diff --git a/Shorewall-docs/Documentation.htm b/Shorewall-docs/Documentation.htm index fd1e8500f..e250081f8 100644 --- a/Shorewall-docs/Documentation.htm +++ b/Shorewall-docs/Documentation.htm @@ -1,285 +1,302 @@
- + - + - +
-
- Shorewall 1.4 Reference- |
-
Shorewall consists of the following components:
- -Shorewall consists of the following components:
+ +You may use the file /etc/shorewall/params file to set shell variables - that you can then use in some of the other configuration - files.
- + that you can then use in some of the other configuration + files. +It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally - within the Shorewall programs
- + within the Shorewall programs +Example:
- +NET_IF=eth0- +
NET_BCAST=130.252.100.255
NET_OPTIONS=blacklist,norfc1918
Example (/etc/shorewall/interfaces record):
- +net $NET_IF $NET_BCAST $NET_OPTIONS- +
The result will be the same as if the record had been written
- +net eth0 130.252.100.255 blacklist,norfc1918- +
Variables may be used anywhere in the other configuration - files.
- + files. +This file is used to define the network zones. There is one entry - in /etc/shorewall/zones for each zone; Columns in an - entry are:
- + in /etc/shorewall/zones for each zone; Columns in + an entry are: +The /etc/shorewall/zones file released with Shorewall is as follows:
- +ZONE | +DISPLAY | +COMMENTS | +
ZONE | -DISPLAY | -COMMENTS | -
net | -Net | -Internet | -
loc | -Local | -Local networks | -
dmz | -DMZ | -Demilitarized zone | -net | +Net | +Internet | + +
loc | +Local | +Local networks | +
dmz | +DMZ | +Demilitarized + zone | +
You may add, delete and modify entries in the /etc/shorewall/zones file - as desired so long as you have at least one zone defined.
- + as desired so long as you have at least one zone +defined. +Warning 1: If you rename or delete a zone, you should perform "shorewall - stop; shorewall start" to install the change rather - than "shorewall restart".
- + stop; shorewall start" to install the change rather + than "shorewall restart". +Warning 2: The order of entries in the /etc/shorewall/zones file is - significant in some cases.
- + significant in some cases. +This file is used to tell the firewall which of your firewall's network - interfaces are connected to which zone. There will -be one entry in /etc/shorewall/interfaces for each of your -interfaces. Columns in an entry are:
- + interfaces are connected to which zone. There will + be one entry in /etc/shorewall/interfaces for each of your + interfaces. Columns in an entry are: + tcpflags (added in version 1.3.11) - This option causes
Shorewall to make sanity checks on the header flags in TCP packets arriving
on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH;
@@ -287,1336 +304,1387 @@ these flag combinations are typically used for "silent" port scans. Packets
failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option
in /etc/shorewall/shorewall.conf and are disposed of
according to the TCP_FLAGS_DISPOSITION option.
-
- blacklist - This option causes incoming
- packets on this interface to be checked against
- the blacklist.
-
- dhcp - The interface is assigned
- an IP address via DHCP or is used by a DHCP server
-running on the firewall. The firewall will be configured
- to allow DHCP traffic to and from the interface even
-when the firewall is stopped. You may also wish to use this option
- if you have a static IP but you are on a LAN segment that has
-a lot of Laptops that use DHCP and you select the norfc1918
- option (see below).
norfc1918 - Packets arriving on this interface and that
have a source address that is reserved in RFC 1918 or in other
- RFCs will be dropped after being optionally logged. If
- packet mangling is enabled in /etc/shorewall/shorewall.conf
- , then packets arriving on this interface that have
- a destination address that is reserved by one of these RFCs
- will also be logged and dropped.
-
- Addresses blocked by the standard
- rfc1918 file include
- those addresses reserved by RFC1918 plus other ranges reserved
- by the IANA or by other RFCs.
Beware that as IPv4 addresses become in increasingly short supply, - ISPs are beginning to use RFC 1918 addresses within - their own infrastructure. Also, many cable and DSL "modems" - have an RFC 1918 address that can be used through a web browser - for management and monitoring functions. If you want to specify - norfc1918 on your external interface but need to -allow access to certain addresses from the above list, see - FAQ 14.
- + ISPs are beginning to use RFC 1918 addresses within + their own infrastructure. Also, many cable and DSL "modems" + have an RFC 1918 address that can be used through a web +browser for management and monitoring functions. If you want +to specify norfc1918 on your external interface but + need to allow access to certain addresses from the above +list, see FAQ 14. + +routefilter - Invoke the Kernel's route filtering - (anti-spoofing) facility on this interface. The kernel - will reject any packets incoming on this interface that -have a source address that would be routed outbound through -another interface on the firewall. Warning: If you specify this option for an interface then the interface must be up prior to starting - the firewall.
- + the firewall. + + dropunclean - Packets from this interface that
are selected by the 'unclean' match target in iptables will
be optionally logged and then dropped.
Warning: This feature requires
- that UNCLEAN match support be configured in your
-kernel, either in the kernel itself or as a module. UNCLEAN
- support is broken in some versions of the kernel but
+ that UNCLEAN match support be configured in your
+ kernel, either in the kernel itself or as a module. UNCLEAN
+ support is broken in some versions of the kernel but
appears to work ok in 2.4.17-rc1.
-
- Update 12/17/2001:
- The unclean match patch from
- 2.4.17-rc1 is
+ Update
+12/17/2001: The unclean match patch
+from 2.4.17-rc1 is available
- for download. I am currently running
- this patch applied to kernel 2.4.16.
Update 12/20/2001: I've - seen a number of tcp connection requests - with OPT (020405B40000080A...) - being dropped in the badpkt chain. This appears to - be a bug in the remote TCP stack whereby it is 8-byte - aligning a timestamp (TCP option 8) but rather than -padding with 0x01 it is padding with 0x00. It's -a tough call whether to deny people access to your -servers because of this rather minor bug in their -networking software. If you wish to disable the - check that causes these connections to be dropped, 0000080A...) + being dropped in the badpkt chain. This appears + to be a bug in the remote TCP stack whereby it is 8-byte + aligning a timestamp (TCP option 8) but rather +than padding with 0x01 it is padding with 0x00. +It's a tough call whether to deny people access +to your servers because of this rather minor +bug in their networking software. If you wish to disable the + check that causes these connections to be dropped, + here's a kernel patch against 2.4.17-rc2.
- + +logunclean - This option works like dropunclean - with the exception that packets selected - by the 'unclean' match target in iptables - are logged but not dropped. - The level at which the packets are logged is determined by - the setting of LOGUNCLEAN and -if LOGUNCLEAN has not been set, "info" is assumed.
- + with the exception that packets +selected by the 'unclean' match target +in iptables are logged but not dropped. + The level at which the packets are logged is determined + by the setting of LOGUNCLEAN + and if LOGUNCLEAN has not been set, "info" is assumed. + +proxyarp (Added in version 1.3.5) - This option causes
- Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp
- and is used when implementing Proxy
- ARP Sub-netting as described at
-
- http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do
- not set this option if you are implementing
- Proxy ARP through entries in <interface>/proxy_arp
+ and is used when implementing Proxy
+ ARP Sub-netting as described at
+
+ http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/.
+Do not set this option if you are implementing
+ Proxy ARP through entries in /etc/shorewall/proxyarp.
-
- maclist (Added in version
-1.3.10) - If this option is specified, all connection requests
-from this interface are subject to
+ maclist (Added in version
+ 1.3.10) - If this option is specified, all connection requests
+ from this interface are subject to MAC Verification. May only be specified
- for ethernet interfaces.
My recommendations concerning options:
-
- +
Example 1: You have a conventional firewall setup in which eth0 connects - to a Cable or DSL modem and eth1 connects to your local - network and eth0 gets its IP address via DHCP. You want - to check all packets entering from the internet against the - black list. Your /etc/shorewall/interfaces - file would be as follows:
- -+ to a Cable or DSL modem and eth1 connects to your + local network and eth0 gets its IP address via DHCP. You + want to check all packets entering from the internet against + the black list. Your /etc/shorewall/interfaces + file would be as follows: + ++- +- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,norfc1918,blacklist -- - - + +loc -eth1 -detect --
-+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +net +eth0 +detect +dhcp,norfc1918,blacklist ++ + + +loc +eth1 +detect ++
+
Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces - file would be:
- -+ file would be: + ++- +- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - + + +net -ppp0 --
--
-+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + +net +ppp0 ++
++
+
Example 3: You have local interface eth1 with two IP addresses - - 192.168.1.1/24 and 192.168.12.1/24
- -+ 192.168.1.1/24 and 192.168.12.1/24 + ++- +- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - + + +loc -eth1 -192.168.1.255,192.168.12.255 --
-+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + +loc +eth1 +192.168.1.255,192.168.12.255 ++
+
For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the purpose of the /etc/shorewall/hosts file.
- +WARNING: The only times that you need entries
in /etc/shorewall/hosts are:
-
Columns in this file are:
- ++ ++- +-
- +- An IP address - (example - eth1:192.168.1.3)
-- A subnet -in CIDR notation (example - -eth2:192.168.2.0/24)
- +- An IP +address (example - eth1:192.168.1.3)
+- A subnet + in CIDR notation (example +- eth2:192.168.2.0/24)
+The interface name much match an entry in /etc/shorewall/interfaces.
-
+ ++- + to set up handling for routing packets sent by this host group back +back to the same group.routeback (Added in version 1.4.2) - This option causes Shorewall - to set up handling for routing packets sent by this host group back back - to the same group.
-
-
- maclist - Added in version 1.3.10. If specified, connection - requests from the hosts specified in this entry are subject -to MAC Verification. This option is -only valid for ethernet interfaces.
-
+
+ maclist - Added in version 1.3.10. If specified, connection + requests from the hosts specified in this entry are subject + to MAC Verification. This option +is only valid for ethernet interfaces.
+ +
If you don't define any hosts for a zone, the hosts in the zone default - to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... - are the interfaces to the zone.
- + to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, + ... are the interfaces to the zone. +Note: You probably DON'T - want to specify any hosts for your internet zone since the hosts -that you specify will be the only ones that you will be able to access -without adding additional rules.
- + want to specify any hosts for your internet zone since the hosts + that you specify will be the only ones that you will be able to access + without adding additional rules. +Example 1:
- +Your local interface is eth1 and you have two groups of local hosts that - you want to make into separate zones:
- + you want to make into separate zones: +Your /etc/shorewall/interfaces file might look like:
- -+ ++- +- + -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,norfc1918 -- - - +- -eth1 -192.168.1.127,192.168.1.255 -
--
-+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +net +eth0 +detect +dhcp,norfc1918 ++ + + +- +eth1 +192.168.1.127,192.168.1.255 +
++
+
The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces - to multiple zones.
- + to multiple zones. +Your /etc/shorewall/hosts file might look like:
- +- +- + +- + -
-- -ZONE -HOST(S) -OPTIONS -- +loc1 -eth1:192.168.1.0/25 --
-+ ZONE +HOST(S) +OPTIONS +- - - +loc2 -eth1:192.168.1.128/25 --
-loc1 +eth1:192.168.1.0/25 ++ +
++ + + +loc2 +eth1:192.168.1.128/25 ++
+
Example 2:
- +Your local interface is eth1 and you have two groups of local hosts that - you want to consider as one zone and you want Shorewall to route between - them:
- + you want to consider as one zone and you want Shorewall to route between + them: +Your /etc/shorewall/interfaces file might look like:
- -+ ++- +- + -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,norfc1918 -- - - +loc -
-eth1 -192.168.1.127,192.168.1.255 -
--
-+ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +net +eth0 +detect +dhcp,norfc1918 ++ + + +loc +
+eth1 +192.168.1.127,192.168.1.255 +
++
+
Your /etc/shorewall/hosts file might look like:
- +- +- + +- + -
-- -ZONE -HOST(S) -OPTIONS -- +loc -eth1:192.168.1.0/25 --
-+ ZONE +HOST(S) +OPTIONS +- - - +loc -eth1:192.168.1.128/25 --
-loc +eth1:192.168.1.0/25 ++ +
++ + + +loc +eth1:192.168.1.128/25 ++
+
The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow you to define nested or overlapping zones. Such overlapping/nested zones are allowed and Shorewall processes zones in the order that they appear in the /etc/shorewall/zones file. So if you have nested zones, you want the sub-zone to appear before the super-zone and in the case of overlapping zones, the rules - that will apply to hosts that belong to both zones is determined - by which zone appears first in /etc/shorewall/zones.
- + that will apply to hosts that belong to both zones is determined + by which zone appears first in /etc/shorewall/zones. +Hosts that belong to more than one zone may be managed by the rules - of all of those zones. This is done through use of the - special CONTINUE policy described below.
- + of all of those zones. This is done through use of +the special CONTINUE policy described +below. +This file is used to describe the firewall policy regarding establishment - of connections. Connection establishment is described - in terms of clients who initiate connections and - servers who receive those connection requests. Policies - defined in /etc/shorewall/policy describe which zones are - allowed to establish connections with other zones.
- + of connections. Connection establishment is described + in terms of clients who initiate connections and + servers who receive those connection requests. +Policies defined in /etc/shorewall/policy describe which +zones are allowed to establish connections with other zones. +Policies established in /etc/shorewall/policy can be viewed as default - policies. If no rule in /etc/shorewall/rules applies - to a particular connection request then the policy from /etc/shorewall/policy - is applied.
- + policies. If no rule in /etc/shorewall/rules applies + to a particular connection request then the policy from + /etc/shorewall/policy is applied. +Four policies are defined:
- +For each policy specified in /etc/shorewall/policy, you can indicate - that you want a message sent to your system log each - time that the policy is applied.
- + that you want a message sent to your system log each + time that the policy is applied. +Entries in /etc/shorewall/policy have four columns as follows:
- +In the SOURCE and DEST columns, you can enter "all" to indicate all - zones.
- + zones. +The policy file installed by default is as follows:
- +- +- + +- + -
-- -SOURCE -DEST -POLICY -LOG LEVEL -LIMIT:BURST -- -loc -net -ACCEPT --
--
-- -net -all -DROP -info --
-- - - +all -all -REJECT -info --
-+ +SOURCE +DEST +POLICY +LOG LEVEL +LIMIT:BURST ++ +loc +net +ACCEPT ++
++
++ +net +all +DROP +info ++
++ + + +all +all +REJECT +info ++
+
This table may be interpreted as follows:
- +WARNING:
- +The firewall script processes the - /etc/shorewall/policy file from top to bottom and uses - the first applicable policy that it finds. For example, - in the following policy file, the policy for (loc, loc) connections - would be ACCEPT as specified in the first entry even though - the third entry in the file specifies REJECT.
- + /etc/shorewall/policy file from top to bottom and uses + the first applicable policy that it finds. For +example, in the following policy file, the policy for (loc, +loc) connections would be ACCEPT as specified in the first +entry even though the third entry in the file specifies REJECT. +- +- -- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -LIMIT:BURST -- -loc -all -ACCEPT --
--
-- -net -all -DROP -info --
-- - - -loc -loc -REJECT -info --
-
Any time that you have multiple interfaces associated with a single zone,
- you should ask yourself if you really want traffic routed between those
- interfaces. Cases where you might not want that behavior are:
-
Where zones are nested or overlapping , the - CONTINUE policy allows hosts that are within multiple -zones to be managed under the rules of all of these zones. -Let's look at an example:
- -/etc/shorewall/zones:
- --- -- -
-- -ZONE -DISPLAY -COMMENTS -- -sam -Sam -Sam's system at home -- -net -Internet -The Internet -- - - -loc -Loc -Local Network -
/etc/shorewall/interfaces:
- --- + + +- +
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -- -eth0 -detect -dhcp,norfc1918 -- - - +loc -eth1 -detect --
-SOURCE +DEST +POLICY +LOG LEVEL +LIMIT:BURST + ++ +loc +all +ACCEPT ++
++
++ +net +all +DROP +info ++
++ + + +loc +loc +REJECT +info ++
+
Any time that you have multiple interfaces associated with a single zone,
+ you should ask yourself if you really want traffic routed between those
+ interfaces. Cases where you might not want that behavior are:
+
Where zones are nested or overlapping , the + CONTINUE policy allows hosts that are within multiple + zones to be managed under the rules of all of these zones. + Let's look at an example:
+ +/etc/shorewall/zones:
+ +++ ++ +
++ +ZONE +DISPLAY +COMMENTS ++ +sam +Sam +Sam's system +at home ++ +net +Internet +The Internet ++ + + + +loc +Loc +Local Network +
/etc/shorewall/interfaces:
+ ++++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +- +eth0 +detect +dhcp,norfc1918 ++ + + + +loc +eth1 +detect ++
+
/etc/shorewall/hosts:
- +- +- + +- -
-- -ZONE -HOST(S) -OPTIONS -- -net -eth0:0.0.0.0/0 --
-- - - + +sam -eth0:206.191.149.197 --
-+ +ZONE +HOST(S) +OPTIONS ++ +net +eth0:0.0.0.0/0 ++
++ + + +sam +eth0:206.191.149.197 ++
+
Note that Sam's home system is a member of both the sam zone - and the net - zone and as described above , that - means that sam must be listed before net in /etc/shorewall/zones.
- + and the net + zone and as described above , that + means that sam must be listed before net in /etc/shorewall/zones. +/etc/shorewall/policy:
- +- +- + +- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -- -loc -net -ACCEPT --
-- -sam -all -CONTINUE --
-- -net -all -DROP -info -- - - + +all -all -REJECT -info -+ +SOURCE +DEST +POLICY +LOG LEVEL ++ +loc +net +ACCEPT ++
++ +sam +all +CONTINUE ++
++ +net +all +DROP +info ++ + + +all +all +REJECT +info +
The second entry above says that when Sam is the client, connection - requests should first be process under rules where the - source zone is sam and if there is no match then the - connection request should be treated under rules where the -source zone is net. It is important that this policy - be listed BEFORE the next policy (net to all).
- + requests should first be process under rules where + the source zone is sam and if there is no match then + the connection request should be treated under rules where + the source zone is net. It is important that this policy + be listed BEFORE the next policy (net to all). +Partial /etc/shorewall/rules:
- +- +- + +- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -... --
--
--
--
--
--
-- -DNAT -sam -loc:192.168.1.3 -tcp -ssh -- --
-- -DNAT -net -loc:192.168.1.5 -tcp -www -- --
-- - - + +... --
--
--
--
--
--
-+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +... ++
++
++
++
++
++
++ +DNAT +sam +loc:192.168.1.3 +tcp +ssh +- ++
++ +DNAT +net +loc:192.168.1.5 +tcp +www +- ++
++ + + +... ++
++
++
++
++
++
+
Given these two rules, Sam can connect to the firewall's internet interface - with ssh and the connection request will be forwarded - to 192.168.1.3. Like all hosts in the net zone, Sam - can connect to the firewall's internet interface on TCP -port 80 and the connection request will be forwarded to 192.168.1.5. - The order of the rules is not significant.
- + with ssh and the connection request will be forwarded + to 192.168.1.3. Like all hosts in the net zone, + Sam can connect to the firewall's internet interface on + TCP port 80 and the connection request will be forwarded to + 192.168.1.5. The order of the rules is not significant. +Sometimes it is necessary to suppress port forwarding - for a sub-zone. For example, suppose that all hosts - can SSH to the firewall and be forwarded to 192.168.1.5 -EXCEPT Sam. When Sam connects to the firewall's external IP, -he should be connected to the firewall itself. Because of the -way that Netfilter is constructed, this requires two rules as -follows:
- -+ for a sub-zone. For example, suppose that all hosts + can SSH to the firewall and be forwarded to 192.168.1.5 + EXCEPT Sam. When Sam connects to the firewall's external IP, + he should be connected to the firewall itself. Because of the + way that Netfilter is constructed, this requires two rules + as follows: + ++- +- - - + + +
- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- --
--
--
--
--
--
--
-- -... --
--
--
--
--
--
-- -DNAT -sam -fw -tcp -ssh -- --
-- -DNAT -net!sam -loc:192.168.1.3 -tcp -ssh -- --
-- - - + +... --
--
--
--
--
--
-+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ ++
++
++
++
++
++
++
++ +... ++
++
++
++
++
++
++ +DNAT +sam +fw +tcp +ssh +- ++
++ +DNAT +net!sam +loc:192.168.1.3 +tcp +ssh +- ++
++ + + +... ++
++
++
++
++
++
+
The first rule allows Sam SSH access to the firewall. The second rule says that any clients from the net zone - with the exception of those in the 'sam' -zone should have their connection -port forwarded to 192.168.1.3. If -you need to exclude more than -one zone in this way, you - can list the zones separated by commas - (e.g., net!sam,joe,fred). This technique also - may be used when the ACTION is REDIRECT.
- + with the exception of those in the 'sam' + zone should have their connection + port forwarded to 192.168.1.3. +If you need to exclude more +than one zone in this way, you + can list the zones separated by + commas (e.g., net!sam,joe,fred). This technique +also may be used when the ACTION +is REDIRECT. +The /etc/shorewall/rules file defines exceptions to the policies established
- in the /etc/shorewall/policy file. There is one entry
- in /etc/shorewall/rules for each of these rules.
-
Shorewall automatically enables firewall->firewall traffic over the
- loopback interface (lo) -- that traffic cannot be regulated
- using rules and any rule that tries to regulate such traffic
-will generate a warning and will be ignored.
-
Entries in the file have the following columns:
- +The ACTION may optionally be followed by ":" and a syslog level (example: REJECT:info). This
causes the packet to be logged at the specified level prior to being
processed according to the specified ACTION. Note: if the ACTION
is LOG then you MUST specify a syslog level.
-
- The use of DNAT or REDIRECT
-requires that you have NAT enabled.
-
Example 1. You wish to forward all - ssh connection requests from the internet to local -system 192.168.1.3.
- + ssh connection requests from the internet to local + system 192.168.1.3. +- +- + +- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- - - + +DNAT -net -loc:192.168.1.3 -tcp -ssh --
--
-+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ + + +DNAT +net +loc:192.168.1.3 +tcp +ssh ++
++
+
Example 2. You want to redirect all local www connection requests - EXCEPT - those to your own http server (206.124.146.177) - to a Squid transparent proxy running - on the firewall and listening on port 3128. Squid will of -course require access to remote web servers. This example shows yet - another use for the ORIGINAL - DEST column; here, connection - requests that were NOT - (notice the "!") originally + EXCEPT + those to your own http server (206.124.146.177) + to a Squid transparent proxy +running on the firewall and listening on port 3128. Squid will + of course require access to remote web servers. This example shows +yet another use for the ORIGINAL + DEST column; here, connection + requests that were NOT + (notice the "!") originally destined to 206.124.146.177 are redirected to local port 3128.
- +- +- + +- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -REDIRECT -loc -3128 -tcp -www -- -
-!206.124.146.177 -- - - + +ACCEPT -fw -net -tcp -www --
--
-+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +REDIRECT +loc +3128 +tcp +www +- +
+!206.124.146.177 ++ + + +ACCEPT +fw +net +tcp +www ++
++
+
Example 3. You want to run a web server at 155.186.235.222 in your DMZ and have it accessible remotely and locally. the DMZ is managed by Proxy ARP or by classical sub-netting.
- +- +- + +- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -ACCEPT -net -dmz:155.186.235.222 -tcp -www -- --
-- - - + +ACCEPT -loc -dmz:155.186.235.222 -tcp -www --
--
-+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +ACCEPT +net +dmz:155.186.235.222 +tcp +www +- ++
++ + + +ACCEPT +loc +dmz:155.186.235.222 +tcp +www ++
++
+
Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded
- DMZ. Your internet interface address is 155.186.235.151
- and you want the FTP server to be accessible from the internet
- in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24
- subnetworks. Note that since the server is in the 192.168.2.0/24
- subnetwork, we can assume that access to the server from that
- subnet will not involve the firewall (but see FAQ 2). Note that unless you
have more than one external IP address,
you can leave the ORIGINAL DEST column
@@ -1632,462 +1700,518 @@ in the second rule though
clearly not what you want
- .
- +- + +- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -DNAT -net -dmz:192.168.2.2 -tcp -ftp --
--
-- - - + +DNAT -loc:192.168.1.0/24 -dmz:192.168.2.2 -tcp -ftp -- -155.186.235.151 -+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +DNAT +net +dmz:192.168.2.2 +tcp +ftp ++
++
++ + + +DNAT +loc:192.168.1.0/24 +dmz:192.168.2.2 +tcp +ftp +- +155.186.235.151 +
If you are running wu-ftpd, you should restrict the range of passive in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions - so I use port range 65500-65535. In /etc/ftpaccess, - this entry is appropriate:
- -+ so I use port range 65500-65535. In /etc/ftpaccess, + this entry is appropriate: + ++- +passive ports 0.0.0.0/0 65500 65534
-
If you are running pure-ftpd, you would include "-p 65500:65534" on - the pure-ftpd runline.
- + the pure-ftpd runline. +The important point here is to ensure that the port range used for FTP - passive connections is unique and will not overlap with - any usage on the firewall system.
- + passive connections is unique and will not overlap + with any usage on the firewall system. +Example 5. You wish to allow unlimited DMZ access to the host with MAC address 02:00:08:E3:FA:55.
- +- +- - Example 6. You wish to allow access to the SMTP -server in your DMZ from all zones.- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- - - -ACCEPT -loc:~02-00-08-E3-FA-55 -dmz -all --
--
--
-
-- Example 7 (For advanced users running Shorewall - version 1.3.13 or later). From the internet, you with to -forward tcp port 25 directed to 192.0.2.178 and 192.0.2.179 to -host 192.0.2.177 in your DMZ. You also want to allow access from -the internet directly to tcp port 25 on 192.0.2.177.- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- - - -ACCEPT -
-all -
-dmz -
-tcp -
-25 -
--
--
-
- Note: When 'all' is used as a source or -destination, intra-zone traffic is not affected. In this example, -if there were two DMZ interfaces then the above rule would NOT -enable SMTP traffic between hosts on these interfaces.
-
-- Using "DNAT-" rather than "DNAT" avoids two -extra copies of the third rule from being generated.-
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- -DNAT- -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
-0 -
-192.0.2.178 -
-- -DNAT- -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
-0 -
-192.0.2.179 -
-- - - +ACCEPT -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
--
--
-+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ + + +ACCEPT +loc:~02-00-08-E3-FA-55 +dmz +all ++
++
++
+
++ Example 7. Your firewall's external + interface has several IP addresses but you only want to accept SSH connections + on address 206.124.146.176.+ +
++ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ + + + +ACCEPT +
+all +
+dmz +
+tcp +
+25 +
++
++
+
+ Note: When 'all' is used as a source + or destination, intra-zone traffic is not affected. In this + example, if there were two DMZ interfaces then the above rule + would NOT enable SMTP traffic between hosts on these interfaces.
+
++ Example 8 (For advanced users running Shorewall version 1.3.13 + or later). From the internet, you with to forward tcp port + 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 + in your DMZ. You also want to allow access from the internet directly + to tcp port 25 on 192.0.2.177.+ +
++ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ + + + +ACCEPT +
+net +
+fw:206.124.146.176 +
+tcp +
+22 +
++
++
+
++ Using "DNAT-" rather than "DNAT" avoids +two extra copies of the third rule from being generated.+ +
++ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ +DNAT- +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
+0 +
+192.0.2.178 +
++ +DNAT- +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
+0 +
+192.0.2.179 +
++ + + + +ACCEPT +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
++
++
+
Look here for information on other services.
