTERFACE + SUBNETADDRESS
    eth0192.168.10.0/24206.124.146.176eth0192.168.10.0/24206.124.146.176
    +

    Example 4: @@ -1681,26 +1703,26 @@ remote subnet 10.1.0.0/16 only.

    - +
    - - - + + + - - - + + + -
    - INTERFACE - SUBNETADDRESS + INTERFACE + SUBNETADDRESS
    eth0192.168.10.0/24!192.168.10.44,192.168.10.45206.124.146.176eth0192.168.10.0/24!192.168.10.44,192.168.10.45206.124.146.176
    +
    -

    - /etc/shorewall/proxyarp

    +

    + /etc/shorewall/proxyarp

    If you want to @@ -1740,16 +1762,16 @@ remote subnet 10.1.0.0/16 only.

    this file for each system using proxy ARP. Columns are:

    -     - - - - -
    bullet - ADDRESS - address of the system.
    bullet +
      +
    • + ADDRESS - address of the system.
      • +
    • INTERFACE - the interface that connects to the system. If the interface -is obvious from the subnetting, you may enter "-" in this column.
    bullet +is obvious from the subnetting, you may enter "-" in this column. +
  • EXTERNAL - the external interface that you want to honor ARP requests - for the ADDRESS specified in the first column.
    • bulletHAVEROUTE - If + for the ADDRESS specified in the first column. +
  • HAVEROUTE - If you already have a route through INTERFACE to @@ -1766,8 +1788,8 @@ is obvious from the subnetting, you may enter "-" in this column.
    • + "no". +

    Note: After you have made a change to the /etc/shorewall/proxyarp file, you may need to flush the ARP cache of all routers on the LAN segment connected to the interface specified in the EXTERNAL @@ -1787,11 +1809,11 @@ is obvious from the subnetting, you may enter "-" in this column. - - - -
    bulleteth0 - 155.186.235.1 (internet connection)
    bulleteth1 - 192.168.9.0/24 (masqueraded local systems)
    bulleteth2 - 192.168.10.1 (interface to your DMZ)
    +

      +
    • eth0 - 155.186.235.1 (internet connection)
      • +
    • eth1 - 192.168.9.0/24 (masqueraded local systems)
      • +
    • eth2 - 192.168.10.1 (interface to your DMZ)
      • +

    In your DMZ, you want to install a Web/FTP server with public address @@ -1800,29 +1822,29 @@ and you configure 155.186.235.1 as the default gateway. In your /etc/shorewa file, you will have:

    - +
    - - - - + + + + - - - - + + + + -
    - ADDRESS - INTERFACE - EXTERNALHAVEROUTE + ADDRESS + INTERFACE + EXTERNALHAVEROUTE
    155.186.235.4eth2eth0No155.186.235.4eth2eth0No
    +

    Note: You may want to configure the servers in your DMZ with a subnet @@ -1847,8 +1869,8 @@ ARP Subnet Mini HOWTO ( - /etc/shorewall/nat +

    + /etc/shorewall/nat

    The /etc/shorewall/nat @@ -1890,16 +1912,16 @@ use of this feature, you must have NAT enabled

    Columns in an entry are:

    -     - - - - - -
    bullet +
      +
    • EXTERNAL - External IP address - This should NOT be the primary IP - address of the interface named in the next column.
    bullet + address of the interface named in the next column. +
  • INTERFACE - Interface that you want the EXTERNAL IP address to appear - on.
    • bullet - INTERNAL - Internal IP address.
    bulletALL + on. +
  • + INTERNAL - Internal IP address.
    • +
  • ALL INTERFACES - If Yes or yes (or @@ -1925,19 +1947,19 @@ in an entry are:

    Note:     If two or more NATed systems are connected to the same firewall interface and you want them to be able to communicate using their EXTERNAL IP addresses, then you will want to specify the multi option in the - /etc/shorewall/interface entry for that interface.
    • bulletLOCAL - If Yes or yes and the ALL INTERFACES column contains Yes + /etc/shorewall/interface entry for that interface. +
  • LOCAL - If Yes or yes and the ALL INTERFACES column contains Yes or yes, NAT will be effective from the firewall system. Note: For this to work, you must be running kernel 2.4.19 or later and iptables 1.2.6a or later and you must have enabled  CONFIG_IP_NF_NAT_LOCAL in your - kernel.
    • + kernel. +

    Look here for additional information and an example.

    -

    - /etc/shorewall/tunnels

    +

    + /etc/shorewall/tunnels

    The /etc/shorewall/tunnels file allows you to define IPSec, GRE and IPIP tunnels @@ -1957,13 +1979,19 @@ a development snapshot as patching with version 1.9 results in kernel compilat tunnels under Shorewall.

    -

    - /etc/shorewall/shorewall.conf

    +

    + /etc/shorewall/shorewall.conf

    This file is used to set the following firewall parameters:

    -     - -
    bulletLOGNEWNOTSYN - Added in Version 1.3.6
    +
      +
    • FORWARDPING - Added in Version 1.3.7
      + When set to "Yes" or "yes", ICMP echo-request (ping) packets from interfaces + that specify "filterping" are ACCEPTed by the firewall. When set to "No" or + "no", such ping requests are silently dropped unless they are handled by an + explicit entry in the rules file. If not specified, "No" + is assumed.
      • +
    • LOGNEWNOTSYN - Added in Version 1.3.6
      Beginning with version 1.3.6, Shorewall drops non-SYN TCP packets that are not part of an existing connection. If you would like to log these packets, set LOGNEWNOTSYN to the syslog level at which you want the packets logged. @@ -1972,8 +2000,8 @@ a development snapshot as patching with version 1.9 results in kernel compilat Note: Packets logged under this option are usually the result of broken remote IP stacks rather than the result of any sort of attempt to breach your firewall.
    bulletMERGE_HOSTS - Added in Version 1.3.5
    +  +
  • MERGE_HOSTS - Added in Version 1.3.5
    Prior to 1.3.5, when the /etc/shorewall/hosts file included an entry for a zone then the entire zone had to be defined in the /etc/shorewall/hosts file and any associations between the zone and @@ -1988,61 +2016,61 @@ a development snapshot as patching with version 1.9 results in kernel compilat Example:

    Interfaces File:
    - - - - + + + + - - - - + + + + - - - - + + + + -
    ZONEHOSTSBROADCASTOPTIONSZONEHOSTSBROADCASTOPTIONS
    loceth1-dhcploceth1-dhcp
    -ppp+  -ppp+  
    +


    • Hosts File:
     

    -     +
    - - + + - - + + -
    ZONEHOSTSZONEHOSTS
    locppp+:192.168.12.0/24locppp+:192.168.12.0/24
    +


    With MERGE_HOSTS=No, the loc zone consists of only ppp+:192.168.12.0/24; with MERGE_HOSTS=Yes, it includes eth1:0.0.0.0/0 and ppp+:192.168.12.0/24.
     - bulletMULTIPORT - Added in Version 1.3.2
    +  +

  • MULTIPORT - Added in Version 1.3.2
    If set to "Yes" or "yes", Shorewall will use the Netfilter multiport facility. In order to use this facility, your kernel must have multiport support (CONFIG_IP_NF_MATCH_MULTIPORT). When this support is used, Shorewall will generate a single rule from each record in the /etc/shorewall/rules file that meets these criteria:
     - - -
    bulletNo port range(s) specified
    bulletSpecifies 15 or fewer ports
      +
    • No port range(s) specified
      • +
    • Specifies 15 or fewer ports
      • +

    Rules not meeting those criteria will continue to generate an individual - rule for each listed port or port range. - bulletNAT_BEFORE_RULES
    + rule for each listed port or port range.

    • +
  • NAT_BEFORE_RULES
    If set to "No" or "no", port forwarding rules can override the contents of the /etc/shorewall/nat file. If set to "Yes" or "yes", port forwarding rules cannot override static NAT. If not set or set to an - empty value, "Yes" is assumed.     - bulletFW
    + empty value, "Yes" is assumed.
    • +
  • FW
    This parameter specifies the @@ -2053,8 +2081,8 @@ a development snapshot as patching with version 1.9 results in kernel compilat empty string, the value "fw" - is assumed.     - bulletSUBSYSLOCK
    + is assumed.
    • +
  • SUBSYSLOCK
    This parameter should be set to the name of a file that the firewall should create if it starts successfully and remove when it stops. Creating and removing this file allows Shorewall to work with your distribution's @@ -2062,8 +2090,8 @@ a development snapshot as patching with version 1.9 results in kernel compilat For Debian, the value is /var/state/shorewall and in LEAF it is /var/run/shorwall. Example: - SUBSYSLOCK=/var/lock/subsys/shorewall.     - bullet + SUBSYSLOCK=/var/lock/subsys/shorewall.
    • +
  • STATEDIR
    This parameter specifies the name of a directory where Shorewall stores state information. If the directory doesn't exist when Shorewall @@ -2071,20 +2099,23 @@ starts, it will create the directory. Example: STATEDIR=/tmp/shorewall. NOTE: If you change the STATEDIR variable while the firewall is running, create the new directory if necessary then copy the contents of the - old directory to the new directory.     - bullet + old directory to the new directory.
    • +
  • ALLOWRELATED
    This parameter must be assigned the value "Yes" ("yes") or "No" ("no") and specifies whether Shorewall allows connection requests that are related to an already allowed connection. If you say "No" ("no"), you can still override this setting by including "related" rules in - /etc/shorewall/rules ("related" given as the protocol).     - bullet + /etc/shorewall/rules ("related" given as the protocol). If you specify + ALLOWRELATED=No, you will need to include rules in + /etc/shorewall/icmpdef to + handle common ICMP packet types.
    • +
  • MODULESDIR
    This parameter specifies the directory where your kernel netfilter modules may be found. If you leave the variable empty, Shorewall will - supply the value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.     - bullet + supply the value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.
    • +
  • LOGRATE and LOGBURST
    These parameters set the match rate and initial burst size for logged packets. Please see the iptables man page for a description of the behavior @@ -2095,8 +2126,8 @@ you can still override this setting by including "related" rules in Example:
        LOGRATE=10/minute
        LOGBURST=5
     - bulletLOGFILE
    • +
  • LOGFILE
    This parameter tells the /sbin/shorewall @@ -2117,8 +2148,8 @@ you can still override this setting by including "related" rules in an empty value, /var/log/messages - is assumed.     - bulletNAT_ENABLED
    + is assumed.
    • +
  • NAT_ENABLED
    This parameter determines whether Shorewall supports NAT operations. NAT operations include:

    @@ -2131,8 +2162,8 @@ you can still override this setting by including "related" rules in then NAT is enabled. If the parameter has a value of "no" or "No" then NAT is disabled.
    -     - bullet +
    • +
  • MANGLE_ENABLED
    This parameter determines if packet mangling is enabled. If the parameter has no value or has a value of "Yes" or "yes" than @@ -2140,8 +2171,8 @@ parameter has no value or has a value of "Yes" or "yes" than or "No" then packet mangling is disabled. If packet mangling is disabled, the /etc/shorewall/tos file is ignored.
    -     - bullet +
    • +
  • IP_FORWARDING
    This parameter determines whether Shorewall enables or disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward). Possible values @@ -2155,8 +2186,8 @@ IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward). Possible values If this variable is not set or is given an empty value (IP_FORWARD="") then IP_FORWARD=On is assumed.
    -     - bulletADD_IP_ALIASES
    +
    • +
  • ADD_IP_ALIASES
    This parameter determines whether Shorewall automatically adds the external address(es) in /etc/shorewall/nat @@ -2166,8 +2197,8 @@ these aliases yourself using your distribution's network configuration tools.

    If this variable is not set or is given an empty value (ADD_IP_ALIASES="") - then ADD_IP_ALIASES=Yes is assumed.     - bulletADD_SNAT_ALIASES
    + then ADD_IP_ALIASES=Yes is assumed.
    • +
  • ADD_SNAT_ALIASES
    This parameter determines whether Shorewall automatically adds the SNAT ADDRESS in /etc/shorewall/masq. If the variable is set to "Yes" or "yes" then Shorewall automatically adds these addresses. If @@ -2176,8 +2207,8 @@ tools.

    If this variable is not set or is given an empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.
    -     - bulletLOGUNCLEAN
    +
    • +
  • LOGUNCLEAN
    This parameter determines the logging level @@ -2208,8 +2239,8 @@ tools.
    the specified level (Example: - LOGUNCLEAN=debug).     - bulletBLACKLIST_DISPOSITION
    + LOGUNCLEAN=debug).
    • +
  • BLACKLIST_DISPOSITION
    This parameter determines the disposition of @@ -2234,8 +2265,8 @@ tools.
    you assign an empty value then DROP is - assumed.     - bulletBLACKLIST_LOGLEVEL
    + assumed.
    • +
  • BLACKLIST_LOGLEVEL
    This paremter determines if packets from @@ -2260,8 +2291,8 @@ tools.
    from blacklisted hosts are not - logged.     - bulletCLAMPMSS
    + logged.
    • +
  • CLAMPMSS
    This parameter enables the TCP Clamp MSS @@ -2292,17 +2323,17 @@ tools.
    requires CONFIG_IP_NF_TARGET_TCPMSS in - your kernel.     - bulletROUTE_FILTER
    + your kernel.
    • +
  • ROUTE_FILTER
    If this parameter is given the value "Yes" or "yes" then route filtering (anti-spoofing) is - enabled on all network interfaces. The default value is "no".     - + enabled on all network interfaces. The default value is "no".
    • + -

    - /etc/shorewall/modules Configuration

    +

    + /etc/shorewall/modules Configuration

    The file @@ -2403,8 +2434,8 @@ so, then the following command is executed:

    -

    - /etc/shorewall/tos Configuration

    +

    + /etc/shorewall/tos Configuration

    @@ -2421,8 +2452,8 @@ by Shorewall, you must have mangle support enabled -     - - - - - - -
    bullet +
      +
    • SOURCE -- The source zone. May be qualified by following the zone name with a colon (":") and either an IP address, an IP subnet, a MAC address in Shorewall Format or the @@ -2430,25 +2461,25 @@ by Shorewall, you must have mangle support enabled zone to indicate packets originating on the firewall itself or "all" to indicate any - source.
    bullet + source. +
  • DEST -- The destination zone. May be qualified by following the zone name with a colon (":") and either an IP address or an IP subnet. Because packets are marked prior to routing, you may not specify the name of an interface. This column may also contain  "all" to indicate - any destination.
    • bullet + any destination. +
  • PROTOCOL -- The name of a protocol in /etc/protocols or the protocol's - number.
    • bullet + number. +
  • SOURCE PORT(S) -- The source port or a port range. For all ports, place - a hyphen ("-") in this column.
    • bullet + a hyphen ("-") in this column. +
  • DEST PORT(S)  -- The destination port or a port range. To indicate - all ports, place a hyphen ("-") in this column.
    • bullet - TOS -- The type of service. Must be one of the following:
    + all ports, place a hyphen ("-") in this column. +
  • + TOS -- The type of service. Must be one of the following:
    • +
    @@ -2468,65 +2499,65 @@ by Shorewall, you must have mangle support enabled
    - +
    - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + @@ -2535,12 +2566,12 @@ by Shorewall, you must have mangle support enabled +
    SOURCEDESTPROTOCOLSOURCE
    - PORT(S)    		DEST PORT(S)TOSSOURCEDESTPROTOCOLSOURCE
    + PORT(S)    		DEST PORT(S)TOS
    allalltcp-ssh16allalltcp-ssh16
    allalltcpssh-16allalltcpssh-16
    allalltcp-ftp16allalltcp-ftp16
    allalltcpftp-16allalltcpftp-16
    allalltcp-ftp-data8allalltcp-ftp-data8
    allalltcpftp-data-8allalltcpftp-data-8

    WARNING: Users have reported that odd routing problems result from adding the ESP and AH protocols to the /etc/shorewall/tos file.

    -

    /etc/shorewall/blacklist

    +

    /etc/shorewall/blacklist

    Each line @@ -2555,8 +2586,8 @@ by Shorewall, you must have mangle support enabled - 

          130.252.100.69
-      206.124.146.0/24
    + 
          130.252.100.69
+      206.124.146.0/24

    Packets from @@ -2604,7 +2635,7 @@ by Shorewall, you must have mangle support enabled/etc/shorewall/rfc1918 (Added in Version 1.3.1) +

    /etc/shorewall/rfc1918 (Added in Version 1.3.1)

    @@ -2612,19 +2643,19 @@ by Shorewall, you must have mangle support enabled     - - -
    bulletSUBNET - The subnet using VLSM notation (e.g., 192.168.0.0/16).
    bulletTARGET - What to do with packets to/from the SUBNET: - - - -
    bulletRETURN - Process the packet normally thru the rules and policies.
    bulletDROP - Silently drop the packet.
    bulletlogdrop - Log then drop the packet.
    -
    +
      +
    • SUBNET - The subnet using VLSM notation (e.g., 192.168.0.0/16).
      • +
    • TARGET - What to do with packets to/from the SUBNET:
        +
      • RETURN - Process the packet normally thru the rules and policies.
        • +
      • DROP - Silently drop the packet.
        • +
      • logdrop - Log then drop the packet.
        • +
      +
      • +
    -

    25. /etc/shorewall/routestopped (Added in Version 1.3.4)

    +

    25. /etc/shorewall/routestopped (Added in Version 1.3.4)

    @@ -2632,10 +2663,10 @@ by Shorewall, you must have mangle support enabled     - - -
    bulletINTERFACE - The firewall interface through which the host(s) comminicate with the firewall.
    bulletHOST(S) - (Optional) - A comma-separated list of IP/Subnet addresses. If not supplied or supplied as "-" then 0.0.0.0/0 is assumed.
    +
      +
    • INTERFACE - The firewall interface through which the host(s) comminicate with the firewall.
      • +
    • HOST(S) - (Optional) - A comma-separated list of IP/Subnet addresses. If not supplied or supplied as "-" then 0.0.0.0/0 is assumed.
      • +
    @@ -2644,26 +2675,26 @@ by Shorewall, you must have mangle support enabled -     +
    - - + + - - + + - - + + -
    INTERFACEHOST(S)INTERFACEHOST(S)
    eth2192.168.1.0/24eth2192.168.1.0/24
    eth1-eth1-
    +

    - Updated 8/6/2002 - Tom + Updated 8/22/2002 - Tom Eastep

    @@ -2678,4 +2709,4 @@ Eastep -     \ No newline at end of file + \ No newline at end of file diff --git a/STABLE/documentation/Documentation_Index.htm b/STABLE/documentation/Documentation_Index.htm new file mode 100644 index 000000000..60fcdafc8 --- /dev/null +++ b/STABLE/documentation/Documentation_Index.htm @@ -0,0 +1,28 @@ + + + + + + + +The Documentation Index + + + + +

    The Shorewall Documentation Index

    +

    has Moved +Here

    + +

    +Last updated 8/9/2002 + - + Tom Eastep +

    +

    + Copyright + © 2001, 2002 Thomas M. Eastep.

    + + + + diff --git a/STABLE/documentation/FAQ.htm b/STABLE/documentation/FAQ.htm index 3a6ae602f..caaaa7527 100644 --- a/STABLE/documentation/FAQ.htm +++ b/STABLE/documentation/FAQ.htm @@ -6,187 +6,194 @@ Shorewall FAQ - + - + -

    Shorewall FAQs

    -

    About Shorewall

    -
    -

    Why do you call it "Shorewall"?

    -

    What distributions does it work with?

    -

    What features does it support?

    -

    Why isn't there a GUI?

    -
    -

    Filtering

    -
    -

    I'm connected via a cable modem and it has an -internel web server that allows me to configure/monitor it but as expected if I -enable rfc1918 blocking for my eth0 interface, it also blocks the cable modems -web server.

    -

    Even though it assigns public IP addresses, my -ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my -external interface, my DHCP client cannot renew its lease.

    -

    I just used an online port scanner to check my -firewall and it shows some ports as 'closed' rather than 'blocked'. Why?

    -

    I just ran an nmap UDP scan of my firewall and -it showed 100s of ports as open!!!!

    -
    -

    Port Forwarding

    -
    -

    I want to forward UDP port 7777 to my my personal PC with IP -address 192.168.1.5. I've looked everywhere and can't find how to do it.

    -

    Ok -- I followed those instructions but it -doesn't work.

    -

    I port forward www requests to www.mydomain.com (IP -130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse -http://www.mydomain.com but internal clients can't.

    -

    I have a zone "Z" with an RFC1918 subnet and I -use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot -communicate with each other using their external (non-RFC1918 addresses) so they -can't access each other using their DNS names.

    -
    -

    Applications

    -
    -

    I want to use Netmeeting with Shorewall. What do I do?

    -
    -

    Connection Problems

    -
    -

    I've installed Shorewall and now I can't ping through the -firewall

    -

    My local systems can't see out to the net

    -
    -

    Logging

    -
    -

    Where are the log messages written and  -how do I change the destination?

    -

    Shorewall is writing log messages all over my -console making it unusable!

    -

    Are there any log parsers that work with -Shorewall?

    -
    -

    Starting and stopping the firewall

    -
    -

    When I stop Shorewall using 'shorewall stop', -I can't connect to anything. Why doesn't that command work?

    -

    When I try to start Shorewall on RedHat 7.x, I + + + + +
    +

    Shorewall FAQs

    +
    + +

    1.  I want to forward UDP +port 7777 to my my personal PC with IP address 192.168.1.5. I've looked +everywhere and can't find how to do it.

    +

    1a. Ok -- I followed those instructions +but it doesn't work.

    +

    2. I port forward www requests to www.mydomain.com (IP +130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse +http://www.mydomain.com but internal clients can't.

    +

    2a. I have a zone "Z" with an RFC1918 +subnet and I use static NAT to assign non-RFC1918 addresses to hosts in +Z. Hosts in Z cannot communicate with each other using their external +(non-RFC1918 addresses) so they can't access each other using their DNS +names.

    + +

    3. I want to use Netmeeting with +Shorewall. What do I do?

    +

    4. I just used an online port scanner to +check my firewall and it shows some ports as 'closed' rather than 'blocked'. +Why?

    +

    4a. I just ran an nmap UDP scan +of my firewall and it showed 100s of ports as open!!!!

    +

    5. I've installed Shorewall and now I +can't ping through the firewall

    + +

    6. Where are the log messages +written and  how do I change the destination?

    + +

    6a. Are there any log parsers +that work with Shorewall?

    + +

    7. When I stop Shorewall using +'shorewall stop', I can't connect to anything. Why doesn't that command +work?

    + +

    8. When I try to start Shorewall on RedHat 7.x, I get messages about insmod failing -- what's wrong?

    -

    Why can't Shorewall detect my interfaces -properly?

    -
    -

    Design

    -
    -

    Why does Shorewall only accept IP addresses as + +

    9. Why does Shorewall only accept IP addresses as opposed to FQDNs?

    + +

    10. What distributions does it +work with?

    + +

    11. What features does it +support?

    + +

    12. Why isn't there a GUI

    + +

    13. Why do you call it "Shorewall"?

    +

    14. I'm connected via a cable modem and it has an internel +web server that allows me to configure/monitor it but as expected if I enable +rfc1918 blocking for my eth0 interface, it also blocks the cable modems +web server.

    +

    14a. Even though it assigns public IP +addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 +filtering on my external interface, my DHCP client cannot renew its lease.

    + +

    15. My local systems can't see out to +the net

    + +

    16. Shorewall is writing log messages +all over my console making it unusable!

    + +

    17. Why can't Shorewall detect my +interfaces properly?

    +
    +

     

    -

    -

    1. I want to forward UDP port 7777 to my my personal PC with IP -address 192.168.1.5. I've looked everywhere and can't find how to do it.

    +
    +

    1. I want to forward UDP port 7777 to my my personal PC with IP +address 192.168.1.5. I've looked everywhere and can't find how to do it.

    Answer: The first example in the rules file documentation shows how to do port forwarding under Shorewall. Assuming that you have a dynamic external IP address, the format of a port-forwarding rule to a local system is as follows:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATnetloc:<local IP address>[:<local port>]<protocol><port #>  DNATnetloc:<local IP address>[:<local port>]<protocol><port #>  
    +

    So to forward UDP port 7777 to internal system 192.168.1.5, the rule is:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATnetloc:192.168.1.5udp7777  DNATnetloc:192.168.1.5udp7777  
    +
    -
         DNAT net loc:192.168.1.5 udp 7777
    +
         DNAT net loc:192.168.1.5 udp 7777

    If you want to forward requests directed to a particular address ( <external IP> ) on your firewall to an internal system:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATnetloc:<local IP address>[:<local port>]<protocol><port #>-<external IP>DNATnetloc:<local IP address>[:<local port>]<protocol><port #>-<external IP>
    +
    -

    1a. Ok -- I followed those instructions but -it doesn't work

    +

    1a. Ok -- I followed those instructions but +it doesn't work

    Answer: That is usually the result of one of two things:

    -     - - -
    bulletYou are trying to test from inside your firewall (no, that -won't work -- see FAQ #2).
    bulletYou have a more basic problem with your local system such as an +
      +
    • You are trying to test from inside your firewall (no, that +won't work -- see FAQ #2).
      • +
    • You have a more basic problem with your local system such as an incorrect default gateway configured (it should be set to the IP address of your -firewall's internal interface).
    -

    2. I port forward www requests to www.mydomain.com (IP +firewall's internal interface). + +

    2. I port forward www requests to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse -http://www.mydomain.com but internal clients can't.

    +http://www.mydomain.com but internal clients can't.

    Answer: I have two objections to this setup.

    -     - - -
    bulletHaving an internet-accessible server in your local network +
      +
    • Having an internet-accessible server in your local network is like raising foxes in the corner of your hen house. If the server is compromised, there's nothing between that server and your other internal systems. For the cost of another NIC and a cross-over cable, you can put your server in a DMZ such that it is isolated from your local systems - - assuming that the Server can be located near the Firewall, of course :-)
    bulletThe accessibility problem is best solved using + assuming that the Server can be located near the Firewall, of course :-) +
  • The accessibility problem is best solved using Bind Version 9 "views" (or using a separate DNS server for local clients) such that www.mydomain.com resolves to 130.141.100.69 externally and 192.168.1.5 internally. That's what I do here at - shorewall.net for my local systems that use static NAT.
    • + shorewall.net for my local systems that use static NAT. +

    If you insist on an IP solution to the accessibility problem rather than a DNS solution, then assuming that your external interface is eth0 and your internal interface is eth1 @@ -197,30 +204,30 @@ for eth1.

    b) In /etc/shorewall/rules, add:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
    +
    -
         DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254
    +
         DNAT    loc:192.168.1.0/24    loc:192.168.1.5    tcp    www    -    130.151.100.69:192.168.1.254

    That rule only works of course if you have a static external IP @@ -228,42 +235,42 @@ address. If you have a dynamic IP address and are running Shorewall 1.3.4 or later then include this in /etc/shorewall/params:

    -
         ETH0_IP=`find_interface_address eth0`
    +
         ETH0_IP=`find_interface_address eth0`

    and make your DNAT rule:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
    DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
    +

    Using this technique, you will want to configure your DHCP/PPPoE client to automatically restart Shorewall each time that you get a new IP address.

    -

    2a. I have a zone "Z" with an RFC1918 subnet and I +

    2a. I have a zone "Z" with an RFC1918 subnet and I use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot communicate with each other using their external (non-RFC1918 addresses) so they -can't access each other using their DNS names.

    +can't access each other using their DNS names.

    Answer: This is another problem that is best solved using Bind Version 9 "views". It allows both external and internal clients to access a NATed host using the host's DNS name.

    @@ -283,63 +290,63 @@ Interface: eth2
    Subnet: 192.168.2.0/24

    In /etc/shorewall/interfaces:

    - +
    - - - - + + + + - - - - + + + + -
    ZONEINTERFACEBROADCASTOPTIONSZONEINTERFACEBROADCASTOPTIONS
    dmzeth2192.168.2.255multidmzeth2192.168.2.255multi
    +

    In /etc/shorewall/policy:

    - +
    - - - - + + + + - - - - + + + + -
    SOURCE DESTINATIONPOLICYLIMIT:BURSTSOURCE DESTINATIONPOLICYLIMIT:BURST
    dmzdmzACCEPT dmzdmzACCEPT 
    +
    -
         dmz    dmz    ACCEPT
    +
         dmz    dmz    ACCEPT

    In /etc/shorewall/masq:

    - +
    - - - + + + - - - + + + -
    INTERFACE SUBNETADDRESSINTERFACE SUBNETADDRESS
    eth2192.168.2.0/24 eth2192.168.2.0/24 
    +
    -

    3. I want to use Netmeeting with Shorewall. What do I do?

    +

    3. I want to use Netmeeting with Shorewall. What do I do?

    Answer: There is an H.323 connection tracking/NAT module that may help. Also check the Netfilter mailing list archives at http://netfilter.samba.org.

    -

    4. I just used an online port scanner to +

    4. I just used an online port scanner to check my firewall and it shows some ports as 'closed' rather than 'blocked'. - Why?

    + Why?

    Answer: The common.def included with version 1.3.x always rejects connection requests on TCP port 113 rather than dropping them. This is @@ -355,8 +362,8 @@ Also check the Netfilter mailing list archives at 4a. I just ran an nmap UDP scan of my - firewall and it showed 100s of ports as open!!!! +

    4a. I just ran an nmap UDP scan of my + firewall and it showed 100s of ports as open!!!!

    Answer: Take a deep breath and read the nmap man page section about UDP scans. If nmap gets nothing back from your firewall then it reports @@ -364,8 +371,8 @@ Also check the Netfilter mailing list archives at 5. I've installed Shorewall and now I can't ping through the -firewall +

    5. I've installed Shorewall and now I can't ping through the +firewall

    Answer: If you want your firewall to be totally open for "ping":

    a) Do NOT specify 'noping' on any interface in @@ -376,8 +383,8 @@ c) Add the following to /etc/shorewall/icmpdef:

    run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT

    -

    6. Where are the log messages written -and  how do I change the destination?

    +

    6. Where are the log messages written +and  how do I change the destination?

    Answer: NetFilter uses the kernel's equivalent of syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility (see "man openlog") and you get to choose the log level (again, see @@ -390,11 +397,11 @@ syslogd (on a RedHat system, "service syslog restart").

    settings in /etc/shorewall/shorewall.conf -- If you want to log all messages, set:

    -
         LOGLIMIT=""
-     LOGBURST=""
    +
         LOGLIMIT=""
+     LOGBURST=""
    -

    6a. Are there any log parsers that work -with Shorewall?

    +

    6a. Are there any log parsers that work +with Shorewall?

    Answer: Here are several links that may be helpful:

    @@ -402,33 +409,33 @@ http://www.shorewall.net/pub/shorewall/parsefw/
    http://www.fireparse.com
    http://cert.uni-stuttgart.de/projects/fwlogwatch

    -

    7. When I stop Shorewall using 'shorewall -stop', I can't connect to anything. Why doesn't that command work?

    +

    7. When I stop Shorewall using 'shorewall +stop', I can't connect to anything. Why doesn't that command work?

    The 'stop' command is intended to place your firewall into a safe state whereby only those interfaces/hosts having the 'routestopped' option in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want to totally open up your firewall, you must use the 'shorewall clear' command.

    -

    8. When I try to start Shorewall on RedHat -7.x, I get messages about insmod failing -- what's wrong?

    +

    8. When I try to start Shorewall on RedHat +7.x, I get messages about insmod failing -- what's wrong?

    Answer: The output you will see looks something like this:

    -
         /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
+
         /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
      Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
      /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
      /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
      /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
      iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
-     Perhaps iptables or your kernel needs to be upgraded.
    
+     Perhaps iptables or your kernel needs to be upgraded.

    This is usually cured by the following sequence of commands:

    -
         service ipchains stop
+
         service ipchains stop
      chkconfig --delete ipchains
-     rmmod ipchains
    
+     rmmod ipchains

    Also, be sure to check the errata for problems concerning the version of iptables (v1.2.3) shipped with RH7.2.

    -

    9. Why does Shorewall only accept IP -addresses as opposed to FQDNs?

    Answer: FQDNs in iptables rules +

    9. Why does Shorewall only accept IP +addresses as opposed to FQDNs?

    Answer: FQDNs in iptables rules aren't nearly as useful as they first appear. When a DNS name appears in a rule, the iptables utility resolves the name to one or more IP addresses and inserts those addresses into the rule. So change in the DNS->IP address relationship @@ -436,71 +443,71 @@ that occur after the firewall has started have absolutely no effect on the firewall's ruleset.

    I'm also trying to protect people from themselves. If your firewall rules include FQDN's then:

    -     - - - - -
    bulletIf your /etc/resolv.conf is wrong then your firewall won't - start.
    bulletIf your /etc/nsswitch.conf is wrong then your firewall won't - start.
    bulletIf your Name Server(s) is(are) down then your firewall won't - start.
    bulletFactors totally outside your control (your ISP's router is - down for example), can prevent your firewall from starting.
    -

    10. What Distributions does it work - with?

    +
      +
    • If your /etc/resolv.conf is wrong then your firewall won't + start.
      • +
    • If your /etc/nsswitch.conf is wrong then your firewall won't + start.
      • +
    • If your Name Server(s) is(are) down then your firewall won't + start.
      • +
    • Factors totally outside your control (your ISP's router is + down for example), can prevent your firewall from starting.
      • +
    +

    10. What Distributions does it work + with?

    Shorewall works with any GNU/Linux distribution that includes - the proper prerequisites.

    11. What Features does it have?

    + the proper prerequisites.

    11. What Features does it have?

    Answer: See the Shorewall Feature - List.

    12. Why isn't there a GUI?

    + List.

    12. Why isn't there a GUI?

    Answer: Every time I've started to work on one, I find myself doing other things. I guess I just don't care enough if Shorewall has a GUI to invest the effort to create one myself. There are several Shorewall GUI projects underway however and I will publish links to them when the authors - feel that they are ready.

    -13. Why do you call it "Shorewall"?

    + feel that they are ready.

    +13. Why do you call it "Shorewall"?

    Answer: Shorewall is a concatenation of "Shoreline" (the - city where I live) and "Firewall".

    + city where I live) and "Firewall".

    14.  I'm connected via a cable modem and it has an internal web server that allows me to configure/monitor it but as expected if I enable rfc1918 blocking for my eth0 interface (the internet one), it also blocks -the cable modems web server.

    +the cable modems web server.

    Is there any way it can add a rule before the rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address of the modem in/out but still block all other rfc1918 addresses.

    Answer: If you are running a version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and in it, place the following:

    - 
         run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT
    + 
         run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT

    If you are running version 1.3.1 or later, simply add the following to /etc/shorewall/rfc1918:

    - +
    - - + + - - + + -
    SUBNET TARGETSUBNET TARGET
    192.168.100.1RETURN192.168.100.1RETURN
    +

    Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.

    -

    14a. Even though it assigns public IP +

    14a. Even though it assigns public IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 - filtering on my external interface, my DHCP client cannot renew its lease.

    + filtering on my external interface, my DHCP client cannot renew its lease.

    The solution is the same as FAQ 14 above. Simply substitute the IP address of your ISPs DHCP server.

    -

    15. My local systems can't see out to the -net

    +

    15. My local systems can't see out to the +net

    Answer: Every time I read "systems can't see out to the net", I wonder where the poster bought computers with eyes and what those computers will "see" @@ -522,20 +529,20 @@ problem are:

    -

    16. Shorewall is writing log messages all -over my console making it unusable!

    +

    16. Shorewall is writing log messages all +over my console making it unusable!

    Answer: "man dmesg" -- add a suitable 'dmesg' command to your startup scripts or place it in /etc/shorewall/start.

    -

    17. Why can't Shorewall detect my - interfaces properly?

    +

    17. Why can't Shorewall detect my + interfaces properly?

    I just installed Shorewall and when I issue the start command, I see the following:

    - 
         Processing /etc/shorewall/shorewall.conf ...
+  
         Processing /etc/shorewall/shorewall.conf ...
      Processing /etc/shorewall/params ...
      Starting Shorewall...
      Loading Modules...
@@ -549,23 +556,22 @@ over my console making it unusable!
      Local Zone: eth1:0.0.0.0/0
      Deleting user chains...
      Creating input Chains...
-     ...
    
+     ...

    Why can't Shorewall detect my interfaces properly?

    Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local - zone is defined as all hosts connected through eth1. -

    + zone is defined as all hosts connected through eth1.

    Last updated -7/31/2002 - Tom +8/15/2002 - Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/GnuCopyright.htm b/STABLE/documentation/GnuCopyright.htm index 7d39fb81b..9edd1c7ae 100644 --- a/STABLE/documentation/GnuCopyright.htm +++ b/STABLE/documentation/GnuCopyright.htm @@ -6,18 +6,23 @@ Copyright - - + -

    GNU Free Documentation License

    + + + + +
    +

    GNU Free Documentation License

    +

    Version 1.1, March 2000

    -
    Copyright (C) 2000  Free Software Foundation, Inc.
+
    Copyright (C) 2000  Free Software Foundation, Inc.
 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
-
    
+

    0. PREAMBLE

    The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective @@ -130,55 +135,55 @@ of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

     

    -     - - - - - - - - - - - - - - -
    bulletA. Use in the Title Page (and on the covers, if any) a +
      +
    • A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original - publisher of that version gives permission.
    bulletB. List on the Title Page, as authors, one or more + publisher of that version gives permission. +
  • B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the - Document (all of its principal authors, if it has less than five).
    • bulletC. State on the Title page the name of the publisher of - the Modified Version, as the publisher.
    bulletD. Preserve all the copyright notices of the Document. -
    bulletE. Add an appropriate copyright notice for your - modifications adjacent to the other copyright notices.
    bulletF. Include, immediately after the copyright notices, a + Document (all of its principal authors, if it has less than five). +
  • C. State on the Title page the name of the publisher of + the Modified Version, as the publisher.
    • +
  • D. Preserve all the copyright notices of the Document. +
    • +
  • E. Add an appropriate copyright notice for your + modifications adjacent to the other copyright notices.
    • +
  • F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under - the terms of this License, in the form shown in the Addendum below.
    • bulletG. Preserve in that license notice the full lists of + the terms of this License, in the form shown in the Addendum below. +
  • G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license - notice.
    • bulletH. Include an unaltered copy of this License.
    bulletI. Preserve the section entitled "History", and its + notice. +
  • H. Include an unaltered copy of this License.
    • +
  • I. Preserve the section entitled "History", and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous - sentence.
    • bulletJ. Preserve the network location, if any, given in the + sentence. +
  • J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives - permission.
    • bulletK. In any section entitled "Acknowledgements" or + permission. +
  • K. In any section entitled "Acknowledgements" or "Dedications", preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or - dedications given therein.
    • bulletL. Preserve all the Invariant Sections of the Document, + dedications given therein. +
  • L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent - are not considered part of the section titles.
    • bulletM. Delete any section entitled "Endorsements". Such a - section may not be included in the Modified Version.
    bulletN. Do not retitle any existing section as "Endorsements" - or to conflict in title with any Invariant Section.
    + are not considered part of the section titles. +
  • M. Delete any section entitled "Endorsements". Such a + section may not be included in the Modified Version.
    • +
  • N. Do not retitle any existing section as "Endorsements" + or to conflict in title with any Invariant Section.
    • +

    If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To @@ -272,6 +277,6 @@ does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

     

    -     + \ No newline at end of file diff --git a/STABLE/documentation/IPIP.htm b/STABLE/documentation/IPIP.htm index a2b2a84bb..c8c0e7a75 100644 --- a/STABLE/documentation/IPIP.htm +++ b/STABLE/documentation/IPIP.htm @@ -5,13 +5,18 @@ GRE/IPIP Tunnels - - -

    GRE and IPIP Tunnels

    -

    Warning: GRE and IPIP Tunnels are insecure when used -over the internet; use them at your own risk

    + + + + + +
    +

    GRE and IPIP Tunnels

    +
    +

    Warning: GRE and IPIP Tunnels are insecure when used +over the internet; use them at your own risk

    GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks. GRE tunnels were introduced in shorewall version 1.2.0_Beta2.

