holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Convert the first two French QuickStart Guides to XML

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@897 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-12-22 04:41:56 +00:00
parent 8c9dc2b2f3
commit fd2a66710e
5 changed files with 1860 additions and 2280 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

790
Shorewall-docs/seattlefirewall_index.htm
View File

@ -1,516 +1,276 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
</head>
<body>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0" style=
"border-collapse: collapse; width: 100%; height: 100%;" id=
"AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2>Site Problem</h2>
The server that normally hosts www.shorewall.net and
ftp.shorewall.net is currently down. Until it is back up, a small
server with very limited bandwidth is being used temporarly. You
will likely experience better response time from the <a href=
"http://shorewall.sourceforge.net" target="_top">Sourceforge
site</a> or from one of the other <a href=
"shorewall_mirrors.htm">mirrors</a>. Sorry for the
inconvenience.<br>
<br>
<h2>Introduction to Shorewall<br>
</h2>
<h3>This is the Shorewall 1.4 Web Site</h3>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3" target=
"_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/" target=
"_top">here</a>.</li>
</ul>
<h3>Glossary<br>
</h3>
<ul>
<li><a href="http://www.netfilter.org">Netfilter</a> - the packet
filter facility built into the 2.4 and later Linux kernels.</li>
<li>ipchains - the packet filter facility built into the 2.2 Linux
kernels. Also the name of the utility program used to configure and
control that facility. Netfilter can be used in ipchains
compatibility mode.<br>
</li>
<li>iptables - the utility program used to configure and control
Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).</li>
</ul>
<h3>What is Shorewall?<br>
</h3>
The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of
configuration files. Shorewall reads those configuration files and
with the help of the iptables utility, Shorewall configures
Netfilter to match your requirements. Shorewall can be used on a
dedicated firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system. Shorewall does not use
Netfilter's ipchains compatibility mode and can thus take advantage
of Netfilter's connection state tracking capabilities.<br>
<br>
Shorewall is <span style="text-decoration: underline;">not</span> a
daemon. Once Shorewall has configured Netfilter, it's job is
complete although the <a href=
"starting_and_stopping_shorewall.htm">/sbin/shorewall program can
be used at any time to monitor the Netfilter firewall</a>.<br>
<h3>Getting Started with Shorewall</h3>
New to Shorewall? Start by selecting the <a href=
"shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
closely match your environment and follow the step by step
instructions.<br>
<h3>Looking for Information?</h3>
The <a href=
"shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search in the
frame above.
<h3>License<br>
</h3>
This program is free software; you can redistribute it and/or
modify it under the terms of <a href=
"http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software
Foundation.<br>
<p>This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.<br>
<br>
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
Eastep</a><br>
</p>
<h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
If so, the documentation <b></b>on this site will not apply
directly to your setup. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.<br>
<h2>News</h2>
<p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img style=
"border: 0px solid ; width: 28px; height: 12px;" src=
"images/new10.gif" alt="(New)" title=""><br>
</b></p>
<div style="margin-left: 40px;"><a href=
"http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target=
"_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
</div>
<p>Problems Corrected since version 1.4.8:<br>
</p>
<ol>
<li>There has been a low continuing level of confusion over the
terms "Source NAT" (SNAT) and "Static NAT". To avoid future
confusion, all instances of "Static NAT" have been replaced with
"One-to-one NAT" in the documentation and configuration files.</li>
<li>The description of NEWNOTSYN in shorewall.conf has been
reworded for clarity.</li>
<li>Wild-card rules (those involving "all" as SOURCE or DEST) will
no longer produce an error if they attempt to add a rule that would
override a NONE policy. The logic for expanding these wild-card
rules now simply skips those (SOURCE,DEST) pairs that have a NONE
policy.<br>
</li>
</ol>
<p>Migration Issues:<br>
<br>
&nbsp;&nbsp;&nbsp; None.<br>
<br>
New Features:<br>
</p>
<ol>
<li>To cut down on the number of "Why are these ports closed rather
than stealthed?" questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from 'reject' to
'DROP'.</li>
<li>For easier identification, packets logged under the 'norfc1918'
interface option are now logged out of chains named 'rfc1918'.
Previously, such packets were logged under chains named
'logdrop'.</li>
<li>Distributors and developers seem to be regularly inventing new
naming conventions for kernel modules. To avoid the need to change
Shorewall code for each new convention, the MODULE_SUFFIX option
has been added to shorewall.conf. MODULE_SUFFIX may be set to the
suffix for module names in your particular distribution. If
MODULE_SUFFIX is not set in shorewall.conf, Shorewall will use the
list "o gz ko o.gz".<br>
<br>
To see what suffix is used by your distribution:<br>
<br>
ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br>
<br>
All of the files listed should have the same suffix (extension).
Set MODULE_SUFFIX to that suffix.<br>
<br>
Examples:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kzo" then set
MODULE_SUFFIX="kzo"<br>
&nbsp;&nbsp;&nbsp;&nbsp; If all files end in ".kz.o" then set
MODULE_SUFFIX="kz.o"</li>
<li>Support for user defined rule ACTIONS has been implemented
through two new files:<br>
<br>
/etc/shorewall/actions - used to list the user-defined ACTIONS.<br>
/etc/shorewall/action.template - For each user defined
&lt;action&gt;, copy this file to
/etc/shorewall/action.&lt;action&gt; and add the appropriate rules
for that &lt;action&gt;. Once an &lt;action&gt; has been defined,
it may be used like any of the builtin ACTIONS (ACCEPT, DROP, etc.)
in /etc/shorewall/rules.<br>
<br>
Example: You want an action that logs a packet at the 'info' level
and accepts the connection.<br>
<br>
In /etc/shorewall/actions, you would add:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; LogAndAccept<br>
<br>
You would then copy /etc/shorewall/action.template to
/etc/shorewall/LogAndAccept and in that file, you would add the two
rules:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOG:info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT<br>
<br>
</li>
</ol>
<p><b>12/03/2003 - Support Torch Passed</b> <b><img style=
"border: 0px solid ; width: 28px; height: 12px;" src=
"images/new10.gif" alt="(New)" title=""></b></p>
Effective today, I am reducing my participation in the day-to-day
support of Shorewall. As part of this shift to community-based
Shorewall support a new <a href=
"https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
Newbies mailing list</a> has been established to field questions
and problems from new users. I will not monitor that list
personally. I will continue my active development of Shorewall and
will be available via the development list to handle development
issues -- Tom.