- +Shorewall allows definition of rules that apply between - all zones. By default, these rules - are defined in the file - /etc/shorewall/common.def - but may be modified to - suit individual - requirements. Rather than modify /etc/shorewall/common.def, - you should copy that - file to - /etc/shorewall/common - and modify that file.
- + all zones. By default, these rules + are defined in the file + /etc/shorewall/common.def + but may be modified to + suit individual + requirements. Rather than modify /etc/shorewall/common.def, + you should copy that + file to + /etc/shorewall/common + and modify that file. +The /etc/shorewall/common - file is expected to contain iptables - commands; rather than - running iptables - directly, you should run - it indirectly using the - Shorewall function 'run_iptables'. - That way, if iptables encounters - an error, the firewall will be safely - stopped.
- + file is expected to contain iptables + commands; rather than + running iptables + directly, you should run + it indirectly using the + Shorewall function 'run_iptables'. + That way, if iptables encounters + an error, the firewall will be safely + stopped. +The /etc/shorewall/masq file is used to define classical IP Masquerading - and Source Network Address Translation (SNAT). There -is one entry in the file for each subnet that you want to -masquerade. In order to make use of this feature, you must have -NAT enabled .
- + and Source Network Address Translation (SNAT). There + is one entry in the file for each subnet that you want +to masquerade. In order to make use of this feature, you must + have NAT enabled . +Columns are:
- +Example 1: You have eth0 connected to a cable modem and eth1 - connected to your local subnetwork 192.168.9.0/24. -Your /etc/shorewall/masq file would look like:
- -+ connected to your local subnetwork 192.168.9.0/24. + Your /etc/shorewall/masq file would look like: + ++- +- -
-- -INTERFACE -SUBNET -ADDRESS -- - - + +eth0 -192.168.9.0/24 --
-+ +INTERFACE +SUBNET +ADDRESS ++ + + +eth0 +192.168.9.0/24 ++
+
Example 2: You have a number of IPSEC tunnels through ipsec0 - and you want to masquerade traffic from your 192.168.9.0/24 - subnet to the remote subnet 10.1.0.0/16 only.
- -+ and you want to masquerade traffic from your 192.168.9.0/24 + subnet to the remote subnet 10.1.0.0/16 only. + ++- +- -
-- -INTERFACE -SUBNET -ADDRESS -- - - + +ipsec0:10.1.0.0/16 -192.168.9.0/24 --
-+ +INTERFACE +SUBNET +ADDRESS ++ + + +ipsec0:10.1.0.0/16 +192.168.9.0/24 ++
+
Example 3: You have a DSL line connected on eth0 and a local - network (192.168.10.0/24) -connected to eth1. You want all local->net - connections to use - source address - 206.124.146.176.
- -+ network (192.168.10.0/24) + connected to eth1. You want all local->net + connections to use + source address + 206.124.146.176. + ++- +- -
-- -INTERFACE -SUBNET -ADDRESS -- - - + +eth0 -192.168.10.0/24 -206.124.146.176 -+ +INTERFACE +SUBNET +ADDRESS ++ + + +eth0 +192.168.10.0/24 +206.124.146.176 +
Example 4: Same as example 3 except that - you wish to exclude 192.168.10.44 - and 192.168.10.45 from - the SNAT rule.
- -+ you wish to exclude +192.168.10.44 and 192.168.10.45 from + the SNAT rule. + ++- Example 5 (Shorewall version >= 1.3.14): You have - a second IP address (206.124.146.177) assigned to you and wish to - use it for SNAT of the subnet 192.168.12.0/24. You want to give that - address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.- -
-- -INTERFACE -SUBNET -ADDRESS -- - - + +eth0 -192.168.10.0/24!192.168.10.44,192.168.10.45 -206.124.146.176 -+ +INTERFACE +SUBNET +ADDRESS ++ + + +eth0 +192.168.10.0/24!192.168.10.44,192.168.10.45 +206.124.146.176 +
- -++ Example 5 (Shorewall version >= 1.3.14): You + have a second IP address (206.124.146.177) assigned to you and wish + to use it for SNAT of the subnet 192.168.12.0/24. You want to give + that address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes +in /etc/shorewall/shorewall.conf.
+ +- +- -
-- -INTERFACE -SUBNET -ADDRESS -- - - + +eth0:0 -192.168.12.0/24 -206.124.146.177 -+ +INTERFACE +SUBNET +ADDRESS ++ + + +eth0:0 +192.168.12.0/24 +206.124.146.177 +
If you want to use proxy ARP on an entire sub-network, - I suggest that you -look at http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. - If you decide to use the technique - described in that - HOWTO, you can set - the proxy_arp flag - for an interface - (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) - by including the proxyarp + If you decide to use the technique + described in that + HOWTO, you can set + the proxy_arp flag + for an interface + (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + by including the proxyarp option in the interface's record in /etc/shorewall/interfaces. When using Proxy ARP - sub-netting, you do NOT include - any entries in -/etc/shorewall/proxyarp.
- + sub-netting, you do NOT include + any entries in + /etc/shorewall/proxyarp. +The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is typically used for @@ -2096,783 +2220,807 @@ small set of systems since you need one entry in this file for each system using proxy ARP. Columns - are:
- + are: +Note: After you have made a change to the /etc/shorewall/proxyarp - file, you may need to flush the ARP cache of all routers - on the LAN segment connected to the interface specified in - the EXTERNAL column of the change/added entry(s). If you are - having problems communicating between an individual host -(A) on that segment and a system whose entry has changed, you -may need to flush the ARP cache on host A as well.
- + file, you may need to flush the ARP cache of all routers + on the LAN segment connected to the interface specified +in the EXTERNAL column of the change/added entry(s). If you +are having problems communicating between an individual +host (A) on that segment and a system whose entry has changed, +you may need to flush the ARP cache on host A as well. +ISPs typically have ARP configured with long TTL (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump -nei <external interface> host <IP addr>"), it may take a long while to time out. I personally have had to contact my ISP and ask them to delete a stale entry in order to restore a system to working order after changing my proxy ARP settings.
- +Example: You have public IP addresses 155.182.235.0/28. You - configure your firewall as follows:
- + configure your firewall as follows: +In your DMZ, you want to install a Web/FTP server with public address - 155.186.235.4. On the Web server, you subnet just like - the firewall's eth0 and you configure 155.186.235.1 as - the default gateway. In your /etc/shorewall/proxyarp file, - you will have:
- -+ 155.186.235.4. On the Web server, you subnet just +like the firewall's eth0 and you configure 155.186.235.1 +as the default gateway. In your /etc/shorewall/proxyarp file, + you will have: + ++- +- -
-- -ADDRESS -INTERFACE -EXTERNAL -HAVEROUTE -- - - + +155.186.235.4 -eth2 -eth0 -No -+ +ADDRESS +INTERFACE +EXTERNAL +HAVEROUTE ++ + + +155.186.235.4 +eth2 +eth0 +No +
Note: You may want to configure the servers in your DMZ with a subnet - that is smaller than the subnet of your internet interface. - See the Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) - for details. In this case you will want to place "Yes" - in the HAVEROUTE column.
- + for details. In this case you will want to place "Yes" + in the HAVEROUTE column. +Warning: Do not use Proxy ARP and FreeS/Wan on the same system unless you are prepared to suffer the consequences. If you start or restart Shorewall with an IPSEC tunnel active, - the proxied IP addresses are mistakenly assigned to the -IPSEC tunnel device (ipsecX) rather than to the interface -that you specify in the INTERFACE column of /etc/shorewall/proxyarp. - I haven't had the time to debug this problem so I can't say if -it is a bug in the Kernel or in FreeS/Wan.
- + the proxied IP addresses are mistakenly assigned to the + IPSEC tunnel device (ipsecX) rather than to the interface + that you specify in the INTERFACE column of /etc/shorewall/proxyarp. + I haven't had the time to debug this problem so I can't say if + it is a bug in the Kernel or in FreeS/Wan. +You might be able to work around this problem using the following - (I haven't tried it):
- + (I haven't tried it): +In /etc/shorewall/init, include:
- +qt service ipsec stop
- +In /etc/shorewall/start, include:
- +qt service ipsec start
- +The /etc/shorewall/nat file is used to define static NAT. There is one - entry in the file for each static NAT relationship -that you wish to define. In order to make use of this feature, - you must have NAT enabled .
- + entry in the file for each static NAT relationship + that you wish to define. In order to make use of this +feature, you must have NAT enabled . +IMPORTANT: If all you want to do - is forward ports -to servers behind your firewall, you - do NOT want to use - static NAT. Port - forwarding can be - accomplished - with simple entries in - the rules - file. Also, in most - cases - Proxy ARP - provides a - superior solution - to static NAT because - the internal -systems -are accessed using the same IP address internally - and externally.
- + is forward ports + to servers behind your firewall, + you do NOT want to use + static NAT. Port + forwarding can + be accomplished + with simple entries in + the + rules file. Also, in most + cases Proxy ARP + provides a + superior solution + to static NAT + because the + internal systems + are accessed using the same IP + address internally and externally. +Columns in an entry are:
- +Look here for additional information and an example. -
- + +The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP, - OpenVPN, PPTP and - 6to4.tunnels with end-points on your firewall. To use ipsec, you - must install version 1.9, 1.91 or the current OpenVPN, PPTP +and 6to4.tunnels with end-points on your firewall. To use ipsec, + you must install version 1.9, 1.91 or the current FreeS/WAN development snapshot.
- +Note: For kernels 2.4.4 and above, you will need to use version 1.91 - or a development snapshot as patching with version -1.9 results in kernel compilation errors.
- + or a development snapshot as patching with version + 1.9 results in kernel compilation errors. +Instructions for setting up IPSEC tunnels may - be found here, instructions - for IPIP and GRE tunnels are here, instructions + for IPIP and GRE tunnels are here, instructions for OpenVPN tunnels are here, instructions for PPTP tunnels are here - and instructions for 6to4 tunnels are here.
- + and instructions for 6to4 tunnels are here. +This file is used to set the following firewall parameters:
- +Rules not meeting those criteria will continue to generate an individual - rule for each listed port or port range.
-The file /etc/shorewall/modules contains commands for loading the kernel - modules required by Shorewall-defined firewall rules. - Shorewall will source this file during start/restart provided - that it exists and that the directory specified by the MODULESDIR - parameter exists (see /etc/shorewall/shorewall.conf - above).
- + modules required by Shorewall-defined firewall rules. + Shorewall will source this file during start/restart + provided that it exists and that the directory specified + by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf + above). +The file that is released with Shorewall calls the Shorewall function - "loadmodule" for the set of modules that I load.
- + "loadmodule" for the set of modules that I load. +The loadmodule function is called as follows:
- -+ ++- + <module parameters> ] +loadmodule <modulename> [ - <module parameters> ]
-
where
- -+ +++<modulename>
- -+ +++- +is the name of the modules without the trailing ".o" (example ip_conntrack).
-<module parameters>
- -+ +- ++-Optional parameters to the insmod utility.
-
The function determines if the module named by <modulename> - is already loaded and if not then the function - determines if the ".o" file corresponding to the module - exists in the moduledirectory; if so, then the -following command is executed:
- -+ is already loaded and if not then the function + determines if the ".o" file corresponding to the module + exists in the moduledirectory; if so, then the + following command is executed: + ++- + parameters> +insmod moduledirectory/<modulename>.o <module - parameters>
-
If the file doesn't exist, the function determines of the ".o.gz" file corresponding to the module exists in the moduledirectory. If it does, the function assumes that the running configuration supports compressed - modules and execute the following command:
- -+ modules and execute the following command: + ++- + parameters> +insmod moduledirectory/<modulename>.o.gz <module - parameters>
-
The /etc/shorewall/tos file allows you to set the Type of Service field - in packet headers based on packet source, packet destination, - protocol, source port and destination port. In order - for this file to be processed by Shorewall, you must have - mangle support enabled .
- + in packet headers based on packet source, packet + destination, protocol, source port and destination + port. In order for this file to be processed by Shorewall, + you must have mangle support enabled + . +Entries in the file have the following columns:
- +-++ +++- + Maximize-Throughput + (8)+-Minimize-Delay (16)
-
- Maximize-Throughput (8)
- Maximize-Reliability (4)
- Minimize-Cost (2)
- Normal-Service (0)
+ Maximize-Reliability + (4)
+ Minimize-Cost (2)
+ Normal-Service (0) +
The /etc/shorewall/tos file that is included with Shorewall contains - the following entries.
- -+ the following entries. + ++- +- -
-- -SOURCE -DEST -PROTOCOL -SOURCE -
- PORT(S)DEST PORT(S) -TOS -- -all -all -tcp -- -ssh -16 -- -all -all -tcp -ssh -- -16 -- -all -all -tcp -- -ftp -16 -- -all -all -tcp -ftp -- -16 -- -all -all -tcp -- -ftp-data -8 -- - - + +all -all -tcp -ftp-data -- -8 -+ +SOURCE +DEST +PROTOCOL +SOURCE +
+ PORT(S)DEST PORT(S) +TOS ++ +all +all +tcp +- +ssh +16 ++ +all +all +tcp +ssh +- +16 ++ +all +all +tcp +- +ftp +16 ++ +all +all +tcp +ftp +- +16 ++ +all +all +tcp +- +ftp-data +8 ++ + + +all +all +tcp +ftp-data +- +8 +
WARNING: Users have reported that odd routing problems result from - adding the ESP and AH protocols to the /etc/shorewall/tos - file.
- + adding the ESP and AH protocols to the /etc/shorewall/tos + file. +Each line in /etc/shorewall/blacklist contains an IP - address, a MAC address in Shorewall Format - or - subnet - address. Example:
- + address, a MAC address in Shorewall Format + or + subnet + address. Example: +130.252.100.69- +
206.124.146.0/24
Packets from
hosts
listed
@@ -2898,119 +3046,123 @@ with a colon (":") and either an IP address or an IP subnet.
are
checked against the
blacklist. The black list is designed to prevent listed
- hosts/subnets from accessing services on your
-network.
-
Beginning with Shorewall 1.3.8, the blacklist file has three columns:
-
Shorewall also has a dynamic blacklist - capability.
- + capability. +IMPORTANT: The Shorewall blacklist file is NOT - designed to police your users' web browsing -- to do that, - I suggest that you install and configure Squid (http://www.squid-cache.org).
- +This file lists the subnets affected by the norfc1918 - interface option. Columns in the file are:
- + interface option. Columns in the file are: +This file defines the hosts that are accessible from the firewall when - the firewall is stopped. Columns in the file are:
- + the firewall is stopped. Columns in the file are: +Example: When your firewall is stopped, you want firewall accessibility - from local hosts 192.168.1.0/24 and from your DMZ. Your - DMZ interfaces through eth1 and your local hosts through -eth2.
- -+ from local hosts 192.168.1.0/24 and from your DMZ. Your + DMZ interfaces through eth1 and your local hosts through + eth2. + ++- +- -
-- -INTERFACE -HOST(S) -- -eth2 -192.168.1.0/24 -- - - + +eth1 -- -+ +INTERFACE +HOST(S) ++ +eth2 +192.168.1.0/24 ++ + + +eth1 +- +
Updated 5/27/2003 - Tom Eastep -
- + +Updated 6/2/2003 - Tom Eastep +
+Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
+ |
Shorewall FAQs- |
-
1a. Ok -- I followed those instructions
- but it doesn't work.
-
1b. I'm still having problems with - port forwarding
- - - -3. I want to use Netmeeting - or MSN Instant Messenger with Shorewall. - What do I do?
- -4a. I just ran an nmap UDP scan
- of my firewall and it showed 100s of ports as
- open!!!!
-
5. I've installed Shorewall and now
- I can't ping through the firewall
-
- 15. My local systems can't see
-out to the net
6. Where are the log messages - written and how do I change the destination?
- -6a. Are there any log parsers - that work with Shorewall?
- -6b. DROP messages on port 10619 are flooding the logs with their connect
- requests. Can i exclude these error messages for this port temporarily
- from logging in Shorewall?
-
16. Shorewall is writing log messages
- all over my console making it unusable!
-
8. When I try to start Shorewall
- on RedHat I get messages about insmod failing
- -- what's wrong?
-
8a. When I try to start Shorewall
- on RedHat I get a message referring me to FAQ #8
-
9. Why can't Shorewall detect - my interfaces properly at startup?
- 22. I have - some iptables commands that I want to run when Shorewall - starts. Which file do I put them in?10. What distributions does - it work with?
- -11. What features does it -support?
- -12. Is there a GUI?
- -13. Why do you call it "Shorewall"?
- 23. Why do you -use such ugly fonts on your web site?1a. Ok -- I followed those instructions
+ but it doesn't work.
+
1b. I'm still having problems with + port forwarding
+ + + +3. I want to use Netmeeting + or MSN Instant Messenger with Shorewall. + What do I do?
+ +4a. I just ran an nmap UDP scan
+ of my firewall and it showed 100s of ports as
+ open!!!!
+
5. I've installed Shorewall and now
+ I can't ping through the firewall
+
+ 15. My local systems can't see
+ out to the net
6. Where are the log messages + written and how do I change the destination?
+ +6a. Are there any log parsers + that work with Shorewall?
+ +6b. DROP messages on port 10619 are flooding the logs with their connect
+ requests. Can i exclude these error messages for this port temporarily
+ from logging in Shorewall?
+
16. Shorewall is writing log messages
+ all over my console making it unusable!
+
8. When I try to start Shorewall
+ on RedHat I get messages about insmod failing
+ -- what's wrong?
+
8a. When I try to start Shorewall
+ on RedHat I get a message referring me to FAQ #8
+
9. Why can't Shorewall detect + my interfaces properly at startup?
+ 22. I +have some iptables commands that I want to run when +Shorewall starts. Which file do I put them in?10. What distributions does + it work with?
+ +11. What features does it support?
+ +12. Is there a GUI?
+ +13. Why do you call it "Shorewall"?
+ 23. Why do you +use such ugly fonts on your web site?Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format + href="Documentation.htm#Rules">rules file documentation shows how to + do port forwarding under Shorewall. The format of a port-forwarding rule to a local system is as follows:
- -+ ++ +- -- -
-- + +ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE + + + -ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT -ORIG. + ORIG. DEST. -- +DNAT -net -loc:<local + + - - +DNAT +net +loc:<local IP address>[:<local port>] -<protocol> -<port + <protocol> +<port #> --
--
-+
++
+So to forward UDP port 7777 to internal system 192.168.1.5, +
So to forward UDP port 7777 to internal system 192.168.1.5, the rule is:
- -+ +- -- -
-- +ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE + + + -ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT -ORIG. + ORIG. DEST. -- - - +DNAT -net -loc:192.168.1.5 -udp -7777 --
--
-+ + +DNAT +net +loc:192.168.1.5 +udp +7777 ++
++
+If - you want to forward requests directed to a particular address - ( <external IP> ) on your firewall to an internal + + +If + you want to forward requests directed to a particular address + ( <external IP> ) on your firewall to an internal system:- -+ ++ Finally, if you need to forward a range of ports, +in the PORT column specify the range as low-port:high-port.- Finally, if you need to forward a range of ports, in - the PORT column specify the range as low-port:high-port.- -
-- + +ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE + + + -ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT -ORIG. + ORIG. DEST. -- +DNAT -net -loc:<local + + - - +DNAT +net +loc:<local IP address>[:<local port>] -<protocol> -<port + <protocol> +<port #> -- -<external + - +<external IP> -
- -1a. Ok -- I followed those instructions - but it doesn't work
- -Answer: That is usually the result of one of three - things:
- --
- -- You are trying - to test from inside your firewall (no, that won't - work -- see FAQ #2).
-- You have -a more basic problem with your local system such as - an incorrect default gateway configured (it should be -set to the IP address of your firewall's internal interface).
-- Your ISP is blocking that particular port inbound.
- -
-1b. I'm still having problems with port - forwarding
- Answer: To further -diagnose this problem:
- --
- -- As root, type "iptables - -t nat -Z". This clears the NetFilter counters in the - nat table.
-- Try to connect to the - redirected port from an external host.
-- As root type "shorewall - show nat"
-- Locate the appropriate - DNAT rule. It will be in a chain called <source - zone>_dnat ('net_dnat' in the above examples).
-- Is the packet count -in the first column non-zero? If so, the connection -request is reaching the firewall and is being redirected to - the server. In this case, the problem is usually a missing - or incorrect default gateway setting on the server (the server's - default gateway should be the IP address of the firewall's - interface to the server).
-- If the packet count -is zero:
- --
- -- the connection request - is not reaching your server (possibly it is being blocked - by your ISP); or
-- you are trying to -connect to a secondary IP address on your firewall and -your rule is only redirecting the primary IP address (You need -to specify the secondary IP address in the "ORIG. DEST." column - in your DNAT rule); or
-- your DNAT rule doesn't - match the connection request in some other way. In -that case, you may have to use a packet sniffer such as tcpdump - or ethereal to further diagnose the problem.
- -
-1c. From the internet, I want - to connect to port 1022 on my firewall and have the firewall forward -the connection to port 22 on local system 192.168.1.3. How do I do that?
- --- ---- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE - PORT -ORIG. - DEST. -- - - -DNAT -net -
-loc:192.168.1.3:22 -tcp -1022 -
--
--
-2. I port forward www requests to www.mydomain.com - (IP 130.151.100.69) to system 192.168.1.5 in -my local network. External clients can browse http://www.mydomain.com - but internal clients can't.
- -Answer: I have two objections to this setup.
- --
+- Having an -internet-accessible server in your local network - is like raising foxes in the corner of your hen house. If -the server is compromised, there's nothing between that - server and your other internal systems. For the cost of -another NIC and a cross-over cable, you can put your server -in a DMZ such that it is isolated from your local systems - - assuming that the Server can be located near the Firewall, of course - :-)
-- The accessibility - problem is best solved using Bind Version 9 "views" - (or using a separate DNS server for local clients) such that www.mydomain.com - resolves to 130.141.100.69 externally and 192.168.1.5 - internally. That's what I do here at shorewall.net for my -local systems that use static NAT.
- -
-If you insist on an IP solution to the accessibility problem - rather than a DNS solution, then assuming that - your external interface is eth0 and your internal - interface is eth1 and that eth1 has IP address 192.168.1.254 - with subnet 192.168.1.0/24.
- -
-If you are running Shorewall 1.4.0 or earlier see the 1.3 FAQ for instructions suitable for -those releases.
- -
-If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please - upgrade to Shorewall 1.4.2 or later.
- -
-Otherwise:
- +
-1a. Ok -- I followed those instructions + but it doesn't work
+ +Answer: That is usually the result of one of three + things:
+- +
- + +- You are +trying to test from inside your firewall (no, that +won't work -- see FAQ #2).
+- You have +a more basic problem with your local system such as + an incorrect default gateway configured (it should be set +to the IP address of your firewall's internal interface).
+- Your ISP is blocking that particular port inbound.
+
+1b. I'm still having problems with port + forwarding
+ Answer: To further + diagnose this problem:
+- +
- -- As root, type "iptables + -t nat -Z". This clears the NetFilter counters in the + nat table.
+- Try to connect to +the redirected port from an external host.
+- As root type "shorewall + show nat"
+- Locate the appropriate + DNAT rule. It will be in a chain called <source + zone>_dnat ('net_dnat' in the above examples).
+- Is the packet count + in the first column non-zero? If so, the connection + request is reaching the firewall and is being redirected + to the server. In this case, the problem is usually a missing + or incorrect default gateway setting on the server (the server's + default gateway should be the IP address of the firewall's + interface to the server).
+- If the packet count + is zero:
+ ++
+- the connection request + is not reaching your server (possibly it is being blocked + by your ISP); or
+- you are trying to + connect to a secondary IP address on your firewall and + your rule is only redirecting the primary IP address (You +need to specify the secondary IP address in the "ORIG. DEST." +column in your DNAT rule); or
+- your DNAT rule doesn't + match the connection request in some other way. In that + case, you may have to use a packet sniffer such as tcpdump + or ethereal to further diagnose the problem.
+ +
+-
- -- In /etc/shorewall/interfaces:
- --- -- -
-- -ZONE -
-INTERFACE -
-BROADCAST -
-OPTIONS -
-- - - -loc -
-eth1 -
-detect -
-routeback -
-- -
- --
- -- In /etc/shorewall/rules:
- --- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- - - -DNAT -
-loc -web:192.168.1.5 -
-tcp -www -- -
-130.151.100.69:192.168.1.254 -
--- -That rule only works of course if you have a static external - IP address. If you have a dynamic IP address - and are running Shorewall 1.3.4 or later then include - this in /etc/shorewall/init:
--- -ETH0_IP=`find_interface_address eth0`--- -and make your DNAT rule:
--+ +1c. From the internet, I want + to connect to port 1022 on my firewall and have the firewall forward the + connection to port 22 on local system 192.168.1.3. How do I do that?
+ +++ ++ +- -
-- +ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE + + + -ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT -ORIG. + ORIG. DEST. -- - - +DNAT -loc -web:192.168.1.5 -tcp -www -- -$ETH0_IP:192.168.1.254 -+ + +DNAT +net +
+loc:192.168.1.3:22 +tcp +1022 +
++
++
+2. I port forward www requests to www.mydomain.com + (IP 130.151.100.69) to system 192.168.1.5 in my + local network. External clients can browse http://www.mydomain.com + but internal clients can't.
+ +Answer: I have two objections to this setup.
+ ++
+ +- Having an + internet-accessible server in your local network + is like raising foxes in the corner of your hen house. If + the server is compromised, there's nothing between +that server and your other internal systems. For the cost +of another NIC and a cross-over cable, you can put your + server in a DMZ such that it is isolated from your local systems + - assuming that the Server can be located near the Firewall, + of course :-)
+- The accessibility + problem is best solved using Bind Version 9 "views" + (or using a separate DNS server for local clients) such that www.mydomain.com + resolves to 130.141.100.69 externally and 192.168.1.5 +internally. That's what I do here at shorewall.net for my +local systems that use static NAT.
+ +If you insist on an IP solution to the accessibility problem + rather than a DNS solution, then assuming that + your external interface is eth0 and your internal + interface is eth1 and that eth1 has IP address 192.168.1.254 + with subnet 192.168.1.0/24.
+ +
+If you are running Shorewall 1.4.0 or earlier see the 1.3 FAQ for instructions suitable for those +releases.
+ +
+If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please + upgrade to Shorewall 1.4.2 or later.
+ +
+Otherwise:
+ +
++ +
+ ++ +
+ ++
+ +- In /etc/shorewall/interfaces:
+ +++ ++ +
++ +ZONE +
+INTERFACE +
+BROADCAST +
+OPTIONS +
++ + + +loc +
+eth1 +
+detect +
+routeback +
++ +
+ ++
+ +- In /etc/shorewall/rules:
+ +++ ++ +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ + + +DNAT +
+loc +web:192.168.1.5 +
+tcp +www +- +
+130.151.100.69:192.168.1.254 +
++- -That rule only works of course if you have a static external + IP address. If you have a dynamic IP address + and are running Shorewall 1.3.4 or later then include + this in /etc/shorewall/init:
-- -Using this technique, you will want to configure your DHCP/PPPoE - client to automatically restart Shorewall each - time that you get a new IP address.