    The simple scripts described in the Linux Advanced Routing @@ -19,9 +24,10 @@ and Shaping HOWTO work fine with Shorewall. Shorewall also includes a tunnel script for automating tunnel configuration. If you have installed the RPM, the tunnel script may be found in the Shorewall documentation directory (usually /usr/share/doc/shorewall-<version>/).

    -

    Bridging two Masqueraded Networks

    +

    Bridging two Masqueraded Networks

    Suppose that we have the following situation:

    -

    +

    +

    We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file @@ -39,37 +45,37 @@ parameter to the type of tunnel that you want to create.

    On system A, the 10.0.0.0/8 will comprise the gw zone. In /etc/shorewall/interfaces:

    - +
    - - - - + + + + - - - - + + + + -
    ZONEINTERFACEBROADCASTOPTIONSZONEINTERFACEBROADCASTOPTIONS
    gwtosysb10.255.255.255 gwtosysb10.255.255.255 
    +

    In /etc/shorewall/tunnels on system A, we need the following:

    - +
    - - - - + + + + - - - - + + + + -
    TYPEZONEGATEWAYGATEWAY ZONETYPEZONEGATEWAYGATEWAY ZONE
    ipipnet134.28.54.2 ipipnet134.28.54.2 
    +

    This entry in /etc/shorewall/tunnels, opens the firewall so that the IP encapsulation protocol (4) will be accepted to/from the remote gateway.

    @@ -85,37 +91,37 @@ encapsulation protocol (4) will be accepted to/from the remote gateway.

    Similarly, On system B the 192.168.1.0/24 subnet will comprise the gw zone. In /etc/shorewall/interfaces:

    - +
    - - - - + + + + - - - - + + + + -
    ZONEINTERFACEBROADCASTOPTIONSZONEINTERFACEBROADCASTOPTIONS
    gwtosysa192.168.1.255 gwtosysa192.168.1.255 
    +

    In /etc/shorewall/tunnels on system B, we have:

    - +
    - - - - + + + + - - - - + + + + -
    TYPEZONEGATEWAYGATEWAY ZONETYPEZONEGATEWAYGATEWAY ZONE
    ipipnet206.191.148.9 ipipnet206.191.148.9 
    +

    And in the tunnel script on system B:

    @@ -135,28 +141,28 @@ secured so that root can execute them.

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + -
    SOURCEDESTPOLICYLOG LEVELSOURCEDESTPOLICYLOG LEVEL
    locgwACCEPT locgwACCEPT 
    gwlocACCEPT gwlocACCEPT 
    +

    On both systems, restart Shorewall and run the modified tunnel script with the "start" argument on each @@ -167,6 +173,6 @@ Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    - + \ No newline at end of file diff --git a/STABLE/documentation/IPSEC.htm b/STABLE/documentation/IPSEC.htm index 1124ff916..fee400531 100644 --- a/STABLE/documentation/IPSEC.htm +++ b/STABLE/documentation/IPSEC.htm @@ -10,11 +10,16 @@ - - - -

    IPSEC Tunnels

    -

    Configuring FreeS/Wan

    + + + + + + +
    +

    IPSEC Tunnels

    +
    +

    Configuring FreeS/Wan

    There is an excellent guide to configuring IPSEC tunnels at http://jixen.tripod.com . I highly recommend that you consult that site for information about confuring @@ -31,18 +36,18 @@ FreeS/Wan.

         qt service ipsec stop

    In /etc/shorewall/start, include:

        qt service ipsec start

    -

    +

    IPSec Gateway on the Firewall System -

    +

    Suppose that we have the following sutuation:

    - +

    @@ -65,109 +70,129 @@ adding an entry to the /etc/shorewall/tunnels file.

    on system A, we need the following 

    - +
    - - - - + + + + - - - - + + + + -
    - TYPE - ZONE - GATEWAY - GATEWAY ZONE + TYPE + ZONE + GATEWAY + GATEWAY ZONE
    ipsecnet134.28.54.2 ipsecnet134.28.54.2 
    +

    In /etc/shorewall/tunnels on system B, we would have:

    - +
    - - - - + + + + - - - - + + + + -
    - TYPE - ZONE - GATEWAY - GATEWAY ZONE + TYPE + ZONE + GATEWAY + GATEWAY ZONE
    ipsecnet206.161.148.9 ipsecnet206.161.148.9 
    + + +

    You need to define a zone for the remote subnet or include + it in your local zone. In this example, we'll assume that you have created a + zone called "vpn" to represent the remote subnet.

    + +
    + + + + + + + + + + + + +
    ZONEDISPLAYCOMMENTS
    vpnVPNRemote Subnet
    +

    At both -systems, ipsec0 would be included in /etc/shorewall/interfaces as a "gw" +systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn" interface:

    - +
    - - - - + + + + - - - - + + + + -
    - ZONE - INTERFACE - BROADCAST - OPTIONS + ZONE + INTERFACE + BROADCAST + OPTIONS
    gwipsec0  vpnipsec0  
    + -

    You will need to allow traffic between the "gw" zone and +

    You will need to allow traffic between the "vpn" zone and the "loc" zone -- if you simply want to admit all traffic in both directions, you can use the policy file:

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + -
    SOURCEDESTPOLICYLOG LEVELSOURCEDESTPOLICYLOG LEVEL
    locgwACCEPT locvpnACCEPT 
    gwlocACCEPT vpnlocACCEPT 
    +

    Once @@ -177,48 +202,67 @@ you are now ready to configure the tunnel in - Mobile System (Road Warrior) +

    + Mobile System (Road Warrior)

    Suppose that you have a laptop system (B) that you take with you when you travel and you want to be able to establish a secure connection back to your local network.

    - +

    +

    You need to define a zone for the laptop or include it in + your local zone. In this example, we'll assume that you have created a zone + called "vpn" to represent the remote host.

    + +
    + + + + + + + + + + + + +
    ZONEDISPLAYCOMMENTS
    vpnVPNRemote Subnet
    +
    +

    In this instance, the mobile system (B) has IP address 134.28.54.2 but that cannot be determined in advance. In the /etc/shorewall/tunnels file on system A, the following entry should be made:

    - +
    - - - - + + + + - - - - + + + + -
    - TYPE - ZONE - GATEWAY - GATEWAY ZONE + TYPE + ZONE + GATEWAY + GATEWAY ZONE
    ipsecnet0.0.0.0/0gwipsecnet0.0.0.0/0vpn
    +

    Note that the GATEWAY -ZONE column contains the name of the zone corresponding to peer subnetworks -(gw in the default /etc/shorewall/zones). This indicates that the +ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the gateway system itself comprises the peer subnetwork; in other words, the remote gateway is a standalone system.

    @@ -228,7 +272,7 @@ remote gateway is a standalone system.

    Last -updated 5/18/2002 - +updated 8/20/2002 - Tom Eastep

    @@ -236,5 +280,5 @@ updated 5/18/2002 -

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/Install.htm b/STABLE/documentation/Install.htm index 3dcf447b4..468f4b2e7 100644 --- a/STABLE/documentation/Install.htm +++ b/STABLE/documentation/Install.htm @@ -5,10 +5,16 @@ Shorewall Installation - -

    Shorewall Installation

    + + + + + +
    +

    Shorewall Installation

    +

    Install using RPM
    Install @@ -25,48 +31,48 @@ either from the RedHat update site or from the Shorewall Errata page before attempting to start Shorewall.

    - - - - -
    bulletInstall the RPM (rpm -ivh <shorewall rpm>).
    +
      +
    • Install the RPM (rpm -ivh <shorewall rpm>).

      Note: Some SuSE users have encountered a problem whereby rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps <shorewall - rpm>).
    bulletEdit the configuration files to match your configuration. WARNING - YOU CAN NOT SIMPLY INSTALL THE RPM + rpm>). +
  • Edit the configuration files to match your configuration. WARNING - YOU CAN NOT SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, -ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.
    • bulletStart the firewall by typing "shorewall start"
    +ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.     +
  • Start the firewall by typing "shorewall start"
    • +

    To install Shorewall using the tarball and install script:

    -     - - - - - - - - - -
    bulletunpack the tarball
    bulletcd to the shorewall directory (the version is encoded in the - directory name as in "shorewall-1.1.10").
    bulletIf you are using +
  • unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
    • +
  • cd to the shorewall directory (the version is encoded in the + directory name as in "shorewall-1.1.10").
    • +
  • If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian - then type "./install.sh"
    • bulletIf you are using SuSe then type - "./install.sh /etc/init.d"
    bulletIf your distribution has directory + then type "./install.sh" +
  • If you are using SuSe then type + "./install.sh /etc/init.d"
    • +
  • If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type - "./install.sh"
    • bulletFor other distributions, determine where your + "./install.sh" +
  • For other distributions, determine where your distribution installs init scripts and type - "./install.sh <init script directory>
    • bulletEdit the configuration files to match your configuration.
    bulletStart the firewall by typing "shorewall - start"
    bulletIf the install script was unable to configure Shorewall to be started automatically at boot, + "./install.sh <init script directory> +
  • Edit the configuration files to match your configuration.
    • +
  • Start the firewall by typing "shorewall + start"
    • +
  • If the install script was unable to configure Shorewall to be started automatically at boot, see these - instructions.
    • + instructions. +

    If you already have the Shorewall RPM installed and are upgrading to a new version:

    If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you @@ -74,11 +80,11 @@ have entries in the /etc/shorewall/hosts file then please check your /etc/shorewall/interfaces file to be sure that it contains an entry for each interface mentioned in the hosts file. Also, there are certain 1.2 rule forms that are no longer supported under 1.3 (you must use the new 1.3 syntax). See -the errata for details. You can check your rules and +the upgrade issues for details. You can check your rules and host file for 1.3 compatibility using the "shorewall check" command after installing the latest version of 1.3.

    -     - - - -
    bulletUpgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If you +
      +
    • Upgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). @@ -87,11 +93,11 @@ installing the latest version of 1.3.

      conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps <shorewall rpm>).
    bulletSee if there are any incompatibilities between your configuration and the - new Shorewall version (type "shorewall check") and correct as necessary.
    bulletRestart the firewall (shorewall restart).
    +  +
  • See if there are any incompatibilities between your configuration and the + new Shorewall version (type "shorewall check") and correct as necessary.
    • +
  • Restart the firewall (shorewall restart).
    • +

    If you already have Shorewall installed and are upgrading to a new version using the tarball:

    If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you @@ -99,67 +105,67 @@ have entries in the /etc/shorewall/hosts file then please check your /etc/shorewall/interfaces file to be sure that it contains an entry for each interface mentioned in the hosts file.  Also, there are certain 1.2 rule forms that are no longer supported under 1.3 (you must use the new 1.3 syntax). -See the errata for details. You can check your rules +See the upgrade issues for details. You can check your rules and host file for 1.3 compatibility using the "shorewall check" command after installing the latest version of 1.3.

    -     - - - - - - - - -
    bulletunpack the tarball
    bulletcd to the shorewall directory (the version is encoded in the - directory name as in "shorewall-3.0.1").
    bulletIf you are using +
  • unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
    • +
  • cd to the shorewall directory (the version is encoded in the + directory name as in "shorewall-3.0.1").
    • +
  • If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian - then type "./install.sh"
    • bulletIf you are using SuSe then type - "./install.sh /etc/init.d"
    bulletIf your distribution has directory + then type "./install.sh" +
  • If you are using SuSe then type + "./install.sh /etc/init.d"
    • +
  • If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type - "./install.sh"
    • bulletFor other distributions, determine where your + "./install.sh" +
  • For other distributions, determine where your distribution installs init scripts and type - "./install.sh <init script directory>
    • bulletSee if there are any incompatibilities between your configuration and the - new Shorewall version (type "shorewall check") and correct as necessary.
    bulletRestart the firewall by typing "shorewall restart"
    -

    Configuring Shorewall

    + "./install.sh <init script directory> +
  • See if there are any incompatibilities between your configuration and the + new Shorewall version (type "shorewall check") and correct as necessary.
    • +
  • Restart the firewall by typing "shorewall restart"
    • + +

    Configuring Shorewall

    You will need to edit some or all of these configuration files to match your setup. In most cases, the Shorewall QuickStart Guides contain all of the information you need.

    -     - - - - - - - - - - - - - - - - -
    bullet/etc/shorewall/shorewall.conf - used to set several firewall - parameters.
    bullet/etc/shorewall/params - use this file to set shell variables that you will - expand in other files.
    bullet/etc/shorewall/zones - partition the firewall's view of the world - into zones.
    bullet/etc/shorewall/policy - establishes firewall high-level policy.
    bullet/etc/shorewall/interfaces - describes the interfaces on the - firewall system.
    bullet/etc/shorewall/hosts - allows defining zones in terms of individual - hosts and subnetworks.
    bullet/etc/shorewall/masq - directs the firewall where to use many-to-one - (dynamic) NAT a.k.a. Masquerading.
    bullet/etc/shorewall/modules - directs the firewall to load kernel modules.
    bullet/etc/shorewall/rules - defines rules that are exceptions to the - overall policies established in /etc/shorewall/policy.
    bullet/etc/shorewall/nat - defines static NAT rules.
    bullet/etc/shorewall/proxyarp - defines use of Proxy ARP.
    bullet/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts - accessible when Shorewall is stopped.
    bullet/etc/shorewall/tcrules - defines marking of packets for later use by - traffic control/shaping.
    bullet/etc/shorewall/tos - defines rules for setting the TOS field in packet - headers.
    bullet/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on - the firewall system.
    bullet/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
    -

    Updated 7/31/2002 - Tom +

    +

    Updated 8/7/2002 - Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     \ No newline at end of file + \ No newline at end of file diff --git a/STABLE/documentation/NAT.htm b/STABLE/documentation/NAT.htm index e3272c554..c72bf1388 100644 --- a/STABLE/documentation/NAT.htm +++ b/STABLE/documentation/NAT.htm @@ -5,13 +5,18 @@ Shorewall NAT - - +
    -

    Static NAT

    + + + + +
    +

    Static NAT

    +

    IMPORTANT: If all you want to do is forward ports to servers behind your firewall, you do NOT want to use static NAT. Port forwarding can be accomplished with simple entries in the @@ -22,7 +27,8 @@ addresses.

    The following figure represents a static NAT environment.

    -

    +

    +

    Static NAT can be used to make the systems with the @@ -31,29 +37,29 @@ /etc/shorewall/NAT file would make the lower left-hand system appear to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.19.

    -     +
    - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + -
    EXTERNALINTERFACEINTERNALALL INTERFACESLOCALEXTERNALINTERFACEINTERNALALL INTERFACESLOCAL
    130.252.100.18eth010.1.1.2yesyes130.252.100.18eth010.1.1.2yesyes
    130.252.100.19eth010.1.1.3yesyes130.252.100.19eth010.1.1.3yesyes
    +

    Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above example) is (are) not included in any specification in /etc/shorewall/masq or /etc/shorewall/proxyarp.

    @@ -83,4 +89,4 @@ Tom Eastep

    Copyright2001, 2002 Thomas M. Eastep.     \ No newline at end of file +© 2001, 2002 Thomas M. Eastep.     \ No newline at end of file diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm index 3050387e6..78ec4d63d 100644 --- a/STABLE/documentation/News.htm +++ b/STABLE/documentation/News.htm @@ -5,39 +5,84 @@ Shorewall News - - + -

    Shorewall News Archive

    + + + + +
    +

    Shorewall News Archive

    +
    +

    8/22/2002 - Shorewall 1.3.7 Released 8/13/2002

    + +

    Features in this release include:

    + +
      +
    • The 'icmp.def' file is now empty! The rules in that file were required in + ipchains firewalls but are not required in Shorewall. Users who have + ALLOWRELATED=No in shorewall.conf should + see the Upgrade Issues.
      • +
    • A 'FORWARDPING' option has been added to + shorewall.conf. The effect of setting this variable to Yes is the same as + the effect of adding an ACCEPT rule for ICMP echo-request in + /etc/shorewall/icmpdef. Users + who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.
      • +
    • The loopback CLASS A Network (127.0.0.0/8) has been added to the rfc1918 + file.
      • +
    • Shorewall now works with iptables 1.2.7
      • +
    • The documentation and web site no longer uses FrontPage themes.
      • +
    + +

    I would like to thank John Distler for his valuable input regarding TCP SYN + and ICMP treatment in Shorewall. That input has led to marked improvement in + Shorewall in the last two releases.

    + +

    8/13/2002 - Documentation in the CVS Repository

    + +

    The Shorewall-docs project now contains just the HTML and image files - the + Frontpage files have been removed.

    + +

    8/7/2002 - STABLE branch added to CVS Repository

    + +

    This branch will only be updated after I release a new version of Shorewall + so you can always update from this branch to get the latest stable tree.

    + +

    8/7/2002 - Upgrade Issues section added + to the Errata Page

    + +

    Now there is one place to go to look for issues involved with upgrading to + recent versions of Shorewall.

    +

    8/7/2002 - Shorewall 1.3.6

    This is primarily a bug-fix rollup with a couple of new features:

    -     - - - -
    bulletThe latest QuickStart Guides - including the Shorewall Setup Guide.
    bulletShorewall will now DROP TCP packets that are not part of or +
    bulletThe processing of "New not SYN" packets may be extended by command in the - new newnotsyn extension script.
    + in /etc/shorewall/shorewall.conf. +
  • The processing of "New not SYN" packets may be extended by commands in + the new newnotsyn extension script.
    • +

    7/30/2002 - Shorewall 1.3.5b Released

    This interim release:

    -     - - - -
    bulletCauses the firewall script to remove the lock file if it is killed.
    bulletOnce again allows lists in the second column of the - /etc/shorewall/hosts file.
    bulletIncludes the latest QuickStart - Guides.
    +
      +
    • Causes the firewall script to remove the lock file if it is killed.
      • +
    • Once again allows lists in the second column of the + /etc/shorewall/hosts file.
      • +
    • Includes the latest QuickStart + Guides.
      • +

    7/29/2002 - New Shorewall Setup Guide Available

    @@ -63,25 +108,25 @@

     In this version:

    -     - - - - - -
    bulletEmpty and invalid source and destination qualifiers are now detected in +
      +
    • Empty and invalid source and destination qualifiers are now detected in the rules file. It is a good idea to use the 'shorewall check' command before you issue a 'shorewall restart' command be be sure that you don't have any - configuration problems that will prevent a successful restart.
    bulletAdded MERGE_HOSTS variable in + configuration problems that will prevent a successful restart. +
  • Added MERGE_HOSTS variable in shorewall.conf to provide saner behavior of the /etc/shorewall/hosts - file.
    • bulletThe time that the counters were last reset is now displayed in the - heading of the 'status' and 'show' commands.
    bulletA proxyarp option has been added for entries in + file. +
  • The time that the counters were last reset is now displayed in the + heading of the 'status' and 'show' commands.
    • +
  • A proxyarp option has been added for entries in /etc/shorewall/interfaces. This option facilitates Proxy ARP sub-netting as described in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). Specifying the proxyarp option for an interface causes Shorewall to set - /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
    • bulletThe Samples have been updated to reflect the new capabilities in this - release.
    + /proc/sys/net/ipv4/conf/<interface>/proxy_arp. +
  • The Samples have been updated to reflect the new capabilities in this + release.
    • +

    7/16/2002 - New Mirror in Argentina

    @@ -92,25 +137,25 @@

    In this version:

    -     - - - - - -
    bulletA new +
      +
    • A new /etc/shorewall/routestopped file has been added. This file is intended to eventually replace the routestopped option in the /etc/shorewall/interface and /etc/shorewall/hosts files. This new file makes remote firewall administration easier by allowing any IP or subnet to be - enabled while Shorewall is stopped.
    bulletAn /etc/shorewall/stopped extension + enabled while Shorewall is stopped. +
  • An /etc/shorewall/stopped extension script has been added. This script is invoked after Shorewall has - stopped.
    • bulletA DETECT_DNAT_ADDRS option has been added to + stopped. +
  • A DETECT_DNAT_ADDRS option has been added to /etc/shoreall/shorewall.conf. When this option is selected, DNAT rules only apply when the destination address is the - external interface's primary IP address.
    • bulletThe QuickStart Guide has - been broken into three guides and has been almost entirely rewritten.
    bulletThe Samples have been updated to reflect the new capabilities in this - release.
    + external interface's primary IP address. +
  • The QuickStart Guide has + been broken into three guides and has been almost entirely rewritten.
    • +
  • The Samples have been updated to reflect the new capabilities in this + release.
    • +

    7/8/2002 - Shorewall 1.3.3 Debian Package Available

    @@ -120,20 +165,20 @@

    In this version:

    -     - - - - - - -
    bulletEntries in /etc/shorewall/interface that use the wildcard character ("+") - now have the "multi" option assumed.
    bulletThe 'rfc1918' chain in the mangle table has been renamed 'man1918' to +
      +
    • Entries in /etc/shorewall/interface that use the wildcard character ("+") + now have the "multi" option assumed.
      • +
    • The 'rfc1918' chain in the mangle table has been renamed 'man1918' to make log messages generated from that chain distinguishable from those - generated by the 'rfc1918' chain in the filter table.
    bulletInterface names appearing in the hosts file are now validated against the - interfaces file.
    bulletThe TARGET column in the rfc1918 file is now checked for correctness.
    bulletThe chain structure in the nat table has been changed to reduce the + generated by the 'rfc1918' chain in the filter table. +
  • Interface names appearing in the hosts file are now validated against the + interfaces file.
    • +
  • The TARGET column in the rfc1918 file is now checked for correctness.
    • +
  • The chain structure in the nat table has been changed to reduce the number of rules that a packet must traverse and to correct problems with - NAT_BEFORE_RULES=No
    • bulletThe "hits" command has been enhanced.
    + NAT_BEFORE_RULES=No +
  • The "hits" command has been enhanced.
    • +

    6/25/2002 - Samples Updated for 1.3.2

    @@ -154,16 +199,16 @@

    In this version:

    -     - - - - -
    bulletA logwatch command has been - added to /sbin/shorewall.
    bulletA dynamic blacklist facility has - been added.
    bulletSupport for the Netfilter multiport - match function has been added.
    bulletThe files firewall, functions and version have been moved - from /etc/shorewall to /var/lib/shorewall.
    +

    6/6/2002 - Why CVS Web access is Password Protected

    @@ -172,11 +217,11 @@ my server was almost unusable due to the high load generated by website copying tools like HTTrack and WebStripper. These mindless tools:

    -     - - - -
    bulletIgnore robot.txt files.
    bulletRecursively copy everything that they find.
    bulletShould be classified as weapons rather than tools.
    +
      +
    • Ignore robot.txt files.
      • +
    • Recursively copy everything that they find.
      • +
    • Should be classified as weapons rather than tools.
      • +

    These tools/weapons are particularly damaging when combined with CVS Web because they doggedly follow every link in the cgi-generated HTML resulting in @@ -202,87 +247,87 @@

    Hot on the heels of 1.3.0, this release:

    -     - - -
    bulletCorrects a serious problem with "all <zone> CONTINUE" policies. +
      +
    • Corrects a serious problem with "all <zone> CONTINUE" policies. This problem is present in all versions of Shorewall that support the CONTINUE policy. These previous versions optimized away the "all2<zone>" chain and replaced it with the "all2all" chain with the usual result that a - policy of REJECT was enforced rather than the intended CONTINUE policy.
    bulletAdds an /etc/shorewall/rfc1918 + policy of REJECT was enforced rather than the intended CONTINUE policy. +
  • Adds an /etc/shorewall/rfc1918 file for defining the exact behavior of the - 'norfc1918' interface option.
    • + 'norfc1918' interface option. +

    5/29/2002 - Shorewall 1.3.0 Released

    In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 includes:

    -     - -
    bulletA 'filterping' interface option that allows ICMP echo-request (ping) +
      +
    • A 'filterping' interface option that allows ICMP echo-request (ping) requests addressed to the firewall to be handled by entries in - /etc/shorewall/rules and /etc/shorewall/policy.
    + /etc/shorewall/rules and /etc/shorewall/policy. +

    5/23/2002 - Shorewall 1.3 RC1 Available

    In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) incorporates the following:

    -     - -
    bulletSupport for the /etc/shorewall/whitelist file has been withdrawn. If you +
      +
    • Support for the /etc/shorewall/whitelist file has been withdrawn. If you need whitelisting, see these - instructions.
    + instructions. +

    5/19/2002 - Shorewall 1.3 Beta 2 Available

    In addition to the changes in Beta 1, this release which carries the designation 1.2.91 adds:

    -     - - - - -
    bulletThe structure of the firewall is changed markedly. There is now an INPUT +
      +
    • The structure of the firewall is changed markedly. There is now an INPUT and a FORWARD chain for each interface; this reduces the number of rules that - a packet must traverse, especially in complicated setups.
    bulletSub-zones may now be excluded from - DNAT and REDIRECT rules.
    bulletThe names of the columns in a number of the configuration files have been + a packet must traverse, especially in complicated setups. +
  • Sub-zones may now be excluded from + DNAT and REDIRECT rules.
    • +
  • The names of the columns in a number of the configuration files have been changed to be more consistent and self-explanatory and the documentation has - been updated accordingly.
    • bulletThe sample configurations have been updated for 1.3.
    + been updated accordingly. +
  • The sample configurations have been updated for 1.3.
    • +

    5/17/2002 - Shorewall 1.3 Beta 1 Available

    Beta 1 carries the version designation 1.2.90 and implements the following features:

    -     - - - -
    bulletSimplified rule syntax which makes the intent of each rule clearer and - hopefully makes Shorewall easier to learn.
    bulletUpward compatibility with 1.2 configuration files has been maintained so - that current users can migrate to the new syntax at their convenience.
    bulletWARNING:  Compatibility with the old +
      +
    • Simplified rule syntax which makes the intent of each rule clearer and + hopefully makes Shorewall easier to learn.
      • +
    • Upward compatibility with 1.2 configuration files has been maintained so + that current users can migrate to the new syntax at their convenience.
      • +
    • WARNING:  Compatibility with the old parameterized sample configurations has NOT been maintained. Users still running those configurations should migrate to the new sample configurations - before upgrading to 1.3 Beta 1.
    + before upgrading to 1.3 Beta 1.     +

    5/4/2002 - Shorewall 1.2.13 is Available

    In this version:

    - - - - - -
    bulletWhite-listing is supported.
    bulletSYN-flood protection is added.
    bulletIP addresses added under ADD_IP_ALIASES +
    bulletThe order in which port forwarding DNAT and Static DNAT + interface's primary IP address. +
  • The order in which port forwarding DNAT and Static DNAT can now be reversed so that port forwarding rules can override the contents of - /etc/shorewall/nat.
    • + /etc/shorewall/nat. +

    4/30/2002 - Shorewall Debian News

    @@ -294,23 +339,23 @@

    4/20/2002 - Shorewall 1.2.12 is Available

    -     - - -
    bulletThe 'try' command works again
    bulletThere is now a single RPM that also works with SuSE.
    +
      +
    • The 'try' command works again
      • +
    • There is now a single RPM that also works with SuSE.
      • +

    4/17/2002 - Shorewall Debian News

    Lorenzo Marignoni reports that:

    -     - - -
    bulletShorewall 1.2.10 is in the +
    bulletShorewall 1.2.11 is in the + Testing Branch +
  • Shorewall 1.2.11 is in the Debian - Unstable Branch
    • + Unstable Branch +

    Thanks, Lorenzo!

    @@ -325,20 +370,20 @@

    In this version:

    -     - - - - -
    bulletThe 'try' command now accepts an optional timeout. If the timeout is +
      +
    • The 'try' command now accepts an optional timeout. If the timeout is given in the command, the standard configuration will automatically be restarted after the new configuration has been running for that length of time. This prevents a remote admin from being locked out of the firewall in - the case where the new configuration starts but prevents access.
    bulletKernel route filtering may now be enabled globally using the new + the case where the new configuration starts but prevents access. +
  • Kernel route filtering may now be enabled globally using the new ROUTE_FILTER parameter in - /etc/shorewall/shorewall.conf.
    • bulletIndividual IP source addresses and/or subnets may now be excluded from - masquerading/SNAT.
    bulletSimple "Yes/No" and "On/Off" values are now case-insensitive in - /etc/shorewall/shorewall.conf.
    + /etc/shorewall/shorewall.conf. +
  • Individual IP source addresses and/or subnets may now be excluded from + masquerading/SNAT.
    • +
  • Simple "Yes/No" and "On/Off" values are now case-insensitive in + /etc/shorewall/shorewall.conf.
    • +

    4/13/2002 - Hamburg Mirror now has FTP

    @@ -391,12 +436,12 @@

    3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

    -     - - -
    bulletThe 1.2.10 Debian Package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
    bulletShorewall 1.2.9 is now in the +
    + Unstable Distribution. +

    3/25/2002 - Log Parser Available

    @@ -408,39 +453,39 @@

    In this version:

    -     - - - -
    bulletA "shorewall try" command has been added (syntax: shorewall try +
      +
    • A "shorewall try" command has been added (syntax: shorewall try <configuration directory>). This command attempts "shorewall -c <configuration directory> start" and if that results in the firewall being stopped due to an error, a "shorewall start" command is executed. The 'try' command allows you to create a new configuration and attempt to start it; if there is an error that leaves your firewall in the stopped state, it will automatically be restarted using - the default configuration (in /etc/shorewall).
    bulletA new variable ADD_SNAT_ALIASES has been added to + the default configuration (in /etc/shorewall). +
  • A new variable ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf. If this variable is set to "Yes", Shorewall will automatically add IP addresses listed in the third column of the - /etc/shorewall/masq file.
    • bulletCopyright notices have been added to the documenation.
    + /etc/shorewall/masq file. +
  • Copyright notices have been added to the documenation.
    • +

    3/11/2002 - Shorewall 1.2.9 Released

    In this version:

    -     - - - -
    bulletFiltering by MAC address has been added. - MAC addresses may be used as the source address in: - - - - -
    bulletFiltering rules (/etc/shorewall/rules)
    bulletTraffic Control Classification Rules (/etc/shorewall/tcrules)
    bulletTOS Rules (/etc/shorewall/tos)
    bulletBlacklist (/etc/shorewall/blacklist)
    -
    bulletSeveral bugs have been fixed
    bulletThe 1.2.9 Debian Package is also available at http://security.dsi.unimi.it/~lorenzo/debian.html.
    +

    3/1/2002 - 1.2.8 Debian Package is Available

    @@ -463,15 +508,15 @@ http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    In this version:

    -     - - - -
    bulletUPnP probes (UDP destination port 1900) are now silently dropped in the - common chain
    bulletRFC 1918 checking in the mangle table has been streamlined to no longer +
      +
    • UPnP probes (UDP destination port 1900) are now silently dropped in the + common chain
      • +
    • RFC 1918 checking in the mangle table has been streamlined to no longer require packet marking. RFC 1918 checking in the filter table has been - changed to require half as many rules as previously.
    bulletA 'shorewall check' command has been added that does a cursory validation - of the zones, interfaces, hosts, rules and policy files.
    + changed to require half as many rules as previously. +
  • A 'shorewall check' command has been added that does a cursory validation + of the zones, interfaces, hosts, rules and policy files.
    • +

    2/18/2002 - 1.2.6 Debian Package is Available

    @@ -481,17 +526,17 @@ http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    In this version:

    -     - - - -
    bullet$-variables may now be used anywhere in the configuration files except - /etc/shorewall/zones.
    bulletThe interfaces and hosts files now have their contents validated before +
      +
    • $-variables may now be used anywhere in the configuration files except + /etc/shorewall/zones.
      • +
    • The interfaces and hosts files now have their contents validated before any changes are made to the existing Netfilter configuration. The appearance of a zone name that isn't defined in /etc/shorewall/zones causes "shorewall start" and "shorewall restart" to abort without changing the Shorewall state. - Unknown options in either file cause a warning to be issued.
    bulletA problem occurring when BLACKLIST_LOGLEVEL was not set has been - corrected.
    + Unknown options in either file cause a warning to be issued. +
  • A problem occurring when BLACKLIST_LOGLEVEL was not set has been + corrected.
    • +

    2/4/2002 - Shorewall 1.2.5 Debian Package Available

    @@ -504,30 +549,30 @@ http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    In version 1.2.5:

    -     - - - - -
    bulletThe installation problems have been corrected.
    bulletSNAT is now supported.
    bulletA "shorewall version" command has been added
    bulletThe default value of the STATEDIR variable in +
      +
    • The installation problems have been corrected.
      • +
    • SNAT is now supported.
      • +
    • A "shorewall version" command has been added
      • +
    • The default value of the STATEDIR variable in /etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall in - order to conform to the GNU/Linux File Hierarchy Standard, Version 2.2.
    + order to conform to the GNU/Linux File Hierarchy Standard, Version 2.2. +

    1/28/2002 - Shorewall 1.2.4 Released

    -     - - - - -
    bulletThe "fw" zone may now be given a - different name.
    bulletYou may now place end-of-line comments (preceded by '#') in any of the - configuration files
    bulletThere is now protection against against two state changing operations +
      +
    • The "fw" zone may now be given a + different name.
      • +
    • You may now place end-of-line comments (preceded by '#') in any of the + configuration files
      • +
    • There is now protection against against two state changing operations occuring concurrently. This is implemented using the 'lockfile' utility if it is available (lockfile is part of procmail); otherwise, a less robust technique is used. The lockfile is created in the STATEDIR defined in - /etc/shorewall/shorewall.conf and has the name "lock".
    bullet"shorewall start" no longer fails if "detect" is - specified in /etc/shorewall/interfaces for an interface with subnet mask 255.255.255.255.
    + /etc/shorewall/shorewall.conf and has the name "lock". +
  • "shorewall start" no longer fails if "detect" is + specified in /etc/shorewall/interfaces for an interface with subnet mask 255.255.255.255.
    • +

    1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html

    @@ -540,17 +585,17 @@ errata for details.

    This is a minor feature and bugfix release. The single new feature is:

    -     - -
    bulletSupport for TCP MSS Clamp to PMTU -- This support is usually required when +
      +
    • Support for TCP MSS Clamp to PMTU -- This support is usually required when the internet connection is via PPPoE or PPTP and may be enabled using the CLAMPMSS - option in /etc/shorewall/shorewall.conf.
    + option in /etc/shorewall/shorewall.conf. +

    The following problems were corrected:

    -     - - - -
    bulletThe "shorewall status" command no longer hangs.
    bulletThe "shorewall monitor" command now displays the icmpdef chain
    bulletThe CLIENT PORT(S) column in tcrules is no longer ignored
    +
      +
    • The "shorewall status" command no longer hangs.
      • +
    • The "shorewall monitor" command now displays the icmpdef chain
      • +
    • The CLIENT PORT(S) column in tcrules is no longer ignored
      • +

    1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release

    @@ -570,46 +615,46 @@ health.

    In version 1.2.2

    -     - - - -
    bulletSupport for IP blacklisting has been added - - - - - - -
    bulletYou specify whether you want packets from blacklisted hosts dropped or +
      +
    • Support for IP blacklisting has been added +
        +
      • You specify whether you want packets from blacklisted hosts dropped or rejected using the BLACKLIST_DISPOSITION - setting in /etc/shorewall/shorewall.conf
    bulletYou specify whether you want packets from blacklisted hosts logged and + setting in /etc/shorewall/shorewall.conf +
  • You specify whether you want packets from blacklisted hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL - setting in /etc/shorewall/shorewall.conf
    • bulletYou list the IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist
    bulletYou specify the interfaces you want checked against the blacklist + setting in /etc/shorewall/shorewall.conf +
  • You list the IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist
    • +
  • You specify the interfaces you want checked against the blacklist using the new "blacklist" - option in /etc/shorewall/interfaces.
    • bulletThe black list is refreshed from /etc/shorewall/blacklist by the - "shorewall refresh" command.
    -
    bulletUse of TCP RST replies has been expanded  - - - -
    bulletTCP connection requests rejected because of a REJECT policy are now - replied with a TCP RST packet.
    bulletTCP connection requests rejected because of a protocol=all rule in - /etc/shorewall/rules are now replied with a TCP RST packet.
    -
    bulletA LOGFILE specification has been + option in /etc/shorewall/interfaces. +
  • The black list is refreshed from /etc/shorewall/blacklist by the + "shorewall refresh" command.
    • + + +
  • Use of TCP RST replies has been expanded  +
      +
    • TCP connection requests rejected because of a REJECT policy are now + replied with a TCP RST packet.
      • +
    • TCP connection requests rejected because of a protocol=all rule in + /etc/shorewall/rules are now replied with a TCP RST packet.
      • +
    +
    • +
  • A LOGFILE specification has been added to /etc/shorewall/shorewall.conf. LOGFILE is used to tell the - /sbin/shorewall program where to look for Shorewall messages.
    • + /sbin/shorewall program where to look for Shorewall messages. +

    1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates to the previously-released samples. There are two new rules added:

    -     - - -
    bulletUnless you have explicitly enabled Auth connections (tcp port 113) to your +
      +
    • Unless you have explicitly enabled Auth connections (tcp port 113) to your firewall, these connections will be REJECTED rather than DROPPED. This - speeds up connection establishment to some servers.
    bulletOrphan DNS replies are now silently dropped.
    + speeds up connection establishment to some servers. +
  • Orphan DNS replies are now silently dropped.
    • +

    See the README file for upgrade instructions.

    1/1/2002 - Shorewall Mailing List Moving

    @@ -622,24 +667,24 @@ samples. There are two new rules added:

    In version 1.2.1:

    -     - - - -
    bulletLogging of Mangled/Invalid - Packets is added. 
    bulletThe tunnel script has been corrected.
    bullet'shorewall show tc' now correctly handles tunnels.
    +

    12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing 1.2 on 12/21/2001

    Version 1.2 contains the following new features:

    -     - - - -
    bulletSupport for Traffic Control/Shaping
    bulletSupport for Filtering of - Mangled/Invalid Packets
    bulletSupport for GRE Tunnels
    +

    For the next month or so, I will continue to provide corrections to version 1.1.18 as necessary so that current version 1.1.x users will not be forced into a quick upgrade to 1.2.0 just to have access to bug fixes.

    @@ -657,24 +702,24 @@ and the ftp site is at

    11/30/2001 - A new set of the parameterized Sample Configurations has been released. In this version:

    -     - - -
    bulletPing is now allowed between the zones.
    bulletIn the three-interface configuration, it is now possible to configure the - internet services that are to be available to servers in the DMZ. 
    +
      +
    • Ping is now allowed between the zones.
      • +
    • In the three-interface configuration, it is now possible to configure the + internet services that are to be available to servers in the DMZ. 
      • +

    11/20/2001 - The current version of Shorewall is 1.1.18. 