<p><b>11/07/2003 - Shorewall 1.4.8</b><b><br>
<br>
</b> Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or
directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying to
use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall
start" to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization involved creating a chain named "&lt;zone&gt;_frwd"
for most zones defined using the /etc/shorewall/hosts file. It has
since been discovered that in many cases these new chains contain
redundant rules and that the "optimization" turns out to be less
than optimal. The implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F" or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all
entries.</li>
<li>An incorrect comment concerning Debian's use of the SUBSYSLOCK
option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor the
ROUTE_FILTER parameter were working properly. This has been
corrected (thanks to Eric Bowles for his analysis and patch). The
definition of the ROUTE_FILTER option has changed however.
Previously, ROUTE_FILTER=Yes was documented as enabling route
filtering on all interfaces (which didn't work). Beginning with
this release, setting ROUTE_FILTER=Yes will enable route filtering
of all interfaces brought up while Shorewall is started. As a
consequence, ROUTE_FILTER=Yes can coexist with the use of the
'routefilter' option in the interfaces file.</li>
<li>If MAC verification was enabled on an interface with a /32
address and a broadcast address then an error would occur during
startup.</li>
<li>he NONE policy's intended use is to suppress the generating of
rules that can't possibly be traversed. This means that a policy of
NONE is inappropriate where the source or destination zone is $FW
or "all". Shorewall now generates an error message if such a policy
is given in /etc/shorewall/policy. Previously such a policy caused
"shorewall start" to fail.</li>
<li>The 'routeback' option was broken for wildcard interfaces
(e.g., "tun+"). This has been corrected so that 'routeback' now
works as expected in this case.<br>
</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf has
changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE allows
you to pass connection requests to a user-space filter such as
ftwall (http://p2pwall.sourceforge.net). The ftwall program allows
for effective filtering of p2p applications such as Kazaa. For
example, to use ftwall to filter P2P clients in the 'loc' zone, you
would add the following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any
ACCEPT rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to shorewall.conf.
When this option is set to "Yes", the blacklists (dynamic and
static) are only consulted for new connection requests. When set to
"No" (the default if the variable is not set), the blacklists are
consulted on every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may now
begin with a digit ([0-9]) and may contain embedded dashes
("-").</li>
</ol>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag
awards</b> <b><img style=
"border: 0px solid ; width: 50px; height: 80px;" src=
"images/j0233056.gif" align="middle" title="" alt="">Shorewall
1.4.7c released.</b></p>
<ol>
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The 1.4.7c
script produces a ruleset that should work for everyone even if it
is not quite optimal. My apologies for this ongoing mess.<br>
</li>
</ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
</p>
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result that
"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong
code is corrected in this release.<br>
</li>
</ol>
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
<p>This is a bugfix rollup of the following problem
corrections:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or
directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.<br>
<br>
</li>
<li>Andres Zhoglo has supplied a correction that avoids trying to
use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall
start" to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization involved creating a chain named "&lt;zone&gt;_frwd"
for most zones defined using the /etc/shorewall/hosts file. It has
since been discovered that in many cases these new chains contain
redundant rules and that the "optimization" turns out to be less
than optimal. The implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F" or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all
entries.<br>
</li>
</ol>
<p><a href="News.htm">More News</a></p>
<p><a href="http://leaf.sourceforge.net" target="_top"><img border=
"0" src="images/leaflogo.gif" width="49" height="36" alt=
"(Leaf Logo)"></a> Jacques Nilo and Eric Wolzak have a LEAF
(router/firewall/gateway on a floppy, CD or compact flash)
distribution called <i>Bering</i> that features Shorewall-1.4.2 and
Kernel-2.4.20. You can find their work at: <a href=
"http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!!<br>
<br>
</b>
<div style="text-align: center;">
<div style="text-align: center;"><a href="http://www.shorewall.net"
target="_top"><img src="images/ProtectedBy.png" title="" alt=
"(Protected by Shorewall)" style=
"border: 0px solid ; width: 216px; height: 45px;"></a></div>
</div>
<h2><a name="Donations"></a>Donations</h2>
<p style="text-align: left;"><a href=
"http://www.starlight.org"><img style=
"border: 4px solid ; width: 57px; height: 100px;" src=
"images/newlog.gif" align="left" hspace="10" alt="(Starlight Logo)"
title=""></a><br>
<big>Shorewall is free but if you try it and find it useful,
please consider making a donation to <a href=
"http://www.starlight.org">Starlight Children's Foundation</a>.
Thanks!</big><br>
<a href="http://www.starlight.org"></a></p>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<p><font size="2">Updated 12/07/2003 - <a href="support.htm">Tom
Eastep</a></font><br>
</p>
</body>
</html>
<head>
<meta content="HTML Tidy, see www.w3.org" name="generator" />
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self" />
</head>
<body><div align="center"> <center> <table border="0" cellpadding="0"
cellspacing="0" id="AutoNumber4"
style="border-collapse: collapse; width: 100%; height: 100%;"><tbody><tr><td
width="90%"><h2>Site Problem</h2> The server that normally hosts
www.shorewall.net and ftp.shorewall.net is currently down. Until it is back
up, a small server with very limited bandwidth is being used temporarly. You
will likely experience better response time from the <a
href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>. Sorry
for the inconvenience.<br /> <br /> <h2>Introduction to Shorewall</h2>
<h3>This is the Shorewall 1.4 Web Site</h3> The information on this site
applies only to 1.4.x releases of Shorewall. For older versions:<br />
<ul><li>The 1.3 site is <a href="http://www.shorewall.net/1.3" target="_top">here.</a></li><li>The
1.2 site is <a href="http://shorewall.net/1.2/" target="_top">here</a>.</li></ul>
<h3>Glossary</h3> <ul><li><a href="http://www.netfilter.org">Netfilter</a> -
the packet filter facility built into the 2.4 and later Linux kernels.</li><li>ipchains
- the packet filter facility built into the 2.2 Linux kernels. Also the name
of the utility program used to configure and control that facility.