-2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 - addresses to hosts in Z. Hosts in Z cannot communicate - with each other using their external (non-RFC1918 addresses) + +
++ +ETH0_IP=`find_interface_address eth0`+++ +and make your DNAT rule:
+++ ++++ +
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE + PORT +ORIG. + DEST. ++ + + +DNAT +loc +web:192.168.1.5 +tcp +www +- +$ETH0_IP:192.168.1.254 +++ +Using this technique, you will want to configure your DHCP/PPPoE + client to automatically restart Shorewall each + time that you get a new IP address.
+2a. I have a zone "Z" with an RFC1918 + subnet and I use static NAT to assign non-RFC1918 + addresses to hosts in Z. Hosts in Z cannot communicate + with each other using their external (non-RFC1918 addresses) so they can't access each other using their DNS names.
- -Answer: This is another problem that is best solved - using Bind Version 9 "views". It allows both -external and internal clients to access a NATed -host using the host's DNS name.
- -Another good way to approach this problem is to switch from - static NAT to Proxy ARP. That way, the hosts -in Z have non-RFC1918 addresses and can be accessed + +
Answer: This is another problem that is best solved + using Bind Version 9 "views". It allows both external + and internal clients to access a NATed host using + the host's DNS name.
+ +Another good way to approach this problem is to switch from + static NAT to Proxy ARP. That way, the hosts +in Z have non-RFC1918 addresses and can be accessed externally and internally using the same address.
- -If you don't like those solutions and prefer routing all Z->Z -traffic through your firewall then:
- + +If you don't like those solutions and prefer routing all +Z->Z traffic through your firewall then:
+a) Set the Z->Z policy to ACCEPT.
- + b) Masquerade +Z to itself.
- b) Masquerade Z -to itself.
-
- Example:
+
+ Example: +Zone: dmz
- + Interface: eth2
- Interface: eth2
- Subnet: 192.168.2.0/24
+ Subnet: 192.168.2.0/24 +In /etc/shorewall/interfaces:
- -+ ++- +- + +
-+ ZONE +INTERFACE +BROADCAST +OPTIONS +- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - +dmz -eth2 -192.168.2.255 --
-dmz +eth2 +192.168.2.255 ++ + +
+In /etc/shorewall/policy:
- -+ ++- +- -
-- +SOURCE + + + -SOURCE -DESTINATION -POLICY -LIMIT:BURST -- - - +dmz -dmz -ACCEPT --
-DESTINATION +POLICY +LIMIT:BURST ++ + +dmz +dmz +ACCEPT ++
+In /etc/shorewall/masq:
- -+ ++ +- -
+- + + +INTERFACE -SUBNET -ADDRESS ++ + + +eth2 +192.168.2.0/24 ++
+3. I want to use Netmeeting or MSN Instant + Messenger with Shorewall. What do I do?
+ +Answer: There is an H.323 connection + tracking/NAT module that may help with Netmeeting. + Look here for a + solution for MSN IM but be aware that there are significant security + risks involved with this solution. Also check the Netfilter mailing + list archives at http://www.netfilter.org. +
+ +4. I just used an online port scanner + to check my firewall and it shows some ports + as 'closed' rather than 'blocked'. Why?
+ +Answer: The common.def included with version 1.3.x + always rejects connection requests on TCP port + 113 rather than dropping them. This is necessary + to prevent outgoing connection problems to services + that use the 'Auth' mechanism for identifying requesting + users. Shorewall also rejects TCP ports 135, 137 and 139 + as well as UDP ports 137-139. These are ports that are used + by Windows (Windows can be configured to use the DCE cell +locator on port 135). Rejecting these connection requests rather +than dropping them cuts down slightly on the amount of Windows chatter + on LAN segments connected to the Firewall.
+ +If you are seeing port 80 being 'closed', that's probably + your ISP preventing you from running a web +server in violation of your Service Agreement.
+ +4a. I just ran an nmap UDP scan of my + firewall and it showed 100s of ports as open!!!!
+ +Answer: Take a deep breath and read the nmap man page + section about UDP scans. If nmap gets nothing + back from your firewall then it reports the port + as open. If you want to see which UDP ports are really +open, temporarily change your net->all policy to REJECT, + restart Shorewall and do the nmap UDP scan again.
+ +
+4b. I have a port that I can't close no matter how + I change my rules.
+ I had a rule that allowed telnet from my local network to my firewall; +I removed that rule and restarted Shorewall but my telnet session still works!!!
+
+ Answer: Rules only govern the establishment of new connections. + Once a connection is established through the firewall it will be usable +until disconnected (tcp) or until it times out (other protocols). If you +stop telnet and try to establish a new session your firerwall will block +that attempt.
+ +5. I've installed Shorewall and now I + can't ping through the firewall
+ +Answer: If you want your firewall to be totally open + for "ping",
+ +a) Create /etc/shorewall/common if it doesn't already exist. +
+ +
+ b) Be sure that + the first command in the file is ". /etc/shorewall/common.def"
+ c) Add the following + to /etc/shorewall/common++ For a complete description of Shorewall + 'ping' management, see this page. + +run_iptables -A icmpdef -p ICMP --icmp-type echo-request + -j ACCEPT
+
+6. Where are the log messages written + and how do I change the destination?
+ +Answer: NetFilter uses the kernel's equivalent of +syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) +facility (see "man openlog") and you get to choose the log level (again, +see "man syslog") in your policies + and rules. The destination for messaged + logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). + When you have changed /etc/syslog.conf, be sure + to restart syslogd (on a RedHat system, "service syslog + restart").
+ +By default, older versions of Shorewall ratelimited log messages + through settings + in /etc/shorewall/shorewall.conf -- If you want +to log all messages, set:
+ +++ +LOGLIMIT=""+ Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages + to a separate file.
LOGBURST=""
+6a. Are there any log parsers that work + with Shorewall?
+ +Answer: Here are several links that may be helpful: +
+ +++ I personnaly use Logwatch. It emails + me a report each day from my various systems with each report + summarizing the logged activity on the corresponding system. + +http://www.shorewall.net/pub/shorewall/parsefw/
+
+ http://www.fireparse.com
+ http://cert.uni-stuttgart.de/projects/fwlogwatch
+ http://www.logwatch.org
+ http://gege.org/iptables
+6b. DROP messages on port 10619 + are flooding the logs with their connect requests. Can + i exclude these error messages for this port temporarily from logging + in Shorewall?
+ Temporarily add the following rule:
+ +DROP net fw udp 10619+ +6c. All day long I get a steady flow + of these DROP messages from port 53 to some high numbered port. + They get dropped, but what the heck are they?
+ +Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00+ Answer: There are two possibilities:
SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00
TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
+ ++
+ You can distinguish the difference by setting +the logunclean option (/etc/shorewall/interfaces) + on your external interface (eth0 in the above example). If they get + logged twice, they are corrupted. I solve this problem by using + an /etc/shorewall/common file like this:- They are late-arriving replies to DNS queries.
+- They are corrupted reply packets.
+ +
+ +++ The above file is also include in all of my sample + configurations available in the Quick Start Guides and in + the common.def file in Shorewall 1.4.0 and later.#+
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+ +6d. Why is the MAC address in + Shorewall log messages so long? I thought MAC addresses were only + 6 bytes in length.
+ What is labeled as the MAC address in a Shorewall log message + is actually the Ethernet frame header. IT contains:
+ ++
+ Example:- the destination MAC address (6 bytes)
+- the source MAC address (6 bytes)
+- the ethernet frame type (2 bytes)
+ +
+
+ MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
+ ++
+ +- Destination MAC address = 00:04:4c:dc:e2:28
+- Source MAC address = 00:b0:8e:cf:3c:4c
+- Ethernet Frame Type = 08:00 (IP Version 4)
+ +7. When I stop Shorewall using 'shorewall + stop', I can't connect to anything. Why doesn't + that command work?
+ +The 'stop' command is intended to place your firewall into + a safe state whereby only those hosts listed in + /etc/shorewall/routestopped' are activated. If +you want to totally open up your firewall, you must use the +'shorewall clear' command.
+ +8. When I try to start Shorewall on RedHat, + I get messages about insmod failing -- what's wrong?
+ +Answer: The output you will see looks something like + this:
+ +/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy+ +
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.This is usually cured by the following sequence of commands: +
+ +++ +service ipchains stop+
chkconfig --delete ipchains
rmmod ipchains++ +Also, be sure to check the errata + for problems concerning the version of iptables + (v1.2.3) shipped with RH7.2.
+ +
+8a. When I try to start Shorewall on RedHat + I get a message referring me to FAQ #8
+ Answer: This is usually cured by the sequence of commands + shown above in FAQ #8 +9. Why can't Shorewall detect my interfaces + properly at startup?
+ +I just installed Shorewall and when I issue the start command, + I see the following:
+ +++ +Processing /etc/shorewall/params ...+
Processing /etc/shorewall/shorewall.conf ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...++ +Why can't Shorewall detect my interfaces properly?
+++ +Answer: The above output is perfectly normal. The +Net zone is defined as all hosts that are connected through eth0 and the +local zone is defined as all hosts connected through eth1
+10. What Distributions does it work + with?
+ +Shorewall works with any GNU/Linux distribution that includes + the proper prerequisites.
+ +11. What Features does it have?
+ +Answer: See the Shorewall + Feature List.
+ +12. Is there a GUI?
+ +Answer: Yes. Shorewall support is included in Webmin + 1.060 and later versions. See http://www.webmin.com +
+ +13. Why do you call it "Shorewall"?
+ +Answer: Shorewall is a concatenation of "Shoreline" + (the + city where I live) and "Firewall". The full + name of the product is actually "Shoreline Firewall" but "Shorewall" + is must more commonly used.
+ +14. I'm connected via a cable modem + and it has an internal web server that allows + me to configure/monitor it but as expected if I enable + rfc1918 blocking for my eth0 interface (the internet +one), it also blocks the cable modems web server.
+ +Is there any way it can add a rule before the rfc1918 blocking + that will let all traffic to and from the 192.168.100.1 + address of the modem in/out but still block all other + rfc1918 addresses?
+ +Answer: If you are running a version of Shorewall +earlier than 1.3.1, create /etc/shorewall/start and in it, place the +following:
+ +++ +run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT+++ +If you are running version 1.3.1 or later, simply add the + following to /etc/shorewall/rfc1918:
+++ ++++ +
++ +SUBNET + +TARGET ++ + + +192.168.100.1 +RETURN ++Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
+ +
+Note: If you add a second IP address to your external firewall + interface to correspond to the modem address, you + must also make an entry in /etc/shorewall/rfc1918 for + that address. For example, if you configure the address + 192.168.100.2 on your firewall, then you would add two entries + to /etc/shorewall/rfc1918:
+ +
++- -+ +
-+ SUBNET +
+TARGET
+- - - eth2 -192.168.2.0/24 --
-3. I want to use Netmeeting or MSN Instant - Messenger with Shorewall. What do I do?
- -Answer: There is an H.323 connection - tracking/NAT module that may help with Netmeeting. - Look here for -a solution for MSN IM but be aware that there are significant security - risks involved with this solution. Also check the Netfilter -mailing list archives at http://www.netfilter.org. -
- -4. I just used an online port scanner - to check my firewall and it shows some ports - as 'closed' rather than 'blocked'. Why?
- -Answer: The common.def included with version 1.3.x - always rejects connection requests on TCP -port 113 rather than dropping them. This is necessary - to prevent outgoing connection problems to services that - use the 'Auth' mechanism for identifying requesting users. - Shorewall also rejects TCP ports 135, 137 and 139 as well - as UDP ports 137-139. These are ports that are used by Windows - (Windows can be configured to use the DCE cell locator - on port 135). Rejecting these connection requests rather than -dropping them cuts down slightly on the amount of Windows chatter -on LAN segments connected to the Firewall.
- -If you are seeing port 80 being 'closed', that's probably - your ISP preventing you from running a web -server in violation of your Service Agreement.
- -4a. I just ran an nmap UDP scan of my - firewall and it showed 100s of ports as open!!!!
- -Answer: Take a deep breath and read the nmap man page - section about UDP scans. If nmap gets nothing - back from your firewall then it reports the port - as open. If you want to see which UDP ports are really open, - temporarily change your net->all policy to REJECT, - restart Shorewall and do the nmap UDP scan again.
- -
-4b. I have a port that I can't close no matter how - I change my rules.
- I had a rule that allowed telnet from my local network to my firewall; -I removed that rule and restarted Shorewall but my telnet session still -works!!!
-
- Answer: Rules only govern the establishment of new connections. -Once a connection is established through the firewall it will be usable until - disconnected (tcp) or until it times out (other protocols). If you stop -telnet and try to establish a new session your firerwall will block that -attempt.
- -5. I've installed Shorewall and now I - can't ping through the firewall
- -Answer: If you want your firewall to be totally open - for "ping",
- -a) Create /etc/shorewall/common if it doesn't already exist. -
- -
- b) Be sure that -the first command in the file is ". /etc/shorewall/common.def"
- c) Add the following - to /etc/shorewall/common-- For a complete description of Shorewall - 'ping' management, see this page. - -run_iptables -A icmpdef -p ICMP --icmp-type echo-request - -j ACCEPT
-
-6. Where are the log messages written - and how do I change the destination?
- -Answer: NetFilter uses the kernel's equivalent of syslog -(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility -(see "man openlog") and you get to choose the log level (again, see "man -syslog") in your policies and rules. The destination for messaged -logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). - When you have changed /etc/syslog.conf, be sure -to restart syslogd (on a RedHat system, "service syslog -restart").
- -By default, older versions of Shorewall ratelimited log messages - through settings - in /etc/shorewall/shorewall.conf -- If you want -to log all messages, set:
- --- -LOGLIMIT=""- Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages - to a separate file.
LOGBURST=""
-6a. Are there any log parsers that work - with Shorewall?
- -Answer: Here are several links that may be helpful: -
- --- I personnaly use Logwatch. It emails - me a report each day from my various systems with each report - summarizing the logged activity on the corresponding system. - -http://www.shorewall.net/pub/shorewall/parsefw/
-
- http://www.fireparse.com
- http://cert.uni-stuttgart.de/projects/fwlogwatch
- http://www.logwatch.org
- http://gege.org/iptables
-6b. DROP messages on port 10619 - are flooding the logs with their connect requests. Can - i exclude these error messages for this port temporarily from logging - in Shorewall?
- Temporarily add the following rule:
- -DROP net fw udp 10619- -6c. All day long I get a steady flow - of these DROP messages from port 53 to some high numbered port. - They get dropped, but what the heck are they?
- -Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00- Answer: There are two possibilities:
SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00
TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
- --
- You can distinguish the difference by setting the - logunclean option (/etc/shorewall/interfaces) - on your external interface (eth0 in the above example). If they get - logged twice, they are corrupted. I solve this problem by using an - /etc/shorewall/common file like this:- They are late-arriving replies to DNS queries.
-- They are corrupted reply packets.
- -
- --- The above file is also include in all of my sample - configurations available in the Quick Start Guides and in - the common.def file in Shorewall 1.4.0 and later.#-
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
- -6d. Why is the MAC address in - Shorewall log messages so long? I thought MAC addresses were only - 6 bytes in length.
- What is labeled as the MAC address in a Shorewall log message - is actually the Ethernet frame header. IT contains:
- --
- Example:- the destination MAC address (6 bytes)
-- the source MAC address (6 bytes)
-- the ethernet frame type (2 bytes)
- -
-
- MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
- --
- -- Destination MAC address = 00:04:4c:dc:e2:28
-- Source MAC address = 00:b0:8e:cf:3c:4c
-- Ethernet Frame Type = 08:00 (IP Version 4)
- -7. When I stop Shorewall using 'shorewall - stop', I can't connect to anything. Why doesn't - that command work?
- -The 'stop' command is intended to place your firewall into - a safe state whereby only those hosts listed -in /etc/shorewall/routestopped' are activated. -If you want to totally open up your firewall, you must use -the 'shorewall clear' command.
- -8. When I try to start Shorewall on RedHat, - I get messages about insmod failing -- what's wrong?
- -Answer: The output you will see looks something like - this:
- -/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy- -
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.This is usually cured by the following sequence of commands: -
- --- -service ipchains stop-
chkconfig --delete ipchains
rmmod ipchains-- -Also, be sure to check the errata - for problems concerning the version of iptables - (v1.2.3) shipped with RH7.2.
- -
-8a. When I try to start Shorewall on RedHat - I get a message referring me to FAQ #8
- Answer: This is usually cured by the sequence of commands - shown above in FAQ #8 -9. Why can't Shorewall detect my interfaces - properly at startup?
- -I just installed Shorewall and when I issue the start command, - I see the following:
- --- -Processing /etc/shorewall/params ...-
Processing /etc/shorewall/shorewall.conf ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...-- -Why can't Shorewall detect my interfaces properly?
--- -Answer: The above output is perfectly normal. The Net - zone is defined as all hosts that are connected through eth0 and the local - zone is defined as all hosts connected through eth1
-10. What Distributions does it work - with?
- -Shorewall works with any GNU/Linux distribution that includes - the proper prerequisites.
- -11. What Features does it have?
- -Answer: See the Shorewall - Feature List.
- -12. Is there a GUI?
- -Answer: Yes. Shorewall support is included in Webmin - 1.060 and later versions. See http://www.webmin.com -
- -13. Why do you call it "Shorewall"?
- -Answer: Shorewall is a concatenation of "Shoreline" - (the - city where I live) and "Firewall". The full - name of the product is actually "Shoreline Firewall" but "Shorewall" - is must more commonly used.
- -14. I'm connected via a cable modem - and it has an internal web server that allows - me to configure/monitor it but as expected if I -enable rfc1918 blocking for my eth0 interface (the internet -one), it also blocks the cable modems web server.
- -Is there any way it can add a rule before the rfc1918 blocking - that will let all traffic to and from the 192.168.100.1 - address of the modem in/out but still block all other - rfc1918 addresses?
- -Answer: If you are running a version of Shorewall earlier -than 1.3.1, create /etc/shorewall/start and in it, place the following:
- --- -run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT--- -If you are running version 1.3.1 or later, simply add the - following to /etc/shorewall/rfc1918:
--- ---- -
-- -SUBNET - -TARGET -- - - -192.168.100.1 -RETURN --- -Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
- -
-Note: If you add a second IP address to your external firewall - interface to correspond to the modem address, -you must also make an entry in /etc/shorewall/rfc1918 -for that address. For example, if you configure the address - 192.168.100.2 on your firewall, then you would add two entries - to /etc/shorewall/rfc1918:
- -
---- -
-- -SUBNET -
-TARGET -
-- -192.168.100.1 -
-+ RETURN -
-- ++ + - - + + + +192.168.100.2 -
-+ RETURN -
--- -14a. Even though it assigns public IP - addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC -1918 filtering on my external interface, my DHCP client cannot renew its -lease.
+-+ +The solution is the same as FAQ 14 above. Simply substitute + +
++ +14a. Even though it assigns public +IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable +RFC 1918 filtering on my external interface, my DHCP client cannot renew +its lease.
++- -The solution is the same as FAQ 14 above. Simply substitute the IP address of your ISPs DHCP server.
-15. My local systems can't see out to +
15. My local systems can't see out to the net
- -Answer: Every time I read "systems can't see out to - the net", I wonder where the poster bought computers - with eyes and what those computers will "see" when - things are working properly. That aside, the most common + +
Answer: Every time I read "systems can't see out to + the net", I wonder where the poster bought computers + with eyes and what those computers will "see" when + things are working properly. That aside, the most common causes of this problem are:
- +-
- -- - -
The default gateway on each local system isn't set to +
- + +
-The default gateway on each local system isn't set to the IP address of the local firewall interface.
-- - -
+The entry for the local network in the /etc/shorewall/masq +
- + +
-The entry for the local network in the /etc/shorewall/masq file is wrong or missing.
-- - -
- + +The DNS settings on the local systems are wrong or the - user is running a DNS server on the firewall - and hasn't enabled UDP and TCP port 53 from the -firewall to the internet.
-- + +
+The DNS settings on the local systems are wrong or the + user is running a DNS server on the firewall + and hasn't enabled UDP and TCP port 53 from the + firewall to the internet.
+16. Shorewall is writing log messages + +
16. Shorewall is writing log messages all over my console making it unusable!
- -Answer: "man dmesg" -- add a suitable 'dmesg' command - to your startup scripts or place it in /etc/shorewall/start. - Under RedHat, the max log level that is sent -to the console is specified in /etc/sysconfig/init in + +
Answer: If you are running Shorewall version 1.4.4 +or 1.4.4a then check the errata. Otherwise, see +the 'dmesg' man page ("man dmesg"). You must add a suitable 'dmesg' command + to your startup scripts or place it in /etc/shorewall/start. + Under RedHat, the max log level that is sent +to the console is specified in /etc/sysconfig/init in the LOGLEVEL variable.
- -
-17. How do I find out why this traffic is getting + + +
17. How do I find out why this traffic is getting logged?
- Answer: Logging - occurs out of a number of chains (as indicated in the - log message) in Shorewall:
- + Answer: Logging + occurs out of a number of chains (as indicated in + the log message) in Shorewall:
+-
- -- man1918 - The - destination address is listed in /etc/shorewall/rfc1918 +
- man1918 - + The destination address is listed in /etc/shorewall/rfc1918 with a logdrop target -- see /etc/shorewall/rfc1918.
-- rfc1918 -- The source address is listed in /etc/shorewall/rfc1918 - with a logdrop target -- see rfc1918 + - The source address is listed in /etc/shorewall/rfc1918 + with a logdrop target -- see /etc/shorewall/rfc1918.
-- all2<zone>, - <zone>2all or all2all - - You have a policy -that specifies a log level and this packet is being -logged under that policy. If you intend to ACCEPT this -traffic then you need a rule to -that effect.
-
-- <zone1>2<zone2> +
- all2<zone>, + <zone>2all or all2all + - You have a policy that + specifies a log level and this packet is being logged +under that policy. If you intend to ACCEPT this traffic +then you need a rule to that effect.
+
+- <zone1>2<zone2> - Either you have a policy for <zone1> - to <zone2> that specifies a log level and - this packet is being logged under that policy or this packet - matches a rule that -includes a log level.
-- <interface>_mac - - The packet is being logged under the maclist + href="Documentation.htm#Policy"> policy for <zone1> + to <zone2> that specifies a log level and + this packet is being logged under that policy or this packet + matches a rule that includes + a log level.
+- <interface>_mac + - The packet is being logged under the maclist interface option.
-
-- logpkt -- The packet is being logged under the logunclean +
+- logpkt +- The packet is being logged under the logunclean interface option.
-- badpkt - - The packet is being logged under the dropunclean - interface option +
- badpkt - + The packet is being logged under the dropunclean + interface option as specified in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
-- blacklst - - The packet is being logged because the source IP - is blacklisted in the /etc/shorewall/blacklist +
+- blacklst + - The packet is being logged because the source IP + is blacklisted in the /etc/shorewall/blacklist file.
-- newnotsyn - - The packet is being logged because it is a TCP packet - that is not part of any current connection yet it is not a -syn packet. Options affecting the logging of such packets include - NEWNOTSYN and LOGNEWNOTSYN in - /etc/shorewall/shorewall.conf.
-- INPUT or - FORWARD - The packet has a source IP address - that isn't in any of your defined zones ("shorewall check" - and look at the printed zone definitions) or the chain is FORWARD - and the destination IP isn't in any of your defined zones.
-- logflags - The packet - is being logged because it failed the checks implemented - by the tcpflags newnotsyn + - The packet is being logged because it is a + TCP packet that is not part of any current connection yet + it is not a syn packet. Options affecting the logging of such + packets include NEWNOTSYN and LOGNEWNOTSYN + in /etc/shorewall/shorewall.conf.
+- INPUT or + FORWARD - The packet has a source IP address + that isn't in any of your defined zones ("shorewall check" + and look at the printed zone definitions) or the chain is +FORWARD and the destination IP isn't in any of your defined + zones.
+- logflags - The packet + is being logged because it failed the checks implemented + by the tcpflags interface option.
- +
-18. Is there any way to use aliased ip addresses - with Shorewall, and maintain separate rulesets for + +
18. Is there any way to use aliased ip addresses + with Shorewall, and maintain separate rulesets for different IPs?
- Answer: Yes. See -Shorewall and Aliased Interfaces. - -19. I have added entries to /etc/shorewall/tcrules + Answer: Yes. See +Shorewall and Aliased Interfaces. + +
19. I have added entries to /etc/shorewall/tcrules but they don't seem to do anything. Why?
- You probably haven't set TC_ENABLED=Yes - in /etc/shorewall/shorewall.conf so the contents of + You probably haven't set TC_ENABLED=Yes + in /etc/shorewall/shorewall.conf so the contents of the tcrules file are simply being ignored.
- -20. I have just set up a server. Do I have - to change Shorewall to allow access to my server from + +
+ +20. I have just set up a server. Do I have + to change Shorewall to allow access to my server from the internet?
- Yes. Consult the QuickStart guide that -you used during your initial setup for information about how to set - up rules for your server.
-
- -21. I see these strange log entries occasionally; +
+ Yes. Consult the QuickStart guide that you +used during your initial setup for information about how to set up +rules for your server.
+ +21. I see these strange log entries occasionally; what are they?
- -
-+- 192.0.2.3 is external on my firewall... + + 192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal LANNov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00-
SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3
[SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
-
- Answer: While most people - associate the Internet Control Message Protocol (ICMP) - with 'ping', ICMP is a key piece of the internet. ICMP is - used to report problems back to the sender of a packet; this -is what is happening here. Unfortunately, where NAT is involved -(including SNAT, DNAT and Masquerade), there are a lot of broken -implementations. That is what you are seeing with these messages.
-
- Here is my interpretation of what - is happening -- to confirm this analysis, one would have +
+ Answer: While most people + associate the Internet Control Message Protocol (ICMP) + with 'ping', ICMP is a key piece of the internet. ICMP is + used to report problems back to the sender of a packet; this is + what is happening here. Unfortunately, where NAT is involved (including + SNAT, DNAT and Masquerade), there are a lot of broken implementations. + That is what you are seeing with these messages.
+
+ Here is my interpretation of what + is happening -- to confirm this analysis, one would have to have packet sniffers placed a both ends of the connection.
-
- Host 172.16.1.10 behind NAT gateway - 206.124.146.179 sent a UDP DNS query to 192.0.2.3 and -your DNS server tried to send a response (the response information - is in the brackets -- note source port 53 which marks this as -a DNS reply). When the response was returned to to 206.124.146.179, - it rewrote the destination IP TO 172.16.1.10 and forwarded the -packet to 172.16.1.10 who no longer had a connection on UDP port -2857. This causes a port unreachable (type 3, code 3) to be generated -back to 192.0.2.3. As this packet is sent back through 206.124.146.179, - that box correctly changes the source address in the packet to 206.124.146.179 - but doesn't reset the DST IP in the original DNS response similarly. - When the ICMP reaches your firewall (192.0.2.3), your firewall has - no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't - appear to be related to anything that was sent. The final result - is that the packet gets logged and dropped in the all2all chain. I -have also seen cases where the source IP in the ICMP itself isn't set -back to the external IP of the remote NAT gateway; that causes your -firewall to log and drop the packet out of the rfc1918 chain because -the source IP is reserved by RFC 1918.
