From fa8ae95a22c7aad66330b37d6c2e61e9f1492443 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 9 May 2005 14:49:08 +0000
Subject: [PATCH] Correct FAQ numbering

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2094 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-docs2/FAQ.xml | 454 +++++++++++++++----------------
 Shorewall-docs2/images/Thumbs.db | Bin 508924 -> 505852 bytes
 2 files changed, 214 insertions(+), 240 deletions(-)

diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml
index a1e2d18c1..3f05ec721 100644
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@@ -17,7 +17,7 @@ - 2005-04-24 + 2005-05-08 2001-2005 
@@ -99,22 +99,27 @@ shows how to do port forwarding under Shorewall. The format of a port-forwarding rule to a local system is as follows: - #ACTION SOURCE DEST PROTO DEST PORT -DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> + #ACTION SOURCE DEST PROTO DEST PORT DNAT net + loc:<local IP address>[:<local + port>] <protocol> + <port #> So to forward UDP port 7777 to internal system 192.168.1.5, the rule is: - #ACTION SOURCE DEST PROTO DEST PORT -DNAT net loc:192.168.1.5 udp 7777 + #ACTION SOURCE DEST PROTO DEST PORT DNAT net + loc:192.168.1.5 udp 7777 If you want to forward requests directed to a particular address ( <external IP> ) on your firewall to an internal system: - #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL -# PORT DEST. -DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> - <external IP> + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL # + PORT DEST. DNAT net loc:<local IP + address>[:<local port>] + <protocol> <port + #> - <external + IP> Finally, if you need to forward a range of ports, in the DEST PORT column specify the range as 
@@ -230,8 +235,8 @@ DNAT net loc:<local IP address>[:< In /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT -DNAT net loc:192.168.1.3:22 tcp 1022 + #ACTION SOURCE DEST PROTO DEST PORT DNAT net + loc:192.168.1.3:22 tcp 1022
@@ -257,26 +262,27 @@ DNAT net loc:192.168.1.3:22 tcp 1022 You can enable access to the server from your local network using the firewall's external IP address by adding this rule: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT DEST -DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176 + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL + # PORT DEST DNAT loc dmz:192.168.2.4 tcp 80 - + 206.124.146.176 If your external IP address is dynamic, then you must do the following: In /etc/shorewall/init: - ETH0_IP=`find_interface_address eth0` + ETH0_IP=`find_interface_address + eth0` For users of Shorewall 2.1.0 and later: - ETH0_IP=`find_first_interface_address eth0` + ETH0_IP=`find_first_interface_address + eth0` and make your DNAT rule: - #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL -# PORT DEST. -DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL # + PORT DEST. DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP
@@ -292,8 +298,8 @@ DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0 If you add the following rule then from the net, you will have 4104 listening, from your LAN, port 22. - #ACTION SOURCE DEST PROTO DEST PORT(S) -DNAT net fw:192.168.1.1:22 tcp 4104 + #ACTION SOURCE DEST PROTO DEST PORT(S) DNAT net + fw:192.168.1.1:22 tcp 4104
@@ -373,40 +379,42 @@ DNAT net fw:192.168.1.1:22 tcp 4104 In /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -loc eth1 detect routeback + #ZONE INTERFACE BROADCAST OPTIONS loc eth1 detect + routeback In /etc/shorewall/masq: - #INTERFACE SUBNET ADDRESS PROTO PORT(S) -eth1:192.168.1.5 eth1 192.168.1.254 tcp www + #INTERFACE SUBNET ADDRESS PROTO PORT(S) + eth1:192.168.1.5 eth1 192.168.1.254 tcp www In /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL -# PORT DEST. -DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69 + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL + # PORT DEST. DNAT loc loc:192.168.1.5 tcp www - + 130.151.100.69 That rule only works of course if you have a static external IP address. If you have a dynamic IP address and are running Shorewall 1.3.4 through Shorewall 2.0.* then include this in /etc/shorewall/init: - ETH0_IP=`find_interface_address eth0` + ETH0_IP=`find_interface_address + eth0` For users of Shorewall 2.1.0 and later: - ETH0_IP=`find_first_interface_address eth0` + ETH0_IP=`find_first_interface_address + eth0` and make your DNAT rule: - #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL -# PORT DEST. -DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL + # PORT DEST. DNAT loc loc:192.168.1.5 tcp www - + $ETH0_IP Using this technique, you will want to configure your DHCP/PPPoE client to automatically restart Shorewall each time that @@ -430,7 +438,8 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0 Oct 4 10:26:40 netgw kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.118.200 DST=192.168.118.210 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1342 DF - PROTO=TCP SPT=1494 DPT=1491 WINDOW=17472 RES=0x00 ACK SYN URGP=0 + PROTO=TCP SPT=1494 DPT=1491 WINDOW=17472 RES=0x00 ACK SYN + URGP=0 Answer: This is another problem 
@@ -460,12 +469,14 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0 Example: - Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24 + Zone: dmz Interface: eth2 Subnet: + 192.168.2.0/24 In /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -dmz eth2 192.168.2.255 routeback + #ZONE INTERFACE BROADCAST OPTIONS dmz eth2 + 192.168.2.255 routeback In /etc/shorewall/nat, be sure that you have Yes in the ALL INTERFACES column. @@ -495,26 +506,27 @@ dmz eth2 192.168.2.255 routeback You can enable access to the server from your local network using the firewall's external IP address by adding this rule: - #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL -# PORT DEST -DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176 + #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL + # PORT DEST DNAT loc dmz:192.168.2.4 tcp 80 - + 206.124.146.176 If your external IP address is dynamic, then you must do the following: In /etc/shorewall/init: - ETH0_IP=`find_interface_address eth0` + ETH0_IP=`find_interface_address + eth0` For users of Shorewall 2.1.0 and later: - ETH0_IP=`find_first_interface_address eth0` + ETH0_IP=`find_first_interface_address + eth0` and make your DNAT rule: - #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL -# PORT DEST. -DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP + #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL # + PORT DEST. DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP @@ -533,17 +545,17 @@ DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0 following:
- > I know PoM -ng is going to address this issue, but till it is ready, and -> all the extras are ported to it, is there any way to use the h.323 -> contrack module kernel patch with a 2.6 kernel? -> Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade is not -> an option... The module is not ported yet to 2.6, sorry. -> Do I have any options besides a gatekeeper app (does not work in my -> network) or a proxy (would prefer to avoid them)? - -I suggest everyone to setup a proxy (gatekeeper) instead: the module is -really dumb and does not deserve to exist at all. It was an excellent tool -to debug/develop the newnat interface. + > I know PoM -ng is going to address this + issue, but till it is ready, and > all the extras are ported to it, + is there any way to use the h.323 > contrack module kernel patch + with a 2.6 kernel? > Running 2.6.1 - no 2.4 kernel stuff on the + system, so downgrade is not > an option... The module is not ported + yet to 2.6, sorry. > Do I have any options besides a gatekeeper app + (does not work in my > network) or a proxy (would prefer to avoid + them)? I suggest everyone to setup a proxy (gatekeeper) instead: the + module is really dumb and does not deserve to exist at all. It was an + excellent tool to debug/develop the newnat + interface.