Netfilter can be used in ipchains compatibility mode.</li><li>iptables - the
utility program used to configure and control Netfilter. The term
&#39;iptables&#39; is often used to refer to the combination of
iptables+Netfilter (with Netfilter not in ipchains compatibility mode).</li></ul>
<h3>What is Shorewall?</h3> The Shoreline Firewall, more commonly known as
&#34;Shorewall&#34;, is high-level tool for configuring Netfilter. You
describe your firewall/gateway requirements using entries in a set of
configuration files. Shorewall reads those configuration files and with the
help of the iptables utility, Shorewall configures Netfilter to match your
requirements. Shorewall can be used on a dedicated firewall system, a
multi-function gateway/router/server or on a standalone GNU/Linux system.
Shorewall does not use Netfilter&#39;s ipchains compatibility mode and can
thus take advantage of Netfilter&#39;s connection state tracking
capabilities.<br /> <br /> Shorewall is <span
style="text-decoration: underline;">not</span> a daemon. Once Shorewall has
configured Netfilter, it&#39;s job is complete although the <a
href="starting_and_stopping_shorewall.htm">/sbin/shorewall program can be
used at any time to monitor the Netfilter firewall</a>.<br /> <h3>Getting
Started with Shorewall</h3> New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br />
<h3>Looking for Information?</h3> The <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a>
is a good place to start as is the Quick Search in the frame above.
<h3>License</h3> This program is free software; you can redistribute it
and/or modify it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br />
<p>This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
more detail.</p> <p>You should have received a copy of the GNU General
Public License along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Permission is
granted to copy, distribute and/or modify this document under the terms of
the GNU Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with no Invariant Sections, with
no Front-Cover, and with no Back-Cover Texts. A copy of the license is
included in the section entitled <a>&#34;GNU Free Documentation License&#34;</a>.<p>Copyright
© 2001-2003 Thomas M. Eastep </p> <h3>Running Shorewall on Mandrake with a
two-interface setup?</h3> If so, the documentation <b></b>on this site will
not apply directly to your setup. If you want to use the documentation that
you find here, you will want to consider uninstalling what you have and
installing a setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br />
<h2>News</h2> <p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img
alt="(New)" src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title="" /> </b></p>
<div style="margin-left: 40px;"><a
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br />
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a>
</div> <p>Problems Corrected since version 1.4.8:</p> <ol><li>There has been
a low continuing level of confusion over the terms &#34;Source NAT&#34;
(SNAT) and &#34;Static NAT&#34;. To avoid future confusion, all instances of
&#34;Static NAT&#34; have been replaced with &#34;One-to-one NAT&#34; in the
documentation and configuration files.</li><li>The description of NEWNOTSYN
in shorewall.conf has been reworded for clarity.</li><li>Wild-card rules
(those involving &#34;all&#34; as SOURCE or DEST) will no longer produce an
error if they attempt to add a rule that would override a NONE policy. The
logic for expanding these wild-card rules now simply skips those
(SOURCE,DEST) pairs that have a NONE policy.</li></ol> <p>Migration Issues:<br />
&#x00A0;&#x00A0;&#x00A0; None.<br /> <br /> New Features: </p> <ol><li>To
cut down on the number of &#34;Why are these ports closed rather than
stealthed?&#34; questions, the SMB-related rules in
/etc/shorewall/common.def have been changed from &#39;reject&#39; to
&#39;DROP&#39;.</li><li>For easier identification, packets logged under the
&#39;norfc1918&#39; interface option are now logged out of chains named
&#39;rfc1918&#39;. Previously, such packets were logged under chains named
&#39;logdrop&#39;.</li><li>Distributors and developers seem to be regularly
inventing new naming conventions for kernel modules. To avoid the need to
change Shorewall code for each new convention, the MODULE_SUFFIX option has
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix for
module names in your particular distribution. If MODULE_SUFFIX is not set in
shorewall.conf, Shorewall will use the list &#34;o gz ko o.gz&#34;.<br />
<br /> To see what suffix is used by your distribution:<br /> <br /> ls
/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br /> <br /> All of the
files listed should have the same suffix (extension). Set MODULE_SUFFIX to
that suffix.<br /> <br /> Examples:<br /> <br />
&#x00A0;&#x00A0;&#x00A0;&#x00A0; If all files end in &#34;.kzo&#34; then set
MODULE_SUFFIX=&#34;kzo&#34;<br /> &#x00A0;&#x00A0;&#x00A0;&#x00A0; If all
files end in &#34;.kz.o&#34; then set MODULE_SUFFIX=&#34;kz.o&#34;</li><li>Support
for user defined rule ACTIONS has been implemented through two new files:<br />
<br /> /etc/shorewall/actions - used to list the user-defined ACTIONS.<br />
/etc/shorewall/action.template - For each user defined &#60;action&#62;,
copy this file to /etc/shorewall/action.&#60;action&#62; and add the
appropriate rules for that &#60;action&#62;. Once an &#60;action&#62; has
been defined, it may be used like any of the builtin ACTIONS (ACCEPT, DROP,
etc.) in /etc/shorewall/rules.<br /> <br /> Example: You want an action that
logs a packet at the &#39;info&#39; level and accepts the connection.<br />
<br /> In /etc/shorewall/actions, you would add:<br /> <br />
&#x00A0;&#x00A0;&#x00A0;&#x00A0; LogAndAccept<br /> <br /> You would then
copy /etc/shorewall/action.template to /etc/shorewall/LogAndAccept and in
that file, you would add the two rules:<br />
&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; LOG:info<br />
&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; ACCEPT<br />
<br /></li></ol> <p><b>12/03/2003 - Support Torch Passed</b> <b><img
alt="(New)" src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title="" /></b></p>
Effective today, I am reducing my participation in the day-to-day support of
Shorewall. As part of this shift to community-based Shorewall support a new
<a href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
Newbies mailing list</a> has been established to field questions and
problems from new users. I will not monitor that list personally. I will
continue my active development of Shorewall and will be available via the