    In this version:

    -     - - - -
    bulletThe spelling of ADD_IP_ALIASES has been corrected in the shorewall.conf - file
    bulletThe logic for deleting user-defined chains has been simplified so that it - avoids a bug in the LRP version of the 'cut' utility.
    bulletThe /var/lib/lrpkg/shorwall.conf file has been corrected to properly - display the NAT entry in that file.
    +
      +
    • The spelling of ADD_IP_ALIASES has been corrected in the shorewall.conf + file
      • +
    • The logic for deleting user-defined chains has been simplified so that it + avoids a bug in the LRP version of the 'cut' utility.
      • +
    • The /var/lib/lrpkg/shorwall.conf file has been corrected to properly + display the NAT entry in that file.
      • +

    11/19/2001 - Thanks to Juraj Ontkanin, there is now a Shorewall mirror in the Slovak Republic. The website is now mirrored at http://www.nrg.sk/mirror/shorewall @@ -683,11 +728,11 @@ and the ftp site is at

    11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. There are three sample configurations:

    -     - - - -
    bulletOne Interface -- for a standalone system.
    bulletTwo Interfaces -- A masquerading firewall.
    bulletThree Interfaces -- A masquerading firewall with DMZ.
    +
      +
    • One Interface -- for a standalone system.
      • +
    • Two Interfaces -- A masquerading firewall.
      • +
    • Three Interfaces -- A masquerading firewall with DMZ.
      • +

    Samples may be downloaded from @@ -699,41 +744,41 @@ and the ftp site is at

    In this version:

    -     - -
    bulletThe handling of ADD_IP_ALIASES - has been corrected. 
    +

    10/22/2001 - The current version of Shorewall is 1.1.16. In this version:

    -     - - - -
    bulletA new "shorewall show connections" command has been added.
    bulletIn the "shorewall monitor" output, the currently tracked - connections are now shown on a separate page.
    bulletPrior to this release, Shorewall unconditionally added the external IP +
      +
    • A new "shorewall show connections" command has been added.
      • +
    • In the "shorewall monitor" output, the currently tracked + connections are now shown on a separate page.
      • +
    • Prior to this release, Shorewall unconditionally added the external IP adddress(es) specified in /etc/shorewall/nat. Beginning with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be set to "no" (or "No") to inhibit this behavior. This allows IP aliases created using your distribution's network - configuration tools to be used in static NAT. 
    + configuration tools to be used in static NAT.  +

    10/15/2001 - The current version of Shorewall is 1.1.15. In this version:

    -     - - -
    bulletSupport for nested zones has been improved. See +
    bulletShorewall now correctly checks the alternate configuration directory for - the 'zones' file.
    + for details +
  • Shorewall now correctly checks the alternate configuration directory for + the 'zones' file.
    • +

    10/4/2001 - The current version of Shorewall is 1.1.14. In this version

    -     - - - - - -
    bulletShorewall now supports alternate configuration directories. When an +
      +
    • Shorewall now supports alternate configuration directories. When an alternate directory is specified when starting or restarting Shorewall (e.g., "shorewall -c /etc/testconf restart"), Shorewall will first look for configuration files in the alternate directory then in @@ -742,116 +787,116 @@ version:

      2. Copy to that directory any of your configuration files that you want to change.
      3. Modify the copied files as needed.
      - 4. Restart Shorewall specifying the new directory.
    bulletThe rules for allowing/disallowing icmp echo-requests (pings) are now + 4. Restart Shorewall specifying the new directory. +
  • The rules for allowing/disallowing icmp echo-requests (pings) are now moved after rules created when processing the rules file. This allows you to add rules that selectively allow/deny ping based on source or destination - address.
    • bulletRules that specify multiple client ip addresses or subnets no longer cause - startup failures.
    bulletZone names in the policy file are now validated against the zones file.
    bulletIf you have packet mangling + address. +
  • Rules that specify multiple client ip addresses or subnets no longer cause + startup failures.
    • +
  • Zone names in the policy file are now validated against the zones file.
    • +
  • If you have packet mangling support enabled, the "norfc1918" interface option now logs and drops any incoming packets on the interface - that have an RFC 1918 destination address.
    • + that have an RFC 1918 destination address. +

    9/12/2001 - The current version of Shorewall is 1.1.13. In this version

    -     - - - -
    bulletShell variables can now be used to parameterize Shorewall rules.
    bulletThe second column in the hosts file may now contain a comma-separated +
      +
    • Shell variables can now be used to parameterize Shorewall rules.
      • +
    • The second column in the hosts file may now contain a comma-separated list.

      Example:
          sea    - eth0:130.252.100.0/24,206.191.149.0/24
    bulletHandling of multi-zone interfaces has been improved. See the documentation - for the /etc/shorewall/interfaces file.
    + eth0:130.252.100.0/24,206.191.149.0/24 +
  • Handling of multi-zone interfaces has been improved. See the documentation + for the /etc/shorewall/interfaces file.
    • +

    8/28/2001 - The current version of Shorewall is 1.1.12. In this version

    -     - - - -
    bulletSeveral columns in the rules file may now contain comma-separated lists.
    bulletShorewall is now more rigorous in parsing the options in - /etc/shorewall/interfaces.
    bulletComplementation using "!" is now supported in rules.
    +
      +
    • Several columns in the rules file may now contain comma-separated lists.
      • +
    • Shorewall is now more rigorous in parsing the options in + /etc/shorewall/interfaces.
      • +
    • Complementation using "!" is now supported in rules.
      • +

    7/28/2001 - The current version of Shorewall is 1.1.11. In this version

    -     - - - - -
    bulletA "shorewall refresh" command has been added to allow for +
      +
    • A "shorewall refresh" command has been added to allow for refreshing the rules associated with the broadcast address on a dynamic interface. This command should be used in place of "shorewall - restart" when the internet interface's IP address changes.
    bulletThe /etc/shorewall/start file (if any) is now processed after all + restart" when the internet interface's IP address changes. +
  • The /etc/shorewall/start file (if any) is now processed after all temporary rules have been deleted. This change prevents the accidental - removal of rules added during the processing of that file.
    • bulletThe "dhcp" interface option is now applicable to firewall - interfaces used by a DHCP server running on the firewall.
    bulletThe RPM can now be built from the .tgz file using "rpm -tb" 
    + removal of rules added during the processing of that file. +
  • The "dhcp" interface option is now applicable to firewall + interfaces used by a DHCP server running on the firewall.
    • +
  • The RPM can now be built from the .tgz file using "rpm -tb" 
    • +

    7/6/2001 - The current version of Shorewall is 1.1.10. In this version

    -     - - - -
    bulletShorewall now enables Ipv4 Packet Forwarding by default. Packet forwarding +
      +
    • Shorewall now enables Ipv4 Packet Forwarding by default. Packet forwarding may be disabled by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf. If you don't want Shorewall to enable or disable packet forwarding, add IP_FORWARDING=Keep to your - /etc/shorewall/shorewall.conf file.
    bulletThe "shorewall hits" command no longer lists extraneous service - names in its last report.
    bulletErroneous instructions in the comments at the head of the firewall script - have been corrected.
    + /etc/shorewall/shorewall.conf file. +
  • The "shorewall hits" command no longer lists extraneous service + names in its last report.
    • +
  • Erroneous instructions in the comments at the head of the firewall script + have been corrected.
    • +

    6/23/2001 - The current version of Shorewall is 1.1.9. In this version

    -     - - - - - - - -
    bulletThe "tunnels" file really is in the RPM now.
    bulletSNAT can now be applied to port-forwarded connections.
    bulletA bug which would cause firewall start failures in some dhcp configurations - has been fixed.
    bulletThe firewall script now issues a message if you have the name of an +
      +
    • The "tunnels" file really is in the RPM now.
      • +
    • SNAT can now be applied to port-forwarded connections.
      • +
    • A bug which would cause firewall start failures in some dhcp configurations + has been fixed.
      • +
    • The firewall script now issues a message if you have the name of an interface in the second column in an entry in /etc/shorewall/masq and that - interface is not up.
    bulletYou can now configure Shorewall so that it doesn't require the NAT and/or - mangle netfilter modules.
    bulletThanks to Alex  Polishchuk, the "hits" command - from seawall is now in shorewall.
    bulletSupport for IPIP tunnels has been added.
    + interface is not up. +
  • You can now configure Shorewall so that it doesn't require the NAT and/or + mangle netfilter modules.
    • +
  • Thanks to Alex  Polishchuk, the "hits" command + from seawall is now in shorewall.
    • +
  • Support for IPIP tunnels has been added.
    • +

    6/18/2001 - The current version of Shorewall is 1.1.8. In this version

    -     - - - -
    bulletA typo in the sample rules file has been corrected.
    bulletIt is now possible to restrict masquerading by - destination host or subnet.
    bulletIt is now possible to have static NAT rules - applied to packets originating on the firewall itself.
    +

    6/2/2001 - The current version of Shorewall is 1.1.7. In this version

    -     - - - - - -
    bulletThe TOS rules are now deleted when the firewall is stopped.
    bulletThe .rpm will now install regardless of which version of iptables is - installed.
    bulletThe .rpm will now install without iproute2 being installed.
    bulletThe documentation has been cleaned up.
    bulletThe sample configuration files included in Shorewall have been formatted - to 80 columns for ease of editing on a VGA console.
    +
      +
    • The TOS rules are now deleted when the firewall is stopped.
      • +
    • The .rpm will now install regardless of which version of iptables is + installed.
      • +
    • The .rpm will now install without iproute2 being installed.
      • +
    • The documentation has been cleaned up.
      • +
    • The sample configuration files included in Shorewall have been formatted + to 80 columns for ease of editing on a VGA console.
      • +

    5/25/2001 - The current version of Shorewall is 1.1.6. In this version

    -     - - - -
    bulletYou may now rate-limit the packet log.
    bullet Previous versions of +
      +
    • You may now rate-limit the packet log.
      • +
    •  Previous versions of Shorewall have an implementation of Static NAT which violates the principle of least surprise.  NAT only occurs for packets arriving at (DNAT) or send from (SNAT) the interface named in the INTERFACE column of @@ -860,129 +905,129 @@ version:

      compatibility with prior versions, I have added a new "ALL "ALL INTERFACES"  column to /etc/shorewall/nat. By placing "no" or "No" in the new column, the NAT behavior of - prior versions may be retained. 
    bulletThe treatment of IPSEC Tunnels where the remote + prior versions may be retained.  +
  • The treatment of IPSEC Tunnels where the remote gateway is a standalone system has been improved. Previously, it was necessary to include an additional rule allowing UDP port 500 traffic to pass through the tunnel. Shorewall will now create this rule automatically when you place the name of the remote peer's zone in a new GATEWAY ZONE - column in /etc/shorewall/tunnels. 
    • + column in /etc/shorewall/tunnels.  +

    5/20/2001 - The current version of Shorewall is 1.1.5. In this version

    -     - - - - -
    bulletYou may now pass parameters when loading - netfilter modules and you can specify the modules to load.
    bulletCompressed modules are now loaded. This requires that you modutils support - loading compressed modules.
    bulletYou may now set the Type of Service (TOS) - field in packets.
    bulletCorrected rules generated for port redirection (again).
    +

    5/10/2001 - The current version of Shorewall is 1.1.4. In this version

    -     - - - - -
    bullet Accepting RELATED connections is now - optional.
    bulletCorrected problem where if "shorewall start" aborted early +
    bulletCorrected rules generated for port redirection.
    bulletThe order in which iptables kernel modules are loaded has been - corrected (Thanks to Mark Pavlidis). 
    + messages were reported. +
  • Corrected rules generated for port redirection.
    • +
  • The order in which iptables kernel modules are loaded has been + corrected (Thanks to Mark Pavlidis). 
    • +

    4/28/2001 - The current version of Shorewall is 1.1.3. In this version

    -     - - - - - - - - -
    bulletCorrect message issued when Proxy ARP address added (Thanks to Jason Kirtland).
    bullet/tmp/shorewallpolicy-$$ is now removed if there is an error while starting the firewall.
    bullet/etc/shorewall/icmp.def and /etc/shorewall/common.def are now used to define the icmpdef and common chains unless overridden by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
    bulletIn the .lrp, the file /var/lib/lrpkg/shorwall.conf has been corrected. An extra space after "/etc/shorwall/policy" has been removed and "/etc/shorwall/rules" has been added.
    bulletWhen a sub-shell encounters a fatal error and has stopped the firewall, it now kills the main shell so that the main shell will not continue.
    bulletA problem has been corrected where a sub-shell stopped the firewall and main shell continued resulting in a perplexing error message - referring to "common.so" resulted.
    bulletPreviously, placing "-" in the PORT(S) column in /etc/shorewall/rules resulted in an error message during start. This has been corrected.
    bulletThe first line of "install.sh" has been corrected -- I had inadvertently deleted the initial "#".
    +
      +
    • Correct message issued when Proxy ARP address added (Thanks to Jason Kirtland).
      • +
    • /tmp/shorewallpolicy-$$ is now removed if there is an error while starting the firewall.
      • +
    • /etc/shorewall/icmp.def and /etc/shorewall/common.def are now used to define the icmpdef and common chains unless overridden by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
      • +
    • In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been corrected. An extra space after "/etc/shorwall/policy" has been removed and "/etc/shorwall/rules" has been added.
      • +
    • When a sub-shell encounters a fatal error and has stopped the firewall, it now kills the main shell so that the main shell will not continue.
      • +
    • A problem has been corrected where a sub-shell stopped the firewall and main shell continued resulting in a perplexing error message + referring to "common.so" resulted.
      • +
    • Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules resulted in an error message during start. This has been corrected.
      • +
    • The first line of "install.sh" has been corrected -- I had inadvertently deleted the initial "#".
      • +

    4/12/2001 - The current version of Shorewall is 1.1.2. In this version

    -     - - - - - -
    bulletPort redirection now works again.
    bulletThe icmpdef and common chains may - now be user-defined.
    bulletThe firewall no longer fails to start if "routefilter" is +
      +
    • Port redirection now works again.
      • +
    • The icmpdef and common chains may + now be user-defined.
      • +
    • The firewall no longer fails to start if "routefilter" is specified for an interface that isn't started. A warning message is now - issued in this case.
    bulletThe LRP Version is renamed "shorwall" for 8,3 MSDOS file - system compatibility.
    bulletA couple of LRP-specific problems were corrected.
    + issued in this case. +
  • The LRP Version is renamed "shorwall" for 8,3 MSDOS file + system compatibility.
    • +
  • A couple of LRP-specific problems were corrected.
    • +

    4/8/2001 - Shorewall is now affiliated with the Leaf Project

    4/5/2001 - The current version of Shorewall is 1.1.1. In this version:

    -     - - - -
    bulletThe common chain is traversed from INPUT, OUTPUT and FORWARD before - logging occurs
    bulletThe source has been cleaned up dramatically
    bulletDHCP DISCOVER packets with RFC1918 source addresses no longer +
      +
    • The common chain is traversed from INPUT, OUTPUT and FORWARD before + logging occurs
      • +
    • The source has been cleaned up dramatically
      • +
    • DHCP DISCOVER packets with RFC1918 source addresses no longer generate log messages. Linux DHCP clients generate such packets and it's - annoying to see them logged. 
    + annoying to see them logged.  +

    3/25/2001 - The current version of Shorewall is 1.1.0. In this version:

    -     - - - - - - - -
    bulletLog messages now indicate the packet disposition.
    bulletError messages have been improved.
    bulletThe ability to define zones consisting of an enumerated set of hosts - and/or subnetworks has been added.
    bulletThe zone-to-zone chain matrix is now sparse so that only those chains - that contain meaningful rules are defined.
    bullet240.0.0.0/4 and 169.254.0.0/16 have been added to the source +
      +
    • Log messages now indicate the packet disposition.
      • +
    • Error messages have been improved.
      • +
    • The ability to define zones consisting of an enumerated set of hosts + and/or subnetworks has been added.
      • +
    • The zone-to-zone chain matrix is now sparse so that only those chains + that contain meaningful rules are defined.
      • +
    • 240.0.0.0/4 and 169.254.0.0/16 have been added to the source subnetworks whose packets are dropped under the norfc1918 interface - option.
    bulletExits are now provided for executing an user-defined script when a + option. +
  • Exits are now provided for executing an user-defined script when a chain is defined, when the firewall is initialized, when the firewall is - started, when the firewall is stopped and when the firewall is cleared.
    • bulletThe Linux kernel's route filtering facility can now be specified - selectively on network interfaces.
    + started, when the firewall is stopped and when the firewall is cleared. +
  • The Linux kernel's route filtering facility can now be specified + selectively on network interfaces.
    • +

    3/19/2001 - The current version of Shorewall is 1.0.4. This version:

    -     - - - - -
    bulletAllows user-defined zones. Shorewall now has only one pre-defined +
      +
    • Allows user-defined zones. Shorewall now has only one pre-defined zone (fw) with the remaining zones being defined in the new configuration file /etc/shorewall/zones. The /etc/shorewall/zones file released in this - version provides behavior that is compatible with Shorewall 1.0.3. 
    bulletAdds the ability to specify logging in entries in the - /etc/shorewall/rules file.
    bulletCorrect handling of the icmp-def chain so that only ICMP packets are - sent through the chain.
    bulletCompresses the output of "shorewall monitor" if awk is + version provides behavior that is compatible with Shorewall 1.0.3.  +
  • Adds the ability to specify logging in entries in the + /etc/shorewall/rules file.
    • +
  • Correct handling of the icmp-def chain so that only ICMP packets are + sent through the chain.
    • +
  • Compresses the output of "shorewall monitor" if awk is installed. Allows the command to work if awk isn't installed (although - it's not pretty).
    • + it's not pretty). +

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix release with no new features.

    -     - - - -
    bulletThe PATH variable in the firewall script now includes /usr/local/bin - and /usr/local/sbin.
    bulletDMZ-related chains are now correctly deleted if the DMZ is deleted.
    bulletThe interface OPTIONS for "gw" interfaces are no longer - ignored.
    +
      +
    • The PATH variable in the firewall script now includes /usr/local/bin + and /usr/local/sbin.
      • +
    • DMZ-related chains are now correctly deleted if the DMZ is deleted.
      • +
    • The interface OPTIONS for "gw" interfaces are no longer + ignored.
      • +

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an additional "gw" (gateway) zone for tunnels and it supports IPSEC tunnels with end-points on the firewall. There is also a .lrp available now.

    -

    Updated 7/31/2002 - Tom +

    Updated 8/22/2002 - Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     \ No newline at end of file + \ No newline at end of file diff --git a/STABLE/documentation/PPTP.htm b/STABLE/documentation/PPTP.htm index 01cf8da3c..b8a61e6c4 100644 --- a/STABLE/documentation/PPTP.htm +++ b/STABLE/documentation/PPTP.htm @@ -6,27 +6,32 @@ Shorewall PPTP - - + -

    PPTP

    + + + + +
    +

    PPTP

    +

    Shorewall easily supports PPTP in a number of configurations:

    -     - - - - -
    bullet - PPTP Server running on your Firewall
    bullet +
    bullet + Firewall. +
  • PPTP Clients running behind your - Firewall.
    • bullet - PPTP Client running on your Firewall.
    -

    1. PPTP Server Running on your Firewall

    + Firewall. +
  • + PPTP Client running on your Firewall.
    • + +

    1. PPTP Server Running on your Firewall

    I will try to give you an idea of how to set up a PPTP server on your firewall system. This isn't a detailed HOWTO but rather an example of how I have set up a working PPTP server on my own firewall.

    @@ -39,56 +44,56 @@ how I have set up a working PPTP server on my own firewall.

  • Configuring pptpd
  • Configuring Shorewall
    • -

    Patching and Building pppd

    +

    Patching and Building pppd

    To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary site for releases of pppd is ftp://ftp.samba.org/pub/ppp.

    You will need the following patches:

    -     - - -
    bullet - http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz
    bullethttp://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz
    +

    You may also want the following patch if you want to require remote hosts to use encryption:

    -     - -
    bulletftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff
    +

    Un-tar the pppd source and uncompress the patches into one directory (the patches and the ppp-2.4.1 directory are all in a single parent directory):

    -     - - - - - - -
    bulletcd ppp-2.4.1
    bulletpatch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch
    bulletpatch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
    bullet(Optional) patch -p1 < ../require-mppe.diff
    bullet./configure
    bulletmake
    +
      +
    • cd ppp-2.4.1
      • +
    • patch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch
      • +
    • patch -p1 < ../ppp-2.4.1-MSCHAPv2-fix.patch
      • +
    • (Optional) patch -p1 < ../require-mppe.diff
      • +
    • ./configure
      • +
    • make
      • +

    You will need to install the resulting binary on your firewall system. To do that, I NFS mount my source filesystem and use "make install" from the ppp-2.4.1 directory.

    -

    Patching and Building your Kernel

    +

    Patching and Building your Kernel

    You will need one of the following patches depending on your kernel version:

    -     - - -
    bullet - http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz
    bullet - http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz
    +

    Uncompress the patch into the same directory where your top-level kernel source is located and:

    -     - - -
    bulletcd <your GNU/Linux source top-level directory>
    bulletpatch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch
    +
      +
    • cd <your GNU/Linux source top-level directory>
      • +
    • patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch
      • +

    Now configure your kernel. Here is my ppp configuration:

    -

    Configuring Samba

    +

    Configuring Samba

    You will need a WINS server (Samba configured to run as a WINS server is fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is:

    - 
    [global]
+  
    [global]
      workgroup = TDM-NSTOP
      netbios name = WOOKIE
      server string = GNU/Linux Box
@@ -113,9 +118,9 @@ fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) i
 [printers]
      comment = All Printers
      path = /var/spool/samba
-     printable = Yes
    
+     printable = Yes
    -

    Configuring pppd

    +

    Configuring pppd

    Here is a copy of my /etc/ppp/options.poptop file:

    ipparam PoPToP
    @@ -141,14 +146,14 @@ fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) i require-mppe-stateless

    Notes:

    -     - - - -
    bulletSince the firewall itself is acting as a WINS server, I have included the - firewall's internal IP as the 'ms-wins' value.
    bulletI have pointed the remote clients at my DNS server -- it has external - address 206.124.146.177.
    bulletI am requiring 128-bit stateless compression (my kernel is built with the - 'require-mppe.diff' patch mentioned above.
    +
      +
    • Since the firewall itself is acting as a WINS server, I have included the + firewall's internal IP as the 'ms-wins' value.
      • +
    • I have pointed the remote clients at my DNS server -- it has external + address 206.124.146.177.
      • +
    • I am requiring 128-bit stateless compression (my kernel is built with the + 'require-mppe.diff' patch mentioned above.
      • +

    Here's my /etc/ppp/chap-secrets:

    Secrets for authentication using CHAP
    @@ -164,11 +169,11 @@ or without a domain being specified. The system I connect from is my laptop so I give it the same IP address when tunneled in as it has when it is in its docking station.

    You will also want the following in /etc/modules.conf:

    -
         alias ppp-compress-18 ppp_mppe
+
         alias ppp-compress-18 ppp_mppe
      alias ppp-compress-21 bsd_comp
      alias ppp-compress-24 ppp_deflate
-     alias ppp-compress-26 ppp_deflate
    
-
    Configuring pptpd
    
+     alias ppp-compress-26 ppp_deflate
    +

    Configuring pptpd

    PoPTop (pptpd) is available from http://poptop.lineo.com/.

    Here is a copy of my /etc/pptpd.conf file:

    @@ -178,14 +183,14 @@ station.

    remoteip 192.168.1.33-38

    Notes:

    -     - - - -
    bulletI specify the /etc/ppp/options.poptop file as my ppp options file (I have - several).
    bulletThe local IP is the same as my internal interface's (192.168.1.254).
    bulletI have assigned a remote IP range that overlaps my local network. This, +
      +
    • I specify the /etc/ppp/options.poptop file as my ppp options file (I have + several).
      • +
    • The local IP is the same as my internal interface's (192.168.1.254).
      • +
    • I have assigned a remote IP range that overlaps my local network. This, together with 'proxyarp' in my /etc/ppp/options.poptop file make the remote - hosts look like they are part of the local subnetwork.
    + hosts look like they are part of the local subnetwork. +

    I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:

    #!/bin/sh
    @@ -225,249 +230,249 @@ station.

        ;;
    esac

    -

    Configuring Shorewall

    +

    Configuring Shorewall

    I consider hosts connected to my PPTP server to be just like local systems. My key Shorewall entries are:

    -

    /etc/shorewall/zones:

    +

    /etc/shorewall/zones:

    - +
    - - - + + + - - - + + + - - - + + + -
    ZONEDISPLAYCOMMENTSZONEDISPLAYCOMMENTS
    netInternetThe InternetnetInternetThe Internet
    locLocalMy Local Network including remote PPTP clientslocLocalMy Local Network including remote PPTP clients
    +
    -

    /etc/shorewall/interfaces:

    +

    /etc/shorewall/interfaces:

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + -
    ZONEINTERFACEBROADCASTOPTIONSZONEINTERFACEBROADCASTOPTIONS
    neteth0206.124.146.255noping,norfc1918neteth0206.124.146.255noping,norfc1918
    loceth2192.168.1.255 loceth2192.168.1.255 
    -ppp+  -ppp+  
    +
    -

    /etc/shorewall/hosts:

    +

    /etc/shorewall/hosts:

    - +
    - - - + + + - - - + + + - - - + + + -
    ZONEHOST(S)OPTIONSZONEHOST(S)OPTIONS
    loceth2:192.168.1.0/24routestoppedloceth2:192.168.1.0/24routestopped
    locppp+:192.168.1.0/24 locppp+:192.168.1.0/24 
    +
    -

    /etc/shorewall/policy:

    +

    /etc/shorewall/policy:

    - +
    - - - - + + + + - - - - + + + + -
    SOURCEDESTPOLICYLOG LEVELSOURCEDESTPOLICYLOG LEVEL
    loclocACCEPT loclocACCEPT 
    +
    -

    /etc/shorewall/rules:

    +

    /etc/shorewall/rules:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    ACCEPTnetfwtcp1723  ACCEPTnetfwtcp1723  
    ACCEPTnetfw47-  ACCEPTnetfw47-  
    ACCEPTfwnet47-  ACCEPTfwnet47-  
    +

    Note: I have multiple ppp interfaces on my firewall. If you have a single ppp interface, you probably want:

    -

    /etc/shorewall/interfaces:

    +

    /etc/shorewall/interfaces:

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + -
    ZONEINTERFACEBROADCASTOPTIONSZONEINTERFACEBROADCASTOPTIONS
    neteth0206.124.146.255noping,norfc1918neteth0206.124.146.255noping,norfc1918
    loceth2192.168.1.255 loceth2192.168.1.255 
    locppp0  locppp0  
    +

    and no entries in /etc/shorewall/hosts.

    -

    2. PPTP Server Running Behind your Firewall

    +

    2. PPTP Server Running Behind your Firewall

    If you have a single external IP address, add the following to your /etc/shorewall/rules file:

    -     +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    DNATnetloc:<server address>tcp1723  DNATnetloc:<server address>tcp1723  
    DNATnetloc:<server address>47-  DNATnetloc:<server address>47-  
    +

    If you have multiple external IP address and you want to forward a single <external -address>, add the following to your /etc/shorewall/rules file:

      +address>, add the following to your /etc/shorewall/rules file:

     

    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    DNATnetloc:<server address>tcp1723-<external address>DNATnetloc:<server address>tcp1723-<external address>
    DNATnetloc:<server address>47--<external address>DNATnetloc:<server address>47--<external address>
    -

    3. PPTP Clients Running Behind your Firewall

    + +

    3. PPTP Clients Running Behind your Firewall

    You shouldn't have to take any special action for this case unless you wish to connect multiple clients to the same external server. In that case, you will need to follow the instructions at http://www.impsec.org/linux/masquerade/ip_masq_vpn.html. @@ -477,7 +482,7 @@ file:

    loadmodule ip_conntrack_pptp
    loadmodule ip_nat_pptp

    -

    4. PPTP Client Running on your Firewall.

    +

    4. PPTP Client Running on your Firewall.

    The PPTP GNU/Linux client is available at http://sourceforge.net/projects/pptpclient/.    Rather than use the configuration script that comes with the client, I built my own. I also build my own kernel as described above @@ -492,90 +497,90 @@ below).

  • Define rules for traffic two and from the remote zone.

    • Here are examples from my setup:

    -

    /etc/shorewall/zones

    +

    /etc/shorewall/zones

    - +
    - - - + + + - - - + + + -
    ZONEDISPLAYCOMMENTSZONEDISPLAYCOMMENTS
    cpqCompaqCompaq IntranetcpqCompaqCompaq Intranet
    +
    -

    /etc/shorewall/interfaces

    +

    /etc/shorewall/interfaces

    - +
    - - - - + + + + - - - - + + + + -
    ZONEINTERFACEBROADCASTOPTIONSZONEINTERFACEBROADCASTOPTIONS
    -ppp+  -ppp+  
    +
    -

    /etc/shorewall/hosts

    +

    /etc/shorewall/hosts

    - +
    - - - + + + - - - + + + -
    ZONEHOST(S)OPTIONSZONEHOST(S)OPTIONS
    -ppp+:!192.168.1.0/24 -ppp+:!192.168.1.0/24 
    +
    -

    /etc/shorewall/rules

    +

    /etc/shorewall/rules

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    ACCEPTfwnettcp1723  ACCEPTfwnettcp1723  
    ACCEPTfwnet47-  ACCEPTfwnet47-  
    +

    I use the combination of interface and hosts file to define the 'cpq' zone because I also run a PPTP server on my firewall (see above). Using this @@ -706,7 +711,7 @@ traffic through the PPTP tunnel:     ;;
    esac

    Finally, I run the following script every five minutes under crond to - restart the tunnel if it fails:

         #!/bin/sh
+  restart the tunnel if it fails:
         #!/bin/sh
      restart_pptp() {
          /sbin/service pptp stop
          sleep 10
@@ -722,10 +727,10 @@ traffic through the PPTP tunnel:
      echo "Attempting to restart PPTP"
 
      restart_pptp > /dev/null 2>&1 &
-
    
+

    Here's a script and corresponding ip-up.local from Jerry Vonau that controls two PPTP connections.

    Last modified 7/11/2002 - Tom Eastep

    -Copyright © 2001, 2002 Thomas M. Eastep. \ No newline at end of file +Copyright © 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/STABLE/documentation/ProxyARP.htm b/STABLE/documentation/ProxyARP.htm index 0757c9c71..c42ae0a9d 100644 --- a/STABLE/documentation/ProxyARP.htm +++ b/STABLE/documentation/ProxyARP.htm @@ -5,46 +5,59 @@ Shorewall Proxy ARP - + - + -

    -

    Proxy ARP

    -

     

    + + + + +
    +

    Proxy ARP

    +

    Proxy ARP allows you to insert a firewall in front of a set of servers without changing their IP addresses and without having to re-subnet.

    The following figure represents a Proxy ARP environment.

    -

    + +
    +

    +

    +
    +

    Proxy ARP can be used to make the systems with addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) subnet.  Assuming that the upper firewall interface is eth0 and the lower interface is eth1, this is accomplished using the following entries in /etc/shorewall/proxyarp:

    -     + +
    +
    - - - - + + + + - - - - + + + + - - - - + + + + -
    ADDRESSINTERFACEEXTERNALHAVEROUTEADDRESSINTERFACEEXTERNALHAVEROUTE
    130.252.100.18eth1eth0no130.252.100.18eth1eth0no
    130.252.100.19eth1eth0no130.252.100.19eth1eth0no
    + +
    +

    Be sure that the internal systems (130.242.100.18 and 130.252.100.19  in the above example) are not included in any specification in /etc/shorewall/masq or /etc/shorewall/nat.

    @@ -53,13 +66,41 @@

    The lower systems (130.252.100.18 and 130.252.100.19) should have their subnet mask and default gateway configured exactly the same way that the Firewall system's eth0 is configured.

    - +
    +

    A word of warning is in order here. ISPs typically configure + their routers with a long ARP cache timeout. If you move a system from + parallel to your firewall to behind your firewall with Proxy ARP, it will + probably be HOURS before that system can communicate with the internet. You + can call your ISP and ask them to purge the stale ARP cache entry but many + either can't or won't purge individual entries. You can determine if your + ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we + suspect that the gateway router has a stale ARP cache entry for 130.252.100.19. + On the firewall, run tcpdump as follows:

    +
    + 
    	tcpdump -nei eth0 icmp
    +
    +
    +

    Now from 130.252.100.19, ping the ISP's gateway (which we will + assume is 130.252.100.254):

    +
    + 
    	ping 130.252.100.254
    +
    +
    +

    We can now observe the tcpdump output:

    +
    + 
    	13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
+	13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply
    +
    +
    +

    Notice that the source MAC address in the echo request is + different from the destination MAC address in the echo reply!! In this case + 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 + was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still + associates 130.252.100.19 with the NIC in that system rather than with the firewall's + eth0.

    -
    -
    - -

    Last updated 5/16/2002 - +

    Last updated 8/17/2002 - Tom Eastep

    Copyright2001, 2002 Thomas M. Eastep. \ No newline at end of file +© 2001, 2002 Thomas M. Eastep.     \ No newline at end of file diff --git a/STABLE/documentation/Shorewall_index_frame.htm b/STABLE/documentation/Shorewall_index_frame.htm index 61975d387..707727ca4 100644 --- a/STABLE/documentation/Shorewall_index_frame.htm +++ b/STABLE/documentation/Shorewall_index_frame.htm @@ -7,60 +7,97 @@ Shorewall Index - + -

     Shorewall

    -     - - - - - - - - - - - - - - - - - - - -
    bulletHome
    bulletShorewall 1.2 Home
    bulletFeatures
    bulletRequirements
    bulletDownload
    bulletQuickStart Guides
    bulletInstallation/Upgrade
    - /Configuration
    bulletDocumentation
    bulletReference Manual
    bulletFAQs
    bulletTroubleshooting
    bulletErrata
    bulletSupport
    bulletMailing Lists
    bulletMirrors - - - - -
    bulletSlovak Republic
    bulletTexas, USA
    bulletGermany
    bulletArgentina
    -
    bulletNews Archive
    bulletCVS Repository
    bulletQuotes from Users
    bulletAbout the Author
    + + + + + + + + +
    +

    Shorewall

    +
    + + +

    Quick Search
    - - + + +

    + +

    Extended Search Forms

    +

    Copyright2001, 2002 Thomas M. Eastep.

    +

    -

    +

    -

    Copyright2001, 2002 Thomas M. Eastep.

    - -
    + \ No newline at end of file diff --git a/STABLE/documentation/blacklisting_support.htm b/STABLE/documentation/blacklisting_support.htm index 46370f176..d6f57f189 100644 --- a/STABLE/documentation/blacklisting_support.htm +++ b/STABLE/documentation/blacklisting_support.htm @@ -6,50 +6,55 @@ Blacklisting Support - - + -

    Blacklisting Support

    + + + + +
    +

    Blacklisting Support

    +

    Shorewall supports two different forms of blacklisting; static and dynamic.

    -

    Static Blacklisting

    +

    Static Blacklisting

    Shorewall static blacklisting support has the following configuration parameters:

    -     - - - - - -
    bulletYou specify whether you want packets from blacklisted hosts dropped or +
      +
    • You specify whether you want packets from blacklisted hosts dropped or rejected using the BLACKLIST_DISPOSITION - setting in /etc/shorewall/shorewall.conf
    bulletYou specify whether you want packets from blacklisted hosts logged and at + setting in /etc/shorewall/shorewall.conf +
  • You specify whether you want packets from blacklisted hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL - setting in /etc/shorewall/shorewall.conf
    • bulletYou list the IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist
    bulletYou specify the interfaces whose incoming packets you want checked against + setting in /etc/shorewall/shorewall.conf +
  • You list the IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist
    • +
  • You specify the interfaces whose incoming packets you want checked against the blacklist using the "blacklist" - option in /etc/shorewall/interfaces.
    • bulletThe black list is refreshed from /etc/shorewall/blacklist by the "shorewall - refresh" command.
    -

    Dynamic Blacklisting

    + option in /etc/shorewall/interfaces. +
  • The black list is refreshed from /etc/shorewall/blacklist by the "shorewall + refresh" command.
    • + +

    Dynamic Blacklisting

    Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting doesn't use any configuration parameters but is rather controlled using /sbin/shorewall commands:

    -     - - - - - -
    bulletdeny <ip address list> - causes packets from the listed IP - addresses to be silently dropped by the firewall.
    bulletreject <ip address list> - causes packets from the listed IP - addresses to be rejected by the firewall.
    bulletallow <ip address list> - re-enables receipt of packets from hosts - previously blacklisted by a deny or reject command.
    bulletsave - save the dynamic blacklisting configuration so that it will be - automatically restored the next time that the firewall is restarted.
    bulletshow dynamic - displays the dynamic blacklisting configuration.
    +
      +
    • deny <ip address list> - causes packets from the listed IP + addresses to be silently dropped by the firewall.
      • +
    • reject <ip address list> - causes packets from the listed IP + addresses to be rejected by the firewall.
      • +
    • allow <ip address list> - re-enables receipt of packets from hosts + previously blacklisted by a deny or reject command.
      • +
    • save - save the dynamic blacklisting configuration so that it will be + automatically restored the next time that the firewall is restarted.
      • +
    • show dynamic - displays the dynamic blacklisting configuration.
      • +

    Example 1:

    -
         shorewall deny 192.0.2.124 192.0.2.125
    +
         shorewall deny 192.0.2.124 192.0.2.125

        Drops packets from hosts 192.0.2.124 and 192.0.2.125

    Example 2:

    -
         shorewall allow 192.0.2.125
    +
         shorewall allow 192.0.2.125

        Reenables access from 192.0.2.125.

    Last updated 6/16/2002 - Tom Eastep

    @@ -57,6 +62,6 @@ Eastep

    Copyright © 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/configuration_file_basics.htm b/STABLE/documentation/configuration_file_basics.htm index d103c1eb8..7071256c0 100644 --- a/STABLE/documentation/configuration_file_basics.htm +++ b/STABLE/documentation/configuration_file_basics.htm @@ -6,55 +6,60 @@ Configuration File Basics - - + -

    Configuration Files

    + + + + +
    +

    Configuration Files

    +

    Warning: If you copy or edit your configuration files on a system running Microsoft Windows, you must run them through dos2unix before you use them with Shorewall.

    -

    Files

    +

    Files

    Shorewall's configuration files are in the directory /etc/shorewall.