Look here @@ -726,16 +738,16 @@ to debug/develop the newnat interface. I have this entry in /etc/shorewall/tunnels: - # TYPE ZONE GATEWAY GATEWAY -# ZONE -openvpn:5000 net 69.145.71.133 + # TYPE ZONE GATEWAY GATEWAY # ZONE openvpn:5000 net + 69.145.71.133 Yet I am seeing this log message: - Oct 12 13:41:03 localhost kernel: Shorewall:net2all:DROP:IN=eth0 OUT= -MAC=00:04:5a:7f:92:9f:00:b0:c2:89:68:e4:08:00 SRC=69.145.71.133 -DST=216.187.138.18 LEN=42 TOS=0x00 PREC=0x00 TTL=46 ID=11 DF PROTO=UDP -SPT=33120 DPT=5000 LEN=22 + Oct 12 13:41:03 localhost kernel: + Shorewall:net2all:DROP:IN=eth0 OUT= + MAC=00:04:5a:7f:92:9f:00:b0:c2:89:68:e4:08:00 SRC=69.145.71.133 + DST=216.187.138.18 LEN=42 TOS=0x00 PREC=0x00 TTL=46 ID=11 DF PROTO=UDP + SPT=33120 DPT=5000 LEN=22 Answer: Shorewall's openvpn tunnel type assumes that OpenVPN will be @@ -745,9 +757,8 @@ SPT=33120 DPT=5000 LEN=22 url="Documentation.htm#Tunnels">/etc/shorewall/tunnels entry with this one: - # TYPE ZONE GATEWAY GATEWAY -# ZONE -generic:udp:5000 net 69.145.71.133 + # TYPE ZONE GATEWAY GATEWAY # ZONE generic:udp:5000 net + 69.145.71.133 @@ -776,8 +787,7 @@ generic:udp:5000 net 69.145.71.133 /etc/shorewall/shorewall.conf -- If you want to log all messages, set:
- LOGLIMIT="" -LOGBURST="" + LOGLIMIT="" LOGBURST="" Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages @@ -791,12 +801,14 @@ LOGBURST="" that may be helpful: http://www.shorewall.net/pub/shorewall/parsefw/ -http://www.fireparse.com -http://cert.uni-stuttgart.de/projects/fwlogwatch -http://www.logwatch.org -http://gege.org/iptables -http://home.regit.org/ulogd-php.html + url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/pub/shorewall/parsefw/ + http://www.fireparse.com + http://cert.uni-stuttgart.de/projects/fwlogwatch + http://www.logwatch.org + http://gege.org/iptables + http://home.regit.org/ulogd-php.html I personally use Logwatch. It emails me a report each day from my various systems with each report summarizing the logged activity on @@ -804,7 +816,7 @@ LOGBURST=""
- (FAQ 2b) DROP messages on port 10619 are flooding the logs with + <title>(FAQ 6b) DROP messages on port 10619 are flooding the logs with their connect requests. Can i exclude these error messages for this port temporarily from logging in Shorewall? @@ -1074,13 +1086,14 @@ LOGBURST="" Here is an example: - Jun 27 15:37:56 gateway kernel: - Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 - DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP - SPT=1803 DPT=53 LEN=47 + Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 + TTL=63 ID=5805 DF PROTO=UDP SPT=1803 + DPT=53 LEN=47 Let's look at the important parts of this message: 
@@ -1233,23 +1246,21 @@ LOGBURST="" /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect -net eth1 detect + #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect net + eth1 detect /etc/shorewall/policy: - #SOURCE DESTINATION POLICY LIMIT:BURST -net net DROP + #SOURCE DESTINATION POLICY LIMIT:BURST net net + DROP If you have masqueraded hosts, be sure to update /etc/shorewall/masq to masquerade to both ISPs. For example, if you masquerade all hosts connected to eth2 then: - #INTERFACE SUBNET ADDRESS -eth0 eth2 -eth1 eth2 + #INTERFACE SUBNET ADDRESS eth0 eth2 eth1 + eth2 There was an article in SysAdmin covering the topic of setting up routing for this configuration. It may be found at providers that connect a local network (or even a single machine) to the big Internet. - ________ - +------------+ / - | | | - +-------------+ Provider 1 +------- - __ | | | / - ___/ \_ +------+-------+ +------------+ | - _/ \__ | if1 | / - / \ | | | -| Local network -----+ Linux router | | Internet - \_ __/ | | | - \__ __/ | if2 | \ - \___/ +------+-------+ +------------+ | - | | | \ - +-------------+ Provider 2 +------- - | | | - +------------+ \________ - + ________ +------------+ / | | | +-------------+ + Provider 1 +------- __ | | | / ___/ \_ +------+-------+ +------------+ + | _/ \__ | if1 | / / \ | | | | Local network -----+ Linux router | | + Internet \_ __/ | | | \__ __/ | if2 | \ \___/ +------+-------+ + +------------+ | | | | \ +-------------+ Provider 2 +------- | | | + +------------+ \________ There are usually two questions given this setup. 
@@ -1319,10 +1319,9 @@ eth1 eth2 These are added in /etc/iproute2/rt_tables. Then you set up routing in these tables as follows: - ip route add $P1_NET dev $IF1 src $IP1 table T1 -ip route add default via $P1 table T1 -ip route add $P2_NET dev $IF2 src $IP2 table T2 -ip route add default via $P2 table T2 + ip route add $P1_NET dev $IF1 src $IP1 table T1 ip + route add default via $P1 table T1 ip route add $P2_NET dev $IF2 src + $IP2 table T2 ip route add default via $P2 table T2 Nothing spectacular, just build a route to the gateway and build a default route via that gateway, as you would do in the case of a @@ -1336,8 +1335,8 @@ ip route add default via $P2 table T2 to that neighbour. Note the `src' arguments, they make sure the right outgoing IP address is chosen. - ip route add $P1_NET dev $IF1 src $IP1 -ip route add $P2_NET dev $IF2 src $IP2 + ip route add $P1_NET dev $IF1 src $IP1 ip route add + $P2_NET dev $IF2 src $IP2 Then, your preference for default route: @@ -1348,8 +1347,8 @@ ip route add $P2_NET dev $IF2 src $IP2 a given interface if you already have the corresponding source address: - ip rule add from $IP1 table T1 -ip rule add from $IP2 table T2 + ip rule add from $IP1 table T1 ip rule add from $IP2 + table T2 This set of commands makes sure all answers to traffic coming in on a particular interface get answered from that interface. 