development list to handle development issues -- Tom. <p><b>11/07/2003 -
Shorewall 1.4.8</b><b><br /> <br /> </b> Problems Corrected since version
1.4.7:<br /> </p> <ol><li>Tuomo Soini has supplied a correction to a problem
that occurs using some versions of &#39;ash&#39;. The symptom is that
&#34;shorewall start&#34; fails with:<br /> &#x00A0;<br /> &#x00A0;&#x00A0;
local: --limit: bad variable name<br /> &#x00A0;&#x00A0; iptables v1.2.8:
Couldn&#39;t load match `-j&#39;:/lib/iptables/libipt_-j.so:<br />
&#x00A0;&#x00A0; cannot open shared object file: No such file or directory<br />
&#x00A0;&#x00A0; Try `iptables -h&#39; or &#39;iptables --help&#39; for more
information.</li><li>Andres Zhoglo has supplied a correction that avoids
trying to use the multiport match iptables facility on ICMP rules.<br />
&#x00A0;<br /> &#x00A0;&#x00A0; Example of rule that previously caused
&#34;shorewall start&#34; to fail:<br /> &#x00A0;<br />
&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;
ACCEPT&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; loc&#x00A0; $FW&#x00A0;
icmp&#x00A0;&#x00A0;&#x00A0; 0,8,11,12<br /> <br /></li><li>Previously, if
the following error message was issued, Shorewall was left in an
inconsistent state.<br /> &#x00A0;<br /> &#x00A0;&#x00A0; Error: Unable to
determine the routes through interface xxx<br /> <br /></li><li>Handling of
the LOGUNCLEAN option in shorewall.conf has been corrected.</li><li>In
Shorewall 1.4.2, an optimization was added. This optimization involved
creating a chain named &#34;&#60;zone&#62;_frwd&#34; for most zones defined
using the /etc/shorewall/hosts file. It has since been discovered that in
many cases these new chains contain redundant rules and that the
&#34;optimization&#34; turns out to be less than optimal. The implementation
has now been corrected.</li><li>When the MARK value in a tcrules entry is
followed by &#34;:F&#34; or &#34;:P&#34;, the &#34;:F&#34; or &#34;:P&#34;
was previously only applied to the first Netfilter rule generated by the
entry. It is now applied to all entries.</li><li>An incorrect comment
concerning Debian&#39;s use of the SUBSYSLOCK option has been removed from
shorewall.conf.</li><li>Previously, neither the &#39;routefilter&#39;
interface option nor the ROUTE_FILTER parameter were working properly. This
has been corrected (thanks to Eric Bowles for his analysis and patch). The
definition of the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn&#39;t work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought up
while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can coexist
with the use of the &#39;routefilter&#39; option in the interfaces file.</li><li>If
MAC verification was enabled on an interface with a /32 address and a
broadcast address then an error would occur during startup.</li><li>he NONE
policy&#39;s intended use is to suppress the generating of rules that
can&#39;t possibly be traversed. This means that a policy of NONE is
inappropriate where the source or destination zone is $FW or &#34;all&#34;.
Shorewall now generates an error message if such a policy is given in
/etc/shorewall/policy. Previously such a policy caused &#34;shorewall
start&#34; to fail.</li><li>The &#39;routeback&#39; option was broken for
wildcard interfaces (e.g., &#34;tun+&#34;). This has been corrected so that
&#39;routeback&#39; now works as expected in this case.<br /></li></ol>
Migration Issues:<br /> <ol><li>The definition of the ROUTE_FILTER option in
shorewall.conf has changed as described in item 8) above.<br /></li></ol>
New Features:<br /> <ol><li>A new QUEUE action has been introduced for
rules. QUEUE allows you to pass connection requests to a user-space filter
such as ftwall (http://p2pwall.sourceforge.net). The ftwall program allows
for effective filtering of p2p applications such as Kazaa. For example, to
use ftwall to filter P2P clients in the &#39;loc&#39; zone, you would add
the following rules:<br /> <br /> &#x00A0;&#x00A0; QUEUE&#x00A0;&#x00A0;
loc&#x00A0;&#x00A0;&#x00A0; &#x00A0;&#x00A0;&#x00A0;&#x00A0;
net&#x00A0;&#x00A0;&#x00A0; tcp<br /> &#x00A0;&#x00A0; QUEUE&#x00A0;&#x00A0;
loc&#x00A0;&#x00A0;&#x00A0; &#x00A0;&#x00A0;&#x00A0;&#x00A0;
net&#x00A0;&#x00A0;&#x00A0; udp<br /> &#x00A0;&#x00A0; QUEUE&#x00A0;&#x00A0;
loc&#x00A0;&#x00A0;&#x00A0; &#x00A0;&#x00A0;&#x00A0;&#x00A0;
fw&#x00A0;&#x00A0;&#x00A0;&#x00A0; udp<br /> <br /> You would normally want
to place those three rules BEFORE any ACCEPT rules for loc-&#62;net udp or
tcp.<br /> <br /> Note: When the protocol specified is TCP (&#34;tcp&#34;,
&#34;TCP&#34; or &#34;6&#34;), Shorewall will only pass connection requests
(SYN packets) to user space. This is for compatibility with ftwall.</li><li>A
BLACKLISTNEWNONLY option has been added to shorewall.conf. When this option
is set to &#34;Yes&#34;, the blacklists (dynamic and static) are only
consulted for new connection requests. When set to &#34;No&#34; (the default
if the variable is not set), the blacklists are consulted on every packet.<br />
<br /> Setting this option to &#34;No&#34; allows blacklisting to stop
existing connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the blacklists
contain a large number of entries.</li><li>Chain names used in the
/etc/shorewall/accounting file may now begin with a digit ([0-9]) and may
contain embedded dashes (&#34;-&#34;).</li></ol> <p><b>10/26/2003 -
Shorewall 1.4.7a and 1.4.7b win brown paper bag awards</b> <b><img
align="middle" alt="" src="images/j0233056.gif"
style="border: 0px solid ; width: 50px; height: 80px;" title="" />Shorewall
1.4.7c released.</b></p> <ol><li>The saga with &#34;&#60;zone&#62;_frwd&#34;
chains continues. The 1.4.7c script produces a ruleset that should work for
everyone even if it is not quite optimal. My apologies for this ongoing
mess.<br /></li></ol> <p><b>10/24/2003 - Shorewall 1.4.7b</b></p> <p>This is
a bugfx rollup of the 1.4.7a fixes plus:<br /> </p> <ol><li>The fix for
problem 5 in 1.4.7a was wrong with the result that
&#34;&#60;zone&#62;_frwd&#34; chains might contain too few rules. That wrong
code is corrected in this release.<br /></li></ol> <p><b>10/21/2003 -
Shorewall 1.4.7a</b></p> <p>This is a bugfix rollup of the following problem
corrections:<br /> </p> <ol><li>Tuomo Soini has supplied a correction to a
problem that occurs using some versions of &#39;ash&#39;. The symptom is
that &#34;shorewall start&#34; fails with:<br /> &#x00A0;<br />
&#x00A0;&#x00A0; local: --limit: bad variable name<br /> &#x00A0;&#x00A0;
iptables v1.2.8: Couldn&#39;t load match
`-j&#39;:/lib/iptables/libipt_-j.so:<br /> &#x00A0;&#x00A0; cannot open
shared object file: No such file or directory<br /> &#x00A0;&#x00A0; Try