    -     - - - - - - - - - - - - - - - - -
    bullet/etc/shorewall/shorewall.conf - used to set several firewall - parameters.
    bullet/etc/shorewall/params - use this file to set shell variables that you will - expand in other files.
    bullet/etc/shorewall/zones - partition the firewall's view of the world - into zones.
    bullet/etc/shorewall/policy - establishes firewall high-level policy.
    bullet/etc/shorewall/interfaces - describes the interfaces on the - firewall system.
    bullet/etc/shorewall/hosts - allows defining zones in terms of individual - hosts and subnetworks.
    bullet/etc/shorewall/masq - directs the firewall where to use many-to-one +
      +
    • /etc/shorewall/shorewall.conf - used to set several firewall + parameters.
      • +
    • /etc/shorewall/params - use this file to set shell variables that you will + expand in other files.
      • +
    • /etc/shorewall/zones - partition the firewall's view of the world + into zones.
      • +
    • /etc/shorewall/policy - establishes firewall high-level policy.
      • +
    • /etc/shorewall/interfaces - describes the interfaces on the + firewall system.
      • +
    • /etc/shorewall/hosts - allows defining zones in terms of individual + hosts and subnetworks.
      • +
    • /etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) and Source - Network Address Translation (SNAT).
    bullet/etc/shorewall/modules - directs the firewall to load kernel modules.
    bullet/etc/shorewall/rules - defines rules that are exceptions to the - overall policies established in /etc/shorewall/policy.
    bullet/etc/shorewall/nat - defines static NAT rules.
    bullet/etc/shorewall/proxyarp - defines use of Proxy ARP.
    bullet/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts - accessible when Shorewall is stopped.
    bullet/etc/shorewall/tcrules - defines marking of packets for later use by - traffic control/shaping or policy routing.
    bullet/etc/shorewall/tos - defines rules for setting the TOS field in packet - headers.
    bullet/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on - the firewall system.
    bullet/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
    -

    Comments

    + Network Address Translation (SNAT). +
  • /etc/shorewall/modules - directs the firewall to load kernel modules.
    • +
  • /etc/shorewall/rules - defines rules that are exceptions to the + overall policies established in /etc/shorewall/policy.
    • +
  • /etc/shorewall/nat - defines static NAT rules.
    • +
  • /etc/shorewall/proxyarp - defines use of Proxy ARP.
    • +
  • /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts + accessible when Shorewall is stopped.
    • +
  • /etc/shorewall/tcrules - defines marking of packets for later use by + traffic control/shaping or policy routing.
    • +
  • /etc/shorewall/tos - defines rules for setting the TOS field in packet + headers.
    • +
  • /etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on + the firewall system.
    • +
  • /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
    • + +

    Comments

    You may place comments in configuration files by making the first non-whitespace @@ -65,8 +70,8 @@

    Examples:

    - 
    # This is a comment
    ACCEPT	net	fw	tcp	www	#This is an end-of-line comment
    -

    Line Continuation

    + 
    # This is a comment
    ACCEPT	net	fw	tcp	www	#This is an end-of-line comment
    +

    Line Continuation

    You may continue lines in the configuration files using the usual backslash ("\") followed @@ -76,41 +81,41 @@

    Example:

    - 
    ACCEPT	net	fw	tcp \
-smtp,www,pop3,imap  #Services running on the firewall
    -

    Complementing an Address or Subnet

    + 
    ACCEPT	net	fw	tcp \
+smtp,www,pop3,imap  #Services running on the firewall
    +

    Complementing an Address or Subnet

    Where specifying an IP address, a subnet or an interface, you can precede the item with "!" to specify the complement of the item. For example, !192.168.1.4 means "any host but 192.168.1.4".

    -

    Comma-separated Lists

    +

    Comma-separated Lists

    Comma-separated lists are allowed in a number of contexts within the configuration files. A comma separated list:

    -     - - - -
    bulletMust not have any embedded white space.
    +
      +
    • Must not have any embedded white space.
      Valid: routestopped,dhcp,norfc1918
      Invalid: routestopped,     dhcp,     - norfc1818
    bulletIf you use line continuation to break a comma-separated list, the + norfc1818 +
  • If you use line continuation to break a comma-separated list, the continuation line(s) must begin in column 1 (or there would be embedded - white space)
    • bulletEntries in a comma-separated list may appear in any order.
    + white space) +
  • Entries in a comma-separated list may appear in any order.
    • + -

    Port Numbers/Service Names

    +

    Port Numbers/Service Names

    Unless otherwise specified, when giving a port number you can use either an integer or a service name from /etc/services.

    -

    Port Ranges

    +

    Port Ranges

    If you need to specify a range of ports, the proper syntax is <low port number>:<high port number>.

    -

    Using Shell Variables

    +

    Using Shell Variables

    You may use the file /etc/shorewall/params file to set shell variables that you can then use in some of the other @@ -123,9 +128,9 @@ Shorewall programs

    Example:

    -

    NET_IF=eth0
    - NET_BCAST=130.252.100.255
    - NET_OPTIONS=noping,norfc1918

    + 
    NET_IF=eth0
+NET_BCAST=130.252.100.255
+NET_OPTIONS=noping,norfc1918


    @@ -134,7 +139,7 @@ Shorewall programs

    -

    net $NET_IF $NET_BCAST $NET_OPTIONS

    + 
    net $NET_IF $NET_BCAST $NET_OPTIONS
     @@ -144,7 +149,7 @@ Shorewall programs

    -

    net eth0 130.252.100.255 noping,norfc1918

    + 
    net eth0 130.252.100.255 noping,norfc1918
     @@ -152,7 +157,7 @@ Shorewall programs

    Variables may be used anywhere in the other configuration files.

    -

    Using MAC Addresses

    +

    Using MAC Addresses

    Media Access Control (MAC) addresses can be used to specify packet source in several of the @@ -184,7 +189,7 @@ Shorewall programs

    hyphens. In Shorewall, the MAC address in the example above would be written "~02-00-08-E3-FA-55".

    -

    Shorewall Configurations

    +

    Shorewall Configurations

    Shorewall allows you to have configuration directories other than /etc/shorewall. The shorewall start @@ -223,6 +228,6 @@ Eastep - + \ No newline at end of file diff --git a/STABLE/documentation/copyright.htm b/STABLE/documentation/copyright.htm index bb00660e8..b4af82bdd 100644 --- a/STABLE/documentation/copyright.htm +++ b/STABLE/documentation/copyright.htm @@ -6,12 +6,17 @@ Copyright - - + -

    Copyright

    + + + + +
    +

    Copyright

    +

    Copyright ©  2000, 2001 Thomas M Eastep
     

    @@ -24,6 +29,6 @@ Thomas M Eastep
     

    -     + \ No newline at end of file diff --git a/STABLE/documentation/dhcp.htm b/STABLE/documentation/dhcp.htm index 928262e97..c66b6fe65 100644 --- a/STABLE/documentation/dhcp.htm +++ b/STABLE/documentation/dhcp.htm @@ -6,50 +6,55 @@ DHCP - - + -

    DHCP

    -

    DHCP Server on your firewall

    -     - - -
    bullet + + + + +
    +

    DHCP

    +
    +

    DHCP Server on your firewall

    +
    bullet + file. +

  • When starting "dhcpd", you need to list those interfaces on the run line. On a RedHat system, this is done by modifying - /etc/sysconfig/dhcpd.

    • -

    A Firewall Interface gets its IP Address via DHCP

    -     - - - - -
    bullet + /etc/sysconfig/dhcpd. + +

    A Firewall Interface gets its IP Address via DHCP

    +
    bullet + file. +

  • If you know that the dynamic address is always going to be in the same subnet, you can specify the subnet address in the interface's entry in the /etc/shorewall/interfaces - file.

    • bullet + file. +

  • If you don't know the subnet address in advance, you should specify "detect" for the interface's subnet address in the /etc/shorewall/interfaces - file and start Shorewall after the interface has started.

    • bullet + file and start Shorewall after the interface has started. +

  • In the event that the subnet address might change while Shorewall is started, you need to arrange for a "shorewall refresh" command to be executed when a new dynamic IP address gets - assigned to the interface. Check your DHCP client's documentation.

    • + assigned to the interface. Check your DHCP client's documentation. +

    Last updated 1/26/2002 - Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/download.htm b/STABLE/documentation/download.htm index 72bffc4d3..73418d31b 100644 --- a/STABLE/documentation/download.htm +++ b/STABLE/documentation/download.htm @@ -6,12 +6,17 @@ Download - - + -

    Shorewall Download

    + + + + +
    +

    Shorewall Download

    +

    I strongly urge you to read and print a copy of the Shorewall QuickStart Guide @@ -19,8 +24,8 @@

    Once you've done that, download one of the modules:

    -     - - - - -
    bulletIf you run a RedHat, SuSE, Mandrake, Linux PPC or +
      +
    • If you run a RedHat, SuSE, Mandrake, Linux PPC or TurboLinux distribution with a 2.4 kernel, you can use the RPM version (note: the RPM should also work with other distributions that store @@ -29,29 +34,29 @@ If you find that it works in other cases, let Installation Instructions if you have problems - installing the RPM.
    bulletIf you are running LRP, download the .lrp file (you might also want to - download the .tgz so you will have a copy of the documentation).
    bulletIf you run Debian and would + installing the RPM. +
  • If you are running LRP, download the .lrp file (you might also want to + download the .tgz so you will have a copy of the documentation).
    • +
  • If you run Debian and would like a .deb package, Shorewall is in both the Debian Testing Branch and the Debian - Unstable Branch.
    • bulletOtherwise, download the shorewall module (.tgz)
    + Unstable Branch. +
  • Otherwise, download the shorewall module (.tgz)
    • +

    The documentation in HTML format is included in the .tgz and .rpm files and there is an documentation .deb that also contains the documentation.

    Please verify the version that you have downloaded -- during the release of a new version of Shorewall, the links below may point to a newer or an older version than is shown below.

    -     - - - -
    bulletRPM - "rpm -qip LATEST.rpm"
    bulletTARBALL - "tar -ztf LATEST.tgz" (the directory - name will contain the version)
    bulletLRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar - -zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
    +
      +
    • RPM - "rpm -qip LATEST.rpm"
      • +
    • TARBALL - "tar -ztf LATEST.tgz" (the directory + name will contain the version)
      • +
    • LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar + -zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
      • +

    Once you have verified the version, check the errata to see if there are updates that apply to the version that you have @@ -61,145 +66,145 @@ AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.

    -

    Download Latest Version (1.3.6): Remember that updates to the mirrors +

    Download Latest Version (1.3.7): Remember that updates to the mirrors occur 1-12 hours after an update to the primary site.

    - +
    - - - - + + + + - - - + + - + + .lrp - - - + + - + + .rpm - - - + + - + + .rpm - - - + + - + + .lrp - - - + + - + + Download .lrp -
    SERVER LOCATIONDOMAINHTTPFTPSERVER LOCATIONDOMAINHTTPFTP
    Washington State, USAShorewall.netDownload .rpm
    +     		Washington State, USAShorewall.netDownload .rpm
    Download .tgz 
    Download - .lrp    		 + .lrp Download .rpm 
    Download .tgz 
    Download - .lrp
    Slovak RepublicShorewall.netDownload .rpm
    +     		Slovak RepublicShorewall.netDownload .rpm
    Download .tgz 
    Download - .lrp    		 + .lrp Download .rpm  
    Download .tgz 
    Download - .rpm
    Texas, USAInfohiiway.comDownload .rpm
    +     		Texas, USAInfohiiway.comDownload .rpm
    Download .tgz 
    Download - .lrp    		 + .lrp Download .rpm  
    Download .tgz 
    Download - .rpm
    Hamburg, GermanyShorewall.net + Hamburg, GermanyShorewall.net Download .rpm
    Download .tgz
    Download - .lrp    		 + .lrp Download .rpm  
    Download .tgz 
    Download - .lrp
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar + Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.ar Download .rpm  
    Download .tgz 
    - Download .lrp    		 + Download .lrp Download .rpm  
    Download .tgz 
    - Download .lrp
    +

    Browse Download Sites:

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + Browse - - - - + + + + -
    SERVER LOCATIONDOMAINHTTPFTPSERVER LOCATIONDOMAINHTTPFTP
    Washington State, USAShorewall.netBrowseBrowseWashington State, USAShorewall.netBrowseBrowse
    Slovak RepublicShorewall.netBrowse - BrowseSlovak RepublicShorewall.netBrowse + Browse
    Texas, USAInfohiiway.comBrowseBrowseTexas, USAInfohiiway.comBrowseBrowse
    Hamburg, GermanyShorewall.netBrowseBrowseHamburg, GermanyShorewall.netBrowseBrowse
    Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.arBrowse + Martinez (Zona Norte - GBA), ArgentinaCorreofuego.com.arBrowse - Browse
    California, USA (Incomplete)Sourceforge.netBrowseN/ACalifornia, USA (Incomplete)Sourceforge.netBrowseN/A
    +

    CVS:

    @@ -211,12 +216,12 @@ Shorewall component. There's no guarantee that what you find there will work at all.

    -

    Last Updated 8/05/2002 - Tom +

    Last Updated 8/22/2002 - Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/errata.htm b/STABLE/documentation/errata.htm index 40eaa27dc..6adf735d5 100644 --- a/STABLE/documentation/errata.htm +++ b/STABLE/documentation/errata.htm @@ -10,15 +10,19 @@ - + - -

    Shorewall Errata

    + + + + + +
    +

    Shorewall Errata/Upgrade Issues

    +

    - - - IMPORTANT

    + IMPORTANT

    1. @@ -58,36 +62,111 @@ dos2unix
    -

    - -         

    - -     - - - - - - -
    bullet +
    bullet + Problems in Version 1.1 +
  • - Problems in Version 1.2
    • bullet + Problems in Version 1.2 +
  • - Problems in Version 1.3
    • bullet + Problems in Version 1.3 +
  • - Problem with iptables version 1.2.3
    • bullet + Problem with iptables version 1.2.3 on RH7.2 +
  • - Problems with kernel 2.4.18 and - RedHat iptables
    • bulletProblems installing/upgrading RPM on SuSE SMP
    -

    + Problems with kernels >= 2.4.18 and + RedHat iptables +
  • Problems installing/upgrading RPM on SuSE
    • +
  • Problems with iptables version 1.2.7 and + MULTIPORT=Yes
    • + +
    -

    Problems in Version 1.3

    +

    Upgrade Issues

    -

    Versions >= 1.3.5

    +

    Version >= 1.3.7

    + +

    Users specifying ALLOWRELATED=No in + /etc/shorewall.conf will need to include the + following rules in their /etc/shorewall/icmpdef + file (creating this file if necessary):

    + + 
    	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
    +

    Users having an /etc/shorewall/icmpdef file may remove the ". + /etc/shorewall/icmp.def" command from that file since the icmp.def file is now + empty.

    +

    Upgrading Bering to + Shorewall >= 1.3.3

    + +

    To properly upgrade with Shorewall version + 1.3.3 and later:

    + +
      +
    1. Be sure you have a backup -- you will need + to transcribe any Shorewall configuration + changes that you have made to the new + configuration.
      2. +
    2. Replace the shorwall.lrp package provided on + the Bering floppy with the later one. If you did + not obtain the later version from Jacques's + site, see additional instructions below.
      3. +
    3. Edit the /var/lib/lrpkg/root.exclude.list + file and remove the /var/lib/shorewall entry if + present. Then do not forget to backup root.lrp !
      4. +
    +

    The .lrp that I release isn't set up for a two-interface firewall like + Jacques's. You need to follow the instructions for + setting up a two-interface firewall plus you also need to add the following + two Bering-specific rules to /etc/shorewall/rules:

    +
    + 
    # Bering specific rules:
+# allow loc to fw udp/53 for dnscache to work
+# allow loc to fw tcp/80 for weblet to work
+#
+ACCEPT loc fw udp 53
+ACCEPT loc fw tcp 80
    +
    + +

    Version >= 1.3.6

    + +

    If you have a pair of firewall systems configured for + failover, you will need to modify your firewall setup slightly under + Shorewall versions >= 1.3.6.

    + +
      +
    1. + +

      Create the file /etc/shorewall/newnotsyn and in it add + the following rule
      +
      + run_iptables -A newnotsyn -j RETURN # So that the + connection tracking table can be rebuilt
      +                                    + # from non-SYN packets after takeover.

      2. +
    2. + +

      Create /etc/shorewall/common (if you don't already + have that file) and include the following:
      +
      + run_iptables -A common -p tcp --tcp-flags + ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
      +                                                                    + #tracking table.
      + . /etc/shorewall/common.def

      3. +
    + +

    Versions >= 1.3.5

    Some forms of pre-1.3.0 rules file syntax are no longer supported.

    @@ -95,26 +174,60 @@ dos2unix

    Example 1:

    - 
    	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all
    + 
    	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all

    Must be replaced with:

    - 
    	DNAT	net	loc:192.168.1.12:22	tcp	11111
    + 
    	DNAT	net	loc:192.168.1.12:22	tcp	11111

    Example 2:

    - 
    	ACCEPT	loc	fw::3128	tcp	80	-	all
    + 
    	ACCEPT	loc	fw::3128	tcp	80	-	all

    Must be replaced with:

    - 
    	REDIRECT	loc	3128	tcp	80
    + 
    	REDIRECT	loc	3128	tcp	80
    -

    Version 1.3.5-1.3.5b

    +

    Problems in Version 1.3

    + +

    Version 1.3.6

    + +
      +
    • + +

      If ADD_SNAT_ALIASES=Yes is specified in + /etc/shorewall/shorewall.conf, an error occurs when the firewall + script attempts to add an SNAT alias.

      • +
    • + +

      The logunclean and dropunclean options + cause errors during startup when Shorewall is run with iptables 1.2.7.

      • +
    + +

    These problems are fixed in + + this correct firewall script which must be installed in + /var/lib/shorewall/ as described above. These problems are also + corrected in version 1.3.7.

    + +

    Two-interface Samples 1.3.6 (file two-interfaces.tgz)

    + +

    A line was inadvertently deleted from the "interfaces + file" -- this line should be added back in if the version that you + downloaded is missing it:

    + +

    net    eth0    detect    + routefilter,dhcp,norfc1918

    + +

    If you downloaded two-interfaces-a.tgz then the above + line should already be in the file.

    + +

    Version 1.3.5-1.3.5b

    The new 'proxyarp' interface option doesn't work :-( This is fixed in @@ -122,13 +235,13 @@ dos2unix this corrected firewall script which must be installed in /var/lib/shorewall/ as described above.

    -

    Versions 1.3.4-1.3.5a

    +

    Versions 1.3.4-1.3.5a

    Prior to version 1.3.4, host file entries such as the following were allowed:

    - 
    	adm	eth0:1.2.4.5,eth0:5.6.7.8
    + 
    	adm	eth0:1.2.4.5,eth0:5.6.7.8

    That capability was lost in version 1.3.4 so that it is only @@ -141,14 +254,14 @@ dos2unix

    This problem is corrected in version 1.3.5b.

    -

    Version 1.3.5

    +

    Version 1.3.5

    REDIRECT rules are broken in this version. Install this corrected firewall script in /var/lib/pub/shorewall/firewall as instructed above. This problem is corrected in version 1.3.5a.

    -

    Version 1.3.n, n < 4

    +

    Version 1.3.n, n < 4

    The "shorewall start" and "shorewall restart" commands to not verify that the zones named in the /etc/shorewall/policy file @@ -157,7 +270,7 @@ dos2unix good idea to run that command after you have made configuration changes.

    -

    Version 1.3.n, n < 3

    +

    Version 1.3.n, n < 3

    If you have upgraded from Shorewall 1.2 and after "Activating rules..." you see the message: "iptables: No @@ -167,82 +280,82 @@ dos2unix must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and later versions produce a clearer error message in this case.

    -

    Version 1.3.2

    +

    Version 1.3.2

    Until approximately 2130 GMT on 17 June 2002, the download sites contained an incorrect version of the .lrp file. That file can be identified by its size (56284 bytes). The correct version has a size of 38126 bytes.

    -     - - -
    bulletThe code to detect a duplicate interface entry in +
      +
    • The code to detect a duplicate interface entry in /etc/shorewall/interfaces contained a typo that prevented it from - working correctly.
    bullet"NAT_BEFORE_RULES=No" was broken; it behaved just like "NAT_BEFORE_RULES=Yes".
    + working correctly. +
  • "NAT_BEFORE_RULES=No" was broken; it behaved just like "NAT_BEFORE_RULES=Yes".
    • +

    Both problems are corrected in this script which should be installed in /var/lib/shorewall as described above.

    -     - -
    bullet +
      +

    • The IANA have just announced the allocation of subnet 221.0.0.0/8. This updated rfc1918 file reflects that allocation.

      -
    + + -

    Version 1.3.1

    +

    Version 1.3.1

    -     - - - - -
    bulletTCP SYN packets may be double counted when +
      +
    • TCP SYN packets may be double counted when LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each - packet is sent through the limit chain twice).
    bulletAn unnecessary jump to the policy chain is sometimes - generated for a CONTINUE policy.
    bulletWhen an option is given for more than one interface in + packet is sent through the limit chain twice). +
  • An unnecessary jump to the policy chain is sometimes + generated for a CONTINUE policy.
    • +
  • When an option is given for more than one interface in /etc/shorewall/interfaces then depending on the option, Shorewall may ignore all but the first appearence of the option. For example:

    net    eth0    dhcp
    loc    eth1    dhcp

    - Shorewall will ignore the 'dhcp' on eth1.
    • bulletUpdate 17 June 2002 - The bug described in the prior bullet + Shorewall will ignore the 'dhcp' on eth1. +
  • Update 17 June 2002 - The bug described in the prior bullet affects the following options: dhcp, dropunclean, logunclean, norfc1918, routefilter, multi, filterping and noping. An additional bug has been found that affects only the 'routestopped' option.

    Users who downloaded the corrected script prior to 1850 GMT today should download and install the corrected script again to ensure - that this second problem is corrected.
    • + that this second problem is corrected. +

    These problems are corrected in this firewall script which should be installed in /etc/shorewall/firewall as described above.

    -

    Version 1.3.0

    +

    Version 1.3.0

    -     - - -
    bulletFolks who downloaded 1.3.0 from the links on the download page +
      +
    • Folks who downloaded 1.3.0 from the links on the download page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than 1.3.0. The "shorewall version" command will tell you which version - that you have installed.
    bulletThe documentation NAT.htm file uses non-existent + that you have installed. +
  • The documentation NAT.htm file uses non-existent wallpaper and bullet graphic files. The - corrected version is here.
    • -

    + corrected version is here. + +
    -

    - Problem with iptables version 1.2.3

    +

    + Problem with iptables version 1.2.3

    @@ -257,9 +370,9 @@ RedHat released this buggy iptables in RedHat 7.2. 

    you are currently running RedHat 7.1, you can install either of these RPMs before you upgrade to RedHat 7.2.

    -

    Update +

    Update 11/9/2001: RedHat has - released an iptables-1.2.4 RPM of their own which you can download from + released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. I have installed this RPM on my firewall and it works fine.

    @@ -272,20 +385,20 @@ you are currently running RedHat 7.1, you can install either of these RPMs corrects a problem in handling the  TOS target.

    To install one of the above patches:

    -     - - -
    bulletcd iptables-1.2.3/extensions
    bulletpatch -p0 < the-patch-file
    +
      +
    • cd iptables-1.2.3/extensions
      • +
    • patch -p0 < the-patch-file
      • +
    -

    Problems with kernel 2.4.18 - and RedHat iptables

    +

    Problems with kernels >= 2.4.18 + and RedHat iptables

    -

    Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may +

    Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may experience the following:

    - 
    # shorewall start
+     
    # shorewall start
 Processing /etc/shorewall/shorewall.conf ...
 Processing /etc/shorewall/params ...
 Starting Shorewall...
@@ -303,7 +416,7 @@ Aborted (core dumped)
 iptables: libiptc/libip4tc.c:380: do_check: Assertion
 `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
 Aborted (core dumped)
-
    
+

    The RedHat iptables RPM is compiled with debugging enabled but the user-space debugging code was not updated to reflect recent changes in the @@ -314,8 +427,8 @@ Aborted (core dumped) "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

    -

    Problems - installing/upgrading RPM on SuSE SMP

    +

    Problems + installing/upgrading RPM on SuSE

    If you find that rpm complains about a conflict with kernel <= 2.2 yet you have a 2.4 kernel @@ -326,13 +439,29 @@ Aborted (core dumped)

    Upgrading: rpm -Uvh <shorewall rpm>

    -

    - Last updated 8/4/2002 - - Tom Eastep -

    +

    Problems with + iptables version 1.2.7 and MULTIPORT=Yes

    + +

    The iptables 1.2.7 release of iptables has made + an incompatible change to the syntax used to + specify multiport match rules; as a consequence, + if you install iptables 1.2.7 you must

    + +
      +
    • set MULTIPORT=No in + /etc/shorewall/shorewall.conf; or
      • +
    • if you are running Shorewall 1.3.6 you may + install + + this firewall script in /var/lib/shorewall/firewall + as described above.
      • +
    +

    + Last updated 8/22/2002 - + Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/errata_1.htm b/STABLE/documentation/errata_1.htm index 374972241..b64dc819a 100644 --- a/STABLE/documentation/errata_1.htm +++ b/STABLE/documentation/errata_1.htm @@ -6,15 +6,20 @@ Shorewall Errata for Version 1 - - + -

    Shorewall Errata for Version 1.1

    + + + + +
    +

    Shorewall Errata for Version 1.1

    +
    -

    To those of you who downloaded the 1.1.13 updated firewall script prior -to Sept 20, 2001:

    +

    To those of you who downloaded the 1.1.13 updated firewall script prior +to Sept 20, 2001:

    @@ -24,7 +29,7 @@ of the firewall script. This has now been corrected. I apologize for any confusi this may have caused.

    -

    Version 1.1.18

    +

    Version 1.1.18

    @@ -34,8 +39,8 @@ this may have caused.

    -

    - Version 1.1.17

    +

    + Version 1.1.17

    @@ -47,8 +52,8 @@ this may have caused.

    problem is also corrected in version 1.1.18.

    -

    - Version 1.1.16

    +

    + Version 1.1.16

    @@ -61,16 +66,16 @@ in the firewall script. To correct this problem, install the - Version 1.1.14-1.1.15 +

    + Version 1.1.14-1.1.15

    There are no corrections for these versions.

    -

    - Version 1.1.13

    +

    + Version 1.1.13

    @@ -85,8 +90,8 @@ in the firewall script. To correct this problem, install the - Version 1.1.12 +

    + Version 1.1.12

    @@ -103,16 +108,16 @@ file. This incorrect file results in many error messages of the form:

    . This problem is also corrected in version 1.1.13.

    -

    - Version 1.1.11

    +

    + Version 1.1.11

    There are no known problems with this version.

    -

    - Version 1.1.10

    +

    + Version 1.1.10

    @@ -148,24 +153,24 @@ Install the script into the location pointed to by the symbolic link This problem has also been corrected in version 1.1.11.

    -

    - Version 1.1.9

    +

    + Version 1.1.9

    -     - -
    bulletThe shorewall "hits" command lists extraneous service names in the final +
    + + -

    Version 1.1.8

    +

    Version 1.1.8

    -     - -
    bulletUnder some circumstances, the "dhcp" option on an interface triggers +
      +
    • Under some circumstances, the "dhcp" option on an interface triggers a bug in the firewall script that results in a "chain already exists" error. This version of the firewall script @@ -175,22 +180,22 @@ the symbolic link /etc/shorewall/firewall.
      This problem is also corrected in version 1.1.9.
      -
    + + -

    Version 1.1.7

    +

    Version 1.1.7

    -     - -
    bulletIf the /etc/shorewall/rules template from version 1.1.7 is used, a warning +
      +
    • If the /etc/shorewall/rules template from version 1.1.7 is used, a warning message appears during firewall startup:

          Warning: Invalid Target - rule "@ icmp-unreachable packet." ignored

      This warning may be eliminated by replacing the "@" in column 1 of - line 17 with "#"
    + line 17 with "#" +

    @@ -205,6 +210,6 @@ ignored

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/errata_2.htm b/STABLE/documentation/errata_2.htm new file mode 100644 index 000000000..29250ef7d --- /dev/null +++ b/STABLE/documentation/errata_2.htm @@ -0,0 +1,439 @@ + + + + + + Shorewall 1.2 Errata + + + + + + + + + + + + +
    +

    Shorewall 1.2 Errata

    +
    + +

    + + + IMPORTANT

    + +

    + + If you use a Windows system to download a corrected script, be sure to +run the script through +dos2unix + after you have moved it to your Linux system.

    + +

    + + When the instructions say to install a corrected firewall script in + /etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the + existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall + before you do that. /etc/shorewall/firewall is a symbolic link that points + to the 'shorewall' file used by your system initialization scripts to + start Shorewall during boot and it is that file that must be overwritten + with the corrected script.

    + + +
    + +

    Problems in Version 1.2

    + +

    Version 1.2.13

    + +
      +
    • + +

      Some users have reported problems installing the RPM + on SuSE 7.3 where rpm reports a conflict with kernel <= 2.2 even + though a 2.4 kernel RPM is installed. To get around this problem, use + the --nodeps option to rpm (e.g., "rpm -ivh --nodeps + shorewall-1.2-13.noarch.rpm").
      +
      + The problem stems from the fact that SuSE does not + include a package named "kernel" but rather has a number of packages + that provide the virtual package "kernel". Since virtual packages have + no version associated with them, a conflict results. Since the + workaround is simple, I don't intend to change the Shorewall package.

      + +
      • +
    • + +

      Shorewall accepts invalid rules of the form:
      +
      + ACCEPT <src> <dest>:<ip addr> all <port number> - + <original ip address>
      +
      +       The <port number> is ignored with the result that all + connection requests from the <src> zone whose original destination IP + address matches the last column are forwarded to the <dest> zone, IP + address <ip addr>.  + + This corrected firewall script correctly generates an error when + such a rule is encountered.

      + +
      • +
    + +

    Version 1.2.11

    + +
      +
    • + +

      The 'try' command is broken.

      • +
    • + +

      The usage text printed by the shorewall utility + doesn't show the optional timeout for the 'try' command.

      • +
    + +

    Both problems are corrected by + + this new version of /sbin/shorewall.

    + +

    Sample Configurations:

    + +
      +
    • + +

      There have been several problems with SSH, DNS and + ping in the two- and three-interface examples. Before reporting + problems with these services, please verify that you have the latest + version of the appropriate sample 'rules' file.

      • +
    + +

    All Versions through 1.2.10

    + + +
    +
    + + + + + + + + + + + + + + + + +
    ZONEHOST(S)OPTIONS
    loceth2:192.168.1.0/24routestopped
    locppp+:192.168.1.0/24 
    +
    +
    + +

    All Versions through 1.2.8

    + +
      +
    • + +

      The shorewall.conf file and the documentation + incorrectly refer to a parameter in /etc/shorewall/shorewall.conf + called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (see + the corrected online documentation). Users of the rpm should + change the name (and possibly the value) of this parameter so that + Shorewall interacts properly with the SysV init scripts. The + documentation on this web site has been corrected and + + here's a corrected version of shorewall.conf.

      + +
      • +
    • + +

      The documentation indicates that a comma-separated + list of IP/subnet addresses may appear in an entry in the hosts file. + This is not the case; if you want to specify multiple addresses for a + zone, you need to have a separate entry for each address.

      + +
      • +
    + +

    Version 1.2.7

    + +

    Version 1.2.7 is quite broken -- please install 1.2.8

    + +

    If you have installed and started version 1.2.7 then before trying + to restart under 1.2.8:

    +
      +
    1. Look at your /etc/shorewall/shorewall.conf file and note the directory + named in the STATEDIR variable. If that variable is empty, assume + /var/state/shorewall.
      2. +
    2. Remove the file 'lock' in the directory determined in step 1.
      3. +
    +

    You may now restart using 1.2.8.

    + +

    Version 1.2.6

    + +
      +
    • + +

      GRE and IPIP tunnels are broken.

      • +
    • + +

      The following rule results in a start error:
      +
      +    ACCEPT    z1    z2    + icmp

      • +
    + +

    To correct the above problems, install + this + corrected firewall script in  /etc/shorewall/firewall..

    Version 1.2.5

    + +
      +
    • + +

      The new ADDRESS column in /etc/shorewall/masq cannot + contain a $-variable name.

      • +
    • + +

      Errors result if $FW appears in the + /etc/shorewall/policy file.

      • +
    • + +

      Using Blacklisting without setting BLACKLIST_LOGLEVEL + results in an error at start time.

      • +
    + +

    To correct the above problems, install + this + corrected firewall script in /etc/shorewall/firewall.

     

    + +

    Version 1.2.4

    + +
      +

    • This version will not install "out of the box" without + modification. Before attempting to start the + firewall, please change the STATEDIR in /etc/shorewall/shorewall.conf to + refer to /var/lib/shorewall. This only applies to fresh installations -- if + you are upgrading from a previous version of Shorewall, version 1.2.4 will + work without modification.

      • +
    + +

    Version 1.2.3

    + + +
    + +

    Alternatively, edit /etc/shorewall/firewall and change line 1564 from:

    + +
    + 
              run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \
    +
    + +

    to

    + +
    + 
              run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \
    + +

    Version 1.2.2

    + +
      +
    • The "shorewall status" command hangs after + it displays the chain information. Here's + a corrected /sbin/shorewall. if  you want to simply modify your copy of + /sbin/shorewall, then at line 445 change this:
      • +
    + +
    + + 
           status)
+           clear
    + +
    +
    + +

    to this:

    + +
    +
    + + 
           status)
+           get_config
+           clear
    + +
    +
      +
    • The "shorewall monitor" command + doesn't show the icmpdef chain - this + corrected /sbin/shorewall fixes that problem as well as the status + problem described above.
      • +
    +
      +
    • In all 1.2.x versions, the 'CLIENT PORT(S)' + column in /etc/shorewall/tcrules is ignored. This is corrected in this + updated firewall script.  Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for + spotting this bug.
      • +
    + +

    Version 1.2.1

    + +
      +
    • The new logunclean interface option is not + described in the help text in /etc/shorewall/interfaces. An updated + interfaces file is available.
      • +
    • When REJECT is specified in a TCP rule, Shorewall + correctly replies with a TCP RST packet. Previous versions of the + firewall script are broken in the case of a REJECT policy, however; in + REJECT policy chains, all requests are currently replied to with an + ICMP port-unreachable packet. This + corrected firewall script replies to TCP requests with TCP RST in + REJECT policy chains. Place the script in /etc/shorewall/firewall.
      • +
    + +

    Version 1.2.0

    + +
    + +

    Note: If you are upgrading from one of the Beta + RPMs to 1.2.0, you must use the "--oldpackage" option to rpm + (e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).

    + +

    The tunnel script released in version 1.2.0 contained + errors -- a corrected + script is available.

    + +
    + +
    + +

    + Problem with iptables version 1.2.3

    + +
    + +

    There are a couple of serious bugs in iptables 1.2.3 that + prevent it from working with Shorewall. Regrettably, +RedHat released this buggy iptables in RedHat 7.2. 

    + +

    I have built a + corrected 1.2.3 rpm which you can download here  and I have also built + an + iptables-1.2.4 rpm which you can download here. If +you are currently running RedHat 7.1, you can install either of these RPMs + before you upgrade to RedHat 7.2.

    + +

    Update + 11/9/2001: RedHat has + released an iptables-1.2.4 RPM of their own which you can download from + http://www.redhat.com/support/errata/RHSA-2001-144.html. + I have installed this RPM + on my firewall and it works fine.

    + +

    If you + would like to patch iptables 1.2.3 yourself, the patches are available + for download. This patch + which corrects a problem with parsing of the --log-level specification while + this patch + corrects a problem in handling the  TOS target.

    + +

    To install one of the above patches:

    +
      +
    • cd iptables-1.2.3/extensions
      • +
    • patch -p0 < the-patch-file
      • +
    + +
    + +

    Problems with kernel 2.4.18 + and RedHat iptables

    +
    +

    Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may + experience the following:

    +
    + 
    # shorewall start
+Processing /etc/shorewall/shorewall.conf ...
+Processing /etc/shorewall/params ...
+Starting Shorewall...
+Loading Modules...
+Initializing...
+Determining Zones...
+Zones: net
+Validating interfaces file...
+Validating hosts file...
+Determining Hosts in Zones...
+Net Zone: eth0:0.0.0.0/0
+iptables: libiptc/libip4tc.c:380: do_check: Assertion
+`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
+Aborted (core dumped)
+iptables: libiptc/libip4tc.c:380: do_check: Assertion
+`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
+Aborted (core dumped)
+
    +
    +

    The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in the + Netfilter 'mangle' table. You can correct the problem by installing + + this iptables RPM. If you are already running a 1.2.5 version of + iptables, you will need to specify the --oldpackage option to rpm (e.g., + "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

    +
    + +

    + Last updated 5/24/2002 - + Tom Eastep +

    + +

    Copyright + © 2001, 2002 Thomas M. Eastep.

    + + + \ No newline at end of file diff --git a/STABLE/documentation/fallback.htm b/STABLE/documentation/fallback.htm index 6244a2a5e..b3219c5e1 100644 --- a/STABLE/documentation/fallback.htm +++ b/STABLE/documentation/fallback.htm @@ -5,40 +5,47 @@ Shorewall Fallback and Uninstall - - + -

    Fallback and Uninstall

    + + + + +
    + +

    Fallback and Uninstall

    + +

    Shorewall includes a fallback script and an uninstall script.

    -

    Falling Back to the Previous Version of Shorewall -using the Fallback Script

    +

    Falling Back to the Previous Version of Shorewall +using the Fallback Script

    If you install Shorewall and discover that it doesn't work for you, you can fall back to your previously installed version. To do that:

    -     - - -
    bulletcd to the distribution directory for the version +
      +
    • cd to the distribution directory for the version of Seattle Firewall that you are currently running (NOT the version - that you want to fall back to).
    bulletType "./fallback.sh"
    + that you want to fall back to). +
  • Type "./fallback.sh"
    • + -

    Warning: The fallback script +

    Warning: The fallback script will replace /etc/shorewall/policy, /etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat, /etc/shorewall/proxyarp and /etc/shorewall/masq with the version of these files from before the current version was installed. Any -changes to any of these files will be lost.

    +changes to any of these files will be lost.

    -

    Falling Back to the Previous Version of Shorewall using -rpm

    +

    Falling Back to the Previous Version of Shorewall using +rpm

    If your previous version of Shorewall was installed using RPM, you may fall back to that version by typing @@ -46,16 +53,16 @@ installed using RPM, you may fall back to that version by typing prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm" would fall back to the 3.1-0 version of Shorewall).

    -

    Uninstalling Shorewall

    +

    Uninstalling Shorewall

    If you no longer wish to use Shorewall, you may remove it by:

    -     - - -
    bulletcd to the distribution directory for the version - of Shorewall that you have installed.
    bullettype "./uninstall.sh"
    +
      +
    • cd to the distribution directory for the version + of Shorewall that you have installed.
      • +
    • type "./uninstall.sh"
      • +

    If you installed using an rpm, at a root shell prompt type "rpm -e shorewall".

    @@ -64,4 +71,4 @@ type "rpm -e shorewall".

    Tom Eastep

    Copyright2001, 2002 Thomas M. Eastep.     \ No newline at end of file +© 2001, 2002 Thomas M. Eastep.     \ No newline at end of file diff --git a/STABLE/documentation/gnu_mailman.htm b/STABLE/documentation/gnu_mailman.htm index a6ac24881..702ff74be 100644 --- a/STABLE/documentation/gnu_mailman.htm +++ b/STABLE/documentation/gnu_mailman.htm @@ -6,15 +6,22 @@ GNU Mailman - - + -

    GNU Mailman/Postfix
    -the Easy Way

    -

    The following was posted on the Postfix mailing list on 5/4/2002 by Michael -Tokarev as a suggested addition to the Postfix FAQ.