- -22. I have some iptables commands that - I want to run when Shorewall starts. Which file do +
+ Host 172.16.1.10 behind NAT gateway + 206.124.146.179 sent a UDP DNS query to 192.0.2.3 and +your DNS server tried to send a response (the response information + is in the brackets -- note source port 53 which marks this as a + DNS reply). When the response was returned to to 206.124.146.179, + it rewrote the destination IP TO 172.16.1.10 and forwarded the packet + to 172.16.1.10 who no longer had a connection on UDP port 2857. +This causes a port unreachable (type 3, code 3) to be generated back +to 192.0.2.3. As this packet is sent back through 206.124.146.179, + that box correctly changes the source address in the packet to 206.124.146.179 + but doesn't reset the DST IP in the original DNS response similarly. + When the ICMP reaches your firewall (192.0.2.3), your firewall has + no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't + appear to be related to anything that was sent. The final result + is that the packet gets logged and dropped in the all2all chain. I have + also seen cases where the source IP in the ICMP itself isn't set back + to the external IP of the remote NAT gateway; that causes your firewall + to log and drop the packet out of the rfc1918 chain because the source + IP is reserved by RFC 1918.
+ +22. I have some iptables commands that + I want to run when Shorewall starts. Which file do I put them in?
- You can place these commands in -one of the Shorewall Extension -Scripts. Be sure that you look at the contents of the chain(s) that -you will be modifying with your commands to be sure that the -commands will do what they are intended. Many iptables commands -published in HOWTOs and other instructional material use the -A command -which adds the rules to the end of the chain. Most chains that Shorewall -constructs end with an unconditional DROP, ACCEPT or REJECT rule and -any rules that you add after that will be ignored. Check "man iptables" - and look at the -I (--insert) command.
- -23. Why do you use such ugly fonts on your + You can place these commands in + one of the Shorewall Extension + Scripts. Be sure that you look at the contents of the chain(s) that + you will be modifying with your commands to be sure that the + commands will do what they are intended. Many iptables commands + published in HOWTOs and other instructional material use the -A +command which adds the rules to the end of the chain. Most chains + that Shorewall constructs end with an unconditional DROP, ACCEPT or +REJECT rule and any rules that you add after that will be ignored. + Check "man iptables" and look at the -I (--insert) command.
+ +23. Why do you use such ugly fonts on your web site?
- The Shorewall web site is almost font neutral - (it doesn't explicitly specify fonts except on a few pages) so - the fonts you see are largely the default fonts configured in your - browser. If you don't like them then reconfigure your browser.
- -24. How can I allow conections to let's say - the ssh port only from specific IP Addresses on the -internet?
- In the SOURCE column of the rule, follow "net" - by a colon and a list of the host/subnet addresses as a comma-separated + The Shorewall web site is almost font neutral + (it doesn't explicitly specify fonts except on a few pages) +so the fonts you see are largely the default fonts configured in +your browser. If you don't like them then reconfigure your browser.
+ +24. How can I allow conections to let's say + the ssh port only from specific IP Addresses on the internet?
+ In the SOURCE column of the rule, follow "net" + by a colon and a list of the host/subnet addresses as a comma-separated list.
- +net:<ip1>,<ip2>,...- Example:
- + Example:
+ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22- +- -25. How to I tell which version of Shorewall + +
+ At the shell prompt, type:25. How to I tell which version of Shorewall I am running?
- At the shell prompt, type:
-
-
- /sbin/shorewall version
-
- Last updated 4/14/2003 - Tom Eastep +
+
+ /sbin/shorewall version
+
+ Last updated 5/29/2003 - Tom EastepCopyright © 2001, 2002, 2003 Thomas M. Eastep.
-
-
-
-
-
+ diff --git a/Shorewall-docs/IPSEC.htm b/Shorewall-docs/IPSEC.htm index 842fe9168..7a0afd53a 100644 --- a/Shorewall-docs/IPSEC.htm +++ b/Shorewall-docs/IPSEC.htm @@ -1,421 +1,767 @@ - +Shorewall IPSec Tunneling - + - + - +- -
- +- ++ + - - + + + +- IPSEC Tunnels
-Configuring FreeS/Wan
- There is an excellent guide to configuring IPSEC tunnels at http://www.geocities.com/jixen66/ -. I highly recommend that you consult that site for information about confuring -FreeS/Wan. + . I highly recommend that you consult that site for information about configuring + FreeS/Wan.Warning: Do not use Proxy ARP and - FreeS/Wan on the same system unless you are prepared to suffer the consequences. - If you start or restart Shorewall with an IPSEC tunnel active, the proxied - IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) - rather than to the interface that you specify in the INTERFACE column of - /etc/shorewall/proxyarp. I haven't had the time to debug this problem so -I can't say if it is a bug in the Kernel or in FreeS/Wan.
- + FreeS/Wan on the same system unless you are prepared to suffer the consequences. + If you start or restart Shorewall with an IPSEC tunnel active, the proxied + IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) + rather than to the interface that you specify in the INTERFACE column +of /etc/shorewall/proxyarp. I haven't had the time to debug this problem +so I can't say if it is a bug in the Kernel or in FreeS/Wan. +You might be able to work around this problem using the following - (I haven't tried it):
- + (I haven't tried it): +In /etc/shorewall/init, include:
- +qt service ipsec stop
- +In /etc/shorewall/start, include:
- +qt service ipsec start
- +IPSec Gateway on the Firewall System
- +Suppose that we have the following sutuation:
- +- + +
-
We want systems in the 192.168.1.0/24 sub-network to be able - to communicate with systems in the 10.0.0.0/8 network.
- + to communicate with systems in the 10.0.0.0/8 network. +To make this work, we need to do two things:
- +a) Open the firewall so that the IPSEC tunnel can be established - (allow the ESP and AH protocols and UDP Port 500).
- + (allow the ESP and AH protocols and UDP Port 500). +b) Allow traffic through the tunnel.
- +Opening the firewall for the IPSEC tunnel is accomplished - by adding an entry to the /etc/shorewall/tunnels file.
- + by adding an entry to the /etc/shorewall/tunnels file. +In /etc/shorewall/tunnels on system A, we need the following
- -+ +- +- -- -
-- -TYPE -ZONE -GATEWAY -GATEWAY ZONE -- - - -ipsec -net -134.28.54.2 -- In /etc/shorewall/tunnels on system B, we would have:
- --- -- +
-- -TYPE -ZONE -GATEWAY -GATEWAY ZONE -- - - -ipsec -net -206.161.148.9 -- Note: If either of the endpoints is behind a NAT gateway - then the tunnels file entry on the other endpoint should specify - a tunnel type of ipsecnat rather than ipsec and the GATEWAY - address should specify the external address of the NAT gateway.
- -
-You need to define a zone for the remote subnet or include - it in your local zone. In this example, we'll assume that you have -created a zone called "vpn" to represent the remote subnet.
- --- -- -
- -ZONE -DISPLAY -COMMENTS -- - - +vpn -VPN -Remote Subnet -TYPE +ZONE +GATEWAY +GATEWAY ZONE + ++ + +ipsec +net +134.28.54.2 ++ At both systems, ipsec0 would be included in /etc/shorewall/interfaces - as a "vpn" interface:
- -+ ++In /etc/shorewall/tunnels on system B, we would have:
+ +- -- +
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - -vpn -ipsec0 -- - You will need to allow traffic between the "vpn" zone and - the "loc" zone -- if you simply want to admit all traffic in both - directions, you can use the policy file:
- --- + +- -
- -SOURCE -DEST -POLICY -LOG LEVEL -- -loc -vpn -ACCEPT -- - - - +vpn -loc -ACCEPT -- TYPE +ZONE +GATEWAY +GATEWAY ZONE + ++ + +ipsec +net +206.161.148.9 ++ Note: If either of the endpoints is behind a NAT gateway + then the tunnels file entry on the other endpoint should +specify a tunnel type of ipsecnat rather than ipsec and the +GATEWAY address should specify the external address of the NAT gateway.
+ +
+You need to define a zone for the remote subnet or include + it in your local zone. In this example, we'll assume that you have +created a zone called "vpn" to represent the remote subnet.
+ +++ ++ +
++ +ZONE +DISPLAY +COMMENTS ++ + + +vpn +VPN +Remote Subnet +At both systems, ipsec0 would be included in /etc/shorewall/interfaces + as a "vpn" interface:
+ +++ ++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + +vpn +ipsec0 ++ + You will need to allow traffic between the "vpn" zone and + the "loc" zone -- if you simply want to admit all traffic in both + directions, you can use the policy file:
+ ++++ +
++ +SOURCE +DEST +POLICY +LOG LEVEL ++ +loc +vpn +ACCEPT ++ + + + +vpn +loc +ACCEPT ++ Once you have these entries in place, restart Shorewall (type shorewall restart); you are now ready to configure the tunnel in FreeS/WAN .
- -Mobile System (Road - Warrior)
- + +VPN Hub
+ Shorewall can be used in a VPN Hub environment where multiple remote networks +are connected to a gateway running Shorewall. This environment is shown in +this diatram.
+ ++ ++
+We want systems in the 192.168.1.0/24 sub-network to be able + to communicate with systems in the 10.0.0.0/16 and 10.1.0.0/16 networks +and we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be able to communicate.
+ +To make this work, we need to do several things:
+ +a) Open the firewall so that two IPSEC tunnels can be established + (allow the ESP and AH protocols and UDP Port 500).
+ +b) Allow traffic through the tunnels two/from the local zone +(192.168.1.0/24).
+ +
+c) Deny traffic through the tunnels between the two remote +networks.
+ +
+Opening the firewall for the IPSEC tunnels is accomplished + by adding two entries to the /etc/shorewall/tunnels file.
+ +In /etc/shorewall/tunnels on system A, we need the following
+ +++ ++ +
++ +TYPE +ZONE +GATEWAY +GATEWAY ZONE ++ +ipsec +
+net +134.28.54.2 ++ + + + +ipsec +
+net +
+130.152.100.14 +
++
+In /etc/shorewall/tunnels on systems B and C, we would have:
+ +++ + + ++ +
++ +TYPE +ZONE +GATEWAY +GATEWAY ZONE ++ + + +ipsec +net +206.161.148.9 ++ Note: If either of the endpoints is behind a NAT gateway + then the tunnels file entry on the other endpoint should +specify a tunnel type of ipsecnat rather than ipsec
+ +
+ and the GATEWAY address should specify the external address of the +NAT gateway.
+On each system, we will create a zone to represent the remote +networks. On System A:
+ +
+++ ++ +
++ +ZONE +DISPLAY +COMMENTS ++ +vpn1 +VPN1 +Remote Subnet on system B ++ + + +vpn2 +
+VPN2 +
+Remote Subnet on system C +
+On systems B and C:
+ +
+++ ++ +
++ +ZONE +DISPLAY +COMMENTS ++ + + +vpn +VPN +Remote Subnet on system A +At system A, ipsec0 represents two zones so we have the following +in /etc/shorewall/interfaces:
+ +++ ++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + +- +
+ipsec0 ++ +
+The /etc/shorewall/hosts file on system A defines the two +VPN zones:
+ +
+++ ++ +
++ +ZONE +HOSTS +
+OPTIONS ++ +vpn1 +
+ipsec0:10.0.0.0/16 ++
++ + + +vpn2 +
+ipsec0:10.1.0.0/16 +
++
+At systems B and C, ipsec0 represents a single zone so we +have the following in /etc/shorewall/interfaces:
+ ++++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + +vpn +
+ipsec0 ++ +
+
+On systems A, you will need to allow traffic between the "vpn1" +zone and the "loc" zone as well as between "vpn2" and the "loc" zone +-- if you simply want to admit all traffic in both directions, you +can use the following policy file entries on all three gateways:
+ ++++ +
++ +SOURCE +DEST +POLICY +LOG LEVEL ++ +loc +vpn1 +ACCEPT ++ + +vpn1 +loc +ACCEPT ++ + +loc +
+vpn2 +
+ACCEPT +
++
++ + + +vpn2 +
+loc +
+ACCEPT +
++
+On systems B and C, you will need to allow traffic between +the "vpn" zone and the "loc" zone -- if you simply want to admit all +traffic in both directions, you can use the following policy file entries +on all three gateways:
+ +++ ++ +
++ +SOURCE +DEST +POLICY +LOG LEVEL ++ +loc +vpn +ACCEPT ++ + + + +vpn +loc +ACCEPT ++ Once you have the Shorewall entries added, restart Shorewall +on each gateway (type shorewall restart); you are now ready to configure +the tunnels in FreeS/WAN + .
+ Note that to allow traffic between the networks attached to systems B and +C, it is necessary to simply add two additional entries to the /etc/shorewall/policy +file on system A.
+++ ++ +
++ +SOURCE +DEST +POLICY +LOG LEVEL ++ +vpn1 +
+vpn2 +ACCEPT ++ + + + +vpn2 +vpn1 +
+ACCEPT ++
+Mobile System +(Road Warrior)
+Suppose that you have a laptop system (B) that you take with you when you travel and you want to be able to establish a secure connection back to your local network.
- +- + +
-
You need to define a zone for the laptop or include it in - your local zone. In this example, we'll assume that you have created - a zone called "vpn" to represent the remote host.
- -+ your local zone. In this example, we'll assume that you have created + a zone called "vpn" to represent the remote host. + ++ You can use the "shorewall check" command to see the groups + associated with each of your zones.+ +- -
+- -ZONE -DISPLAY -COMMENTS -- - - + +vpn -VPN -Remote Subnet -+ +ZONE +DISPLAY +COMMENTS ++ + + +vpn +VPN +Remote Subnet +In this instance, the mobile system (B) has IP address 134.28.54.2 + but that cannot be determined in advance. In the /etc/shorewall/tunnels +file on system A, the following entry should be made:
+ ++- -+ +
+ +TYPE +ZONE +GATEWAY +GATEWAY ZONE ++ + +ipsec +net +0.0.0.0/0 +vpn +In this instance, the mobile system (B) has IP address 134.28.54.2 - but that cannot be determined in advance. In the /etc/shorewall/tunnels -file on system A, the following entry should be made:
- --- +- -
-- -TYPE -ZONE -GATEWAY -GATEWAY ZONE -- - - -ipsec -net -0.0.0.0/0 -vpn -Note that the GATEWAY ZONE column contains the name of the zone corresponding - to peer subnetworks. This indicates that the gateway system itself comprises - the peer subnetwork; in other words, the remote gateway is a standalone + to peer subnetworks. This indicates that the gateway system itself comprises + the peer subnetwork; in other words, the remote gateway is a standalone system.
- +You will need to configure /etc/shorewall/interfaces and establish your "through the tunnel" policy as shown under the first example above.
- + +
-Dynamic RoadWarrior Zones
- Beginning with Shorewall release 1.3.10, you can define multiple VPN zones - and add and delete remote endpoints dynamically using /sbin/shorewall. In - /etc/shorewall/zones:
-
- --- In /etc/shorewall/tunnels:- -
+ Beginning with Shorewall release 1.3.10, you can define multiple VPN +zones and add and delete remote endpoints dynamically using /sbin/shorewall. +In /etc/shorewall/zones:- -ZONE -
-DISPLAY -
-COMMENTS -
-- -vpn1 -
-VPN-1 -
-First VPN Zone -
-- -vpn2 -
-VPN-2 -
-Second VPN Zone -
-- - - -vpn3 -
-VPN-3 -
-Third VPN Zone -
-
-
- -+ ++ New Features:++ In /etc/shorewall/tunnels:+ +
++ +ZONE +
+DISPLAY +
+COMMENTS +
++ +vpn1 +
+VPN-1 +
+First VPN Zone +
++ +vpn2 +
+VPN-2 +
+Second VPN Zone +
++ + + +vpn3 +
+VPN-3 +
+Third VPN Zone +
+
+
+ ++ When Shorewall is started, the zones vpn[1-3] will all be empty and +Shorewall will issue warnings to that effect. These warnings may be safely +ignored. FreeS/Wan may now be configured to have three different Road Warrior +connections with the choice of connection being based on X-509 certificates +or some other means. Each of these connectioins will utilize a different +updown script that adds the remote station to the appropriate zone when the +connection comes up and that deletes the remote station when the connection +comes down. For example, when 134.28.54.2 connects for the vpn2 zone the +'up' part of the script will issue the command":- -
+- -TYPE -
-ZONE -
-GATEWAY -
-GATEWAY ZONE -
-- - + +ipsec -
-net -
-0.0.0.0/0 -
-vpn1,vpn2,vpn3 -
-+ +TYPE +
+ZONE +
+GATEWAY +
+GATEWAY ZONE +
++ + + +ipsec +
+net +
+0.0.0.0/0 +
+vpn1,vpn2,vpn3 +
+
+
+
+ +/sbin/shorewall add ipsec0:134.28.54.2 vpn2+ and the 'down' part will:
+
+ +/sbin/shorewall delete ipsec0:134.28.54.2 vpn+ +
+
+Limitations of Dynamic Zones
+ If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added + hosts are not excluded from the rule.
+
+ Example with dyn=dynamic zone:
+
+ ++- When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall - will issue warnings to that effect. These warnings may be safely ignored. - FreeS/Wan may now be configured to have three different Road Warrior connections - with the choice of connection being based on X-509 certificates or some -other means. Each of these connectioins will utilize a different updown -script that adds the remote station to the appropriate zone when the connection -comes up and that deletes the remote station when the connection comes down. -For example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of -the script will issue the command":+ +
-+ +ACTION +
+SOURCE +
+DESTINATION +
+PROTOCOL +
+PORT(S) +
+CLIENT +
+ PORT(S)
+ORIGINAL +
+ DESTINATION
++ +DNAT +
+z:dyn +
+loc:192.168.1.3 +
+tcp +
+80 +
++
++
+
-
-
- -/sbin/shorewall add ipsec0:134.28.54.2 vpn2- and the 'down' part will:
-
- -/sbin/shorewall delete ipsec0:134.28.54.2 vpn-
-
-Limitations of Dynamic Zones
-If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added -hosts are not excluded from the rule.
-
-Example with dyn=dynamic zone:
-
---Dynamic changes to the zone dyn will have no effect on the above rule. - -- -
-- -ACTION -
-SOURCE -
-DESTINATION -
-PROTOCOL -
-PORT(S) -
-CLIENT -
-PORT(S)
-ORIGINAL -
-DESTINATION
-- - -DNAT -
-z:dyn -
-loc:192.168.1.3 -
-tcp -
-80 -
--
--
-Last updated 5/3//2003 - + Dynamic changes to the zone dyn will have no effect on the above +rule. +
Last updated 6/10//2003 - Tom Eastep
- +Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
-
-
+ size="2">2001, 2002, 2003 Thomas M. Eastep.
+
diff --git a/Shorewall-docs/MAC_Validation.html b/Shorewall-docs/MAC_Validation.html index 60db899b2..7c47fade6 100644 --- a/Shorewall-docs/MAC_Validation.html +++ b/Shorewall-docs/MAC_Validation.html @@ -2,110 +2,118 @@MAC Verification - + - + - +- -
-- +- + + - - + +- MAC Verification
-
-
-
+ + + +
- All traffic from an interface or from a subnet on an interface -can be verified to originate from a defined set of MAC addresses. Furthermore, -each MAC address may be optionally associated with one or more IP addresses. -
-
- Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC - - module name ipt_mac.o).
-
- There are four components to this facility.
- +
+ All traffic from an interface or from a subnet on an interface + can be verified to originate from a defined set of MAC addresses. Furthermore, + each MAC address may be optionally associated with one or more IP addresses. +
+
+ Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC + - module name ipt_mac.o).
+
+ There are four components to this facility.
+-
- The columns in /etc/shorewall/maclist are:- The maclist interface option in The maclist interface option in /etc/shorewall/interfaces. When this option is specified, all traffic arriving on the interface is subjet to MAC verification.
-- The maclist option in The maclist option in /etc/shorewall/hosts. When this option - is specified for a subnet, all traffic from that subnet is subject to MAC - verification.
-- The /etc/shorewall/maclist file. This file is used to associate - MAC addresses with interfaces and to optionally associate IP addresses -with MAC addresses.
-- The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables - in /etc/shorewall/shorewall.conf. - The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT + is specified for a subnet, all traffic from that subnet is subject to +MAC verification.
+- The /etc/shorewall/maclist file. This file is used to associate + MAC addresses with interfaces and to optionally associate IP addresses + with MAC addresses.
+- The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables + in /etc/shorewall/shorewall.conf. + The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines the disposition of connection requests that fail MAC verification. - The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection - requests that fail verification are to be logged. If set the the empty + The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection + requests that fail verification are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.
- + +
-
- + The columns in /etc/shorewall/maclist are:
+-
- +- INTERFACE - The name of an ethernet interface on the Shorewall - system.
-- MAC - The MAC address of a device on the ethernet segment connected - by INTERFACE. It is not necessary to use the Shorewall MAC format in -this column although you may use that format if you so choose.
-- IP Address - An optional comma-separated list of IP addresses - for the device whose MAC is listed in the MAC column.
- +- INTERFACE - The name of an ethernet interface on the Shorewall + system.
+- MAC - The MAC address of a device on the ethernet segment +connected by INTERFACE. It is not necessary to use the Shorewall MAC format +in this column although you may use that format if you so choose.
+- IP Address - An optional comma-separated list of IP addresses + for the device whose MAC is listed in the MAC column.
+Example 1: Here are my files:
- /etc/shorewall/shorewall.conf:
- + /etc/shorewall/shorewall.conf:
+MACLIST_DISPOSITION=REJECT- /etc/shorewall/interfaces:
MACLIST_LOG_LEVEL=info
- -#ZONE INTERFACE BROADCAST OPTIONS- /etc/shorewall/maclist:
net eth0 206.124.146.255 norfc1918,dhcp,blacklist
loc eth2 192.168.1.255 dhcp,maclist
dmz eth1 192.168.2.255
net eth3 206.124.146.255 blacklist
- texas 192.168.9.255
loc ppp+
- -#INTERFACE MAC IP ADDRESSES (Optional)- As shown above, I use MAC Verification on my local zone.
eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie
eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry
eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa
eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa
eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)
eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap
- + /etc/shorewall/interfaces:
+ +++ /etc/shorewall/maclist:#ZONE INTERFACE BROADCAST OPTIONS+
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp
dmz eth1 192.168.2.255
wap eth3 192.168.3.255 dhcp,maclist
- texas 192.168.9.255
+ +++ As shown above, I use MAC Verification on my wireless zone.#INTERFACE MAC IP ADDRESSES (Optional)+
eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop
eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11
eth3 00:06:25:56:33:3c #WET11
eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER
+
+Note: The WET11 is a somewhat curious device; when forwarding DHCP +traffic, it uses the MAC address of the host (TIPPER) but for other forwarded +traffic it uses it's own MAC address. Consequently, I don't assign the WET11 +a fixed IP address in /etc/shorewall/maclist.
+Example 2: Router in Local Zone
- Suppose now that I add a second ethernet segment to my local zone -and gateway that segment via a router with MAC address 00:06:43:45:C6:15 -and IP address 192.168.1.253. Hosts in the second segment have IP addresses - in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist - file:
- -eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24- This entry accomodates traffic from the router itself (192.168.1.253) - and from the second LAN segment (192.168.2.0/24). Remember that all traffic - being sent to my firewall from the 192.168.2.0/24 segment will be forwarded - by the router so that traffic's MAC address will be that of the router -(00:06:43:45:C6:15) and not that of the host sending the traffic. - -Updated 2/21/2002 - Tom Eastep -
- - - + Suppose now that I add a second wireless segment to my wireless +zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15 + and IP address 192.168.3.253. Hosts in the second segment have IP addresses + in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist + file:
+ +eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24+ This entry accomodates traffic from the router itself (192.168.3.253) + and from the second wireless segment (192.168.4.0/24). Remember that +all traffic being sent to my firewall from the 192.168.4.0/24 segment +will be forwarded by the router so that traffic's MAC address will be +that of the router (00:06:43:45:C6:15) and not that of the host sending +the traffic. +Updated 6/10/2002 - Tom Eastep +
+Copyright © - 2001, 2002, 2003 Thomas M. Eastep.
+ 2001, 2002, 2003 Thomas M. Eastep.
-
+ +
+
diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm index c5b0ac99b..2d1316734 100644 --- a/Shorewall-docs/News.htm +++ b/Shorewall-docs/News.htm @@ -4,7 +4,7 @@ - +Shorewall News @@ -14,254 +14,304 @@ - + - + - +- -
- -- + ++ + + + + + + + - + - +- + + -Shorewall News Archive
-5/27/2003 - Shorewall-1.4.4a
- The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed out - that the code in 1.4.4 restricts the length of short zone names to 4 characters. - I've produced version 1.4.4a that restores the previous 5-character limit - by conditionally omitting the log rule number when the LOGFORMAT doesn't -contain '%d'.
+ +6/17/2003 - Shorewall-1.4.5
+Problems Corrected:
+
++
+- The command "shorewall debug try <directory>" now correctly traces +the attempt.
+- The INCLUDE directive now works properly in the zones file; previously, +INCLUDE in that file was ignored.
+- /etc/shorewall/routestopped records with an empty second column are +no longer ignored.
+
+New Features:
+
++
+- The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now contain +a list of addresses. If the list begins with "!' then the rule will take +effect only if the original destination address in the connection request +does not match any of the addresses listed.
+6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8
+ +The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and +iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems +have been encountered with this set of software. The Shorewall version is +1.4.4b plus the accumulated changes for 1.4.5.
+ +
+6/8/2003 - Updated Samples
+Thanks to Francesca Smith, the samples have been updated to Shorewall +version 1.4.4.
+ +5/29/2003 - Shorewall-1.4.4b
+ +Groan -- This version corrects a problem whereby the --log-level was not + being set when logging via syslog. The most commonly reported symptom was + that Shorewall messages were being written to the console even though console + logging was correctly configured per FAQ 16.
+ +
+5/27/2003 - Shorewall-1.4.4a
+ The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed + out that the code in 1.4.4 restricts the length of short zone names to +4 characters. I've produced version 1.4.4a that restores the previous 5-character + limit by conditionally omitting the log rule number when the LOGFORMAT +doesn't contain '%d'.
+5/23/2003 - Shorewall-1.4.4
- I apologize for the rapid-fire releases but since there is a potential -configuration change required to go from 1.4.3a to 1.4.4, I decided to make -it a full release rather than just a bug-fix release.
-
- Problems corrected:
- + I apologize for the rapid-fire releases but since there is a potential + configuration change required to go from 1.4.3a to 1.4.4, I decided to +make it a full release rather than just a bug-fix release.
+
+ Problems corrected:
+None.- New Features:
-
- +
+-
- +- A REDIRECT- rule target has been added. This target behaves for -REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter nat -table REDIRECT rule is added but not the companion filter table ACCEPT rule.
-
-
-- The LOGMARKER variable has been renamed LOGFORMAT and has been changed - to a 'printf' formatting template which accepts three arguments (the chain - name, logging rule number and the disposition). To use LOGFORMAT with fireparse - (http://www.fireparse.com), set it - as:
-
-
- LOGFORMAT="fp=%s:%d a=%s "
-
- CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT - string (up to but not including the first '%') to find log messages in the - 'show log', 'status' and 'hits' commands. This part should not be omitted - (the LOGFORMAT should not begin with "%") and the leading part should be -sufficiently unique for /sbin/shorewall to identify Shorewall messages.
-
-- When logging is specified on a DNAT[-] or REDIRECT[-] rule, the -logging now takes place in the nat table rather than in the filter table. -This way, only those connections that actually undergo DNAT or redirection -will be logged.