@@ -1358,12 +1357,11 @@ ip rule add from $IP2 table T2 'If $P0_NET is the local network and $IF0 is its interface, the following additional entries are desirable: - ip route add $P0_NET dev $IF0 table T1 -ip route add $P2_NET dev $IF2 table T1 -ip route add 127.0.0.0/8 dev lo table T1 -ip route add $P0_NET dev $IF0 table T2 -ip route add $P1_NET dev $IF1 table T2 -ip route add 127.0.0.0/8 dev lo table T2 + ip route add $P0_NET dev $IF0 + table T1 ip route add $P2_NET dev $IF2 table T1 ip route add + 127.0.0.0/8 dev lo table T1 ip route add $P0_NET dev $IF0 table T2 + ip route add $P1_NET dev $IF1 table T2 ip route add 127.0.0.0/8 dev + lo table T2 Now, this is just the very basic setup. It will work for all @@ -1386,8 +1384,8 @@ ip route add 127.0.0.0/8 dev lo table T2 is done as follows (once more building on the example in the section on split-access): - ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \ - nexthop via $P2 dev $IF2 weight 1 + ip route add default scope global nexthop via $P1 dev + $IF1 weight 1 \ nexthop via $P2 dev $IF2 weight 1 This will balance the routes over both providers. The weight parameters can be tweaked to favor one 
@@ -1464,20 +1462,21 @@ ip route add 127.0.0.0/8 dev lo table T2 Answer: The output you will see looks something like this: - /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy -Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters -/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod -/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed -/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed -iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?) -Perhaps iptables or your kernel needs to be upgraded. + /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: + init_module: Device or resource busy Hint: insmod errors can be caused + by incorrect module parameters, including invalid IO or IRQ parameters + /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod + /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed + /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod + ip_tables failed iptables v1.2.3: can't initialize iptables table `nat': + iptables who? (do you need to insmod?) Perhaps iptables or your kernel + needs to be upgraded. This problem is usually corrected through the following sequence of commands - service ipchains stop -chkconfig --delete ipchains -rmmod ipchains + service ipchains stop chkconfig --delete + ipchains rmmod ipchains Also, be sure to check the errata for problems concerning the version of iptables (v1.2.3) shipped with 
@@ -1500,21 +1499,13 @@ rmmod ipchains I just installed Shorewall and when I issue the start command, I see the following: - Processing /etc/shorewall/params ... -Processing /etc/shorewall/shorewall.conf ... -Starting Shorewall... -Loading Modules... -Initializing... -Determining Zones... - Zones: net loc -Validating interfaces file... -Validating hosts file... -Determining Hosts in Zones... - Net Zone: eth0:0.0.0.0/0 - Local Zone: eth1:0.0.0.0/0 -Deleting user chains... -Creating input Chains... -... + Processing /etc/shorewall/params ... Processing + /etc/shorewall/shorewall.conf ... Starting Shorewall... Loading + Modules... Initializing... Determining Zones... Zones: net loc + Validating interfaces file... Validating hosts file... Determining Hosts + in Zones... Net Zone: eth0:0.0.0.0/0 + Local Zone: eth1:0.0.0.0/0 + Deleting user chains... Creating input Chains... ... Why can't Shorewall detect my interfaces properly? @@ -1629,11 +1620,11 @@ Creating input Chains... When I start shorewall I got the following errors. - Oct 30 11:13:12 fwr modprobe: modprobe: Can't locate module ipt_conntrack -Oct 30 11:13:17 fwr modprobe: modprobe: Can't locate module ipt_pkttype -Oct 30 11:13:18 fwr modprobe: modprobe: Can't locate module ipt_pkttype -Oct 30 11:13:57 fwr last message repeated 2 times -Oct 30 11:14:06 fwr root: Shorewall Restarted + Oct 30 11:13:12 fwr modprobe: modprobe: Can't locate + module ipt_conntrack Oct 30 11:13:17 fwr modprobe: modprobe: Can't + locate module ipt_pkttype Oct 30 11:13:18 fwr modprobe: modprobe: Can't + locate module ipt_pkttype Oct 30 11:13:57 fwr last message repeated 2 + times Oct 30 11:14:06 fwr root: Shorewall Restarted The "shorewall status" output seems complying with my rules set. Should I worry ? and is there any way to get rid of these errors 
@@ -1663,8 +1654,8 @@ Oct 30 11:14:06 fwr root: Shorewall Restarted are not disabling a feature in your new kernel that you want to use. - alias ipt_conntrack off -alias ipt_pkttype off + alias ipt_conntrack off alias ipt_pkttype + off For users who don't have the pkttype match feature in their kernel, I also recommend upgrading to Shorewall 2.0.6 or later and then @@ -1689,15 +1680,12 @@ alias ipt_pkttype off shorewall start produces the following output: - … -Processing /etc/shorewall/policy... - Policy ACCEPT for fw to net using chain fw2net - Policy ACCEPT for loc0 to net using chain loc02net - Policy ACCEPT for loc1 to net using chain loc12net - Policy ACCEPT for wlan to net using chain wlan2net -Masqueraded Networks and Hosts: -iptables: Invalid argument - ERROR: Command "/sbin/iptables -t nat -A …" Failed + … Processing /etc/shorewall/policy... Policy ACCEPT for + fw to net using chain fw2net Policy ACCEPT for loc0 to net using chain + loc02net Policy ACCEPT for loc1 to net using chain loc12net Policy + ACCEPT for wlan to net using chain wlan2net Masqueraded Networks and + Hosts: iptables: Invalid argument ERROR: Command "/sbin/iptables -t nat + -A …" Failed Answer: 99.999% of the time, this error is caused by a mismatch between your iptables and kernel. @@ -1771,7 +1759,8 @@ iptables: Invalid argument At the shell prompt, type: - /sbin/shorewall version + /sbin/shorewall + version
@@ -1891,7 +1880,8 @@ iptables: Invalid argument version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and in it, place the following: - run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT + run_iptables -I rfc1918 -s 192.168.100.1 -j + ACCEPT If you are running version 1.3.1 or later, add the following to /etc/shorewall/rfc1918 @@ -1902,8 +1892,7 @@ iptables: Invalid argument Be sure that you add the entry ABOVE the entry for 192.168.0.0/16. - #SUBNET TARGET -192.168.100.1 RETURN + #SUBNET TARGET 192.168.100.1 RETURN If you add a second IP address to your external firewall @@ -1912,9 +1901,8 @@ iptables: Invalid argument configure the address 192.168.100.2 on your firewall, then you would add two entries to /etc/shorewall/rfc1918: - #SUBNET TARGET -192.168.100.1 RETURN -192.168.100.2 RETURN + #SUBNET TARGET 192.168.100.1 RETURN 192.168.100.2 + RETURN
@@ -1933,8 +1921,10 @@ iptables: Invalid argument I see the following in my log: - Mar 1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60 -TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 + Mar 1 18:20:07 Mail kernel: + Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 + LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 + DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 Answer: The fact that the message is being logged from the OUTPUT chain means that the destination IP address is not in any @@ -1946,8 +1936,8 @@ TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES Add a zone for the modem in /etc/shorewall/zones: - #ZONE DISPLAY COMMENTS -modem ADSLModem Zone for modem + #ZONE DISPLAY COMMENTS modem ADSLModem Zone for + modem @@ -1956,17 +1946,16 @@ modem ADSLModem Zone for modem to your modem) in /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS -modem eth0 detect + #ZONE INTERFACE BROADCAST OPTIONS modem eth0 + detect Allow web traffic to the modem in /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) -ACCEPT fw modem tcp 80 -ACCEPT loc modem tcp 80 + #ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT fw + modem tcp 80 ACCEPT loc modem tcp 80 @@ -1980,8 +1969,8 @@ ACCEPT loc modem tcp 80 /etc/shorewall/masq: - #INTERFACE SUBNET ADDRESS -eth0 eth1 # eth1 = interface to local network + #INTERFACE SUBNET ADDRESS eth0 eth1 # eth1 = interface + to local network For an example of this when the ADSL/Cable modem is bridged, see my configuration. In that case, I @@ -2038,7 +2027,8 @@ eth0 eth1 # eth1 = interface to local netwo Example: - ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22 + ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp + 22
@@ -2063,7 +2053,8 @@ eth0 eth1 # eth1 = interface to local netwo Otherwise, add this command to your /etc/shorewall/start file: - run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP + run_iptables -D OUTPUT -p ! icmp -m state + --state INVALID -j DROP
@@ -2086,19 +2077,14 @@ eth0 eth1 # eth1 = interface to local netwo The last few lines of a startup trace are these: - + run_iptables2 -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j -MASQUERADE -+ '[' 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j -MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0. -0/0 -j MASQUERADE' ']' -+ run_iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j -MASQUERADE -+ iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j -MASQUERADE -iptables: Invalid argument -+ '[' -z '' ']' -+ stop_firewall -+ set +x + + run_iptables2 -t nat -A eth0_masq -s 192.168.2.0/24 + -d 0.0.0.0/0 -j MASQUERADE + '[' 'x-t nat -A eth0_masq -s + 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A eth0_masq -s + 192.168.2.0/24 -d 0.0.0. 0/0 -j MASQUERADE' ']' + run_iptables -t nat + -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE + iptables + -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE + iptables: Invalid argument + '[' -z '' ']' + stop_firewall + set + +x Answer: Your new kernel contains headers that are incompatible with the ones used to compile @@ -2122,15 +2108,15 @@ iptables: Invalid argument everyone's site. Adsense is a Javascript that people add to their Web pages. So I entered the rule: - #ACTION SOURCE DEST PROTO -REJECT fw net:pagead2.googlesyndication.com all + #ACTION SOURCE DEST PROTO REJECT fw + net:pagead2.googlesyndication.com all However, this also sometimes restricts access to "google.com". Why is that? Using dig, I found these IPs for domain googlesyndication.com:216.239.37.99 -216.239.39.99And this for google.com:216.239.37.99 -216.239.39.99 -216.239.57.99So my guess is that you are not actually + 216.239.39.99And this for + google.com:216.239.37.99 216.239.39.99 + 216.239.57.99So my guess is that you are not actually blocking the domain, but rather the IP being called. So how in the world do you block an actual domain name? 