`iptables -h&#39; or &#39;iptables --help&#39; for more information.<br />
<br /></li><li>Andres Zhoglo has supplied a correction that avoids trying to
use the multiport match iptables facility on ICMP rules.<br /> &#x00A0;<br />
&#x00A0;&#x00A0; Example of rule that previously caused &#34;shorewall
start&#34; to fail:<br /> &#x00A0;<br />
&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;
ACCEPT&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; loc&#x00A0; $FW&#x00A0;
icmp&#x00A0;&#x00A0;&#x00A0; 0,8,11,12<br /> <br /></li><li>Previously, if
the following error message was issued, Shorewall was left in an
inconsistent state.<br /> &#x00A0;<br /> &#x00A0;&#x00A0; Error: Unable to
determine the routes through interface xxx<br /> <br /></li><li>Handling of
the LOGUNCLEAN option in shorewall.conf has been corrected.</li><li>In
Shorewall 1.4.2, an optimization was added. This optimization involved
creating a chain named &#34;&#60;zone&#62;_frwd&#34; for most zones defined
using the /etc/shorewall/hosts file. It has since been discovered that in
many cases these new chains contain redundant rules and that the
&#34;optimization&#34; turns out to be less than optimal. The implementation
has now been corrected.</li><li>When the MARK value in a tcrules entry is
followed by &#34;:F&#34; or &#34;:P&#34;, the &#34;:F&#34; or &#34;:P&#34;
was previously only applied to the first Netfilter rule generated by the
entry. It is now applied to all entries.<br /></li></ol> <p><a
href="News.htm">More News</a></p> <p><a href="http://leaf.sourceforge.net"
target="_top"><img alt="(Leaf Logo)" border="0" height="36"
src="images/leaflogo.gif" width="49" /></a> Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway on a floppy, CD or compact flash)
distribution called <i>Bering</i> that features Shorewall-1.4.2 and
Kernel-2.4.20. You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo<br />
</a></p> <b>Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!!<br /> <br /> </b> <div style="text-align: center;"> <div
style="text-align: center;"><a href="http://www.shorewall.net" target="_top"><img
alt="(Protected by Shorewall)" src="images/ProtectedBy.png"
style="border: 0px solid ; width: 216px; height: 45px;" title="" /></a></div>
</div> <h2><a name="Donations"></a>Donations</h2> <p
style="text-align: left;"><a href="http://www.starlight.org"><img
align="left" alt="(Starlight Logo)" hspace="10" src="images/newlog.gif"
style="border: 4px solid ; width: 57px; height: 100px;" title="" /></a><br />
<big>Shorewall is free but if you try it and find it useful, please consider
making a donation to <a href="http://www.starlight.org">Starlight
Children&#39;s Foundation</a>. Thanks!</big><br /> <a
href="http://www.starlight.org"></a></p></td></tr></tbody></table> </center>
</div> <p><font size="2">Updated 12/21/2003 - <a href="support.htm">Tom
Eastep</a></font><br /> </p></body>
</html>

426
Shorewall-docs/standalone_fr.html
View File

@ -1,426 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
</head>
<body>
<h1 style="text-align: center;">Standalone Firewall</h1>
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à
une traduction exacte du texte, mais plutôt à en faire une version
française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps
conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les
retrouver
dans le reste des documentations ainsi que dans les fichiers de
configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à
JMM
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP
pour
son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall
(écluse) pour un petit réseau est une chose assez simple, si vous
comprenez les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
son
utilisation la plus courante :</p>
<ul>
<li>Un système Linux</li>
<li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame
Relay, rtc...</li>
</ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2
d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du
programme ip sur votre système de firewall. Sous root, utilisez la
commande 'which' pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu'il va se passer, et de revenir au
début en
effectuant le changements dans votre configuration. Les points, où les
changements
dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13"> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si
vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte
cette option sinon vous devez les faire passer par dos2unix avant
d'essayer de les
utiliser. De la même manière, si vous copiez un fichier de
configuration depuis
votre disque dur Windows vers une disquette, vous devez lancer dos2unix
sur
la copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
<h2 align="left">Les Concepts de Shorewall</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> Les fichiers de configuration pour Shorewall sont situés dans
le répertoire /etc/shorewall -- pour de simples paramétrages, vous
n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce
guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez
le <a href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les
fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers
contient
des instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
de <i>zones.</i> Dans les fichiers de configuration fournis pour une
unique
interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
<tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
</table>
<p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre
zone
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont
exprimées en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy">
/etc/shorewall/policy </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall,
les demandes sont en premier lieu comparées par rapport au fichier
/etc/shorewall/rules. Si aucune des règles dans ce fichier ne
correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si
cette
politique est REJECT ou DROP la requête est alors comparée par rapport
aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous
fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive
one-interface a les politiques suivantes :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
<tr>
<td>net</td>
<td>all<br>
</td>
<td>DROP</td>
<td>info</td>
<td> <br>
</td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<pre> </pre>
Ces politiques vont :
<ol>
<li>permettre toutes demandes de connexion depuis le firewall vers
l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à
besoin de cette politique).</li>
</ol>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
changements que vous désirez.</p>