- +
-- A REDIRECT- rule target has been added. This target behaves +for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter +nat table REDIRECT rule is added but not the companion filter table ACCEPT +rule.
+
+
+- The LOGMARKER variable has been renamed LOGFORMAT and has been + changed to a 'printf' formatting template which accepts three arguments + (the chain name, logging rule number and the disposition). To use LOGFORMAT + with fireparse (http://www.fireparse.com), + set it as:
+
+
+ LOGFORMAT="fp=%s:%d a=%s "
+
+ CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT + string (up to but not including the first '%') to find log messages in +the 'show log', 'status' and 'hits' commands. This part should not be omitted + (the LOGFORMAT should not begin with "%") and the leading part should be + sufficiently unique for /sbin/shorewall to identify Shorewall messages.
+
+- When logging is specified on a DNAT[-] or REDIRECT[-] rule, +the logging now takes place in the nat table rather than in the filter +table. This way, only those connections that actually undergo DNAT or +redirection will be logged.
+
+5/20/2003 - Shorewall-1.4.3a
- This version primarily corrects the documentation included in the .tgz - and in the .rpm. In addition:
-
- + + This version primarily corrects the documentation included in the + .tgz and in the .rpm. In addition:
+-
- -- (This change is in 1.4.3 but is not documented) If you are running - iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject replies - as follows:
-
- a) tcp - RST
- b) udp - ICMP port unreachable
- c) icmp - ICMP host unreachable
- d) Otherwise - ICMP host prohibited
- If you are running earlier software, Shorewall will follow it's traditional - convention:
- a) tcp - RST
- b) Otherwise - ICMP port unreachable- UDP port 135 is now silently dropped in the common.def chain. -Remember that this chain is traversed just before a DROP or REJECT policy -is enforced.
- -
-5/18/2003 - Shorewall 1.4.3
- Problems Corrected:
-
- --
- New Features:- There were several cases where Shorewall would fail to remove -a temporary directory from /tmp. These cases have been corrected.
-- The rules for allowing all traffic via the loopback interface -have been moved to before the rule that drops status=INVALID packets. This -insures that all loopback traffic is allowed even if Netfilter connection -tracking is confused.
- -
- --
- -- IPV6-IPV4 (6to4) tunnels are now supported in the /etc/shorewall/tunnels - file.
-- You may now change the leading portion of the --log-prefix - used by Shorewall using the LOGMARKER variable in shorewall.conf. By default, - "Shorewall:" is used.
- -
-5/10/2003 - Shorewall Mirror in Asia
- -
-Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
- -
-5/8/2003 - Shorewall Mirror in Chile
- Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago - Chile. -4/21/2003 - Samples updated for Shorewall version 1.4.2
+(This change is in 1.4.3 but is not documented) If you are +running iptables 1.2.7a and kernel 2.4.20, then Shorewall will return reject +replies as follows: +
+ a) tcp - RST
+ b) udp - ICMP port unreachable
+ c) icmp - ICMP host unreachable
+ d) Otherwise - ICMP host prohibited
+ If you are running earlier software, Shorewall will follow it's +traditional convention:
+ a) tcp - RST
+ b) Otherwise - ICMP port unreachableUDP port 135 is now silently dropped in the common.def chain. + Remember that this chain is traversed just before a DROP or REJECT policy + is enforced. + + +
+5/18/2003 - Shorewall 1.4.3
+ Problems Corrected:
+
+ ++
+ New Features:- There were several cases where Shorewall would fail to remove + a temporary directory from /tmp. These cases have been corrected.
+- The rules for allowing all traffic via the loopback interface + have been moved to before the rule that drops status=INVALID packets. +This insures that all loopback traffic is allowed even if Netfilter connection + tracking is confused.
+ +
+ ++
+ +- IPV6-IPV4 (6to4) tunnels are now supported in the /etc/shorewall/tunnels + file.
+- You may now change the leading portion of the --log-prefix + used by Shorewall using the LOGMARKER variable in shorewall.conf. By default, + "Shorewall:" is used.
+ +
+5/10/2003 - Shorewall Mirror in Asia
+ +
+Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
+ +
+5/8/2003 - Shorewall Mirror in Chile
+ Thanks to Darcy Ganga, there is now an HTTP mirror in +Santiago Chile. +4/21/2003 - Samples updated for Shorewall version 1.4.2
+Thanks to Francesca Smith, the sample configurations are now upgraded to Shorewall version 1.4.2.
- +4/9/2003 - Shorewall 1.4.2
- + +
-Problems Corrected:
- -+ ++- +-
-- TCP connection requests rejected out of the common - chain are now properly rejected with TCP RST; previously, some of these - requests were rejected with an ICMP port-unreachable response.
-- 'traceroute -I' from behind the firewall previously timed - out on the first hop (e.g., to the firewall). This has been worked around.
- +- TCP connection requests rejected out of the common + chain are now properly rejected with TCP RST; previously, some of +these requests were rejected with an ICMP port-unreachable response.
+- 'traceroute -I' from behind the firewall previously + timed out on the first hop (e.g., to the firewall). This has been +worked around.
+New Features:
- +-
- +- Where an entry in the/etc/shorewall/hosts file specifies -a particular host or network, Shorewall now creates an intermediate chain - for handling input from the related zone. This can substantially reduce - the number of rules traversed by connections requests from such zones.
-
-
-- Any file may include an INCLUDE directive. An INCLUDE directive - consists of the word INCLUDE followed by a file name and causes the -contents of the named file to be logically included into the file containing -the INCLUDE. File names given in an INCLUDE directive are assumed to -reside in /etc/shorewall or in an alternate configuration directory -if one has been specified for the command.
-
- Examples:
- shorewall/params.mgmt:
- MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
- TIME_SERVERS=4.4.4.4
- BACKUP_SERVERS=5.5.5.5
- ----- end params.mgmt -----
-
-
- shorewall/params:
- # Shorewall 1.3 /etc/shorewall/params
- [..]
- #######################################
-
- INCLUDE params.mgmt
-
- # params unique to this host here
- #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- ----- end params -----
-
-
- shorewall/rules.mgmt:
- ACCEPT net:$MGMT_SERVERS $FW tcp 22
- ACCEPT $FW net:$TIME_SERVERS udp 123
- ACCEPT $FW net:$BACKUP_SERVERS tcp 22
- ----- end rules.mgmt -----
-
- shorewall/rules:
- # Shorewall version 1.3 - Rules File
- [..]
- #######################################
-
- INCLUDE rules.mgmt
-
- # rules unique to this host here
- #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT +- Where an entry in the/etc/shorewall/hosts file specifies + a particular host or network, Shorewall now creates an intermediate + chain for handling input from the related zone. This can substantially + reduce the number of rules traversed by connections requests from such + zones.
+
+
+- Any file may include an INCLUDE directive. An INCLUDE + directive consists of the word INCLUDE followed by a file name and +causes the contents of the named file to be logically included into +the file containing the INCLUDE. File names given in an INCLUDE directive +are assumed to reside in /etc/shorewall or in an alternate configuration + directory if one has been specified for the command.
-
+
+ Examples:
+ shorewall/params.mgmt:
+ MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
+ TIME_SERVERS=4.4.4.4
+ BACKUP_SERVERS=5.5.5.5
+ ----- end params.mgmt -----
+
+
+ shorewall/params:
+ # Shorewall 1.3 /etc/shorewall/params
+ [..]
+ #######################################
+
+ INCLUDE params.mgmt
+
+ # params unique to this host here
+ #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- ----- end rules -----
-
- INCLUDE's may be nested to a level of 3 -- further nested INCLUDE - directives are ignored with a warning message.
-
-- Routing traffic from an interface back out that interface - continues to be a problem. While I firmly believe that this should -never happen, people continue to want to do it. To limit the damage + ----- end params -----
+
+
+
+ shorewall/rules.mgmt:
+ ACCEPT net:$MGMT_SERVERS $FW tcp 22
+ ACCEPT $FW net:$TIME_SERVERS udp 123
+ ACCEPT $FW net:$BACKUP_SERVERS tcp 22
+ ----- end rules.mgmt -----
+
+ shorewall/rules:
+ # Shorewall version 1.3 - Rules File
+ [..]
+ #######################################
+
+ INCLUDE rules.mgmt
+
+ # rules unique to this host here
+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO +NOT REMOVE
+ ----- end rules -----
+
+ INCLUDE's may be nested to a level of 3 -- further nested + INCLUDE directives are ignored with a warning message.
+
+- Routing traffic from an interface back out that interface + continues to be a problem. While I firmly believe that this should + never happen, people continue to want to do it. To limit the damage that such nonsense produces, I have added a new 'routeback' option in /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in /etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in other words, 'routeback' can't -be used as an option for a multi-zone interface. The 'routeback' option -CAN be specified however on individual group entries in /etc/shorewall/hosts.
- + be used as an option for a multi-zone interface. The 'routeback' option + CAN be specified however on individual group entries in /etc/shorewall/hosts.
-
- The 'routeback' option is similar to the old 'multi' option -with two exceptions:
-
- a) The option pertains to a particular zone,interface,address - tuple.
-
- b) The option only created infrastructure to pass traffic -from (zone,interface,address) tuples back to themselves (the 'multi' -option affected all (zone,interface,address) tuples associated with the -given 'interface').
-
- See the 'Upgrade Issues' for - information about how this new option may affect your configuration.
-
+
+ The 'routeback' option is similar to the old 'multi' option + with two exceptions:
+
+ a) The option pertains to a particular zone,interface,address + tuple.
+
+ b) The option only created infrastructure to pass traffic + from (zone,interface,address) tuples back to themselves (the 'multi' + option affected all (zone,interface,address) tuples associated with + the given 'interface').
+
+ See the 'Upgrade Issues' + for information about how this new option may affect your configuration.
+ +3/24/2003 - Shorewall 1.4.1
- + @@ -280,955 +330,893 @@ given 'interface').
- +This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0 and removes additional warts.
- +
-
- Problems Corrected:
-
+ Problems Corrected:
+ +-
- New Features:- When Shorewall 1.4.0 is run under the ash shell (such as - on Bering/LEAF), it can attempt to add ECN disabling rules even if -the /etc/shorewall/ecn file is empty. That problem has been corrected -so that ECN disabling rules are only added if there are entries in /etc/shorewall/ecn.
- +- When Shorewall 1.4.0 is run under the ash shell (such + as on Bering/LEAF), it can attempt to add ECN disabling rules even +if the /etc/shorewall/ecn file is empty. That problem has been corrected + so that ECN disabling rules are only added if there are entries in +/etc/shorewall/ecn.
+
- + New Features:
+Note: In the list that follows, the term group refers to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a host address) accessed through a particular interface. Examples:- + eth2:192.168.1.0/24
- +eth0:0.0.0.0/0- You can use the "shorewall check" command to see the groups -associated with each of your zones.
- eth2:192.168.1.0/24
- eth3:192.0.2.123
-
-
+ eth3:192.0.2.123
+
+-
- +- Beginning with Shorewall 1.4.1, if a zone Z comprises more - than one group then if there is no explicit Z to Z policy and -there are no rules governing traffic from Z to Z then Shorewall will permit - all traffic between the groups in the zone.
-- Beginning with Shorewall 1.4.1, Shorewall will never create - rules to handle traffic from a group to itself.
-- A NONE policy is introduced in 1.4.1. When a policy of -NONE is specified from Z1 to Z2:
- +- Beginning with Shorewall 1.4.1, if a zone Z comprises + more than one group then if there is no explicit Z to Z policy + and there are no rules governing traffic from Z to Z then Shorewall will + permit all traffic between the groups in the zone.
+- Beginning with Shorewall 1.4.1, Shorewall will never + create rules to handle traffic from a group to itself.
+- A NONE policy is introduced in 1.4.1. When a policy +of NONE is specified from Z1 to Z2:
+-
- See the upgrade issues for -a discussion of how these changes may affect your configuration. - + See the upgrade issues +for a discussion of how these changes may affect your configuration. +- There may be no rules created that govern connections from - Z1 to Z2.
-- Shorewall will not create any infrastructure to handle -traffic from Z1 to Z2.
- +- There may be no rules created that govern connections + from Z1 to Z2.
+- Shorewall will not create any infrastructure to handle + traffic from Z1 to Z2.
+3/17/2003 - Shorewall 1.4.0
- Shorewall 1.4 - represents the next step in the evolution of Shorewall. The main -thrust of the initial release is simply to remove the cruft that has -accumulated in Shorewall over time.
-
- IMPORTANT: Shorewall 1.4.0 requires the iproute - package ('ip' utility).
-
- Function from 1.3 that has been omitted from this version - include:
- + Shorewall + 1.4 represents the next step in the evolution of Shorewall. The + main thrust of the initial release is simply to remove the cruft that + has accumulated in Shorewall over time.
+
+ IMPORTANT: Shorewall 1.4.0 requires the iproute + package ('ip' utility).
+
+ Function from 1.3 that has been omitted from this + version include:
+-
- Changes for 1.4 include:- The MERGE_HOSTS variable in shorewall.conf -is no longer supported. Shorewall 1.4 behavior is the same as 1.3 -with MERGE_HOSTS=Yes.
-
-
-- Interface names of the form <device>:<integer> - in /etc/shorewall/interfaces now generate an error.
-
-
-- Shorewall 1.4 implements behavior consistent with - OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error - at startup as will specification of the 'noping' or 'filterping' - interface options.
-
-
-- The 'routestopped' option in the /etc/shorewall/interfaces - and /etc/shorewall/hosts files is no longer supported and will generate - an error at startup if specified.
-
-
-- The Shorewall 1.2 syntax for DNAT and REDIRECT -rules is no longer accepted.
-
-
-- The ALLOWRELATED variable in shorewall.conf is -no longer supported. Shorewall 1.4 behavior is the same as 1.3 with - ALLOWRELATED=Yes.
-
-
-- The icmp.def file has been removed.
- +
-- The MERGE_HOSTS variable in shorewall.conf + is no longer supported. Shorewall 1.4 behavior is the same as 1.3 + with MERGE_HOSTS=Yes.
+
+
+- Interface names of the form <device>:<integer> + in /etc/shorewall/interfaces now generate an error.
+
+
+- Shorewall 1.4 implements behavior consistent + with OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate + an error at startup as will specification of the 'noping' or 'filterping' + interface options.
+
+
+- The 'routestopped' option in the /etc/shorewall/interfaces + and /etc/shorewall/hosts files is no longer supported and will + generate an error at startup if specified.
+
+
+- The Shorewall 1.2 syntax for DNAT and REDIRECT + rules is no longer accepted.
+
+
+- The ALLOWRELATED variable in shorewall.conf + is no longer supported. Shorewall 1.4 behavior is the same as +1.3 with ALLOWRELATED=Yes.
+
+
+- The icmp.def file has been removed.
+
+
- + Changes for 1.4 include:
+-
- +- The /etc/shorewall/shorewall.conf file has been - completely reorganized into logical sections.
-
-
-- LOG is now a valid action for a rule (/etc/shorewall/rules).
-
-
-- The firewall script and version file are now installed - in /usr/share/shorewall.
-
-
-- Late arriving DNS replies are now silently dropped - in the common chain by default.
-
-
-- In addition to behaving like OLD_PING_HANDLING=No, - Shorewall 1.4 no longer unconditionally accepts outbound ICMP packets. - So if you want to 'ping' from the firewall, you will need the appropriate - rule or policy.
-
-
-- CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
-
-
-- 802.11b devices with names of the form wlan<n> -now support the 'maclist' option.
-
-
-- Explicit Congestion Notification (ECN - RFC 3168) may - now be turned off on a host or network basis using the new /etc/shorewall/ecn - file. To use this facility:
-
-
- a) You must be running kernel 2.4.20
- b) You must have applied the patch in
- http://www.shorewall/net/pub/shorewall/ecn/patch.
- c) You must have iptables 1.2.7a installed.
-
-- The /etc/shorewall/params file is now processed first - so that variables may be used in the /etc/shorewall/shorewall.conf -file.
-
-
-- Shorewall now gives a more helpful diagnostic - when the 'ipchains' compatibility kernel module is loaded and a 'shorewall - start' command is issued.
-
-
-- The SHARED_DIR variable has been removed from shorewall.conf. - This variable was for use by package maintainers and was not documented - for general use.
-
-
-- Shorewall now ignores 'default' routes when detecting -masq'd networks.
- +- The /etc/shorewall/shorewall.conf file has +been completely reorganized into logical sections.
+
+
+- LOG is now a valid action for a rule (/etc/shorewall/rules).
+
+
+- The firewall script and version file are now + installed in /usr/share/shorewall.
+
+
+- Late arriving DNS replies are now silently +dropped in the common chain by default.
+
+
+- In addition to behaving like OLD_PING_HANDLING=No, + Shorewall 1.4 no longer unconditionally accepts outbound ICMP +packets. So if you want to 'ping' from the firewall, you will need +the appropriate rule or policy.
+
+
+- CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
+
+
+- 802.11b devices with names of the form wlan<n> + now support the 'maclist' option.
+
+
+- Explicit Congestion Notification (ECN - RFC 3168) + may now be turned off on a host or network basis using the new /etc/shorewall/ecn + file. To use this facility:
+
+
+ a) You must be running kernel 2.4.20
+ b) You must have applied the patch in
+ http://www.shorewall/net/pub/shorewall/ecn/patch.
+ c) You must have iptables 1.2.7a installed.
+
+- The /etc/shorewall/params file is now processed +first so that variables may be used in the /etc/shorewall/shorewall.conf + file.
+
+
+- Shorewall now gives a more helpful diagnostic + when the 'ipchains' compatibility kernel module is loaded and a +'shorewall start' command is issued.
+
+
+- The SHARED_DIR variable has been removed from shorewall.conf. + This variable was for use by package maintainers and was not documented + for general use.
+
+
+- Shorewall now ignores 'default' routes when detecting + masq'd networks.
+3/10/2003 - Shoreall 1.3.14a
- +A roleup of the following bug fixes and other updates:
- --
- There is an updated rfc1918 file that reflects the resent - allocation of 222.0.0.0/8 and 223.0.0.0/8.
- --
- + +- The documentation for the routestopped file claimed that - a comma-separated list could appear in the second column while the - code only supported a single host or network address.
-- Log messages produced by 'logunclean' and 'dropunclean' - were not rate-limited.
-- 802.11b devices with names of the form wlan<n> - don't support the 'maclist' interface option.
-- Log messages generated by RFC 1918 filtering are not rate - limited.
-- The firewall fails to start in the case where you have -"eth0 eth1" in /etc/shorewall/masq and the default route is through eth1
- +- There is an updated rfc1918 file that reflects the +resent allocation of 222.0.0.0/8 and 223.0.0.0/8.
++
+- The documentation for the routestopped file claimed + that a comma-separated list could appear in the second column +while the code only supported a single host or network address.
+- Log messages produced by 'logunclean' and 'dropunclean' + were not rate-limited.
+- 802.11b devices with names of the form wlan<n> + don't support the 'maclist' interface option.
+- Log messages generated by RFC 1918 filtering are not + rate limited.
+- The firewall fails to start in the case where you +have "eth0 eth1" in /etc/shorewall/masq and the default route is through + eth1
+ +2/8/2003 - Shoreawall 1.3.14
- +New features include
- --
- -- An OLD_PING_HANDLING option has been added -to shorewall.conf. When set to Yes, Shorewall ping handling is -as it has always been (see http://www.shorewall.net/ping.html).
-
-
- When OLD_PING_HANDLING=No, icmp echo (ping) -is handled via rules and policies just like any other connection - request. The FORWARDPING=Yes option in shorewall.conf and the - 'noping' and 'filterping' options in /etc/shorewall/interfaces -will all generate an error.
-
-- It is now possible to direct Shorewall to -create a "label" such as "eth0:0" for IP addresses that it -creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This -is done by specifying the label instead of just the interface name:
-
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-- Support for OpenVPN Tunnels.
-
-
-- Support for VLAN devices with names of the -form $DEV.$VID (e.g., eth0.0)
-
-
-- In /etc/shorewall/tcrules, the MARK value may - be optionally followed by ":" and either 'F' or 'P' to designate - that the marking will occur in the FORWARD or PREROUTING chains respectively. - If this additional specification is omitted, the chain used to mark - packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN - option in shorewall.conf.
-
-
-- When an interface name is entered in the SUBNET - column of the /etc/shorewall/masq file, Shorewall previously - masqueraded traffic from only the first subnet defined on that - interface. It did not masquerade traffic from:
- -
-
- a) The subnets associated with other addresses - on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter - an interface name in the SUBNET column, shorewall will use the - firewall's routing table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
- - - -[root@gateway test]# cat /etc/shorewall/masq- - - -
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2- - - -
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254[root@gateway test]# shorewall start-
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
- When upgrading to Shorewall 1.3.14, if you -have multiple local subnets connected to an interface that -is specified in the SUBNET column of an /etc/shorewall/masq entry, -your /etc/shorewall/masq file will need changing. In most cases, -you will simply be able to remove redundant entries. In some cases -though, you might want to change from using the interface name to listing -specific subnetworks if the change described above will cause masquerading - to occur on subnetworks that you don't wish to masquerade.
-
- Example 2 -- Suppose that your current config - is as follows:
-
- - - -[root@gateway test]# cat /etc/shorewall/masq- - - -
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2-
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
- In this case, the second entry in /etc/shorewall/masq - is no longer required.
-
- Example 3 -- What if your current configuration - is like this?
-
- - - -[root@gateway test]# cat /etc/shorewall/masq- - - -
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2-
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
- In this case, you would want to change the - entry in /etc/shorewall/masq to:
- - - -#INTERFACE SUBNET ADDRESS-
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE- -
- 2/5/2003 - Shorewall Support included in Webmin - 1.060Webmin version 1.060 now has Shorewall support included as standard. See - http://www.webmin.com.
- -
-
- 2/4/2003 - Shorewall 1.3.14-RC1Includes the Beta 2 content plus support for OpenVPN tunnels.
- -1/28/2003 - Shorewall 1.3.14-Beta2
-Includes the Beta 1 content plus restores VLAN device names of the form - $dev.$vid (e.g., eth0.1)
- -1/25/2003 - Shorewall 1.3.14-Beta1
- -
-The Beta includes the following changes:
-
--
+ +- An OLD_PING_HANDLING option has been -added to shorewall.conf. When set to Yes, Shorewall ping handling -is as it has always been (see http://www.shorewall.net/ping.html).
-
-
- When OLD_PING_HANDLING=No, icmp echo (ping) -is handled via rules and policies just like any other connection - request. The FORWARDPING=Yes option in shorewall.conf and the - 'noping' and 'filterping' options in /etc/shorewall/interfaces -will all generate an error.
-
-- It is now possible to direct Shorewall - to create a "label" such as "eth0:0" for IP addresses that -it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. - This is done by specifying the label instead of just the interface +
- An OLD_PING_HANDLING option has been added + to shorewall.conf. When set to Yes, Shorewall ping handling + is as it has always been (see http://www.shorewall.net/ping.html).
+
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) + is handled via rules and policies just like any other connection + request. The FORWARDPING=Yes option in shorewall.conf and +the 'noping' and 'filterping' options in /etc/shorewall/interfaces + will all generate an error.
+
+- It is now possible to direct Shorewall +to create a "label" such as "eth0:0" for IP addresses that +it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. +This is done by specifying the label instead of just the interface name:
-
-
- a) In the INTERFACE column of /etc/shorewall/masq
- b) In the INTERFACE column of /etc/shorewall/nat
-- When an interface name is entered in -the SUBNET column of the /etc/shorewall/masq file, Shorewall -previously masqueraded traffic from only the first subnet defined -on that interface. It did not masquerade traffic from:
+
-
- a) The subnets associated with other addresses - on the interface.
- b) Subnets accessed through local routers.
-
- Beginning with Shorewall 1.3.14, if you enter - an interface name in the SUBNET column, shorewall will use the - firewall's routing table to construct the masquerading/SNAT rules.
-
- Example 1 -- This is how it works in 1.3.14.
-
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+- Support for OpenVPN Tunnels.
+
+
+- Support for VLAN devices with names of +the form $DEV.$VID (e.g., eth0.0)
+
+
+- In /etc/shorewall/tcrules, the MARK value + may be optionally followed by ":" and either 'F' or 'P' to designate + that the marking will occur in the FORWARD or PREROUTING chains +respectively. If this additional specification is omitted, the chain +used to mark packets will be determined by the setting of the MARK_IN_FORWARD_CHAIN + option in shorewall.conf.
+
+
+- When an interface name is entered in the + SUBNET column of the /etc/shorewall/masq file, Shorewall previously + masqueraded traffic from only the first subnet defined on that + interface. It did not masquerade traffic from:
- + +
+
+ a) The subnets associated with other +addresses on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you +enter an interface name in the SUBNET column, shorewall will +use the firewall's routing table to construct the masquerading/SNAT +rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
- +[root@gateway test]# cat /etc/shorewall/masq- +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2- +
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254[root@gateway test]# shorewall start-
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
- When upgrading to Shorewall 1.3.14, if you -have multiple local subnets connected to an interface that -is specified in the SUBNET column of an /etc/shorewall/masq entry, -your /etc/shorewall/masq file will need changing. In most cases, -you will simply be able to remove redundant entries. In some cases -though, you might want to change from using the interface name to listing -specific subnetworks if the change described above will cause masquerading - to occur on subnetworks that you don't wish to masquerade.
-
- Example 2 -- Suppose that your current config - is as follows:
-
+
+ When upgrading to Shorewall 1.3.14, if +you have multiple local subnets connected to an interface +that is specified in the SUBNET column of an /etc/shorewall/masq + entry, your /etc/shorewall/masq file will need changing. In +most cases, you will simply be able to remove redundant entries. +In some cases though, you might want to change from using the interface + name to listing specific subnetworks if the change described above +will cause masquerading to occur on subnetworks that you don't wish +to masquerade.
+
+ Example 2 -- Suppose that your current +config is as follows:
+
- +[root@gateway test]# cat /etc/shorewall/masq- +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2-
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
- In this case, the second entry in /etc/shorewall/masq - is no longer required.
-
- Example 3 -- What if your current configuration - is like this?
-
+
+ In this case, the second entry in /etc/shorewall/masq + is no longer required.
+
+ Example 3 -- What if your current configuration + is like this?
+
- +[root@gateway test]# cat /etc/shorewall/masq- +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2-
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
- In this case, you would want to change the - entry in /etc/shorewall/masq to:
+
+ In this case, you would want to change + the entry in /etc/shorewall/masq to:
- +#INTERFACE SUBNET ADDRESS-
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE+
+ 2/5/2003 - Shorewall Support included in +Webmin 1.060Webmin version 1.060 now has Shorewall support included as standard. See + http://www.webmin.com.
+ +
+
+ 2/4/2003 - Shorewall 1.3.14-RC1Includes the Beta 2 content plus support for OpenVPN tunnels.
+ +1/28/2003 - Shorewall 1.3.14-Beta2
+ +Includes the Beta 1 content plus restores VLAN device names of the form + $dev.$vid (e.g., eth0.1)
+ +1/25/2003 - Shorewall 1.3.14-Beta1
+ +
+The Beta includes the following changes:
+ +
++
+- An OLD_PING_HANDLING option has been + added to shorewall.conf. When set to Yes, Shorewall ping +handling is as it has always been (see http://www.shorewall.net/ping.html).