@@ -2150,24 +2136,23 @@ REJECT fw net:pagead2.googlesyndication.com all - #ACTION SOURCE DEST PROTO -REJECT fw net:216.239.37.99 all -REJECT fw net:216.239.39.99 allGiven that - name-based multiple hosting is a common practice (another example: - lists.shorewall.net and www1.shorewall.net are both hosted on the same - system with a single IP address), it is not possible to filter - connections to a particular name by examiniation of protocol headers - alone. While some protocols such as FTP - require the firewall to examine and possibly modify packet payload, - parsing the payload of individual packets doesn't always work because - the application-level data stream can be split across packets in - arbitrary ways. This is one of the weaknesses of the 'string match' - Netfilter extension available in Patch-O-Matic. The only sure way to - filter on packet content is to proxy the connections in question -- in - the case of HTTP, this means running something like Squid. Proxying allows the - proxy process to assemble complete application-level messages which can - then be accurately parsed and decisions can be made based on the + #ACTION SOURCE DEST PROTO REJECT fw + net:216.239.37.99 all REJECT fw net:216.239.39.99 + allGiven that name-based multiple hosting is a common + practice (another example: lists.shorewall.net and www1.shorewall.net + are both hosted on the same system with a single IP address), it is not + possible to filter connections to a particular name by examiniation of + protocol headers alone. While some protocols such as FTP require the firewall to examine and possibly + modify packet payload, parsing the payload of individual packets doesn't + always work because the application-level data stream can be split + across packets in arbitrary ways. This is one of the weaknesses of the + 'string match' Netfilter extension available in Patch-O-Matic. 
The only + sure way to filter on packet content is to proxy the connections in + question -- in the case of HTTP, this means running something like + Squid. Proxying allows + the proxy process to assemble complete application-level messages which + can then be accurately parsed and decisions can be made based on the result. @@ -2179,27 +2164,16 @@ REJECT fw net:216.239.39.99 allGiven that check. There is a section near the top of the resulting output that gives you a synopsis of your kernel/iptables capabilities. - gateway:/etc/shorewall # shorewall check -Loading /usr/share/shorewall/functions... -Processing /etc/shorewall/params ... -Processing /etc/shorewall/shorewall.conf... -Loading Modules... - -Notice: The 'check' command is unsupported and problem - reports complaining about errors that it didn't catch - will not be accepted - -Shorewall has detected the following iptables/netfilter capabilities: - NAT: Available - Packet Mangling: Available - Multi-port Match: Available - Connection Tracking Match: Available - Packet Type Match: Not available - Policy Match: Available - Physdev Match: Available - IP range Match: Available -Verifying Configuration... -... + gateway:/etc/shorewall # shorewall check Loading + /usr/share/shorewall/functions... Processing /etc/shorewall/params ... + Processing /etc/shorewall/shorewall.conf... Loading Modules... Notice: + The 'check' command is unsupported and problem reports complaining about + errors that it didn't catch will not be accepted Shorewall has detected + the following iptables/netfilter capabilities: NAT: Available Packet + Mangling: Available Multi-port Match: Available Connection Tracking + Match: Available Packet Type Match: Not available Policy Match: + Available Physdev Match: Available IP range Match: Available Verifying + Configuration... ... \ No newline at end of file 