<h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque
la connexion Internet passe par un modem câble ou par un routeur ADSL
(pas
un simple modem), l'<i>External Interface</i> (interface externe) sera
l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u>
vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous
connectez par un simple modem (RTC), votre interface externe sera aussi
<b>ppp0</b>. Si vous vous connectez en utilisant l'ISDN (numéris),
votre interface externe sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> L'exemple de configuration de Shorewall pour une
interface suppose que votre interface externe est <b>eth0</b>. Si
votre configuration est différente, vous devrez modifier le fichier
d'exemple /etc/shorewall/interfaces en conséquence. Puisque vous y
êtes, vous pourriez parcourir la liste d'options qui sont spécifiées
pour l'interface. Quelques astuces :</p>
<ul>
<li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un "-". </p>
</li>
<li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le
"dhcp" de la liste d'option. </p>
</li>
</ul>
<div align="left">
<h2 align="left">Adresse IP</h2>
</div>
<div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP
privée
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les
paquets dont les adresses de destinations sont définies dans la RFC
1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent
ces adresses et utilisent le <i>Network Address Translation </i>afin
de récrire les entêtes des paquets lorsqu'ils les font circuler depuis
ou vers l'Internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> Avant de lancer Shorewall, vous devriez
regarder l'adresse de votre interface externe et si elle est comprise
dans une des plages précédentes, vous devriez enlever l'option
'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<h2 align="left">Permettre d'autres connexions</h2>
</div>
<div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis
l'Internet vers votre firewall, le format général est :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et
un
serveur POP3 sur votre système de firewall :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une
application particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas
d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte
en clair (même
pour le login et le mot de passe !). Si vous voulez avoir un accès au
shell
de votre firewall depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<pre> ACCEPT net fw tcp 22</pre>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter les
autres connexions désirées.</p>
</div>
<div align="left">
<h2 align="left">Lancer et Arrêter son Firewall</h2>
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> La <a href="Install.htm">procédure
d'installation </a> configure votre système pour lancer Shorewall au
boot du système, mais au début avec la version 1.3.9 de Shorewall le
lancement est désactivé, n'essayer pas de lancer Shorewall avec que la
configuration soit finie. Une fois que vous en aurez fini avec la
configuration du firewall, vous pouvez permettre le lancement de
Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
utilisateurs
des paquets .deb doivent éditer /etc/default/shorewall et mettre
'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande
"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall
est stoppé,
le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Un firewall qui tourne peut être relancé en utilisant la commande
"shorewall restart". Si vous voulez enlever toutes traces de Shorewall
sur votre
configuration de Netfilter, utilisez "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre
firewall
depuis Internet, n'essayez pas une commande "shorewall stop" tant que
vous
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de
laquelle
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall
restart"; il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

460
Shorewall-docs/standalone_fr.xml Executable file
View File

@ -0,0 +1,460 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="IPIP">
<articleinfo>
<title>Standalone Firewall</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2003-12-08</pubdate>
<copyright>
<year>2001-2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled &#34;<ulink
url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
</legalnotice>
</articleinfo>
<note>
<para><emphasis role="underline">Notes du traducteur :</emphasis> Je ne
prétends pas être un vrai traducteur dans le sens ou mon travail n&#39;est
pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française
intelligible par tous (et par moi). Les termes techniques sont la plupart
du temps conservés sous leur forme originale et mis entre parenthèses car
vous pouvez les retrouver dans le reste des documentations ainsi que dans
les fichiers de configuration. N&#39;hésitez pas à me contacter afin
d?améliorer ce document <ulink url="mailto:vetsel.patrice@wanadoo.fr">VETSEL
Patrice</ulink> (merci à JMM pour sa relecture et ses commentaires
pertinents, ainsi qu&#39;à Tom EASTEP pour son formidable outil et sa
disponibilité).</para>
</note>
<section id="Documentation">
<title>Introduction</title>
<para>Mettre en place un système Linux en tant que firewall (écluse) pour
un petit réseau est une chose assez simple, si vous comprenez les bases et
suivez la documentation.</para>
<para>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
son utilisation la plus courante :</para>
<itemizedlist>
<listitem>
<para>Un système Linux</para>
</listitem>
<listitem>
<para>Une seule adresse IP externe</para>
</listitem>
<listitem>
<para>Une connexion passant par un modem câble, ADSL, ISDN, Frame
Relay, rtc...</para>
</listitem>
</itemizedlist>
<para>Ce guide suppose que vous avez le paquet iproute/iproute2
d&#39;installé. Vous pouvez voir si le paquet est installé en vérifiant la
présence du programme ip sur votre système de firewall. Sous root,
utilisez la commande &#39;which&#39; pour rechercher le programme :</para>
<programlisting> [root@gateway root]# which ip
/sbin/ip
[root@gateway root]#
</programlisting>
<para>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu&#39;il va se passer, et de revenir au
début en effectuant le changements dans votre configuration. Les points,
où les changements dans la configuration sont recommandées, sont signalés
par une <inlinegraphic fileref="images/BD21298_.gif" /></para>
<para><inlinegraphic fileref="images/j0213519.gif" />Si vous éditez vos
fichiers de configuration sur un système Windows, vous devez les sauver
comme des fichiers Unix si votre éditeur supporte cette option sinon vous
devez les faire passer par dos2unix avant d&#39;essayer de les utiliser.