    + + + + +
    +

    GNU Mailman/Postfix +the Easy Way

    +
    + +

     

    +

    The following was posted on the Postfix mailing list on 5/4/2002 by Michael +Tokarev as a suggested addition to the Postfix FAQ.

    Q: Mailman does not work with Postfix, complaining about GID mismatch

    A: Mailman uses a setgid wrapper that is designed to be used in system-wide @@ -43,13 +50,13 @@ mailinglist: /var/mailman/scripts/post mailinglist
    mailinglist-admin: /var/mailman/scripts/mailowner mailinglist
    mailinglist-request: /var/mailman/scripts/mailcmd mailinglist
    ...

    -

    The Shorewall mailing lists are currently running Postfix 1.1.7 together -with the stock RedHat Mailman-2.0.8 RPM configured as shown above.

    +

    The Shorewall mailing lists are currently running Postfix 1.1.7 together +with the stock RedHat Mailman-2.0.8 RPM configured as shown above.

    Last updated 5/4/2002 - Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/images/DMZ.jpg b/STABLE/documentation/images/DMZ.jpg deleted file mode 100644 index 5dad01fd0..000000000 Binary files a/STABLE/documentation/images/DMZ.jpg and /dev/null differ diff --git a/STABLE/documentation/images/DMZ2.jpg b/STABLE/documentation/images/DMZ2.jpg deleted file mode 100644 index 7e5917f28..000000000 Binary files a/STABLE/documentation/images/DMZ2.jpg and /dev/null differ diff --git a/STABLE/documentation/images/DMZ3.jpg b/STABLE/documentation/images/DMZ3.jpg deleted file mode 100644 index 05c7bbf15..000000000 Binary files a/STABLE/documentation/images/DMZ3.jpg and /dev/null differ diff --git a/STABLE/documentation/images/DMZ4.JPG b/STABLE/documentation/images/DMZ4.JPG deleted file mode 100644 index 7054b0566..000000000 Binary files a/STABLE/documentation/images/DMZ4.JPG and /dev/null differ diff --git a/STABLE/documentation/images/DMZ5.JPG b/STABLE/documentation/images/DMZ5.JPG deleted file mode 100644 index 384247221..000000000 Binary files a/STABLE/documentation/images/DMZ5.JPG and /dev/null differ diff --git a/STABLE/documentation/images/DMZ6.JPG b/STABLE/documentation/images/DMZ6.JPG deleted file mode 100644 index 8894a5e7a..000000000 Binary files a/STABLE/documentation/images/DMZ6.JPG and /dev/null differ diff --git a/STABLE/documentation/images/Mobile.png b/STABLE/documentation/images/Mobile.png new file mode 100644 index 000000000..5456c7bcf Binary files /dev/null and b/STABLE/documentation/images/Mobile.png differ diff --git a/STABLE/documentation/images/TwoNets1.jpg b/STABLE/documentation/images/TwoNets1.jpg index f7962f377..3c10145da 100644 Binary files a/STABLE/documentation/images/TwoNets1.jpg and b/STABLE/documentation/images/TwoNets1.jpg differ diff --git a/STABLE/documentation/images/TwoNets1.png b/STABLE/documentation/images/TwoNets1.png new file mode 100644 index 000000000..c425132ea Binary files /dev/null and b/STABLE/documentation/images/TwoNets1.png differ diff --git a/STABLE/documentation/images/basics.jpg b/STABLE/documentation/images/basics.jpg deleted file mode 100644 index b04001249..000000000 Binary files a/STABLE/documentation/images/basics.jpg and /dev/null differ diff --git a/STABLE/documentation/images/basics.png b/STABLE/documentation/images/basics.png new file mode 100644 index 000000000..b2de10dba Binary files /dev/null and b/STABLE/documentation/images/basics.png differ diff --git a/STABLE/documentation/images/basics1.jpg b/STABLE/documentation/images/basics1.jpg deleted file mode 100644 index 1883f93ae..000000000 Binary files a/STABLE/documentation/images/basics1.jpg and /dev/null differ diff --git a/STABLE/documentation/images/basics1.png b/STABLE/documentation/images/basics1.png new file mode 100644 index 000000000..9b3e58db5 Binary files /dev/null and b/STABLE/documentation/images/basics1.png differ diff --git a/STABLE/documentation/images/dmz1.png b/STABLE/documentation/images/dmz1.png new file mode 100644 index 000000000..a5454ebff Binary files /dev/null and b/STABLE/documentation/images/dmz1.png differ diff --git a/STABLE/documentation/images/dmz2.png b/STABLE/documentation/images/dmz2.png new file mode 100644 index 000000000..a793a1caa Binary files /dev/null and b/STABLE/documentation/images/dmz2.png differ diff --git a/STABLE/documentation/images/dmz3.png b/STABLE/documentation/images/dmz3.png new file mode 100644 index 000000000..b7d8b23fc Binary files /dev/null and b/STABLE/documentation/images/dmz3.png differ diff --git a/STABLE/documentation/images/dmz4.png b/STABLE/documentation/images/dmz4.png new file mode 100644 index 000000000..6e79d5d91 Binary files /dev/null and b/STABLE/documentation/images/dmz4.png differ diff --git a/STABLE/documentation/images/dmz5.png b/STABLE/documentation/images/dmz5.png new file mode 100644 index 000000000..ffd5b9bdd Binary files /dev/null and b/STABLE/documentation/images/dmz5.png differ diff --git a/STABLE/documentation/images/dmz6.png b/STABLE/documentation/images/dmz6.png new file mode 100644 index 000000000..2763dbf5d Binary files /dev/null and b/STABLE/documentation/images/dmz6.png differ diff --git a/STABLE/documentation/images/network.jpg b/STABLE/documentation/images/network.jpg deleted file mode 100644 index 94be8ae5d..000000000 Binary files a/STABLE/documentation/images/network.jpg and /dev/null differ diff --git a/STABLE/documentation/images/network.png b/STABLE/documentation/images/network.png new file mode 100644 index 000000000..fab0fcace Binary files /dev/null and b/STABLE/documentation/images/network.png differ diff --git a/STABLE/documentation/images/proxyarp.jpg b/STABLE/documentation/images/proxyarp.jpg deleted file mode 100644 index 2255acc9f..000000000 Binary files a/STABLE/documentation/images/proxyarp.jpg and /dev/null differ diff --git a/STABLE/documentation/images/proxyarp.png b/STABLE/documentation/images/proxyarp.png new file mode 100644 index 000000000..88b0f1b42 Binary files /dev/null and b/STABLE/documentation/images/proxyarp.png differ diff --git a/STABLE/documentation/images/staticnat.jpg b/STABLE/documentation/images/staticnat.jpg deleted file mode 100644 index 0ab312803..000000000 Binary files a/STABLE/documentation/images/staticnat.jpg and /dev/null differ diff --git a/STABLE/documentation/images/staticnat.png b/STABLE/documentation/images/staticnat.png new file mode 100644 index 000000000..a147089b7 Binary files /dev/null and b/STABLE/documentation/images/staticnat.png differ diff --git a/STABLE/documentation/index.htm b/STABLE/documentation/index.htm index bc8538fc9..6bf808fdb 100644 --- a/STABLE/documentation/index.htm +++ b/STABLE/documentation/index.htm @@ -5,18 +5,17 @@ Shoreline Firewall - - + - <body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica"> + <body> <p>This page uses frames, but your browser doesn't support them.</p> - <!--mstheme--></font></body> + </body> diff --git a/STABLE/documentation/kernel.htm b/STABLE/documentation/kernel.htm index 904ba1067..175527399 100644 --- a/STABLE/documentation/kernel.htm +++ b/STABLE/documentation/kernel.htm @@ -5,11 +5,16 @@ Shorewall Kernel Configuration - - -

    Kernel Configuration

    + + + + + +
    +

    Kernel Configuration

    +

    For information regarding configuring and building GNU/Linux kernels, see http://www.kernelnewbies.org.

    Here's a screen shot of my Network Options Configuration:

    @@ -138,4 +143,4 @@ the options selected above built as modules:

    Tom Eastep

    Copyright2001, 2002 Thomas M. Eastep.     \ No newline at end of file +© 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/STABLE/documentation/mailing_list.htm b/STABLE/documentation/mailing_list.htm index f7f8174f5..7a0d25340 100644 --- a/STABLE/documentation/mailing_list.htm +++ b/STABLE/documentation/mailing_list.htm @@ -6,35 +6,37 @@ Shorewall Mailing Lists - + - + -

    -Shorewall Mailing Lists

    - -

     

    - -

     

    + + + + +
    +

    +Shorewall Mailing Lists

    +

    Note: The list server limits posts to 120kb.

    -

    Not getting List Mail? -- Check -Here

    +

    Not getting List Mail? -- Check +Here

    If you experience problems with any of these lists, please let me know

    -

    Not able to Post Mail to shorewall.net?

    +

    Not able to Post Mail to shorewall.net?

    You can report such problems by sending mail to tom dot eastep at hp dot com.

    -

    A Word about SPAM Filters +

    A Word about SPAM Filters -

    +

    Before subscribing please read my policy about list traffic that bounces. Also please note that the mail server @@ -42,7 +44,7 @@ at hp dot com.

    databases at ordb.org and at osirusoft.com.

    -

    Search the Mailing List Archives

    +

    Search the Mailing List Archives

    @@ -74,59 +76,62 @@ Search:

    -

    Shorewall Users Mailing List

    +

    Shorewall Users Mailing List

    The Shorewall Users Mailing list provides a way for users to get answers to questions and to report problems. Information of general interest to the Shorewall user community is also posted to this list.

    Before posting a problem report to this list, please see the problem reporting guidelines.

    -

    To subscribe to the mailing list, go to https://www.shorewall.net/mailman/listinfo/shorewall-users.

    +

    To subscribe to the mailing list, go to +http://www.shorewall.net/mailman/listinfo/shorewall-users.

    To post to the list, post to shorewall-users@shorewall.net.

    The list archives are at http://www.shorewall.net/pipermail/shorewall-users.

    Note that prior to 1/1/2002, the mailing list was hosted at Sourceforge. The archives from that list may be found at www.geocrawler.com/lists/3/Sourceforge/9327/0/.

    -

    Shorewall Announce Mailing List

    +

    Shorewall Announce Mailing List

    This list is for announcements of general interest to the -Shorewall community. To subscribe, go to https://www.shorewall.net/mailman/listinfo/shorewall-announce.

    +Shorewall community. To subscribe, go to +http://www.shorewall.net/mailman/listinfo/shorewall-announce.

    The list archives are at http://www.shorewall.net/pipermail/shorewall-announce.

    -

    Shorewall Development Mailing List

    +

    Shorewall Development Mailing List

    The Shorewall Development Mailing list provides a forum for the exchange of ideas about the future of Shorewall and for coordinating ongoing Shorewall Development.

    -

    To subscribe to the mailing list, go to https://www.shorewall.net/mailman/listinfo/shorewall-devel.

    +

    To subscribe to the mailing list, go to +http://www.shorewall.net/mailman/listinfo/shorewall-devel.

    To post to the list, post to shorewall-devel@shorewall.net

    The list archives are at http://www.shorewall.net/pipermail/shorewall-devel.

    -

    How to Unsubscribe from one of the -Mailing Lists

    +

    How to Unsubscribe from one of the +Mailing Lists

    There seems to be near-universal confusion about unsubscribing from Mailman-managed lists. To unsubscribe:

    -     - - - -
    bullet +
      +

    • Follow the same link above that you used to subscribe to the list.

      -
    bullet + +

  • Down at the bottom of that page is the following text: "To change your subscription (set options like digest and delivery modes, get a reminder of your password, or unsubscribe from <name of list>), enter your subscription email address:". Enter your email address in the box and click on the "Edit Options" button.

    -
    • bullet + +

  • There will now be a box where you can enter your password and click on "Unsubscribe"; if you have forgotten your password, there is another button that will cause your password to be emailed to you.

    -
    • -

    -

    Frustrated by having to Rebuild Mailman to use it with Postfix?

    + + +
    +

    Frustrated by having to Rebuild Mailman to use it with Postfix?

    Check out these instructions

    Last updated 7/26/2002 - Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/mailing_list_problems.htm b/STABLE/documentation/mailing_list_problems.htm index a6d9766d1..4c76f9a6d 100644 --- a/STABLE/documentation/mailing_list_problems.htm +++ b/STABLE/documentation/mailing_list_problems.htm @@ -6,19 +6,24 @@ Mailing List Problems - - + -

    Mailing List Problems

    + + + + +
    +

    Mailing List Problems

    +
    -

    Shorewall.net is currently experiencing mail delivery problems -to at least one address in each of the following domains:

    +

    Shorewall.net is currently experiencing mail delivery problems +to at least one address in each of the following domains:

    - 
    2020ca - delivery to this domain has been disabled (cause unknown)
+    
    2020ca - delivery to this domain has been disabled (cause unknown)
 excite.com - delivery to this domain has been disabled (cause unknown)
 epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
 gmx.net - delivery to this domain has been disabled (cause unknown)
@@ -33,7 +38,7 @@ penquindevelopment.com - delivery to this domain has been disabled (connection t
 scip-online.de - delivery to this domain has been disabled (cause unknown)
 spctnet.com - connection timed out - delivery to this domain has been disabled
 telusplanet.net - delivery to this domain has been disabled (cause unknown)
-yahoo.com - delivery to this domain has been disabled (Mailbox over quota)
    
+yahoo.com - delivery to this domain has been disabled (Mailbox over quota)
    @@ -47,6 +52,6 @@ Eastep

     

    - + \ No newline at end of file diff --git a/STABLE/documentation/myfiles.htm b/STABLE/documentation/myfiles.htm index ffb4b2b36..d39dd4de6 100644 --- a/STABLE/documentation/myfiles.htm +++ b/STABLE/documentation/myfiles.htm @@ -10,14 +10,20 @@ - + - -

    About My Network

    + + + + + +
    +

    About My Network

    +
    -

    My Current Network

    +

    My Current Network

    @@ -38,7 +44,8 @@ runs Samba and acts as the a WINS server.  Wookie is in its own 'whitelist' called 'me'.

    My laptop (eastept1) is connected to eth3 using a cross-over cable. It runs its own -Sygate firewall software and is managed by Proxy ARP.

    +Sygate firewall software and is managed by Proxy ARP. It connects to the +local network through the PopTop server running on my firewall.

    The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server @@ -52,7 +59,7 @@ All administration and publishing is done using ssh/scp.

    I run an SNMP server on my firewall to serve MRTG running in the DMZ.

    -

    +

     

    The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask @@ -68,9 +75,9 @@ MRTG running in the DMZ.

    Note: My files use features not available before Shorewall version 1.3.4.

    -

    Shorewall.conf

    +

    Shorewall.conf

    - 
    	SUBSYSLOCK=/var/lock/subsys/shorewall
+  
    	SUBSYSLOCK=/var/lock/subsys/shorewall
 	STATEDIR=/var/state/shorewall
 
 	LOGRATE=
@@ -80,16 +87,16 @@ MRTG running in the DMZ.
    
 
 	CLAMPMSS=Yes
 
-	MULTIPORT=Yes
    
-  
    Zones File:
    
-  
    	#ZONE 	DISPLAY 	COMMENTS
+	MULTIPORT=Yes
    
+  
    Zones File:
    
+  
    	#ZONE 	DISPLAY 	COMMENTS
 	net	Internet	Internet
 	me	Eastep		My Workstation
 	loc	Local		Local networks
 	dmz	DMZ		Demilitarized zone
 	tx	Texas		Peer Network in Dallas Texas
-	#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    
-  
    Interfaces File: 
    
+	#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    +

    Interfaces File:

    @@ -98,38 +105,35 @@ interfaces.

    - 
    	#ZONE    INTERFACE	BROADCAST 	OPTIONS
+  
    	#ZONE    INTERFACE	BROADCAST 	OPTIONS
 	net	eth0 		206.124.146.255	routefilter,norfc1918,blacklist,filterping
-	-	eth2 		192.168.1.255	dhcp
+	loc	eth2 		192.168.1.255	dhcp
 	dmz	eth1 		206.124.146.255	-
-	loc	eth3		206.124.146.255 -
-	tx	texas 		-
+	net	eth3		206.124.146.255 norfc1918
+	-	texas 		-
 	loc	ppp+
-	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    
-  
    Hosts File: 
    
+	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    +

    Hosts File:

    - 
    	#ZONE 		HOST(S)			OPTIONS
+  
    	#ZONE 		HOST(S)			OPTIONS
 	me		eth2:192.168.1.3
-	loc		eth2:0.0.0.0/0
-	loc		ppp+:192.168.1.0/24
-	loc		eth3:206.124.146.180
 	tx 		texas:192.168.9.0/24
-	#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE
    
+	#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE
    -

    Routestopped File:

    +

    Routestopped File:

    - 
    	#INTERFACE	HOST(S)
+  
    	#INTERFACE	HOST(S)
 	eth1		206.124.146.177
 	eth2 		-
-	eth3 		206.124.146.180
    
-  
    Common File: 
    
-  
    	. /etc/shorewall/common.def
+	eth3 		206.124.146.180
    
+  
    Common File: 
    
+  
    	. /etc/shorewall/common.def
 	run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-	run_iptables -A common -p tcp --dport 113 -j REJECT
    
+	run_iptables -A common -p tcp --dport 113 -j REJECT
    -

    Policy File:

    +

    Policy File:

    - 
    
+  
    
 	#SOURCE	DEST	POLICY	LOG LEVEL	LIMIT:BURST
 	me	all	ACCEPT
 	tx	me	ACCEPT		#Give Texas access to my personal system
@@ -141,10 +145,11 @@ interfaces. 
    
 	$FW	tx	ACCEPT
 	loc	tx	ACCEPT
 	loc	fw	REJECT
+	net	net	ACCEPT
 	net	all	DROP	info		10/sec:40
 	all	all	REJECT	info
-	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
    
-  
    Masq File: 
    
+	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
    +

    Masq File:

    @@ -152,25 +157,25 @@ Although most of our internal systems use static NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.

    - 
    	#INTERFACE 	SUBNET		ADDRESS
+  
    	#INTERFACE 	SUBNET		ADDRESS
 	eth0 		192.168.1.0/24	206.124.146.176
-	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    
-  
    NAT File: 
    
-  
    	#EXTERNAL	INTERFACE	INTERNAL	ALL	LOCAL
+	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    
+  
    NAT File: 
    
+  
    	#EXTERNAL	INTERFACE	INTERNAL	ALL	LOCAL
 	206.124.146.178 eth0 		192.168.1.5 	No 	No
 	206.124.146.179 eth0 		192.168.1.3 	No 	No
-	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    
+	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -

    Proxy ARP File:

    - 
         	#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE
+                                          
    Proxy ARP File:
    
+  
         	#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE
 	206.124.146.177 eth1 		eth0 		No
 	206.124.146.180	eth3		eth0		No
-	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    
+	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    -

    Rules File (The shell variables - are set in /etc/shorewall/params):

    +

    Rules File (The shell variables + are set in /etc/shorewall/params):

    - 
         	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL
+  
         	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL
 	#                       				PORT(S) PORT(S)	PORT(S)	DEST
 	#
 	# Local Network to Internet - Reject attempts by Trojans to call home
@@ -218,7 +223,6 @@ Although most of our internal systems use static NAT, my wife's system
 	#
 	# Net to Local 
 	#
-	ACCEPT		net		loc:206.124.146.180	#Runs its own firewall software
 	ACCEPT		net		loc			tcp	auth
 	REJECT		net		loc			tcp	www
 	#
@@ -282,12 +286,12 @@ Although most of our internal systems use static NAT, my wife's system
 	ACCEPT 		tx 		fw 			icmp 	echo-request
 	ACCEPT		tx 		loc 			icmp 	echo-request
 
-	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    
+	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

    -Last updated 8/4/2002 +Last updated 8/9/2002 - Tom Eastep

    Copyright - © 2001, 2002 Thomas M. Eastep.     \ No newline at end of file + © 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/STABLE/documentation/ports.htm b/STABLE/documentation/ports.htm index 081136136..f205236fe 100644 --- a/STABLE/documentation/ports.htm +++ b/STABLE/documentation/ports.htm @@ -5,10 +5,16 @@ Shorewall Port Information - -

    Ports required for Various Services/Applications

    + + + + + +
    +

    Ports required for Various Services/Applications

    +

    In addition to those applications described in the /etc/shorewall/rules documentation, here are some other @@ -95,6 +101,12 @@ services/applications that you may need to configure your firewall to accommodat

    Traceroute

    UDP ports 33434 through 33434+<max number of hops>-1

    +
    +

    NFS

    +
    +

    There's some good information at  + + http://nfs.sourceforge.net/nfs-howto/security.html

    Didn't find what you are looking for -- have you looked in your own /etc/services file?

    @@ -103,8 +115,8 @@ services/applications that you may need to configure your firewall to accommodat http://www.networkice.com/advice/Exploits/Ports

    -

    Last updated 7/30/2002 - +

    Last updated 8/21/2002 - Tom Eastep

    Copyright2001, 2002 Thomas M. Eastep. \ No newline at end of file +© 2001, 2002 Thomas M. Eastep.     \ No newline at end of file diff --git a/STABLE/documentation/quotes.htm b/STABLE/documentation/quotes.htm index 2b0afcdf5..9f3778db2 100644 --- a/STABLE/documentation/quotes.htm +++ b/STABLE/documentation/quotes.htm @@ -6,12 +6,17 @@ Quotes from Shorewall Users - - + -

    Quotes from Shorewall Users

    + + + + +
    +

    Quotes from Shorewall Users

    +

    "I just installed Shorewall after weeks of messing with @@ -86,6 +91,6 @@ Guatamala

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/samba.htm b/STABLE/documentation/samba.htm index 48cbd73e9..6656b21bf 100644 --- a/STABLE/documentation/samba.htm +++ b/STABLE/documentation/samba.htm @@ -6,88 +6,93 @@ Samba - - + -

    Samba

    + + + + +
    +

    Samba

    +

    If you wish to run Samba on your firewall and access shares between the firewall and local hosts, you need the following rules:

    -

    /etc/shorewall/rules:

    +

    /etc/shorewall/rules:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDEST - PROTODEST
    - PORT(S)    		SOURCE
    - PORT(S)    		ORIGINAL
    - DEST    		ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    ACCEPTfwlocudp137:139  ACCEPTfwlocudp137:139  
    ACCEPTfwloctcp137,139  ACCEPTfwloctcp137,139  
    ACCEPTfwlocudp1024:137 ACCEPTfwlocudp1024:137 
    ACCEPTlocfwudp137:139  ACCEPTlocfwudp137:139  
    ACCEPTlocfwtcp137,139  ACCEPTlocfwtcp137,139  
    ACCEPTlocfwudp1024:137 ACCEPTlocfwudp1024:137 
    +

    Last modified 5/29/2002 - Tom Eastep

    -Copyright © 2002 Thomas M. Eastep. \ No newline at end of file +Copyright © 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/STABLE/documentation/seattlefirewall_index.htm b/STABLE/documentation/seattlefirewall_index.htm index 4edeb0109..81e76436c 100644 --- a/STABLE/documentation/seattlefirewall_index.htm +++ b/STABLE/documentation/seattlefirewall_index.htm @@ -11,195 +11,151 @@ - + - + + + + + +
    +

    + + Shorewall 1.3 - "iptables made easy"

    +
    -

    Shorewall 1.3 - "iptables made easy"

    +
    +
    + + + + + +
    -

    Shorewall 1.2 Site is - Here

    - -

     

    - -

    What is it?

    +

    What is it?

    The Shoreline Firewall, more commonly known as "Shorewall",  is a - Netfilter (iptables) - based firewall that can be used on a dedicated firewall system, a - multi-function gateway/router/server or on a standalone GNU/Linux system.

    + Netfilter (iptables) based firewall + that can be used on a dedicated firewall system, a multi-function + gateway/router/server or on a standalone GNU/Linux system.

    -

    This program is free software; you can redistribute it and/or modify - it under the terms of Version 2 of the GNU General Public License - as published by the Free Software Foundation.
    +

    This program is free software; you can redistribute it and/or modify it + under the terms of Version + 2 of the GNU General Public License as published by the Free Software + Foundation.

    - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - for more details.
    + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + for more details.

    You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software Foundation, - Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    + along with this program; if not, write to the Free Software Foundation, + Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    Copyright 2001, 2002 Thomas M. Eastep

    -

    Want a Copy of this Site?

    - -

    The Shorewall .tgz and .rpm files contain a copy of this site -- - download Shorewall and you get a copy of the - Shorewall portion of this site for the same low price (Free!).

    - +

     Jacques + Nilo and Eric Wolzak have a LEAF distribution called Bering that + features Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at: + + http://leaf.sourceforge.net/devel/jnilo

    + -

    News

    +

    News

    -

    8/7/2002 - Shorewall 1.3.6 -

    +

    8/22/2002 - Shorewall 1.3.7 Released 8/13/2002 +

    + +

    Features in this release include:

    + +
      +
    • The 'icmp.def' file is now empty! The rules in that file were + required in ipchains firewalls but are not required in Shorewall. Users + who have ALLOWRELATED=No in + shorewall.conf should see the Upgrade + Issues.
      • +
    • A 'FORWARDPING' option has been added to + shorewall.conf. The effect of + setting this variable to Yes is the same as the effect of adding an + ACCEPT rule for ICMP echo-request in + /etc/shorewall/icmpdef. + Users who have such a rule in icmpdef are encouraged to switch to + FORWARDPING=Yes.
      • +
    • The loopback CLASS A Network (127.0.0.0/8) has been added to the + rfc1918 file.
      • +
    • Shorewall now works with iptables 1.2.7.
      • +
    • The documentation and Web site no longer use FrontPage themes.
      • +
    + +

    I would like to thank John Distler for his valuable input regarding TCP SYN + and ICMP treatment in Shorewall. That input has led to marked improvement in + Shorewall in the last two releases.

    + +

    8/13/2002 - Documentation in the + CVS Repository

    + +

    The Shorewall-docs project now contains just the HTML and image files - the + Frontpage files have been removed.

    + +

    8/7/2002 - STABLE branch added to + CVS Repository

    + +

    This branch will only be updated after I release a new version of Shorewall + so you can always update from this branch to get the latest stable tree.

    + +

    8/7/2002 - Upgrade Issues section added + to the Errata Page

    + +

    Now there is one place to go to look for issues involved with upgrading to + recent versions of Shorewall.

    + +

    8/7/2002 - Shorewall 1.3.6

    This is primarily a bug-fix rollup with a couple of new features:

    - - - - -
    bulletThe latest QuickStart Guides - including the Shorewall Setup Guide.
    bulletShorewall will now DROP TCP packets that are not part of or - related to an existing connection and that are not SYN packets. These "New - not SYN" packets may be optionally logged by setting the LOGNEWNOTSYN option - in /etc/shorewall/shorewall.conf.
    bulletThe processing of "New not SYN" packets may be extended by command in the - new newnotsyn extension script.
    - -

    7/30/2002 - Shorewall 1.3.5b Released

    - -

    This interim release:

    - -     - - - -
    bulletCauses the firewall script to remove the lock file if it is killed.
    bulletOnce again allows lists in the second column of the - /etc/shorewall/hosts file.
    bulletIncludes the latest QuickStart - Guides.
    - -

    7/29/2002 - New Shorewall Setup Guide Available

    - -

    The first draft of this guide is available at - - http://www.shorewall.net/shorewall_setup_guide.htm. The guide is intended - for use by people who are setting up Shorewall to manage multiple public IP - addresses and by people who want to learn more about Shorewall than is - described in the single-address guides. Feedback on the new guide is welcome.

    - -

    7/28/2002 - Shorewall 1.3.5 Debian Package Available

    - -

    Lorenzo Martignoni reports that the packages are version 1.3.5a and are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - -

    7/27/2002 - Shorewall 1.3.5a Released

    - -

    This interim release restores correct handling of REDIRECT rules.

    - -

    7/26/2002 - Shorewall 1.3.5 Released

    - -

    This will be the last Shorewall release for a while. I'm going to be - focusing on rewriting a lot of the documentation.

    - -

     In this version:

    - -     - - - - - -
    bulletEmpty and invalid source and destination qualifiers are now detected in - the rules file. It is a good idea to use the 'shorewall check' command before - you issue a 'shorewall restart' command be be sure that you don't have any - configuration problems that will prevent a successful restart.
    bulletAdded MERGE_HOSTS variable in shorewall.conf to provide saner behavior of - the /etc/shorewall/hosts file.
    bulletThe time that the counters were last reset is now displayed in the - heading of the 'status' and 'show' commands.
    bulletA proxyarp option has been added for entries in - /etc/shorewall/interfaces. This - option facilitates Proxy ARP sub-netting as described in the Proxy ARP - subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). - Specifying the proxyarp option for an interface causes Shorewall to set - /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
    bulletThe Samples have been updated to reflect the new capabilities in this - release.
    - -

    7/16/2002 - New Mirror in Argentina

    - -

    Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall - mirror in Argentina. Thanks Buanzo!!!

    - -

    7/16/2002 - Shorewall 1.3.4 Released

    - -

    In this version:

    - -     - - - - - -
    bulletA new - /etc/shorewall/routestopped file has been added. This file is intended to - eventually replace the routestopped option in the - /etc/shorewall/interface and /etc/shorewall/hosts files. This new file makes - remote firewall administration easier by allowing any IP or subnet to be - enabled while Shorewall is stopped.
    bulletAn /etc/shorewall/stopped extension - script has been added. This script is invoked after Shorewall has - stopped.
    bulletA DETECT_DNAT_ADDRS option has been added to - /etc/shoreall/shorewall.conf. When this - option is selected, DNAT rules only apply when the destination address is the - external interface's primary IP address.
    bulletThe QuickStart Guide has - been broken into three guides and has been almost entirely rewritten.
    bulletThe Samples have been updated - to reflect the new capabilities in this release. 
    - -

    7/8/2002 - Shorewall 1.3.3 Debian Package Available

    - -

    Lorenzo Martignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - -

    7/6/2002 - Shorewall 1.3.3 Released

    - -

    In this version:

    - -     - - - - - - -
    bulletEntries in /etc/shorewall/interface that use the wildcard character ("+") - now have the "multi" option assumed.
    bulletThe 'rfc1918' chain in the mangle table has been renamed 'man1918' to - make log messages generated from that chain distinguishable from those - generated by the 'rfc1918' chain in the filter table.
    bulletInterface names appearing in the hosts file are now validated against the - interfaces file.
    bulletThe TARGET column in the rfc1918 file is now checked for correctness.
    bulletThe chain structure in the nat table has been changed to reduce the - number of rules that a packet must traverse and to correct problems with - NAT_BEFORE_RULES=No.
    bulletThe 'hits' command has been enhanced.
    +

    More News

    -

    SourceForge LogoThe - Shorewall Project uses facilities provided by SourceForge.

    +

    Donations

    - -

    - - Jacques Nilo and Eric Wolzak have a LEAF distribution called Bering - that features Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at: - http://leaf.sourceforge.net/devel/jnilo

    +     		+ SourceForge Logo
    +
    +
    + + + + +
    +

    +

    +

    Shorewall is free but if + you try it and find it useful, please consider making a donation to + Starlight Children's Foundation. Thanks!

    -

    Updated - 7/29/2002 - Tom Eastep +

    Updated + 8/22/2002 - Tom Eastep -

    - + \ No newline at end of file diff --git a/STABLE/documentation/shoreline.htm b/STABLE/documentation/shoreline.htm index 75e9dd4f8..3e6239b7f 100644 --- a/STABLE/documentation/shoreline.htm +++ b/STABLE/documentation/shoreline.htm @@ -10,13 +10,19 @@ - + - + -

    Tom Eastep

    + + + + +
    +

    Tom Eastep

    +
    @@ -32,21 +38,21 @@ by Ken Mazawa

    -     - - - - - - -
    bulletBorn 1945 in Washington +
    bulletBA Mathematics from Washington State +. +
  • BA Mathematics from Washington State University - 1967
    • bulletMA Mathematics from University -of Washington 1969
    bulletBurroughs Corporation (now Unisys -) 1969 - 1980
    bulletTandem Computers, Incorporated - (now part of the The New HP) 1980 - present
    bulletMarried 1969 - no children.
    + 1967 +
  • MA Mathematics from University +of Washington 1969
    • +
  • Burroughs Corporation (now Unisys +) 1969 - 1980
    • +
  • Tandem Computers, Incorporated + (now part of the The New HP) 1980 - present
    • +
  • Married 1969 - no children.
    • +

    I am currently a member of the design team for the next-generation operating system from the NonStop Enterprise Division of HP.

    @@ -64,26 +70,25 @@ Washington

    Our current home network consists of:

    -     - - - - - - -
    bullet1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE HDs - and LNE100TX (Tulip) NIC - My personal Windows system. This system also has - RH7.3 installed.
    bulletPII/266, RH7.3, 320MB RAM, 20GB HD, LNE100TX(Tulip) NIC - My personal - GNU/Linux System which runs Samba configured as a WINS server.
    bulletK6-2/350, RH7.3, 256MB RAM, 8GB IDE HD, EEPRO100 NIC  +
      +
    • 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 8GB IDE HDs and LNE100TX + (Tulip) NIC - My personal Windows system.
      • +
    • Celeron 1.4Gz, RH7.3, 256MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My + personal Linux System which runs Samba configured as a WINS server.
      • +
    • K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - Mail (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server - (Bind).
    bulletPII/233, RH7.3 with 2.4.19 kernel, 128MB MB RAM, 2GB SCSI HD - 3 - LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.4 and a DHCP - server.  Also runs PoPToP for road warrior access.
    bulletDuron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.
    bulletPII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100 -in expansion base - My main work system.
    + (Bind). +
  • PII/233, RH7.3 with 2.4.19 kernel, 256MB MB RAM, 2GB SCSI HD - 3 + LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.6 and a DHCP + server.  Also runs PoPToP for road warrior access.
    • +
  • Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.
    • +
  • PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100 +in expansion base - My main work system.
    • +

    For more about our network see my Shorewall Configuration.

    -

    The PII/266 is made by Dell. All of our +

    All of our other systems are made by Compaq (part of the new HP).. All of our Tulip NICs are Netgear FA310TXs.

    @@ -93,8 +98,8 @@ in expansion base - My main work system.    <

    -

    Last updated 8/4/2002 - +

    Last updated 8/16/2002 - Tom Eastep

    Copyright - © 2001, 2002 Thomas M. Eastep. \ No newline at end of file + © 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/STABLE/documentation/shorewall_extension_scripts.htm b/STABLE/documentation/shorewall_extension_scripts.htm index 9615a9add..c8689cdbe 100644 --- a/STABLE/documentation/shorewall_extension_scripts.htm +++ b/STABLE/documentation/shorewall_extension_scripts.htm @@ -6,12 +6,17 @@ Shorewall Extension Scripts - - + -

    Extension Scripts

    + + + + +
    +

    Extension Scripts

    +

    Extension scripts are user-provided @@ -19,17 +24,17 @@ stop and clear. The scripts are placed in /etc/shorewall and are processed using the Bourne shell "source" mechanism. The following scripts can be supplied:

    -     - - - - - - - -
    bulletinit -- invoked early in "shorewall start" and "shorewall restart"
    bulletstart -- invoked after the firewall has been started or restarted.
    bulletstop -- invoked as a first step when the firewall is being stopped.
    bulletstopped -- invoked after the firewall has been stopped.
    bulletclear -- invoked after the firewall has been cleared.
    bulletrefresh -- invoked while the firewall is being refreshed but before the - common and/or blacklst chains have been rebuilt.
    bulletnewnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain - has been created but before any rules have been added to it.
    +
      +
    • init -- invoked early in "shorewall start" and "shorewall restart"
      • +
    • start -- invoked after the firewall has been started or restarted.
      • +
    • stop -- invoked as a first step when the firewall is being stopped.
      • +
    • stopped -- invoked after the firewall has been stopped.
      • +
    • clear -- invoked after the firewall has been cleared.
      • +
    • refresh -- invoked while the firewall is being refreshed but before the + common and/or blacklst chains have been rebuilt.
      • +
    • newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain + has been created but before any rules have been added to it.
      • +
    @@ -41,20 +46,10 @@ been processed.

    -

    The following two files receive -special treatment:

    - -     - - -
    bullet/etc/shorewall/common -- If this file is present, the rules that it +

    The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it defines will totally replace the default rules in the common chain. These default rules are contained in the file /etc/shorewall/common.def which - may be used as a starting point for making your own customized file.

    bullet/etc/shorewall/icmpdef -- If this file is present, the rules that it - defines will totally replace the default rules in the icmpdef chain. -These default rules are contained in the file /etc/shorewall/icmp.def -which may be used as a starting point for making your own customized -file.
    + may be used as a starting point for making your own customized file.

    @@ -68,9 +63,8 @@ processing of the command.

    - If you decide to create /etc/shorewall/common or /etc/shorewall/icmp.def, it - is a good idea to use the following technique (common file shown but the same - technique applies to icmpdef).

    + If you decide to create /etc/shorewall/common it is a good idea to use the + following technique

    @@ -80,29 +74,40 @@ processing of the command.

    - 
    source /etc/shorewall/common.def
-<add your rules here>
    + 
    . /etc/shorewall/common.def
+<add your rules here>

    If you need to supercede a rule in the released common.def file, you can add - the superceding rule before the 'source' command. Using this technique allows + the superceding rule before the '.' command. Using this technique allows you to add new rules while still getting the benefit of the latest common.def file.

    -

    Remember that /etc/shorewall/common and /etc/shorewall/icmpdef define rules +

    Remember that /etc/shorewall/common defines rules that are only applied if the applicable policy is DROP or REJECT. These rules - are NOT applied if the policy is ACCEPT or CONTINUE.
    -

    + are NOT applied if the policy is ACCEPT or CONTINUE.