diff --git a/Shorewall-docs2/images/Thumbs.db b/Shorewall-docs2/images/Thumbs.db index d8abb6f1905c3b2e4d4e07e6d0324b50cefbe0d9..55d63c5fb6d4c67812d915c222ba0b8d547c3af9 100644 GIT binary patch delta 1433 zcmZuxZA=_R7@pbPnYo?L4hb1N^Pm8_5|%mYMNX_d!ktOU=?he z_B1A~35jmkWC%YR(~IsOH4unHQfSR8DEQo^p`9dG<$Oc=DWGj=&I|p(EK{5(!ewhnZHg& zmW?-a5sIgAc!l?#J)jdD0Ue+l^nqURFxUY!KG&EKHLu9JZ{ajlizgSed6%s(Ilkd% zH&T`ACw%^t%eSr_HLuyH4ZYGlwb)OkX}rcf&vS4yTS{h0`65^Dg+`{Lu7WwoA2su4 z(GF=m(Ij^Q@E8}<`SGe{Goo0I4C63K6T3+%3x7_2N6a24X@#9U0Mn2pK@UiPSLs7p z(#bAl$&-*H+nC)>4$3rf2%dE-{f4gxqOP+tbGqS{4gMOiz9IPZq`$dr{(#g?ktoN< zW>@xc_R(!=sHCu>M6~}<*i9J3Kn;ah-n@eEHkRMpWa#}?zCn(Tq{5Je_RAV!b{jdU zu%8dhXZ9NU0Lx#Lw>;q|wO4zjn|!4FzPTGl%ZnSF0PqP>{H?&@Sf7TGAT-5SWvhTV-MU>%2yn)wZy|c3L3wUz9zooKk!&|hSW3AD9LJ;q}_zBo-CMbG+k39a)uYe7sDty%5m zw!VybkiB*ceO2X$Tn~DXy8kK3*xg>NzDU={?XG3IN}9@`xY}RvET^48sx*@7fGlC5 zb(<9tpy_Eee6P^Nh|2&x$EA%+JD0qX+OFtaF;cbc%5Ug+IH39W(f&r?`Ln)OC|(Vy zb`Q!f{e#|a47~2cFs%+h{|KE-;*E6XFfPK~e+!#S;=l?2)rWEn)Os~L!by($h^Tf0 z$IY!MMrUr|U9@Q@s;1h_g2rZU;=v$v=sR<`!bq!hYz~hZ`uohjgZM(Roy z+eCJXF#v*~6kwl7B*I`A2*i-zp@h!e<*7Rs>q;I(nMDRcY{z1E$<^Yk=P5Xldn)hJ7D&?il_V1Mxl1@*x6#+5`guD0&r*LT`4OROT)b8J?*mW0w0hfme&*4| zH~drYm--9xX1WHA4pS8ko<)q3&`0C$zB@{UZfTj0w!6=knZC=oAN3J4Y1sTJt%X@{ z72bT3p>=q;=~Wc&u=UP>u+)QC^?2q4p*O9G$0AR*;OTG!=RMx3zELMczcFg(a=z41 zj=aZc_}a^7uYQy_pV>e%E?h?R8KWptS)?wvRJo$lW64aW|4Zjos4i(xdS|$c3D+Zq zu$HVAdbE3Y#lp@^Qs@aBT;E%;{f&17lVu%QhJtacay@b{tcphm_ zgaQol{Hc3z%ESkF8X8iDcVH1os0yde3CL|I;)<;Rc!aJw=udm7kq?sGf1=epk+2 z*-|>sGgKbMhP&tfl9jSY_^AU&5T(K3naH*W9Fgx1oq<*TNN&_b6ceHEA5QTH?Su$T zxf~X}6QgRSRv+D`#2Y;Z>6q%j#Vhxn>K~=n8ajPv_Kvv2Oo<-Ne%}nOSY#OwqStGt zCbHP3_)&as+sIHHmnE8q^@`ZqeUeme%i!3Sy1D3SpWM8xg@kWQc6U#>8{BY+V3f(= zeL_v9qCyMP$%S)yr@X=HKe=M6edI{zYaX}Ymt_dPF$A{JN9c=i(X6NEPOoXwoDT#3;^{_AKvKOyxZB6Os<(n-JUe)1W& zz;jAYT2=mb9f1>Z%?+kHBjjDlk3Go}lMfPM1U%eoH3@||uRq48zUP?U_4T*OyI8Kh zynl7AdHJsAlHEJFYtAduSiUnTU?o8CRpJe=^lQCmQhFV;Q}U^^w!9NWKdVnaeDLizS{z#r-dx(xcf9+p-?c=e7Kqy@a+hRmxt7JLY0)r+c~eo$+CBgWHC% 
zO@hsn?6O*?s`|ufhS7pN)dxjc4g#Y@=xUrgWhPbV#pl6tnrG}wZkS6MaLjRsuV0rc z@XAt;QZDM<54Z=R+)@7`ib ze&=R~7L~+9dBUsRrz1hTD|d%dAHoS^I<67xZE;zPvSW^7i!yxceHc7X7R@ zqH6l=_z0~`m+>(}YVXOXHcqEvhWurnhhl468~Q>&h`Hl!?S zi%Qm?`}AW(aUn=;!BFB}hOv!Iz$2#3-7#@Zv9_~sM32`wJzp=o*F!#)W{QOwhl)eP z(&i1ew^MwXkw!#FNE(?)pGCYRm3HzZTmPBH;_su@IPUh*((r6uzpv9g1=&7^}BD^^yKgr ziTJ-|88{?06740;>q@J5ypjR!y|JqmzB`>T#qF)WeoJMTZS@07P%5#HG**b%4O>C3 zkSKH(k_4O~N5~pn^B^z|K@Sf`92mlLk2R8LK~|7EbQ`jT?ttOJJinLb2L&+)r76eG zT%c|sar{}@0lEol{JoqcDDvo_oT|LYTyO)49^`rq6mo>zKtU%^sXL?zhL(_3Y|_^A zRN^3Ys?;`VDshIK@6Ss#3FEIzH1;S28G@S3fj=+N=8$159~D1bMYr{gS7{;rGCn?eTykBuVi92Cb$A$3*%ss=uB zP+nzf(Kg2TRrs^z3E{7zf&72eoLTTKgu;E;b?`hzAj@)x_`%!>eNjWYv12>BxyPx~ z;u41VXSf~pp+L7KU8DTHORl~|NI-A})0J1vpMv4fBinxq_j+0HFD1_~sf=OQk$VyN zez3{UiIC1j@^&r^KhZOc#?dL4Vuc@4#)?ym7k(rt9@#OMo;%}zj@lg8yr<+|meyl+ zTBh}0xZ7iwK22{#khrg=uc?E~;-ORC=5C~^%cM%dam~`T^70v3FnyIE;=TvJI}tjW zQX%-EHvaQfy2~5^PhX77M%=Rgpm}NHHs%~Ac&4rN{CrmP04y)l7scV_(@|e4+25(M zAeMQ1f5L+&o%~*KA{Nb8UqhobxqNF*!~S-{Qp@_y&!a{e2JD4Pbu3w2QiNVL2j1>k zkrs_ql1R7U*r)Q4c?I5)L4(bFK_X}a>_FHuUM%_pP2AENtFo!XD;?(?wWV2+fjOE2 zTc8=M*A(inKNtP@`z=+vm1|tw-6uM$3|-QdZ!{lbIXhhVwBrWN<_4qT@Mfps2%`>~ z(eNIj2el|CM%e6F!=yUlcB1y12==Cky~{)>W3>a`8$h)Q2-X$ttE^o5pz(=yi2cEO zaW7eTI9JhdmYT5nxe*oK@Wf?>;_-@r*LTxK(`KHuQ-8F!52O`6=YvISyjwDgES1sB z7%5siv1}kfi5RCa=-wFCIP5p{@r3BR_&T{n-+em=-Rr#)nK35H<6q`0^`4TEt&(DH zKhH9=fd^o_o*!(7N}i0o;-b@OSI-zUHZv-?(NG{T6E7c0C*CfmU)}YC(3d_Uew2y- zy5f06M%}KCO4>WqCFa{d2yWst$}0j0vU&dZJ`CDPiQLM{217O9oU zJDglNx~BZ@u)2zh()#G=+A*)&8AfUz1MHBV^V}j0_8)PN+Dxr%E6-knA?!;GF`0LLsqM(yY1mHH~%}f(0q?P`<#r? zJL@xh!^~v&FbZ{)FVZw9%FIJb@y&8EVtO9bx0Xx>*soMEJe=MeH5zvo>Bj86En52V z4m3rAwM57^d6SEk2>F24RHqd0*G!m#CE&j`QB3PI>ShW$XeE{;>1at6&p@#%A{4@? 