De la même manière, si vous copiez un fichier de configuration depuis
votre disque dur Windows vers une disquette, vous devez lancer dos2unix
sur la copie avant de l&#39;utiliser avec Shorewall.</para>
<itemizedlist>
<listitem>
<para><ulink url="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</ulink></para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Les Concepts de Shorewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" />Les fichiers de
configuration pour Shorewall sont situés dans le répertoire /etc/shorewall
-- pour de simples paramétrages, vous n&#39;avez à faire qu&#39;avec
quelques un d&#39;entre eux comme décris dans ce guide. Après avoir <ulink
url="Install.htm">installé Shorewall</ulink>, <emphasis role="bold">téléchargez
<ulink url="http://www1.shorewall.net/pub/shorewall/Samples/">le
one-interface sample</ulink>, un-tarez le (tar -zxvf one-interface.tgz) et
copiez les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de
même nom déjà existant dans /etc/shorewall installés lors de
l&#39;installation de Shorewall)</emphasis>.</para>
<para>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers
contient des instructions de configuration détaillées et des entrées par
défaut.</para>
<para>Shorewall voit le réseau où il tourne comme composé par un ensemble
de zones. Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</para>
<table>
<title>/etc/shorewall/zones</title>
<tgroup cols="2">
<tbody>
<row>
<entry align="left"><emphasis role="bold">ZONE</emphasis></entry>
<entry align="left" role="underline"><emphasis role="bold">DISPLAY</emphasis></entry>
</row>
<row>
<entry>net</entry>
<entry>Internet</entry>
</row>
</tbody>
</tgroup>
</table>
<para>Les zones de Shorewall sont définies dans /etc/shorewall/zones.</para>
<para>Shorewall reconnaît aussi le système de firewall comme sa propre
zone - par défaut, le firewall lui-même est connu en tant que fw.</para>
<para>Les règles concernant le trafic à autoriser ou à interdire sont
exprimées en utilisant les termes de zones.</para>
<table>
<title>/etc/shorewall/policy</title>
<tgroup cols="5">
<tbody>
<row>
<entry><emphasis role="bold">SOURCE ZONE</emphasis></entry>
<entry><emphasis role="bold">DESTINATION ZONE</emphasis></entry>
<entry><emphasis role="bold">POLICY</emphasis></entry>
<entry><emphasis role="bold">LOG LEVEL</emphasis></entry>
<entry><emphasis role="bold">LIMIT:BURST</emphasis></entry>
</row>
<row>
<entry>fw</entry>
<entry>net</entry>
<entry>ACCEPT</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>net</entry>
<entry>all</entry>
<entry>DROP</entry>
<entry>info</entry>
<entry></entry>
</row>
<row>
<entry>all</entry>
<entry>all</entry>
<entry>REJECT</entry>
<entry>info</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>Ces politiques vont :</para>
<orderedlist>
<listitem>
<para>permettre toutes demandes de connexion depuis le firewall vers
l&#39;Internet</para>
</listitem>
<listitem>
<para>drop (ignorer) toutes les demandes de connexion depuis
l&#39;Internet vers votre firewall</para>
</listitem>
<listitem>
<para>rejeter toutes les autres requêtes de connexion (Shorewall à
besoin de cette politique).</para>
</listitem>
</orderedlist>
<para><inlinegraphic fileref="images/BD21298_.gif" />A ce point, éditez
votre /etc/shorewall/policy et faites y les changements que vous désirez.</para>
</section>
<section>
<title>Interface Externe</title>
<para>Le firewall possède une seule interface réseau. Lorsque la connexion
Internet passe par un modem câble ou par un routeur ADSL (pas un simple
modem), l&#39;External Interface (interface externe) sera l&#39;adaptateur
ethernet (<emphasis role="bold">eth0</emphasis>) qui y est connecté à
moins que vous vous connectiez par Point-to-Point Protocol over Ethernet
(PPPoE) ou Point-to-Point TunnelingProtocol(PPTP) dans ce cas
l&#39;interface externe sera <emphasis role="bold">ppp0</emphasis>. Si
vous vous connectez par un simple modem (RTC), votre interface externe
sera aussi <emphasis role="bold">ppp0</emphasis>. Si vous vous connectez
en utilisant l&#39;ISDN (numéris), votre interface externe sera <emphasis
role="bold">ippp0</emphasis>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" />L&#39;exemple de
configuration de Shorewall pour une interface suppose que votre interface
externe est <emphasis role="bold">eth0</emphasis>. Si votre configuration
est différente, vous devrez modifier le fichier d&#39;exemple
/etc/shorewall/interfaces en conséquence. Puisque vous y êtes, vous
pourriez parcourir la liste d&#39;options qui sont spécifiées pour
l&#39;interface. Quelques astuces :</para>
<itemizedlist>
<listitem>
<para>Si votre interface externe est <emphasis role="bold">ppp0</emphasis>
ou <emphasis role="bold">ippp0</emphasis>, vous pouvez remplacer le
&#34;detect&#34; dans la seconde colonne par un &#34;-&#34;.</para>
</listitem>
<listitem>
<para>Si votre interface externe est <emphasis role="bold">ppp0</emphasis>
ou <emphasis role="bold">ippp0</emphasis> ou bien si vous avez une
adresse IP statique, vous pouvez enlever le &#34;dhcp&#34; de la liste
d&#39;option.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Adresse IP</title>
<para>La RFC 1918 définie plusieurs plage d&#39;adresses IP privée
(PrivateIP) pour l&#39;utilisation dans des réseaux privés :</para>
<programlisting> 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255</programlisting>
<para>Ces adresses sont parfois désignées comme étant non-routables car
les routeurs sur les backbones Internet ne font pas passer les paquets
dont les adresses de destinations sont définies dans la RFC 1918. Dans