    -

    Last updated -8/5/2002 - Tom +

    If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be + rejected by the firewall. It is recommended with this setting that you create + the file /etc/shorewall/icmpdef and in it place the following commands:

    + + + + 
    	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
+	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
+
    +

    Last updated +8/22/2002 - Tom Eastep

    Copyright 2002 Thomas M. Eastep

    -     + \ No newline at end of file diff --git a/STABLE/documentation/shorewall_features.htm b/STABLE/documentation/shorewall_features.htm index a4ce1dc32..e2dff314f 100644 --- a/STABLE/documentation/shorewall_features.htm +++ b/STABLE/documentation/shorewall_features.htm @@ -6,81 +6,86 @@ Shorewall Features - - + -

    Shorewall Features

    -     - - - - - - - - - - -
    bulletUses Netfilter's connection tracking facilities for stateful packet - filtering.
    bulletCan be used in a wide range of router/firewall/gateway applications. - - - - - - -
    bulletCompletely customizable using configuration files.
    bulletNo limit on the number of network interfaces.
    bulletAllows you to partitions the network into zones + + + + +
    +

    Shorewall Features

    +
    +
      +
    • Uses Netfilter's connection tracking facilities for stateful packet + filtering.
      • +
    • Can be used in a wide range of router/firewall/gateway applications. +
        +
      • Completely customizable using configuration files.
        • +
      • No limit on the number of network interfaces.
        • +
      • Allows you to partitions the network into zones and gives you complete control over the connections permitted between - each pair of zones.
    bulletMultiple interfaces per zone and multiple zones per interface - permitted.
    bulletSupports nested and overlapping zones.
    -
    bullet QuickStart Guides to help - get your first firewall up and running quickly
    bulletExtensive documentation - included in the .tgz and .rpm downloads.
    bulletFlexible address management/routing support (and you can use all + each pair of zones. +
  • Multiple interfaces per zone and multiple zones per interface + permitted.
    • +
  • Supports nested and overlapping zones.
    • + + +
  • QuickStart Guides to help + get your first firewall up and running quickly
    • +
  • Extensive documentation + included in the .tgz and .rpm downloads.
    • +
  • Flexible address management/routing support (and you can use all types in the same firewall): - - - - - - -
    bulletMasquerading/SNAT
    bulletPort Forwarding (DNAT).
    bullet - Static NAT.
    bullet - Proxy ARP.
    bulletSimple host/subnet Routing
    -
    • bulletBlacklisting of individual - IP addresses and subnetworks is supported.
    bulletOperational support: - - - - -
    bulletCommands to start, stop and clear the firewall
    bulletSupports status monitoring - with an audible alarm when an "interesting" packet is detected.
    bulletWide variety of informational commands.
    -
    bulletVPN Support - - - -
    bulletIPSEC, GRE and IPIP - Tunnels.
    bulletPPTP clients and Servers.
    -
    bulletSupport for Traffic Control/Shaping - integration.
    bulletWide support for different GNU/Linux Distributions. - - - - -
    bulletRPM and Debian - packages available.
    bulletIncludes automated install, upgrade, fallback + + +
  • Blacklisting of individual + IP addresses and subnetworks is supported.
    • +
  • Operational support: +
      +
    • Commands to start, stop and clear the firewall
      • +
    • Supports status monitoring + with an audible alarm when an "interesting" packet is detected.
      • +
    • Wide variety of informational commands.
      • +
    +
    • +
  • VPN Support + +
    • +
  • Support for Traffic Control/Shaping + integration.
    • +
  • Wide support for different GNU/Linux Distributions. +
    • bulletCompatible with 2.4-kernel based versions of + to use the RPM or Debian packages. +
  • Compatible with 2.4-kernel based versions of LEAF - .
    • -
    + . + + +

    Last updated 7/14/2002 - Tom Eastep

    Copyright © 2001,2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/shorewall_firewall_structure.htm b/STABLE/documentation/shorewall_firewall_structure.htm index b8ebbf90a..ffdfd6b46 100644 --- a/STABLE/documentation/shorewall_firewall_structure.htm +++ b/STABLE/documentation/shorewall_firewall_structure.htm @@ -6,14 +6,19 @@ Shorewall Firewall Structure - - + -

    Firewall Structure

    + + + + +
    +

    Firewall Structure

    +

    - Shorewall views the network in which it is running as a set of disjoint + Shorewall views the network in which it is running as a set of zones. Shorewall itself defines exactly one zone called "fw" which refers to the firewall system itself . The /etc/shorewall/zones file is used to define additional zones and the example file provided with Shorewall @@ -36,6 +41,21 @@ from the internet and from the DMZ and in some cases, from each other. +

    While zones are normally disjoint (no two zones have a host in common), + there are cases where nested or overlapping zone definitions are appropriate.

    +

    Packets entering the firewall first pass through the mangle table's + PREROUTING chain (you can see the mangle table by typing "shorewall show + mangle"). If the packet entered through an interface that has the norfc1918 + option, then the packet is sent down the man1918  which will drop + the packet if its destination IP address is reserved (as specified in the + /etc/shorewall/rfc1918 file). Next the packet passes through the pretos + chain to set its TOS field as specified in the /etc/shorewall/tos file. + Finally, if traffic control/shaping is being used, the packet is sent through + the tcpre chain to be marked for later use in policy routing or traffic + control.

    +

    Next, if the packet isn't part of an established connection, it passes + through the nat table's PREROUTING chain (you can see the nat table by + typing "shorewall show nat").

    Traffic entering the firewall is sent to an input chain. If the traffic is destined for the @@ -133,4 +153,4 @@ server, adding a rule won't help (see point 3 above).

    Last modified 7/26/2002 - Tom Eastep

    -Copyright © 2001, 2002 Thomas M. Eastep. \ No newline at end of file +Copyright © 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/STABLE/documentation/shorewall_index.htm b/STABLE/documentation/shorewall_index.htm index 24fcf92ac..bede1c576 100644 --- a/STABLE/documentation/shorewall_index.htm +++ b/STABLE/documentation/shorewall_index.htm @@ -5,7 +5,6 @@ Shoreline Firewall - @@ -16,9 +15,9 @@ - <body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica"> + <body> - <p>This page uses frames, but your browser doesn't support them.<!--mstheme--></font></body> + <p>This page uses frames, but your browser doesn't support them.</body> diff --git a/STABLE/documentation/shorewall_mailing_list_migration.htm b/STABLE/documentation/shorewall_mailing_list_migration.htm index 3b90157f2..d39573fe8 100644 --- a/STABLE/documentation/shorewall_mailing_list_migration.htm +++ b/STABLE/documentation/shorewall_mailing_list_migration.htm @@ -6,12 +6,17 @@ Shorewall Mailing List Migration - - + -

    Shorewall Mailing List Migration

    + + + + +
    +

    Shorewall Mailing List Migration

    +

    If you are a current subscriber to the Shorewall mailing list at Sourceforge, please do the following:

      @@ -32,6 +37,6 @@ Eastep

      Copyright © 2002 Thomas M. Eastep.

      - + \ No newline at end of file diff --git a/STABLE/documentation/shorewall_mirrors.htm b/STABLE/documentation/shorewall_mirrors.htm index 0856d7064..a99d161ed 100644 --- a/STABLE/documentation/shorewall_mirrors.htm +++ b/STABLE/documentation/shorewall_mirrors.htm @@ -6,12 +6,17 @@ Shorewall Mirrors - - + -

      Shorewall Mirrors

      + + + + +
      +

      Shorewall Mirrors

      +

      Remember that updates to the mirrors are often delayed for 6-12 hours after an update to the primary site.

      @@ -20,38 +25,38 @@ and is located in Washington State, USA. It is mirrored at:

      -       - - - - -
      bullet +
      bullet + (Slovak Republic). +
    1. http://shorewall.infohiiway.com - (Texas, USA).
      2. bullet - http://germany.shorewall.net (Hamburg, Germany)
      bullethttp://shorewall.correofuego.com.ar (Martinez (Zona Norte - GBA), Argentina)
      + (Texas, USA). +
    2. + http://germany.shorewall.net (Hamburg, Germany)
      3. +
    3. http://shorewall.correofuego.com.ar (Martinez (Zona Norte - GBA), Argentina)
      4. +

      The main Shorewall FTP Site is ftp://ftp.shorewall.net/pub/shorewall/ and is located in Washington State, USA.  It is mirrored at:

      -       - - - - -
      bulletftp://slovakia.shorewall.net/mirror/shorewall - (Slovak Republic).
      bullet +
      bullet - ftp://germany.shorewall.net/pub/shorewall (Hamburg, Germany)
      bullet - ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall (Martinez (Zona Norte - GBA), Argentina)
      + (Texas, USA). +
    4. + ftp://germany.shorewall.net/pub/shorewall (Hamburg, Germany)
      5. +
    5. + ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall (Martinez (Zona Norte - GBA), Argentina)
      6. +

      Last Updated 7/16/2002 - Tom Eastep

      Copyright © 2001, 2002 Thomas M. Eastep.

      -       + \ No newline at end of file diff --git a/STABLE/documentation/shorewall_prerequisites.htm b/STABLE/documentation/shorewall_prerequisites.htm index 594808b50..56067978f 100644 --- a/STABLE/documentation/shorewall_prerequisites.htm +++ b/STABLE/documentation/shorewall_prerequisites.htm @@ -6,46 +6,49 @@ Shorewall Prerequisites - - + -

      Shorewall Requirements

      -

       

      -       - - - - - -
      bulletA kernel that supports netfilter. I've tested with 2.4.2 - 2.4.19. + + + + +
      +

      Shorewall Requirements

      +
      +
      bulletiptables 1.2 or later but beware version 1.2.3 -- see the Errata. + . +
    6. iptables 1.2 or later but beware version 1.2.3 -- see the Errata. WARNING: The buggy iptables version 1.2.3 is included in RedHat 7.2 and you should upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4 is available from RedHat and in the Shorewall Errata. If you are going to be running kernel 2.4.18 or later, NO currently-available RedHat iptables RPM - will work -- again, see the Shorewall Errata.
      7. bulletSome features require iproute ("ip" utility). The iproute package is + will work -- again, see the Shorewall Errata. +
    7. Some features require iproute ("ip" utility). The iproute package is included with most distributions but may not be installed by default. The - official download site is -ftp://ftp.inr.ac.ru/ip-routing. - -
      8. bulletA Bourne shell or derivative such as bash or ash. Must have correct + official download site is + ftp://ftp.inr.ac.ru/ip-routing. + +
    8. A Bourne shell or derivative such as bash or ash. Must have correct support for variable expansion formats ${variable%pattern }, ${variable%%pattern}, ${variable#pattern - } and ${variable##pattern}.
      9. bulletThe firewall monitoring display is greatly improved if you have awk - (gawk) installed.
      + } and ${variable##pattern}. +
    9. The firewall monitoring display is greatly improved if you have awk + (gawk) installed.
      10. +

      Last updated 8/4/2002 - Tom Eastep

      Copyright © 2001, 2002 Thomas M. Eastep.

      -       + \ No newline at end of file diff --git a/STABLE/documentation/shorewall_quickstart_guide.htm b/STABLE/documentation/shorewall_quickstart_guide.htm index 556a0d581..bcd097d68 100644 --- a/STABLE/documentation/shorewall_quickstart_guide.htm +++ b/STABLE/documentation/shorewall_quickstart_guide.htm @@ -6,138 +6,145 @@ Shorewall QuickStart Guide - + - + -

      Shorewall QuickStart Guides
      -Version 3.0

      + + + + +
      +

      Shorewall QuickStart Guides
      +Version 3.0

      +

      With thanks to Richard who reminded me once again that we must all first walk before we can run.

      -

      The Guides

      +

      The Guides

      These guides provide step-by-step instructions for configuring Shorewall in common firewall setups.

      The following guides are for firewalls with a single external IP address:

      -       - - - -
      bulletStandalone Linux System
      bulletTwo-interface Linux System acting as a - firewall/router for a small local network
      bulletThree-interface Linux System acting as a - firewall/router for a small local network and a DMZ.
      +
        +
      • Standalone Linux System
        • +
      • Two-interface Linux System acting as a + firewall/router for a small local network
        • +
      • Three-interface Linux System acting as a + firewall/router for a small local network and a DMZ.
        • +

      The above guides are designed to get your first firewall up and running quickly in the three most common Shorewall configurations.

      The Shorewall Setup Guide outlines the steps necessary to set up a firewall where there are multiple public IP addresses involved or if you want to learn more about Shorewall than is explained in the single-address guides above.

      -       - - - - - - - -
      bullet1.0 Introduction
      bullet2.0 Shorewall Concepts
      bullet3.0 Network Interfaces
      bullet4.0 Addressing, Subnets and Routing - - - - -
      bullet4.1 IP Addresses
      bullet4.2 Subnets
      bullet4.3 Routing
      bullet4.4 Address Resolution Protocol
      - - -
      bullet4.5 RFC 1918
      -
      bullet5.0 Setting up your Network - -
      bullet5.1 Routed
      - - - - -
      bullet5.2 Non-routed - - - - -
      bullet5.2.1 SNAT
      bullet5.2.2 DNAT
      bullet5.2.3 Proxy ARP
      bullet5.2.4 Static NAT
      -
      bullet5.3 Rules
      bullet5.4 Odds and Ends
      -
      bullet6.0 DNS
      bullet7.0 Starting and - Stopping the Firewall
      -

      Additional Documentation

      + +

      Additional Documentation

      The following documentation covers a variety of topics and supplements the -QuickStart Guides described above.

      -       - - - - - - - - - - - - - - - - -
      bulletBlacklisting - - -
      bulletStatic Blacklisting using /etc/shorewall/blacklist
      bulletDynamic Blacklisting using /sbin/shorewall
      -
      bulletCommon configuration file features - - - - - - - - -
      bulletComments in configuration files
      bulletLine Continuation
      bulletPort Numbers/Service Names
      bulletPort Ranges
      bulletUsing Shell Variables
      bulletComplementing an IP address or Subnet
      bulletShorewall Configurations (making a test configuration)
      bulletUsing MAC Addresses in Shorewall
      -
      bulletConfiguration File Reference Manual - - - - - - - - - - - - - - - - - - -
      bullet - params
      bulletzones
      bulletinterfaces
      bullethosts
      bulletpolicy
      bulletrules
      bulletcommon
      bulletmasq
      bulletproxyarp
      bulletnat
      bullettunnels
      bullettcrules
      bulletshorewall.conf
      bulletmodules
      bullettos
      bulletblacklist
      bulletrfc1918
      bulletroutestopped
      -
      bulletDHCP
      bulletExtension Scripts - (How to extend Shorewall without modifying Shorewall code)
      bulletFallback/Uninstall
      bulletFirewall Structure
      bulletKernel Configuration
      bulletMy - Configuration Files (How I personally use Shorewall)
      bulletPort Information - - -
      bulletWhich applications use which ports
      bulletPorts used by Trojans
      -
      bulletProxy ARP
      bulletSamba
      bulletStarting/stopping the Firewall
      bulletStatic NAT
      bulletTunnels - - - -
      bulletIPSEC
      bulletGRE and IPIP
      bulletPPTP
      -
      bulletWhite List Creation
      +QuickStart Guides described above.

      +

      If you use one of these guides and have a suggestion for improvement please let me know.

      Copyright 2002 Thomas M. Eastep

      -       + \ No newline at end of file diff --git a/STABLE/documentation/shorewall_setup_guide.htm b/STABLE/documentation/shorewall_setup_guide.htm index 3ffd11b9e..fefe0e2ab 100644 --- a/STABLE/documentation/shorewall_setup_guide.htm +++ b/STABLE/documentation/shorewall_setup_guide.htm @@ -6,12 +6,12 @@ Shorewall Setup Guide - + - + -

      Shorewall Setup Guide

      +

      Shorewall Setup Guide

      1.0 Introduction
      2.0 Shorewall Concepts
      3.0 Network Interfaces
      @@ -38,7 +38,7 @@

    6.0 DNS
    7.0 Starting and Stopping the Firewall

    -

    1.0 Introduction

    +

    1.0 Introduction

    This guide is intended for users who are setting up Shorewall in an environment where a set of public IP addresses must be managed or who want to know more about Shorewall than is contained in the @@ -46,29 +46,33 @@ know more about Shorewall than is contained in the guides. Because the range of possible applications is so broad, the Guide will give you general guidelines and will point you to other resources as necessary.

    +

        +If you run LEAF Bering, your Shorewall configuration is NOT what I release -- I +suggest that you consider installing a stock Shorewall lrp from the +shorewall.net site before you proceed.

    This guide assumes that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the 'which' command to check for this program:

    -
         [root@gateway root]# which ip
+
         [root@gateway root]# which ip
      /sbin/ip
-     [root@gateway root]#
    I recommend that you first read through the 
+     [root@gateway root]#

    I recommend that you first read through the guide to familiarize yourself with what's involved then go back through it again making your configuration changes. Points at which configuration changes are recommended are flagged with .

        If you edit your configuration files on a Windows system, you must save them as Unix files if your editor supports that option or you must run them through -dos2unix before trying to use them. Similarly, if you copy a configuration file +dos2unix before trying to use them with Shorewall. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix against the copy before using it with Shorewall.

    -     - - -
    bulletWindows Version of - dos2unix
    bulletLinux Version of - dos2unix
    -

    2.0 Shorewall Concepts

    + +

    2.0 Shorewall Concepts

    The configuration files for Shorewall are contained in the directory /etc/shorewall -- for most setups, you will only need to deal with a few of these as described in this guide. Skeleton files are created during the @@ -78,24 +82,24 @@ look through the actual file on your system -- each file contains detailed configuration instructions and some contain default entries.

    Shorewall views the network where it is running as being composed of a set of zones. In the default installation, the following zone names are used:

    -     +
    - - + + - - + + - - + + - - + + -
    NameDescriptionNameDescription
    netThe InternetnetThe Internet
    locYour Local NetworklocYour Local Network
    dmzDemilitarized ZonedmzDemilitarized Zone
    +

    Zones are defined in the /etc/shorewall/zones file.

    Shorewall also recognizes the firewall system as its own zone - by default, @@ -110,16 +114,17 @@ or "because that is the DMZ".

    /etc/shorewall/zones file and make any changes necessary.

    Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.

    -     - - -
    bulletYou express your default policy for connections from one zone to another - zone in the /etc/shorewall/policy file.
    bulletYou define exceptions to those default policies in the - /etc/shorewall/rules file.
    +

    Shorewall is built on top of the Netfilter kernel facility. Netfilter -implements a connection tracking function that allow what is often referred -to as statefull inspection of packets. This statefull property allows +implements a + connection tracking function that allows what is often referred +to as stateful inspection of packets. This stateful property allows firewall rules to be defined in terms of connections rather than in terms of packets. With Shorewall, you:

      @@ -135,9 +140,9 @@ terms of packets. With Shorewall, you:

      is expressed in terms of the client's zone and the server's zone.

    - Just because connections of a particular type are allowed between zone A - and the firewall and are also allowed between the firewall and zone B - DOES NOT mean that these connections are allowed between zone A and zone + Just because connections of a particular type are allowed from zone A to the + firewall and are also allowed from the firewall to zone B + DOES NOT mean that these connections are allowed from zone A to zone B. It rather means that you can have a proxy running on the firewall that accepts a connection from zone A and then establishes its own separate connection from the firewall to zone B.

    @@ -149,36 +154,36 @@ request is first checked against the rules in /etc/shorewall/common.def.

    The default /etc/shorewall/policy file has the following policies:

    - +
    - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + -
    Source ZoneDestination ZonePolicyLog LevelLimit:BurstSource ZoneDestination ZonePolicyLog LevelLimit:Burst
    locnetACCEPT  locnetACCEPT  
    netallDROPinfo netallDROPinfo 
    allallREJECTinfo allallREJECTinfo 
    +

    The above policy will:

      @@ -191,23 +196,21 @@ following policies:

        At this point, edit your /etc/shorewall/policy and make any changes that you wish.

    -

    3.0 Network Interfaces

    +

    3.0 Network Interfaces

    For the remainder of this guide, we'll refer to the following diagram. While it may not look like your own network, it can be used to illustrate the important aspects of Shorewall configuration.

    In this diagram:

    -     - - - -
    bullet -

    The DMZ Zone consists of systems DMZ 1 and DMZ 2.

    -
    bullet -

    The Local Zone consists of systems Local 1, Local 2 and Local 3.

    -
    bullet -

    All systems from the ISP outward comprise the Internet Zone.

    -
    -

    +
      +
    • The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used to isolate your +internet-accessible servers from your local systems so that if one of those +servers is compromised, you still have the firewall between the compromised +system and your local systems.
      • +
    • The Local Zone consists of systems Local 1, Local 2 and Local 3.
      • +
    • All systems from the ISP outward comprise the Internet Zone.
      • +
    +

    +

    The simplest way to define zones is to simply associate the zone name (previously defined in /etc/shorewall/zones) with a network interface. This is done in the /etc/shorewall/interfaces @@ -239,50 +242,49 @@ cable).

    Do not connect more than one interface to the same hub or switch (even for testing). It won't work the way that you -expect it to and you will end up confused and -believing that Shorewall doesn't work at all.

    +expect it to and you will end up confused and believing that Linux networking doesn't work at all.

    For the remainder of this Guide, we will assume that:

    -     - - - -
    bullet -

    The external interface is eth0.

    -
    bullet -

    The Local interface is eth1.

    -
    bullet -

    The DMZ interface is eth2.

    -
    +
      +
    • +

      The external interface is eth0.

      +
      • +
    • +

      The Local interface is eth1.

      +
      • +
    • +

      The DMZ interface is eth2.

      +
      • +

    The Shorewall default configuration does not define the contents of any zone. To define the above configuration using the /etc/shorewall/interfaces file, that file would might contain:

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + -
    ZoneInterfaceBroadcastOptionsZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918neteth0detectnorfc1918
    loceth1detect loceth1detect 
    dmzeth2detect dmzeth2detect 
    +

        Edit the /etc/shorewall/interfaces file and define the network interfaces on @@ -291,61 +293,61 @@ is interfaced through more than one interface, simply include one entry for each interface and repeat the zone name as many times as necessary.

    Example:

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + -
    ZoneInterfaceBroadcastOptionsZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918neteth0detectnorfc1918
    loceth1detect loceth1detect 
    loceth2detectdhcploceth2detectdhcp
    +

    When you have more than one interface to a zone, you will usually want a policy that permits intra-zone traffic:

    - +
    - - - - - + + + + + - - - - - + + + + + -
    Source ZoneDestination ZonePolicyLog LevelLimit:BurstSource ZoneDestination ZonePolicyLog LevelLimit:Burst
    loclocACCEPT  loclocACCEPT  
    +

        You may define more complicated zones using the /etc/shorewall/hosts file but in most cases, that isn't necessary.

    -

    4.0 Addressing, Subnets and Routing

    +

    4.0 Addressing, Subnets and Routing

    Normally, your ISP will assign you a set of Public IP addresses. You will configure your firewall's external interface to use one of those addresses permanently and you will then have to decide how you are @@ -357,7 +359,7 @@ you may go to the next section.

    this subject, I highly recommend "IP Fundamentals: What Everyone Needs to Know about Addressing & Routing", Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.

    -

    4.1 IP Addresses

    +

    4.1 IP Addresses

    IP version 4 (IPv4) addresses are 32-bit numbers. The notation w.x.y.z refers to an address where the high-order byte has value "w", the next byte has value "x", etc. If we take the address 192.0.2.14 and express it in hexadecimal, @@ -369,10 +371,10 @@ we get:

    C000020E

    -

    4.2 Subnets

    +

    4.2 Subnets

    You will still hear the terms "Class A network", "Class B network" and "Class C network". In the early days of IP, networks only came -in three sizes:

    +in three sizes (there were also Class D networks but they were used differently):

    Class A - netmask 255.0.0.0, size = 2 ** 24

    Class B - netmask 255.255.0.0, size = 2 ** 16

    @@ -413,175 +415,176 @@ thing of the past.

    As you can see by this definition, in each subnet of size n there are (n - 2) usable addresses (addresses that can be assigned to hosts). The first and last address in the subnet are used for the subnet - address and subnet broadcast address respectively.

    + address and subnet broadcast address respectively. Consequently, small + subnetworks are more wasteful of IP addresses than are large ones.

    Since n is a power of two, we can easily calculate the Natural Logarithm (log2) of n. For the more common subnet sizes, the size and its natural logarithm are given in the following table:

    - +
    - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + -
    nllog2 n(32 - log2 n)nlog2 n(32 - log2 n)
    83298329
    1642816428
    3252732527
    6462664626
    128725128725
    256824256824
    512923512923
    1024102210241022
    2048112120481121
    4096122040961220
    8192131981921319
    163841418163841418
    327681517327681517
    655361616655361616
    +

    You will notice that the above table also contains a column - for (32 - log2 n). That number is the Variable Length Subnet Mask for a network of size n. From the above table, we can - extract the following one which is a little easier to use.

    + for (32 - log2 n). That number is the Variable Length Subnet Mask for a network of size n. + From the above table, we can derive the following one which is a little easier to use.

    - +
    - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + -
    Size of SubnetVLSMSubnet MaskSize of SubnetVLSMSubnet Mask
    8/29255.255.255.2488/29255.255.255.248
    16/28255.255.255.24016/28255.255.255.240
    32/27255.255.255.22432/27255.255.255.224
    64/26255.255.255.19264/26255.255.255.192
    128/25255.255.255.128128/25255.255.255.128
    256/24255.255.255.0256/24255.255.255.0
    512/23255.255.254.0512/23255.255.254.0
    1024/22255.255.252.01024/22255.255.252.0
    2048/21255.255.248.02048/21255.255.248.0
    4096/20255.255.240.04096/20255.255.240.0
    8192/19255.255.224.08192/19255.255.224.0
    16384/18255.255.192.016384/18255.255.192.0
    32768/17255.255.128.032768/17255.255.128.0
    65536/16255.255.0.065536/16255.255.0.0
    2 ** 24/8255.0.0.02 ** 24/8255.0.0.0
    +

    Notice that the VLSM is written with a slash ("/") -- you will often hear a subnet of size 64 referred to as a "slash 26" subnet and one of @@ -596,58 +599,59 @@ thing of the past.

    The subnet mask has the property that if you logically AND the subnet mask with an address in the subnet, the result is the subnet address. Just as important, if you logically AND the subnet mask with an address - outside the subnet, the result is NOT the subnet address.

    + outside the subnet, the result is NOT the subnet address. As we will see + below, this property of subnet masks is very useful in routing.

    For a subnetwork whose address is a.b.c.d and whose Variable Length Subnet Mask is /v, we denote the subnetwork as "a.b.c.d/v" using VLSM Notation

    Example:

    - +
    - - + + - - + + - - + + - - + + - - + + -
    Subnet:10.10.10.0 - 10.10.10.127Subnet:10.10.10.0 - 10.10.10.127
    Subnet Size:128Subnet Size:128
    Subnet Address:10.10.10.0Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.127Broadcast Address:10.10.10.127
    VLSM Notation:10.10.10.0/25VLSM Notation:10.10.10.0/25
    +

    There are two degenerate subnets that need mentioning; namely, the subnet with one member and the subnet with 2 ** 32 members.

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + -
    Size of SubnetworkVLSM LengthSubnet MaskVLSM NotationSize of SubnetworkVLSM LengthSubnet MaskVLSM Notation
    132255.255.255.255a.b.c.d/32132255.255.255.255a.b.c.d/32
    2 ** 3200.0.0.00.0.0.0/02 ** 3200.0.0.00.0.0.0/0
    +

    So any address a.b.c.d may also be written a.b.c.d/32 and the set of all possible IP addresses is written 0.0.0.0/0.

    @@ -658,12 +662,12 @@ ip address a.b.c.d and with the netmask that corresponds to VLSM /vExample: 192.0.2.65/29

        The interface is configured with IP address 192.0.2.65 and netmask 255.255.255.248.

    -

    4.3 Routing

    +

    4.3 Routing

    One of the purposes of subnetting is that it forms the basis for routing. Here's the routing table on my firewall:

    - 
    [root@gateway root]# netstat -nr
+    
    [root@gateway root]# netstat -nr
 Kernel IP routing table
 Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface
 192.168.9.1 	0.0.0.0 	255.255.255.255 UH    40  0         0 texas
@@ -676,7 +680,7 @@ Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface
 192.168.9.0     192.0.2.223 	255.255.255.0 	UG    40  0         0 texas
 127.0.0.0 	0.0.0.0 	255.0.0.0 	U     40  0         0 lo
 0.0.0.0 	206.124.146.254 0.0.0.0 	UG    40  0         0 eth0
-[root@gateway root]#
    
+[root@gateway root]#

    The device texas is a GRE tunnel to a peer site in the @@ -690,33 +694,33 @@ route and the gateway mentioned in that route is called the default gateway.

    When the kernel is trying to send a packet to IP address A, it starts at the top of the routing table and:

    -     - - - - -
    bullet +
      +

    • A is logically ANDed with the 'Genmask' value in the table entry.

      -
    bullet + +

  • The result is compared with the 'Destination' value in the table entry.

    -
    • bullet + +

  • If the result and the 'Destination' value are the same, then:

    -     - - -
    bullet +
      +

    • If the 'Gateway' column is non-zero, the packet is sent to the gateway over the interface named in the 'Iface' column.

      -
    bullet + +

  • Otherwise, the packet is sent directly to A over the interface named in the 'iface' column.

    -
    • -
    • bullet + + + +

  • Otherwise, the above steps are repeated on the next entry in the table.

    -
    • + +

    Since the default route matches any IP address (A land 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table entries are sent to the default gateway which is usually a router at your @@ -727,10 +731,17 @@ table but if we logically and that address with 255.255.255.0, the result is 192.168.1.0 which matches this routing table entry:

    - 
    192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2
    + 
    192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2

    So to route a packet to 192.168.1.5, the packet is sent directly over eth2.

    -

    4.4 Address Resolution Protocol

    +

    One more thing needs to be emphasized -- all outgoing packet are +sent using the routing table and reply packets are not a special case. There +seems to be a common mis-conception whereby people think that request packets +are like salmon and contain a genetic code that is magically transferred to +reply packets so that the replies follow the reverse route taken by the request. +That isn't the case; the replies may take a totally different route back to the +client than was taken by the requests -- they are totally independent.

    +

    4.4 Address Resolution Protocol

    When sending packets over Ethernet, IP addresses aren't used. Rather Ethernet addressing is based on Media Access Control (MAC) addresses. Each Ethernet device has it's own unique  MAC address which is @@ -738,13 +749,13 @@ burned into a PROM on the device during manufacture. You can obtain the MAC of an Ethernet device using the 'ip' utility:

    - 
    [root@gateway root]# ip addr show eth0
+    
    [root@gateway root]# ip addr show eth0
 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
 link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
 inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
 inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0
 inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0
-[root@gateway root]#
    
+[root@gateway root]#
    @@ -760,7 +771,7 @@ inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0
    - 
    [root@gateway root]# tcpdump -nei eth2 arp
+      
    [root@gateway root]# tcpdump -nei eth2 arp
 tcpdump: listening on eth2
 09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254
 09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0
@@ -768,7 +779,7 @@ tcpdump: listening on eth2
 2 packets received by filter
 0 packets dropped by kernel
 [root@gateway root]#
-
    
+
    @@ -782,12 +793,12 @@ IP<->MAC correspondences. You can see the ARP cache on your system (includ your Windows system) using the 'arp' command:

    - 
    [root@gateway root]# arp -na
+    
    [root@gateway root]# arp -na
 ? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
 ? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
 ? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
 ? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
-? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
    
+? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2

    The leading question marks are a result of my having specified @@ -796,23 +807,23 @@ program to forego IP->DNS name translation. Had I not given that option, the question marks would have been replaced with the FQDN corresponding to each IP address. Notice that the last entry in the table records the information we saw using tcpdump above.

    -

    4.5 RFC 1918

    +

    4.5 RFC 1918

    IP addresses are allocated by the Internet Assigned Number Authority (IANA) who delegates allocations on a geographic basis to Regional Internet Registries (RIRs). For example, allocation for the Americas and for sub-Sahara Africa is delegated to the American Registry for Internet Numbers (ARIN). These RIRs may in turn delegate to -national registrys. Most of us don't deal with these registrars but rather get +national registries. Most of us don't deal with these registrars but rather get our IP addresses from our ISP.

    It's a fact of life that most of us can't afford as many Public IP addresses as we have devices to assign them to so we end up making use of Private IP addresses. RFC 1918 reserves several IP address ranges for this purpose:

    - 
         10.0.0.0    - 10.255.255.255
+  
         10.0.0.0    - 10.255.255.255
      172.16.0.0  - 172.31.255.255
-     192.168.0.0 - 192.168.255.255
    
+     192.168.0.0 - 192.168.255.255

    The addresses reserved by RFC 1918 are sometimes referred to @@ -823,21 +834,21 @@ purpose:

    When selecting addresses from these ranges, there's a couple of things to keep in mind:

    - - - -
    bullet

    As the IPv4 address space becomes depleted, more and more +

      +

    • As the IPv4 address space becomes depleted, more and more organizations (including ISPs) are beginning to use RFC 1918 addresses in - their infrastructure.

    bullet

    You don't want to use addresses that are being used by + their infrastructure. +

  • You don't want to use addresses that are being used by your ISP or by another organization with whom you want to establish a VPN - relationship.

    • + relationship. +

    So it's a good idea to check with your ISP to see if they are using (or are planning to use) private addresses before you decide the addresses that you are going to use.

    -

    5.0 Setting up your Network

    +

    5.0 Setting up your Network

    The choice of how to set up your network depends primarily on @@ -861,7 +872,7 @@ purpose:

    In the subsections that follow, we'll look at each of these separately.

    -

    5.1 Routed

    +

    5.1 Routed

    Let's assume that your ISP has assigned you the subnet @@ -872,7 +883,8 @@ purpose:

    addresses, you are able to subnet your /28 into two /29's and set up your network as shown in the following diagram.
    -

    +

    +

    Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local network is 192.0.2.72/29. The default gateway for hosts in the DMZ would be @@ -893,10 +905,10 @@ purpose:

    DMZ 1 will look like this:
    - 
    Kernel IP routing table
+    
    Kernel IP routing table
 Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface
 192.0.2.64 	0.0.0.0 	255.255.255.248 U     40  0         0 eth0
-0.0.0.0 	192.0.2.66	0.0.0.0 	UG    40  0         0 eth0
    
+0.0.0.0 	192.0.2.66	0.0.0.0 	UG    40  0         0 eth0
    @@ -914,7 +926,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface of the firewall's interfaces that connect to the hub/switch can respond! It is then a race as to which "here-is" response reaches the sender first.
    -

    5.2 Non-routed

    +

    5.2 Non-routed

    If you have the above situation but it is @@ -934,24 +946,24 @@ Destination Gateway Genmask Flags MSS Window irtt Iface and there aren't enough addresses for all of the network interfaces. There are four different techniques that can be used to work around this problem.

    - - - - - -
    bullet -

    Source Network Address Translation (SNAT).

    bullet +
      +
    • +

      Source Network Address Translation (SNAT).

      • +

    • Destination Network Address Translation (DNAT) also - known as Port Forwarding.

    bullet -

    Proxy ARP.

    bullet + known as Port Forwarding. +
  • +

    Proxy ARP.

    • +

  • Network Address Translation (NAT) also referred to as - Static NAT.

    • + Static NAT. +

    Often a combination of these techniques is used. Each of these will be discussed in the sections that follow.

    -

     5.2.1 SNAT

    +

     5.2.1 SNAT

    With SNAT, an internal LAN segment is configured using RFC 1918 @@ -966,7 +978,8 @@ Destination Gateway Genmask Flags MSS Window irtt Iface and use public address 192.0.2.176 as both your firewall's external IP address and the source IP address of internet requests sent from that zone.

    -

    +

    +

    The local zone has been subnetted as 192.168.201.0/29 (netmask @@ -985,18 +998,18 @@ Destination Gateway Genmask Flags MSS Window irtt Iface /etc/shorewall/masq file.
    - +
    - - - + + + - - - + + + -
    INTERFACESUBNETADDRESSINTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176eth0192.168.201.0/29192.0.2.176
    +
    @@ -1007,7 +1020,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface external interface or you could set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf and Shorewall will add the address for you.
    -

    5.2.2 DNAT

    +

    5.2.2 DNAT

    When SNAT is used, it is impossible for hosts on the internet @@ -1021,26 +1034,26 @@ Destination Gateway Genmask Flags MSS Window irtt Iface entry in /etc/shorewall/rules:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATIONACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
    DNATnetloc:192.168.201.4tcpwww-192.0.2.176DNATnetloc:192.168.201.4tcpwww-192.0.2.176
    +
    @@ -1056,29 +1069,30 @@ Destination Gateway Genmask Flags MSS Window irtt Iface You can use another of your public IP addresses but Shorewall will not add that address to the firewall's external interface for you.
    -

    5.2.3 Proxy ARP

    +

    5.2.3 Proxy ARP

    The idea behind proxy ARP is that:

    - - - - -
    bullet +
      +

    • A host H behind your firewall is assigned one of your public IP addresses (A) and is assigned the same netmask (M) as - the firewall's external interface.

    bullet -

    The firewall responds to ARP "who has" requests for A.

    bullet + the firewall's external interface. +
  • +

    The firewall responds to ARP "who has" requests for A.

    • +

  • When H issues an ARP "who has" request for an address in the subnetwork defined by A and M, the firewall will respond - (with the MAC if the firewall interface to H).

    • + (with the MAC if the firewall interface to H). +

    Let suppose that we decide to use Proxy ARP on the DMZ in our example network.

    -

    +

    +

    Here, we've assigned the IP addresses 192.0.2.177 to system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned an arbitrary RFC 1918 IP @@ -1093,33 +1107,65 @@ Destination Gateway Genmask Flags MSS Window irtt Iface /etc/shorewall/proxyarp file.
    - +
    - - - - + + + + - - - - + + + + - - - - + + + + -
    ADDRESSINTERFACEEXTERNALHAVE ROUTEADDRESSINTERFACEEXTERNALHAVE ROUTE
    192.0.2.177eth2eth0No192.0.2.177eth2eth0No
    192.0.2.178eth2eth0No192.0.2.178eth2eth0No
    +

    Because the HAVE ROUTE column contains No, Shorewall will add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.

    -

    5.2.4 Static NAT

    +

    A word of warning is in order here. ISPs typically configure + their routers with a long ARP cache timeout. If you move a system from + parallel to your firewall to behind your firewall with Proxy ARP, it will + probably be HOURS before that system can communicate with the internet. You + can call your ISP and ask them to purge the stale ARP cache entry but many + either can't or won't purge individual entries. You can determine if your + ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we + suspect that the gateway router has a stale ARP cache entry for 192.0.2.177. + On the firewall, run tcpdump as follows:

    +
    + 
    	tcpdump -nei eth0 icmp
    +
    +
    +

    Now from 192.0.2.177, ping the default gateway (which we are + assuming is 192.0.2.254):

    +
    + 
    	ping 192.0.2.254
    +
    +
    +

    We can now observe the tcpdump output:

    +
    + 
    	13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
+	13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 192.0.2.254 > 192.0.2.177 : icmp: echo reply
    +
    +
    +

    Notice that the source MAC address in the echo request is + different from the destination MAC address in the echo reply!! In this case + 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 + was the MAC address of DMZ 1. In other words, the gateway's ARP cache still + associates 192.0.2.177 with the NIC in DMZ 1 rather than with the firewall's + eth0.

    +
    +

    5.2.4 Static NAT

    With static NAT, you assign local systems RFC 1918 addresses @@ -1128,25 +1174,25 @@ Destination Gateway Genmask Flags MSS Window irtt Iface DNAT occurs. Let's go back to our earlier example involving your daughter's web server running on system Local 3.