zb1~V*>*Ylk%OFZi)C8I_l|9tw?wiNos5n$P0&e$|&aFhsUJZ9-T^Pk|zc7Pvr`Co9 zUwEGxI&?+!sMo9U-Jl)B*8v6>r|kA8WgnisIzPyxTDML4;m2^TDU7Hp37s9xJ}4XO zMN+p(v7T&!mT?LlWw7^F{_xB-{ibnmi!|u3#PRko-#Y9Bb2CJJYp#&5@@(?C+P*qg zx9oK8!tGqW?}C2i2n4bj?R7iVuEgl&w-oi+Ge_laHe(^Rjs+9{#BHe||ElhKjyn^a zq3g}uNqrMO5$^_JySttb`JTPMj15CJkno_=7(bcecC?#!^ah9!c7|^P-zYjjP|(E^ z^bE%&ZddPsRy`%(@4^HpqEW+9qFqL|%c-pK!!w6(;Tt@;h?&b?aVj*!1td@?PhQW$ zwd&)mk-?K`rEIe=Ip<49ZjFAH{L$pYFhI7J@}3AyT*1MI2_cp6-VPrTVp5;x%TC_L z)-?Uf`Yi{IT+Q&KAVSLDYWDH5L8(lgkC$25eVu;s8Q$7 zO8+fGr(-p^7M?x9y}F#x8XdIELt~vphQavW6=5I`v23aHyv?#wdm=S?0ue-WQE6gW zB9@0@NQI?C4#8+B_0Ef~w!$F&*z>!oUsZ(~jHeQt&(^AQpWa{5jil2`D*m#Vkl*7J zt65of(f7e4-bSQ3AIO~Z^Vl_zpR1=s7^(HI*(7*bz+4lOt)7|ZYkAtYmeB5x@!YG@ z4-VnwZPwi4RHBvUA`d5xZg$l>e&ptRT$DHy{rn(_YjiW8?js%9gTUna{wTilmbQ#s zUgPDFA)M2$|8$!e27NHe|dl&oXj{3Kp(}oksz^=2w!eK&n$c=7ofh>bjtEpVgzHJ$|kP@A0 zIPz+lrMC6FyiZbJ&A7kT?p(c^RisAh(IUIOC!DD)9EnLEwC&2%Ol}-jRf5T5vmN!- ztXNpcX|>B!DqhRYUU}Q~@#yw;E@C2a;4)ug8{?3)asXko7B802b@YoBwFAd-6znq| zz}n7qD_b8U7=~i;BhA*sMbazP?SHPpYdX(O(FN*bk{LcyNu$c+iO|E0xLL_7wQ5SN zh)+(dDX|1*=0McEMHm792_`}f-SEfBRm47xGuY41VO)ZlygV-vs&ODN>JXvBk7|({ zBK6=$Yej@6Z9o&!I8L|AG64#Rf?t)m_re0-{vN0`3U|X40w-%Ea&KLj2pv_$pB0AS z&Stv(or6_K?a)?7tqj8-I5!yuyZ+iHTf?E1HL zS?}rA-rE|R0KcfRDiR`efdjQYYeqQrZ)=j26a$ZyfYV7J_chjdVtG01BH?&oZ0)H- zw6ItmflEaOla=9Tfb;dW>ymn4&i4vr{7jeCmq&9~7W2>Vv_Q|EP04YMMA-?%hXwH9 zQJr_@inSSry|ra8Ve&6~22rY9@(CtF1MdQmxY%)O+AqFV*psDk>#Ph0rz1NRr%uW% z5uv4CBl*gOPEE$_FKn8v_gxihVHVyfCn98KBxv^c&FwG!`~J&8{&iGzn`F*ZeS+&DxUJd3`|ByQ>SM5fD&nC7g; zPjHxum&9K0f0H0|nxmPK%HeLRS`&4Gfo8S~rB0VPoS{vCJ-C{F=~BcU63o zM1q$Rx85{leJsImJ5As#h){BER>1N7BzIPKDK_%$D|Rk#Eo^6KV;Kg^rW8_HHYA)H zP=#ND&xTGZB`s2GiGOyGd)<9YR*J*A*MciFqJZx+uQd^}3Y=TGhxQwkJ2Et);Uwq4 z(RE%`g+-ut91g|}w8z#72vu4Moz)CDu8yW^@p4Vg>l;h_pW*JNY{SpDzUuS3B6OS6e3(C?$Odr(P4TBQ zQx#rXu_j#W!|a3`Q@@E+T=d#VIdNGM8>BK{$Lj;38g$I`7mPF`!`>>rT_{;{vW8Ab zKZ#*HqQ2B|)qe4Vpn87iMvM42$!`wd$H`TX#3%=;%X=?sYCXu$?fW9L=7zqJ^<)t~ zxSwcJ5XFmj-Cq5YKItIY^L;lPbZWkFK6t6Vvv#Of?ng_rwhuNcyoRRedX-ov?uBO2 
zo>IPt7o#|+wW2rq;6UyKV@s^o^fCvcOK^(k$?3JZ5XN9QLev3hX_jttL&b9IzO zLc&H^i#YzLIU`n9*GUko`~2xf;Fr@DfNFaQ&UEBy9Oxzb6Cu2}It~^=`y#&YGCKQc6ZdR<)cWYQnT`PhrWk0*=^}mz+dL6jQkzf-NGxgll#EP_n@3 zFt^2h_VM<0`{5EbgZ39QyWE!`kXT{$rn{&>rExgOuL=3q?te3FlO>|^z9IV6ae4|U zaaF$kIz}RtH-dyJke__+-VeLaI@uz;HdGf$6#3-n+|bTrEcC^nOxP#hW*4fZ*nh45 zL@pLfLZS34&VLW|@C)zmJ|LkXfM*3kVCoeRdl>J2{xuj$1wI3BfHdGOkPc)32Q$0_ z!z>^V$N_SJ_SiBXBnct*EB?{(Auv4*i~!$&QD6)h2PObQ?EQUT*mCVVp2MG+Z#9>F z>R7o$s-JjYoGqiKFY};zc#=tSa8$}PfpM_b#lxn%WC;`%fLoA041!&0* zRYaK<8QQLPG)S@`9*ivNvisUU!xy6Bt5lR)cs-i$V7?RByn>n)vFw~Gb-1{xkcr&sOI^)l0}=pI^QeVIflfQ?C0(OMqyT;A2W zVUmaUOP|7LJp#>c)Dt}X^o|)gf1f0WtuyLc-6}oXrgprQ+;jGYAXB;LRV7+Ao>B>3 zNaBrRppw$#0QiYvR}Hzs$!jAvwi7vaJKWVJ7F)KCNK&uXFW;JR_xK{GSmy2L$AXYY zvK__6SNn_o9-A49?1{(I-IKGNbDY8}#x}czyNf?6853~MKL{&q5g~;lL;pOy)@pj_ zrm>LBw(i5X<+1iG*Q5h2R@79#vDR+R$&=*nnc-eez}nP{B}N`U(vNDoo$41k=K?j4 zK8~soySMbkhfHHGb1zw%^U``0HYEoa)||w-Ivcv1)1U5e##ibBhiF#S+vu~iYq(lmkfPg zeh=>+`3$c;Z9OikG8w^>tOtaZcNlC_=nVt&W_W56aJl95x9?