+
+
+ When OLD_PING_HANDLING=No, icmp echo (ping) + is handled via rules and policies just like any other connection + request. The FORWARDPING=Yes option in shorewall.conf and +the 'noping' and 'filterping' options in /etc/shorewall/interfaces + will all generate an error.
+
+- It is now possible to direct Shorewall + to create a "label" such as "eth0:0" for IP addresses that + it creates under ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. + This is done by specifying the label instead of just the interface + name:
+
+
+ a) In the INTERFACE column of /etc/shorewall/masq
+ b) In the INTERFACE column of /etc/shorewall/nat
+- When an interface name is entered +in the SUBNET column of the /etc/shorewall/masq file, Shorewall + previously masqueraded traffic from only the first subnet +defined on that interface. It did not masquerade traffic from:
+ +
+
+ a) The subnets associated with other +addresses on the interface.
+ b) Subnets accessed through local routers.
+
+ Beginning with Shorewall 1.3.14, if you +enter an interface name in the SUBNET column, shorewall will +use the firewall's routing table to construct the masquerading/SNAT +rules.
+
+ Example 1 -- This is how it works in 1.3.14.
+
+ + + +[root@gateway test]# cat /etc/shorewall/masq+ + + +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2+ + + +
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254[root@gateway test]# shorewall start+
...
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
Processing /etc/shorewall/tos...
+ When upgrading to Shorewall 1.3.14, if +you have multiple local subnets connected to an interface +that is specified in the SUBNET column of an /etc/shorewall/masq + entry, your /etc/shorewall/masq file will need changing. In +most cases, you will simply be able to remove redundant entries. +In some cases though, you might want to change from using the interface + name to listing specific subnetworks if the change described above +will cause masquerading to occur on subnetworks that you don't wish +to masquerade.
+
+ Example 2 -- Suppose that your current +config is as follows:
+
+ + + +[root@gateway test]# cat /etc/shorewall/masq+ + + +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
eth0 192.168.10.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2+
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+ In this case, the second entry in /etc/shorewall/masq + is no longer required.
+
+ Example 3 -- What if your current configuration + is like this?
+
+ + + +[root@gateway test]# cat /etc/shorewall/masq+ + + +
#INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE[root@gateway test]# ip route show dev eth2+
192.168.1.0/24 scope link
192.168.10.0/24 proto kernel scope link src 192.168.10.254
[root@gateway test]#
+ In this case, you would want to change + the entry in /etc/shorewall/masq to:
+ + + +#INTERFACE SUBNET ADDRESS+
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format
- +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation. - the PDF may be downloaded from
- + + ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
- http://slovakia.shorewall.net/pub/shorewall/pdf/ - +1/17/2003 - shorewall.net has MOVED
- + +Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A big thanks to Alex for making this happen.
- + + +
-1/13/2003 - Shorewall 1.3.13
- + + +
-Just includes a few things that I had on the burner:
- + + +
--
- + +- A new 'DNAT-' action has been added - for entries in the /etc/shorewall/rules file. DNAT- is intended - for advanced users who wish to minimize the number of rules -that connection requests must traverse.
-
-
- A Shorewall DNAT rule actually generates - two iptables rules: a header rewriting rule in the 'nat' table - and an ACCEPT rule in the 'filter' table. A DNAT- rule only -generates the first of these rules. This is handy when you have - several DNAT rules that would generate the same ACCEPT rule.
-
- Here are three rules from my previous - rules file:
-
- DNAT net dmz:206.124.146.177 -tcp smtp - 206.124.146.178
- DNAT net dmz:206.124.146.177 -tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 -tcp www,smtp,ftp,...
-
- These three rules ended up generating - _three_ copies of
-
- ACCEPT net dmz:206.124.146.177 - tcp smtp
-
- By writing the rules this way, I end -up with only one copy of the ACCEPT rule.
-
- DNAT- net dmz:206.124.146.177 -tcp smtp - 206.124.146.178
- DNAT- net dmz:206.124.146.177 -tcp smtp - 206.124.146.179
- ACCEPT net dmz:206.124.146.177 -tcp www,smtp,ftp,....
-
-- The 'shorewall check' command now -prints out the applicable policy between each pair of zones.
-
-
-- A new CLEAR_TC option has been added - to shorewall.conf. If this option is set to 'No' then Shorewall - won't clear the current traffic control rules during [re]start. - This setting is intended for use by people that prefer to configure - traffic shaping when the network interfaces come up rather than when - the firewall is started. If that is what you want to do, set TC_ENABLED=Yes - and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. - That way, your traffic shaping rules can still use the 'fwmark' classifier - based on packet marking defined in /etc/shorewall/tcrules.
-
-
-- A new SHARED_DIR variable has been - added that allows distribution packagers to easily move the - shared directory (default /usr/lib/shorewall). Users should -never have a need to change the value of this shorewall.conf setting.
- +
-- A new 'DNAT-' action has been +added for entries in the /etc/shorewall/rules file. DNAT- +is intended for advanced users who wish to minimize the number + of rules that connection requests must traverse.
+
+
+ A Shorewall DNAT rule actually generates + two iptables rules: a header rewriting rule in the 'nat' +table and an ACCEPT rule in the 'filter' table. A DNAT- rule +only generates the first of these rules. This is handy when you +have several DNAT rules that would generate the same ACCEPT rule.
+
+ Here are three rules from my previous + rules file:
+
+ DNAT net dmz:206.124.146.177 + tcp smtp - 206.124.146.178
+ DNAT net dmz:206.124.146.177 + tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 + tcp www,smtp,ftp,...
+
+ These three rules ended up generating + _three_ copies of
+
+ ACCEPT net dmz:206.124.146.177 + tcp smtp
+
+ By writing the rules this way, I +end up with only one copy of the ACCEPT rule.
+
+ DNAT- net dmz:206.124.146.177 + tcp smtp - 206.124.146.178
+ DNAT- net dmz:206.124.146.177 + tcp smtp - 206.124.146.179
+ ACCEPT net dmz:206.124.146.177 + tcp www,smtp,ftp,....
+
+- The 'shorewall check' command +now prints out the applicable policy between each pair of +zones.
+
+
+- A new CLEAR_TC option has been + added to shorewall.conf. If this option is set to 'No' then + Shorewall won't clear the current traffic control rules during + [re]start. This setting is intended for use by people that prefer + to configure traffic shaping when the network interfaces come up +rather than when the firewall is started. If that is what you want +to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart + file. That way, your traffic shaping rules can still use the 'fwmark' + classifier based on packet marking defined in /etc/shorewall/tcrules.
+
+
+- A new SHARED_DIR variable has +been added that allows distribution packagers to easily move +the shared directory (default /usr/lib/shorewall). Users should + never have a need to change the value of this shorewall.conf + setting.
+ +
+1/6/2003 - BURNOUT
- + +Until further notice, I will not be involved in either Shorewall Development - or Shorewall Support
- + or Shorewall Support + +-Tom Eastep
- + + +
-12/30/2002 - Shorewall Documentation in PDF Format
- +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. - the PDF may be downloaded from
+ the PDF may be downloaded from - +ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+ + +
- http://slovakia.shorewall.net/pub/shorewall/pdf/
+12/27/2002 - Shorewall 1.3.12 Released
+ + +Features include:
- -
12/27/2002 - Shorewall 1.3.12 Released
- -Features include:
- +
--
- -- "shorewall refresh" now reloads - the traffic shaping rules (tcrules and tcstart).
-- "shorewall debug [re]start" now - turns off debugging after an error occurs. This places -the point of the failure near the end of the trace rather -than up in the middle of it.
-- "shorewall [re]start" has been -speeded up by more than 40% with my configuration. Your milage -may vary.
-- A "shorewall show classifiers" -command has been added which shows the current packet classification - filters. The output from this command is also added as -a separate page in "shorewall monitor"
-- ULOG (must be all caps) is now -accepted as a valid syslog level and causes the subject -packets to be logged using the ULOG target rather than the -LOG target. This allows you to run ulogd (available from "shorewall refresh" now reloads + the traffic shaping rules (tcrules and tcstart).
+- "shorewall debug [re]start" + now turns off debugging after an error occurs. This +places the point of the failure near the end of the trace +rather than up in the middle of it.
+- "shorewall [re]start" has +been speeded up by more than 40% with my configuration. +Your milage may vary.
+- A "shorewall show classifiers" + command has been added which shows the current packet + classification filters. The output from this command is + also added as a separate page in "shorewall monitor"
+- ULOG (must be all caps) is +now accepted as a valid syslog level and causes the subject + packets to be logged using the ULOG target rather than the + LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to a separate log file.
-- If you are running a kernel that - has a FORWARD chain in the mangle table ("shorewall show - mangle" will show you the chains in the mangle table), you - can set MARK_IN_FORWARD_CHAIN=Yes in If you are running a kernel + that has a FORWARD chain in the mangle table ("shorewall + show mangle" will show you the chains in the mangle table), + you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows for marking input packets based on their destination even when you are using Masquerading or SNAT.
-- I have cluttered up the /etc/shorewall - directory with empty 'init', 'start', 'stop' and 'stopped' - files. If you already have a file with one of these names, -don't worry -- the upgrade process won't overwrite your file.
-- I have added a new RFC1918_LOG_LEVEL - variable to shorewall.conf. - This variable specifies the syslog level at which packets - are logged as a result of entries in the /etc/shorewall/rfc1918 - file. Previously, these packets were always logged at the 'info' - level.
- -
-12/20/2002 - Shorewall 1.3.12 Beta 3
- This version corrects a problem with - Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL was -set to anything but ULOG, the firewall would fail to start and -"shorewall refresh" would also fail.
-
+I have cluttered up the /etc/shorewall + directory with empty 'init', 'start', 'stop' and 'stopped' + files. If you already have a file with one of these names, + don't worry -- the upgrade process won't overwrite your file. +I have added a new RFC1918_LOG_LEVEL + variable to shorewall.conf. + This variable specifies the syslog level at which packets + are logged as a result of entries in the /etc/shorewall/rfc1918 + file. Previously, these packets were always logged at the 'info' + level. - + + + + +
+12/20/2002 - Shorewall 1.3.12 Beta 3
+ This version corrects a problem +with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL + was set to anything but ULOG, the firewall would fail to start +and "shorewall refresh" would also fail.
+
+ +12/20/2002 - Shorewall 1.3.12 Beta 2
- +The first public Beta version of Shorewall 1.3.12 is now available (Beta - 1 was made available only to a limited audience).
- Features include:
-
+ 1 was made available only to a limited audience).
+ + Features include:
- +-
- You may download the Beta from:- "shorewall refresh" now reloads - the traffic shaping rules (tcrules and tcstart).
-- "shorewall debug [re]start" - now turns off debugging after an error occurs. This places - the point of the failure near the end of the trace rather than - up in the middle of it.
-- "shorewall [re]start" has -been speeded up by more than 40% with my configuration. Your -milage may vary.
-- A "shorewall show classifiers" - command has been added which shows the current packet -classification filters. The output from this command is also -added as a separate page in "shorewall monitor"
-- ULOG (must be all caps) is - now accepted as a valid syslog level and causes the subject - packets to be logged using the ULOG target rather than the -LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages "shorewall refresh" now + reloads the traffic shaping rules (tcrules and tcstart).
+- "shorewall debug [re]start" + now turns off debugging after an error occurs. This +places the point of the failure near the end of the trace rather + than up in the middle of it.
+- "shorewall [re]start" +has been speeded up by more than 40% with my configuration. + Your milage may vary.
+- A "shorewall show classifiers" + command has been added which shows the current packet + classification filters. The output from this command is + also added as a separate page in "shorewall monitor"
+- ULOG (must be all caps) + is now accepted as a valid syslog level and causes the + subject packets to be logged using the ULOG target rather than + the LOG target. This allows you to run ulogd (available from + http://www.gnumonks.org/projects/ulogd) + and log all Shorewall messages to a separate log file.
-- If you are running a kernel - that has a FORWARD chain in the mangle table ("shorewall - show mangle" will show you the chains in the mangle table), - you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This - allows for marking input packets based on their destination even - when you are using Masquerading or SNAT.
-- I have cluttered up the /etc/shorewall - directory with empty 'init', 'start', 'stop' and 'stopped' - files. If you already have a file with one of these names, - don't worry -- the upgrade process won't overwrite your file.
+- If you are running a +kernel that has a FORWARD chain in the mangle table +("shorewall show mangle" will show you the chains in the mangle +table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. + This allows for marking input packets based on their destination +even when you are using Masquerading or SNAT.
+- I have cluttered up the + /etc/shorewall directory with empty 'init', 'start', +'stop' and 'stopped' files. If you already have a file with +one of these names, don't worry -- the upgrade process won't overwrite + your file.
- +
+ You may download the Beta from:
- +http://www.shorewall.net/pub/shorewall/Beta+
- ftp://ftp.shorewall.net/pub/shorewall/Beta
-12/12/2002 - Mandrake Multi Network Firewall
- Shorewall is at the center of - MandrakeSoft's recently-announced + Shorewall is at the center + of MandrakeSoft's recently-announced Multi - Network Firewall (MNF) product. Here is the product. Here is the press - release.-
+ release.
- +12/7/2002 - Shorewall Support for Mandrake 9.0
- +Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. - I have installed 9.0 on one of my systems and I am -now in a position to support Shorewall users who run Mandrake - 9.0.
+ I have installed 9.0 on one of my systems and I +am now in a position to support Shorewall users who run +Mandrake 9.0. - +12/6/2002 - Debian 1.3.11a Packages Available
+ - +
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +12/3/2002 - Shorewall 1.3.11a
- +This is a bug-fix roll up which includes Roger Aich's fix for DNAT with - excluded subnets (e.g., "DNAT foo!bar ..."). Current - 1.3.11 users who don't need rules of this type need not - upgrade to 1.3.11.
+ excluded subnets (e.g., "DNAT foo!bar ..."). Current + 1.3.11 users who don't need rules of this type need +not upgrade to 1.3.11. - +11/24/2002 - Shorewall 1.3.11
- +In this version:
- +-
- +- A 'tcpflags' option - has been added to entries in A 'tcpflags' option + has been added to entries in /etc/shorewall/interfaces. This option causes Shorewall to make a set of sanity check on TCP packet header flags.
-- It is now allowed -to use 'all' in the SOURCE or DEST column in a rule. When used, 'all' must -appear by itself (in may not be qualified) and it does not enable +
- It is now allowed + to use 'all' in the SOURCE or DEST column in a + rule. When used, 'all' +must appear by itself (in may not be qualified) and it does not enable intra-zone traffic. For example, the rule
-
-
- ACCEPT loc all tcp 80
-
- does not enable http traffic - from 'loc' to 'loc'.- Shorewall's use of -the 'echo' command is now compatible with bash clones -such as ash and dash.
-- fw->fw policies -now generate a startup error. fw->fw rules generate - a warning and are ignored
+
+ ACCEPT loc all tcp + 80
+
+ does not enable http +traffic from 'loc' to 'loc'. +- Shorewall's use + of the 'echo' command is now compatible with bash +clones such as ash and dash.
+- fw->fw policies + now generate a startup error. fw->fw rules generate + a warning and are ignored
- +11/14/2002 - Shorewall Documentation in PDF Format
- +Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. - the PDF may be downloaded from
+ the PDF may be downloaded from - +ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
+ - +
- http://slovakia.shorewall.net/pub/shorewall/pdf/
-11/09/2002 - Shorewall is Back at SourceForge
- +The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
+ - +
-11/09/2002 - Shorewall 1.3.10
- +In this version:
- +-
- +- You may now define the contents of a zone dynamically - with the "shorewall - add" and "shorewall delete" commands. These commands - are expected to be used primarily within - FreeS/Wan updown - scripts.
-- Shorewall can now - do MAC verification on ethernet - segments. You can specify the set of allowed MAC addresses on -the segment and you can optionally tie each MAC address to one or more - IP addresses.
-- PPTP Servers and - Clients running on the firewall system may now be - defined in the /etc/shorewall/tunnels -file.
-- A new 'ipsecnat' - tunnel type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
-- The PATH used by - Shorewall may now be specified in You may now + define the contents of a zone + dynamically with the "shorewall add" and + "shorewall delete" commands. These commands are +expected to be used primarily within FreeS/Wan updown + scripts.
+- Shorewall can + now do MAC verification on + ethernet segments. You can specify the set of allowed MAC addresses + on the segment and you can optionally tie each MAC address to one + or more IP addresses.
+- PPTP Servers + and Clients running on the firewall system may now + be defined in the /etc/shorewall/tunnels + file.
+- A new 'ipsecnat' + tunnel type is supported for use when the + remote IPSEC endpoint is behind a NAT + gateway.
+- The PATH used + by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
-- The main firewall - script is now /usr/lib/shorewall/firewall. The script - in /etc/init.d/shorewall is very small and uses /sbin/shorewall - to do the real work. This change makes custom distributions - such as for Debian and for Gentoo easier to manage since - it is /etc/init.d/shorewall that tends to have distribution-dependent - code
+- The main firewall + script is now /usr/lib/shorewall/firewall. The script + in /etc/init.d/shorewall is very small and uses /sbin/shorewall + to do the real work. This change makes custom distributions + such as for Debian and for Gentoo easier to manage since + it is /etc/init.d/shorewall that tends to have distribution-dependent + code
- +10/24/2002 - Shorewall is now in Gentoo Linux
- Alexandru Hartmann -reports that his Shorewall package is now a part of - the Gentoo Linux distribution. - Thanks Alex!
-
+ + Alexandru Hartmann + reports that his Shorewall package is now a part + of the Gentoo Linux distribution. + Thanks Alex!
+ + +10/23/2002 - Shorewall 1.3.10 Beta 1
+ In this version:
+ + ++
+ You may download + the Beta from:- You may now + define the contents of a zone + dynamically with the "shorewall add" and + "shorewall delete" commands. These commands are + expected to be used primarily within FreeS/Wan updown + scripts.
+- Shorewall +can now do MAC verification + on ethernet segments. You can specify the set of allowed +MAC addresses on the segment and you can optionally tie + each MAC address to one or more IP addresses.
+- PPTP Servers + and Clients running on the firewall system may now + be defined in the /etc/shorewall/tunnels + file.
+- A new 'ipsecnat' + tunnel type is supported for use when the + remote IPSEC endpoint is behind a NAT + gateway.
+- The PATH used + by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
+- The main firewall + script is now /usr/lib/shorewall/firewall. The + script in /etc/init.d/shorewall is very small and uses /sbin/shorewall + to do the real work. This change makes custom distributions + such as for Debian and for Gentoo easier to manage since + it is /etc/init.d/shorewall that tends to have distribution-dependent + code.
-10/23/2002 - Shorewall 1.3.10 Beta 1
- In this version:
+
-
- You may download the - Beta from:- You may now define the contents of a zone dynamically - with the "shorewall - add" and "shorewall delete" commands. These commands - are expected to be used primarily within - FreeS/Wan updown - scripts.
-- Shorewall can -now do MAC verification on -ethernet segments. You can specify the set of allowed -MAC addresses on the segment and you can optionally tie - each MAC address to one or more IP addresses.
-- PPTP Servers and - Clients running on the firewall system may now be - defined in the /etc/shorewall/tunnels file.
-- A new 'ipsecnat' - tunnel type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
-- The PATH used -by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
-- The main firewall - script is now /usr/lib/shorewall/firewall. The script - in /etc/init.d/shorewall is very small and uses /sbin/shorewall - to do the real work. This change makes custom distributions - such as for Debian and for Gentoo easier to manage since - it is /etc/init.d/shorewall that tends to have distribution-dependent - code.
- - -
- - - - -10/10/2002 - Debian 1.3.9b Packages Available
- - -
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- - -10/9/2002 - Shorewall 1.3.9b
- This release rolls -up fixes to the installer and to the firewall script.
- - -10/6/2002 - Shorewall.net now running on RH8.0
- Roles up the fix -for broken tunnels.
-
- The firewall and -server here at shorewall.net are now running RedHat - release 8.0.
-
- 9/30/2002 - Shorewall - 1.3.9a
- -9/30/2002 - TUNNELS Broken in 1.3.9!!!
- There is an updated - firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall.
+10/10/2002 - Debian 1.3.9b Packages Available
- -
+9/28/2002 - Shorewall 1.3.9
- - -In this version:
- - -
--
- - -- DNS Names are -now allowed in Shorewall config files (although I recommend against - using them).
-- The connection - SOURCE may now be qualified by both interface and - IP address in a Shorewall - rule.
-- Shorewall - startup is now disabled after initial installation - until the file /etc/shorewall/startup_disabled is removed. - This avoids nasty surprises during reboot for users who - install Shorewall but don't configure it.
-- The 'functions' - and 'version' files and the 'firewall' symbolic - link have been moved from /var/lib/shorewall to /usr/lib/shorewall - to appease the LFS police at Debian.
- - -
-9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
-
-- A couple -of recent configuration changes at www.shorewall.net - broke the Search facility:
- - - -- - -- Hopefully - these problems are now corrected. - --
-- Mailing - List Archive Search was not available.
-- The -Site Search index was incomplete
-- Only - one page of matches was presented.
- - - - -9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
- A couple of - recent configuration changes at www.shorewall.net - had the negative effect of breaking the Search facility:
-
- - --
- Hopefully -these problems are now corrected.- Mailing - List Archive Search was not available.
-- The -Site Search index was incomplete
-- Only -one page of matches was presented.
- - -
- - -9/18/2002 - Debian 1.3.8 Packages Available
- - +
-Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- -9/16/2002 - Shorewall 1.3.8
+ +10/9/2002 - Shorewall 1.3.9b
+ This release rolls + up fixes to the installer and to the firewall script.
+ + +10/6/2002 - Shorewall.net now running on RH8.0
+ Roles up the +fix for broken tunnels.
+
+ The firewall +and server here at shorewall.net are now running RedHat + release 8.0.
+ +
+ 9/30/2002 - Shorewall + 1.3.9a
+ + +9/30/2002 - TUNNELS Broken in 1.3.9!!!
+ There is an +updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + -- copy that file to /usr/lib/shorewall/firewall.
+ + +9/28/2002 - Shorewall 1.3.9
In this version:
@@ -1236,700 +1224,808 @@ these problems are now corrected.
-
+ + +- A - NEWNOTSYN option has -been added to shorewall.conf. This option determines whether Shorewall - accepts TCP packets which are not part of an established - connection and that are not 'SYN' packets (SYN flag - on and ACK flag off).
+- DNS Names are +now allowed in Shorewall config files (although I recommend against + using them).
- The - need for the 'multi' option to communicate between - zones za and zb on the same interface is removed in the - case where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' - will exist if:
+ connection SOURCE may now be qualified by both interface + and IP address in a Shorewall + rule. +- Shorewall + startup is now disabled after initial installation + until the file /etc/shorewall/startup_disabled is removed. + This avoids nasty surprises during reboot for users +who install Shorewall but don't configure it.
+- The +'functions' and 'version' files and the 'firewall' + symbolic link have been moved from /var/lib/shorewall + to /usr/lib/shorewall to appease the LFS police at +Debian.
+ + +
+9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
+ +
+ ++ A couple + of recent configuration changes at www.shorewall.net + broke the Search facility:
+ + + ++ + ++ Hopefully + these problems are now corrected. + ++
+ +- Mailing + List Archive Search was not available.
+- The + Site Search index was incomplete
+- Only + one page of matches was presented.
+9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
+ A couple + of recent configuration changes at www.shorewall.net + had the negative effect of breaking the Search facility:
+
+ + ++
+ Hopefully + these problems are now corrected.- Mailing + List Archive Search was not available.
+- The + Site Search index was incomplete
+- Only + one page of matches was presented.
+ + +
+ + +9/18/2002 - Debian 1.3.8 Packages Available
+ + +
+Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ + +9/16/2002 - Shorewall 1.3.8
+ + +In this version:
+ + +
++
- + +- A + NEWNOTSYN option has + been added to shorewall.conf. This option determines whether Shorewall + accepts TCP packets which are not part of an established + connection and that are not 'SYN' packets (SYN flag + on and ACK flag off).
+- The + need for the 'multi' option to communicate between + zones za and zb on the same interface is removed in +the case where the chain 'za2zb' and/or 'zb2za' exists. + 'za2zb' will exist if:
+ + + +-
- +- - There is a policy for za to zb; or
-- There is at least one rule for za to zb.
+- There is a policy for za to zb; or +
+ +- There is at least one rule for za to zb.
- +-
- +- The - /etc/shorewall/blacklist file now contains three columns. - In addition to the SUBNET/ADDRESS column, there are - optional PROTOCOL and PORT columns to block only certain - applications from the blacklisted addresses.
+
-- The + /etc/shorewall/blacklist file now contains three + columns. In addition to the SUBNET/ADDRESS column, there + are optional PROTOCOL and PORT columns to block only certain + applications from the blacklisted addresses.
- +
+9/11/2002 - Debian 1.3.7c Packages Available
- +Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +9/2/2002 - Shorewall 1.3.7c
- +This is a role up of a fix for "DNAT" rules where the source zone is $FW - (fw).
+ (fw). - +8/31/2002 - I'm not available
- +I'm currently on vacation -- please respect my need for a couple of weeks free of Shorewall problem reports.
- +-Tom
- +8/26/2002 - Shorewall 1.3.7b
- +This is a role up of the "shorewall refresh" bug fix and the change which - reverses the order of "dhcp" and "norfc1918" - checking.
+ reverses the order of "dhcp" and "norfc1918" + checking. - +8/26/2002 - French FTP Mirror is Operational
- +ftp://france.shorewall.net/pub/mirrors/shorewall - is now available.
+ is now available. - +8/25/2002 - Shorewall Mirror in France
- +Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored - at http://france.shorewall.net.
- +8/25/2002 - Shorewall 1.3.7a Debian Packages Available
- +Lorenzo Martignoni reports that the packages for version 1.3.7a are available - at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author - -- Shorewall 1.3.7a released
+ - +-
1.3.7a corrects problems occurring in rules file processing when starting - Shorewall 1.3.7.
+ Shorewall 1.3.7. - +8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
- +Features in this release include:
- +-
- +- The - 'icmp.def' file is now empty! The rules in that file - were required in ipchains firewalls but are not -required in Shorewall. Users who have ALLOWRELATED=No - in shorewall.conf should - see the Upgrade Issues.
-- A - 'FORWARDPING' option has been added to shorewall.conf. The effect - of setting this variable to Yes is the same as - the effect of adding an ACCEPT rule for ICMP echo-request - in /etc/shorewall/icmpdef. - Users who have such a rule in icmpdef are - encouraged to switch to FORWARDPING=Yes.
-- The - loopback CLASS A Network (127.0.0.0/8) has been added - to the rfc1918 file.
-- Shorewall - now works with iptables 1.2.7
-- The - documentation and web site no longer uses FrontPage - themes.
- +- The 'icmp.def' file is now empty! The rules +in that file were required in ipchains firewalls + but are not required in Shorewall. Users who have + ALLOWRELATED=No in shorewall.conf + should see the Upgrade Issues.
+ +- A 'FORWARDPING' option has been added to + shorewall.conf. The +effect of setting this variable to Yes is the same + as the effect of adding an ACCEPT rule for ICMP +echo-request in /etc/shorewall/icmpdef. + Users who have such a rule in icmpdef are + encouraged to switch to FORWARDPING=Yes.