    -

    +

    Recall that in this setup, the local network is using SNAT and is sharing the firewall external IP (192.0.2.176) for outbound connections. This is done with the following entry in /etc/shorewall/masq:

    - +
    - - - + + + - - - + + + -
    INTERFACESUBNETADDRESSINTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176eth0192.168.201.0/29192.0.2.176
    +
    @@ -1156,22 +1202,22 @@ Destination Gateway Genmask Flags MSS Window irtt Iface adding an entry in /etc/shorewall/nat.
    - +
    - - - - - + + + + + - - - - - + + + + + -
    EXTERNALINTERFACEINTERNALALL INTERFACES LOCALEXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
    192.0.2.179eth0192.168.201.4NoNo192.0.2.179eth0192.168.201.4NoNo
    +
    @@ -1185,30 +1231,30 @@ Destination Gateway Genmask Flags MSS Window irtt Iface rather just use an ACCEPT rule:
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATIONACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
    ACCEPTnetloc:192.168.201.4tcpwww  ACCEPTnetloc:192.168.201.4tcpwww  
    +
    -

    5.3 Rules

    +

    5.3 Rules

        @@ -1225,43 +1271,43 @@ Destination Gateway Genmask Flags MSS Window irtt Iface

    You probably want to allow ping between your zones:

    - +
    - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTACTIONSOURCEDESTINATIONPROTOCOLPORT
    ACCEPTnetdmzicmpecho-requestACCEPTnetdmzicmpecho-request
    ACCEPTnetlocicmpecho-requestACCEPTnetlocicmpecho-request
    ACCEPTdmzlocicmpecho-requestACCEPTdmzlocicmpecho-request
    ACCEPTlocdmzicmpecho-requestACCEPTlocdmzicmpecho-request
    +
    @@ -1269,88 +1315,88 @@ Destination Gateway Genmask Flags MSS Window irtt Iface a Web Server on DMZ 1. The rules that you would need are:
    - +
    - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTSACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the InternetACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
    ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the InternetACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
    ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local NetworkACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
    ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local NetworkACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
    ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the FirewallACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
    ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the InternetACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
    ACCEPTnetdmz:192.0.2.177tcphttp# WWW from the NetACCEPTnetdmz:192.0.2.177tcphttp# WWW from the Net
    ACCEPTnetdmz:192.0.2.177tcphttps# Secure HTTP from the NetACCEPTnetdmz:192.0.2.177tcphttps# Secure HTTP from the Net
    ACCEPTlocdmz:192.0.2.177tcphttps# Secure HTTP from the Local NetACCEPTlocdmz:192.0.2.177tcphttps# Secure HTTP from the Local Net
    +
    @@ -1358,80 +1404,80 @@ Destination Gateway Genmask Flags MSS Window irtt Iface to add the following rules:
    - +
    - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTSACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the InternetACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
    ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internetACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
    ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewallACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
    ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewallACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
    ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local NetACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
    ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local NetACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
    ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the InternetACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
    ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the InternetACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
    +
    @@ -1440,36 +1486,36 @@ Destination Gateway Genmask Flags MSS Window irtt Iface scp utility can also do publishing and software update distribution.
    - +
    - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTSACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTlocdmztcpssh# SSH to the DMZACCEPTlocdmztcpssh# SSH to the DMZ
    ACCEPTlocfwtcpssh# SSH to the FirewallACCEPTlocfwtcpssh# SSH to the Firewall
    +
    -

    5.4 Odds and Ends

    +

    5.4 Odds and Ends

    The above discussion reflects my personal preference for using @@ -1492,32 +1538,32 @@ Destination Gateway Genmask Flags MSS Window irtt Iface site-specific).

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + -
    ZoneInterfaceBroadcastOptionsZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918,routefilter neteth0detectnorfc1918,routefilter
    loceth1detect loceth1detect 
    dmzeth2detect dmzeth2detect 
    +
    @@ -1528,302 +1574,302 @@ Destination Gateway Genmask Flags MSS Window irtt Iface you bring up your network interfaces.
    - +
    - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + -
    ZoneInterfaceBroadcastOptionsZoneInterfaceBroadcastOptions
    neteth0192.0.2.255norfc1918,routefilter neteth0192.0.2.255norfc1918,routefilter
    loceth1192.168.201.7 loceth1192.168.201.7 
    dmzeth2192.168.202.7 dmzeth2192.168.202.7 
    +

    /etc/shorewall/masq - Local subnet

    - +
    - - - + + + - - - + + + -
    INTERFACESUBNETADDRESSINTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176eth0192.168.201.0/29192.0.2.176
    +

    /etc/shorewall/proxyarp - DMZ

    - +
    - - - - + + + + - - - - + + + + - - - - + + + + -
    ADDRESSINTERFACEEXTERNALHAVE ROUTEADDRESSINTERFACEEXTERNALHAVE ROUTE
    192.0.2.177eth2eth0No192.0.2.177eth2eth0No
    192.0.2.178eth2eth0No192.0.2.178eth2eth0No
    +

    /etc/shorewall/nat- Daughter's System

    - +
    - - - - - + + + + + - - - - - + + + + + -
    EXTERNALINTERFACEINTERNALALL INTERFACES LOCALEXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
    192.0.2.179eth0192.168.201.4NoNo192.0.2.179eth0192.168.201.4NoNo
    +

    /etc/shorewall/rules

    - +
    - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTSACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the InternetACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
    ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the InternetACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
    ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local NetworkACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
    ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local NetworkACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
    ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the FirewallACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
    ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the InternetACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
    ACCEPTnetdmz:192.0.2.178tcphttp# WWW from the NetACCEPTnetdmz:192.0.2.178tcphttp# WWW from the Net
    ACCEPTnetdmz:192.0.2.178tcphttps# Secure HTTP from the NetACCEPTnetdmz:192.0.2.178tcphttps# Secure HTTP from the Net
    ACCEPTlocdmz:192.0.2.178tcphttps# Secure HTTP from the Local NetACCEPTlocdmz:192.0.2.178tcphttps# Secure HTTP from the Local Net
    ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the InternetACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
    ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internetACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
    ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewallACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
    ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewallACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
    ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local NetACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
    ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local NetACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
    ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the InternetACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
    ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the InternetACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
    ACCEPTnetdmzicmpecho-request# PingACCEPTnetdmzicmpecho-request# Ping
    ACCEPTnetlocicmpecho-request#  "ACCEPTnetlocicmpecho-request#  "
    ACCEPTdmzlocicmpecho-request# "ACCEPTdmzlocicmpecho-request# "
    ACCEPTlocdmzicmpecho-request# "ACCEPTlocdmzicmpecho-request# "
    ACCEPTlocdmztcpssh# SSH to the DMZACCEPTlocdmztcpssh# SSH to the DMZ
    ACCEPTlocfwtcpssh# SSH to the FirewallACCEPTlocfwtcpssh# SSH to the Firewall
    +
    -

    6.0 DNS

    +

    6.0 DNS

    Given the collection of RFC 1918 and public addresses in this @@ -1845,7 +1891,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface

    - 
    options {
+      
    options {
 	directory "/var/named";
 	listen-on { 127.0.0.1 ; 192.0.2.177; };
 };
@@ -1861,10 +1907,10 @@ logging {
 	category xfer-in { xfer-log; };
 	category xfer-out { xfer-log; };
 	category notify { xfer-log; };
-};
    
+};
    - 
    #
+      
    #
 # This is the view presented to our internal systems
 #
 
@@ -1996,7 +2042,7 @@ view "external" {
 		allow-transfer { <secondary NS IP>; };
 		file "db.192.0.2.179";
 	};
-};
    
+};
    @@ -2004,7 +2050,7 @@ view "external" {

    Here are the files in /var/named (those not shown are usually included in your bind disbribution).

    db.192.0.2.176 - This is the reverse zone for the firewall's external interface

    - 
    ; ############################################################
+    
    ; ############################################################
 ; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32
 ; Filename: db.192.0.2.176
 ; ############################################################
@@ -2025,13 +2071,13 @@ view "external" {
 ; Iverse Address Arpa Records (PTR's) 
 ; ############################################################
 176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.
-
    
+
    db.192.0.2.177 - This is the reverse zone for the www/DNS server
    - 
    ; ############################################################
+    
    ; ############################################################
 ; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32
 ; Filename: db.192.0.2.177
 ; ############################################################
@@ -2052,14 +2098,14 @@ view "external" {
 ; Iverse Address Arpa Records (PTR's) 
 ; ############################################################
 177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.
-
    
+
    db.192.0.2.178 - This is the reverse zone for the mail server
    - 
    ; ############################################################
+    
    ; ############################################################
 ; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32
 ; Filename: db.192.0.2.178
 ; ############################################################
@@ -2080,7 +2126,7 @@ view "external" {
 ; Iverse Address Arpa Records (PTR's) 
 ; ############################################################
 178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.
-
    
+
    @@ -2088,7 +2134,7 @@ view "external" {
    db.192.0.2.179 - This is the reverse zone for daughter's web server's public IP
    - 
    ; ############################################################
+    
    ; ############################################################
 ; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32
 ; Filename: db.192.0.2.179
 ; ############################################################
@@ -2109,7 +2155,7 @@ view "external" {
 ; Iverse Address Arpa Records (PTR's) 
 ; ############################################################
 179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.
-
    
+
    @@ -2117,7 +2163,7 @@ view "external" {

    int/db.127.0.0 - The reverse zone for localhost

    - 
    ; ############################################################
+    
    ; ############################################################
 ; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8
 ; Filename: db.127.0.0
 ; ############################################################
@@ -2135,7 +2181,7 @@ view "external" {
 ; ############################################################
 ; Iverse Address Arpa Records (PTR's)
 ; ############################################################
-1	86400		IN PTR	localhost.foobar.net.
    
+1	86400		IN PTR	localhost.foobar.net.
    @@ -2143,7 +2189,7 @@ view "external" { only shown to internal clients
    - 
    ; ############################################################
+    
    ; ############################################################
 ; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29
 ; Filename: db.192.168.201
 ; ############################################################
@@ -2165,7 +2211,7 @@ view "external" {
 1	86400		IN PTR 	gateway.foobar.net.
 2	86400		IN PTR	winken.foobar.net.
 3	86400		IN PTR	blinken.foobar.net.
-4	86400		IN PTR	nod.foobar.net.
    
+4	86400		IN PTR	nod.foobar.net.
    @@ -2174,7 +2220,7 @@ view "external" {
    - 
    ; ############################################################
+      
    ; ############################################################
 ; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29
 ; Filename: db.192.168.202
 ; ############################################################
@@ -2193,7 +2239,7 @@ view "external" {
 ; ############################################################
 ; Iverse Address Arpa Records (PTR's)
 ; ############################################################
-1 		86400 IN PTR	dmz.foobar.net.
    
+1 		86400 IN PTR	dmz.foobar.net.
    @@ -2201,7 +2247,7 @@ view "external" {

    int/db.foobar - Forward zone for use by internal clients.

    - 
    ;##############################################################
+    
    ;##############################################################
 ; Start of Authority for foobar.net.
 ; Filename: db.foobar
 ;##############################################################
@@ -2229,7 +2275,7 @@ www		86400	IN A	192.0.2.177
 gateway		86400	IN A 	192.168.201.1
 winken		86400	IN A 	192.168.201.2
 blinken		86400	IN A	192.168.201.3
-nod		86400	IN A	192.168.201.4
    
+nod		86400	IN A	192.168.201.4
    @@ -2237,7 +2283,7 @@ nod 86400 IN A 192.168.201.4
    - 
    ;##############################################################
+      
    ;##############################################################
 ; Start of Authority for foobar.net.
 ; Filename: db.foobar
 ;##############################################################
@@ -2280,12 +2326,12 @@ nod		86400	IN A	192.0.2.179
 ;############################################################
 foobar.net.	86400	IN A	192.0.2.177
 		86400 	IN MX 0 mail.foobar.net.
-		86400	IN MX 1 <backup MX>.
    
+		86400	IN MX 1 <backup MX>.
    -

    7.0 Starting and Stopping Your Firewall

    +

    7.0 Starting and Stopping Your Firewall

    The installation procedure @@ -2312,11 +2358,11 @@ foobar.net. 86400 IN A 192.0.2.177 test it using the "shorewall try" command.

    Last updated -8/2/2002 - Tom +8/18/2002 - Tom Eastep

    Copyright 2002 Thomas M. Eastep

    -     + \ No newline at end of file diff --git a/STABLE/documentation/spam_filters.htm b/STABLE/documentation/spam_filters.htm index 2efd8f1d2..b230cdda6 100644 --- a/STABLE/documentation/spam_filters.htm +++ b/STABLE/documentation/spam_filters.htm @@ -6,14 +6,21 @@ SPAM Filters - - + -

    SPAM Filters
    + + + + +
    +

    SPAM Filters

    +
    + +


    -

    +

    Like all of you, I'm concerned about the increasing volume of Unsolicited Commercial Email (UCE or SPAM). I am therefore sympathetic with those of you who are installing SPAM filters on your mail servers. A couple of recent incidents @@ -32,6 +39,6 @@ delivery (or you can reenable delivery yourself).

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/standalone.htm b/STABLE/documentation/standalone.htm index 9347d4a8d..c09af0eda 100644 --- a/STABLE/documentation/standalone.htm +++ b/STABLE/documentation/standalone.htm @@ -6,32 +6,39 @@ Standalone Firewall - - + -

    Standalone Firewall

    + + + + +
    -

    Version 2.0.1

    +

    Standalone Firewall

    + +
    + +

    Version 2.0.1

    Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the documentation.

    This guide doesn't attempt to acquaint you with all of the features of Shorewall. It rather focuses on what is required to configure Shorewall in one of its most common configurations:

    -     - - - -
    bulletLinux system
    bulletSingle external IP address
    bulletConnection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...
    +
      +
    • Linux system
      • +
    • Single external IP address
      • +
    • Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...
      • +

    This guide assumes that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the 'which' command to check for this program:

    -
         [root@gateway root]# which ip
+
         [root@gateway root]# which ip
      /sbin/ip
-     [root@gateway root]#
    I recommend that you read through the guide 
+     [root@gateway root]#

    I recommend that you read through the guide first to familiarize yourself with what's involved then go back through it again making your configuration changes.  Points at which configuration changes are recommended are flagged with .

    @@ -41,13 +48,13 @@ Unix files if your editor supports that option or you must run them through dos2unix before trying to use them. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix against the copy before using it with Shorewall.

    -     - - -
    bulletWindows Version of - dos2unix
    bulletLinux Version of - dos2unix
    -

    Shorewall Concepts

    + +

    Shorewall Concepts

    The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you only need to deal with a few of these as described in this guide. After you have installed Shorewall, @@ -61,28 +68,28 @@ configuration instructions and default entries.

    Shorewall views the network where it is running as being composed of a set of zones. In the one-interface sample configuration, only one zone is defined:

    -     +
    - - + + - - + + -
    NameDescriptionNameDescription
    netThe InternetnetThe Internet
    +

    Shorewall zones are defined in /etc/shorewall/zones.

    Shorewall also recognizes the firewall system as its own zone - by default, the firewall itself is known as fw.

    Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.

    -     - - -
    bulletYou express your default policy for connections from one zone to another - zone in the /etc/shorewall/policy file.
    bulletYou define exceptions to those default policies in the - /etc/shorewall/rules file.
    +

    For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the @@ -93,40 +100,40 @@ file for you).

    The /etc/shorewall/policy file included with the one-interface sample has the following policies:

    - +
    - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + -
    SOURCE ZONEDESTINATION ZONEPOLICYLOG LEVELLIMIT:BURSTSOURCE ZONEDESTINATION ZONEPOLICYLOG LEVELLIMIT:BURST
    fwnetACCEPT  fwnetACCEPT  
    netnetDROPinfo netnetDROPinfo 
    allallREJECTinfo allallREJECTinfo 
    +
    -
         fw		net	ACCEPT
+
         fw		net	ACCEPT
      net	all	DROP	info
-     all	all	REJECT	info
    
+     all	all	REJECT	info

    The above policy will:

    1. allow all connection requests from the firewall to the internet
      2. @@ -136,7 +143,7 @@ following policies:

    At this point, edit your /etc/shorewall/policy and make any changes that you wish.

    -

    External Interface

    +

    External Interface

    The firewall has a single network interface. Where Internet connectivity is through a cable or DSL "Modem", the External Interface will be the ethernet adapter (eth0) that is connected to that "Modem"  @@ -150,24 +157,24 @@ the external interface is eth0. If your configuration is different, you will have to modify the sample /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interface. Some hints:

    -     - - -
    bullet +
      +

    • If your external interface is ppp0 or ippp0, you can replace the - "detect" in the second column with "-".

    bullet + "detect" in the second column with "-". +

  • If your external interface is ppp0 or ippp0 or if you have a static IP - address, you can remove "dhcp" from the option list.

    • + address, you can remove "dhcp" from the option list. +
    -

    IP Addresses

    +

    IP Addresses

    RFC 1918 reserves several Private IP address ranges for use in private networks:

    - 
         10.0.0.0    - 10.255.255.255
+  
         10.0.0.0    - 10.255.255.255
      172.16.0.0  - 172.31.255.255
-     192.168.0.0 - 192.168.255.255
    
+     192.168.0.0 - 192.168.255.255

    These addresses are sometimes referred to as non-routable because the Internet backbone routers will not forward a packet whose @@ -179,32 +186,32 @@ use in private networks:

    interface and if it is one of the above ranges, you should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.
    -

    Enabling other Connections

    +

    Enabling other Connections

    If you wish to enable connections from the internet to your firewall, the general format is:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfw<protocol><port>  ACCEPTnetfw<protocol><port>  
    +
    @@ -212,35 +219,35 @@ use in private networks:

    system:
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp80  ACCEPTnetfwtcp80  
    ACCEPTnetfwtcp110  ACCEPTnetfwtcp110  
    +
    @@ -252,36 +259,36 @@ use in private networks:

    access to your firewall from the internet, use SSH:
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp22  ACCEPTnetfwtcp22  
    +
    - 
         ACCEPT	net	fw	tcp	22
    + 
         ACCEPT	net	fw	tcp	22

        At this point, edit /etc/shorewall/rules to add other connections as desired.

    -

    Starting and Stopping Your Firewall

    +

    Starting and Stopping Your Firewall

    The installation procedure @@ -308,6 +315,6 @@ Eastep

    Copyright 2002 Thomas M. Eastep

    -     + \ No newline at end of file diff --git a/STABLE/documentation/starting_and_stopping_shorewall.htm b/STABLE/documentation/starting_and_stopping_shorewall.htm index 6d82fd67e..67cc82150 100644 --- a/STABLE/documentation/starting_and_stopping_shorewall.htm +++ b/STABLE/documentation/starting_and_stopping_shorewall.htm @@ -6,14 +6,19 @@ Starting and Stopping Shorewall - - + -

    Starting/Stopping and Monitoring the Firewall

    + + + + +
    +

    Starting/Stopping and Monitoring the Firewall

    +
    @@ -46,71 +51,76 @@ from this default, you can use the "--level" option in chkconfig You can manually start and stop Shoreline Firewall using the "shorewall" shell program:

    -     - - - - - - -
    bulletshorewall start - starts the firewall
    bulletshorewall stop - stops the firewall
    bulletshorewall restart - stops the firewall (if it's running) and - then starts it again
    bulletshorewall reset - reset the packet and byte counters in the -firewall
    bulletshorewall clear - remove all rules and chains installed by -Shoreline Firewall
    bulletshorewall refresh - refresh the rules involving the broadcast addresses - of firewall interfaces and the black and white lists.
    +
      +
    • shorewall start - starts the firewall
      • +
    • shorewall stop - stops the firewall
      • +
    • shorewall restart - stops the firewall (if it's running) and + then starts it again
      • +
    • shorewall reset - reset the packet and byte counters in the +firewall
      • +
    • shorewall clear - remove all rules and chains installed by +Shoreline Firewall
      • +
    • shorewall refresh - refresh the rules involving the broadcast addresses + of firewall interfaces and the black and white lists.
      • +

    The "shorewall" program may also be used to monitor the firewall.

    -     - - - - - - - - - - - - - - -
    bulletshorewall status - produce a verbose report about the firewall - (iptables -L -n -v)
    bulletshorewall show chain - produce a verbose report about chain - (iptables -L chain -n -v)
    bulletshorewall show nat - produce a verbose report about the nat table - (iptables -t nat -L -n -v)
    bulletshorewall show tos - produce a verbose report about the mangle table - (iptables -t mangle -L -n -v)
    bulletshorewall show log - display the last 20 packet log entries.
    bulletshorewall show connections - displays the IP connections currently being - tracked by the firewall.
    bulletshorewall +
      +
    • shorewall status - produce a verbose report about the firewall + (iptables -L -n -v)
      • +
    • shorewall show chain - produce a verbose report about chain + (iptables -L chain -n -v)
      • +
    • shorewall show nat - produce a verbose report about the nat table + (iptables -t nat -L -n -v)
      • +
    • shorewall show tos - produce a verbose report about the mangle table + (iptables -t mangle -L -n -v)
      • +
    • shorewall show log - display the last 20 packet log entries.
      • +
    • shorewall show connections - displays the IP connections currently being + tracked by the firewall.
      • +
    • shorewall show tc - - displays information about the traffic control/shaping configuration.
    bulletshorewall monitor [ delay ] - Continuously display the firewall + - displays information about the traffic control/shaping configuration. +
  • shorewall monitor [ delay ] - Continuously display the firewall status, last 20 log entries and nat. When the log entry display - changes, an audible alarm is sounded.
    • bulletshorewall hits - Produces several reports about the Shorewall packet log - messages in the current /var/log/messages file.
    bulletshorewall version - Displays the installed - version number.
    bulletshorewall check - Performs a cursory validation - of the zones, interfaces, hosts, rules and policy files.
    bulletshorewall try configuration-directory [ timeout ] - Restart shorewall using the + changes, an audible alarm is sounded. +
  • shorewall hits - Produces several reports about the Shorewall packet log + messages in the current /var/log/messages file.
    • +
  • shorewall version - Displays the installed + version number.
    • +
  • shorewall check - Performs a cursory validation + of the zones, interfaces, hosts, rules and policy files. + The "check" command does not parse and + validate the generated iptables commands so even though the "check" command + completes successfully, the configuration may fail to start. See the + recommended way to make configuration changes described below. +
    • +
  • shorewall try configuration-directory [ timeout ] - Restart shorewall using the specified configuration and if an error occurs or if the timeout option is given and the new configuration has been up for that many seconds - then shorewall is restarted using the standard configuration.
    • bulletshorewall deny, shorewall reject, shorewall accept and shorewall save - implement dynamic blacklisting.
    bulletshorewall logwatch (added in version 1.3.2) - Monitors the + then shorewall is restarted using the standard configuration. +
  • shorewall deny, shorewall reject, shorewall accept and shorewall save + implement dynamic blacklisting.
    • +
  • shorewall logwatch (added in version 1.3.2) - Monitors the LOGFILE and produces an audible alarm when new Shorewall - messages are logged.
    • + messages are logged. +

    - The shorewall start and - - shorewall restart commands allow you to specify which + The shorewall start, shorewall restart, shorewall check  and + shorewall try commands allow you to specify which Shorewall configuration to use:

    - shorewall [ -c configuration-directory ] {start|restart}

    + shorewall [ -c configuration-directory ] {start|restart|check}
    + shorewall try configuration-directory

    @@ -121,8 +131,43 @@ Shoreline Firewall +

    + When changing the configuration of a production firewall, I recommend the + following:

    + + + +
      +
    • mkdir /etc/test
      • +
    • cd /etc/test
      • +
    • <copy any files that you need to change from /etc/shorewall to . and change them here>
      • +
    • shorewall -c . check
      • +
    • <correct any errors found by check and check again>
      • +
    • /sbin/shorewall try .
      • +
    + +

    + If the configuration starts but doesn't work, just "shorewall restart" to + restore the old configuration. If the new configuration fails to start, the + "try" command will automatically start the old one for you.

    + + + +

    + When the new configuration works then just

    + + + +
      +
    • cp * /etc/shorewall
      • +
    • cd
      • +
    • rm -rf /etc/test
      • +
    + + +

    - Updated 7/26/2002 - Tom + Updated 8/8/2002 - Tom Eastep

    @@ -133,6 +178,6 @@ Eastep -     + - + \ No newline at end of file diff --git a/STABLE/documentation/subnet_masks.htm b/STABLE/documentation/subnet_masks.htm index 2067d5f9a..d3d0b3159 100644 --- a/STABLE/documentation/subnet_masks.htm +++ b/STABLE/documentation/subnet_masks.htm @@ -6,12 +6,17 @@ Subnet Masks - - + -

    Subnet Masks/VLSM Notation

    + + + + +
    +

    Subnet Masks/VLSM Notation

    +

    IP addresses and subnet masks are 32-bit numbers. The notation w.x.y.z refers to an address where the high-order byte has value "w", the next byte has value "x", etc. If we take 255.255.255.0 and express it in @@ -68,6 +73,6 @@ thing of the past.

    Eastep

    Copyright 2002 Thomas M. Eastep

    - + \ No newline at end of file diff --git a/STABLE/documentation/support.htm b/STABLE/documentation/support.htm index dd68ca30e..79ce8991f 100644 --- a/STABLE/documentation/support.htm +++ b/STABLE/documentation/support.htm @@ -6,34 +6,40 @@ Support - + - + -

    Shorewall Support

    + + + + +
    +

    Shorewall Support

    +
    -

    Before Reporting a Problem

    +

    Before Reporting a Problem

    -

    +

    "It is easier to post a problem than to use your own brain" -- -Weitse Venema (creator of Postfix)

    +Weitse Venema (creator of Postfix)

    There are a number of sources for problem solution information.

    -     - - - - -
    bulletThe Troubleshooting Information contains a - number of tips to help you solve common problems.
    bulletThe Errata has links to download updated - components.
    bulletThe FAQ has solutions to common problems.
    bulletThe Mailing List Archives are a useful source of problem solving - information.
    +
      +
    • The Troubleshooting Information contains a + number of tips to help you solve common problems.
      • +
    • The Errata has links to download updated + components.
      • +
    • The FAQ has solutions to common problems.
      • +
    • The Mailing List Archives are a useful source of problem solving + information.
      • +

    The archives from the mailing List are at http://www.shorewall.net/pipermail/shorewall-users.

    -

    Search the Mailing List Archives at Shorewall.net

    +

    Search the Mailing List Archives at Shorewall.net

    @@ -67,52 +73,55 @@ Search:

    -

    Problem Reporting Guidelines

    +

    Problem Reporting Guidelines

    -     - - - - - - - -
    bulletWhen reporting a problem, give as much information as you can. Reports -that say "I tried XYZ and it didn't work" are not at all helpful.
    bulletPlease don't describe your environment and then ask us to send you +
      +
    • When reporting a problem, give as much information as you can. Reports +that say "I tried XYZ and it didn't work" are not at all helpful.
      • +
    • Please don't describe your environment and then ask us to send you custom configuration files. We're here to answer your questions but we - can't do your job for you.
    bulletDo you see any "Shorewall" messages in /var/log/messages when you exercise -the function that is giving you problems?
    bulletHave you looked at the packet flow with a tool like tcpdump to try to -understand what is going on?
    bulletHave you tried using the diagnostic capabilities of the application that + can't do your job for you. +
  • Do you see any "Shorewall" messages in /var/log/messages when you exercise +the function that is giving you problems?
    • +
  • Have you looked at the packet flow with a tool like tcpdump to try to +understand what is going on?
    • +
  • Have you tried using the diagnostic capabilities of the application that isn't working? For example, if "ssh" isn't able to connect, using the -"-v" option gives you a lot of valuable diagnostic information.
    • bulletPlease include any of the Shorewall configuration files (especially the +"-v" option gives you a lot of valuable diagnostic information. +
  • Please include any of the Shorewall configuration files (especially the /etc/shorewall/hosts file if you have modified that file) that you think are relevant. If an error occurs when you try to "shorewall start", include a trace (See the Troubleshooting section for - instructions).
    • bulletThe list server limits posts to 120kb so don't post GIFs of your - network layout, etc to the Mailing List -- your post will be rejected.
    -

    Where to Send your Problem -Report or to Ask for Help

    -

    Please post your question or problem to the + instructions). +

  • The list server limits posts to 120kb so don't post GIFs of your + network layout, etc to the Mailing List -- your post will be rejected.
    • + +

    Where to Send your Problem +Report or to Ask for Help

    +

    If you run Shorewall under Bering -- please +post your question or problem to the +LEAF Users mailing list.

    +

    Otherwise, please post your question or problem to the Shorewall users mailing list; there are lots of folks there who are willing to help you. Your question/problem description and their responses will be placed in the mailing list archives to help people who have a similar question or problem in the future.

    -

    "It irks me when people believe that free software +

    "It irks me when people believe that free software comes at no cost. The cost is incredibly high." - - Weitse Venema

    + Weitse Venema

    I do not answer questions or work on problems sent to me personally but I try to respond promptly to mailing list posts.   -Tom

    To Subscribe to the mailing list go to http://www.shorewall.net/mailman/listinfo/shorewall-users .

    -

    Last Updated 8/5/2002 - Tom +

    Last Updated 8/17/2002 - Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/three-interface.htm b/STABLE/documentation/three-interface.htm index 61619bb2b..ad554638d 100644 --- a/STABLE/documentation/three-interface.htm +++ b/STABLE/documentation/three-interface.htm @@ -6,14 +6,19 @@ Three-Interface Firewall - - + -

    Three-Interface Firewall

    + + + + +
    +

    Three-Interface Firewall

    +
    -

    Version 2.0.1

    +

    Version 2.0.1

    Setting up a Linux system as a firewall for a small network with DMZ is a fairly straight-forward task if you understand the basics and follow the @@ -21,21 +26,22 @@ documentation.

    This guide doesn't attempt to acquaint you with all of the features of Shorewall. It rather focuses on what is required to configure Shorewall in one of its more popular configurations:

    -     - - - - -
    bulletLinux system used as a firewall/router for a small local network.
    bulletSingle external IP address.
    bulletDMZ connected to a separate ethernet interface.
    bulletConnection through DSL, Cable Modem, ISDN, Frame Relay, dial-up, ...
    +
      +
    • Linux system used as a firewall/router for a small local network.
      • +
    • Single external IP address.
      • +
    • DMZ connected to a separate ethernet interface.
      • +
    • Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up, ...
      • +

    Here is a schematic of a typical installation.

    -

    +

    +

    This guide assumes that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the 'which' command to check for this program:

    -
         [root@gateway root]# which ip
+
         [root@gateway root]# which ip
      /sbin/ip
-     [root@gateway root]#
    I recommend that you first read through the guide 
+     [root@gateway root]#

    I recommend that you first read through the guide to familiarize yourself with what's involved then go back through it again making your configuration changes. Points at which configuration changes are @@ -46,13 +52,13 @@ Unix files if your editor supports that option or you must run them through dos2unix before trying to use them. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix against the copy before using it with Shorewall.

    - - - -
    bulletWindows Version of - dos2unix
    bulletLinux Version of - dos2unix
    -

    Shorewall Concepts

    + +

    Shorewall Concepts

    The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will only need to deal with a few of these as described in this guide. After you have installed Shorewall, @@ -65,36 +71,36 @@ look through the actual file on your system -- each file contains detailed configuration instructions and default entries.

    Shorewall views the network where it is running as being composed of a set of zones. In the three-interface sample configuration, the following zone names are used:

    -     +
    - - + + - - + + - - + + - - + + -
    NameDescriptionNameDescription
    netThe InternetnetThe Internet
    locYour Local NetworklocYour Local Network
    dmzDemilitarized ZonedmzDemilitarized Zone
    +

    Zone names are defined in /etc/shorewall/zones.

    Shorewall also recognizes the firewall system as its own zone - by default, the firewall itself is known as fw.

    Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.

    -     - - -
    bulletYou express your default policy for connections from one zone to another - zone in the /etc/shorewall/policy file.
    bulletYou define exceptions to those default policies in the - /etc/shorewall/rules file.
    +

    For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the @@ -105,57 +111,57 @@ file for you).

    The /etc/shorewall/policy file included with the three-interface sample has the following policies:

    - +
    - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + -
    Source ZoneDestination ZonePolicyLog LevelLimit:BurstSource ZoneDestination ZonePolicyLog LevelLimit:Burst
    locnetACCEPT  locnetACCEPT  
    netallDROPinfo netallDROPinfo 
    allallREJECTinfo allallREJECTinfo 
    +

    In the three-interface sample, the line below is included but commented out. If you want your firewall system to have full access to servers on the internet, uncomment that line.

    -     +
    - - - - - + + + + + - - - - - + + + + + -
    Source ZoneDestination ZonePolicyLog LevelLimit:BurstSource ZoneDestination ZonePolicyLog LevelLimit:Burst
    fwnetACCEPT  fwnetACCEPT  
    +

    The above policy will:

      @@ -169,8 +175,9 @@ uncomment that line.

          At this point, edit your /etc/shorewall/policy file and make any changes that you wish.

      -

      Network Interfaces

      -

      +

      Network Interfaces

      +

      +

      The firewall has three network interfaces. Where Internet connectivity is through a cable or DSL "Modem", the External Interface will be the ethernet adapter that is connected to that "Modem" (e.g., eth0)  @@ -206,15 +213,15 @@ eth2. If your configuration is different, you will have to modify the sample /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interfaces. Some hints:

      -       - - -
      bullet +
        +

      • If your external interface is ppp0 or ippp0, you can replace the - "detect" in the second column with "-".

      bullet + "detect" in the second column with "-". +

    1. If your external interface is ppp0 or ippp0 or if you have a static IP - address, you can remove "dhcp" from the option list.

      2. -

      IP Addresses

      + address, you can remove "dhcp" from the option list. + +

      IP Addresses

      Before going further, we should say a few words about Internet Protocol (IP) addresses. Normally, your ISP will assign you a single Public IP address. This address may be assigned via the Dynamic Host @@ -228,9 +235,9 @@ for your internal network (the local and DMZ Interfaces on your firewall plus yo computers). RFC 1918 reserves several Private IP address ranges for this purpose:

      - 
           10.0.0.0    - 10.255.255.255
+  
           10.0.0.0    - 10.255.255.255
      172.16.0.0  - 172.31.255.255
-     192.168.0.0 - 192.168.255.255
      
+     192.168.0.0 - 192.168.255.255

          @@ -254,24 +261,24 @@ purpose:

      Example sub-network:

      - +
      - - + + - - + + - - + + - - + + -
      Range:10.10.10.0 - 10.10.10.255Range:10.10.10.0 - 10.10.10.255
      Subnet Address:10.10.10.0Subnet Address:10.10.10.0
      Broadcast Address:10.10.10.255Broadcast Address:10.10.10.255
      VLSM Notation:10.10.10.0/24VLSM Notation:10.10.10.0/24
      +
      @@ -297,10 +304,11 @@ Needs to Know about Addressing & Routing", Thomas A. Maufer, Prenti 1999, ISBN 0-13-975483-0.

      The remainder of this quide will assume that you have configured your network as shown here:

      -

      +

      +

      The default gateway for the DMZ computers would be 10.10.10.254 and the default gateway for the Local computers would be 10.10.10.254.

      -

      IP Masquerading (SNAT)

      +

      IP Masquerading (SNAT)

      The addresses reserved by RFC 1918 are sometimes referred to as non-routable because the Internet backbone routers don't forward packets which have an RFC-1918 destination address. When one of your local systems @@ -318,15 +326,15 @@ forwards the packet on to local computer 1.

      IP Masquerading       and you will also see the term Source Network Address Translation (SNAT) used. Shorewall follows the convention used with Netfilter:

      -       - - -
      bullet +
        +

      • Masquerade describes the case where you let your - firewall system automatically detect the external interface address.

      bullet + firewall system automatically detect the external interface address. +

    2. SNAT refers to the case when you explicitly specify the source address that you want outbound packets from your local network to use. -

      3. + +

      In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file.

          If your external firewall interface is eth0, your local @@ -338,7 +346,7 @@ is static, you can enter it in the third column in the /etc/shorewall/masq entry if you like although your firewall will work fine if you leave that column empty. Entering your static IP in column 3 makes processing outgoing packets a little more efficient.

      -

      Port Forwarding (DNAT)

      +

      Port Forwarding (DNAT)

      One of your goals will be to run one or more servers on your DMZ computers. Because these computers have RFC-1918 addresses, it is not possible for clients on the internet to connect directly to them. It is rather necessary for those clients to address their connection requests to your firewall @@ -351,119 +359,119 @@ forwarding using DNAT rules in the /etc/shorewall/rules file.

      The general form of a simple port forwarding rule in /etc/shorewall/rules is:

      - +
      - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
      ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
      DNATnetdmz:<server local ip address> [:<server port>]<protocol><port>  DNATnetdmz:<server local ip address> [:<server port>]<protocol><port>  
      +

      If you don't specify the <server port>, it is assumed to be the same as <port>.

      Example - you run a Web Server on DMZ 2 and you want to forward incoming TCP port 80 to that system:

      - +
      - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
      ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
      DNATnetdmz:10.10.11.2tcp80# Forward port 80from the internetDNATnetdmz:10.10.11.2tcp80# Forward port 80from the internet
      ACCEPTlocdmz:10.10.11.2tcp80#Allow connections from the local networkACCEPTlocdmz:10.10.11.2tcp80#Allow connections from the local network
      +

      A couple of important points to keep in mind:

      -       - - -
      bulletWhen you are connecting to your server from your local systems, you must - use the server's internal IP address (10.10.11.2).
      bulletMany ISPs block incoming connection requests to port 80. If you have +
        +
      • When you are connecting to your server from your local systems, you must + use the server's internal IP address (10.10.11.2).
        • +
      • Many ISPs block incoming connection requests to port 80. If you have problems connecting to your web server, try the following rule and try connecting to port 5000 (e.g., connect to - http://w.x.y.z:5000 where w.x.y.z is your external IP).
      + http://w.x.y.z:5000 where w.x.y.z is your external IP). +
      - +
      - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
      ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
      DNATnetdmz:10.10.11.2:80tcp5000  DNATnetdmz:10.10.11.2:80tcp5000  
      +

      If you want to be able to access your server from the local network using your external address, then if you have a static external IP you can replace the loc->dmz rule above with:

      - +
      - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
      ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
      DNATnetdmz:10.10.11.2:80tcp80-<external IP>DNATnetdmz:10.10.11.2:80tcp80-<external IP>
      +

      If you have a dynamic ip then you must ensure that your external interface is up before starting Shorewall and you must take steps as follows (assume that @@ -476,32 +484,32 @@ your external interface is eth0):

    3. Make your loc->dmz rule:
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetdmz:10.10.11.2:80tcp80-$ETH0_IPDNATnetdmz:10.10.11.2:80tcp80-$ETH0_IP
    +

    If you want to access your server from the DMZ using your external IP address, see FAQ 2a.

        At this point, add the DNAT and ACCEPT rules for your servers.