#PX!UO5JvBVl#I2py@(y1 ztp}*NB6zzqB}#}0m5n{+0@rt!8Ucka1b!=uu*;}3Q?t#!min_Q)gcgvPXaeoW6Bu0 zQo>Y#-mjYWE+W^5Pd6MR*PkUus5uVwwJYMCDH0QZ9{ zuhD-j>t|K^)Sr~x99Q?V8!IEQYD{6BTmM+2cXuX41Ymm;znTUP)Kfh+^=(OYhhs+!fNuN7i`*4Luc*$~48*8ZAxUY^Gaq$0hGXR5j;J>pO zfI&O(-`NbnpdI+{Yz7dZ9XMzP(urgwSC0G{j}~M46_4g&ie;D;jjuJJJPcQh;LRU*6bEawkT8hYwwmW_621z~^Bu^aIBy;KgG%+p^+gm3oIIXBlB zb+4KQ-;vXJCDAcxY5V$lYLd#ccN-Kgfi86`XlI#*V_QQXJ|BDC&!22g>#D?o9FXYu zx@G?_RhOsZG_UvFOvXa0n9}VD z%)vUxVwhFDesHD>u-PK^HQk(fj-=#xbKp*IcoEEqDX_sv#sZu zp|7yAOMlhw&hbcsd&%f=!{bt$O}<@5qer_p+Rb$1hIJFX9)I*pJ#^)ANZ=J$8CUzm zO%)wm6d#H^UY=l`Vc@5AHqKyaSsE>_;!9gds7@CuNf*Z+zrUk$8@*9 zl_v3>lNI*5a7F*Ax!EftiAml|f23lzhHF;*z5zD^R`!|An&x9`hVVE#HXe{AS}gfq?7C+P-4X63yZ!gIV$p6qG| zx+1UHaLtpY_@~13pu0LiXyeb8=WD2F3S*46E$wjP2xsjTc&wer-6y1RDZkn> zZuXnyVzjkJUDtcsPd317+JcTTDrc7$ z)mtT8M@I!UY?jA0qg7t(xFwSOEb&_baf77ilM(i+MfS#rw?ip!HA-gDLrNXJU z+XD=(Zgw%UCH=h7(M7ukNiQb-t$&uB1tn)B1!FSkxnz=DEwZnTYeYMkEVbzMch7D{rp_>`6gBG}ErPHo6-FK8cC%4Jz0%mxH%TuqA 
zlB|#mIhf(;uNhJbR;uK)zZ%0YD%%yjUU!HxP4O)l?*@E$^R3FWB;NRiBfY5TG@Y_y zyVV%Z&8TO&{o9Y1a#!Y_vwF3rR2&w@n4ZkQi2-4WQF|L}EA#MY}j~Z0&}l`ptsqt|kO` zNL@;~HcrXU1oVk>%ZV@)v;%?>hB2p^?GeqUOd+nxt3kL*LWqeQ5u#W-h!%l>5|!|y zntA;J)T-G*pyKj=M>Y|9(M42eZE~hmXU&s-F|ptOdNS*!*6c_`H&4i8mFUL^6{}lc zL@5=?_;Lk1Ht8sFsSRu+dH(t4>-3X4ESkXx_9t;SYp3Aw?TwVQN1E~1s-KUm_VRfv ztzVivSud%jjmY47DKp^aluBM~Y!iH=h1N)wg=Ubqbg5^-G%Vfb%0h)4o8S2-7t79q zK-0Ic`7RR6Lo| z^WG^jW{0y>-o?JZ{QgpiUFB#pIX`^G)|9=ks?1y6;WI0{U2vyga;CUJfolhv})e_Krei zmx8dlQw0yLEn;wss+Yz}S4$q+2ROa%nJ^Bz%iIhb@e@85i0*`bJ3PhyV2*JNr|KTd z|71|bjNB65ehYs*{_6Stbj=549ei?g{g{}cwxM><;o9hMiy4-w?(Ay|o-((d7M7?f zEfwjvi(Le-;aK%7^8}(sht8uSm|pn4LVLeEIoFmxL+kR1U$$gl6tT2)t#tGVX1&2S z^BDSaX0*#E^Eu?@d%L>>vhcXgik}(RdrNefYgP0V94Fuw^;Qw}lF7=wdnjwPZKB50 z0?k>VqCGG0osEanaY?5l`bH}&Mx5+NW)u84=dd;{3eU?Hn&o>!&5`F^6GmYYxm24{ zXwfyS-s3TOikiB+>Jyj36k~mW7h)-)<9(-9r@Mm(%@VH^sd_ZDcmFNjT%cWK)C9N& z;@}%_kjB$ER(xv;8tHaAcxOsnhbu>FFph`u%nMQw8Bvj4H#pIM_6WIRH2pgS_pZO) zhD_r}B{uR$)URlQ7dBH0V|p|roy2V=PwqK}KUN4#B&nSmiru?Bv#HJMWTuYLmeq8%b26{s`ca_?1+&vNr?@be-2;r@79r*P}Yp5x-?4IM?UUYye z-i9z-PM9`}CPHkek{@t6^E8NB{WTV~T$%g>4XRE3tNg#l{tI)$KNt0XHS7Q5oEc6M zwsQsINypSawz8k*<`@t6>6J<-S|8Lt%zM)^;>lxLXBBxn_I4xh@97~i=L%HX)DY4< zTt$Y&!BR(4l4uh6AI%a7DgUG8y056l+uqC*pGu%NV}?7ka^dl65NpQtuKoy~LQyaE zR}`5t^jk`PS6A(sA$by%Emj(NXf|uiXxLgWgiEc68D zZI#knm*nri5`7Hohk9b`To8Lv|bB*s2$1ztuSg)$aq$I-v1C`rP${l zw)ufu$44SW@7LU|1+P&vT`Pf{hlfh#WXH!C>$Z}m>Wvz_ha*$-rp*aZw5m7#qckQ~vRB zc5%f_2-YO-j*Myf(A$a%xgAjbW6Wc zR%wo{6x+Gy5~$_2F_)}`=jbxcyLo4}sjs?ELGHchj7wXjj62gp|FJK3a*UUCr#>MZ z4LLHV(v?i8BMM*0!ngPIa9?Rha?k5DYXxD7$*B*WFN?de70VHzsGq@Yqu$<7Fjw?! zYK=5UiA-6`@npRGn`Y!=M!h}>O|)Ml-!kju#?xNg3NA7RLW&td)=WfwPsQuQNe?#1 zu)qd51049sUIy0b5RO)^>mcG_02&M@y!hQmL};GekOA**)8$kzzx)a0! 