+ +- The loopback CLASS A Network (127.0.0.0/8) +has been added to the rfc1918 file.
+ +- Shorewall now works with iptables 1.2.7
+ +- The documentation and web site no longer uses + FrontPage themes.
+ +I would like to thank John Distler for his valuable input regarding TCP - SYN and ICMP treatment in Shorewall. That - input has led to marked improvement in Shorewall - in the last two releases.
+ SYN and ICMP treatment in Shorewall. +That input has led to marked improvement in + Shorewall in the last two releases. - +8/13/2002 - Documentation in the CVS Repository
- +The Shorewall-docs project now contains just the HTML and image files - the Frontpage files have been removed.
- +8/7/2002 - STABLE branch added to CVS Repository
- +This branch will only be updated after I release a new version of Shorewall - so you can always update from this branch - to get the latest stable tree.
+ so you can always update from this branch + to get the latest stable tree. - +8/7/2002 - Upgrade Issues section added to the Errata Page
- +Now there is one place to go to look for issues involved with upgrading - to recent versions of Shorewall.
+ to recent versions of Shorewall. - +8/7/2002 - Shorewall 1.3.6
- +This is primarily a bug-fix rollup with a couple of new features:
- +-
- +- The - latest QuickStart -Guides including the The latest QuickStart + Guides including the Shorewall Setup Guide.
-- Shorewall - will now DROP TCP packets that are not part of or - related to an existing connection and that are not SYN - packets. These "New not SYN" packets may be optionally - logged by setting the LOGNEWNOTSYN option in /etc/shorewall/shorewall.conf.
-- The - processing of "New not SYN" packets may be extended - by commands in the new Shorewall will now DROP TCP packets that are + not part of or related to an existing connection and + that are not SYN packets. These "New not SYN" packets + may be optionally logged by setting the LOGNEWNOTSYN + option in /etc/shorewall/shorewall.conf.
+ +- The processing of "New not SYN" packets may +be extended by commands in the new newnotsyn extension script.
- +7/30/2002 - Shorewall 1.3.5b Released
- +This interim release:
- +-
- +- Causes - the firewall script to remove the lock file if it - is killed.
-- Once - again allows lists in the second column of the - /etc/shorewall/hosts -file.
-- Includes - the latest QuickStart - Guides.
- +- Causes the firewall script to remove the lock + file if it is killed.
+ +- Once again allows lists in the second column + of the /etc/shorewall/hosts + file.
+ +- Includes the latest QuickStart Guides.
+ +7/29/2002 - New Shorewall Setup Guide Available
- +The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. - The guide is intended for use by people - who are setting up Shorewall to manage multiple - public IP addresses and by people who want to learn - more about Shorewall than is described in the single-address - guides. Feedback on the new guide is welcome.
+ The guide is intended for use by people + who are setting up Shorewall to manage multiple + public IP addresses and by people who want to learn + more about Shorewall than is described in the single-address + guides. Feedback on the new guide is welcome. - +7/28/2002 - Shorewall 1.3.5 Debian Package Available
- +Lorenzo Martignoni reports that the packages are version 1.3.5a and are - available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +7/27/2002 - Shorewall 1.3.5a Released
- +This interim release restores correct handling of REDIRECT rules.
- +7/26/2002 - Shorewall 1.3.5 Released
- +This will be the last Shorewall release for a while. I'm going to be focusing on rewriting a lot of the documentation.
- +In this version:
- +-
- +- Empty - and invalid source and destination qualifiers are - now detected in the rules file. It is a good idea to - use the 'shorewall check' command before you issue - a 'shorewall restart' command be be sure that you don't have - any configuration problems that will prevent a successful - restart.
-- Added - MERGE_HOSTS variable in shorewall.conf to provide - saner behavior of the /etc/shorewall/hosts - file.
-- The - time that the counters were last reset is now displayed - in the heading of the 'status' and 'show' commands.
-- A - proxyarp option has been added for entries - in /etc/shorewall/interfaces. - This option facilitates Proxy ARP sub-netting as described - in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). - Specifying the proxyarp option for an - interface causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
-- The - Samples have been updated to reflect the new capabilities - in this release.
- +- Empty and invalid source and destination qualifiers + are now detected in the rules file. It is a good + idea to use the 'shorewall check' command before + you issue a 'shorewall restart' command be be sure that you +don't have any configuration problems that will prevent + a successful restart.
+ +- Added MERGE_HOSTS variable in shorewall.conf to provide + saner behavior of the /etc/shorewall/hosts + file.
+ +- The time that the counters were last reset is + now displayed in the heading of the 'status' and + 'show' commands.
+ +- A proxyarp option has been added + for entries in /etc/shorewall/interfaces. + This option facilitates Proxy ARP sub-netting as described + in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). + Specifying the proxyarp option for +an interface causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+ +- The Samples have been updated to reflect the + new capabilities in this release.
+ +7/16/2002 - New Mirror in Argentina
- +Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in - Argentina. Thanks Buanzo!!!
+ Argentina. Thanks Buanzo!!! - +7/16/2002 - Shorewall 1.3.4 Released
- +In this version:
- +-
- +- A - new /etc/shorewall/routestopped - file has been added. This file is intended -to eventually replace the routestopped -option in the /etc/shorewall/interface and /etc/shorewall/hosts - files. This new file makes remote firewall administration - easier by allowing any IP or subnet to be enabled while - Shorewall is stopped.
-- An - /etc/shorewall/stopped extension script has been - added. This script is invoked after Shorewall has - stopped.
-- A - DETECT_DNAT_ADDRS option has been added - to /etc/shoreall/shorewall.conf. - When this option is selected, DNAT rules only apply - when the destination address is the external - interface's primary IP address.
-- The - QuickStart Guide - has been broken into three guides and has been - almost entirely rewritten.
-- The - Samples have been updated to reflect the new capabilities - in this release.
- +- A new /etc/shorewall/routestopped + file has been added. This file is intended + to eventually replace the routestopped + option in the /etc/shorewall/interface and /etc/shorewall/hosts + files. This new file makes remote firewall administration + easier by allowing any IP or subnet to be enabled + while Shorewall is stopped.
+ +- An /etc/shorewall/stopped extension script has been + added. This script is invoked after Shorewall +has stopped.
+ +- A DETECT_DNAT_ADDRS option has +been added to /etc/shoreall/shorewall.conf. + When this option is selected, DNAT rules only +apply when the destination address is the + external interface's primary IP address.
+ +- The QuickStart + Guide has been broken into three guides +and has been almost entirely rewritten.
+ +- The Samples have been updated to reflect the + new capabilities in this release.
+ +7/8/2002 - Shorewall 1.3.3 Debian Package Available
- +Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +7/6/2002 - Shorewall 1.3.3 Released
- +In this version:
- +-
- +- Entries - in /etc/shorewall/interface that use the wildcard - character ("+") now have the "multi" option assumed.
-- The - 'rfc1918' chain in the mangle table has been renamed - 'man1918' to make log messages generated from that - chain distinguishable from those generated by the - 'rfc1918' chain in the filter table.
-- Interface - names appearing in the hosts file are now validated - against the interfaces file.
-- The - TARGET column in the rfc1918 file is now checked for - correctness.
-- The - chain structure in the nat table has been changed - to reduce the number of rules that a packet must traverse - and to correct problems with NAT_BEFORE_RULES=No
-- The - "hits" command has been enhanced.
- +- Entries in /etc/shorewall/interface that use + the wildcard character ("+") now have the "multi" + option assumed.
+ +- The 'rfc1918' chain in the mangle table has + been renamed 'man1918' to make log messages generated + from that chain distinguishable from those generated + by the 'rfc1918' chain in the filter table.
+ +- Interface names appearing in the hosts file + are now validated against the interfaces file.
+ +- The TARGET column in the rfc1918 file is now + checked for correctness.
+ +- The chain structure in the nat table has been + changed to reduce the number of rules that a packet + must traverse and to correct problems with NAT_BEFORE_RULES=No
+ +- The "hits" command has been enhanced.
+ +6/25/2002 - Samples Updated for 1.3.2
- +The comments in the sample configuration files have been updated to reflect - new features introduced in Shorewall 1.3.2.
+ new features introduced in Shorewall +1.3.2. - +6/25/2002 - Shorewall 1.3.1 Debian Package Available
- +Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +6/19/2002 - Documentation Available in PDF Format
- +Thanks to Mike Martinez, the Shorewall Documentation is now available for download in Adobe PDF format.
- +6/16/2002 - Shorewall 1.3.2 Released
- +In this version:
- +-
- +- A - logwatch command -has been added to /sbin/shorewall.
-- A - dynamic blacklist facility - has been added.
-- Support - for the Netfilter multiport - match function has been added.
-- The - files firewall, functions and version - have been moved from /etc/shorewall to /var/lib/shorewall.
- +- A logwatch command + has been added to /sbin/shorewall.
+ +- A dynamic blacklist + facility has been added.
+ +- Support for the Netfilter + multiport match function has been +added.
+ +- The files firewall, functions and + version have been moved from /etc/shorewall + to /var/lib/shorewall.
+ +6/6/2002 - Why CVS Web access is Password Protected
- +Last weekend, I installed the CVS Web package to provide brower-based access to the Shorewall CVS repository. Since then, I have had several instances where my server was almost unusable due to the high load generated by website copying tools like HTTrack and WebStripper. These mindless tools:
- +-
- +- Ignore - robot.txt files.
-- Recursively - copy everything that they find.
-- Should - be classified as weapons rather than tools.
- +- Ignore robot.txt files.
+ +- Recursively copy everything that they find.
+ +- Should be classified as weapons rather than tools.
+ +These tools/weapons are particularly damaging when combined with CVS Web - because they doggedly follow every link - in the cgi-generated HTML resulting in 1000s - of executions of the cvsweb.cgi script. Yesterday, -I spend several hours implementing measures to block these - tools but unfortunately, these measures resulted in -my server OOM-ing under even moderate load.
+ because they doggedly follow every link + in the cgi-generated HTML resulting in 1000s + of executions of the cvsweb.cgi script. Yesterday, + I spend several hours implementing measures to block +these tools but unfortunately, these measures resulted + in my server OOM-ing under even moderate load. - +Until I have the time to understand the cause of the OOM (or until I buy - more RAM if that is what is required), -CVS Web access will remain Password Protected. -
+ more RAM if that is what is required), + CVS Web access will remain Password Protected. + - +6/5/2002 - Shorewall 1.3.1 Debian Package Available
- +Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- +6/2/2002 - Samples Corrected
- +The 1.3.0 samples configurations had several serious problems that prevented - DNS and SSH from working properly. These - problems have been corrected in the 1.3.1 samples.
- +6/1/2002 - Shorewall 1.3.1 Released
- +Hot on the heels of 1.3.0, this release:
- +-
- +- Corrects - a serious problem with "all <zone> - CONTINUE" policies. This problem is present in all -versions of Shorewall that support the CONTINUE - policy. These previous versions optimized away the "all2<zone>" - chain and replaced it with the "all2all" chain with the - usual result that a policy of REJECT was enforced rather than - the intended CONTINUE policy.
-- Adds - an /etc/shorewall/rfc1918 - file for defining the exact behavior of theCorrects a serious problem with "all <zone> + CONTINUE" policies. This problem is present in all + versions of Shorewall that support the CONTINUE + policy. These previous versions optimized away the "all2<zone>" + chain and replaced it with the "all2all" chain with +the usual result that a policy of REJECT was enforced rather + than the intended CONTINUE policy.
+ +- Adds an /etc/shorewall/rfc1918 + file for defining the exact behavior of the 'norfc1918' interface option.
- +5/29/2002 - Shorewall 1.3.0 Released
- +In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 includes:
- +-
- +- A - 'filterping' interface option that allows ICMP echo-request - (ping) requests addressed to the firewall to -be handled by entries in /etc/shorewall/rules and /etc/shorewall/policy.
- +- A 'filterping' interface option that allows +ICMP echo-request (ping) requests addressed +to the firewall to be handled by entries in /etc/shorewall/rules + and /etc/shorewall/policy.
+ +5/23/2002 - Shorewall 1.3 RC1 Available
- +In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) incorporates the following:
- +-
- +- Support - for the /etc/shorewall/whitelist file has been withdrawn. - If you need whitelisting, see these instructions.
- +- Support for the /etc/shorewall/whitelist file + has been withdrawn. If you need whitelisting, see + these instructions.
+ +5/19/2002 - Shorewall 1.3 Beta 2 Available
- +In addition to the changes in Beta 1, this release which carries the designation 1.2.91 adds:
- +-
- +- The - structure of the firewall is changed markedly. There - is now an INPUT and a FORWARD chain for each interface; - this reduces the number of rules that a packet -must traverse, especially in complicated setups.
-- Sub-zones may now be excluded - from DNAT and REDIRECT rules.
-- The - names of the columns in a number of the configuration - files have been changed to be more consistent -and self-explanatory and the documentation has been - updated accordingly.
-- The - sample configurations have been updated for 1.3.
- +- The structure of the firewall is changed markedly. + There is now an INPUT and a FORWARD chain for each + interface; this reduces the number of rules that + a packet must traverse, especially in complicated setups.
+ +- Sub-zones may now be + excluded from DNAT and REDIRECT rules.
+ +- The names of the columns in a number of the +configuration files have been changed to be more + consistent and self-explanatory and the documentation + has been updated accordingly.
+ +- The sample configurations have been updated +for 1.3.
+ +5/17/2002 - Shorewall 1.3 Beta 1 Available
- +Beta 1 carries the version designation 1.2.90 and implements the following - features:
+ features: - +-
- +- Simplified - rule syntax which makes the intent of each rule - clearer and hopefully makes Shorewall easier to learn.
-- Upward - compatibility with 1.2 configuration files has - been maintained so that current users can migrate - to the new syntax at their convenience.
-- WARNING: Compatibility with the old - parameterized sample configurations has NOT been maintained. - Users still running those configurations should migrate - to the new sample configurations before upgrading - to 1.3 Beta 1.
- +- Simplified rule syntax which makes the intent + of each rule clearer and hopefully makes Shorewall + easier to learn.
+ +- Upward compatibility with 1.2 configuration + files has been maintained so that current users can +migrate to the new syntax at their convenience.
+ +- WARNING: Compatibility with + the old parameterized sample configurations has NOT been + maintained. Users still running those configurations +should migrate to the new sample configurations + before upgrading to 1.3 Beta 1.
+ +5/4/2002 - Shorewall 1.2.13 is Available
- +In this version:
- +-
- +- White-listing is supported.
-- SYN-flood protection is - added.
-- IP - addresses added under ADD_IP_ALIASES - and ADD_SNAT_ALIASES now inherit the -VLSM and Broadcast Address of the interface's primary - IP address.
-- The - order in which port forwarding DNAT and Static DNAT - can now be reversed - so that port forwarding rules can override the contents - of /etc/shorewall/nat. -
- +- White-listing is + supported.
+ +- SYN-flood protection + is added.
+ +- IP addresses added under ADD_IP_ALIASES and ADD_SNAT_ALIASES + now inherit the VLSM and Broadcast Address of + the interface's primary IP address.
+ +- The order in which port forwarding DNAT and +Static DNAT can now +be reversed so that port forwarding rules can override + the contents of /etc/shorewall/nat. +
+ +4/30/2002 - Shorewall Debian News
- +Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian Testing Branch and the .
- +4/20/2002 - Shorewall 1.2.12 is Available
- +-
- +- The - 'try' command works again
-- There - is now a single RPM that also works with SuSE.
- +- The 'try' command works again
+ +- There is now a single RPM that also works with + SuSE.
+ +4/17/2002 - Shorewall Debian News
- +Lorenzo Marignoni reports that:
- +-
- +- Shorewall - 1.2.10 is in the Shorewall 1.2.10 is in the Debian Testing Branch
-- Shorewall - 1.2.11 is in the Shorewall 1.2.11 is in the Debian Unstable Branch
- +Thanks, Lorenzo!
- +4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
- +Thanks to Stefan Mohr, there - is now a Shorewall 1.2.11 - SuSE RPM available.
+ SuSE RPM available. - +4/13/2002 - Shorewall 1.2.11 Available
- +In this version:
- +-
- +- The - 'try' command now accepts an optional timeout. If - the timeout is given in the command, the standard - configuration will automatically be restarted after - the new configuration has been running for that length of - time. This prevents a remote admin from being locked out -of the firewall in the case where the new configuration - starts but prevents access.
-- Kernel - route filtering may now be enabled globally using - the new ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
-- Individual - IP source addresses and/or subnets may now be -excluded from masquerading/SNAT.
-- Simple - "Yes/No" and "On/Off" values are now case-insensitive - in /etc/shorewall/shorewall.conf.
- +- The 'try' command now accepts an optional timeout. + If the timeout is given in the command, the standard + configuration will automatically be restarted after + the new configuration has been running for that length +of time. This prevents a remote admin from being locked +out of the firewall in the case where the new configuration + starts but prevents access.
+ +- Kernel route filtering may now be enabled globally + using the new ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
+ +- Individual IP source addresses and/or subnets + may now be excluded from masquerading/SNAT.
+ +- Simple "Yes/No" and "On/Off" values are now +case-insensitive in /etc/shorewall/shorewall.conf.
+ +4/13/2002 - Hamburg Mirror now has FTP
- +Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall. - Thanks Stefan!
+ Thanks Stefan! - +4/12/2002 - New Mirror in Hamburg
- +Thanks to Stefan Mohr, there - is now a mirror of the Shorewall website - at http://germany.shorewall.net. -
+ is now a mirror of the Shorewall website + at http://germany.shorewall.net. + - +4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
- +Version 1.1 of the QuickStart - Guide is now available. Thanks to -those who have read version 1.0 and offered their - suggestions. Corrections have also been made to the - sample scripts.
+ Guide is now available. Thanks to + those who have read version 1.0 and offered their + suggestions. Corrections have also been made to the + sample scripts. - +4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
- +Version 1.0 of the QuickStart - Guide is now available. This Guide -and its accompanying sample configurations are - expected to provide a replacement for the recently - withdrawn parameterized samples.
+ Guide is now available. This Guide + and its accompanying sample configurations +are expected to provide a replacement for the recently + withdrawn parameterized samples. - +4/8/2002 - Parameterized Samples Withdrawn
- +Although the parameterized - samples have allowed people to get -a firewall up and running quickly, they have -unfortunately set the wrong level of expectation among -those who have used them. I am therefore withdrawing support - for the samples and I am recommending that they not be -used in new Shorewall installations.
+ samples have allowed people to get + a firewall up and running quickly, they have + unfortunately set the wrong level of expectation among + those who have used them. I am therefore withdrawing +support for the samples and I am recommending that +they not be used in new Shorewall installations. - +4/2/2002 - Updated Log Parser
- +John Lodge has provided an updated - version of his CGI-based log parser with corrected date handling.
- +3/30/2002 - Shorewall Website Search Improvements
- +The quick search on the home page now excludes the mailing list archives. - The Extended - Search allows excluding the archives or - restricting the search to just the archives. An archive - search form is also available on the Extended + Search allows excluding the archives +or restricting the search to just the archives. An archive + search form is also available on the mailing list information - page.
+ page. - +3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
- +-
- +- The - 1.2.10 Debian Package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
-- Shorewall - 1.2.9 is now in the The 1.2.10 Debian Package is available at + http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +- Shorewall 1.2.9 is now in the Debian Unstable Distribution.
- +3/25/2002 - Log Parser Available
- +John Lodge has provided a CGI-based log parser for Shorewall. Thanks - John.
+ John. - +3/20/2002 - Shorewall 1.2.10 Released
- +In this version:
- +-
- +- A - "shorewall try" command has been added (syntax: shorewall - try <configuration directory>). - This command attempts "shorewall -c <configuration - directory> start" and if that results in the -firewall being stopped due to an error, a "shorewall start" - command is executed. The 'try' command allows you to + +
- A "shorewall try" command has been added (syntax: + shorewall try <configuration directory>). + This command attempts "shorewall -c <configuration + directory> start" and if that results in the + firewall being stopped due to an error, a "shorewall start" + command is executed. The 'try' command allows you to create a new configuration and attempt to start it; if there is an error that leaves - your firewall in the stopped state, it will automatically - be restarted using the default configuration (in /etc/shorewall).
-- A - new variable ADD_SNAT_ALIASES has been added to - /etc/shorewall/shorewall.conf. - If this variable is set to "Yes", Shorewall will - automatically add IP addresses listed in the third - column of the /etc/shorewall/masq - file.
-- Copyright - notices have been added to the documenation.
+ your firewall in the stopped state, it will automatically + be restarted using the default configuration (in /etc/shorewall). - +- A new variable ADD_SNAT_ALIASES has been added + to /etc/shorewall/shorewall.conf. + If this variable is set to "Yes", Shorewall will + automatically add IP addresses listed in the +third column of the /etc/shorewall/masq + file.
+ +- Copyright notices have been added to the documenation.
+ +3/11/2002 - Shorewall 1.2.9 Released
- +In this version:
- +-
- +- Filtering - by MAC address has - been added. MAC addresses may be used as the source address in: + +
- Filtering by MAC address + has been added. MAC addresses may be used as the source +address in: -
--
-- Filtering - rules (/etc/shorewall/rules)
-- Traffic - Control Classification Rules (Filtering rules (/etc/shorewall/rules)
+ +- Traffic Control Classification Rules (/etc/shorewall/tcrules)
-- TOS - Rules (/etc/shorewall/tos)
-- Blacklist - (/etc/shorewall/blacklist)
+ +- TOS Rules (/etc/shorewall/tos)
+ +- Blacklist (/etc/shorewall/blacklist)
- +- Several - bugs have been fixed
-- The - 1.2.9 Debian Package is also available at http://security.dsi.unimi.it/~lorenzo/debian.html.
- + + +- Several bugs have been fixed
+ +- The 1.2.9 Debian Package is also available at + http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +3/1/2002 - 1.2.8 Debian Package is Available
- +See http://security.dsi.unimi.it/~lorenzo/debian.html
- +2/25/2002 - New Two-interface Sample
- +I've enhanced the two interface sample to allow access from the firewall - to servers in the local zone - - http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
+ http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz - +2/23/2002 - Shorewall 1.2.8 Released
- +Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects problems associated with the lock file used to prevent multiple state-changing - operations from occuring simultaneously. - My apologies for any inconvenience my carelessness - may have caused.
+ operations from occuring simultaneously. + My apologies for any inconvenience my carelessness + may have caused. - +2/22/2002 - Shorewall 1.2.7 Released
- +In this version:
- +-
- +- UPnP - probes (UDP destination port 1900) are now silently - dropped in the common chain
-- RFC - 1918 checking in the mangle table has been streamlined - to no longer require packet marking. RFC 1918 checking - in the filter table has been changed to require half - as many rules as previously.
-- A - 'shorewall check' command has been added that does - a cursory validation of the zones, interfaces, hosts, - rules and policy files.
- +- UPnP probes (UDP destination port 1900) are +now silently dropped in the common chain
+ +- RFC 1918 checking in the mangle table has been + streamlined to no longer require packet marking. + RFC 1918 checking in the filter table has been changed +to require half as many rules as previously.
+ +- A 'shorewall check' command has been added that + does a cursory validation of the zones, interfaces, + hosts, rules and policy files.
+ +2/18/2002 - 1.2.6 Debian Package is Available
- +See http://security.dsi.unimi.it/~lorenzo/debian.html
- +2/8/2002 - Shorewall 1.2.6 Released
- +In this version:
- +-
- +- $-variables - may now be used anywhere in the configuration files - except /etc/shorewall/zones.
-- The - interfaces and hosts files now have their contents - validated before any changes are made to the existing - Netfilter configuration. The appearance of a zone - name that isn't defined in /etc/shorewall/zones causes "shorewall - start" and "shorewall restart" to abort without changing - the Shorewall state. Unknown options in either file -cause a warning to be issued.
-- A - problem occurring when BLACKLIST_LOGLEVEL was not - set has been corrected.
- +- $-variables may now be used anywhere in the +configuration files except /etc/shorewall/zones.
+ +- The interfaces and hosts files now have their + contents validated before any changes are made to +the existing Netfilter configuration. The appearance + of a zone name that isn't defined in /etc/shorewall/zones + causes "shorewall start" and "shorewall restart" + to abort without changing the Shorewall state. Unknown +options in either file cause a warning to be issued.
+ +- A problem occurring when BLACKLIST_LOGLEVEL + was not set has been corrected.
+ +2/4/2002 - Shorewall 1.2.5 Debian Package Available
- +see http://security.dsi.unimi.it/~lorenzo/debian.html
- +2/1/2002 - Shorewall 1.2.5 Released
- +Due to installation problems with Shorewall 1.2.4, I have released Shorewall - 1.2.5. Sorry for the rapid-fire development.
+ 1.2.5. Sorry for the rapid-fire development. - +In version 1.2.5:
- +-
- +- The - installation problems have been corrected.
-- SNAT is now supported.
-- A - "shorewall version" command has been added
-- The - default value of the STATEDIR variable in /etc/shorewall/shorewall.conf - has been changed to /var/lib/shorewall in - order to conform to the GNU/Linux File Hierarchy Standard, - Version 2.2.
- +- The installation problems have been corrected.
+ +- SNAT is now supported.
+ +- A "shorewall version" command has been added
+ +- The default value of the STATEDIR variable in + /etc/shorewall/shorewall.conf has been changed + to /var/lib/shorewall in order to conform to the +GNU/Linux File Hierarchy Standard, Version 2.2.
+ +1/28/2002 - Shorewall 1.2.4 Released
- +-
- +- The - "fw" zone may now be given - a different name.
-- You - may now place end-of-line comments (preceded by -'#') in any of the configuration files
-- There - is now protection against against two state changing - operations occuring concurrently. This is implemented - using the 'lockfile' utility if it is available - (lockfile is part of procmail); otherwise, a less robust - technique is used. The lockfile is created in the STATEDIR - defined in /etc/shorewall/shorewall.conf and has the - name "lock".
-- "shorewall - start" no longer fails if "detect" is specified - in /etc/shorewall/interfaces - for an interface with subnet mask 255.255.255.255.
- +- The "fw" zone may now + be given a different name.
+ +- You may now place end-of-line comments (preceded + by '#') in any of the configuration files
+ +- There is now protection against against two +state changing operations occuring concurrently. + This is implemented using the 'lockfile' utility + if it is available (lockfile is part of procmail); + otherwise, a less robust technique is used. The lockfile + is created in the STATEDIR defined in /etc/shorewall/shorewall.conf + and has the name "lock".
+ +- "shorewall start" no longer fails if "detect" + is specified in /etc/shorewall/interfaces + for an interface with subnet mask 255.255.255.255.
+ +1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
- +1/20/2002 - Corrected firewall script available
- +Corrects a problem with BLACKLIST_LOGLEVEL. See the - errata for details.
+ errata for details. - +1/19/2002 - Shorewall 1.2.3 Released
- +This is a minor feature and bugfix release. The single new feature is:
- +-
- +- Support - for TCP MSS Clamp to PMTU -- This support is usually - required when the internet connection is via -PPPoE or PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
- +- Support for TCP MSS Clamp to PMTU -- This support + is usually required when the internet connection + is via PPPoE or PPTP and may be enabled using the + CLAMPMSS option in + /etc/shorewall/shorewall.conf.
+ +The following problems were corrected:
- +-
- +- The - "shorewall status" command no longer hangs.