    -

    Domain Name Server (DNS)

    +

    Domain Name Server (DNS)

    Normally, when you connect to your ISP, as part of getting an IP address your firewall's Domain Name Service (DNS) resolver will be automatically configured (e.g., the /etc/resolv.conf file will be written). @@ -509,15 +517,15 @@ Alternatively, your ISP may have given you the IP address of a pair of DNS name servers for you to manually configure as your primary and secondary name servers. It is your responsibility to configure the resolver in your internal systems. You can take one of two approaches:

    -     - - -
    bullet +
      +

    • You can configure your internal systems to use your ISP's name servers. If you ISP gave you the addresses of their servers or if those addresses are available on their web site, you can configure your internal systems to use those addresses. If that information isn't available, look in /etc/resolv.conf on your firewall system -- the name servers are given in - "nameserver" records in that file.

    bullet + "nameserver" records in that file. +

  •     You can configure a Caching Name Server on your firewall or in your DMZ. Red Hat has an RPM for a caching name server (which also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you @@ -526,145 +534,145 @@ internal systems. You can take one of two approaches:

    address of the firewall (10.10.10.254 in the example above) for the name server address if you choose to run the name server on your firewall. To allow your local systems to talk to your caching name server, you must open port 53 (both UDP and TCP) from the local network to the - server; you do that by adding the rules in /etc/shorewall/rules.
    • + server; you do that by adding the rules in /etc/shorewall/rules. +
    -

    If you run the name server on the firewall: +

    If you run the name server on the firewall:

    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp53  ACCEPTlocfwtcp53  
    ACCEPTlocfwudp53  ACCEPTlocfwudp53  
    ACCEPTdmzfwtcp53  ACCEPTdmzfwtcp53  
    ACCEPTdmzfwudp53  ACCEPTdmzfwudp53  
    +

    Run name server on DMZ computer 1

    -     +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocdmz:10.10.11.1tcp53  ACCEPTlocdmz:10.10.11.1tcp53  
    ACCEPTlocdmz:10.10.11.1udp53  ACCEPTlocdmz:10.10.11.1udp53  
    ACCEPTfwdmz:10.10.10.1tcp53  ACCEPTfwdmz:10.10.10.1tcp53  
    ACCEPTfwdmz:10.10.10.1udp53  ACCEPTfwdmz:10.10.10.1udp53  
    +
    -

    Other Connections

    +

    Other Connections

    The three-interface sample includes the following rules:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTfwnetudp53  ACCEPTfwnetudp53  
    ACCEPTfwnettcp53  ACCEPTfwnettcp53  
    +
    @@ -675,35 +683,35 @@ internal systems. You can take one of two approaches:

    The sample also includes:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp22  ACCEPTlocfwtcp22  
    ACCEPTlocdmztcp22  ACCEPTlocdmztcp22  
    +
    @@ -714,26 +722,26 @@ internal systems. You can take one of two approaches:

    If you wish to enable other connections between your systems, the general format is:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPT<source zone><destination zone><protocol><port>  ACCEPT<source zone><destination zone><protocol><port>  
    +
    @@ -741,35 +749,35 @@ internal systems. You can take one of two approaches:

    system:
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp53#Allow DNS accessfrom the internetACCEPTnetfwtcp53#Allow DNS accessfrom the internet
    ACCEPTnetfwtcp53#Allow DNS accessfrom the internetACCEPTnetfwtcp53#Allow DNS accessfrom the internet
    +
    @@ -784,33 +792,33 @@ internal systems. You can take one of two approaches:

    access to your firewall from the internet, use SSH:
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp22  ACCEPTnetfwtcp22  
    +

        Now modify /etc/shorewall/rules to add or remove other connections as required.

    -

    Starting and Stopping Your Firewall

    +

    Starting and Stopping Your Firewall

    The installation procedure @@ -843,6 +851,6 @@ Eastep

    Copyright 2002 Thomas M. Eastep

    - + \ No newline at end of file diff --git a/STABLE/documentation/traffic_shaping.htm b/STABLE/documentation/traffic_shaping.htm index 3c4b7e5b8..22092ef11 100644 --- a/STABLE/documentation/traffic_shaping.htm +++ b/STABLE/documentation/traffic_shaping.htm @@ -6,12 +6,17 @@ Traffic Shaping - - + -

    Traffic Shaping/Control

    + + + + +
    +

    Traffic Shaping/Control

    +

    Beginning with version 1.2.0, Shorewall has limited support for traffic shaping/control. In order to use traffic shaping under Shorewall, it is essential that you get a copy of the Linux Advanced Routing @@ -21,15 +26,15 @@ utilities.

    Shorewall traffic shaping support consists of the following:

    -     - - - - -
    bulletA new TC_ENABLED parameter in /etc/shorewall.conf. Traffic +
      +
    • A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic Shaping also requires that you enable packet mangling.
      -
    bullet/etc/shorewall/tcrules - A file where you can specify + +
  • /etc/shorewall/tcrules - A file where you can specify firewall marking of packets. The firewall mark value may be used to classify packets for traffic shaping/control.
    -
    • bullet/etc/shorewall/tcstart - A user-supplied file that is + +
  • /etc/shorewall/tcstart - A user-supplied file that is sourced by Shorewall during "shorewall start" and which you can use to define your traffic shaping disciplines and classes. I have provided a sample that does @@ -44,24 +49,24 @@ utilities.


    In tcstart, when you want to run the 'tc' utility, use the run_tc function supplied by shorewall.
    -
    • bullet/etc/shorewall/tcclear - A user-supplied file that is + +
  • /etc/shorewall/tcclear - A user-supplied file that is sourced by Shorewall when it is clearing traffic shaping. This file is normally not required as Shorewall's method of clearing qdisc and filter - definitions is pretty general.
    • -

    /etc/shorewall/tcrules

    + definitions is pretty general. + +

    /etc/shorewall/tcrules

    The fwmark classifier provides a convenient way to classify packets for traffic shaping. The /etc/shorewall/tcrules file provides a means for specifying these marks in a tabular fashion.

    Columns in the file are as follows:

    -     - - - - - - -
    bulletMARK - Specifies the mark value is to be assigned in case of +
      +
    • MARK - Specifies the mark value is to be assigned in case of a match. This is an integer in the range 1-255.

      Example - 5
      -
    bulletSOURCE - The source of the packet. If the packet originates + +
  • SOURCE - The source of the packet. If the packet originates on the firewall, place "fw" in this column. Otherwise, this is a comma-separated list of interface names, IP addresses, MAC addresses in Shorewall Format and/or Subnets.
    @@ -69,110 +74,110 @@ for specifying these marks in a tabular fashion.

    Examples
        eth0
        192.168.2.4,192.168.1.0/24
    -
    • bulletDEST -- Destination of the packet. Comma-separated list of + +
  • DEST -- Destination of the packet. Comma-separated list of IP addresses and/or subnets.
    -
    • bulletPROTO - Protocol - Must be the name of a protocol from + +
  • PROTO - Protocol - Must be the name of a protocol from /etc/protocol, a number or "all"
    -
    • bulletPORT(S) - Destination Ports. A comma-separated list of Port + +
  • PORT(S) - Destination Ports. A comma-separated list of Port names (from /etc/services), port numbers or port ranges (e.g., 21:22); if the protocol is "icmp", this column is interpreted as the destination icmp type(s).
    -
    • bulletCLIENT PORT(S) - (Optional) Port(s) used by the client. If + +
  • CLIENT PORT(S) - (Optional) Port(s) used by the client. If omitted, any source port is acceptable. Specified as a comma-separate list - of port names, port numbers or port ranges.
    • + of port names, port numbers or port ranges. +

    Example 1 - All packets arriving on eth1 should be marked with 1. All packets arriving on eth2 should be marked with 2. All packets originating on the firewall itself should be marked with 3.

    -     +
    - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + - - - - - - + + + + + + -
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    1eth10.0.0.0/0all  1eth10.0.0.0/0all  
    2eth20.0.0.0/0all  2eth20.0.0.0/0all  
    3fw0.0.0.0/0all  3fw0.0.0.0/0all  
    +

    Example 2 - All GRE (protocol 47) packets not originating on the firewall and destined for 155.186.235.151 should be marked with 12.

    -     +
    - - - - - - + + + + + + - - - - - - + + + + + + -
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    120.0.0.0/0155.186.235.15147  120.0.0.0/0155.186.235.15147  
    +

    Example 3 - All SSH packets originating in 192.168.1.0/24 and destined for 155.186.235.151 should be marked with 22.

    -     +
    - - - - - - + + + + + + - - - - - - + + + + + + -
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    22192.168.1.0/24155.186.235.151tcp22 22192.168.1.0/24155.186.235.151tcp22 
    -

    Hierarchical Token Bucket

    + +

    Hierarchical Token Bucket

    I personally use HTB. I have found a couple of things that may be of use to others.

    -     - - -
    bulletThe gzipped tc binary at the HTB +
    bulletThe HTB example in the HOWTO seems to be full of errors. I'm currently - running with this set of shaping rules in my tcstart file so I know that it works.
    + them for HTB. +
  • The HTB example in the HOWTO seems to be full of errors. I'm currently + running with this set of shaping rules in my tcstart file so I know that it works.
    • +

    run_tc qdisc add dev eth0 root handle 1: htb default 30

    @@ -201,6 +206,6 @@ Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/troubleshoot.htm b/STABLE/documentation/troubleshoot.htm index bf3acfb6a..43ae1333e 100644 --- a/STABLE/documentation/troubleshoot.htm +++ b/STABLE/documentation/troubleshoot.htm @@ -10,57 +10,62 @@ - - - + + -

    Shorewall Troubleshooting

    + + + + +
    +

    Shorewall Troubleshooting

    +
    -

    Check the Errata

    +

    Check the Errata

    Check the Shorewall Errata to be sure that there isn't an update that you are missing for your version of the firewall.

    -

    Check the FAQs

    +

    Check the FAQs

    Check the FAQs for solutions to common problems.

    -

    If the firewall fails to start

    +

    If the firewall fails to start

    If you receive an error message when starting or restarting the firewall and you can't determine the cause, then do the following: -     - - - -
    bulletshorewall debug start 2> /tmp/trace
    bulletLook at the /tmp/trace file and see if that helps you determine what -the problem is.
    bulletIf you still can't determine what's wrong then see the - support page.
    -

    Your test environment

    +
      +
    • shorewall debug start 2> /tmp/trace
      • +
    • Look at the /tmp/trace file and see if that helps you determine what +the problem is.
      • +
    • If you still can't determine what's wrong then see the + support page.
      • +
    +

    Your test environment

    Many times when people have problems with Shorewall, the problem is actually an ill-conceived test setup. Here are several popular snafus:

    -     - - - -
    bulletPort +
      +
    • Port Forwarding where client and server are in the same subnet. See FAQ - 2.
    bulletChanging the IP address of a local system to be in the external subnet, + 2. +
  • Changing the IP address of a local system to be in the external subnet, thinking that Shorewall will suddenly believe that the system is in the - 'net' zone.
    • bulletMultiple interfaces connected to the same HUB or Switch. Given the way + 'net' zone. +
  • Multiple interfaces connected to the same HUB or Switch. Given the way that the Linux kernel respond to ARP "who-has" requests, this type of setup - does NOT work the way that you expect it to.
    • + does NOT work the way that you expect it to. + -

    If you are having -connection problems:

    +

    If you are having +connection problems:

    If the appropriate policy for the connection that you are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING @@ -100,16 +105,16 @@ ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47

    Let's look at the important parts of this message:

    - - - - - - - - -
    bulletall2all:REJECT - the packet was rejected under the "all"->"all" REJECT -policy
    bulletIN=eth2 - the packet entered the firewall via eth2
    bulletOUT=eth1 - if accepted, the packet would be sent on eth1
    bulletSRC=192.168.2.2 - the packet was sent by 192.168.2.2
    bulletDST=192.168.1.3 - the packet is destined for 192.168.1.3
    bulletPROTO=UDP - UDP Protocol
    bulletDPT=53 - DNS
    +
      +
    • all2all:REJECT - the packet was rejected under the "all"->"all" REJECT +policy
      • +
    • IN=eth2 - the packet entered the firewall via eth2
      • +
    • OUT=eth1 - if accepted, the packet would be sent on eth1
      • +
    • SRC=192.168.2.2 - the packet was sent by 192.168.2.2
      • +
    • DST=192.168.1.3 - the packet is destined for 192.168.1.3
      • +
    • PROTO=UDP - UDP Protocol
      • +
    • DPT=53 - DNS
      • +

    In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3 is in the "loc" zone. I was missing the rule:

    @@ -118,10 +123,10 @@ policy     -

    Other Gotchas

    +

    Other Gotchas

    - - - - - - - - - -
    bulletRemember that Shorewall doesn't automatically allow ICMP type 8 ("ping") +
      +
    • Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping") requests to be sent between zones. If you want pings to be allowed between zones, you need a rule of the form:

      @@ -136,40 +141,40 @@ icmp and you ping 130.252.100.18, unless you have allowed icmp type 8 between the zone containing the system you are pinging from and the zone containing 10.1.1.2, the ping requests will be dropped. This is true even if you -have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.
    bulletIf you specify "routefilter" for an interface, that interface must be -up prior to starting the firewall.
    bulletIs your routing correct? For example, internal systems usually need to +have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces. +
  • If you specify "routefilter" for an interface, that interface must be +up prior to starting the firewall.
    • +
  • Is your routing correct? For example, internal systems usually need to be configured with their default gateway set to the IP address of their nearest firewall interface. One often overlooked aspect of routing is that in order for two hosts to communicate, the routing between them must be set up in both directions. So when setting up routing between A and B, be sure to verify that the route from B back to A - is defined.
    • bulletSome versions of LRP (EigerStein2Beta for example) have a shell with + is defined. +
  • Some versions of LRP (EigerStein2Beta for example) have a shell with broken variable expansion. You can get a corrected shell from the Shorewall Errata download site. -
    • bulletDo you have your kernel properly configured? Click - here to see my kernel configuration.
    bulletSome features require the "ip" program. That program is generally included + +
  • Do you have your kernel properly configured? Click + here to see my kernel configuration.
    • +
  • Some features require the "ip" program. That program is generally included in the "iproute" package which should be included with your distribution (though many distributions don't install iproute by default). You may also download the latest source tarball from ftp://ftp.inr.ac.ru/ip-routing -.
    • bulletIf you have any entry for a zone in /etc/shorewall/hosts then the +. +
  • If you have any entry for a zone in /etc/shorewall/hosts then the zone must be entirely defined in /etc/shorewall/hosts unless you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). For example, if a zone has two interfaces but only one interface has an entry in /etc/shorewall/hosts then hosts attached to the other interface will not be considered -part of the zone.
    • bulletProblems with NAT? Be sure that you let Shorewall add all external addresses +part of the zone. +
  • Problems with NAT? Be sure that you let Shorewall add all external addresses to be use with NAT unless you have set ADD_IP_ALIASES -=No in /etc/shorewall/shorewall.conf.
    • -

    Still Having Problems?

    +=No in /etc/shorewall/shorewall.conf. + +

    Still Having Problems?

    See the support page.

    @@ -185,5 +190,5 @@ Tom Eastep

    Copyright © 2001, 2002 Thomas M. Eastep.

    -     + \ No newline at end of file diff --git a/STABLE/documentation/two-interface.htm b/STABLE/documentation/two-interface.htm index 5cf52718b..b8867ba10 100644 --- a/STABLE/documentation/two-interface.htm +++ b/STABLE/documentation/two-interface.htm @@ -6,33 +6,40 @@ Two-Interface Firewall - + - + -

    Basic Two-Interface Firewall

    + + + + +
    +

    Basic Two-Interface Firewall

    +

    Setting up a Linux system as a firewall for a small network is a fairly straight-forward task if you understand the basics and follow the documentation.

    This guide doesn't attempt to acquaint you with all of the features of Shorewall. It rather focuses on what is required to configure Shorewall in its most common configuration:

    -     - - - -
    bulletLinux system used as a firewall/router for a small local network.
    bulletSingle external IP address.
    bulletInternet connection through cable modem, DSL, ISDN, Frame Relay, dial-up - ...
    +
      +
    • Linux system used as a firewall/router for a small local network.
      • +
    • Single external IP address.
      • +
    • Internet connection through cable modem, DSL, ISDN, Frame Relay, dial-up + ...
      • +

    Here is a schematic of a typical installation.

    -

    +

    +

    This guide assumes that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the 'which' command to check for this program:

    -
         [root@gateway root]# which ip
+
         [root@gateway root]# which ip
      /sbin/ip
-     [root@gateway root]#
    I recommend that you first read through the 
+     [root@gateway root]#

    I recommend that you first read through the guide to familiarize yourself with what's involved then go back through it again making your configuration changes. Points at which configuration changes are recommended are flagged with .

    @@ -42,50 +49,49 @@ Unix files if your editor supports that option or you must run them through dos2unix before trying to use them. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix against the copy before using it with Shorewall.

    -     - - -
    bulletWindows Version of - dos2unix
    bulletLinux Version of - dos2unix
    -

    Shorewall Concepts

    + +

    Shorewall Concepts

    The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will only need to deal with a few of these as described in this guide. After you have installed Shorewall, -download the -two-interface sample, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall +download the two-interface sample, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall (these files will replace files with the same name).

    As each file is introduced, I suggest that you look through the actual file on your system -- each file contains detailed configuration instructions and default entries.

    Shorewall views the network where it is running as being composed of a set of zones. In the two-interface sample configuration, the following zone names are used:

    -     +
    - - + + - - + + - - + + -
    NameDescriptionNameDescription
    netThe InternetnetThe Internet
    locYour Local NetworklocYour Local Network
    +

    Zones are defined in the /etc/shorewall/zones file.

    Shorewall also recognizes the firewall system as its own zone - by default, the firewall itself is known as fw.

    Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.

    -     - - -
    bulletYou express your default policy for connections from one zone to another - zone in the /etc/shorewall/policy file.
    bulletYou define exceptions to those default policies in the - /etc/shorewall/rules file.
    +

    For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the @@ -96,57 +102,57 @@ file for you).

    The /etc/shorewall/policy file included with the two-interface sample has the following policies:

    - +
    - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + - - - - - + + + + + -
    Source ZoneDestination ZonePolicyLog LevelLimit:BurstSource ZoneDestination ZonePolicyLog LevelLimit:Burst
    locnetACCEPT  locnetACCEPT  
    netallDROPinfo netallDROPinfo 
    allallREJECTinfo allallREJECTinfo 
    +

    In the two-interface sample, the line below is included but commented out. If you want your firewall system to have full access to servers on the internet, uncomment that line.

    -     +
    - - - - - + + + + + - - - - - + + + + + -
    Source ZoneDestination ZonePolicyLog LevelLimit:BurstSource ZoneDestination ZonePolicyLog LevelLimit:Burst
    fwnetACCEPT  fwnetACCEPT  
    +

    The above policy will:

      @@ -159,8 +165,9 @@ uncomment that line.

        At this point, edit your /etc/shorewall/policy and make any changes that you wish.

    -

    Network Interfaces

    -

    +

    Network Interfaces

    +

    +

    The firewall has two network interfaces. Where Internet connectivity is through a cable or DSL "Modem", the External Interface will be the ethernet adapter that is connected to that "Modem" (e.g., eth0)  @@ -188,15 +195,15 @@ the external interface is eth0 and the internal interface is eth1. If your configuration is different, you will have to modify the sample /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interfaces. Some hints:

    -     - - -
    bullet +
      +

    • If your external interface is ppp0 or ippp0, you can replace the - "detect" in the second column with "-".

    bullet + "detect" in the second column with "-". +

  • If your external interface is ppp0 or ippp0 or if you have a static IP - address, you can remove "dhcp" from the option list.

    • -

    IP Addresses

    + address, you can remove "dhcp" from the option list. + +

    IP Addresses

    Before going further, we should say a few words about Internet Protocol (IP) addresses. Normally, your ISP will assign you a single Public IP address. This address may be assigned via the Dynamic Host @@ -210,9 +217,9 @@ internal network (the Internal Interface on your firewall plus your other computers). RFC 1918 reserves several Private IP address ranges for this purpose:

    - 
         10.0.0.0    - 10.255.255.255
+  
         10.0.0.0    - 10.255.255.255
      172.16.0.0  - 172.31.255.255
-     192.168.0.0 - 192.168.255.255
    
+     192.168.0.0 - 192.168.255.255

        @@ -236,24 +243,24 @@ purpose:

    Example sub-network:

    - +
    - - + + - - + + - - + + - - + + -
    Range:10.10.10.0 - 10.10.10.255Range:10.10.10.0 - 10.10.10.255
    Subnet Address:10.10.10.0Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.255Broadcast Address:10.10.10.255
    VLSM Notation:10.10.10.0/24VLSM Notation:10.10.10.0/24
    +
    @@ -278,9 +285,10 @@ Needs to Know about Addressing & Routing", Thomas A. Maufer, Prenti 1999, ISBN 0-13-975483-0.

    The remainder of this quide will assume that you have configured your network as shown here:

    -

    +

    +

    The default gateway for computer's 1 & 2 would be 10.10.10.254.

    -

    IP Masquerading (SNAT)

    +

    IP Masquerading (SNAT)

    The addresses reserved by RFC 1918 are sometimes referred to as non-routable because the Internet backbone routers don't forward packets which have an RFC-1918 destination address. When one of your local systems @@ -299,15 +307,15 @@ forwards the packet on to computer 1.

    IP Masquerading but you will also see the term Source Network Address Translation (SNAT) used. Shorewall follows the convention used with Netfilter:

    -     - - -
    bullet +
      +

    • Masquerade describes the case where you let your - firewall system automatically detect the external interface address.

    bullet + firewall system automatically detect the external interface address. +

  • SNAT refers to the case when you explicitly specify the source address that you want outbound packets from your local network to use. -

    • + +

    In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file. You will normally use Masquerading if your external IP is dynamic and SNAT if the IP is static.

    @@ -320,7 +328,7 @@ static, you can enter it in the third column in the /etc/shorewall/masq entry if you like although your firewall will work fine if you leave that column empty. Entering your static IP in column 3 makes processing outgoing packets a little more efficient.

    -

    Port Forwarding (DNAT)

    +

    Port Forwarding (DNAT)

    One of your goals may be to run one or more servers on your local computers. Because these computers have RFC-1918 addresses, it is not possible for clients on the internet to connect directly to them. It is rather @@ -334,89 +342,89 @@ forwarding using DNAT rules in the /etc/shorewall/rules file.

    The general form of a simple port forwarding rule in /etc/shorewall/rules is:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetloc:<server local ip address> [:<server port>]<protocol><port>  DNATnetloc:<server local ip address> [:<server port>]<protocol><port>  
    +

    Example - you run a Web Server on computer 2 and you want to forward incoming TCP port 80 to that system:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetloc:10.10.10.2tcp80  DNATnetloc:10.10.10.2tcp80  
    +

    A couple of important points to keep in mind:

    -     - - -
    bulletYou must test the above rule from a client outside of your local network +
      +
    • You must test the above rule from a client outside of your local network (i.e., don't test from a browser running on computers 1 or 2 or on the firewall). If you want to be able to access your web server using the IP address of your external interface, see Shorewall FAQ - #2.
    bulletMany ISPs block incoming connection requests to port 80. If you have + #2. +
  • Many ISPs block incoming connection requests to port 80. If you have problems connecting to your web server, try the following rule and try - connecting to port 5000.
    • + connecting to port 5000. +
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    DNATnetloc:10.10.10.2:80tcp5000  DNATnetloc:10.10.10.2:80tcp5000  
    +

        At this point, modify /etc/shorewall/rules to add any DNAT rules that you require.

    -

    Domain Name Server (DNS)

    +

    Domain Name Server (DNS)

    Normally, when you connect to your ISP, as part of getting an IP address your firewall's Domain Name Service (DNS) resolver will be automatically configured (e.g., the /etc/resolv.conf file will be written). @@ -424,15 +432,15 @@ Alternatively, your ISP may have given you the IP address of a pair of DNS name servers for you to manually configure as your primary and secondary name servers. Regardless of how DNS gets configured on your firewall, it is your responsibility to configure the resolver in your internal systems. You can take one of two approaches:

    -     - - -
    bullet +
      +

    • You can configure your internal systems to use your ISP's name servers. If you ISP gave you the addresses of their servers or if those addresses are available on their web site, you can configure your internal systems to use those addresses. If that information isn't available, look in /etc/resolv.conf on your firewall system -- the name servers are given in - "nameserver" records in that file.

    bullet + "nameserver" records in that file. +

  •     You can configure a Caching Name Server on your firewall. Red Hat has an RPM for a caching name server (the RPM also requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you @@ -441,75 +449,75 @@ internal systems. You can take one of two approaches:

    address of the firewall (10.10.10.254 in the example above) for the name server address. To allow your local systems to talk to your caching name server, you must open port 53 (both UDP and TCP) from the local network to the - firewall; you do that by adding the following rules in /etc/shorewall/rules.
    • + firewall; you do that by adding the following rules in /etc/shorewall/rules. +
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp53  ACCEPTlocfwtcp53  
    ACCEPTlocfwudp53  ACCEPTlocfwudp53  
    +
    -

    Other Connections

    +

    Other Connections

    The two-interface sample includes the following rules:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTfwnettcp53  ACCEPTfwnettcp53  
    ACCEPTfwnetudp53  ACCEPTfwnetudp53  
    +
    @@ -520,26 +528,26 @@ internal systems. You can take one of two approaches:

    The sample also includes:

    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTlocfwtcp22  ACCEPTlocfwtcp22  
    +
    @@ -550,26 +558,26 @@ internal systems. You can take one of two approaches:

    and other systems, the general format is:
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPT<source zone><destination zone><protocol><port>  ACCEPT<source zone><destination zone><protocol><port>  
    +
    @@ -577,35 +585,35 @@ internal systems. You can take one of two approaches:

    system:
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp80#Allow web accessfrom the internetACCEPTnetfwtcp80#Allow web accessfrom the internet
    ACCEPTlocfwtcp80#Allow web accessfrom the local networkACCEPTlocfwtcp80#Allow web accessfrom the local network
    +
    @@ -620,33 +628,33 @@ internal systems. You can take one of two approaches:

    access to your firewall from the internet, use SSH:
    - +
    - - - - - - - + + + + + + + - - - - - - - + + + + + + + -
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESSACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL ADDRESS
    ACCEPTnetfwtcp22  ACCEPTnetfwtcp22  
    +

        Now edit your /etc/shorewall/rules file to add or delete other connections as required.

    -

    Starting and Stopping Your Firewall

    +

    Starting and Stopping Your Firewall

    The installation procedure @@ -678,6 +686,6 @@ Eastep

    Copyright 2002 Thomas M. Eastep

    - + \ No newline at end of file diff --git a/STABLE/documentation/whitelisting_under_shorewall.htm b/STABLE/documentation/whitelisting_under_shorewall.htm new file mode 100644 index 000000000..c0a706c56 --- /dev/null +++ b/STABLE/documentation/whitelisting_under_shorewall.htm @@ -0,0 +1,281 @@ + + + + + + + +Whitelisting under Shorewall + + + + + + + + +
    +

    Whitelisting under Shorewall

    +
    +

    For a brief time, the 1.2 version of Shorewall supported an +/etc/shorewall/whitelist file. This file was intended to contain a list of IP +addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was +implemented as a stop-gap measure until the facilities necessary for +implementing white lists using zones was in place. As of Version 1.3 RC1, those +facilities were available.

    +

    White lists are most often used to give special privileges to a +set  of hosts within an organization. Let us suppose that we have the +following environment:

    +
      +
    • A firewall with three interfaces -- one to the internet, one + to a local network and one to a DMZ.
      • +
    • The local network uses SNAT to the internet and is comprised + of the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 + local network, the technique described here in no way depends on that or on + SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).
      • +
    • The network operations staff have workstations with IP + addresses in the class C network 10.10.10.0/24
      • +
    • We want the network operations staff to have full access to + all other hosts.
      • +
    • We want the network operations staff to bypass the transparent + HTTP proxy running on our firewall.
      • +
    +

    The basic approach will be that we will place the operations +staff's class C in its own zone called ops. Here are the appropriate +configuration files:

    +

    Zone File

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + ZONE + DISPLAY + COMMENTS
    netNetInternet
    opsOperationsOperations Staff's Class C
    locLocalLocal Class B
    dmzDMZDemilitarized zone
    +
    +

    The ops zone has been added to the standard 3-zone zones file -- since +ops is a sub-zone of loc, we list it BEFORE loc.

    +

    Interfaces File

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + ZONE + INTERFACE + BROADCAST + OPTIONS
    neteth0<whatever><options>
    dmzeth1<whatever>routestopped
    -eth210.10.255.255 
    +
    +

    Because eth2 interfaces to two zones (ops and loc), we +don't specify a zone for it here.

    +

    Hosts File

    +
    + + + + + + + + + + + + + + + + + + + + + +
    + ZONE + HOST(S) + OPTIONS
    opseth2:10.10.10.0/24routestopped
    loceth2:0.0.0.0/0 
    +
    +

    Here we define the ops and loc zones. When Shorewall is +stopped, only the hosts in the ops zone will be allowed to access the +firewall and the DMZ. I use 0.0.0.0/0 to define the loc zone rather than +10.10.0.0/16 so that the limited broadcast address (255.255.255.255) falls into +that zone. If I used 10.10.0.0/16 then I would have to have a separate entry for +that special address.

    +

    Policy File

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    SOURCEDEST + POLICY + LOG LEVELLIMIT:BURST
    opsallACCEPT  
    allopsCONTINUE  
    locnetACCEPT  
    netallDROPinfo 
    allallREJECTinfo 
    +
    +

    Two entries for ops have been added to the standard 3-zone policy file. +WARNING: You must be running Shorewall 1.3.1 or later +for the above to work properly.

    +

    Rules File

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDEST + PROTODEST
    + PORT(S)    		SOURCE
    + PORT(S)    		ORIGINAL
    + DEST
    REDIRECTloc!ops3128tcphttp  
    ...      
    +
    +

    This is the rule that transparently redirects web traffic to the transparent +proxy running on the firewall. The SOURCE column explicitly excludes the ops +zone from the rule.

    + + + +

    + Updated 5/31/2002 - Tom +Eastep +

    + + + +

    Copyright + © 2002 Thomas M. Eastep.

    + + + + + + \ No newline at end of file diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh index 61b89b7e7..71c0e9ba4 100755 --- a/STABLE/fallback.sh +++ b/STABLE/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.3.6 +VERSION=1.3.7 usage() # $1 = exit status { diff --git a/STABLE/firewall b/STABLE/firewall index 9c18802d7..be028befd 100755 --- a/STABLE/firewall +++ b/STABLE/firewall @@ -1565,7 +1565,13 @@ add_nat_rule() { # Replace destination port by the new destination port - [ -n "$servport" ] && dports="--dport ${servport#*:}" + if [ -n "$servport" ]; then + if [ -z "$multiport" ]; then + dports="--dport ${servport#*:}" + else + dports="--dports ${servport#*:}" + fi + fi # Handle SNAT @@ -1650,18 +1656,21 @@ add_a_rule() case $proto in tcp|udp|TCP|UDP|6|17) if [ -n "$port" -a "x${port}" != "x-" ]; then - [ -n "$multioption" ] && \ - [ "$port" != "${port%,*}" ] && \ + dports="--dport" + if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then multiport="$multioption" - dports="--dport $port" + dports="--dports" + fi + dports="$dports $ports" fi if [ -n "$cport" -a "x${cport}" != "x-" ]; then - [ -n "$multioption" ] && \ - [ -z "$multiport" ] && \ - [ "$cport" != "${cport%,*}" ] && \ + sports="--sport" + if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then multiport="$multioption" - sports="--sport $cport" + sports="--sports" + fi + sports="$sports $cport" fi ;; icmp|ICMP|1) @@ -2428,7 +2437,7 @@ setup_masq() if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then list_search $address $aliases_to_add || \ - aliases_to_add="$aliases_to_add $external $address" + aliases_to_add="$aliases_to_add $address $interface" fi destination=$destnet @@ -2778,7 +2787,8 @@ add_common_rules() { logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options - run_iptables -A badpkt -p !tcp -j LOG $logoptions + run_iptables -A badpkt -p tcp -j DROP # Workaround for iptables 1.2.7 + run_iptables -A badpkt -j LOG $logoptions fi run_iptables -A badpkt -j DROP @@ -2803,7 +2813,8 @@ add_common_rules() { logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:" logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options" run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options - run_iptables -A logpkt -p !tcp -j LOG $logoptions + run_iptables -A logpkt -p tcp -j RETURN # Workaround for iptables 1.2.7 + run_iptables -A logpkt -j LOG $logoptions echo "Mangled/Invalid Packet Logging enabled on:" @@ -2814,16 +2825,15 @@ add_common_rules() { echo " $interface" done fi + ########################################################################### + # PING + # + [ -n "$FORWARDPING" ] && \ + run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT ############################################################################ # Common ICMP rules # - icmpdef=`find_file icmpdef` - - if [ -f $icmpdef ]; then - . $icmpdef - else - . `find_file icmp.def` - fi + run_user_exit icmpdef ############################################################################ # Common rules in each chain # @@ -2838,7 +2848,6 @@ add_common_rules() { # BROADCASTS # drop_broadcasts `find_broadcasts` - ########################################################################### # RFC 1918 # @@ -3400,6 +3409,7 @@ do_initialize() { MERGE_HOSTS= MUTEX_TIMEOUT= LOGNEWNOTSYN= + FORWARDPING= stopping= have_mutex= masq_seq=1 @@ -3476,6 +3486,7 @@ do_initialize() { MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS` + FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` } ################################################################################ diff --git a/STABLE/icmp.def b/STABLE/icmp.def index 629b724d9..b6b39510b 100644 --- a/STABLE/icmp.def +++ b/STABLE/icmp.def @@ -1,22 +1,6 @@ ############################################################################## # Shorewall 1.3 /etc/shorewall/icmp.def # -# This file defines the default rules for accepting ICMP packets. +# This file is obsolete and is included for compatibility with existing +# icmpdef extension scripts that source it. # -# Do not modify this file -- if you wish to change these rules, create -# /etc/shorewall/icmpdef to replace it. It is suggested that you include -# the command "source /etc/shorewall/icmp.def" in your -# /etc/shorewall/icmpdef file so that you will continue to get the -# advantage of new releases of this file. -# -# For example, if you want to accept 'ping' everywhere then create -# /etc/shorewall/icmpdef with the following two lines: -# -# source /etc/shorewall/icmp.def -# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT -# -run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT -run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT -run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT -run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT -run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT diff --git a/STABLE/install.sh b/STABLE/install.sh index 710e06109..1626089db 100755 --- a/STABLE/install.sh +++ b/STABLE/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.3.6 +VERSION=1.3.7 usage() # $1 = exit status { @@ -479,11 +479,17 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then fi elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then if chkconfig --add $FIREWALL ; then - echo -e "\nFirewall will automatically start in run levels as follows:" + echo -e "\nFirewall will start automatically in run levels as follows:" chkconfig --list $FIREWALL else cant_autostart fi + elif [ -x /sbin/rc-update ]; then + if rc-update add shorewall default; then + echo -e "\nFirewall will start automatically at boot" + else + cant_autostart + fi else modify_rclocal fi diff --git a/STABLE/interfaces b/STABLE/interfaces index fb99fcf4e..eb20f46cd 100644 --- a/STABLE/interfaces +++ b/STABLE/interfaces @@ -12,20 +12,24 @@ # of a zone defined in /etc/shorewall/zones. # # If the interface serves multiple zones that will be -# defined in the /etc/shorewall/hosts file, you may +# defined in the /etc/shorewall/hosts file, you should # place "-" in this column. # -# INTERFACE Name of interface +# INTERFACE Name of interface. Each interface may be listed only +# once in this file. # # BROADCAST The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this -# column is left black. +# column is left black.If the interface has multiple +# addresses on multiple subnets then list the broadcast +# addresses as a comma-separated list. # # If you use the special value "detect", the firewall # will detect the broadcast address for you. If you # select this option, the interface must be up before -# the firewall is started and you must have iproute -# installed. +# the firewall is started, you must have iproute +# installed and the interface must only be associated +# with a single subnet. # # If you don't want to give a value for this column but # you want to enter a value in the OPTIONS column, enter diff --git a/STABLE/policy b/STABLE/policy index abee2aa0c..4b144d54e 100644 --- a/STABLE/policy +++ b/STABLE/policy @@ -18,7 +18,7 @@ # in /etc/shorewall/zones, $FW or "all" # # POLICY Policy if no match from the rules file is found. Must -# be "ACCEPT", "DENY", "REJECT" or "CONTINUE" +# be "ACCEPT", "DROP", "REJECT" or "CONTINUE" # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt index d3e57380b..11eb0c2e7 100644 --- a/STABLE/releasenotes.txt +++ b/STABLE/releasenotes.txt @@ -3,13 +3,22 @@ fixes. New features include: -1) The new "Shorewall Setup Guide" is included in this release. This - guide is intended for users who have multiple static external IP - addresses and for users who what to learn a bit more abound - Shorewall than is described in the single-address guides. +1) The 'icmp.def' file is now empty! The rules in that file were + required in ipchains firewalls but are not required in Shorewall. + Users who have ALLOWRELATED=No in shorewall.conf should see the + Upgrade Issues. +2) A 'FORWARDPING' option has been added to shorewall.conf. The effect + of setting this variable to Yes is the same as the effect of adding + an ACCEPT rule for ICMP echo-request in + /etc/shorewall/icmpdef. Users who have such a rule in icmpdef are + encouraged to switch to FORWARDPING=Yes. +3) The loopback CLASS A Network (127.0.0.0/8) has been added to the + rfc1918 file. +4) Shorewall now works with iptables 1.2.7. +5) The documentation and Web site no longer use FrontPage themes. -2) Shorewall now drops non-SYN tcp packets that are not part of an - established connection. These packets can be optionally logged by - setting the new LOGNEWNOTSYN variable in shorewall.conf. +I would like to thank John Distler for his valuable input regarding TCP +SYN and ICMP treatment in Shorewall. That input has led to marked +improvement in Shorewall in the last two releases. diff --git a/STABLE/rfc1918 b/STABLE/rfc1918 index d3ef5954a..a2e066f49 100644 --- a/STABLE/rfc1918 +++ b/STABLE/rfc1918 @@ -45,13 +45,13 @@ 42.0.0.0/8 logdrop # Reserved 58.0.0.0/7 logdrop # Reserved 60.0.0.0/8 logdrop # Reserved -69.0.0.0/8 logdrop # Reserved 70.0.0.0/7 logdrop # Reserved 72.0.0.0/5 logdrop # Reserved 82.0.0.0/7 logdrop # Reserved 84.0.0.0/6 logdrop # Reserved 88.0.0.0/5 logdrop # Reserved 96.0.0.0/3 logdrop # Reserved +127.0.0.0/8 logdrop # Loopback 197.0.0.0/8 logdrop # Reserved 222.0.0.0/7 logdrop # Reserved 240.0.0.0/4 logdrop # Reserved diff --git a/STABLE/shorewall.conf b/STABLE/shorewall.conf index 36ccc6955..adef919b5 100644 --- a/STABLE/shorewall.conf +++ b/STABLE/shorewall.conf @@ -349,4 +349,12 @@ MUTEX_TIMEOUT=60 LOGNEWNOTSYN= +# +# Forward "Ping" +# +# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are +# forwarded by the firewall. + +FORWARDPING=Yes + #LAST LINE -- DO NOT REMOVE diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec index 24cae25e5..aedc4cc1f 100644 --- a/STABLE/shorewall.spec +++ b/STABLE/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.3.6 +%define version 1.3.7 %define release 1 %define prefix /usr @@ -76,6 +76,8 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Thu Aug 22 2002 Tom Eastep +- Changed version to 1.3.7 * Sun Aug 04 2002 Tom Eastep - Changed version to 1.3.6 * Mon Jul 29 2002 Tom Eastep diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh index 7e9920320..8dfcbe0e3 100755 --- a/STABLE/uninstall.sh +++ b/STABLE/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.3.6 +VERSION=1.3.7 usage() # $1 = exit status {