z8piOR$tCd40&;&3G(O1Hu2FD>f8`hk9_O3_5%40oUe&9HaIXTnk9z^C@A_BSJHziXmH5PWms0!pl5HNa~h^K)My~;m>r1KhnPiN3QJ|o`f@TKgLvhjk>o#g@;*D z2d|Ti1c>YVq9OwnYHE_&sCkscYQxtARk^8|Gh5@b2K`*I`-Io>;cO~F*7sPa4I&j8 zg>_?vB?7h^YHoGrcv#GQs9Gv}oGlrVR=BI9p5f<#oqf*M>XL?oEjTDIMu&P&J@k(_ z^%~pLoN((*ybNp>wk1+)sm`9{HECvN9p-23FsYsv+I_9G;ogV?UuJU-Q!;qq#0lQ= z*rl9@w@gZIgY8B` z-8xGwkMh0Y&wQ_?myIgkR?;R$vrI`{o{q?u9;cnfEFeA#xyQ)uIpKZrf^U(C;;H1Z zA?(;J*hlpW!sYhklXdq6s0N#+67POnUO-!TMb#$Mgu*#Te$4aKHq*2w$IFW)G+>c| zn=sAL$-d4=HI|74Iehi=jvRYi)04qhD~}Zze{v9`?s`ZiiydG|DaXt#xnjz15+NZJ z-IC!M)J*!szP%La>&Ky1g%{B1X$?1cT8Uj*OCMWnNP8!ujV6_n`NVVkWoh4 zIb>T-7!#qB1H}&~KSaCUEYcTb*f`@>wl9L)Oxs^~rRLrM;fnbT@c!^%f!VU}y^N*$ zJqfinqtP=Oe0#O4Wkl$n^-xL=XyRMp;#`bif4K8}7SKy{)CotXF-=QMOPoCD=w!a~3cI@cB^BOU z7PX2rNn?>g7$EX>>vA;78f4-_J&>igv1eSD`Rh7m-pgZ>sFggdDJChNlR2Efs>mDQ zZm56oz`3zzy&F9IhCslTda(vPsV*h>T!Y6M;fd>cZ*3Qx^JAV1G&}aTaz{D&2#T5F z!t%UgFFT;F*k2$!XE9?eAcf$8qpv4yH^}=oBv{z)1{<-kgevG4q&mBvXN@Nr>hLp&dPtlf%>wlu#vBkkgf1U<<9!@(JM2M8| z#IO%Z=_i&th@)-RjqDyZUTXHXDzl{7IdTp<+CpYCHE^mr11APgyyWVr^^{5Uj9VKs zmHi}C&uu-zYYy?fVpruVm$=n_Ov7f{gQnKp(tpII89WWX9DY^OJgtR1#5Db@;hUC5 zp4-$n0@d^v{X?!rV^lsfmP3!TdiSUWvhT*zaU1mHGH6)1iJH@yvP&4qwvH<1q~ACZ z*EDNc%T*<52g<;IFC?y?elbQe5^bnLF8aQOd+S7w3~zLit3buM<4;4CKp5ywU~Lcy zB8Zx4J%0JZz(k<^DZjjPRT@r{R^C*QTo_oCiO7el0`*u!!K3%gg~BKMZFTX#gy zUYe8U2Cw1@oGwAG^{f(#hJT%JVShC<9;5WQv`Jy|mOI~P)r-c8yrb*|f<%&^on9v#o**9@d?pq%81JP2+VqRBX#@NJ^lQaVlSW1?{i# z%4@8?nzy@~2x<2@gj?N}b5(nX<(lYC3_=NC+KpGl)`a<~r=<~+-wm_0{qUNO)}NHG z&pb~aVEUAAh=)V=os@?~FdChXS6WTV%(`Lg>9d>|e}$fUClK7bmNkbp`yJJ>J-9>W zduKPmW&$TwTA%DCC#^Q8CPF_%Ca`1VU31O7C4Jx9Yf%@_=6-6p%rvhH=mgorpL}y1 z(Zl2n@8L7aQ-1DbotyZUT3j?%_tI+UBXLjWxNW16Mt3)fv{sVoK9ImIsZe-hwJ4s$+t-L-t* zCI{BWU8@!Wala@KeW__GMorwpH4{SRRSDqaclrt*7gdZMys3uyTgKle6zZJz`@zf+ z1aU)o4-fgx-crM>MTKp{Nh;^h_-nci+|?a3(eUsP)R4<5pSFl;?(KbF&sn9+|3rXh z9Hw(i5U~GsP9@Y6i~^AT8H;0U%>;^l{tW8~LKk1lnAg_!Z=+d~+w}Vh!egr22rS(t z0o1Q2TB<)EJ7os^SD$FbzBWJlUwek7=bu8ivy9x|;Q!-!S=_J3VgKt#Z~De%6O}eE 
z_LQ&r6((NbzcLb8{Q;%>_lIH%M#fZD9e6F_qXLLlSH$Xaht>x|RhQuz3wYEoVz{(F z_gWJXs@h>Mb;>!F%B#*)aj1To+|immDKSBiI2fzYSyxJQB2gBgC53Fj!*M+TJYy%u zG92S2&jb^tcN0i1HN;nQASkI!e$N~{$lNw1b&4myN(x5pwn+Qw;!&CuqI3t}>sir* zeDLoaBoH3h?3&;WTfC6x^;ffSTAV>*JC<7M&6H0KfXpPC75r2JCnFWp=IKa>g zFf<24Mc~g5HWcGuPg5Y_RoN)qPW=8leyI;HJJC+-M7rINdJELNe|U5(nOn|L1y~ZYAUg zq!h}jf-MuKu`5tbwQX6j6%-VDM@pp|M0>gwKFG&_uPd-v;k~(?z9?$DI5AsEwmWy7 zi@zT`*LsE|bmM9&`M*kZ=?p08bfIYqNuJY_yl{n8U(Usj9ZTDU-?{CB(!^v`CjbV6FPd z=4h~%MX#~Pp4z%5xE3~3^XonTqKgv#RF*h5%W0E>sj<%Ujt;B$>awMelHoj}{aHW#gGa#9t|6y`gT;pAbn!sW?uh$cp>|JG%dtS}NcYVh%<#8i2!c@TlyMKi$}syj}ytheT*vuMb?Y zznJYqJqKwzTFC^3li>L-5t8XxovnPMI`L8jsaIfVe63DbCWy9c<+lO?GQHpw4^{z3 zvp9-C&WG!D2j@30o76r(wA)X($#5M=}rQnE+lskE`b zek8xu&~P|0o_D7}NxJSIxW-=n33AL;%}}Tzzaaws9;U{0#4d3;V(E zLrvUi_wY3$G_DLs9Q?$7Uxm}H+ouMWt_ScAxIdH=ewShwce&k`pPKKg`d9yj*6o2M zvW5&60UiP2Km<@7FU~^B6R*EZ{_0!} zn63rtfR8{u&;T?72lF?BVGGa-aFc<%9Ua@Dc&EwVF&h;J#Ytb02~1)z!`7>Tmd)09q<4=fxCbg z;0^cyzJMR#4+H=(5D1j+-=w(6LgNCKivDfM@h(0TTEEV#>tI7@*?+C8ICSpk?Gf0= zS|H`;|4;C1oA^sTd@0&a#Vc@vJ1@`QYNA7dZJnn6HNVs!=Vg5LL9x5P7qbS7DFQFE z9Q>31*J5sh$veQGyDr`(mEsD??RX^)gm5V~m4b#8z6UlV2nYu510g^t5C%K|9s(HP z5fBbU0Fgix@EC{&Vt`oS3Gft%1LA>az;hr0cmW(7<(FWX1SA8m4uM;s*I*@m@fI^@MCsq0}^;f(u2i z364>G;4H=ab6Q|b54Zy809OHB;9&pggP{Rn2weLkE#AVH^vwC&V9Fgx1#AFYzz(nn z?f?#eBj5x$11`WpjfB$1ISQDbO5*nu!5K&K<=_UMlFIA1WV*+oF&X~jrzHl7{5)Mt zt9K|u<*CenD_80)MX4uD<@8%p{OWDWFJz=7;_-F2DTT=s!G@P^SW{93#C8$b3ZM7P zl8~K)#D7-!Yq>tZ&+I%;d4=X8Nb&tWb#SIT7K=c)TGZFdZ+Cph|_mlcwWU5u~Z`4=|#Epe%$}Z&8$*8X_iWe$HF!Y>5ch vEhH{6QpeL@Mcn5U0L$|Opd;4i=8O#_x4;Drh1{<}