diff --git a/docs/NetfilterOverview.xml b/docs/NetfilterOverview.xml index 96ff384c6..af5ffb423 100644 --- a/docs/NetfilterOverview.xml +++ b/docs/NetfilterOverview.xml @@ -36,7 +36,7 @@ -
+
Netfilter Overview Netfilter consists of three tables: -
+
Preliminary Reading I recommend reading the VPN @@ -250,7 +250,7 @@ esac
Configuring Shorewall -
+
Basic Setup Here' a basic setup that treats your remote users as if they @@ -270,7 +270,7 @@ pptpserver net 0.0.0.0/0 loc ppp+
-
+
Remote Users in a Separate Zone If you want to place your remote users in their own zone so that @@ -303,7 +303,7 @@ vpn ppp+ to/from the vpn zone.
-
+
Multiple Remote Networks Often there will be situations where you want multiple diff --git a/docs/PacketHandling.xml b/docs/PacketHandling.xml index 179393782..cf7e4ec9e 100644 --- a/docs/PacketHandling.xml +++ b/docs/PacketHandling.xml @@ -36,7 +36,7 @@ -
+
Introduction This article will try to help you understand how packets pass @@ -55,7 +55,7 @@ appear.
-
+
Packets Entering the Firewall from Outside Certain processing occurs on packets entering the firewall from the @@ -168,8 +168,8 @@ This happens in the filter table's norfc1918 chain. - - + + If the interface on which the packet entered the firewall has the tcpflags option specified in /etc/shorewall/interfaces and the packet's @@ -180,7 +180,7 @@
-
+
All Packets Regardless of whether the packet originated on the firewall or came @@ -248,7 +248,7 @@
-
+
Packets Originating on the Firewall Packets that originate on the firewall itself undergo additional @@ -271,7 +271,7 @@
-
+
Packets Leaving the Firewall Packets being sent to another host undergo additional diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml index ca5fd8a43..849a5ab34 100644 --- a/docs/PacketMarking.xml +++ b/docs/PacketMarking.xml @@ -40,7 +40,7 @@ earlier releases. -
+
Packet and Connection Marks Perhaps no aspect of Shorewall causes more confusion than packet @@ -83,7 +83,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
-
+
Packet Marking "Programs" Packet marking occurs in Netfilter's mangle @@ -132,7 +132,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= POSTROUTING program. These rules are executed for each packet leaving the firewall. Entries specifying the ":T" suffix in the MARK column are also part of the POSTROUTING program (Shorewall version 3.4.0 and - later). + later). @@ -210,7 +210,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
-
+
Mark and Mask Values The mark value is held in a 32-bit field. Because packet marking is @@ -258,7 +258,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
-
+
Shorewall-defined Chains in the Mangle Table Shorewall creates a set of chains in the mangle table to hold rules @@ -307,7 +307,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= (PREROUTING, FORWARD, etc.).
-
+
An Example Here's the example (slightly expanded) from the comments at the top @@ -381,7 +381,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
-
+
Examining the Marking Programs on a Running System You can see the tcrules in action using the shorewall show diff --git a/docs/PortKnocking.xml b/docs/PortKnocking.xml index 511233099..3a9413a22 100644 --- a/docs/PortKnocking.xml +++ b/docs/PortKnocking.xml @@ -43,7 +43,7 @@ capabilities to see if you have that match. -
+
What is Port Knocking? Port knocking is a technique whereby attempting to connect to port A @@ -53,7 +53,7 @@ which should be considered to be part of this documentation.
-
+
Implementing Port Knocking in Shorewall In order to implement this solution, your iptables and kernel must @@ -239,7 +239,7 @@ Limit:info:SSHA,3,60 net $FW tcp 22 -
+
How Limit is Implemented For those who are curious, the Limit action is implemented in diff --git a/docs/ProxyARP.xml b/docs/ProxyARP.xml index a3b6d96f8..d340ec649 100644 --- a/docs/ProxyARP.xml +++ b/docs/ProxyARP.xml @@ -75,7 +75,7 @@ read the Shorewall Setup Guide. -
+
Example The following figure represents a Proxy ARP environment. @@ -185,7 +185,7 @@ iface eth1 inet static
-
+
ARP cache A word of warning is in order here. ISPs typically configure their diff --git a/docs/ReleaseModel.xml b/docs/ReleaseModel.xml index 8238d0b67..97b0794dc 100644 --- a/docs/ReleaseModel.xml +++ b/docs/ReleaseModel.xml @@ -38,7 +38,7 @@ -
+
Shorewall Releases @@ -129,7 +129,7 @@
- Old Release Model + Old Release Model This release model described above was adopted on 2004-07-03 and modified 2004-07-21. Prior to 2004-07-03, a different release model was diff --git a/docs/ScalabilityAndPerformance.xml b/docs/ScalabilityAndPerformance.xml index 7571dca6a..8830ac2ca 100644 --- a/docs/ScalabilityAndPerformance.xml +++ b/docs/ScalabilityAndPerformance.xml @@ -36,7 +36,7 @@ -
+
Introduction The performance of the shorewall @@ -50,7 +50,7 @@ to the use of Shorewall-perl if at all possible.
-
+
Host Groups In this article, we will use the term host @@ -73,7 +73,7 @@ zone.
-
+
Scaling by Host Groups For each host group, it is possible to attempt connections to every @@ -93,7 +93,7 @@ combinations.
-
+
Scaling by Zones A similar scaling issue applies to Shorewall zones. If there are @@ -106,7 +106,7 @@ role="bold">Z2.
-
+
Scaling within the Shorewall Code Shorewall is written entirely in Bourne Shell. While this allows @@ -122,7 +122,7 @@ scaling.
-
+
Improving Performance Achieving good performance boils down to three things: diff --git a/docs/netmap.xml b/docs/netmap.xml index a4b39c56a..00bdf1222 100644 --- a/docs/netmap.xml +++ b/docs/netmap.xml @@ -36,7 +36,7 @@ -
+
Why use Network Mapping Network Mapping is most often used to resolve IP address conflicts. @@ -47,7 +47,7 @@ re-addressing.
-
+
Solution Shorewall NETMAP support is designed to supply a solution. The basic @@ -180,7 +180,7 @@ DNAT 10.10.11.0/24 vpn 192.168.1.0/24 #RULE 1B - + 192.168.1.4 in the top cloud connects to 192.168.1.27 in the bottom cloud @@ -284,7 +284,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B
-
+
Author's Notes This could all be made a bit simpler by eliminating the TYPE field @@ -302,7 +302,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B
-
+
Can't I do this with one router? Why do I need two? I wrote this article before Shorewall included . If you try it and get it working, please contribute an update to this article.
- + \ No newline at end of file diff --git a/docs/ping.xml b/docs/ping.xml index f671bb538..64ba24ffa 100644 --- a/docs/ping.xml +++ b/docs/ping.xml @@ -45,7 +45,7 @@ url="ports.htm">port information page. -
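Review bot: the last hunk of netmap.xml (@@ -302,7 +302,7 @@) rewrites the file's final line, and the "\ No newline at end of file" marker now follows the "+" line, so the new version of the file drops its trailing newline. Add the newline back; otherwise every later diff of this file carries the marker again and the change keeps showing up as a modified last line.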
+
'Ping' Management In Shorewall , ICMP echo-request's are treated just like any other @@ -96,40 +96,4 @@ Ping/DROP net $FW files to prevent your log from being flooded by messages generated from remote pinging.
- - - Revision History - - - - 1.3 - - 2005-08-31 - - CR - - Updated for Shorewall 3 - - - - 1.2 - - 2004-01-03 - - TE - - Add traceroute reference - - - - 1.1 - - 2003-08-23 - - TE - - Initial version converted to Docbook XML - - - \ No newline at end of file diff --git a/docs/ports.xml b/docs/ports.xml index 6565462ef..8a7630da4 100644 --- a/docs/ports.xml +++ b/docs/ports.xml @@ -49,7 +49,7 @@ 3.0.0 then please see the documentation for that release -
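Review bot: this hunk (@@ -96,40 +96,4 @@) removes the whole Revision History from ping.xml, and the ports.xml hunk @@ -562,202 +560,4 @@ further down does the same. That history was the only dated, attributed record in these articles (for example "2005-08-31 CR Updated for Shorewall 3"), so readers lose the one indicator of how current the page is. If retiring per-article revision histories is the intent, state that in the commit message and check whether the other articles under docs/ still carry one, so the set stays consistent.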
+
Important Notes @@ -84,7 +84,7 @@ FTP/DNAT net dmz:192.168.1.4
-
+
Auth (identd) @@ -97,7 +97,7 @@ FTP/DNAT net dmz:192.168.1.4 Auth/ACCEPT <source> <destination>
-
+
BitTorrent @@ -114,7 +114,7 @@ Auth/ACCEPT <source> <destination& BitTorrent/ACCEPT <source> <destination>
-
+
DNS #ACTION SOURCE DESTINATION PROTO DEST PORT(S) @@ -180,7 +180,7 @@ Edonkey/DNAT net loc:192.168.1.4 DNAT net loc:192.168.1.4 tcp 4711
-
+
FTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) @@ -190,7 +190,7 @@ FTP/ACCEPT <source> <destination> information.
-
+
Gnutella @@ -216,14 +216,14 @@ FTP/ACCEPT <source> <destination> Gnutella/DNAT net loc:192.168.1.4
-
+
ICQ/AIM #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ICQ/ACCEPT <source> net
-
+
IMAP @@ -241,7 +241,7 @@ IMAP/ACCEPT <source> <destination&g IMAPS/ACCEPT <source> <destination> # IMAP over SSL.
-
+
IPSEC #ACTION SOURCE DESTINATION PROTO DEST PORT(S) @@ -256,7 +256,7 @@ ACCEPT <destination> <source>here.
-
+
LDAP @@ -268,8 +268,8 @@ LDAP/ACCEPT <source> <destina LDAPS/ACCEPT <source> <destination> # LDAP over SSL
-
- <trademark>MySQL</trademark> +
+ <trademark>My\SQL</trademark> This information is valid only for Shorewall 3.2 or later. @@ -288,31 +288,32 @@ LDAPS/ACCEPT <source> & MySQL/ACCEPT <source> <destination>
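Review bot: the new title line in the @@ -268,8 +268,8 @@ hunk, "+ <trademark>My\SQL</trademark>", introduces a backslash that the removed line "- <trademark>MySQL</trademark>" did not have. The rest of the hunk only swaps the section markup, so this looks like an accidental keystroke rather than an intended change, and it will render as "My\SQL" in the section heading. Keep the title as "MySQL".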
-
+
NFS #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d tcp 111 ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d udp - For more NFS information, see http://lists.shorewall.net/~kb/. + For more NFS information, see http://lists.shorewall.net/~kb/.
-
+
NTP (Network Time Protocol) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) NTP/ACCEPT <source> <destination>
-
+
<trademark>PCAnywhere</trademark> #ACTION SOURCE DESTINATION PROTO DEST PORT(S) PCA/ACCEPT <source> <destination>
-
+
POP3 @@ -329,7 +330,7 @@ POP3/ACCEPT <source> <destination&g POP3S/ACCEPT <source> <destination> #Unsecure Pop3
-
+
PPTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) @@ -340,21 +341,21 @@ ACCEPT <source> <destination>here.
-
+
rdate #ACTION SOURCE DESTINATION PROTO DEST PORT(S) Rdate/ACCEPT <source> <destination>
-
+
rsync #ACTION SOURCE DESTINATION PROTO DEST PORT(S) Rsync/ACCEPT <source> <destination>
-
+
Siproxd @@ -368,14 +369,14 @@ ACCEPT net fw udp 5060 ACCEPT net fw udp 7070:7089
-
+
SSH/SFTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) SSH/ACCEPT <source> <destination>
-
+
SMB/NMB (Samba/<trademark>Windows</trademark> Browsing/File Sharing) @@ -386,7 +387,7 @@ SMB/ACCEPT <destination> <source> Also, see this page.
-
+
SMTP @@ -398,14 +399,14 @@ SMTP/ACCEPT <source> <destination& SMTPS/ACCEPT <source> <destination> #SMTP over SSL (TLS)
-
+
SNMP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) SNMP/ACCEPT <source> <destination>
-
+
SVN @@ -421,7 +422,7 @@ SNMP/ACCEPT <source> <destination&g SVN/ACCEPT <source> <destination>
-
+
Telnet @@ -433,7 +434,7 @@ SVN/ACCEPT <source> <destination> Telnet/ACCEPT <source> <destination>
-
+
TFTP You must have TFTP connection tracking support in your kernel. If @@ -450,7 +451,7 @@ Telnet/ACCEPT <source> <destination ACCEPT <source> <destination> udp 69
-
+
Traceroute #ACTION SOURCE DESTINATION PROTO DEST PORT(S) @@ -469,7 +470,7 @@ ACCEPT fw loc icmp ACCEPT fw ...
-
+
Usenet (NNTP) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) @@ -479,7 +480,7 @@ NNTPS/ACCEPT <source> <destination> # secure NNTPTCP Port 119
-
+
VNC @@ -502,19 +503,16 @@ VNC/ACCEPT <source> <destination> VNCL/ACCEPT <source> <destination>
-
+
<trademark>Vonage</trademark> The standard Shorewall loc->net ACCEPT policy is all that is required for Vonage IP phone service to work, provided that you have loaded the tftp helper modules (add the following entries to /etc/shorewall/modules if they are not there already): - - loadmodule ip_conntrack_tftp - loadmodule ip_nat_tftp
-
+
Web Access @@ -526,7 +524,7 @@ HTTP/ACCEPT <source> <destination&g HTTPS/ACCEPT <source> <destination> #Secure HTTP
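Review bot: the Vonage hunk (@@ -502,19 +503,16 @@) deletes the listing "loadmodule ip_conntrack_tftp" / "loadmodule ip_nat_tftp" but keeps the sentence that introduces it, "(add the following entries to /etc/shorewall/modules if they are not there already):", so the section now ends with a colon that points at nothing and no longer tells the reader which helper modules to load. Either restore the two loadmodule lines or fold the module names into the sentence, e.g. "provided that the ip_conntrack_tftp and ip_nat_tftp helper modules are loaded". The names are the substance of the paragraph: TFTP negotiates its data port dynamically, so without the conntrack and NAT helpers the loc->net ACCEPT policy alone does not let the return traffic through.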
-
+
Webmin #ACTION SOURCE DESTINATION PROTO DEST PORT(S) @@ -534,14 +532,14 @@ Webmin/ACCEPT <source> <destination use TCP port 10000.
-
+
Whois #ACTION SOURCE DESTINATION PROTO DEST PORT(S) Whois/ACCEPT <source> <destination>
-
+
X/XDMCP Assume that the Choser and/or X Server are running at @@ -553,7 +551,7 @@ ACCEPT <chooser> <apps> ACCEPT <apps> <chooser> tcp 6000:6009 #X Displays 0-9
-
+
Other Source of Port Information Didn't find what you are looking for -- have you looked in your own @@ -562,202 +560,4 @@ ACCEPT <apps> <chooser Still looking? Try http://www.networkice.com/advice/Exploits/Ports
- - - Revision History - - - - 1.18 - - 2006-07-18 - - CR - - Updated for Shorewall 3.2 - - - - 1.18 - - 2005-11-23 - - CR - - Add Webmin info - - - - 1.17 - - 2005-09-20 - - TE - - More 3.0 Updates - - - - 1.16 - - 2005-09-02 - - CR - - Updated for Shorewall v3.0 - - - - 1.15 - - 2005-05-02 - - TE - - Added Emule - - - - 1.14 - - 2004-10-01 - - TE - - Add rsync. - - - - 1.13 - - 2004-09-21 - - TE - - Add note about ICMP type 11 to Traceroute. - - - - 1.12 - - 2004-09-09 - - TE - - Add note about Vonage. - - - - 1.11 - - 2004-05-28 - - TE - - Corrected directory for actions.std and enhanced the DNS - section. - - - - 1.10 - - 2004-05-09 - - TE - - Added TFTP. - - - - 1.9 - - 2004-04-24 - - TE - - Revised ICQ/AIM. - - - - 1.8 - - 2004-04-23 - - TE - - Added SNMP. - - - - 1.7 - - 2004-02-18 - - TE - - Make NFS work for everyone. - - - - 1.6 - - 2004-02-14 - - TE - - Add PCAnywhere. - - - - 1.5 - - 2004-02-05 - - TE - - Added information about VNC viewers in listen - mode. - - - - 1.4 - - 2004-01-26 - - TE - - Correct ICQ. - - - - 1.3 - - 2004-01-04 - - TE - - Alphabetize - - - - 1.2 - - 2004-01-03 - - TE - - Add rules file entries. - - - - 1.1 - - 2002-07-30 - - TE - - Initial version converted to Docbook XML - - - \ No newline at end of file diff --git a/docs/quotes.xml b/docs/quotes.xml index 254f4b9c6..fd2589d1e 100644 --- a/docs/quotes.xml +++ b/docs/quotes.xml @@ -29,23 +29,23 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. -
+
What Users are saying...
AS, Poland I want to say that Shorewall documentation is the best - I've ever found on the net. It's helped me a lot in - understanding how network is working. It is the best of breed. It - contains not only Shorewall specific topics with the assumption that all - the rest is well known, but also gives some very useful background - information. Thank you very much for this wonderful piece of work. - + I've ever found on the net. It's helped me a lot in understanding how + network is working. It is the best of breed. It contains not only + Shorewall specific topics with the assumption that all the rest is well + known, but also gives some very useful background information. Thank you + very much for this wonderful piece of work.
@@ -63,12 +63,12 @@
SE, California, USA - In two words, I'd call Shorewall "brilliant - simplicity". Define general rules of what it is you want to do, and - let the software determine the specific rules on how to implement it. - It's great only having to define specific rules for specific - instances. I have a much higher degree of confidence in my firewall than - I have had previously. Thank you for Shorewall!. + In two words, I'd call Shorewall "brilliant simplicity". + Define general rules of what it is you want to do, and let the software + determine the specific rules on how to implement it. It's great only + having to define specific rules for specific instances. I have a much + higher degree of confidence in my firewall than I have had previously. + Thank you for Shorewall!.
@@ -84,7 +84,8 @@ JL, Ohio I just installed Shorewall after weeks of messing with - ipchains/iptables and I had it up and running in under 20 minutes! + ipchains/iptables and I had it up and running in under 20 + minutes!
@@ -124,8 +125,9 @@
B.R, Netherlands - [Shorewall is a] great, great project. I've - used/tested may firewall scripts but this one is till now the best. + [Shorewall is a] great, great project. I've used/tested + may firewall scripts but this one is till now the + best.
@@ -150,19 +152,19 @@
SE, US - You have the best support of any other package I've - ever used. + You have the best support of any other package I've ever + used.
Name withheld by request, Europe Because our company has information which has been - classified by the national government as secret, our security - doesn't stop by putting a fence around our company. Information - security is a hot issue. We also make use of checkpoint firewalls, but - not all of the internet servers are guarded by checkpoint, some of them - are running....Shorewall. + classified by the national government as secret, our security doesn't + stop by putting a fence around our company. Information security is a + hot issue. We also make use of checkpoint firewalls, but not all of the + internet servers are guarded by checkpoint, some of them are + running....Shorewall.
@@ -170,7 +172,7 @@ thanx for all your efforts you put into shorewall - this product stands out against a lot of commercial stuff i´ve been working - with in terms of flexibillity, quality & support + with in terms of flexibillity, quality & support
@@ -184,13 +186,13 @@
RP, Guatamala - My respects... I've just found and installed - Shorewall 1.3.3-1 and it is a wonderful piece of software. I've just - sent out an email to about 30 people recommending it. :-) + My respects... I've just found and installed Shorewall + 1.3.3-1 and it is a wonderful piece of software. I've just sent out an + email to about 30 people recommending it. :-) While I had previously taken the time (maybe 40 hours) to really understand ipchains, then spent at least an hour per server - customizing and carefully scrutinizing firewall rules, I've got + customizing and carefully scrutinizing firewall rules, I've got shorewall running on my home firewall, with rulesets and policies that I know make sense, in under 20 minutes.