certains cas, les fournisseurs (provider ou ISP) utilisent ces adresses et
utilisent le Network Address Translation afin de récrire les entêtes des
paquets lorsqu&#39;ils les font circuler depuis ou vers l&#39;Internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" />Avant de lancer
Shorewall, vous devriez regarder l&#39;adresse de votre interface externe
et si elle est comprise dans une des plages précédentes, vous devriez
enlever l&#39;option &#39;norfc1918&#39; dans le fichier
/etc/shorewall/interfaces.</para>
</section>
<section>
<title>Permettre d&#39;autres connexions</title>
<para>Si vous désirez autoriser d&#39;autres connexions depuis
l&#39;Internet vers votre firewall, le format général est :<table><title>/etc/shorewall/rules</title><tgroup
cols="7"><tbody><row><entry><emphasis role="bold">ACTION</emphasis></entry><entry><emphasis
role="bold">SOURCE</emphasis></entry><entry><emphasis role="bold">DESTINATION</emphasis></entry><entry><emphasis
role="bold">PROTOCOL</emphasis></entry><entry><emphasis role="bold">PORT</emphasis></entry><entry><emphasis
role="bold">SOURCE PORT</emphasis></entry><entry><emphasis role="bold">ORIGINAL
DEST</emphasis></entry></row><row><entry>ACCEPT</entry><entry>net</entry><entry>fw</entry><entry><emphasis>&#60;protocol&#62;</emphasis></entry><entry><emphasis>&#60;port&#62;</emphasis></entry><entry></entry><entry></entry></row></tbody></tgroup></table></para>
<para>Exemple - Vous voulez faire tourner un serveur Web et un serveur
POP3 sur votre système de firewall :</para>
<table>
<title>/etc/shorewall/rules</title>
<tgroup cols="7">
<tbody>
<row>
<entry><emphasis role="bold">ACTION</emphasis></entry>
<entry><emphasis role="bold">SOURCE</emphasis></entry>
<entry><emphasis role="bold">DESTINATION</emphasis></entry>
<entry><emphasis role="bold">PROTOCOL</emphasis></entry>
<entry><emphasis role="bold">PORT</emphasis></entry>
<entry><emphasis role="bold">SOURCE PORT</emphasis></entry>
<entry><emphasis role="bold">ORIGINAL DEST</emphasis></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>tcp</entry>
<entry>80</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>tcp</entry>
<entry>110</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para>Si vous ne savez pas quel port ou protocole une application
particulière utilise, regardez <ulink url="ports.htm">ici</ulink>.
<emphasis role="bold">Important:</emphasis> Je ne vous recommande pas
d&#39;autoriser le telnet depuis ou vers l&#39;Internet car il utilise du
texte en clair (même pour le login et le mot de passe !). Si vous voulez
avoir un accès au shell de votre firewall depuis Internet, utilisez SSH :</para>
<table>
<title>/etc/shorewall/rules</title>
<tgroup cols="7">
<tbody>
<row>
<entry><emphasis role="bold">ACTION</emphasis></entry>
<entry><emphasis role="bold">SOURCE</emphasis></entry>
<entry><emphasis role="bold">DESTINATION</emphasis></entry>
<entry><emphasis role="bold">PROTOCOL</emphasis></entry>
<entry><emphasis role="bold">PORT</emphasis></entry>
<entry><emphasis role="bold">SOURCE PORT</emphasis></entry>
<entry><emphasis role="bold">ORIGINAL DEST</emphasis></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>tcp</entry>
<entry>22</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<para><inlinegraphic fileref="images/BD21298_.gif" />A ce point, éditez
/etc/shorewall/rules pour rajouter les autres connexions désirées.</para>
</section>
<section>
<title>Lancer et Arrêter son Firewall</title>
<para>La <ulink url="Install.htm">procédure d&#39;installation</ulink>
configure votre système pour lancer Shorewall au boot du système, mais au
début avec la version 1.3.9 de Shorewall le lancement est désactivé,
n&#39;essayer pas de lancer Shorewall avec que la configuration soit
finie. Une fois que vous en aurez fini avec la configuration du firewall,
vous pouvez permettre le lancement de Shorewall en supprimant le fichier
/etc/shorewall/startup_disabled.</para>
<para><emphasis role="bold">IMPORTANT: Les utilisateurs des paquets .deb
doivent éditer /etc/default/shorewall et mettre &#39;startup=1&#39;.</emphasis></para>
<para>Le firewall est activé en utilisant la commande &#34;shorewall
start&#34; et arrêté avec &#34;shorewall stop&#34;. Lorsque le firewall
est stoppé, le routage est autorisé sur les hôtes qui possèdent une entrée
dans <ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>.
Un firewall qui tourne peut être relancé en utilisant la commande
&#34;shorewall restart&#34;. Si vous voulez enlever toutes traces de
Shorewall sur votre configuration de Netfilter, utilisez &#34;shorewall
clear&#34;.</para>
<para><emphasis role="bold">ATTENTION:</emphasis> Si vous êtes connecté à
votre firewall depuis Internet, n&#39;essayez pas une commande
&#34;shorewall stop&#34; tant que vous n&#39;avez pas ajouté une entrée
pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
dans<ulink url="Documentation.htm#Routestopped">
/etc/shorewall/routestopped</ulink>. De la même manière, je ne vous
recommande pas d&#39;utiliser &#34;shorewall restart&#34;; il est plus
intéressant de créer <ulink url="configuration_file_basics.htm#Configs">une
configuration alternative</ulink> et de la tester en utilisant la commande
&#34;<ulink url="starting_and_stopping_shorewall.htm">shorewall try</ulink>&#34;.</para>
</section>
</article>

1339
Shorewall-docs/two-interface_fr.html
View File

File diff suppressed because it is too large Load Diff

1125
Shorewall-docs/two-interface_fr.xml Executable file
View File

File diff suppressed because it is too large Load Diff