-- The - "shorewall monitor" command now displays the icmpdef - chain
-- The - CLIENT PORT(S) column in tcrules is no longer ignored
- +- The "shorewall status" command no longer hangs.
+ +- The "shorewall monitor" command now displays + the icmpdef chain
+ +- The CLIENT PORT(S) column in tcrules is no longer + ignored
+ +1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release
- +Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution - that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo - for details.
+ for details. - +1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 - Shorewall Debian package is now available. - There is a link to Lorenzo's site from the Shorewall download page.
- +1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores - the "shorewall status" command to health.
+ the "shorewall status" command to health. - +1/8/2002 - Shorewall 1.2.2 Released
- +In version 1.2.2
- +-
- -- Support - for IP blacklisting has been added + +
- Support for IP blacklisting has been added - +
+ +-
- You - specify whether you want packets from blacklisted - hosts dropped or rejected using the BLACKLIST_DISPOSITION - setting in /etc/shorewall/shorewall.conf
-- You - specify whether you want packets from blacklisted - hosts logged and at what syslog level using the - BLACKLIST_LOGLEVEL - setting in /etc/shorewall/shorewall.conf
-- You - list the IP addresses/subnets that you wish to blacklist - in /etc/shorewall/blacklist
-- You - specify the interfaces you want checked against - the blacklist using the new "You specify whether you want packets from + blacklisted hosts dropped or rejected using the + BLACKLIST_DISPOSITION + setting in /etc/shorewall/shorewall.conf
+ +- You specify whether you want packets from + blacklisted hosts logged and at what syslog level + using the BLACKLIST_LOGLEVEL + setting in /etc/shorewall/shorewall.conf
+ +- You list the IP addresses/subnets that you + wish to blacklist in /etc/shorewall/blacklist
+ +- You specify the interfaces you want checked + against the blacklist using the new "blacklist" option - in /etc/shorewall/interfaces.
-- The - black list is refreshed from /etc/shorewall/blacklist - by the "shorewall refresh" command.
+ in /etc/shorewall/interfaces.- The black list is refreshed from /etc/shorewall/blacklist + by the "shorewall refresh" command.
- +Use - of TCP RST replies has been expanded + + + +Use of TCP RST replies has been expanded - + --
-- TCP - connection requests rejected because of a REJECT - policy are now replied with a TCP RST packet.
-- TCP - connection requests rejected because of a protocol=all - rule in /etc/shorewall/rules are now replied - with a TCP RST packet.
+ +- TCP connection requests rejected because + of a REJECT policy are now replied with a TCP + RST packet.
+ +- TCP connection requests rejected because + of a protocol=all rule in /etc/shorewall/rules + are now replied with a TCP RST packet.
- +A - LOGFILE specification - has been added to /etc/shorewall/shorewall.conf. LOGFILE - is used to tell the /sbin/shorewall program where to look - for Shorewall messages. - + + +A LOGFILE specification + has been added to /etc/shorewall/shorewall.conf. LOGFILE + is used to tell the /sbin/shorewall program where to look + for Shorewall messages. + + - +1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates - to the previously-released samples. There - are two new rules added:
+ to the previously-released samples. There + are two new rules added: - +-
- +- Unless - you have explicitly enabled Auth connections (tcp - port 113) to your firewall, these connections will be -REJECTED rather than DROPPED. This speeds up connection - establishment to some servers.
-- Orphan - DNS replies are now silently dropped.
- +- Unless you have explicitly enabled Auth connections + (tcp port 113) to your firewall, these connections + will be REJECTED rather than DROPPED. This speeds +up connection establishment to some servers.
+ +- Orphan DNS replies are now silently dropped.
+ +See the README file for upgrade instructions.
- +1/1/2002 - Shorewall Mailing List Moving
- +The Shorewall mailing list hosted at - Sourceforge is moving to Shorewall.net. - If you are a current subscriber to the list at -Sourceforge, please is moving to Shorewall.net. + If you are a current subscriber to the list +at Sourceforge, please see these instructions. - If you would like to subscribe to the new -list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.
- +12/31/2001 - Shorewall 1.2.1 Released
- +In version 1.2.1:
- +-
- +- Logging of Mangled/Invalid - Packets is added.
-- The - tunnel script has been corrected.
-- 'shorewall - show tc' now correctly handles tunnels.
- +- Logging of Mangled/Invalid + Packets is added.
+ +- The tunnel script has been + corrected.
+ +- 'shorewall show tc' now correctly handles tunnels.
+ +12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing 1.2 on 12/21/2001
- +Version 1.2 contains the following new features:
- +-
- +- Support - for Traffic Control/Shaping
-- Support - for Filtering of -Mangled/Invalid Packets
-- Support - for GRE Tunnels
- +- Support for Traffic Control/Shaping
+ +- Support for Filtering + of Mangled/Invalid Packets
+ +- Support for GRE Tunnels
+ +For the next month or so, I will continue to provide corrections to version - 1.1.18 as necessary so that current version - 1.1.x users will not be forced into a quick upgrade - to 1.2.0 just to have access to bug fixes.
+ 1.1.18 as necessary so that current version + 1.1.x users will not be forced into a quick upgrade + to 1.2.0 just to have access to bug fixes. - +For those of you who have installed one of the Beta RPMS, you will need - to use the "--oldpackage" option when upgrading - to 1.2.0:
+ to use the "--oldpackage" option when +upgrading to 1.2.0: - +- + ++ - +rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
-12/19/2001 - Thanks to Steve - Cowles, there is now a Shorewall mirror - in Texas. This web site is mirrored at , there is now a Shorewall mirror + in Texas. This web site is mirrored at http://www.infohiiway.com/shorewall - and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
- +11/30/2001 - A new set of the parameterized Sample Configurations has been released. In this version:
- +-
- + +- Ping - is now allowed between the zones.
-- In - the three-interface configuration, it is now possible - to configure the internet services that are to be -available to servers in the DMZ.
- +- Ping is now allowed between the zones.
+ +- In the three-interface configuration, it is now + possible to configure the internet services that + are to be available to servers in the DMZ.
+ +11/20/2001 - The current version of Shorewall is 1.1.18.
- +In this version:
- +-
- +- The - spelling of ADD_IP_ALIASES has been corrected in -the shorewall.conf file
-- The - logic for deleting user-defined chains has been simplified - so that it avoids a bug in the LRP version of the -'cut' utility.
-- The - /var/lib/lrpkg/shorwall.conf file has been corrected - to properly display the NAT entry in that file.
- +- The spelling of ADD_IP_ALIASES has been corrected + in the shorewall.conf file
+ +- The logic for deleting user-defined chains has + been simplified so that it avoids a bug in the LRP +version of the 'cut' utility.
+ +- The /var/lib/lrpkg/shorwall.conf file has been + corrected to properly display the NAT entry +in that file.
+ +11/19/2001 - Thanks to Juraj - Ontkanin, there is now a Shorewall - mirror in the Slovak Republic. The website -is now mirrored at , there is now a Shorewall + mirror in the Slovak Republic. The website + is now mirrored at http://www.nrg.sk/mirror/shorewall and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
- +11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. - There are three sample configurations:
- - - --
+ There are three sample configurations: +- One - Interface -- for a standalone system.
-- Two - Interfaces -- A masquerading firewall.
-- Three - Interfaces -- A masquerading firewall with DMZ.
- - -+ +
+ + +- One Interface -- for a standalone system.
+ +- Two Interfaces -- A masquerading firewall.
+ +- Three Interfaces -- A masquerading firewall with + DMZ.
+ + +Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 - . See the README file for instructions.
+ . See the README file for instructions. - +11/1/2001 - The current version of Shorewall is 1.1.17. I intend - this to be the last of the 1.1 Shorewall - releases.
+ this to be the last of the 1.1 +Shorewall releases. - +In this version:
- +-
- + +- The - handling of ADD_IP_ALIASES - has been corrected.
- +- The handling of ADD_IP_ALIASES + has been corrected.
+ +10/22/2001 - The current version of Shorewall is 1.1.16. In this - version:
+ version: - +-
- + +- A - new "shorewall show connections" command has been - added.
-- In - the "shorewall monitor" output, the currently tracked - connections are now shown on a separate page.
-- Prior - to this release, Shorewall unconditionally added - the external IP adddress(es) specified in /etc/shorewall/nat. - Beginning with version 1.1.16, a new parameter - (ADD_IP_ALIASES) may - be set to "no" (or "No") to inhibit this behavior. - This allows IP aliases created using your distribution's - network configuration tools to be used in static - NAT.
- +- A new "shorewall show connections" command has + been added.
+ +- In the "shorewall monitor" output, the currently + tracked connections are now shown on a separate + page.
+ +- Prior to this release, Shorewall unconditionally + added the external IP adddress(es) specified in +/etc/shorewall/nat. Beginning with version 1.1.16, + a new parameter (ADD_IP_ALIASES) + may be set to "no" (or "No") to inhibit +this behavior. This allows IP aliases created using +your distribution's network configuration tools + to be used in static NAT.
+ +10/15/2001 - The current version of Shorewall is 1.1.15. In this - version:
+ version: - +-
- +- Support - for nested zones has been improved. See the documentation for details
-- Shorewall - now correctly checks the alternate configuration - directory for the 'zones' file.
- +- Support for nested zones has been improved. +See the documentation + for details
+ +- Shorewall now correctly checks the alternate + configuration directory for the 'zones' file.
+ +10/4/2001 - The current version of Shorewall is 1.1.14. In this - version
+ version - +-
- +- Shorewall - now supports alternate configuration directories. - When an alternate directory is specified when starting - or restarting Shorewall (e.g., "shorewall -c /etc/testconf - restart"), Shorewall will first look for configuration - files in the alternate directory then in /etc/shorewall. - To create an alternate configuration simply:
-
- 1. -Create a New Directory
- 2. -Copy to that directory any of your configuration files - that you want to change.
- 3. -Modify the copied files as needed.
- 4. -Restart Shorewall specifying the new directory.- The - rules for allowing/disallowing icmp echo-requests - (pings) are now moved after rules created when + +
- Shorewall now supports alternate configuration + directories. When an alternate directory is specified +when starting or restarting Shorewall (e.g., + "shorewall -c /etc/testconf restart"), Shorewall will +first look for configuration files in the alternate directory + then in /etc/shorewall. To create an alternate configuration + simply:
+ +
+ + 1. Create a New Directory
+ + 2. Copy to that directory any of your configuration + files that you want to change.
+ + 3. Modify the copied files as needed.
+ + 4. Restart Shorewall specifying the new directory.- The rules for allowing/disallowing icmp echo-requests + (pings) are now moved after rules created when processing the rules file. This allows you to add rules that selectively allow/deny ping based on source or destination address.
-- Rules - that specify multiple client ip addresses or subnets - no longer cause startup failures.
-- Zone - names in the policy file are now validated against - the zones file.
-- If - you have packet mangling - support enabled, the "Rules that specify multiple client ip addresses + or subnets no longer cause startup failures.
+ +- Zone names in the policy file are now validated + against the zones file.
+ +- If you have packet + mangling support enabled, the "norfc1918" interface option now logs and drops any incoming packets on the interface that have an RFC 1918 destination address.
- +9/12/2001 - The current version of Shorewall is 1.1.13. In this - version
+ version - +-
- +- Shell - variables can now be used to parameterize Shorewall - rules.
-- The - second column in the hosts file may now contain a - comma-separated list.
-
-
- Example:
- - sea eth0:130.252.100.0/24,206.191.149.0/24- Handling - of multi-zone interfaces has been improved. See -the documentation for -the /etc/shorewall/interfaces file.
- +- Shell variables can now be used to parameterize + Shorewall rules.
+ +- The second column in the hosts file may now contain + a comma-separated list.
+ +
+ +
+ + Example:
+ + sea eth0:130.252.100.0/24,206.191.149.0/24- Handling of multi-zone interfaces has been improved. + See the documentation + for the /etc/shorewall/interfaces file.
+ +8/28/2001 - The current version of Shorewall is 1.1.12. In this - version
+ version - +-
- +- Several - columns in the rules file may now contain comma-separated - lists.
-- Shorewall - is now more rigorous in parsing the options in - /etc/shorewall/interfaces.
-- Complementation - using "!" is now supported in rules.
- +- Several columns in the rules file may now contain + comma-separated lists.
+ +- Shorewall is now more rigorous in parsing the + options in /etc/shorewall/interfaces.
+ +- Complementation using "!" is now supported in + rules.
+ +7/28/2001 - The current version of Shorewall is 1.1.11. In this - version
+ version - +-
- +- A - "shorewall refresh" command has been added to allow - for refreshing the rules associated with the broadcast - address on a dynamic interface. This command should - be used in place of "shorewall restart" when the internet - interface's IP address changes.
-- The - /etc/shorewall/start file (if any) is now processed - after all temporary rules have been deleted. - This change prevents the accidental removal of - rules added during the processing of that file.
-- The - "dhcp" interface option is now applicable to firewall - interfaces used by a DHCP server running on the firewall.
-- The - RPM can now be built from the .tgz file using "rpm - -tb"
- +- A "shorewall refresh" command has been added + to allow for refreshing the rules associated with +the broadcast address on a dynamic interface. This + command should be used in place of "shorewall restart" + when the internet interface's IP address changes.
+ +- The /etc/shorewall/start file (if any) is now + processed after all temporary rules have been + deleted. This change prevents the accidental + removal of rules added during the processing of that file.
+ +- The "dhcp" interface option is now applicable + to firewall interfaces used by a DHCP server running + on the firewall.
+ +- The RPM can now be built from the .tgz file using + "rpm -tb"
+ +7/6/2001 - The current version of Shorewall is 1.1.10. In this version
- +-
- +- Shorewall - now enables Ipv4 Packet Forwarding by default. -Packet forwarding may be disabled by specifying IP_FORWARD=Off - in /etc/shorewall/shorewall.conf. If you don't - want Shorewall to enable or disable packet forwarding, - add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf - file.
-- The - "shorewall hits" command no longer lists extraneous - service names in its last report.
-- Erroneous - instructions in the comments at the head of the - firewall script have been corrected.
- +- Shorewall now enables Ipv4 Packet Forwarding + by default. Packet forwarding may be disabled by +specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf. + If you don't want Shorewall to enable or disable + packet forwarding, add IP_FORWARDING=Keep to your + /etc/shorewall/shorewall.conf file.
+ +- The "shorewall hits" command no longer lists + extraneous service names in its last report.
+ +- Erroneous instructions in the comments at the + head of the firewall script have been corrected.
+ +6/23/2001 - The current version of Shorewall is 1.1.9. In this version
- +-
- +- The - "tunnels" file really is in the RPM now.
-- SNAT - can now be applied to port-forwarded connections.
-- A - bug which would cause firewall start failures in -some dhcp configurations has been fixed.
-- The - firewall script now issues a message if you have -the name of an interface in the second column in an - entry in /etc/shorewall/masq and that interface -is not up.
-- You - can now configure Shorewall so that it doesn't require the NAT and/or - mangle netfilter modules.
-- Thanks - to Alex Polishchuk, the "hits" command from seawall - is now in shorewall.
-- Support - for IPIP tunnels has been added.
- +- The "tunnels" file really is in the + RPM now.
+ +- SNAT can now be applied to port-forwarded connections.
+ +- A bug which would cause firewall start failures + in some dhcp configurations has been fixed.
+ +- The firewall script now issues a message if you + have the name of an interface in the second column + in an entry in /etc/shorewall/masq and that interface + is not up.
+ +- You can now configure Shorewall so that it doesn't require the NAT and/or + mangle netfilter modules.
+ +- Thanks to Alex Polishchuk, the "hits" command + from seawall is now in shorewall.
+ +- Support for IPIP tunnels + has been added.
+ +6/18/2001 - The current version of Shorewall is 1.1.8. In this version
- +-
- +- A - typo in the sample rules file has been corrected.
-- It - is now possible to restrict masquerading by destination host or subnet.
-- It - is now possible to have static NAT rules applied to packets originating - on the firewall itself.
- +- A typo in the sample rules file has been corrected.
+ +- It is now possible to restrict masquerading by destination host or subnet.
+ +- It is now possible to have static NAT rules applied to packets originating + on the firewall itself.
+ +6/2/2001 - The current version of Shorewall is 1.1.7. In this version
- +-
- +- The - TOS rules are now deleted when the firewall is stopped.
-- The - .rpm will now install regardless of which version - of iptables is installed.
-- The - .rpm will now install without iproute2 being installed.
-- The - documentation has been cleaned up.
-- The - sample configuration files included in Shorewall - have been formatted to 80 columns for ease of editing -on a VGA console.
- +- The TOS rules are now deleted when the firewall + is stopped.
+ +- The .rpm will now install regardless of which + version of iptables is installed.
+ +- The .rpm will now install without iproute2 being + installed.
+ +- The documentation has been cleaned up.
+ +- The sample configuration files included in Shorewall + have been formatted to 80 columns for ease of +editing on a VGA console.
+ +5/25/2001 - The current version of Shorewall is 1.1.6. In this version
- +-
- +- You may now rate-limit the -packet log.
-- - Previous versions of Shorewall have an implementation - of Static NAT which violates the principle - of least surprise. NAT only occurs for packets arriving + +
- You may now rate-limit + the packet log.
+ +- Previous versions of Shorewall have an implementation + of Static NAT which violates the principle + of least surprise. NAT only occurs for packets arriving at (DNAT) or send from (SNAT) the interface named in the - INTERFACE column of /etc/shorewall/nat. Beginning with version - 1.1.6, NAT effective regardless of which interface - packets come from or are destined to. To get compatibility + INTERFACE column of /etc/shorewall/nat. Beginning with +version 1.1.6, NAT effective regardless of which interface + packets come from or are destined to. To get compatibility with prior versions, I have added a new "ALL "ALL INTERFACES" column to /etc/shorewall/nat. - By placing "no" or "No" in the new column, the NAT -behavior of prior versions may be retained.
-- The - treatment of IPSEC Tunnels - where the remote gateway is a standalone system has been - improved. Previously, it was necessary to include an additional - rule allowing UDP port 500 traffic to pass through the tunnel. - Shorewall will now create this rule automatically when you -place the name of the remote peer's zone in a new GATEWAY ZONE -column in /etc/shorewall/tunnels.
+ By placing "no" or "No" in the new column, the NAT + behavior of prior versions may be retained. - +- The treatment of IPSEC + Tunnels where the remote gateway is a standalone system +has been improved. Previously, it was necessary to include +an additional rule allowing UDP port 500 traffic to pass +through the tunnel. Shorewall will now create this rule automatically + when you place the name of the remote peer's zone in a new GATEWAY +ZONE column in /etc/shorewall/tunnels.
+ +5/20/2001 - The current version of Shorewall is 1.1.5. In this version
- +-
- +- You may now pass parameters - when loading netfilter modules and you can specify the modules - to load.
-- Compressed - modules are now loaded. This requires that you -modutils support loading compressed modules.
-- You may now set the Type of Service - (TOS) field in packets.
-- Corrected - rules generated for port redirection (again).
- +- You may now pass parameters + when loading netfilter modules and you can specify the modules + to load.
+ +- Compressed modules are now loaded. This requires + that you modutils support loading compressed + modules.
+ +- You may now set the Type + of Service (TOS) field in packets.
+ +- Corrected rules generated for port redirection + (again).
+ +5/10/2001 - The current version of Shorewall is 1.1.4. In this version
- +-
- +- - Accepting RELATED connections - is now optional.
-- Corrected - problem where if "shorewall start" aborted early - (due to kernel configuration errors for example), superfluous - 'sed' error messages were reported.
-- Corrected - rules generated for port redirection.
-- The - order in which iptables kernel modules are loaded - has been corrected (Thanks to Mark Pavlidis).
- +- Accepting RELATED +connections is now optional.
+ +- Corrected problem where if "shorewall start" + aborted early (due to kernel configuration errors + for example), superfluous 'sed' error messages + were reported.
+ +- Corrected rules generated for port redirection.
+ +- The order in which iptables kernel modules are + loaded has been corrected (Thanks to Mark Pavlidis).
+ +4/28/2001 - The current version of Shorewall is 1.1.3. In this version
- +-
- +- Correct - message issued when Proxy ARP address added (Thanks - to Jason Kirtland).
-- /tmp/shorewallpolicy-$$ - is now removed if there is an error while - starting the firewall.
-- /etc/shorewall/icmp.def - and /etc/shorewall/common.def are now used - to define the icmpdef and common chains unless overridden - by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
-- In - the .lrp, the file /var/lib/lrpkg/shorwall.conf has - been corrected. An extra space after "/etc/shorwall/policy" - has been removed and "/etc/shorwall/rules" has been - added.
-- When - a sub-shell encounters a fatal error and has stopped - the firewall, it now kills the main shell so that - the main shell will not continue.
-- A - problem has been corrected where a sub-shell stopped - the firewall and main shell continued resulting in - a perplexing error message referring to "common.so" - resulted.
-- Previously, - placing "-" in the PORT(S) column in /etc/shorewall/rules - resulted in an error message during start. This - has been corrected.
-- The - first line of "install.sh" has been corrected -- -I had inadvertently deleted the initial "#".
- +- Correct message issued when Proxy ARP address + added (Thanks to Jason Kirtland).
+ +- /tmp/shorewallpolicy-$$ is now removed if there + is an error while starting the firewall.
+ +- /etc/shorewall/icmp.def and /etc/shorewall/common.def + are now used to define the icmpdef and common +chains unless overridden by the presence of /etc/shorewall/icmpdef +or /etc/shorewall/common.
+ +- In the .lrp, the file /var/lib/lrpkg/shorwall.conf + has been corrected. An extra space after "/etc/shorwall/policy" + has been removed and "/etc/shorwall/rules" has +been added.
+ +- When a sub-shell encounters a fatal error and + has stopped the firewall, it now kills the main + shell so that the main shell will not continue.
+ +- A problem has been corrected where a sub-shell + stopped the firewall and main shell continued + resulting in a perplexing error message referring + to "common.so" resulted.
+ +- Previously, placing "-" in the PORT(S) column + in /etc/shorewall/rules resulted in an error message + during start. This has been corrected.
+ +- The first line of "install.sh" has been corrected + -- I had inadvertently deleted the initial "#".
+ +4/12/2001 - The current version of Shorewall is 1.1.2. In this version
- +-
- +- Port - redirection now works again.
-- The - icmpdef and common chains may now be user-defined.
-- The - firewall no longer fails to start if "routefilter" - is specified for an interface that isn't started. - A warning message is now issued in this case.
-- The - LRP Version is renamed "shorwall" for 8,3 MSDOS -file system compatibility.
-- A - couple of LRP-specific problems were corrected.
- +- Port redirection now works again.
+ +- The icmpdef and common chains may now be user-defined.
+ +- The firewall no longer fails to start if "routefilter" + is specified for an interface that isn't started. + A warning message is now issued in this case.
+ +- The LRP Version is renamed "shorwall" for 8,3 + MSDOS file system compatibility.
+ +- A couple of LRP-specific problems were corrected.
+ +4/8/2001 - Shorewall is now affiliated with the Leaf Project
+ - +-
4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
- +-
- +- The - common chain is traversed from INPUT, OUTPUT and -FORWARD before logging occurs
-- The - source has been cleaned up dramatically
-- DHCP - DISCOVER packets with RFC1918 source addresses no - longer generate log messages. Linux DHCP clients generate - such packets and it's annoying to see them logged.
- +- The common chain is traversed from INPUT, OUTPUT + and FORWARD before logging occurs
+ +- The source has been cleaned up dramatically
+ +- DHCP DISCOVER packets with RFC1918 source addresses + no longer generate log messages. Linux DHCP clients + generate such packets and it's annoying to see +them logged.
+ +3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
- +-
- +- Log - messages now indicate the packet disposition.
-- Error - messages have been improved.
-- The - ability to define zones consisting of an enumerated - set of hosts and/or subnetworks has been added.
-- The - zone-to-zone chain matrix is now sparse so that only - those chains that contain meaningful rules are - defined.
-- 240.0.0.0/4 - and 169.254.0.0/16 have been added to the source - subnetworks whose packets are dropped under the - norfc1918 interface option.
-- Exits - are now provided for executing an user-defined script - when a chain is defined, when the firewall is initialized, - when the firewall is started, when the firewall - is stopped and when the firewall is cleared.
-- The - Linux kernel's route filtering facility can now -be specified selectively on network interfaces.
- +- Log messages now indicate the packet disposition.
+ +- Error messages have been improved.
+ +- The ability to define zones consisting of an +enumerated set of hosts and/or subnetworks has been + added.
+ +- The zone-to-zone chain matrix is now sparse so + that only those chains that contain meaningful + rules are defined.
+ +- 240.0.0.0/4 and 169.254.0.0/16 have been added + to the source subnetworks whose packets are dropped + under the norfc1918 interface option.
+ +- Exits are now provided for executing an user-defined + script when a chain is defined, when the firewall + is initialized, when the firewall is started, + when the firewall is stopped and when the firewall is + cleared.
+ +- The Linux kernel's route filtering facility +can now be specified selectively on network interfaces.
+ +3/19/2001 - The current version of Shorewall is 1.0.4. This version:
- +-
- +- Allows - user-defined zones. Shorewall now has only one pre-defined - zone (fw) with the remaining zones being defined - in the new configuration file /etc/shorewall/zones. - The /etc/shorewall/zones file released in this version - provides behavior that is compatible with Shorewall 1.0.3.
-- Adds - the ability to specify logging in entries in the - /etc/shorewall/rules file.
-- Correct - handling of the icmp-def chain so that only ICMP - packets are sent through the chain.
-- Compresses - the output of "shorewall monitor" if awk is -installed. Allows the command to work if awk isn't installed - (although it's not pretty).
- +- Allows user-defined zones. Shorewall now has + only one pre-defined zone (fw) with the remaining + zones being defined in the new configuration + file /etc/shorewall/zones. The /etc/shorewall/zones file +released in this version provides behavior that +is compatible with Shorewall 1.0.3.
+ +- Adds the ability to specify logging in entries + in the /etc/shorewall/rules file.
+ +- Correct handling of the icmp-def chain so that + only ICMP packets are sent through the chain.
+ +- Compresses the output of "shorewall monitor" +if awk is installed. Allows the command to work if +awk isn't installed (although it's not pretty).
+ +3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix - release with no new features.
+ release with no new features. - +-
- +- The - PATH variable in the firewall script now includes - /usr/local/bin and /usr/local/sbin.
-- DMZ-related - chains are now correctly deleted if the DMZ is - deleted.
-- The - interface OPTIONS for "gw" interfaces are no longer - ignored.
- +- The PATH variable in the firewall script now +includes /usr/local/bin and /usr/local/sbin.
+ +- DMZ-related chains are now correctly deleted + if the DMZ is deleted.
+ +- The interface OPTIONS for "gw" interfaces are + no longer ignored.
+ +3/8/2001 - The current version of Shorewall is 1.0.2. It supports an - additional "gw" (gateway) zone for tunnels - and it supports IPSEC tunnels with end-points on - the firewall. There is also a .lrp available now.
+ additional "gw" (gateway) zone for tunnels + and it supports IPSEC tunnels with end-points + on the firewall. There is also a .lrp available now. - -Updated 5/27/2003 - Tom Eastep -
+ +Updated 6/17/2003 - Tom Eastep +
- +Copyright © 2001, 2002 Thomas M. Eastep.
-
-
-
+