5.0.6-Beta
...
5.0.5
1f79bfa8dd |
@@ -1,9 +1,9 @@
|
||||
#
|
||||
# Shorewall - /usr/share/shorewall/macro.SNMPtrap
|
||||
#
|
||||
# This macro deprecated by SNMPtrap.
|
||||
# This macro handles SNMP traps.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
|
||||
SNMPtrap
|
||||
PARAM - - udp 162
|
||||
|
@@ -1,9 +0,0 @@
|
||||
#
|
||||
# Shorewall - /usr/share/shorewall/macro.SNMPtrap
|
||||
#
|
||||
# This macro handles SNMP traps.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
|
||||
PARAM - - udp 162
|
@@ -264,7 +264,6 @@ our %EXPORT_TAGS = (
|
||||
have_address_variables
|
||||
set_global_variables
|
||||
save_dynamic_chains
|
||||
save_docker_rules
|
||||
load_ipsets
|
||||
create_save_ipsets
|
||||
validate_nfobject
|
||||
@@ -2990,28 +2989,11 @@ sub initialize_chain_table($) {
|
||||
}
|
||||
}
|
||||
|
||||
my $chainref;
|
||||
|
||||
if ( $full ) {
|
||||
#
|
||||
# Create this chain early in case it is needed by Policy actions
|
||||
#
|
||||
new_standard_chain 'reject';
|
||||
|
||||
if ( $config{DOCKER} ) {
|
||||
$chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
|
||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||
}
|
||||
}
|
||||
|
||||
if ( $config{DOCKER} ) {
|
||||
add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
|
||||
$chainref = new_standard_chain( 'DOCKER' );
|
||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER ] && cat ${VARDIR}/.filter_DOCKER >&3' );
|
||||
$chainref = new_nat_chain( 'DOCKER' );
|
||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
|
||||
}
|
||||
|
||||
my $ruleref = transform_rule( $globals{LOGLIMIT} );
|
||||
@@ -8061,20 +8043,6 @@ sub emitr1( $$ ) {
|
||||
#
|
||||
# Emit code to save the dynamic chains to hidden files in ${VARDIR}
|
||||
#
|
||||
sub save_docker_rules($) {
|
||||
my $tool = $_[0];
|
||||
|
||||
emit( qq(if [ -n "\$g_docker" ]; then),
|
||||
qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
|
||||
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
|
||||
qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
|
||||
qq(else),
|
||||
qq( rm -f \$VARDIR/.nat_DOCKER),
|
||||
qq( rm -f \$VARDIR/.nat_POSTROUTING),
|
||||
qq( rm -f \$VARDIR/.filter_DOCKER),
|
||||
qq(fi)
|
||||
)
|
||||
}
|
||||
|
||||
sub save_dynamic_chains() {
|
||||
|
||||
@@ -8109,23 +8077,25 @@ else
|
||||
rm -f \${VARDIR}/.dynamic
|
||||
fi
|
||||
EOF
|
||||
emit(''), save_docker_rules( $tool ) if $config{DOCKER};
|
||||
|
||||
} else {
|
||||
$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
|
||||
|
||||
emit <<"EOF";
|
||||
if chain_exists 'UPnP -t nat'; then
|
||||
$utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
|
||||
$tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
|
||||
else
|
||||
rm -f \${VARDIR}/.UPnP
|
||||
fi
|
||||
|
||||
if chain_exists forwardUPnP; then
|
||||
$utility -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
|
||||
$tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
|
||||
else
|
||||
rm -f \${VARDIR}/.forwardUPnP
|
||||
fi
|
||||
|
||||
if chain_exists dynamic; then
|
||||
$utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
|
||||
$tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
|
||||
else
|
||||
rm -f \${VARDIR}/.dynamic
|
||||
fi
|
||||
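Review bot: In the `else` branch the assignment `$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';` is immediately followed by heredoc lines that reference `$utility` (`$utility -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP`), so if the `$utility` lines are the new side, `$tool` is assigned but never read in that branch. Keeping two variables that are both meant to name the save tool lets the emitted commands and the assigned value drift apart silently; either use `$tool` in the heredoc or drop the assignment. The same `$tool`/`$utility` split recurs in the hunk ending at line 363. save_dynamic_chains begins and ends outside this hunk, so the declaration of `$utility` is not visible here.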
@@ -8145,11 +8115,10 @@ EOF
|
||||
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
|
||||
qq( if chain_exists dynamic; then),
|
||||
qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
|
||||
emit( '' ), save_docker_rules( $tool ) if $config{DOCKER};
|
||||
} else {
|
||||
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
|
||||
qq( if chain_exists dynamic; then),
|
||||
qq( $utility -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
|
||||
qq( $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
|
||||
}
|
||||
|
||||
emit <<"EOF";
|
||||
@@ -8468,16 +8437,8 @@ sub create_netfilter_load( $ ) {
|
||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
my $name = $chainref->{name};
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode;
|
||||
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
|
||||
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
|
||||
emit_unindented ":$chainref->{name} - [0:0]";
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
|
||||
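Review bot: The chain-header loop on the new side (`my $chainref = $chain_table{$table}{$chain};` through `push @chains, $chainref;`) is repeated almost verbatim in preview_netfilter_load and create_stop_load (the hunks ending at lines 476 and 581), differing only in whether the `:$name - [0:0]` header goes through emit_unindented or print. The three copies evidently drifted when the DOCKER special case was added and then removed; a small private helper that takes the table name and an output callback would make the next change land in one place. create_netfilter_load begins and ends outside this hunk.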
@@ -8563,16 +8524,8 @@ sub preview_netfilter_load() {
|
||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
my $name = $chainref->{name};
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode;
|
||||
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
|
||||
assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
|
||||
print ":$chainref->{name} - [0:0]\n";
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
|
||||
@@ -8757,11 +8710,13 @@ sub create_stop_load( $ ) {
|
||||
|
||||
emit '';
|
||||
|
||||
save_progress_message "Preparing $utility input...";
|
||||
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
|
||||
'',
|
||||
'progress_message2 "Running $command..."',
|
||||
'',
|
||||
'$command <<__EOF__' );
|
||||
|
||||
emit "exec 3>\${VARDIR}/.${utility}-stop-input";
|
||||
|
||||
enter_cat_mode;
|
||||
$mode = CAT_MODE;
|
||||
|
||||
unless ( $test ) {
|
||||
my $date = localtime;
|
||||
@@ -8791,16 +8746,8 @@ sub create_stop_load( $ ) {
|
||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
my $name = $chainref->{name};
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode;
|
||||
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
|
||||
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
|
||||
emit_unindented ":$chainref->{name} - [0:0]";
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
|
||||
@@ -8813,19 +8760,10 @@ sub create_stop_load( $ ) {
|
||||
#
|
||||
# Commit the changes to the table
|
||||
#
|
||||
enter_cat_mode unless $mode == CAT_MODE;
|
||||
emit_unindented 'COMMIT';
|
||||
}
|
||||
|
||||
enter_cmd_mode;
|
||||
|
||||
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
|
||||
|
||||
emit( '',
|
||||
'progress_message2 "Running $command..."',
|
||||
'',
|
||||
"cat \${VARDIR}/.${utility}-stop-input | \$command # Use this nonsensical form to appease SELinux",
|
||||
);
|
||||
emit_unindented '__EOF__';
|
||||
#
|
||||
# Test result
|
||||
#
|
||||
|
@@ -261,12 +261,7 @@ sub generate_script_2() {
|
||||
'# The library requires that ${VARDIR} exist',
|
||||
'#',
|
||||
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
|
||||
);
|
||||
|
||||
emit( '',
|
||||
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
|
||||
''
|
||||
) if $config{DOCKER};
|
||||
);
|
||||
|
||||
pop_indent;
|
||||
|
||||
|
@@ -736,7 +736,6 @@ sub initialize( $;$$) {
|
||||
RPFILTER_LOG_TAG => '',
|
||||
INVALID_LOG_TAG => '',
|
||||
UNTRACKED_LOG_TAG => '',
|
||||
POSTROUTING => 'POSTROUTING',
|
||||
);
|
||||
#
|
||||
# From shorewall.conf file
|
||||
@@ -875,7 +874,6 @@ sub initialize( $;$$) {
|
||||
WORKAROUNDS => undef ,
|
||||
LEGACY_RESTART => undef ,
|
||||
RESTART => undef ,
|
||||
DOCKER => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@@ -5859,13 +5857,6 @@ sub get_configuration( $$$$ ) {
|
||||
default_yes_no 'INLINE_MATCHES' , '';
|
||||
default_yes_no 'BASIC_FILTERS' , '';
|
||||
default_yes_no 'WORKAROUNDS' , 'Yes';
|
||||
default_yes_no 'DOCKER' , '';
|
||||
|
||||
if ( $config{DOCKER} ) {
|
||||
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
|
||||
require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
|
||||
require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' );
|
||||
}
|
||||
|
||||
if ( supplied( $val = $config{RESTART} ) ) {
|
||||
fatal_error "Invalid value for RESTART ($val)" unless $val =~ /^(restart|reload)$/;
|
||||
|
@@ -132,7 +132,7 @@ sub setup_ecn()
|
||||
}
|
||||
|
||||
for my $host ( @hosts ) {
|
||||
add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[2] ) );
|
||||
add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host=>[1], targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[2] ) );
|
||||
}
|
||||
}
|
||||
}
|
||||
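Review bot: `$host=>[1]` in the add_ijump_extended call is the fat comma, not the arrow operator, so it passes `$host` itself followed by a fresh anonymous array `[1]` instead of dereferencing the host tuple, and the positional argument after `j => 'ECN'` (the origin slot, judging by the `add_ijump_extended( $chainref, j => 'DOCKER', $origin{DOCKER}, ... )` call elsewhere in this compare) receives the wrong value. If that line is the new side of the hunk it is a live defect in ECN rule generation rather than a typo; the intended form is the one printed just above it, `add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp', imatch_dest_net( $host->[2] ) );`. setup_ecn begins outside this hunk.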
@@ -628,33 +628,6 @@ sub process_stoppedrules() {
|
||||
$result;
|
||||
}
|
||||
|
||||
sub create_docker_rules() {
|
||||
|
||||
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
|
||||
add_commands( $nat_table->{OUTPUT} , '[ -n "$g_docker" ] && echo "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
|
||||
|
||||
unless ( known_interface('docker0') ) {
|
||||
my $chainref = $filter_table->{FORWARD};
|
||||
|
||||
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
|
||||
incr_cmd_level( $chainref );
|
||||
#
|
||||
# Emulate the Docker-generated rules
|
||||
#
|
||||
add_ijump_extended( $chainref, j => 'DOCKER', $origin{DOCKER}, o => 'docker0' );
|
||||
add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, o => 'docker0', conntrack => '--ctstate ESTABLISHED,RELATED' );
|
||||
#
|
||||
# Docker creates two ACCEPT rules for traffic forwarded from docker0 -- one for routeback and one for the rest
|
||||
# We combine them into a single rule
|
||||
#
|
||||
add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0' );
|
||||
decr_cmd_level( $chainref );
|
||||
add_commands( $chainref, 'fi' );
|
||||
} else {
|
||||
add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' );
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_mss();
|
||||
|
||||
sub add_common_rules ( $ ) {
|
||||
@@ -673,10 +646,6 @@ sub add_common_rules ( $ ) {
|
||||
my $level = $config{BLACKLIST_LOG_LEVEL};
|
||||
my $tag = $globals{BLACKLIST_LOG_TAG};
|
||||
my $rejectref = $filter_table->{reject};
|
||||
#
|
||||
# Insure that Docker jumps are early in the builtin chains
|
||||
#
|
||||
create_docker_rules if $config{DOCKER};
|
||||
|
||||
if ( $config{DYNAMIC_BLACKLIST} ) {
|
||||
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
|
||||
@@ -1539,15 +1508,13 @@ sub add_interface_jumps {
|
||||
# Add Nat jumps
|
||||
#
|
||||
for my $interface ( @_ ) {
|
||||
addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
|
||||
addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
|
||||
}
|
||||
|
||||
addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
|
||||
addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
|
||||
if ( have_capability 'RAWPOST_TABLE' ) {
|
||||
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
|
||||
@@ -2279,8 +2246,8 @@ sub generate_matrix() {
|
||||
#
|
||||
# Make sure that the 1:1 NAT jumps are last in PREROUTING
|
||||
#
|
||||
addnatjump 'PREROUTING' , 'nat_in';
|
||||
addnatjump $globals{POSTROUTING} , 'nat_out';
|
||||
addnatjump 'PREROUTING' , 'nat_in';
|
||||
addnatjump 'POSTROUTING' , 'nat_out';
|
||||
|
||||
add_interface_jumps @interfaces unless $interface_jumps_added;
|
||||
|
||||
@@ -2488,16 +2455,6 @@ EOF
|
||||
|
||||
EOF
|
||||
|
||||
if ( $config{DOCKER} ) {
|
||||
push_indent;
|
||||
emit( 'if [ $COMMAND = stop ]; then' );
|
||||
push_indent;
|
||||
save_docker_rules( $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}');
|
||||
pop_indent;
|
||||
emit( "fi\n");
|
||||
pop_indent;
|
||||
}
|
||||
|
||||
if ( have_capability( 'NAT_ENABLED' ) ) {
|
||||
emit<<'EOF';
|
||||
if [ -f ${VARDIR}/nat ]; then
|
||||
@@ -2547,10 +2504,6 @@ EOF
|
||||
emit( 'undo_routing',
|
||||
"restore_default_route $config{USE_DEFAULT_RT}"
|
||||
);
|
||||
#
|
||||
# Insure that Docker jumps are early in the builtin chains
|
||||
#
|
||||
create_docker_rules if $config{DOCKER};
|
||||
|
||||
if ( $config{ADMINISABSENTMINDED} ) {
|
||||
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
|
||||
|
@@ -481,22 +481,17 @@ sub process_a_provider( $ ) {
|
||||
$interface = $interfaceref->{name} unless $interfaceref->{wildcard};
|
||||
}
|
||||
|
||||
my $gatewaycase = '';
|
||||
|
||||
if ( $physical =~ /\+$/ ) {
|
||||
return 0 if $pseudo;
|
||||
fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
|
||||
}
|
||||
|
||||
my $gatewaycase = '';
|
||||
my $gw;
|
||||
|
||||
if ( ( $gw = lc $gateway ) eq 'detect' ) {
|
||||
if ( $gateway eq 'detect' ) {
|
||||
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
|
||||
$gateway = get_interface_gateway $interface;
|
||||
$gatewaycase = 'detect';
|
||||
} elsif ( $gw eq 'none' ) {
|
||||
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
|
||||
$gatewaycase = 'none';
|
||||
$gateway = '';
|
||||
} elsif ( $gateway && $gateway ne '-' ) {
|
||||
( $gateway, $mac ) = split_host_list( $gateway, 0 );
|
||||
validate_address $gateway, 0;
|
||||
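Review bot: `if ( $gateway eq 'detect' )` is a case-sensitive comparison, so a GATEWAY column of `Detect` or `DETECT` falls through to the `$gateway && $gateway ne '-'` branch and is presumably rejected by `validate_address` with an address-format error instead of being recognised as the keyword — assuming that line is the new side (the other form lower-cases first via `$gw = lc $gateway`). If keywords in this parser are meant to be case-insensitive, `if ( lc $gateway eq 'detect' )` keeps that behaviour without the extra `$gw` variable. process_a_provider begins and ends outside this hunk.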
@@ -511,7 +506,7 @@ sub process_a_provider( $ ) {
|
||||
|
||||
$gatewaycase = 'specified';
|
||||
} else {
|
||||
$gatewaycase = 'omitted';
|
||||
$gatewaycase = 'none';
|
||||
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
|
||||
$gateway = '';
|
||||
}
|
||||
@@ -534,12 +529,10 @@ sub process_a_provider( $ ) {
|
||||
} elsif ( $option eq 'notrack' ) {
|
||||
$track = 0;
|
||||
} elsif ( $option =~ /^balance=(\d+)$/ ) {
|
||||
fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
|
||||
fatal_error 'The balance setting must be non-zero' unless $1;
|
||||
$balance = $1;
|
||||
} elsif ( $option eq 'balance' || $option eq 'primary') {
|
||||
fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
$balance = 1;
|
||||
} elsif ( $option eq 'loose' ) {
|
||||
$loose = 1;
|
||||
@@ -557,13 +550,11 @@ sub process_a_provider( $ ) {
|
||||
} elsif ( $option =~ /^mtu=(\d+)$/ ) {
|
||||
$mtu = "mtu $1 ";
|
||||
} elsif ( $option =~ /^fallback=(\d+)$/ ) {
|
||||
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
|
||||
$default = $1;
|
||||
$default_balance = 0;
|
||||
fatal_error 'fallback must be non-zero' unless $default;
|
||||
} elsif ( $option eq 'fallback' ) {
|
||||
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
$default = -1;
|
||||
$default_balance = 0;
|
||||
} elsif ( $option eq 'local' ) {
|
||||
@@ -576,7 +567,6 @@ sub process_a_provider( $ ) {
|
||||
$track = 0 if $config{TRACK_PROVIDERS};
|
||||
$default_balance = 0 if $config{USE_DEFAULT_RT};
|
||||
} elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
|
||||
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||
$load = sprintf "%1.8f", $1;
|
||||
require_capability 'STATISTIC_MATCH', "load=$1", 's';
|
||||
} elsif ( $option eq 'autosrc' ) {
|
||||
@@ -606,13 +596,13 @@ sub process_a_provider( $ ) {
|
||||
fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
|
||||
|
||||
if ( $local ) {
|
||||
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted';
|
||||
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
|
||||
fatal_error "'track' not valid with 'local'" if $track;
|
||||
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
|
||||
fatal_error "'persistent' is not valid with 'local" if $persistent;
|
||||
} elsif ( $tproxy ) {
|
||||
fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++;
|
||||
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
|
||||
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
|
||||
fatal_error "'track' not valid with 'tproxy'" if $track;
|
||||
fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
|
||||
fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-';
|
||||
@@ -659,7 +649,7 @@ sub process_a_provider( $ ) {
|
||||
warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
|
||||
}
|
||||
|
||||
$balance = $default_balance unless $balance || $gatewaycase eq 'none';
|
||||
$balance = $default_balance unless $balance;
|
||||
|
||||
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
|
||||
|
||||
@@ -799,7 +789,7 @@ sub add_a_provider( $$ ) {
|
||||
|
||||
push_indent;
|
||||
|
||||
if ( $gatewaycase eq 'omitted' ) {
|
||||
if ( $gatewaycase eq 'none' ) {
|
||||
if ( $tproxy ) {
|
||||
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
|
||||
} else {
|
||||
@@ -877,7 +867,7 @@ sub add_a_provider( $$ ) {
|
||||
}
|
||||
$provider_interfaces{$interface} = $table;
|
||||
|
||||
if ( $gatewaycase eq 'omitted' ) {
|
||||
if ( $gatewaycase eq 'none' ) {
|
||||
if ( $tproxy ) {
|
||||
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
|
||||
} else {
|
||||
@@ -917,7 +907,7 @@ CEOF
|
||||
|
||||
emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
|
||||
"echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
|
||||
);
|
||||
);
|
||||
}
|
||||
|
||||
if ( $duplicate ne '-' ) {
|
||||
|
@@ -1589,7 +1589,7 @@ sub allowBcast( $$$$ ) {
|
||||
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', addrtype => '--dst-type BROADCAST' );
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );
|
||||
log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', ''. d => '224.0.0.0/4' );
|
||||
}
|
||||
|
||||
add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
|
||||
|
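Review bot: `log_irule_limit( ..., 'add', ''. d => '224.0.0.0/4' )` has a stray `.` where a comma belongs; it happens to work only because `=>` auto-quotes the bareword `d` and `'' . 'd'` evaluates to `'d'`, but it reads as a concatenation and breaks as soon as the preceding argument is anything but the empty string. If that line is the new side of the hunk it should read `log_irule_limit( $level, $chainref, 'allowBcast' , 'ACCEPT', [], $tag, 'add', '', d => '224.0.0.0/4' );`, matching the `addrtype => '--dst-type BROADCAST'` call above it. allowBcast begins and ends outside this hunk.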
@@ -1,4 +1,4 @@
|
||||
# (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# This program is part of Shorewall.
|
||||
#
|
||||
|
@@ -125,7 +125,6 @@ g_sha1sum2=
|
||||
g_counters=
|
||||
g_compiled=
|
||||
g_file=
|
||||
g_docker=
|
||||
|
||||
initialize
|
||||
|
||||
|
@@ -146,8 +146,6 @@ DEFER_DNS_RESOLUTION=Yes
|
||||
|
||||
DISABLE_IPV6=No
|
||||
|
||||
DOCKER=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
@@ -157,8 +157,6 @@ DEFER_DNS_RESOLUTION=Yes
|
||||
|
||||
DISABLE_IPV6=No
|
||||
|
||||
DOCKER=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
@@ -154,8 +154,6 @@ DEFER_DNS_RESOLUTION=Yes
|
||||
|
||||
DISABLE_IPV6=No
|
||||
|
||||
DOCKER=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
@@ -157,8 +157,6 @@ DEFER_DNS_RESOLUTION=Yes
|
||||
|
||||
DISABLE_IPV6=No
|
||||
|
||||
DOCKER=No
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
DETECT_DNAT_IPADDRS=No
|
||||
|
@@ -150,8 +150,6 @@ DETECT_DNAT_IPADDRS=No
|
||||
|
||||
DISABLE_IPV6=No
|
||||
|
||||
DOCKER=No
|
||||
|
||||
DONT_LOAD=
|
||||
|
||||
DYNAMIC_BLACKLIST=Yes
|
||||
|
@@ -130,7 +130,7 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
|
||||
role="bold">detect|none</emphasis>}</term>
|
||||
role="bold">detect</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>The IP address of the provider's gateway router. Beginning
|
||||
@@ -139,12 +139,8 @@
|
||||
interface. When the MAC is not specified, Shorewall will detect the
|
||||
MAC during firewall start or restart.</para>
|
||||
|
||||
<para>You can enter <emphasis role="bold">detect</emphasis> here and
|
||||
Shorewall will attempt to detect the gateway automatically.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
|
||||
role="bold">none</emphasis>. This causes creation of a routing table
|
||||
with no default route in it.</para>
|
||||
<para>You can enter "detect" here and Shorewall will attempt to
|
||||
detect the gateway automatically.</para>
|
||||
|
||||
<para>For PPP devices, you may omit this column.</para>
|
||||
</listitem>
|
||||
|
@@ -733,19 +733,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DOCKER=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.6. When set to Yes, the generated
|
||||
script will save Docker-generated rules before and restore them
|
||||
after executing the start, reload and restart commands. If set to No
|
||||
(the default), the generated script will delete any Docker-generated
|
||||
rules when executing those commands.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
|
||||
@@ -776,8 +763,8 @@
|
||||
<listitem>
|
||||
<para>Normally, when the SOURCE or DEST columns in
|
||||
shorewall-policy(5) contains 'all', a single policy chain is created
|
||||
and thes policy is enforced in that chain. For example, if the
|
||||
policy entry is<programlisting>#SOURCE DEST POLICY LOG
|
||||
and the policy is enforced in that chain. For example, if the policy
|
||||
entry is<programlisting>#SOURCE DEST POLICY LOG
|
||||
# LEVEL
|
||||
net all DROP info</programlisting>then the chain name is 'net-all'
|
||||
('net2all if ZONE2ZONE=2) which is also the chain named in Shorewall
|
||||
|
@@ -119,17 +119,13 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
|
||||
role="bold">detect|none</emphasis>}</term>
|
||||
role="bold">detect</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>The IP address of the provider's gateway router.</para>
|
||||
|
||||
<para>You can enter <emphasis role="bold">detect</emphasis> here and
|
||||
Shorewall6 will attempt to detect the gateway automatically.</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
|
||||
role="bold">none</emphasis>. This causes creation of a routing table
|
||||
with no default route in it.</para>
|
||||
<para>You can enter "detect" here and Shorewall6 will attempt to
|
||||
detect the gateway automatically.</para>
|
||||
|
||||
<para>For PPP devices, you may omit this column.</para>
|
||||
</listitem>
|
||||
|
@@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1</programlisting></para>
|
||||
wireless). eth4 goes to my DMZ which holds a single server. Here is a
|
||||
diagram of the IPv4 network:</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2009.png"/>
|
||||
<graphic align="center" fileref="images/Network2009.png" />
|
||||
|
||||
<para>Here is the configuration after IPv6 is configured; the part in
|
||||
bold font is configured by the /etc/init.d/ipv6 script.</para>
|
||||
@@ -283,7 +283,7 @@ ursa:~ #</programlisting></para>
|
||||
|
||||
<para>Here is the resulting simple IPv6 Network:</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2009b.png"/>
|
||||
<graphic align="center" fileref="images/Network2009b.png" />
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@@ -338,7 +338,7 @@ ursa:~ #</programlisting></para>
|
||||
|
||||
<para>So the IPv4 network was transformed to this:</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2009a.png"/>
|
||||
<graphic align="center" fileref="images/Network2009a.png" />
|
||||
|
||||
<para>To implement the same IPv6 network as described above, I used this
|
||||
/etc/shorewall/interfaces file:</para>
|
||||
@@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel
|
||||
|
||||
<para>That file produces the following IPv6 network.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2008c.png"/>
|
||||
<graphic align="center" fileref="images/Network2008c.png" />
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@@ -475,7 +475,7 @@ dmz eth2 tcpflags,forward=1</programlisting></par
|
||||
<para><filename>/etc/shorewall6/policy</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<para><programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
net all DROP info
|
||||
loc net ACCEPT
|
||||
dmz net ACCEPT
|
||||
@@ -485,7 +485,7 @@ all all REJECT info</programlisting></para>
|
||||
<para><filename>/etc/shorewall6/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
|
||||
?SECTION ALL
|
||||
?SECTION ESTABLISHED
|
||||
@@ -493,6 +493,7 @@ all all REJECT info</programlisting></para>
|
||||
?SECTION INVALID
|
||||
?SECTION UNTRACKED
|
||||
?SECTION NEW
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#
|
||||
# Accept DNS connections from the firewall to the network
|
||||
#
|
||||
@@ -504,7 +505,8 @@ SSH(ACCEPT) loc $FW
|
||||
#
|
||||
# Allow Ping everywhere
|
||||
#
|
||||
Ping(ACCEPT) all all</programlisting></para>
|
||||
Ping(ACCEPT) all all</programlisting>
|
||||
</para>
|
||||
</blockquote>
|
||||
</section>
|
||||
</section>
|
||||
@@ -650,7 +652,7 @@ interface eth2 {
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoIPv6Nets1.png"/>
|
||||
<graphic fileref="images/TwoIPv6Nets1.png" />
|
||||
|
||||
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
|
||||
communicate with the systems in the 2002:488:999::/64 network. This is
|
||||
|
242
docs/Actions.xml
242
docs/Actions.xml
@@ -101,11 +101,13 @@
|
||||
# both directions.
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT RATE USER
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - udp 135,445
|
||||
ACCEPT - - udp 137:139
|
||||
ACCEPT - - udp 1024: 137
|
||||
ACCEPT - - tcp 135,139,445</programlisting>
|
||||
ACCEPT - - tcp 135,139,445
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>If you wish to modify one of the standard actions, do not modify
|
||||
the definition in <filename
|
||||
@@ -333,11 +335,21 @@ ACCEPT - - tcp 135,139,445</programlisting>
|
||||
</orderedlist>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 5.0.0 and Later.</title>
|
||||
<title>Shorewall 4.4.16 and Later.</title>
|
||||
|
||||
<para>In Shorewall 5.0, the columns in action.template are the same as
|
||||
those in shorewall-rules (5). There are no restrictions regarding which
|
||||
targets can be used within your action.</para>
|
||||
<para>Beginning with Shorewall 4.4.16, the columns in action.template
|
||||
are the same as those in shorewall-rules (5). The first non-commentary
|
||||
line in the template must be</para>
|
||||
|
||||
<programlisting>FORMAT 2</programlisting>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.11, the preferred format is as shown
|
||||
below, and the above format is deprecated.</para>
|
||||
|
||||
<programlisting>?FORMAT 2</programlisting>
|
||||
|
||||
<para>When using Shorewall 4.4.16 or later, there are no restrictions
|
||||
regarding which targets can be used within your action.</para>
|
||||
|
||||
<para>The SOURCE and DEST columns in the action file may not include
|
||||
zone names; those are given when the action is invoked.</para>
|
||||
@@ -349,18 +361,22 @@ ACCEPT - - tcp 135,139,445</programlisting>
|
||||
|
||||
<para>/etc/shorewall/action.A:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO Dport SPORT ORIGDEST
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
FORMAT 2
|
||||
$1 - - tcp 80 - 1.2.3.4</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
|
||||
A(REDIRECT) net fw</programlisting>
|
||||
|
||||
<para>The above is equivalent to this rule:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
|
||||
|
||||
<para>You can 'omit' parameters by using '-'.</para>
|
||||
@@ -397,6 +413,194 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
|
||||
url="configuration_file_basics.htm#ActionVariables">Action Variables
|
||||
section</ulink> of the Configuration Basics article.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 4.4.15 and Earlier.</title>
|
||||
|
||||
<para>Prior to 4.4.16, columns in the
|
||||
<filename>action.template</filename> file were as follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
|
||||
an <<emphasis>action</emphasis>> where
|
||||
<<emphasis>action</emphasis>> is a previously-defined action
|
||||
(that is, it must precede the action being defined in this file in
|
||||
your <filename>/etc/shorewall/actions</filename> file). These
|
||||
actions have the same meaning as they do in the
|
||||
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
|
||||
processing of the current action and returns to the point where that
|
||||
action was invoked). The TARGET may optionally be followed by a
|
||||
colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
|
||||
ACCEPT:debugging). This causes the packet to be logged at the
|
||||
specified level. You may also specify ULOG (must be in upper case)
|
||||
as a log level. This will log to the ULOG target for routing to a
|
||||
separate log through use of ulogd (<ulink
|
||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
||||
|
||||
<para>You may also use a <ulink url="Macros.html">macro</ulink> in
|
||||
your action provided that the macro's expansion only results in the
|
||||
ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
|
||||
<filename>/usr/share/shorewall/action.Drop</filename> for an example
|
||||
of an action that users macros extensively.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SOURCE - Source hosts to which the rule applies. A
|
||||
comma-separated list of subnets and/or hosts. Hosts may be specified
|
||||
by IP or MAC address; MAC addresses must begin with <quote>~</quote>
|
||||
and must use <quote>-</quote> as a separator.</para>
|
||||
|
||||
<para>Alternatively, clients may be specified by interface name. For
|
||||
example, eth1 specifies a client that communicates with the firewall
|
||||
system through eth1. This may be optionally followed by another
|
||||
colon (<quote>:</quote>) and an IP/MAC/subnet address as described
|
||||
above (e.g., eth1:192.168.1.5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DEST - Location of Server. Same as above with the exception
|
||||
that MAC addresses are not allowed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>PROTO - Protocol - Must be <quote>tcp</quote>,
|
||||
<quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
|
||||
<quote>all</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DEST PORT(S) - Destination Ports. A comma-separated list of
|
||||
Port names (from <filename>/etc/services</filename>), port numbers
|
||||
or port ranges; if the protocol is <quote>icmp</quote>, this column
|
||||
is interpreted as the destination icmp-type(s).</para>
|
||||
|
||||
<para>A port range is expressed as <<emphasis>low
|
||||
port</emphasis>>:<<emphasis>high port</emphasis>>.</para>
|
||||
|
||||
<para>This column is ignored if PROTO = <quote>all</quote>, but must
|
||||
be entered if any of the following fields are supplied. In that
|
||||
case, it is suggested that this field contain
|
||||
<quote>-</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
|
||||
source port is acceptable. Specified as a comma-separated list of
|
||||
port names, port numbers or port ranges.</para>
|
||||
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
any of the subsequent fields, then place <quote>-</quote> in this
|
||||
column.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
|
||||
this column:</para>
|
||||
|
||||
<para><programlisting> <<emphasis>rate</emphasis>>/<<emphasis>interval</emphasis>>[:<<emphasis>burst</emphasis>>]</programlisting>where
|
||||
<<emphasis>rate</emphasis>> is the number of connections per
|
||||
<<emphasis>interval</emphasis>> (<quote>sec</quote> or
|
||||
<quote>min</quote>) and <<emphasis>burst</emphasis>> is the
|
||||
largest burst permitted. If no <<emphasis>burst</emphasis>> is
|
||||
given, a value of 5 is assumed. There may be no whitespace embedded
|
||||
in the specification.</para>
|
||||
|
||||
<para><programlisting> Example: 10/sec:20</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>USER/GROUP - For output rules (those with the firewall as
|
||||
their source), you may control connections based on the effective
|
||||
UID and/or GID of the process requesting the connection. This column
|
||||
can contain any of the following:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>[!]<<emphasis>user number</emphasis>>[:]</member>
|
||||
|
||||
<member>[!]<<emphasis>user name</emphasis>>[:]</member>
|
||||
|
||||
<member>[!]:<<emphasis>group number</emphasis>></member>
|
||||
|
||||
<member>[!]:<<emphasis>group name</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
number</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
name</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
inumber</emphasis>>:<<emphasis>group
|
||||
name</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
name</emphasis>>:<<emphasis>group
|
||||
name</emphasis>></member>
|
||||
|
||||
<member>[!]+<<emphasis>program name</emphasis>> (Note:
|
||||
support for this form was removed from Netfilter in kernel version
|
||||
2.6.14).</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>MARK</para>
|
||||
|
||||
<para><simplelist>
|
||||
<member>[!]<<emphasis>value</emphasis>>[/<<emphasis>mask</emphasis>>][:C]</member>
|
||||
</simplelist></para>
|
||||
|
||||
<para>Defines a test on the existing packet or connection mark. The
|
||||
rule will match only if the test returns true.</para>
|
||||
|
||||
<para>If you don’t want to define a test but need to specify
|
||||
anything in the subsequent columns, place a <quote>-</quote> in this
|
||||
field.<simplelist>
|
||||
<member>! — Inverts the test (not equal)</member>
|
||||
|
||||
<member><<emphasis>value</emphasis>> — Value of the packet
|
||||
or connection mark.</member>
|
||||
|
||||
<member><<emphasis>mask</emphasis>> —A mask to be applied
|
||||
to the mark before testing.</member>
|
||||
|
||||
<member>:C — Designates a connection mark. If omitted, the
|
||||
packet mark’s value is tested. This option is only supported by
|
||||
Shorewall-perl</member>
|
||||
</simplelist></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Omitted column entries should be entered using a dash
|
||||
(<quote>-</quote>).</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||
|
||||
<para><programlisting> #ACTION COMMENT (place '# ' below the 'C' in comment followed by
|
||||
# v a comment describing the action)
|
||||
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
|
||||
role="bold">Note:</emphasis> If your
|
||||
<filename>/etc/shorewall/actions</filename> file doesn't have an
|
||||
indication where to place the comment, put the <quote>#</quote> in
|
||||
column 21.</para>
|
||||
|
||||
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
|
||||
ACCEPT</programlisting></para>
|
||||
|
||||
<para>Placing a comment on the line causes the comment to appear in the
|
||||
output of the <command>shorewall show actions</command> command.</para>
|
||||
|
||||
<para>To use your action, in <filename>/etc/shorewall/rules</filename>
|
||||
you might do something like:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
LogAndAccept loc $FW tcp 22</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Logging">
|
||||
@@ -421,19 +625,19 @@ REDIRECT net - tcp 80 - 1.2.3.4</programlisting>
|
||||
|
||||
<para>/etc/shorewall/action.foo</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT - - tcp 22
|
||||
bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
foo:debug $FW net</programlisting>
|
||||
|
||||
<para>Logging in the invoke <quote>foo</quote> action will be as if
|
||||
foo had been defined as:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:info</programlisting>
|
||||
</listitem>
|
||||
@@ -447,19 +651,19 @@ bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/action.foo</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT - - tcp 22
|
||||
bar:info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
foo:debug! $FW net</programlisting>
|
||||
|
||||
<para>Logging in the invoke <quote>foo</quote> action will be as if
|
||||
foo had been defined as:</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DPORT
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT:debug - - tcp 22
|
||||
bar:debug</programlisting>
|
||||
</listitem>
|
||||
@@ -909,22 +1113,22 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
|
||||
role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
|
||||
use this entry in <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
|
||||
|
||||
<para>Using Shorewall 4.4.16 or later, you can also invoke the action this
|
||||
way:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Limit(SSHA,3,60):none net $FW tcp 22</programlisting>
|
||||
|
||||
<para>If you want dropped connections to be logged at the info level, use
|
||||
this rule instead:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
|
||||
|
||||
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<para>Shorewall 4.4.16 and later:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Limit(SSH,3,60):info net $FW tcp 22</programlisting></para>
|
||||
|
||||
<para>To summarize, you pass four pieces of information to the Limit
|
||||
|
@@ -5,7 +5,7 @@
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Anatomy of Shorewall 5.0</title>
|
||||
<title>Anatomy of Shorewall 4.5</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
@@ -43,7 +43,7 @@
|
||||
<section id="Products">
|
||||
<title>Products</title>
|
||||
|
||||
<para>Shorewall 5.0 consists of six packages.</para>
|
||||
<para>Shorewall 4.5 consists of six packages.</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
|
@@ -74,11 +74,12 @@
|
||||
<section>
|
||||
<title>Policy Rate Limiting</title>
|
||||
|
||||
<para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
|
||||
file applies to TCP connections that are subject to the policy. The
|
||||
limiting is applied BEFORE the connection request is passed through the
|
||||
rules generated by entries in <filename>/etc/shorewall/rules</filename>.
|
||||
Those connections in excess of the limit are logged and dropped.</para>
|
||||
<para>The LIMIT:BURST column in the
|
||||
<filename>/etc/shorewall/policy</filename> file applies to TCP
|
||||
connections that are subject to the policy. The limiting is applied
|
||||
BEFORE the connection request is passed through the rules generated by
|
||||
entries in <filename>/etc/shorewall/rules</filename>. Those connections
|
||||
in excess of the limit are logged and dropped.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
245
docs/Dynamic.xml
245
docs/Dynamic.xml
@@ -49,12 +49,140 @@
|
||||
support is based on <ulink
|
||||
url="http://ipset.netfilter.org/">ipset</ulink>. Most current
|
||||
distributions have ipset, but you may need to install the <ulink
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
|
||||
package.</para>
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section id="xtables-addons">
|
||||
<title>Installing xtables-addons</title>
|
||||
|
||||
<para>If your distribution does not have an xtables-addons package, the
|
||||
xtables-addons are fairly easy to install. You do not need to recompile
|
||||
your kernel.</para>
|
||||
|
||||
<para><trademark>Debian</trademark> users can find xtables-addons-common
|
||||
and xtables-addons-source packages in <firstterm>testing</firstterm>. The
|
||||
kernel modules can be built and installed with the help of
|
||||
module-assistant. As of this writing, these packages are in the
|
||||
<firstterm>admin</firstterm> group rather than in the
|
||||
<firstterm>network</firstterm> group!!??</para>
|
||||
|
||||
<para>For other users, the basic steps are as follows:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Install gcc and make</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Install the headers for the kernel you are running. In some
|
||||
distributions, such as <trademark>Debian</trademark> and
|
||||
<trademark>Ubuntu</trademark>, the packet is called kernel-headers.
|
||||
For other distrubutions, such as OpenSuSE, you must install the
|
||||
kernel-source package.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>download the iptables source tarball</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>untar the source</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd to the iptables source directory</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run 'make'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>as root, run 'make install'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Your new iptables binary will now be installed in
|
||||
/usr/local/sbin. Modify shorewall.conf to specify
|
||||
IPTABLES=/usr/local/sbin/iptables</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Download the latest xtables-addons source tarball</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Untar the xtables-addons source</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd to the xtables-addons source directory</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run './configure'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run 'make'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>As root, cd to the xtables-addons directory and run 'make
|
||||
install'.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Restart shorewall</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>'shorewall show capabilities' should now indicate<emphasis
|
||||
role="bold"> Ipset Match: Available</emphasis></para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>You will have to repeat steps 10-13 each time that you receive a
|
||||
kernel upgrade from your distribution vendor. You can install
|
||||
xtables-addons before booting to the new kernel as follows
|
||||
(<emphasis>new-kernel-version</emphasis> is the version of the
|
||||
newly-installed kernel - example <emphasis
|
||||
role="bold">2.6.28.11-generic</emphasis>. Look in the /lib/modules
|
||||
directory to get the full version name)</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>cd to the xtables-addons source directory</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run 'make clean'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run './configure
|
||||
--with-kbuild=/lib/modules/<emphasis>new-kernel-version</emphasis>/build
|
||||
--with-ksource=/lib/modules/<emphasis>new-kernel-version</emphasis>/source'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run 'make'</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>As root, cd to the xtables-addons source directory and run 'make
|
||||
install'.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>As root, run 'depmod -a
|
||||
<emphasis>new-kernel-version'</emphasis></para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Dynamic Zones</title>
|
||||
<title>Dynamic Zones -- Shorewall 4.5.9 and Later</title>
|
||||
|
||||
<para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in
|
||||
<filename>/etc/shorewall/hosts</filename>, Shorewall would create a
|
||||
@@ -160,6 +288,117 @@ rsyncok:
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="Version-4.5.9">
|
||||
<title>Dynamic Zones -- Shorewall 4.5.8 and Earlier.</title>
|
||||
|
||||
<para>The method described in this section is still supported in the later
|
||||
releases.</para>
|
||||
|
||||
<section id="defining1">
|
||||
<title>Defining a Dynamic Zone</title>
|
||||
|
||||
<para>A dynamic zone is defined by using the keyword <emphasis
|
||||
role="bold">dynamic</emphasis> in the zones host list.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME TYPE OPTIONS
|
||||
loc ipv4
|
||||
webok:loc ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth0 - …
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE HOSTS OPTIONS
|
||||
webok eth0:<emphasis role="bold">dynamic</emphasis></programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>Once the above definition is added, Shorewall will automatically
|
||||
create an ipset named <emphasis>webok_eth0</emphasis> the next time that
|
||||
Shorewall is started or restarted. Shorewall will create an ipset of
|
||||
type <firstterm>iphash</firstterm>. If you want to use a different type
|
||||
of ipset, such as <firstterm>macipmap</firstterm>, then you will want to
|
||||
manually create that ipset yourself before the next Shorewall
|
||||
start/restart.</para>
|
||||
|
||||
<para>The dynamic zone capability was added to Shorewall6 in Shorewall
|
||||
4.4.21.</para>
|
||||
</section>
|
||||
|
||||
<section id="adding1">
|
||||
<title>Adding a Host to a Dynamic Zone</title>
|
||||
|
||||
<para>Adding a host to a dynamic zone is accomplished by adding the
|
||||
host's IP address to the appropriate ipset. Shorewall provldes a command
|
||||
for doing that:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>shorewall add</command> <replaceable>interface:address
|
||||
...</replaceable> <replaceable>zone</replaceable></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>shorewall add eth0:192.168.3.4 webok</command></para>
|
||||
</blockquote>
|
||||
|
||||
<para>The command can only be used when the ipset involved is of type
|
||||
iphash. For other ipset types, the <command>ipset</command> command must
|
||||
be used directly.</para>
|
||||
</section>
|
||||
|
||||
<section id="deleting">
|
||||
<title>Deleting a Host from a Dynamic Zone</title>
|
||||
|
||||
<para>Deleting a host from a dynamic zone is accomplished by removing
|
||||
the host's IP address from the appropriate ipset. Shorewall provldes a
|
||||
command for doing that:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>shorewall delete</command>
|
||||
<replaceable>interface:address ...</replaceable>
|
||||
<replaceable>zone</replaceable></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>shorewall delete eth0:192.168.3.4
|
||||
webok</command></para>
|
||||
</blockquote>
|
||||
|
||||
<para>The command can only be used when the ipset involved is of type
|
||||
iphash. For other ipset types, the <command>ipse t</command> command
|
||||
must be used directly.</para>
|
||||
</section>
|
||||
|
||||
<section id="listing1">
|
||||
<title>Listing the Contents of a Dynamic Zone</title>
|
||||
|
||||
<para>The shorewall show command may be used to list the current
|
||||
contents of a dynamic zone.</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>shorewall show dynamic</command>
|
||||
<replaceable>zone</replaceable></para>
|
||||
</blockquote>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting><command>shorewall show dynamic webok</command>
|
||||
eth0:
|
||||
192.168.3.4
|
||||
192.168.3.9</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="start-stop">
|
||||
<title>Dynamic Zone Contents and Shorewall stop/start/restart</title>
|
||||
|
||||
|
@@ -538,7 +538,8 @@ SetEvent(SSH,ACCEPT,src)</programlisting>
|
||||
|
||||
<para><filename>etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
SSHLIMIT net $FW tcp 22 </programlisting>
|
||||
|
||||
<caution>
|
||||
@@ -644,7 +645,8 @@ SSHLIMIT net $FW tcp 22
|
||||
<para>To duplicate the SSHLIMIT entry in
|
||||
<filename>/etc/shorewall/rules</filename> shown above:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
AutoBL(SSH,-,-,-,REJECT,warn)\
|
||||
net $FW tcp 22 </programlisting>
|
||||
</section>
|
||||
@@ -686,7 +688,8 @@ Knock #Port Knocking</programlisting>
|
||||
#
|
||||
?format 2
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT
|
||||
#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
|
||||
- - tcp 22
|
||||
SetEvent(SSH,ACCEPT) - - tcp 1600
|
||||
@@ -694,7 +697,8 @@ ResetEvent(SSH,DROP:info) </programlisting>
|
||||
|
||||
<para><filename>etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
Knock net $FW tcp 22,1599-1601 </programlisting>
|
||||
</section>
|
||||
|
||||
@@ -746,7 +750,7 @@ KnockEnhanced 'net', '$FW', {name => 'SSH1', log_level => 3, proto => '
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">original_dest</emphasis> is the rule
|
||||
ORIGDEST</para>
|
||||
ORIGINAL DEST</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@@ -617,7 +617,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
|
||||
a single address?</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: Specify the external
|
||||
address that you want to redirect in the ORIGDEST column.</para>
|
||||
address that you want to redirect in the ORIGINAL DEST column.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
@@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
|
||||
<para>You have a policy for traffic from
|
||||
<replaceable>zone1</replaceable> to
|
||||
<replaceable>zone2</replaceable> that specifies TCP connection
|
||||
rate limiting (value in the LIMIT column). The logged packet
|
||||
rate limiting (value in the LIMIT:BURST column). The logged packet
|
||||
exceeds that limit and was dropped. Note that these log messages
|
||||
themselves are severely rate-limited so that a syn-flood won't
|
||||
generate a secondary DOS because of excessive log message. These
|
||||
|
59
docs/FTP.xml
59
docs/FTP.xml
@@ -345,22 +345,23 @@ xt_tcpudp 3328 0
|
||||
HELPER rules allow specification of a helper for connections that are
|
||||
ACCEPTed by the applicable policy.</para>
|
||||
|
||||
<para>Example (loc->net policy is ACCEPT) - In
|
||||
<para> Example (loc->net policy is ACCEPT) - In
|
||||
/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST
|
||||
FTP(HELPER) loc - </programlisting>
|
||||
|
||||
<para>or equivalently</para>
|
||||
<para>or equivalently </para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
HELPER loc - tcp 21 { helper=ftp }</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The set of enabled helpers (either by AUTOHELPERS=Yes or by the
|
||||
<para> The set of enabled helpers (either by AUTOHELPERS=Yes or by the
|
||||
HELPERS column) can be taylored using the new HELPERS option in
|
||||
shorewall.conf.</para>
|
||||
shorewall.conf. </para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@@ -388,9 +389,10 @@ HELPER loc - tcp 21 { helper=ftp }</programlisting>
|
||||
/etc/shorewall[6]/conntrack file. These rules are included conditionally
|
||||
based in the setting of AUTOHELPERS.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
<para> Example:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
?if $AUTOHELPERS && __CT_TARGET
|
||||
?if __FTP_HELPER
|
||||
CT:helper:ftp all - tcp 21
|
||||
@@ -398,22 +400,23 @@ CT:helper:ftp all - tcp 21
|
||||
...
|
||||
?endif</programlisting>
|
||||
|
||||
<para>__FTP_HELPER evaluates to false if the HELPERS setting is non-empty
|
||||
<para> __FTP_HELPER evaluates to false if the HELPERS setting is non-empty
|
||||
and 'ftp' is not listed in that setting. For example, if you only need FTP
|
||||
access from your 'loc' zone, then add this rule outside of the outer-most
|
||||
?if....?endif shown above.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
...
|
||||
CT:helper:ftp loc - tcp 21</programlisting>
|
||||
|
||||
<para>For an overview of Netfilter Helpers and Shorewall's support for
|
||||
<para> For an overview of Netfilter Helpers and Shorewall's support for
|
||||
dealing with them, see <ulink
|
||||
url="Helpers.html">http://www.shorewall.net/Helpers.html</ulink>.</para>
|
||||
|
||||
<para>See <ulink
|
||||
url="https://home.regit.org/netfilter-en/secure-use-of-helpers/">https://home.regit.org/netfilter-en/secure-use-of-helpers/</ulink>
|
||||
for additional information.</para>
|
||||
for additional information. </para>
|
||||
</section>
|
||||
|
||||
<section id="Ports">
|
||||
@@ -430,7 +433,8 @@ CT:helper:ftp loc - tcp 21</programlisti
|
||||
|
||||
<para><filename>/etc/shorewall/rules:</filename></para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the</programlisting>
|
||||
|
||||
<para>That entry will accept ftp connections on port 12345 from the net
|
||||
@@ -438,7 +442,8 @@ DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ft
|
||||
|
||||
<para><filename>/etc/shorewall/conntrack:</filename></para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT USER SWITCH
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
|
||||
# PORT(S) PORT(S) GROUP
|
||||
...
|
||||
CT:helper:ftp loc - tcp 12345</programlisting>
|
||||
|
||||
@@ -526,19 +531,20 @@ options nf_nat_ftp</programlisting>
|
||||
<para>Otherwise, for FTP you need exactly <emphasis
|
||||
role="bold">one</emphasis> rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DESTINATION
|
||||
ACCEPT or <<emphasis>source</emphasis>> <<emphasis>destination</emphasis>> tcp 21 - <external IP addr> if
|
||||
DNAT ACTION = DNAT</programlisting>
|
||||
|
||||
<para>You need an entry in the ORIGDEST column only if the ACTION is DNAT,
|
||||
you have multiple external IP addresses and you want a specific IP address
|
||||
to be forwarded to your server.</para>
|
||||
<para>You need an entry in the ORIGINAL DESTINATION column only if the
|
||||
ACTION is DNAT, you have multiple external IP addresses and you want a
|
||||
specific IP address to be forwarded to your server.</para>
|
||||
|
||||
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
|
||||
with 20 (ftp-data) in the DPORT column. If you post your rules on the
|
||||
mailing list and they show 20 in the DPORT column, we will know that you
|
||||
haven't read this article and will either ignore your post or tell you to
|
||||
RTFM.</para>
|
||||
with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on
|
||||
the mailing list and they show 20 in the DEST PORT(S) column, we will know
|
||||
that you haven't read this article and will either ignore your post or
|
||||
tell you to RTFM.</para>
|
||||
|
||||
<para>Shorewall includes an FTP macro that simplifies creation of FTP
|
||||
rules. The macro source is in
|
||||
@@ -552,13 +558,15 @@ DNAT ACTION =
|
||||
<para>Suppose that you run an FTP server on 192.168.1.5 in your local
|
||||
zone using the standard port (21). You need this rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DESTINATION
|
||||
FTP(DNAT) net loc:192.168.1.5</programlisting>
|
||||
</example><example id="Example4">
|
||||
<title>Allow your DMZ FTP access to the Internet</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
|
||||
FTP(ACCEPT) dmz net</programlisting>
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DESTINATION
|
||||
FTP(ACCEPT) dmz net</programlisting>
|
||||
</example></para>
|
||||
|
||||
<para>Note that the FTP connection tracking in the kernel cannot handle
|
||||
@@ -580,7 +588,8 @@ WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</progr
|
||||
<para>I see this problem occasionally with the FTP server in my DMZ. My
|
||||
solution is to add the following rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DESTINATION
|
||||
ACCEPT:info dmz net tcp - 20</programlisting>
|
||||
|
||||
<para>The above rule accepts and logs all active mode connections from my
|
||||
|
@@ -50,7 +50,7 @@
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png"/>
<graphic fileref="images/TwoNets1.png" />
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
@@ -91,7 +91,7 @@ vpn tun0 10.255.255.255</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
generic:tcp:1071 net 134.28.54.2
generic:47 net 134.28.54.2</programlisting>
@@ -104,7 +104,7 @@ vpn tun0 192.168.1.255</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
generic:tcp:1071 net 206.191.148.9
generic:47 net 206.191.148.9</programlisting>
@@ -503,7 +503,8 @@ loadmodule nf_conntrack_sane ports=0</programlisting>
limit the scope of the helper. Suppose that your Linux FTP server is
in zone dmz and has address 70.90.191.123.</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(2)
SECTION RELATED
ACCEPT all dmz:70.90.191.123 32768: ; helper=ftp # passive FTP to dmz server; /proc/sys/net/ipv4/ip_local_port_range == 32760:65535
ACCEPT dmz:70.90.191.123 all tcp 1024: 20 ; helper=ftp # active FTP to dmz server
@@ -62,7 +62,7 @@
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png"/>
<graphic fileref="images/TwoNets1.png" />
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
@@ -103,12 +103,12 @@ vpn ipv4</programlisting>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE OPTIONS
vpn tosysb</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
vpn tosysb 10.255.255.255</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipip net 134.28.54.2</programlisting>
<para>This entry in /etc/shorewall/tunnels, opens the firewall so that the
@@ -133,12 +133,12 @@ subnet=10.0.0.0/8
<emphasis role="bold">vpn</emphasis> zone. In
/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE
vpn tosysa</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST
vpn tosysa 192.168.1.255</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipip net 206.191.148.9</programlisting>
<para>And in the tunnel script on system B:</para>
@@ -267,14 +267,16 @@
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
System A:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 134.28.54.2</programlisting>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 134.28.54.2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename><filename>/etc/shorewall/tunnels</filename></filename> —
System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9</programlisting>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 206.162.148.9
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<note>
@@ -293,9 +295,11 @@ ipsec net 206.162.148.9</programlisting>
<para><filename><filename>/etc/shorewall/zones</filename></filename> —
Systems A and B:</para>
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
net ipv4
<emphasis role="bold">vpn ipv4</emphasis></programlisting>
<emphasis role="bold">vpn ipv4</emphasis>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>Remember the assumption that both systems A and B have eth0 as their
@@ -311,12 +315,14 @@ net ipv4
<para><filename>/etc/shorewall/hosts</filename> — System A</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis></programlisting>
vpn eth0:10.0.0.0/8,134.28.54.2 <emphasis role="bold"> ipsec</emphasis>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/hosts</filename> — System B</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis></programlisting>
vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ipsec</emphasis>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>Assuming that you want to give each local network free access to the
@@ -324,17 +330,17 @@ vpn eth0:192.168.1.0/24,206.162.148.9 <emphasis role="bold">ips
<filename>/etc/shorewall/policy</filename> entries on each system:</para>
<blockquote>
<programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT
loc vpn ACCEPT
vpn loc ACCEPT</programlisting>
</blockquote>
<para>If you need access from each firewall to hosts in the other network,
then you could add:</para>
<blockquote>
<programlisting>#SOURCE DEST POLICY LEVEL BURST:LIMIT
$FW vpn ACCEPT</programlisting>
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST:LIMIT
$FW vpn ACCEPT</programlisting>
</blockquote>
<para>If you need access between the firewall's, you should describe the
@@ -342,7 +348,7 @@ $FW vpn ACCEPT</programlisting>
from System B, add this rule on system A:</para>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO POLICY
<programlisting>#ACTION SOURCE DESTINATION PROTO POLICY
ACCEPT vpn:134.28.54.2 $FW</programlisting>
</blockquote>
@@ -452,7 +458,8 @@ sainfo address 192.168.1.0/24 any address 134.28.54.2/32 any
through an ESP tunnel then the following entry would be
appropriate:</para>
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis></programlisting>
<para>You should also set FASTACCEPT=No in shorewall.conf to ensure
@@ -486,24 +493,25 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
<blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A</para>
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
net ipv4
<emphasis role="bold">vpn ipsec</emphasis>
loc ipv4
</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>In this instance, the mobile system (B) has IP address 134.28.54.2
but that cannot be determined in advance. In the
<filename>/etc/shorewall/tunnels</filename> file on system A, the
following entry should be made:<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 0.0.0.0/0 vpn
</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote></para>
<para><note>
<para>the GATEWAY_ZONE column contains the name of the zone
<para>the GATEWAY ZONE column contains the name of the zone
corresponding to peer subnetworks. This indicates that the gateway
system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</para>
@@ -516,7 +524,8 @@ ipsec net 0.0.0.0/0 vpn
<para><filename>/etc/shorewall/hosts</filename> — System A:</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0</programlisting>
vpn eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>You will need to configure your <quote>through the tunnel</quote>
@@ -527,20 +536,24 @@ vpn eth0:0.0.0.0/0</programlisting>
<blockquote>
<para><filename>/etc/shorewall/zones</filename> - System B:</para>
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
vpn ipsec
net ipv4
loc ipv4</programlisting>
loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename> - System B:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net 206.162.148.9 vpn</programlisting>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 206.162.148.9 vpn
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/hosts</filename> - System B:</para>
<programlisting>#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0</programlisting>
vpn eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>On system A, here are the IPsec files:</para>
@@ -703,11 +716,13 @@ RACOON=/usr/sbin/racoon</programlisting>
<blockquote>
<para><filename>/etc/shorewall/zones</filename> — System A</para>
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
et ipv4
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
net ipv4
vpn ipsec
<emphasis role="bold">l2tp ipv4</emphasis>
loc ipv4</programlisting>
loc ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>Since the L2TP will require the use of pppd, you will end up with
@@ -722,7 +737,8 @@ loc ipv4</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter
loc eth1 192.168.1.255
l2tp ppp+ -</programlisting>
l2tp ppp+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>The next thing that must be done is to adjust the policy so that the
@@ -760,7 +776,7 @@ l2tp ppp+ -</programlisting>
<blockquote>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW all ACCEPT
loc net ACCEPT
loc l2tp ACCEPT # Allows local machines to connect to road warriors
@@ -768,7 +784,8 @@ l2tp loc ACCEPT # Allows road warriors to connect to loca
l2tp net ACCEPT # Allows road warriors to connect to the Internet
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info</programlisting>
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>The final step is to modify your rules file. There are three
@@ -785,7 +802,8 @@ all all REJECT info</programlisting>
<blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
?SECTION ESTABLISHED
# Prevent IPsec bypass by hosts behind a NAT gateway
L2TP(REJECT) net $FW
@@ -797,7 +815,8 @@ ACCEPT vpn $FW udp 1701
HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) l2tp $FW
HTTPS(ACCEPT) loc $FW
HTTPS(ACCEPT) l2tp $FW</programlisting>
HTTPS(ACCEPT) l2tp $FW
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@@ -871,8 +890,9 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.
<blockquote>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0 routefilter,dhcp,tcpflags</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter,dhcp,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
@@ -890,7 +910,8 @@ net ipv4</programlisting>
<para><filename><filename>/etc/shorewall/hosts</filename></filename>:</para>
<programlisting>#ZONE HOST(S) OPTIONS
loc eth0:192.168.20.0/24</programlisting>
loc eth0:192.168.20.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
<para>It is worth noting that although <emphasis>loc</emphasis> is a
sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
@@ -900,14 +921,15 @@ loc eth0:192.168.20.0/24</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW all ACCEPT
loc $FW ACCEPT
net loc NONE
loc net NONE
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info</programlisting>
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>Since there are no cases where net<->loc traffic should
occur, NONE policies are used.</para>
@@ -266,13 +266,13 @@ dmz eth2 detect nets=(192.168.1.0/24)</programlisting>
<para>The <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the three-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>In the three-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT</programlisting> The above policies will:
<itemizedlist>
<listitem>
@@ -316,7 +316,8 @@ $FW net ACCEPT</programlisting> The above policies will:
url="manpages/shorewall-rules.html"><filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net $FW tcp 22</programlisting>
<para>So although you have a policy of ignoring all connection attempts
@@ -68,10 +68,10 @@
optional interfaces for the 'net' zone in
<filename>/etc/shorewall/interfaces</filename>.</para>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0 optional,…
net wlan0 optional,…
net ppp0 optional,…</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect optional,…
net wlan0 detect optional,…
net ppp0 - optional,…</programlisting>
<para>With this configuration, access to the 'net' zone is possible
regardless of which of the interfaces is being used.</para>
@@ -172,20 +172,22 @@ MACLIST_LOG_LEVEL=info</programlisting>
<para>/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE OPTIONS
net $EXT_IF dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF dhcp
dmz $DMZ_IF
vpn tun+
Wifi $WIFI_IF maclist,dhcp</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF 192.168.1.255 dhcp
dmz $DMZ_IF -
vpn tun+ -
Wifi $WIFI_IF - maclist,dhcp
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para>etc/shorewall/maclist:</para>
<para>/etc/shorewall/maclist:</para>
<programlisting>#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
ACCEPT $WIFI_IF 00:04:5e:3f:85:b9 #WAP11
ACCEPT $WIFI_IF 00:06:25:95:33:3c #WET11
ACCEPT $WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER
ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop</programlisting>
ACCEPT $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>As shown above, I used MAC Verification on my wireless zone that
was served by a Linksys WET11 wireless bridge.</para>
@@ -469,7 +469,7 @@ ACCEPT $FW loc tcp 135,139,445</programlist
</listitem>
<listitem>
<para>ORIGDEST (Shorewall-perl 4.2.0 and later)</para>
<para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
<para>To use this column, you must include 'FORMAT 2' as the first
non-comment line in your macro file.</para>
@@ -195,14 +195,16 @@ sub Knock {
<para>The rule from the Port Knocking article:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHKnock net $FW tcp 22,1599,1600,1601
</programlisting>
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target => 22, knocker => 1600, trap => [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target => 22, knocker => 1600, trap => [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
PERL Knock 'net', '$FW', {name => 'SSH', knocker => 1600, trap => [1599, 1601]};
@@ -892,7 +892,7 @@ net eth1 detect …</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DESTINATION POLICY LOGLEVEL LIMIT
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
net net DROP</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para>
@@ -913,13 +913,15 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
later, you would make this entry in <ulink
url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>.</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
MARK(2):P <local network> 0.0.0.0/0 tcp 25</programlisting>
<para>Note that traffic from the firewall itself must be handled in a
different rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
<para>If you are running a Shorewall version earlier than 4.6.0, the
@@ -927,12 +929,14 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
would be:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
2:P <local network> 0.0.0.0/0 tcp 25</programlisting>
<para>And for traffic from the firewall:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
2 $FW 0.0.0.0/0 tcp 25</programlisting>
</section>
@@ -947,7 +951,8 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORTS(S) DEST
DNAT net loc:192.168.1.3 tcp 25</programlisting>
<para>Continuing the above example, to forward only connection requests
@@ -957,16 +962,19 @@ DNAT net loc:192.168.1.3 tcp 25</programlisting
<listitem>
<para>Qualify the SOURCE by ISP 1's interface:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORTS(S) DEST
DNAT net<emphasis role="bold">:eth0</emphasis> loc:192.168.1.3 tcp 25</programlisting>
<para>or</para>
</listitem>
<listitem>
<para>Specify the IP address of ISP 1 in the ORIGDEST column:</para>
<para>Specify the IP address of ISP 1 in the ORIGINAL DEST
column:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORTS(S) DEST
DNAT net loc:192.168.1.3 tcp 25 <emphasis
role="bold">- 206.124.146.176</emphasis></programlisting>
</listitem>
@@ -2565,7 +2573,8 @@ wireless 3 3 - wlan0 172.20.1.1 track,o
role="bold">avvanta</emphasis> provider.</para>
<para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
<filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
<filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S) PORT(S)
MARK(2) $FW 0.0.0.0/0 tcp 21
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting></para>
@@ -2574,7 +2583,8 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
switching to using a mangle file (<command>shorewall update -t</command>
will do that for you). Here are the equivalent tcrules entries:</para>
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
2 $FW 0.0.0.0/0 tcp 21
2 $FW 0.0.0.0/0 tcp - - - - - - - ftp
2 $FW 0.0.0.0/0 tcp 119</programlisting>
@@ -2593,7 +2603,8 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlistin
<para>The same rules converted to use the mangle file are:</para>
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
MARK(2) $FW 0.0.0.0/0 tcp 21
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
@@ -2601,7 +2612,8 @@ MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting>
<para>The remaining files are for a rather standard two-interface config
with a bridge as the local interface.</para>
<para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN_OPTIONS OUT_OPTIONS
<para><filename>zones</filename>:<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
fw firewall
net ipv4
kvm ipv4</programlisting><filename>policy</filename>:<programlisting>net net NONE
@@ -2611,17 +2623,17 @@ kvm all ACCEPT
net all DROP info
all all REJECT info</programlisting></para>
<para>interfaces:<programlisting>#ZONE INTERFACE OPTIONS
<para>interfaces:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
#
net eth0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
net wlan0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional
kvm br0 routeback #Virtual Machines</programlisting><note>
net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional
kvm br0 detect routeback #Virtual Machines</programlisting><note>
<para><filename class="devicefile">wlan0</filename> is the wireless
adapter in the notebook. Used when the laptop is in our home but not
connected to the wired network.</para>
</note></para>
<para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
<para>masq:<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 192.168.0.0/24
wlan0 192.168.0.0/24</programlisting><note>
<para>Because the firewall has only a single external IP address, I
@@ -2803,7 +2815,7 @@ dmz ip #LXC Containers</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE OPTIONS
<programlisting>#ZONE INTERFACE OPTIONS
loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
@@ -2869,7 +2881,9 @@ root@gateway:~# </programlisting>
<para><filename>/etc/shorewall/mangle</filename> is not used to support
Multi-ISP:</para>
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
FORMAT 2
TTL(+1):P INT_IF -
SAME:P INT_IF - tcp 80,443
?if $PROXY && ! $SQUID2
@@ -114,7 +114,7 @@
of this discussion, it makes no difference.</para>
</note>
<graphic fileref="images/MultiZone1.png"/>
<graphic fileref="images/MultiZone1.png" />
<section id="Standard">
<title>Can You Use the Standard Configuration?</title>
@@ -183,7 +183,7 @@
all hosts connected to eth1 and a second zone <quote>loc1</quote>
(192.168.2.0/24) as a sub-zone.</para>
<graphic fileref="images/MultiZone1A.png"/>
<graphic fileref="images/MultiZone1A.png" />
<para><note>
<para>The Router in the above diagram is assumed to NOT be doing
@@ -209,7 +209,7 @@ loc1:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE OPTIONS
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 -</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
@@ -234,7 +234,7 @@ loc1 loc NONE</programlisting>
<para>You define both zones in the /etc/shorewall/hosts file to create
two disjoint zones.</para>
<graphic fileref="images/MultiZone1B.png"/>
<graphic fileref="images/MultiZone1B.png" />
<para><note>
<para>The Router in the above diagram is assumed to NOT be doing
@@ -247,8 +247,8 @@ loc2 ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE OPTIONS
- eth1 -
<programlisting>#ZONE INTERFACE BROADCAST
- eth1 192.168.1.255
</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
@@ -274,7 +274,7 @@ loc2 loc1 NONE</programlisting>
<para>There are cases where a subset of the addresses associated with an
interface need special handling. Here's an example.</para>
<graphic fileref="images/MultiZone2.png"/>
<graphic fileref="images/MultiZone2.png" />
<para>In this example, addresses 192.168.1.8 - 192.168.1.15
(192.168.1.8/29) are to be treated as their own zone (loc1).</para>
@@ -287,8 +287,8 @@ loc1:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE
loc eth1</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST
loc eth1 -</programlisting>
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS
loc1 eth1:192.168.1.8/29 broadcast</programlisting></para>
@@ -326,7 +326,7 @@ loc1 loc NONE</programlisting>
<quote>loc</quote> zone are configured with their default gateway set to
the Shorewall router's RFC1918 address.</para>
<para><graphic fileref="images/MultiZone3.png"/></para>
<para><graphic fileref="images/MultiZone3.png" /></para>
<para><filename>/etc/shorewall/zones</filename></para>
@@ -336,8 +336,8 @@ loc:net ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0 routefilter</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
@@ -494,7 +494,8 @@ tarpit inline # Wrapper for TARPIT
|
||||
<section>
|
||||
<title>/etc/shorewall/action.Mirrors</title>
|
||||
|
||||
<para><programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||
<para><programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
?COMMENT Accept traffic from Mirrors
|
||||
?FORMAT 2
|
||||
DEFAULTS -
|
||||
@@ -507,7 +508,8 @@ $1 $MIRRORS
|
||||
<section>
|
||||
<title>/etc/shorewall/action.tarpit</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
$LOG { rate=s:1/min }
|
||||
TARPIT
|
||||
</programlisting>
|
||||
@@ -518,8 +520,7 @@ TARPIT
|
||||
<section id="zones">
|
||||
<title>/etc/shorewall/zones</title>
|
||||
|
||||
<para><programlisting>#ZONE TYPE
|
||||
fw firewall
|
||||
<para><programlisting>fw firewall
|
||||
loc ip #Local Zone
|
||||
net ipv4 #Internet
|
||||
dmz ipv4 #LXC Containers
|
||||
@@ -530,7 +531,7 @@ smc:net ip #10.0.1.0/24
|
||||
<section id="interfaces">
|
||||
<title>/etc/shorewall/interfaces</title>
|
||||
|
||||
<para><programlisting>#ZONE INTERFACE OPTIONS
|
||||
<para><programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc INT_IF dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0
|
||||
net COMB_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
|
||||
net COMC_IF optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
|
||||
@@ -551,7 +552,8 @@ smc COMC_IF:10.0.0.0/24
|
||||
<section id="policy">
|
||||
<title>/etc/shorewall/policy</title>
|
||||
|
||||
<para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
$FW dmz REJECT $LOG
|
||||
$FW net REJECT $LOG
|
||||
?else
|
||||
@@ -575,7 +577,8 @@ all all REJECT:Reject $LOG
|
||||
<section id="accounting">
|
||||
<title>/etc/shorewall/accounting</title>
|
||||
|
||||
<para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DPORT SPORT USER MARK IPSEC
|
||||
<para><programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
|
||||
# PORT(S) PORT(S) GROUP
|
||||
?COMMENT
|
||||
?SECTION PREROUTING
|
||||
?SECTION INPUT
|
||||
@@ -601,8 +604,7 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COMB_IF
|
||||
<section id="blacklist">
|
||||
<title>/etc/shorewall/blrules</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
WHITELIST net:70.90.191.126 all
|
||||
<para><programlisting>WHITELIST net:70.90.191.126 all
|
||||
BLACKLIST net:+blacklist all
|
||||
BLACKLIST net all udp 1023:1033,1434,5948,23773
|
||||
DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
|
||||
@@ -712,7 +714,8 @@ br0 70.90.191.120/29 70.90.191.121
|
||||
<title>/etc/shorewall/conntrack</title>
|
||||
|
||||
<para><programlisting>?FORMAT 2
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
|
||||
# PORT(S) PORT(S) GROUP
|
||||
#
|
||||
DROP net - udp 3551
|
||||
NOTRACK net - tcp 23
|
||||
@@ -815,7 +818,8 @@ br0 - ComcastB 11000
|
||||
<section id="routestopped">
|
||||
<title>/etc/shorewall/stoppedrules</title>
|
||||
|
||||
<para><programlisting>#TARGET HOST(S) DEST PROTO DPORT SPORT
|
||||
<para><programlisting>#TARGET HOST(S) DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
ACCEPT INT_IF:172.20.1.0/24 $FW
|
||||
NOTRACK COMB_IF - 41
|
||||
NOTRACK $FW COMB_IF 41
|
||||
@@ -828,7 +832,9 @@ ACCEPT COMC_IF $FW udp 67:68</programlistin
|
||||
<title>/etc/shorewall/rules</title>
|
||||
|
||||
<para><programlisting>################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
################################################################################################################################################################################################
|
||||
?if $VERSION < 40500
|
||||
?SHELL echo " ERROR: Shorewall version is too low" >&2; exit 1
|
||||
?endif
|
||||
|
@@ -60,7 +60,7 @@
|
||||
|
||||
<para>The following figure represents a one-to-one NAT environment.</para>
|
||||
|
||||
<graphic fileref="images/staticnat.png"/>
|
||||
<graphic fileref="images/staticnat.png" />
|
||||
|
||||
<para>One-to-one NAT can be used to make the systems with the 10.1.1.*
|
||||
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
|
||||
@@ -73,7 +73,7 @@
|
||||
internal host(s) — such traffic is still subject to your policies and
|
||||
rules.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
130.252.100.18 eth0 10.1.1.2 no no
|
||||
130.252.100.19 eth0 10.1.1.3 no no</programlisting></para>
|
||||
|
||||
@@ -105,7 +105,7 @@
|
||||
<quote>yes</quote> then you must NOT configure your own
|
||||
alias(es).</para>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
</note>
|
||||
|
||||
<note>
|
||||
@@ -126,7 +126,8 @@
|
||||
would need the following entry in
|
||||
<filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIG
|
||||
# PORT(S) PORT(S) DEST
|
||||
ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18</programlisting>
|
||||
</section>
|
||||
|
||||
|
@@ -68,8 +68,8 @@
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>It is widely supported -- I run it on both Linux and
|
||||
Windows.</para>
|
||||
<para>It is widely supported -- I run it on both Linux and Windows
|
||||
XP.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -97,7 +97,7 @@
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoNets1.png"/>
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to
|
||||
communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
@@ -118,7 +118,8 @@
|
||||
<para><filename>/etc/shorewall/zones</filename> — Systems A &
|
||||
B</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
vpn ipv4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -129,7 +130,7 @@ vpn ipv4</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
A:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tun0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -137,7 +138,7 @@ vpn tun0</programlisting>
|
||||
the following:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpn net 134.28.54.2</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -149,7 +150,7 @@ openvpn net 134.28.54.2</programlisting>
|
||||
<blockquote>
|
||||
<para>/etc/shorewall/tunnels with port 7777:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpn:7777 net 134.28.54.2</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -160,7 +161,7 @@ openvpn:7777 net 134.28.54.2</programlisting>
|
||||
<blockquote>
|
||||
<para>/etc/shorewall/tunnels using TCP:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpn:tcp net 134.28.54.2</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -169,7 +170,7 @@ openvpn:tcp net 134.28.54.2</programlisting>
|
||||
<blockquote>
|
||||
<para>/etc/shorewall/tunnels using TCP port 7777:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpn:tcp:7777 net 134.28.54.2</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -205,7 +206,7 @@ vpn tun0 </programlisting>
|
||||
have:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpn net 206.191.148.9</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -248,7 +249,7 @@ vpn loc ACCEPT</programlisting>
|
||||
<para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider
|
||||
the setup in the following diagram:</para>
|
||||
|
||||
<graphic fileref="images/Mobile.png"/>
|
||||
<graphic fileref="images/Mobile.png" />
|
||||
|
||||
<para>On the gateway system (System A), we need a zone to represent the
|
||||
remote clients — we'll call that zone <quote>road</quote>.</para>
|
||||
@@ -256,7 +257,8 @@ vpn loc ACCEPT</programlisting>
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/zones</filename> — System A:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
road ipv4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -267,7 +269,7 @@ road ipv4</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
A:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
road tun+</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -275,7 +277,7 @@ road tun+</programlisting>
|
||||
the following:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpn:1194 net 0.0.0.0/0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -286,7 +288,7 @@ openvpn:1194 net 0.0.0.0/0</programlisting>
|
||||
uses NAT.</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpnserver:1194 net 0.0.0.0/0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -361,7 +363,7 @@ home tun0</programlisting>
|
||||
the following:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpn:1194 net 206.162.148.9</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -370,7 +372,7 @@ openvpn:1194 net 206.162.148.9</programlisting>
|
||||
prefer:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpnclient:1194 net 206.162.148.9</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -441,7 +443,7 @@ verb 3</programlisting>
|
||||
192.168.1.0/24, there will be times when your roadwarriors need to access
|
||||
your lan from a remote location that uses that same network.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Mobile1.png"/>
|
||||
<graphic align="center" fileref="images/Mobile1.png" />
|
||||
|
||||
<para>This may be accomplished by configuring a second server on your
|
||||
firewall that uses a different port and by using <ulink
|
||||
@@ -717,7 +719,7 @@ TUNNEL_IF=gif0
|
||||
<para>Add this entry to <ulink
|
||||
url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpnserver:1194 net 0.0.0.0/0</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
@@ -734,7 +736,7 @@ openvpnserver:1194 net 0.0.0.0/0</programlisting>
|
||||
|
||||
<para>Consider the following case:</para>
|
||||
|
||||
<graphic align="center" fileref="images/bridge4.png"/>
|
||||
<graphic align="center" fileref="images/bridge4.png" />
|
||||
|
||||
<para>Part of the 192.168.1.0/24 network is in one location and part in
|
||||
another. The two LANs can be bridged with OpenVPN as described in this
|
||||
|
@@ -141,16 +141,17 @@ server:~ # </programlisting>
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>###############################################################################
|
||||
#ZONE TYPE OPTIONS IN_OPTION OUT_OPTIONS
|
||||
#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
net ipv4
|
||||
vz ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>###############################################################################
|
||||
#ZONE INTERFACE OPTIONS
|
||||
net eth0 proxyarp=1
|
||||
vz venet0 <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 - proxyarp=1
|
||||
vz venet0 - <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@@ -158,8 +159,8 @@ vz venet0 <emphasis role="bold">routeback,arp_filter=0</emphas
|
||||
|
||||
<para>If you run Shorewall Multi-ISP support on the host, you should
|
||||
arrange for traffic to your containers to use the main routing table. In
|
||||
the configuration shown here, this entry in /etc/shorewall/rtrules is
|
||||
appropriate:</para>
|
||||
the configuration shown here, this entry in /etc/shorewall/rtrules
|
||||
is appropriate:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST PROVIDER PRIORITY
|
||||
- 206.124.146.178 main 1000</programlisting>
|
||||
@@ -289,7 +290,7 @@ done.
|
||||
|
||||
<para>The network diagram is shown below.</para>
|
||||
|
||||
<graphic fileref="images/Network2009c.png"/>
|
||||
<graphic fileref="images/Network2009c.png" />
|
||||
|
||||
<para>The two systems shown in the green box are OpenVZ Virtual
|
||||
Environments (containers).</para>
|
||||
@@ -456,7 +457,8 @@ NAME="server"</emphasis></programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4 #Internet
|
||||
loc ipv4 #Local wired Zone
|
||||
@@ -470,11 +472,11 @@ INT_IF=eth1
|
||||
<emphasis role="bold">VPS_IF=venet0</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
|
||||
role="bold">proxyarp=1</emphasis>
|
||||
loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
<emphasis role="bold">dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
|
||||
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
<emphasis role="bold">dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
|
||||
...</programlisting>This is a multi-ISP configuration so entries are required
|
||||
in <filename>/etc/shorewall/rtrules</filename>:</para>
|
||||
|
||||
@@ -499,7 +501,8 @@ loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tc
|
||||
|
||||
<para>/etc/shorewall/zones:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4</programlisting>
|
||||
|
||||
@@ -523,7 +526,7 @@ net <emphasis role="bold">venet0 </emphasis> detect dhcp,tc
|
||||
|
||||
<para>The network diagram is shown below.</para>
|
||||
|
||||
<graphic fileref="images/Network2010.png"/>
|
||||
<graphic fileref="images/Network2010.png" />
|
||||
|
||||
<para>The two systems shown in the green box are OpenVZ Virtual
|
||||
Environments (containers).</para>
|
||||
@@ -765,7 +768,8 @@ NAME="server"
|
||||
|
||||
<para><filename><filename>/etc/shorewall/zones</filename>:</filename></para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4 #Internet
|
||||
loc ipv4 #Local wired Zone
|
||||
@@ -779,10 +783,10 @@ INT_IF=eth1
|
||||
<emphasis role="bold">VPS_IF=vzbr0</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
|
||||
loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
|
||||
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
|
||||
...</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/proxyarp:</filename></para>
|
||||
@@ -809,14 +813,15 @@ dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.12
|
||||
|
||||
<para><filename>/etc/shorewall/zones:</filename></para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces:</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net <emphasis role="bold">eth0 </emphasis> dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net <emphasis role="bold">eth0 </emphasis> detect dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
||||
|
@@ -178,8 +178,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Rules are conditionally executed based on whether the current
|
||||
packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
|
||||
USER, TEST, LENGTH and TOS columns.</para>
|
||||
packet matches the contents of the SOURCE, DEST, PROTO, PORT(S),
|
||||
CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -352,7 +352,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
||||
<para>The relationship between these options is shown in this
|
||||
diagram.</para>
|
||||
|
||||
<graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
|
||||
<graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
|
||||
|
||||
<para>The default values of these options are determined by the settings
|
||||
of other options as follows:</para>
|
||||
@@ -476,7 +476,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
||||
<para>Here's the example (slightly expanded) from the comments at the top
|
||||
of the <filename>/etc/shorewall/mangle</filename> file.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS
|
||||
# PORT(S)
|
||||
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1
|
||||
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2
|
||||
MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3
|
||||
@@ -485,7 +486,8 @@ MARK(1) $FW 0.0.0.0/0 icmp echo-reply #R
|
||||
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5
|
||||
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6
|
||||
MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7
|
||||
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8</programlisting>
|
||||
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8
|
||||
##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>Let's take a look at each rule:</para>
|
||||
|
||||
@@ -552,25 +554,33 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
|
||||
<filename>/etc/shorewall/providers</filename>:</para>
|
||||
|
||||
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||||
Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1</programlisting>
|
||||
Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
|
||||
<para>Here is <filename>/etc/shorewall/mangle</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||
# PORT(S)
|
||||
CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority
|
||||
#over the server
|
||||
CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873</programlisting>
|
||||
CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
|
||||
<para>And here is <filename>/etc/shorewall/tcdevices</filename> and
|
||||
<filename>/etc/shorewall/tcclasses</filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
eth3 1.3mbit 384kbit
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
eth3 10 full full 1 tcp-ack,tos-minimize-delay
|
||||
eth3 20 9*full/10 9*full/10 2 default
|
||||
eth3 30 6*full/10 6*full/10 3</programlisting>
|
||||
eth3 30 6*full/10 6*full/10 3
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
|
||||
<para>I've annotated the following output with comments beginning with
|
||||
"<<<<" and ending with ">>>>". This example uses
|
||||
|
@@ -131,13 +131,13 @@ add_rule( $chainref, '-p tcp --dport 1601 -m recent --name
|
||||
Internet, add this rule in
|
||||
<filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
SSHKnock net $FW tcp 22,1599,1600,1601</programlisting>
|
||||
|
||||
<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
|
||||
can just add a log level as in:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting>
|
||||
</listitem>
|
||||
|
||||
@@ -146,16 +146,18 @@ SSHKnock:info net $FW tcp 22,1599,1600,1601<
|
||||
206.124.146.178 to internal system 192.168.1.5. In
|
||||
/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
|
||||
SSHKnock net $FW tcp 1599,1600,1601
|
||||
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
|
||||
|
||||
<note>
|
||||
<para>You can use SSHKnock with DNAT on earlier releases provided
|
||||
that you omit the ORIGDEST entry on the second SSHKnock rule. This
|
||||
rule will be quite secure provided that you specify 'routefilter' on
|
||||
your external interface and have NULL_ROUTE_RFC1918=Yes in
|
||||
that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
|
||||
This rule will be quite secure provided that you specify
|
||||
'routefilter' on your external interface and have
|
||||
NULL_ROUTE_RFC1918=Yes in
|
||||
<filename>shorewall.conf</filename>.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
|
@@ -84,7 +84,7 @@
|
||||
|
||||
<para>The following figure represents a Proxy ARP environment.</para>
|
||||
|
||||
<graphic align="center" fileref="images/proxyarp.png"/>
|
||||
<graphic align="center" fileref="images/proxyarp.png" />
|
||||
|
||||
<para>Proxy ARP can be used to make the systems with addresses
|
||||
130.252.100.18 and 130.252.100.19 appear to be on the upper
|
||||
@@ -129,7 +129,7 @@
|
||||
irrelevant, one approach you can take is to make that address the same as
|
||||
the address of your external interface!</para>
|
||||
|
||||
<graphic align="center" fileref="images/proxyarp1.png"/>
|
||||
<graphic align="center" fileref="images/proxyarp1.png" />
|
||||
|
||||
<para>In the diagram above, <filename class="devicefile">eth1</filename>
|
||||
has been given the address 130.252.100.17, the same as
|
||||
@@ -142,7 +142,8 @@
|
||||
you have configured to be in the <emphasis role="bold">loc</emphasis> zone
|
||||
then you would need this entry in /etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT
|
||||
ACCEPT net loc:130.252.100.19 tcp 80</programlisting>
|
||||
|
||||
<warning>
|
||||
|
@@ -213,7 +213,8 @@ ip link set ifb0 up</programlisting>
|
||||
|
||||
<para>The tcdevices file describes the two devices:</para>
|
||||
|
||||
<programlisting>#NUMBER: IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
|
||||
<programlisting>#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
#INTERFACE INTERFACES
|
||||
1:eth0 - ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0
|
||||
2:ifb0 - ${DOWNLOAD}kbit hfsc eth0</programlisting>
|
||||
</section>
|
||||
@@ -224,66 +225,67 @@ ip link set ifb0 up</programlisting>
|
||||
<para>The tcclasses file defines the class hierarchy for both
|
||||
devices:</para>
|
||||
|
||||
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
1 1 ${UP_SC_VOIP_RATE}kbit:\
|
||||
${UP_SC_VOIP_DMAX}:\
|
||||
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
|
||||
<programlisting>#IFACE: MARK RATE: CEIL PRIORITY OPTIONS
|
||||
#CLASS DMAX:UMAX
|
||||
1 1 ${UP_SC_VOIP_RATE}kbit:\
|
||||
${UP_SC_VOIP_DMAX}:\
|
||||
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
|
||||
|
||||
1 2 ${UP_RT_PRIO_RATE}kbit:\
|
||||
${UP_RT_PRIO_DMAX}:\
|
||||
${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\
|
||||
${UP_UL_PRIO_RATE}kbit 1
|
||||
1 2 ${UP_RT_PRIO_RATE}kbit:\
|
||||
${UP_RT_PRIO_DMAX}:\
|
||||
${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\
|
||||
${UP_UL_PRIO_RATE}kbit 1
|
||||
|
||||
1 3 - ${UP_LS_NORMAL_RATE}kbit:\
|
||||
${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\
|
||||
min=$UP_NORMAL_RED_min,\
|
||||
max=$UP_NORMAL_RED_max,\
|
||||
burst=$UP_NORMAL_RED_burst,\
|
||||
probability=$UP_NORMAL_RED_PROB,\
|
||||
ecn)
|
||||
1 4 - ${UP_LS_P2P_RATE}kbit:\
|
||||
${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\
|
||||
min=$UP_P2P_RED_min,\
|
||||
max=$UP_P2P_RED_max,\
|
||||
burst=$UP_P2P_RED_burst,\
|
||||
probability=$UP_P2P_RED_PROB,\
|
||||
ecn)
|
||||
1 5 - ${UP_LS_BULK_RATE}kbit:\
|
||||
${UP_UL_BULK_RATE}kbit 1 default,\
|
||||
red=(limit=$UP_BULK_RED_limit,\
|
||||
min=$UP_BULK_RED_min,\
|
||||
max=$UP_BULK_RED_max,\
|
||||
burst=$UP_BULK_RED_burst,\
|
||||
probability=$UP_BULK_RED_PROB,\
|
||||
ecn)
|
||||
1 3 - ${UP_LS_NORMAL_RATE}kbit:\
|
||||
${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\
|
||||
min=$UP_NORMAL_RED_min,\
|
||||
max=$UP_NORMAL_RED_max,\
|
||||
burst=$UP_NORMAL_RED_burst,\
|
||||
probability=$UP_NORMAL_RED_PROB,\
|
||||
ecn)
|
||||
1 4 - ${UP_LS_P2P_RATE}kbit:\
|
||||
${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\
|
||||
min=$UP_P2P_RED_min,\
|
||||
max=$UP_P2P_RED_max,\
|
||||
burst=$UP_P2P_RED_burst,\
|
||||
probability=$UP_P2P_RED_PROB,\
|
||||
ecn)
|
||||
1 5 - ${UP_LS_BULK_RATE}kbit:\
|
||||
${UP_UL_BULK_RATE}kbit 1 default,\
|
||||
red=(limit=$UP_BULK_RED_limit,\
|
||||
min=$UP_BULK_RED_min,\
|
||||
max=$UP_BULK_RED_max,\
|
||||
burst=$UP_BULK_RED_burst,\
|
||||
probability=$UP_BULK_RED_PROB,\
|
||||
ecn)
|
||||
|
||||
2:10 - ${UP_SC_VOIP_RATE}kbit:\
|
||||
${UP_SC_VOIP_DMAX}:\
|
||||
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
|
||||
2:10 - ${UP_SC_VOIP_RATE}kbit:\
|
||||
${UP_SC_VOIP_DMAX}:\
|
||||
${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
|
||||
|
||||
2:20 - ${DOWN_RT_PRIO_RATE}kbit:\
|
||||
${DOWN_RT_PRIO_DMAX}:\
|
||||
${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1
|
||||
2:20 - ${DOWN_RT_PRIO_RATE}kbit:\
|
||||
${DOWN_RT_PRIO_DMAX}:\
|
||||
${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1
|
||||
|
||||
2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\
|
||||
${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\
|
||||
min=$DOWN_NORMAL_RED_min,\
|
||||
max=$DOWN_NORMAL_RED_max,\
|
||||
burst=$DOWN_NORMAL_RED_burst,\
|
||||
probability=$DOWN_NORMAL_RED_PROB)
|
||||
2:40 - - ${DOWN_LS_P2P_RATE}kbit:\
|
||||
${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\
|
||||
min=$DOWN_P2P_RED_min,\
|
||||
max=$DOWN_P2P_RED_max,\
|
||||
burst=$DOWN_P2P_RED_burst,\
|
||||
probability=$DOWN_P2P_RED_PROB)
|
||||
2:50 - - ${DOWN_LS_BULK_RATE}kbit:\
|
||||
${DOWN_UL_BULK_RATE}kbit 1 default,\
|
||||
red=(limit=$DOWN_BULK_RED_limit,\
|
||||
min=$DOWN_BULK_RED_min,\
|
||||
max=$DOWN_BULK_RED_max,\
|
||||
burst=$DOWN_BULK_RED_burst,\
|
||||
probability=$DOWN_BULK_RED_PROB)</programlisting>
|
||||
2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\
|
||||
${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\
|
||||
min=$DOWN_NORMAL_RED_min,\
|
||||
max=$DOWN_NORMAL_RED_max,\
|
||||
burst=$DOWN_NORMAL_RED_burst,\
|
||||
probability=$DOWN_NORMAL_RED_PROB)
|
||||
2:40 - - ${DOWN_LS_P2P_RATE}kbit:\
|
||||
${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\
|
||||
min=$DOWN_P2P_RED_min,\
|
||||
max=$DOWN_P2P_RED_max,\
|
||||
burst=$DOWN_P2P_RED_burst,\
|
||||
probability=$DOWN_P2P_RED_PROB)
|
||||
2:50 - - ${DOWN_LS_BULK_RATE}kbit:\
|
||||
${DOWN_UL_BULK_RATE}kbit 1 default,\
|
||||
red=(limit=$DOWN_BULK_RED_limit,\
|
||||
min=$DOWN_BULK_RED_min,\
|
||||
max=$DOWN_BULK_RED_max,\
|
||||
burst=$DOWN_BULK_RED_burst,\
|
||||
probability=$DOWN_BULK_RED_PROB)</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@@ -291,7 +293,8 @@ ip link set ifb0 up</programlisting>
|
||||
|
||||
<para>The mangle file classifies upload packets:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE USER TEST
|
||||
# PORT(S) PORT(S)
|
||||
RESTORE:T - - - - - - !0:C
|
||||
CONTINUE:T - - - - - - !0
|
||||
2:T - - icmp
|
||||
@@ -316,7 +319,8 @@ SAVE:T - - - - - -
|
||||
|
||||
<para>The tcfilters file classifies download packets:</para>
|
||||
|
||||
<programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT TOS LENGTH
|
||||
<programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE TOS LENGTH
|
||||
#CLASS PORT(S) PORT(S)
|
||||
#
|
||||
# These classify download traffic
|
||||
#
|
||||
|
@@ -240,15 +240,15 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DPORT</para>
|
||||
<para>DEST PORT(S)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>SPORT</para>
|
||||
<para>SOURCE PORT(S)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>ORIGDEST</para>
|
||||
<para>ORIGINAL DEST</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -284,9 +284,8 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Notice that the first five columns of both sets are the same
|
||||
(although the port-valued column names have changed, the contents are
|
||||
the same).</para>
|
||||
<para>Notice that the first five columns of both sets are the
|
||||
same.</para>
|
||||
|
||||
<para>In Shorewall 5, support for format-1 macros and actions has been
|
||||
dropped and all macros and actions will be processed as if ?FORMAT 2
|
||||
|
@@ -163,7 +163,8 @@ httpd_accel_uses_host_header on</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
ACCEPT $FW net tcp www
|
||||
REDIRECT loc 3128 tcp www - !206.124.146.177
|
||||
</programlisting>
|
||||
@@ -174,9 +175,10 @@ REDIRECT loc 3128 tcp www - !206.124.146.
|
||||
Squid.</para>
|
||||
|
||||
<para>If needed, you may just add the additional hosts/networks to the
|
||||
ORIGDEST column in your REDIRECT rule.</para>
|
||||
ORIGINAL DEST column in your REDIRECT rule.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
|
||||
|
||||
<para>People frequently ask <emphasis>How can I exclude certain
|
||||
@@ -186,7 +188,8 @@ REDIRECT loc 3128 tcp www - !206.124.146.
|
||||
<para>Suppose that you want to exclude 192.168.1.5 and 192.168.1.33
|
||||
from the proxy. Your rules would then be:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
ACCEPT $FW net tcp www
|
||||
REDIRECT loc:!192.168.1.5,192.168.1.33\
|
||||
3128 tcp www - !206.124.146.177,130.252.100.0/24
|
||||
@@ -212,7 +215,8 @@ gateway:/etc/shorewall# </programlisting>
|
||||
role="bold">(squid)</emphasis> is running under the <emphasis
|
||||
role="bold">proxy</emphasis> user Id. We add these rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL RATE USER/
|
||||
# PORT(S) DEST LIMIT GROUP
|
||||
ACCEPT $FW net tcp www
|
||||
REDIRECT $FW 3128 tcp www - - - <emphasis
|
||||
role="bold"> !proxy</emphasis></programlisting>
|
||||
@@ -238,16 +242,18 @@ Squid 1 202 - eth1 192.168.1.3 loose,no
|
||||
<listitem>
|
||||
<para>In <filename>/etc/shorewall/mangle</filename> add:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
||||
|
||||
<para>If you are still using a tcrules file, you should consider
|
||||
switching to using a mangle file (<command>shorewall update
|
||||
-t</command> (<command>shorewall update</command> on Shorewall 5.0
|
||||
and later) will do that for you). Corresponding
|
||||
-t</command> (<command>shorewall update</command> on
|
||||
Shorewall 5.0 and later) will do that for you). Corresponding
|
||||
/etc/shorewall/tcrules entries are:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT
|
||||
<programlisting>#MARK SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
202:P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
||||
</listitem>
|
||||
|
||||
@@ -255,8 +261,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
||||
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
||||
</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 detect <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -288,7 +294,8 @@ loc eth1 <emphasis role="bold">routeback,routefilter=0,logmartians=0
|
||||
|
||||
<para>In <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.0.2.177</programlisting>
|
||||
</section>
|
||||
|
||||
@@ -309,12 +316,14 @@ Squid 1 202 - eth2 192.0.2.177 loose,no
|
||||
<listitem>
|
||||
<para>In <filename>/etc/shorewall/mangle</filename> add:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
|
||||
<para>Corresponding /etc/shorewall/tcrules entries are:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT
|
||||
<programlisting>#MARK SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
202:P eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
</listitem>
|
||||
|
||||
@@ -322,8 +331,8 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
||||
</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth2 <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth2 detect <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -354,7 +363,7 @@ loc eth2 <emphasis role="bold">routefilter=0,logmartians=0</emphasis
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT Z SZ tcp SP
|
||||
ACCEPT SZ net tcp 80,443</programlisting>
|
||||
|
||||
@@ -362,7 +371,7 @@ ACCEPT SZ net tcp 80,443</programlisting>
|
||||
<title>Squid on the firewall listening on port 8080 with access from the
|
||||
<quote>loc</quote> zone:</title>
|
||||
|
||||
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc $FW tcp 8080
|
||||
ACCEPT $FW net tcp 80,443</programlisting></para>
|
||||
</example>
|
||||
@@ -397,8 +406,8 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces:</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
- lo -</programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- lo - -</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/providers</filename>:</para>
|
||||
|
||||
@@ -413,13 +422,17 @@ Tproxy 1 - - lo - tproxy</programli
|
||||
<para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
|
||||
eth1 and net interface is eth0):</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
DIVERT eth0 0.0.0.0/0 tcp - 80
|
||||
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
|
||||
<para>Corresponding <filename>/etc/shorewall/mangle</filename> are:</para>
|
||||
<para>Corresponding <filename>/etc/shorewall/tcrules</filename>
|
||||
are:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting><emphasis role="bold">FORMAT 2</emphasis>
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
DIVERT eth0 0.0.0.0/0 tcp - 80
|
||||
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
|
||||
@@ -432,14 +445,16 @@ TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
on port 80, then you need to exclude it from TPROXY. Suppose that your
|
||||
web server listens on 192.0.2.144; then:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting><emphasis role="bold">FORMAT 2</emphasis>
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT(S) PORT(S)
|
||||
DIVERT eth0 0.0.0.0/0 tcp - 80
|
||||
TPROXY(3129) eth1 !192.0.2.144 tcp 80 -</programlisting>
|
||||
</note>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc $FW tcp 80
|
||||
ACCEPT $FW net tcp 80</programlisting>
|
||||
|
||||
|
@@ -166,7 +166,7 @@ iface eth0 inet static
|
||||
<example id="SSH">
|
||||
<title>allow SSH from net to eth0:0 above</title>
|
||||
|
||||
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
|
||||
</example>
|
||||
</section>
|
||||
@@ -179,14 +179,15 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
|
||||
zone at 192.168.1.3. That is accomplished by a single rule in the
|
||||
<filename>/etc/shorewall/rules</filename> file:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
|
||||
|
||||
<para>If I wished to forward tcp port 10000 on that virtual interface to
|
||||
port 22 on local host 192.168.1.3, the rule would be:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
DNAT net loc:192.168.1.3:22 tcp 10000 - 206.124.146.178 </programlisting>
|
||||
</section>
|
||||
|
||||
@@ -201,7 +202,7 @@ DNAT net loc:192.168.1.3:22 tcp 10000 - 20
|
||||
eth0 192.168.1.0/24 206.124.146.178</programlisting>
|
||||
|
||||
<para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
|
||||
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT
|
||||
have source IP 206.124.146.178:<programlisting>#INTERFACE SUBNET ADDRESS PROTO DEST PORT(S)
|
||||
eth0 192.168.1.22 206.124.146.178 tcp 25</programlisting></para>
|
||||
|
||||
<para>Shorewall can create the alias (additional address) for you if you
|
||||
@@ -245,7 +246,7 @@ eth0:2 = 206.124.146.180</programlisting>
|
||||
would have the following in
|
||||
<filename>/etc/shorewall/nat</filename>:</para>
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
206.124.146.178 eth0 192.168.1.3 no no</programlisting>
|
||||
|
||||
<para>Shorewall can create the alias (additional address) for you if you
|
||||
@@ -262,7 +263,7 @@ eth0:2 = 206.124.146.180</programlisting>
|
||||
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in
|
||||
the INTERFACE column as follows.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
|
||||
<para><filename>/etc/shorewall/nat</filename><programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
206.124.146.178 eth0:0 192.168.1.3 no no</programlisting></para>
|
||||
|
||||
<para>In either case, to create rules in
|
||||
@@ -274,7 +275,7 @@ eth0:2 = 206.124.146.180</programlisting>
|
||||
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
|
||||
192.168.1.3.</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
|
||||
</example>
|
||||
</section>
|
||||
@@ -304,8 +305,8 @@ loc ipv4</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 - <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/rules</filename>, simply specify
|
||||
ACCEPT rules for the traffic that you want to permit.</para>
|
||||
@@ -326,8 +327,8 @@ loc2 ipv4</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
- eth1 </programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- eth1 - </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
|
@@ -68,7 +68,7 @@
|
||||
<para>The following diagram shows the relationship between routing
|
||||
decisions and Netfilter.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Netfilter.png"/>
|
||||
<graphic align="center" fileref="images/Netfilter.png" />
|
||||
|
||||
<para>The light blue boxes indicate where routing decisions are made. Upon
|
||||
exit from one of these boxes, if the packet is being sent to another
|
||||
@@ -208,7 +208,8 @@
|
||||
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
206.124.146.177 eth1 eth0 No</programlisting>
|
||||
206.124.146.177 eth1 eth0 No
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>The above entry will cause Shorewall to execute the following
|
||||
command:</para>
|
||||
|
@@ -86,7 +86,7 @@
|
||||
<para>The following diagram shows a firewall for two bridged LAN
|
||||
segments.</para>
|
||||
|
||||
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle"/>
|
||||
<graphic align="center" fileref="images/SimpleBridge.png" valign="middle" />
|
||||
|
||||
<para>This is fundamentally the Two-interface Firewall described in the
|
||||
<ulink url="two-interface.htm">Two-interface Quickstart Guide</ulink>. The
|
||||
@@ -108,11 +108,10 @@
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
net eth0 ...
|
||||
loc <emphasis role="bold">br0</emphasis> <emphasis
|
||||
role="bold">routeback,bridge</emphasis>,...</programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect ...
|
||||
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
|
||||
role="bold">routeback</emphasis>,...</programlisting>
|
||||
|
||||
<para>So the key points here are:</para>
|
||||
|
||||
@@ -129,9 +128,8 @@ loc <emphasis role="bold">br0</emphasis> <emphasis
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <emphasis role="bold">routeback</emphasis> and <emphasis
|
||||
role="bold">bridge</emphasis> options is specified for <filename
|
||||
class="devicefile">br0</filename>.</para>
|
||||
<para>The <emphasis role="bold">routeback</emphasis> option is
|
||||
specified for <filename class="devicefile">br0</filename>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -140,6 +138,13 @@ loc <emphasis role="bold">br0</emphasis> <emphasis
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><emphasis role="bold">Note to Shorewall-perl users</emphasis>: You
|
||||
should also specify the <emphasis role="bold">bridge</emphasis>
|
||||
option:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect ...
|
||||
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
|
||||
role="bold">routeback,bridge</emphasis>,...</programlisting></para>
|
||||
|
||||
<para>Your entry in <filename>/etc/shorewall/masq</filename> should be
|
||||
unchanged:</para>
|
||||
|
||||
|
@@ -93,8 +93,9 @@ forward_chain_name = forwardUPnP</programlisting>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth1 dhcp,routefilter,tcpflags,<emphasis role="bold">upnp</emphasis></programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth1 detect dhcp,routefilter,tcpflags,<emphasis
|
||||
role="bold">upnp</emphasis></programlisting>
|
||||
|
||||
<para>If your loc->fw policy is not ACCEPT then you need this
|
||||
rule:</para>
|
||||
|
@@ -202,7 +202,7 @@
|
||||
<filename>/etc/shorewall/macro.*</filename>, the general format of a
|
||||
rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<<emphasis>macro</emphasis>>(ACCEPT) net $FW</programlisting>
|
||||
|
||||
<important>
|
||||
@@ -214,7 +214,7 @@
|
||||
<title>You want to run a Web Server and a IMAP Server on your firewall
|
||||
system:</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Web(ACCEPT) net $FW
|
||||
IMAP(ACCEPT)net $FW</programlisting>
|
||||
</example>
|
||||
@@ -225,14 +225,14 @@ IMAP(ACCEPT)net $FW</programlisting>
|
||||
general format of a rule in <filename>/etc/shorewall/rules</filename>
|
||||
is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT net $FW <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||
|
||||
<example id="Example2">
|
||||
<title>You want to run a Web Server and a IMAP Server on your firewall
|
||||
system:</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT net $FW tcp 80
|
||||
ACCEPT net $FW tcp 143</programlisting></para>
|
||||
</example>
|
||||
@@ -320,7 +320,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
|
||||
<para>Then at a root prompt, type:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>/sbin/shorewall reload</command></para>
|
||||
<para><command>/sbin/shorewall restart</command></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
@@ -345,7 +345,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
|
||||
<para>Then at a root prompt, type:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><command>/sbin/shorewall reload</command></para>
|
||||
<para><command>/sbin/shorewall restart</command></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
</section>
|
||||
|
40
docs/VPN.xml
40
docs/VPN.xml
@@ -46,7 +46,7 @@
|
||||
The two most common means for doing this are IPSEC and PPTP. The basic
|
||||
setup is shown in the following diagram:</para>
|
||||
|
||||
<graphic fileref="images/VPN.png"/>
|
||||
<graphic fileref="images/VPN.png" />
|
||||
|
||||
<para>A system with an RFC 1918 address needs to access a remote network
|
||||
through a remote gateway. For this example, we will assume that the local
|
||||
@@ -87,15 +87,15 @@
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTO</entry>
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">DPORT</entry>
|
||||
<entry align="center">PORT</entry>
|
||||
|
||||
<entry align="center">SPORT</entry>
|
||||
<entry align="center">CLIENT PORT</entry>
|
||||
|
||||
<entry align="center">ORIGDEST</entry>
|
||||
<entry align="center">ORIGINAL DEST</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
@@ -109,11 +109,11 @@
|
||||
|
||||
<entry>50</entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@@ -127,9 +127,9 @@
|
||||
|
||||
<entry>500</entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
@@ -146,15 +146,15 @@
|
||||
|
||||
<entry align="center">SOURCE</entry>
|
||||
|
||||
<entry align="center">DEST</entry>
|
||||
<entry align="center">DESTINATION</entry>
|
||||
|
||||
<entry align="center">PROTO</entry>
|
||||
<entry align="center">PROTOCOL</entry>
|
||||
|
||||
<entry align="center">DPORT</entry>
|
||||
<entry align="center">PORT</entry>
|
||||
|
||||
<entry align="center">SPORT</entry>
|
||||
<entry align="center">CLIENT PORT</entry>
|
||||
|
||||
<entry align="center">ORIGDEST</entry>
|
||||
<entry align="center">ORIGINAL DEST</entry>
|
||||
</row>
|
||||
</thead>
|
||||
|
||||
@@ -170,9 +170,9 @@
|
||||
|
||||
<entry>4500</entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@@ -186,9 +186,9 @@
|
||||
|
||||
<entry>500</entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
|
@@ -115,7 +115,7 @@
|
||||
|
||||
<para>Incoming traffic is similar.</para>
|
||||
|
||||
<graphic align="center" fileref="images/VPNBasics.png"/>
|
||||
<graphic align="center" fileref="images/VPNBasics.png" />
|
||||
</section>
|
||||
|
||||
<section id="Shorewall">
|
||||
@@ -203,8 +203,8 @@ loc ipv4
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTION
|
||||
net eth0 tcpflags,routefilter
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTION
|
||||
net eth0 - tcpflags,routefilter
|
||||
loc eth1 -
|
||||
<emphasis role="bold">rem ppp0 -</emphasis></programlisting>
|
||||
</section>
|
||||
@@ -216,7 +216,7 @@ loc eth1 -
|
||||
client(s) and the local zone. You can do that with a couple of
|
||||
policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DESTINATION POLICY LOGLEVEL BURST
|
||||
<programlisting>#SOURCE DESTINATION POLICY LEVEL BURST/LIMIT
|
||||
rem loc ACCEPT
|
||||
loc rem ACCEPT</programlisting>
|
||||
|
||||
@@ -259,8 +259,8 @@ rem2 ipv4 #Remote LAN 2</emphasis></programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTION
|
||||
net eth0 tcpflags,routefilter
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTION
|
||||
net eth0 - tcpflags,routefilter
|
||||
loc eth1 -
|
||||
<emphasis role="bold">- tun+ -</emphasis></programlisting>
|
||||
|
||||
@@ -291,14 +291,15 @@ rem2 tun+:10.0.1.0/24</emphasis></programlisting>
|
||||
<para>/<filename>etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
ipsec Z1 1.2.3.4 Z2</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT PORT(S)
|
||||
ACCEPT $FW Z1:1.2.3.4 udp 500
|
||||
ACCEPT Z1:1.2.3.4 $FW udp 500
|
||||
ACCEPT $FW Z1:1.2.3.4 50
|
||||
@@ -321,14 +322,15 @@ ACCEPT Z2:1.2.3.4 $FW udp 500</programlisting>
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
pptpserver Z1 1.2.3.4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>/<filename>etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT PORT(S)
|
||||
|
||||
ACCEPT Z1:1.2.3.4 $FW tcp 1723
|
||||
ACCEPT $FW Z1:1.2.3.4 47
|
||||
@@ -345,14 +347,15 @@ ACCEPT Z1:1.2.3.4 $FW 47</programlisting>
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpn:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT PORT(S)
|
||||
|
||||
ACCEPT Z1:1.2.3.4 $FW udp <emphasis>port</emphasis>
|
||||
ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></programlisting>
|
||||
@@ -361,14 +364,15 @@ ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></progr
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpnclient:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT PORT(S)
|
||||
|
||||
ACCEPT Z1:1.2.3.4 $FW udp - <emphasis>port</emphasis>
|
||||
ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></programlisting>
|
||||
@@ -377,14 +381,15 @@ ACCEPT $FW Z1:1.2.3.4 udp <emphasis>port</emphasis></progr
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
openvpnserver:<emphasis>port</emphasis> Z1 1.2.3.4</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
# PORT PORT(S)
|
||||
|
||||
ACCEPT Z1:1.2.3.4 $FW udp <emphasis>port</emphasis>
|
||||
ACCEPT $FW Z1:1.2.3.4 udp - <emphasis>port</emphasis></programlisting>
|
||||
|
@@ -122,7 +122,7 @@ gateway:~#</programlisting>
|
||||
<para>This is a diagram of the network configuration here at Shorewall.net
|
||||
during the summer of 2010:</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2010a.png"/>
|
||||
<graphic align="center" fileref="images/Network2010a.png" />
|
||||
|
||||
<para>I created a zone for the vservers as follows:</para>
|
||||
|
||||
@@ -138,9 +138,8 @@ vpn ipv4 #OpenVPN clients
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
<emphasis role="bold">net eth1 routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<emphasis role="bold">net eth1 detect routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
@@ -165,7 +164,8 @@ drct eth4:dynamic
|
||||
|
||||
<para><filename>/etc/shorewall6/zones</filename></para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv6
|
||||
loc ipv6
|
||||
@@ -175,9 +175,8 @@ vpn ipv6
|
||||
|
||||
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
<emphasis role="bold">net sit1 tcpflags,forward=1,nosmurfs,routeback</emphasis>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<emphasis role="bold">net sit1 detect tcpflags,forward=1,nosmurfs,routeback</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall6/hosts</filename>:</para>
|
||||
@@ -205,7 +204,7 @@ vpn ipv6
|
||||
Proxy NDP support in Shorewall 4.4.16 and later. The new network diagram
|
||||
is as shown below:</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2011.png"/>
|
||||
<graphic align="center" fileref="images/Network2011.png" />
|
||||
|
||||
<para>This change was accompanied by the following additions to
|
||||
<filename>/etc/shorewall6/proxyndp</filename>:</para>
|
||||
|
@@ -105,7 +105,7 @@
|
||||
|
||||
<para>Here is a high-level diagram of our network.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen5.png"/>
|
||||
<graphic align="center" fileref="images/Xen5.png" />
|
||||
|
||||
<para>As shown in this diagram, the Xen system has three physical network
|
||||
interfaces. These are:</para>
|
||||
@@ -365,7 +365,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
|
||||
<para>With the three Xen domains up and running, the system looks as
|
||||
shown in the following diagram.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen4a.png"/>
|
||||
<graphic align="center" fileref="images/Xen4a.png" />
|
||||
|
||||
<para>The zones correspond to the Shorewall zones in the Dom0
|
||||
configuration.</para>
|
||||
@@ -440,7 +440,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
|
||||
a bridged OpenVPN server for the wireless network in our home. Here is
|
||||
the firewall's view of the network:</para>
|
||||
|
||||
<graphic align="center" fileref="images/network4a.png"/>
|
||||
<graphic align="center" fileref="images/network4a.png" />
|
||||
|
||||
<para>The three laptops can be directly attached to the LAN as shown
|
||||
above or they can be attached wirelessly -- their IP addresses are the
|
||||
@@ -520,17 +520,21 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall #The firewall itself.
|
||||
net ipv4 #Internet
|
||||
loc ipv4 #Local wired Zone
|
||||
dmz ipv4 #DMZ
|
||||
vpn ipv4 #Open VPN clients
|
||||
wifi ipv4 #Local Wireless Zone</programlisting>
|
||||
wifi ipv4 #Local Wireless Zone
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
$FW $FW ACCEPT
|
||||
$FW net ACCEPT
|
||||
loc net ACCEPT
|
||||
@@ -545,7 +549,8 @@ net $FW DROP $LOG 1/sec:2
|
||||
net loc DROP $LOG 2/sec:4
|
||||
net dmz DROP $LOG 8/sec:30
|
||||
net vpn DROP $LOG
|
||||
all all REJECT $LOG</programlisting>
|
||||
all all REJECT $LOG
|
||||
#LAST LINE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>Note that the firewall<->local network interface
|
||||
is wide open so from a security point of view, the firewall system is
|
||||
@@ -567,7 +572,9 @@ EXT_IF=eth0
WIFI_IF=eth2
TEST_IF=eth4
OMAK=<IP address at our second home></programlisting>
OMAK=<IP address at our second home>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/init</filename>:</para>
@@ -584,14 +591,16 @@ loc $TEST_IF detect optional
loc $TEST1_IF detect optional
wifi $WIFI_IF detect dhcp,maclist,mss=1400
vpn tun+ -
</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
COMMENT One-to-one NAT
206.124.146.178 $EXT_IF:0 192.168.1.3 No No
206.124.146.180 $EXT_IF:2 192.168.1.6 No No</programlisting>
206.124.146.180 $EXT_IF:2 192.168.1.6 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>following proxyarp</filename> file that allows me to
@@ -600,7 +609,7 @@ COMMENT One-to-one NAT
rule before the SNAT rules generated by entries in
<filename>/etc/shorewall/nat</filename> above.</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
COMMENT Handle DSL 'Modem'
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
@@ -615,36 +624,51 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98
COMMENT Masquerade Local Network
$EXT_IF 192.168.1.0/24 206.124.146.179</programlisting>
$EXT_IF 192.168.1.0/24 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.168.1.1 $EXT_IF $INT_IF yes
206.124.146.177 $DMZ_IF $EXT_IF yes
192.168.1.7 $TEST_IF $INT_IF yes</programlisting>
192.168.1.7 $TEST_IF $INT_IF yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server</programlisting>
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/blacklist</filename>:</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para>
<programlisting>#ACTION
Mirrors # Accept traffic from Shorewall Mirrors</programlisting>
Mirrors # Accept traffic from Shorewall Mirrors
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
ACCEPT $MIRRORS</programlisting>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>SECTION NEW
###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
###############################################################################################################################################################################
REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031
@@ -869,24 +893,28 @@ Ping(ACCEPT) fw dmz
# Avoid logging Freenode.net probes
#
DROP net:82.96.96.3 all
</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>etc/shorewall/tcdevices</filename></para>
<para><filename>/etc/shorewall/tcdevices</filename></para>
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
$EXT_IF 1300kbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 3*full/10 9*full/10 2 default
$EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
$EXT_IF 30 2*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
<para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.</programlisting></para>
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
</blockquote>
<para>The <filename class="devicefile">tap0</filename> device used by
@@ -72,7 +72,7 @@
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
as shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen1.png"/>
<graphic align="center" fileref="images/Xen1.png" />
<para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish
the bridge and virtual interfaces from Dom0 itself. That distinction is
@@ -169,7 +169,7 @@
<para>Here is a high-level diagram of our network.</para>
<graphic align="center" fileref="images/Xen5.png"/>
<graphic align="center" fileref="images/Xen5.png" />
<para>As shown in this diagram, the Xen system has three physical network
interfaces. These are:</para>
@@ -330,7 +330,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
<para>With all three Xen domains up and running, the system looks as
shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen4.png"/>
<graphic align="center" fileref="images/Xen4.png" />
<para>The zones correspond to the Shorewall zones in the firewall DomU
configuration.</para>
@@ -430,24 +430,39 @@ done</programlisting>
<blockquote>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
loc ipv4
dmz ipv4</programlisting>
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/policy</filename> (Note the unusual use
of an ACCEPT all->all policy):</para>
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
dmz all REJECT info
all dmz REJECT info
all all ACCEPT</programlisting>
all all ACCEPT
#LAST LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc xenbr0 192.168.1.255 dhcp,routeback
dmz xenbr1 - routeback</programlisting>
dmz xenbr1 - routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@@ -463,7 +478,7 @@ dmz xenbr1 - routeback</programlisting>
for our two laptops and a bridged OpenVPN server for the wireless
network in our home. Here is the firewall's view of the network:</para>
<graphic align="center" fileref="images/network4.png"/>
<graphic align="center" fileref="images/network4.png" />
<para>The two laptops can be directly attached to the LAN as shown above
or they can be attached wirelessly -- their IP addresses are the same in
@@ -529,17 +544,21 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4 #Internet
loc ipv4 #Local wired Zone
dmz ipv4 #DMZ
vpn ipv4 #Open VPN clients
wifi ipv4 #Local Wireless Zone</programlisting>
wifi ipv4 #Local Wireless Zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
$FW $FW ACCEPT
$FW net ACCEPT
loc net ACCEPT
@@ -554,7 +573,8 @@ net $FW DROP $LOG 1/sec:2
net loc DROP $LOG 2/sec:4
net dmz DROP $LOG 8/sec:30
net vpn DROP $LOG
all all REJECT $LOG</programlisting>
all all REJECT $LOG
#LAST LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/params (edited)</filename>:</para>
@@ -571,7 +591,9 @@ DMZ_IF=eth1
EXT_IF=eth3
WIFI_IF=eth4
OMAK=<IP address at our second home></programlisting>
OMAK=<IP address at our second home>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/init</filename>:</para>
@@ -585,14 +607,15 @@ dmz $DMZ_IF 192.168.0.255 logmartians
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
wifi $WIFI_IF 192.168.3.255 dhcp,maclist
vpn tun+ -
</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>following proxyarp</filename> file that allows me to
@@ -601,39 +624,45 @@ vpn tun+ -
rule before the SNAT rules generated by entries in
<filename>/etc/shorewall/nat</filename> above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
$EXT_IF 192.168.0.0/22 206.124.146.179</programlisting>
$EXT_IF 192.168.0.0/22 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.168.1.1 $EXT_IF $INT_IF yes
206.124.146.177 $DMZ_IF $EXT_IF yes</programlisting>
206.124.146.177 $DMZ_IF $EXT_IF yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para>
<programlisting>#ACTION
Mirrors # Accept traffic from Shorewall Mirrors
</programlisting>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO PORT SPORT ORIGDEST RATE
ACCEPT $MIRRORS</programlisting>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>?SECTION NEW
<programlisting>SECTION NEW
###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
###############################################################################################################################################################################
REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031
@@ -786,24 +815,28 @@ Ping(ACCEPT) fw dmz
# Avoid logging Freenode.net probes
#
DROP net:82.96.96.3 all
</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/tcdevices</filename></para>
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
$EXT_IF 1300kbit 384kbit</programlisting>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
$EXT_IF 1300kbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 3*full/10 9*full/10 2 default
$EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
$EXT_IF 30 2*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
<para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
</programlisting></para>
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
</blockquote>
<para>The tap0 device used by the bridged OpenVPN server is bridged to
@@ -85,13 +85,14 @@
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
standard and custom macros as well as standard and custom actions. See
<ulink url="manpages/shorewall-rules.html">shorewall-blrules</ulink> (5)
for details.</para>
<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
details.</para>
<para>Example:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORTS(S)
SECTION BLACKLIST
WHITELIST net:70.90.191.126 all
DROP net all udp 1023:1033,1434,5948,23773
DROP all net udp 1023:1033
@@ -106,74 +107,243 @@ DROP net:200.55.14.18 all
<para>Beginning with Shorewall 4.4.26, the <command>update</command>
command supports a <option>-b</option> option that causes your legacy
blacklisting configuration to use the blrules file.</para>
<note>
<para>If you prefer to keep your blacklisting rules in your rules file
(<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
(5)), you can place them in the BLACKLIST section of that file rather
than in blrules.</para>
</note>
</section>
<section>
<title>Dynamic Blacklisting</title>
<title>Legacy Blacklisting</title>
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
Prior to that release, the feature is always enabled.</para>
<para>Prior to 4.4.25, two forms of blacklisting were supported; static
and dynamic. The dynamic variety is still appropriate for
<firstterm>on-the-fly</firstterm> blacklisting; the static form is
deprecated.</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite] commands.
<emphasis role="bold">Note</emphasis> that <emphasis
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<important>
<para><emphasis role="bold">By default, only the source address is
checked against the blacklists</emphasis>. Blacklists only stop
blacklisted hosts from connecting to you — they do not stop you or your
users from connecting to blacklisted hosts .</para>
<itemizedlist>
<listitem>
<para>drop [to|from] <emphasis><ip address list></emphasis> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>
<variablelist>
<varlistentry>
<term>UPDATE</term>
<listitem>
<para>reject [to|from]<emphasis><ip address list></emphasis> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para>Beginning with Shorewall 4.4.12, you can also blacklist by
destination address. See <ulink
url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
(5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
for details.</para>
</listitem>
</varlistentry>
</variablelist>
</important>
<listitem>
<para>allow [to|from] <emphasis><ip address list></emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para>
</listitem>
<important>
<para><emphasis role="bold">Dynamic Shorewall blacklisting is not
appropriate for blacklisting 1,000s of different addresses. Static
Blacklisting can handle large blacklists but only if you use
ipsets</emphasis>. Without ipsets, the blacklists will take forever to
load, and will have a very negative effect on firewall
performance.</para>
</important>
<listitem>
<para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</para>
<section id="Static">
<title>Static Blacklisting</title>
<para><emphasis role="bold">Update:</emphasis> Beginning with
Shorewall 4.4.10, the dynamic blacklist is automatically retained over
<command>stop/start</command> sequences and over
<command>restart</command> and <emphasis
role="bold">reload</emphasis>.</para>
</listitem>
<para>Shorewall static blacklisting support has the following
configuration parameters:</para>
<listitem>
<para>show dynamic - displays the dynamic blacklisting
configuration.</para>
</listitem>
<itemizedlist>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in
<ulink
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
</listitem>
<listitem>
<para>logdrop [to|from] <emphasis><ip address list></emphasis> -
causes packets from the listed IP addresses to be dropped and logged
by the firewall. Logging will occur at the level specified by the
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
</listitem>
<listitem>
<para>logreject [to|from}<emphasis><ip address list></emphasis>
- causes packets from the listed IP addresses to be rejected and
logged by the firewall. Logging will occur at the level specified by
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
</itemizedlist>
<listitem>
<para>You list the IP addresses/subnets that you wish to blacklist
in <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5). You may also specify PROTOCOL and Port numbers/Service names in
the blacklist file.</para>
</listitem>
<listitem>
<para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote>
option in <ulink
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
(<ulink
url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
Shorewall 4.4.12 and later).</para>
</listitem>
</itemizedlist>
<para>Prior to Shorewall 4.4.20, only source-address static blacklisting
was supported.</para>
<para>Users with a large static black list may want to set the
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
connections before loading the blacklist rules. While this may allow
connections from blacklisted hosts to slip by during construction of the
blacklist, it can substantially reduce the time that all new connections
are disabled during "shorewall [re]start".</para>
<para>Beginning with Shorewall 2.4.0, you can use <ulink
url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
an example:</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>In this example, there is a portmap ipset
<emphasis>Blacklistports</emphasis> that blacklists all traffic with
destination ports included in the ipset. There are also
<emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
ipsets that allow blacklisting networks and individual IP addresses.
Note that [src,dst] is specified so that individual entries in the sets
can be bound to other portmap ipsets to allow blacklisting
(<emphasis>source address</emphasis>, <emphasis>destination
port</emphasis>) combinations. For example:</para>
<programlisting>ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
</section>
<section id="whitelisting">
<title>Static Whitelisting</title>
<para>Beginning with Shorewall 4.4.20, you can create
<firstterm>whitelist</firstterm> entries in the blacklist file.
Connections/packets matching a whitelist entry are not matched against
the entries in the blacklist file that follow. Whitelist entries are
created using the <emphasis role="bold">whitelist</emphasis> option
(OPTIONS column). See <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5).</para>
</section>
<section id="Dynamic">
<title>Dynamic Blacklisting</title>
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
Prior to that release, the feature is always enabled.</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite]
commands. <emphasis role="bold">Note</emphasis> that <emphasis
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<itemizedlist>
<listitem>
<para>drop [to|from] <emphasis><ip address list></emphasis> -
causes packets from the listed IP addresses to be silently dropped
by the firewall.</para>
</listitem>
<listitem>
<para>reject [to|from]<emphasis><ip address list></emphasis> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para>allow [to|from] <emphasis><ip address list></emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para>
</listitem>
<listitem>
<para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</para>
<para><emphasis role="bold">Update:</emphasis> Beginning with
Shorewall 4.4.10, the dynamic blacklist is automatically retained
over <command>stop/start</command> sequences and over
<command>restart</command>.</para>
</listitem>
<listitem>
<para>show dynamic - displays the dynamic blacklisting
configuration.</para>
</listitem>
<listitem>
<para>logdrop [to|from] <emphasis><ip address list></emphasis>
- causes packets from the listed IP addresses to be dropped and
logged by the firewall. Logging will occur at the level specified by
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
<listitem>
<para>logreject [to|from}<emphasis><ip address
list></emphasis> - causes packets from the listed IP addresses to
be rejected and logged by the firewall. Logging will occur at the
level specified by the BLACKLIST_LOGLEVEL setting at the last
[re]start (logging will be at the 'info' level if no
BLACKLIST_LOGLEVEL was given).</para>
</listitem>
</itemizedlist>
<para>Dynamic blacklisting is not dependent on the
<quote>blacklist</quote> option in
<filename>/etc/shorewall/interfaces</filename>.</para>
<example id="Ignore">
<title>Ignore packets from a pair of systems</title>
<programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
</example>
<example id="Allow">
<title>Re-enable packets from a system</title>
<programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
<para>Re-enables traffic from 192.0.2.125.</para>
</example>
<example>
<title>Displaying the Dynamic Blacklist</title>
<programlisting> <command>shorewall show dynamic</command></programlisting>
<para>Displays the 'dynamic' chain which contains rules for the
dynamic blacklist. The <firstterm>source</firstterm> column contains
the set of blacklisted addresses.</para>
</example>
</section>
</section>
</article>
@@ -134,7 +134,7 @@
the bridge would work exactly the same if public IP addresses were used
(remember that the bridge doesn't deal with IP addresses).</para>
<graphic fileref="images/bridge.png"/>
<graphic fileref="images/bridge.png" />
<para>There are a several key differences in this setup and a normal
Shorewall configuration:</para>
@@ -180,7 +180,7 @@
|
||||
systems connected to that switch. All of the systems on the local side of
|
||||
the <emphasis role="bold">router</emphasis> would still be configured with
|
||||
IP addresses in 192.168.1.0/24 as shown below.<graphic
|
||||
fileref="images/bridge3.png"/></para>
|
||||
fileref="images/bridge3.png" /></para>
|
||||
</section>
|
||||
|
||||
<section id="Bridge">
|
||||
@@ -571,7 +571,8 @@ rc-update add bridge boot
|
||||
fw firewall
|
||||
world ipv4
|
||||
net:world bport
|
||||
loc:world bport</programlisting>
|
||||
loc:world bport
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>The <emphasis>world</emphasis> zone can be used when defining rules
|
||||
whose source zone is the firewall itself (remember that fw-><BP
|
||||
@@ -580,10 +581,11 @@ loc:world bport</programlisting>
|
||||
<para>A conventional two-zone policy file is appropriate here —
|
||||
<filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>
|
||||
all all REJECT info
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/shorewall.conf</filename>:</para>
|
||||
|
||||
@@ -594,10 +596,11 @@ all all REJECT info</programlisting>
|
||||
is connected to <filename class="devicefile">eth0</filename> and the
|
||||
switch to <filename class="devicefile">eth1</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
world br0 bridge
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
world br0 detect bridge
|
||||
net br0:eth0
|
||||
loc br0:eth1</programlisting>
|
||||
loc br0:eth1
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>The <emphasis>world</emphasis> zone is associated with the bridge
|
||||
itself which is defined with the <emphasis role="bold">bridge</emphasis>
|
||||
@@ -613,7 +616,8 @@ loc br0:eth1</programlisting>
|
||||
<filename><filename>/etc/shorewall/routestopped</filename></filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE HOST(S) OPTIONS
|
||||
br0 192.168.1.0/24 routeback</programlisting>
|
||||
br0 192.168.1.0/24 routeback
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>The <filename>/etc/shorewall/rules</filename> file from the
|
||||
two-interface sample is a good place to start for defining a set of
|
||||
@@ -641,9 +645,9 @@ br0 192.168.1.0/24 routeback</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE INTERFACE OPTIONS
|
||||
world br0 bridge
|
||||
world br1 bridge
|
||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||
world br0 - bridge
|
||||
world br1 - bridge
|
||||
z1 br0:p+
|
||||
z2 br1:p+</programlisting>
|
||||
|
||||
@@ -653,11 +657,11 @@ br0 192.168.1.0/24 routeback</programlisting>
|
||||
configuration may be defined using the following in
|
||||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting> #ZONE INTERFACE OPTIONS
|
||||
world br0 bridge
|
||||
world br1 bridge
|
||||
z1 br0:x+ physical=p+
|
||||
z2 br1:y+ physical=p+</programlisting>
|
||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
||||
world br0 - bridge
|
||||
world br1 - bridge
|
||||
z1 br0:x+ - physical=p+
|
||||
z2 br1:y+ - physical=p+</programlisting>
|
||||
|
||||
<para>In this configuration, 'x+' is the logical name for ports p+ on
|
||||
bridge br0 while 'y+' is the logical name for ports p+ on bridge
|
||||
@@ -669,7 +673,8 @@ br0 192.168.1.0/24 routeback</programlisting>
|
||||
|
||||
<para>Example from /etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
REJECT z1:x1023 z1:x1024 tcp 1234</programlisting>
|
||||
</section>
|
||||
|
||||
@@ -678,7 +683,7 @@ br0 192.168.1.0/24 routeback</programlisting>
|
||||
|
||||
<para>A system running Shorewall doesn't have to be exclusively a bridge
|
||||
or a router -- it can act as both, which is also know as a brouter. Here's
|
||||
an example:<graphic fileref="images/bridge2.png"/></para>
|
||||
an example:<graphic fileref="images/bridge2.png" /></para>
|
||||
|
||||
<para>This is basically the same setup as shown in the <ulink
|
||||
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
|
||||
@@ -705,11 +710,11 @@ loc ipv4</programlisting>
|
||||
|
||||
<listitem>
|
||||
<para>The <filename>/etc/shorewall/interfaces</filename> file is as
|
||||
follows:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
pub br0 routefilter,bridge
|
||||
follows:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
pub br0 detect routefilter,bridge
|
||||
net br0:eth0
|
||||
dmz br0:eth2
|
||||
loc eth1</programlisting></para>
|
||||
loc eth1 detect</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@@ -756,7 +761,9 @@ all all REJECT info</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
||||
#
|
||||
PORT(S) PORT(S)
|
||||
ACCEPT all all icmp 8
|
||||
ACCEPT loc $DMZ tcp 25,53,80,443,...
|
||||
ACCEPT loc $DMZ udp 53
|
||||
@@ -777,7 +784,7 @@ ACCEPT $FW $DMZ tcp 53 </
|
||||
|
||||
<para>This configuration is shown in the following diagram.</para>
|
||||
|
||||
<graphic align="center" fileref="images/veth1.png"/>
|
||||
<graphic align="center" fileref="images/veth1.png" />
|
||||
|
||||
<para>In this configuration, veth0 is assigned the internal IP address;
|
||||
br0 does not have an IP address.</para>
|
||||
@@ -865,7 +872,8 @@ iface veth0 inet static
|
||||
<para>For this configuration, we need several additional zones as shown
|
||||
here:</para>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
zone1 bport
|
||||
@@ -935,19 +943,22 @@ all all REJECT:info</programlisting>
|
||||
|
||||
<para>Rules allowing traffic from the net to zone2 look like this:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
ACCEPT col zone2 tcp 22 - - - - <emphasis
|
||||
role="bold">net</emphasis></programlisting>
|
||||
|
||||
<para>or more compactly:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT col <emphasis role="bold">zone2</emphasis> tcp 22 ; mark=<emphasis
|
||||
role="bold">net</emphasis></programlisting>
|
||||
|
||||
<para>Similarly, rules allowing traffic from the firewall to zone3:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22 ; mark=<emphasis
|
||||
role="bold">fw</emphasis></programlisting>
|
||||
|
||||
@@ -958,7 +969,8 @@ ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22
|
||||
<para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
|
||||
zone3:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
DNAT- net loc:172.168.4.45 tcp 80
|
||||
ACCEPT col zone3:172.168.4.45 tcp 80 - - - - <emphasis
|
||||
role="bold">net</emphasis></programlisting>
|
||||
@@ -967,13 +979,15 @@ ACCEPT col zone3:172.168.4.45 tcp 80 - -
|
||||
role="bold">zonei</emphasis> zones to the <emphasis
|
||||
role="bold">net</emphasis> zone look like this:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
ACCEPT loc net tcp 21 - - - - <emphasis
|
||||
role="bold">zone1</emphasis></programlisting>
|
||||
|
||||
<para>And to the firewall:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
ACCEPT zone2 col tcp - - - - <emphasis
|
||||
role="bold">zone2</emphasis></programlisting>
|
||||
</section>
|
||||
|
@@ -464,7 +464,8 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
||||
|
||||
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT net:\
|
||||
206.124.146.177,\
|
||||
206.124.146.178,\
|
||||
@@ -482,7 +483,8 @@ ACCEPT net:\
|
||||
<para>A trailing backslash is not ignored in a comment. So the continued
|
||||
rule above can be commented out with a single '#' as follows:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
<emphasis role="bold">#</emphasis>ACCEPT net:\
|
||||
206.124.146.177,\
|
||||
206.124.146.178,\
|
||||
@@ -763,7 +765,8 @@ ACCEPT net:\
|
||||
|
||||
<para>Example (rules file):</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</programlisting>
|
||||
|
||||
<para>Here's the same line in several equivalent formats:</para>
|
||||
@@ -1130,7 +1133,8 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
|
||||
INCLUDE params.mgmt
|
||||
|
||||
# params unique to this host here
|
||||
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
||||
----- end params -----
|
||||
|
||||
shorewall/rules.mgmt:
|
||||
@@ -1150,7 +1154,7 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
|
||||
INCLUDE rules.mgmt
|
||||
|
||||
# rules unique to this host here
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
----- end rules -----</programlisting>
|
||||
|
||||
@@ -1162,14 +1166,14 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
|
||||
ALL.rules DNAT.rules FW.rules NET.rules REDIRECT.rules VPN.rules
|
||||
gateway:/etc/shorewall # </programlisting></para>
|
||||
|
||||
<para>/etc/shorewall/rules:<programlisting>?SECTION NEW
|
||||
<para>/etc/shorewall/rules:<programlisting>SECTION NEW
|
||||
SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
|
||||
|
||||
<para>If you are the sort to put such an entry in your rules file even
|
||||
though /etc/shorewall/rules.d might not exist or might be empty, then
|
||||
you probably want:</para>
|
||||
|
||||
<programlisting>?SECTION NEW
|
||||
<programlisting>SECTION NEW
|
||||
SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.2, in files other than
|
||||
@@ -1302,7 +1306,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>?COMMENT [ <replaceable>comment</replaceable> ]</term>
|
||||
<term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If <replaceable>comment</replaceable> is present, it will
|
||||
@@ -1359,7 +1363,8 @@ gateway:~ #
|
||||
|
||||
<para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT RATE USER
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
?COMMENT SSH
|
||||
PARAM - - tcp 22 </programlisting>
|
||||
<filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
|
||||
@@ -1766,7 +1771,7 @@ SSH(ACCEPT) net:$MYIP $FW
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>They may also appear in the ORIGDEST column of:</para>
|
||||
<para>They may also appear in the ORIGINAL DEST column of:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@@ -2313,7 +2318,8 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.2
|
||||
<para>So this rule may work for five minutes then suddently stop
|
||||
working:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
POP(ACCEPT) loc net:pop.gmail.com</programlisting>
|
||||
|
||||
<para>If your firewall rules include DNS names then:</para>
|
||||
@@ -2412,7 +2418,7 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Must not have any embedded white space.+<programlisting> Valid: routefilter,dhcp,arpfilter
|
||||
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,arpfilter
|
||||
Invalid: routefilter, dhcp, arpfilter</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
@@ -2602,7 +2608,7 @@ redirect => 137</programlisting>
|
||||
to forward the range of tcp ports 4000 through 4100 to local host
|
||||
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S)
|
||||
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
|
||||
|
||||
<para>If you omit the low port number, a value of zero is assumed; if you
|
||||
@@ -2784,7 +2790,8 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
|
||||
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
|
||||
on.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - <emphasis
|
||||
role="bold">primary_down</emphasis> </programlisting>
|
||||
</blockquote>
|
||||
@@ -2815,16 +2822,17 @@ DNAT net dmz:$BACKUP tcp 80 - -
|
||||
|
||||
<para>Here is an example:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net <emphasis role="bold">COM_IF </emphasis> dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net <emphasis role="bold">COM_IF </emphasis> detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
|
||||
role="bold">physical=eth0</emphasis>
|
||||
net <emphasis role="bold">EXT_IF</emphasis> dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
|
||||
net <emphasis role="bold">EXT_IF</emphasis> detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
|
||||
role="bold">physical=eth2</emphasis>
|
||||
loc <emphasis role="bold">INT_IF </emphasis> dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
|
||||
loc <emphasis role="bold">INT_IF </emphasis> detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
|
||||
role="bold">physical=eth1</emphasis>
|
||||
dmz <emphasis role="bold">VPS_IF </emphasis> logmartians=1,routefilter=0,routeback,<emphasis
|
||||
dmz <emphasis role="bold">VPS_IF </emphasis> detect logmartians=1,routefilter=0,routeback,<emphasis
|
||||
role="bold">physical=venet0</emphasis>
|
||||
loc <emphasis role="bold">TUN_IF</emphasis> <emphasis role="bold">physical=tun+</emphasis></programlisting>
|
||||
loc <emphasis role="bold">TUN_IF</emphasis> detect <emphasis
|
||||
role="bold">physical=tun+</emphasis></programlisting>
|
||||
|
||||
<para>In this example, COM_IF is a logical interface name that refers to
|
||||
Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
|
||||
|
@@ -154,13 +154,15 @@
|
||||
<para>Allow UDP ports 67 and 68 ("67:68") between the client zone and
|
||||
the server zone:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT ZONEA ZONEB udp 67:68
|
||||
ACCEPT ZONEB ZONEA udp 67:68</programlisting>
|
||||
|
||||
<para>Alternatively, use the DHCPfwd macro:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DHCPfwd(ACCEPT) ZONEA ZONEB</programlisting>
|
||||
</listitem>
|
||||
|
||||
|
@@ -107,13 +107,13 @@
|
||||
|
||||
<para>Example 1: Blacklist all hosts in an ipset named "blacklist"</para>
|
||||
|
||||
<para><filename>/etc/shorewall/blrules</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DROP net:+blacklist</programlisting></para>
|
||||
<para><filename>/etc/shorewall/blacklist</filename><programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
||||
+blacklist</programlisting></para>
|
||||
|
||||
<para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net:+sshok $FW tcp 22</programlisting></para>
|
||||
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT net:+sshok $FW tcp 22</programlisting></para>
|
||||
|
||||
<para>The name of the ipset can be optionally followed by a
|
||||
comma-separated list of flags enclosed in square brackets ([...]). Each
|
||||
|
@@ -54,7 +54,7 @@
|
||||
|
||||
<para>Shorewall NETMAP support is designed to supply a solution. The basic
|
||||
situation is as shown in the following diagram.<graphic
|
||||
fileref="images/netmap.png"/></para>
|
||||
fileref="images/netmap.png" /></para>
|
||||
|
||||
<para>While the link between the two firewalls is shown here as a VPN, it
|
||||
could be any type of interconnection that allows routing of <ulink
|
||||
@@ -163,8 +163,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DPORT (Optional - Added in Shorewall
|
||||
4.4.23.2)</emphasis> -
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.23.2)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -190,8 +190,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SPORT (Optional - Added in Shorewall
|
||||
4.4.23.2)</emphasis> -
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.23.2)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@@ -314,7 +314,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
|
||||
|
||||
<entry>192.168.1.27</entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@@ -350,7 +350,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
|
||||
|
||||
<entry>192.168.1.4</entry>
|
||||
|
||||
<entry/>
|
||||
<entry></entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
@@ -413,7 +413,7 @@ DNAT:T 10.10.10.0/24 vpn 192.168.1.0/24</emphasis></programlisting
|
||||
<para>IPv6 Netmap has been verified at shorewall.net using the
|
||||
configuration shown below.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Network2011b.png"/>
|
||||
<graphic align="center" fileref="images/Network2011b.png" />
|
||||
|
||||
<para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
|
||||
block is 2001:470:b:227::/64.</para>
|
||||
|
@@ -55,7 +55,7 @@
|
||||
policy for z1 to z2 is not ACCEPT, you need a rule in
|
||||
<filename>/etc/shorewall/rules</filename> of the form:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Ping(ACCEPT) z1 z2</programlisting>
|
||||
|
||||
<example id="Example1">
|
||||
@@ -63,7 +63,7 @@ Ping(ACCEPT) z1 z2</programlisting>
|
||||
|
||||
<para>To permit ping from the local zone to the firewall:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Ping(ACCEPT) loc $FW</programlisting>
|
||||
</example>
|
||||
|
||||
@@ -79,7 +79,7 @@ Ping(ACCEPT) loc $FW</programlisting>
|
||||
<para>With that rule in place, if you want to ignore <quote>ping</quote>
|
||||
from z1 to z2 then you need a rule of the form:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Ping(DROP) z1 z2</programlisting>
|
||||
|
||||
<example id="Example2">
|
||||
@@ -88,7 +88,7 @@ Ping(DROP) z1 z2</programlisting>
|
||||
<para>To drop ping from the Internet, you would need this rule in
|
||||
<filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Ping(DROP) net $FW</programlisting>
|
||||
</example>
|
||||
|
||||
|
@@ -61,7 +61,7 @@
|
||||
from the <emphasis role="bold">dmz</emphasis> zone to the <emphasis
|
||||
role="bold">net</emphasis> zone:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST
|
||||
<programlisting>#ACTION SOURCE DESTINATION
|
||||
DNS(ACCEPT) dmz net</programlisting>
|
||||
</note>
|
||||
|
||||
@@ -74,12 +74,12 @@ DNS(ACCEPT) dmz net</programlisting>
|
||||
<para>Example: You want to port forward FTP from the net to your server
|
||||
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
FTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
|
||||
<para>You would code your rule as follows:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
FTP(DNAT) net dmz:192.168.1.4 </programlisting>
|
||||
</note>
|
||||
</section>
|
||||
@@ -93,7 +93,7 @@ FTP(DNAT) net dmz:192.168.1.4 </programlisting>
|
||||
anymore.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Auth(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@@ -110,14 +110,14 @@ Auth(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination&
|
||||
port(s)</emphasis></emphasis></para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
BitTorrent(ACCEPT)<emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="DNS">
|
||||
<title>DNS</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
DNS(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination></emphasis> </programlisting>
|
||||
|
||||
<para>Note that if you are setting up a DNS server that supports recursive
|
||||
@@ -128,7 +128,7 @@ DNS(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination&
|
||||
a public DNS server in your DMZ that supports recursive resolution for
|
||||
local clients then you would need:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
DNS(ACCEPT) all dmz
|
||||
DNS(ACCEPT) dmz net </programlisting>
|
||||
|
||||
@@ -174,7 +174,7 @@ DNS(ACCEPT) dmz net </programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules:</filename></para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Edonkey(DNAT) net loc:192.168.1.4
|
||||
#if you wish to enable the Emule webserver, add this rule too.
|
||||
DNAT net loc:192.168.1.4 tcp 4711</programlisting>
|
||||
@@ -183,7 +183,7 @@ DNAT net loc:192.168.1.4 tcp 4711</programlisting>
|
||||
<section id="FTP">
|
||||
<title>FTP</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
FTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
|
||||
<para>Look <ulink url="FTP.html">here</ulink> for much more
|
||||
@@ -212,14 +212,14 @@ FTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination>
|
||||
<listitem>
|
||||
<para>Your loc->net policy is ACCEPT</para>
|
||||
</listitem>
|
||||
</orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
</orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Gnutella(DNAT) net loc:192.168.1.4</programlisting></para>
|
||||
</section>
|
||||
|
||||
<section id="ICQ">
|
||||
<title>ICQ/AIM</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ICQ(ACCEPT) <emphasis><source></emphasis> net</programlisting>
|
||||
</section>
|
||||
|
||||
@@ -236,7 +236,7 @@ ICQ(ACCEPT) <emphasis><source></emphasis> net</programlisting>
|
||||
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
IMAP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> # Unsecure IMAP
|
||||
IMAPS(ACCEPT) <source> <destination> # IMAP over SSL.</programlisting>
|
||||
</section>
|
||||
@@ -244,7 +244,7 @@ IMAPS(ACCEPT) <source> <destination> # IMAP over SSL.</programlis
|
||||
<section id="IPSEC">
|
||||
<title>IPSEC</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> 50
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> 51
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> udp 500
|
||||
@@ -263,9 +263,9 @@ ACCEPT <emphasis><destination></emphasis> <emphasis><source></e
|
||||
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
LDAP(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis> <emphasis> #Insecure LDAP</emphasis>
|
||||
LDAPS(ACCEPT) <emphasis><emphasis><source></emphasis> <emphasis> <destination></emphasis></emphasis><emphasis/> # LDAP over SSL</programlisting>
|
||||
LDAPS(ACCEPT) <emphasis><emphasis><source></emphasis> <emphasis> <destination></emphasis></emphasis><emphasis></emphasis> # LDAP over SSL</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="MySQL">
|
||||
@@ -284,14 +284,14 @@ LDAPS(ACCEPT) <emphasis><emphasis><source></emphasis> <emphasis> &
|
||||
how to deal with the consequences, you have been warned.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
MySQL(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis> <emphasis> </emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="NFS">
|
||||
<title>NFS</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis> <z2></emphasis>:a.b.c.d tcp 111
|
||||
ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis> <z2></emphasis>:a.b.c.d udp</programlisting>
|
||||
|
||||
@@ -302,14 +302,14 @@ ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis
|
||||
<section id="NTP">
|
||||
<title>NTP (Network Time Protocol)</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
NTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="PCA">
|
||||
<title><trademark>PCAnywhere</trademark></title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
PCA(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@@ -325,7 +325,7 @@ PCA(ACCEPT) <emphasis><source></emphasis> <emphasis><destination>
|
||||
<para>This information is valid only for Shorewall 3.2 or later</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
POP3(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> # Secure
|
||||
POP3S(ACCEPT) <source> <destination> #Unsecure Pop3</programlisting>
|
||||
</section>
|
||||
@@ -333,7 +333,7 @@ POP3S(ACCEPT) <source> <destination> #Unsecure Pop3</programlist
|
||||
<section id="PPTP">
|
||||
<title>PPTP</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> 47
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 1723</programlisting>
|
||||
|
||||
@@ -344,14 +344,14 @@ ACCEPT <emphasis><source></emphasis> <emphasis><destination></e
|
||||
<section id="Rdate">
|
||||
<title>rdate</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Rdate(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="rsync">
|
||||
<title>rsync</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Rsync(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@@ -363,16 +363,16 @@ Rsync(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&
|
||||
firewall and is using the default ports</emphasis>.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
REDIRECT loc 5060 udp 5060
|
||||
ACCEPT net fw udp 5060
|
||||
ACCEPT <emphasis> net fw udp 7070:7089</emphasis><emphasis/></programlisting>
|
||||
ACCEPT <emphasis> net fw udp 7070:7089</emphasis><emphasis></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="SSH">
|
||||
<title>SSH/SFTP</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
SSH(ACCEPT)<emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting>
|
||||
</section>
|
||||
|
||||
@@ -380,7 +380,7 @@ SSH(ACCEPT)<emphasis><source></emphasis> <emphasis><destination></e
|
||||
<title>SMB/NMB (Samba/<trademark>Windows</trademark> Browsing/File
|
||||
Sharing)</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
SMB(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis>
|
||||
SMB(ACCEPT) <emphasis><destination></emphasis> <emphasis><source></emphasis></programlisting>
|
||||
|
||||
@@ -394,7 +394,7 @@ SMB(ACCEPT) <emphasis><destination></emphasis> <emphasis><source>
|
||||
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
SMTP(ACCEPT)<emphasis> <source></emphasis> <emphasis><destination></emphasis> #Insecure SMTP
|
||||
SMTPS(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #SMTP over SSL (TLS)</programlisting>
|
||||
</section>
|
||||
@@ -402,7 +402,7 @@ SMTPS(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&
|
||||
<section id="SNMP">
|
||||
<title>SNMP</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
SNMP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@@ -418,7 +418,7 @@ SNMP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&g
|
||||
role="bold">svnserve mode only.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
SVN(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@@ -430,7 +430,7 @@ SVN(ACCEPT) <emphasis><source></emphasis> <emphasis><destination>
|
||||
insecure</emphasis>, don't use it.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Telnet(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@@ -447,14 +447,14 @@ Telnet(ACCEPT) <emphasis><source></emphasis> <emphasis><destination
|
||||
that the <filename>/etc/shorewall/modules</filename> file released with
|
||||
recent Shorewall versions contains entries for these modules.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 69</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="Traceroute">
|
||||
<title>Traceroute</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Trcrt(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #Good for 10 hops</programlisting>
|
||||
|
||||
<para>UDP traceroute uses ports 33434 through 33434+<max number of
|
||||
@@ -464,7 +464,7 @@ Trcrt(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&
|
||||
automatically since those sample configurations enable all ICMP packet
|
||||
types originating on the firewall itself.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT fw net icmp
|
||||
ACCEPT fw loc icmp
|
||||
ACCEPT fw ...</programlisting>
|
||||
@@ -473,7 +473,7 @@ ACCEPT fw ...</programlisting>
|
||||
<section id="NNTP">
|
||||
<title>Usenet (NNTP)</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
NNTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis>
|
||||
NNTPS(ACCEPT) <source> <destination> # secure NNTP</programlisting>
|
||||
|
||||
@@ -493,13 +493,13 @@ NNTPS(ACCEPT) <source> <destination> # secure NNTP</programlisti
|
||||
<para>the following rule handles VNC traffic for VNC displays 0 -
|
||||
9.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
VNC(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis>
|
||||
</programlisting>
|
||||
|
||||
<para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
VNCL(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
@@ -519,7 +519,7 @@ VNCL(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&g
|
||||
<para>This information is valid for Shorewall 3.2 or later.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
HTTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #Insecure HTTP
|
||||
HTTPS(ACCEPT) <source> <destination> #Secure HTTP</programlisting>
|
||||
</section>
|
||||
@@ -527,7 +527,7 @@ HTTPS(ACCEPT) <source> <destination> #Secure HTTP</programlisti
|
||||
<section id="Webmin">
|
||||
<title>Webmin</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Webmin(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting>Webmin
|
||||
use TCP port 10000.</para>
|
||||
</section>
|
||||
@@ -535,7 +535,7 @@ Webmin(ACCEPT) <emphasis><source></emphasis> <emphasis><destination
|
||||
<section id="Whois">
|
||||
<title>Whois</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Whois(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting></para>
|
||||
</section>
|
||||
|
||||
@@ -546,7 +546,7 @@ Whois(ACCEPT) <emphasis><source></emphasis> <emphasis><destination&
|
||||
<<emphasis>chooser</emphasis>> and the Display Manager/X
|
||||
applications are running at <<emphasis>apps</emphasis>>.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT <<emphasis>chooser</emphasis>> <<emphasis>apps</emphasis>> udp 177 #XDMCP
|
||||
ACCEPT <<emphasis>apps</emphasis>> <<emphasis>chooser</emphasis>> tcp 6000:6009 #X Displays 0-9</programlisting>
|
||||
</section>
|
||||
|
@@ -44,13 +44,15 @@
|
||||
<para>If you wish to run Samba on your firewall and access shares between
|
||||
the firewall and local hosts, you need the following rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
|
||||
# PORT(S)
|
||||
SMB(ACCEPT) $FW loc
|
||||
SMB(ACCEPT) loc $FW</programlisting>
|
||||
|
||||
<para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
|
||||
# PORT(S)
|
||||
SMB(ACCEPT) Z1 Z2
|
||||
SMB(ACCEPT) Z2 Z1</programlisting>
|
||||
|
||||
|
@@ -314,7 +314,8 @@ gateway:/etc/shorewall# </programl
|
||||
<para><filename>/etc/shorewall/shorewall.conf</filename>:
|
||||
<programlisting>MACLIST_LOG_LEVEL=NFLOG(1,0,1)</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlisting><important>
|
||||
<para>Shorewall considers <emphasis role="bold">ULOG(...)</emphasis>
|
||||
and <emphasis role="bold">NFLOG(...)</emphasis> to be <emphasis
|
||||
|
@@ -106,13 +106,19 @@
|
||||
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
|
||||
|
||||
<para>If you install using the .deb, you will find that your <filename
|
||||
class="directory">/etc/shorewall</filename> directory is almost empty.
|
||||
This is intentional. The released configuration file skeletons may be
|
||||
found on your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
class="directory">/etc/shorewall</filename> directory is empty. This
|
||||
is intentional. The released configuration file skeletons may be found
|
||||
on your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the
|
||||
copies.</para>
|
||||
|
||||
<para>Note that you must copy <filename
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
|
||||
and /usr/share/doc/shorewall-common/default-config/modules to
|
||||
<filename class="directory">/etc/shorewall</filename> even if you do
|
||||
not modify those files.</para>
|
||||
</warning></para>
|
||||
|
||||
<para>As each file is introduced, I suggest that you look through the
|
||||
@@ -263,7 +269,8 @@ dmz ipv4</programlisting>
|
||||
<filename>/etc/shorewall/policy</filename> file had the following
|
||||
policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>
|
||||
@@ -409,11 +416,10 @@ all all REJECT info</programlisting>
|
||||
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
|
||||
</ulink>file, that file would might contain:</para>
|
||||
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
net eth0
|
||||
loc eth1
|
||||
dmz eth2</programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect
|
||||
loc eth1 detect
|
||||
dmz eth2 detect</programlisting>
|
||||
|
||||
<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
|
||||
in the /etc/shorewall/interfaces file.</para>
|
||||
@@ -429,11 +435,10 @@ dmz eth2</programlisting>
|
||||
<example id="multi">
|
||||
<title>Multiple Interfaces to a Zone</title>
|
||||
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0
|
||||
loc eth1
|
||||
loc eth2</programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect
|
||||
loc eth1 detect
|
||||
loc eth2 detect</programlisting>
|
||||
</example>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
|
||||
@@ -1404,7 +1409,8 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
||||
<filename><ulink
|
||||
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
|
||||
<para>If one of your daughter's friends at address <emphasis
|
||||
@@ -1418,8 +1424,8 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
|
||||
<para>This example used the firewall's external IP address for DNAT.
|
||||
You can use another of your public IP addresses (place it in the
|
||||
ORIGDEST column in the rule above) but Shorewall will not add that
|
||||
address to the firewall's external interface for you.</para>
|
||||
ORIGINAL DEST column in the rule above) but Shorewall will not add
|
||||
that address to the firewall's external interface for you.</para>
|
||||
|
||||
<important>
|
||||
<para>When testing DNAT rules like those shown above, you must test
|
||||
@@ -1483,7 +1489,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
|
||||
file.</para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT
|
||||
192.0.2.177 eth2 eth0 No
|
||||
192.0.2.178 eth2 eth0 No</programlisting>
|
||||
|
||||
@@ -1602,7 +1608,7 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
||||
You would do that by adding an entry in <filename><ulink
|
||||
url="NAT.htm">/etc/shorewall/nat</ulink></filename>.</para>
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
192.0.2.179 eth0 192.168.201.4 No No</programlisting>
|
||||
|
||||
<para>With this entry in place, you daughter has her own IP address
|
||||
@@ -1616,7 +1622,8 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
||||
to use a DNAT rule for you daughter's web server -- you would rather
|
||||
just use an ACCEPT rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
||||
|
||||
<para>A word of warning is in order here. ISPs typically configure
|
||||
@@ -1712,13 +1719,14 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
||||
rules.</para>
|
||||
|
||||
<note>
|
||||
<para>Since the SPORT and ORIGDEST. Columns aren't used in this
|
||||
section, they won't be shown</para>
|
||||
<para>Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in
|
||||
this section, they won't be shown</para>
|
||||
</note>
|
||||
|
||||
<para>You probably want to allow ping between your zones:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
ACCEPT net dmz icmp echo-request
|
||||
ACCEPT net loc icmp echo-request
|
||||
ACCEPT dmz loc icmp echo-request
|
||||
@@ -1727,7 +1735,8 @@ ACCEPT loc dmz icmp echo-request</programlisting>
|
||||
<para>Let's suppose that you run mail and pop3 servers on DMZ 2 and a
|
||||
Web Server on DMZ 1. The rules that you would need are:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
||||
# PORT(S)
|
||||
ACCEPT net dmz:192.0.2.178 tcp smtp #Mail from
|
||||
#Internet
|
||||
ACCEPT net dmz:192.0.2.178 tcp pop3 #Pop3 from
|
||||
@@ -1751,7 +1760,8 @@ ACCEPT loc dmz:192.0.2.177 tcp https #Secure WWW
|
||||
<para>If you run a public DNS server on 192.0.2.177, you would need to
|
||||
add the following rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
||||
# PORT(S)
|
||||
ACCEPT net dmz:192.0.2.177 udp domain #UDP DNS from
|
||||
#Internet
|
||||
ACCEPT net dmz:192.0.2.177 tcp domain #TCP DNS from
|
||||
@@ -1774,7 +1784,8 @@ ACCEPT dmz:192.0.2.177 net tcp domain #TCPP DNS to
|
||||
scp utility can also do publishing and software update
|
||||
distribution.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
||||
# PORT(S)
|
||||
ACCEPT loc dmz tcp ssh #SSH to the DMZ
|
||||
ACCEPT net $FW tcp ssh #SSH to the
|
||||
#Firewall</programlisting>
|
||||
@@ -1805,11 +1816,22 @@ ACCEPT net $FW tcp ssh #SSH to the
|
||||
<para><filename>/etc/shorewall/interfaces</filename> (The
|
||||
<quote>options</quote> will be very site-specific).</para>
|
||||
|
||||
<programlisting>?FORMAT 2
|
||||
#ZONE INTERFACE OPTIONS
|
||||
net eth0 routefilter
|
||||
loc eth1
|
||||
dmz eth2</programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter
|
||||
loc eth1 detect
|
||||
dmz eth2 detect</programlisting>
|
||||
|
||||
<para>The setup described here requires that your network interfaces be
|
||||
brought up before Shorewall can start. This opens a short window during
|
||||
which you have no firewall protection. If you replace
|
||||
<quote>detect</quote> with the actual broadcast addresses in the entries
|
||||
above, you can bring up Shorewall before you bring up your network
|
||||
interfaces.</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 192.0.2.255
|
||||
loc eth1 192.168.201.7
|
||||
dmz eth2 192.168.202.7</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/masq</filename> - Local Subnet</para>
|
||||
|
||||
@@ -1829,7 +1851,8 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/rules</filename></para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST COMMENTS
|
||||
# PORT(S)
|
||||
ACCEPT net dmz icmp echo-request
|
||||
ACCEPT net loc icmp echo-request
|
||||
ACCEPT dmz loc icmp echo-request
|
||||
|
@@ -194,7 +194,7 @@ eth0 External</programlisting>
|
||||
band 2.</para>
|
||||
|
||||
<note>
|
||||
<para>When an INTERFACE is specified, the PROTO, DPORT and ADDRESS
|
||||
<para>When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS
|
||||
column must contain '-'.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
@@ -203,14 +203,14 @@ eth0 External</programlisting>
|
||||
<para>Assign traffic from a particular IP address to a specific
|
||||
priority band:</para>
|
||||
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
1 - - 192.168.1.44</programlisting>
|
||||
|
||||
<para>In this example, traffic from 192.168.1.44 will be assigned to
|
||||
priority band 1.</para>
|
||||
|
||||
<note>
|
||||
<para>When an ADDRESS is specified, the PROTO, DPORT and INTERFACE
|
||||
<para>When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE
|
||||
columns must be empty.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
@@ -219,7 +219,7 @@ eth0 External</programlisting>
|
||||
<para>Assign traffic to/from a particular application to a specific
|
||||
priority band:</para>
|
||||
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
1 udp 1194</programlisting>
|
||||
|
||||
<para>In that example, OpenVPN traffic is assigned to priority band
|
||||
@@ -230,7 +230,7 @@ eth0 External</programlisting>
|
||||
<para>Assign traffic that uses a particular Netfilter helper to a
|
||||
particular priority band:</para>
|
||||
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
1 - - - - sip</programlisting>
|
||||
|
||||
<para>In this example, SIP and associated RTP traffic will be assigned
|
||||
@@ -318,11 +318,11 @@ tun0 Internal</programlisting>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<para><filename>/etc/shorewall/tcinterfaces</filename><programlisting>#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
|
||||
<para><filename>/etc/shorewall/tcinterfaces</filename><programlisting>#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
|
||||
eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516
|
||||
</programlisting>etc/shorewall/tcpri:</para>
|
||||
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
COMMENT All DMZ traffic in band 3 by default
|
||||
3 - - 70.90.191.124/31
|
||||
COMMENT Bit Torrent is in band 3
|
||||
@@ -335,7 +335,7 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports
|
||||
|
||||
<para>etc/shorewall6/tcpri:</para>
|
||||
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
COMMENT All DMZ traffic in band 3 by default
|
||||
3 - - 2001:470:b:227::40/124
|
||||
COMMENT But give a boost to DNS queries
|
||||
|
@@ -277,7 +277,7 @@ net ipv4</programlisting>
|
||||
<para>The <filename>/etc/shorewall/policy</filename> file included with
|
||||
the one-interface sample has the following policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
|
||||
$FW net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>
|
||||
@@ -517,19 +517,20 @@ root@lists:~# </programlisting>
|
||||
<filename>/usr/share/shorewall/macro.*</filename>, the general format of a
|
||||
rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<<emphasis>macro</emphasis>>(ACCEPT) net $FW</programlisting>
|
||||
|
||||
<important>
|
||||
<para>Be sure to add your rules after the line that reads <emphasis
|
||||
role="bold">?SECTION NEW</emphasis>.</para>
|
||||
role="bold">SECTION NEW</emphasis> (?SECTION NEW in Shorewall 4.6.0 and
|
||||
later).</para>
|
||||
</important>
|
||||
|
||||
<example id="Example1">
|
||||
<title>You want to run a Web Server and a IMAP Server on your firewall
|
||||
system:</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
Web(ACCEPT) net $FW
|
||||
IMAP(ACCEPT)net $FW</programlisting>
|
||||
</example>
|
||||
@@ -545,14 +546,14 @@ IMAP(ACCEPT)net $FW</programlisting>
|
||||
a pre-defined macro that meets your requirements. In that case the general
|
||||
format of a rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT net $FW <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||
|
||||
<example id="Example2">
|
||||
<title>You want to run a Web Server and a IMAP Server on your firewall
|
||||
system:</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
ACCEPT net $FW tcp 80
|
||||
ACCEPT net $FW tcp 143</programlisting></para>
|
||||
</example>
|
||||
@@ -565,7 +566,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
|
||||
uses clear text (even for login!). If you want shell access to your
|
||||
firewall from the Internet, use <acronym>SSH</acronym>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
SSH(ACCEPT) net $FW </programlisting>
|
||||
</important>
|
||||
|
||||
@@ -614,7 +615,7 @@ SSH(ACCEPT) net $FW </programlisting>
|
||||
(<filename><ulink
|
||||
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
|
||||
in Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
||||
the <quote><command>shorewall reload</command></quote> command. If you
|
||||
the <quote><command>shorewall restart</command></quote> command. If you
|
||||
want to totally remove any trace of Shorewall from your Netfilter
|
||||
configuration, use <quote><command>shorewall
|
||||
clear</command></quote>.</para>
|
||||
@@ -638,7 +639,7 @@ SSH(ACCEPT) net $FW </programlisting>
|
||||
</orderedlist>
|
||||
|
||||
<para>Also, I don't recommend using <quote><command>shorewall
|
||||
reload</command></quote>; it is better to create an <emphasis><ulink
|
||||
restart</command></quote>; it is better to create an <emphasis><ulink
|
||||
url="configuration_file_basics.htm#Configs">alternate
|
||||
configuration</ulink></emphasis> and test it using the <ulink
|
||||
url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
|
||||
|
@@ -165,7 +165,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>If you change your configuration and want to install the
|
||||
changes, use the <command>shorewall reload </command>command.</para>
|
||||
changes, use the <command>shorewall restart </command>command.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@@ -616,7 +616,7 @@
|
||||
<row>
|
||||
<entry align="center">/sbin/shorewall Command</entry>
|
||||
|
||||
<entry align="center">Resulting /var/lib/shorewall/firewall
|
||||
<entry align="center">Resulting /usr/share/shorewall/firewall
|
||||
Command</entry>
|
||||
|
||||
<entry align="center">Effect if the Command Succeeds</entry>
|
||||
@@ -646,15 +646,6 @@
|
||||
firewall are accepted.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>shorewall reload</entry>
|
||||
|
||||
<entry>firewall reload</entry>
|
||||
|
||||
<entry>Very similar to start, replacing the existing ruleset with
|
||||
one that reflects the current configuration file contents.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>shorewall restart</entry>
|
||||
|
||||
@@ -730,15 +721,15 @@
|
||||
transition while the compiler is running. If compilation fails, the state
|
||||
remains unchanged.</para>
|
||||
|
||||
<para>Also, <command>shorewall start</command>, <command>shorewall
|
||||
reload</command> and <command>shorewall restart</command> involve
|
||||
compilation followed by execution of the compiled script. So it is the
|
||||
compiled script that performs the state transition in these commands
|
||||
rather than <command>/usr/share/shorewall/firewall</command>.</para>
|
||||
<para>Also, <command>shorewall start</command> and <command>shorewall
|
||||
restart</command> involve compilation followed by execution of the
|
||||
compiled script. So it is the compiled script that performs the state
|
||||
transition in these commands rather than
|
||||
<command>/usr/share/shorewall/firewall</command>.</para>
|
||||
|
||||
<para>The compiled script is placed in <filename
|
||||
class="directory">/var/lib/shorewall</filename> and is named either
|
||||
<filename>.start</filename>, .reload or <filename>.restart</filename>
|
||||
depending on the command.</para>
|
||||
<filename>.start</filename> or <filename>.restart</filename> depending on
|
||||
the command.</para>
|
||||
</section>
|
||||
</article>
|
||||
|
@@ -90,7 +90,7 @@
|
||||
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
|
||||
<imagedata align="center" fileref="images/dmz1.png" format="PNG" />
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure>
|
||||
@@ -148,18 +148,19 @@
|
||||
<title>Conventions</title>
|
||||
|
||||
<para>Points at which configuration changes are recommended are flagged
|
||||
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
|
||||
with <inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" />.</para>
|
||||
|
||||
<para>Configuration notes that are unique to Debian and it's derivatives
|
||||
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
|
||||
format="GIF"/>.</para>
|
||||
format="GIF" />.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="PPTP">
|
||||
<title>PPTP/ADSL</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>If you have an ADSL Modem and you use PPTP to communicate with a
|
||||
server in that modem, you must make the <ulink
|
||||
@@ -175,7 +176,7 @@
|
||||
<filename>/etc/shorewall</filename> -- for simple setups, you will only
|
||||
need to deal with a few of these as described in this guide.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>After you have installed Shorewall, locate the three-interface
|
||||
Sample configuration:</para>
|
||||
@@ -209,7 +210,7 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><graphic align="left" fileref="images/openlogo-nd-25.png"/>If
|
||||
<para><graphic align="left" fileref="images/openlogo-nd-25.png" />If
|
||||
you installed using a Shorewall 4.x .deb, the samples are in <emphasis
|
||||
role="bold"><filename
|
||||
class="directory">/usr/share/doc/shorewall/examples/three-interfaces</filename></emphasis>.
|
||||
@@ -247,7 +248,8 @@
|
||||
a set of zones. In the three-interface sample configuration, the following
|
||||
zone names are used:</para>
|
||||
|
||||
<para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<para><programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4
|
||||
@@ -303,7 +305,7 @@ dmz ipv4</programlisting>Zone names are defined in
|
||||
<para>The <filename>/etc/shorewall/policy</filename> file included with
|
||||
the three-interface sample has the following policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>
|
||||
@@ -313,7 +315,7 @@ all all REJECT info</programlisting>
|
||||
commented out. If you want your firewall system to have full access to
|
||||
servers on the Internet, uncomment that line.</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
$FW net ACCEPT</programlisting>
|
||||
</important>
|
||||
|
||||
@@ -349,7 +351,7 @@ $FW net ACCEPT</programlisting>
|
||||
local network from a security perspective. If you want to do this, add
|
||||
these two policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
loc $FW ACCEPT
|
||||
$FW loc ACCEPT</programlisting>
|
||||
|
||||
@@ -361,7 +363,7 @@ $FW loc ACCEPT</programlisting>
|
||||
<emphasis>net</emphasis> zone even though connections are not allowed from
|
||||
the <emphasis>loc</emphasis> zone to the firewall itself.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
|
||||
file and make any changes that you wish.</para>
|
||||
@@ -375,7 +377,7 @@ $FW loc ACCEPT</programlisting>
|
||||
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata align="center" fileref="images/dmz1.png" format="PNG"/>
|
||||
<imagedata align="center" fileref="images/dmz1.png" format="PNG" />
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure>
|
||||
@@ -419,7 +421,7 @@ root@lists:~# </programlisting>
|
||||
the external interface.</para>
|
||||
</caution>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>I<emphasis role="bold">f your external interface is <filename
|
||||
class="devicefile">ppp0</filename> or <filename
|
||||
@@ -461,7 +463,7 @@ root@lists:~# </programlisting>
|
||||
exactly one default route via your ISP's Router.</para>
|
||||
</caution>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>The Shorewall three-interface sample configuration assumes that the
|
||||
external interface is <filename class="devicefile">eth0</filename>, the
|
||||
@@ -526,7 +528,7 @@ root@lists:~# </programlisting>
|
||||
<title>Example sub-network</title>
|
||||
|
||||
<tgroup cols="2">
|
||||
<colspec align="left"/>
|
||||
<colspec align="left" />
|
||||
|
||||
<tbody>
|
||||
<row>
|
||||
@@ -571,7 +573,7 @@ root@lists:~# </programlisting>
|
||||
directly. To communicate with systems outside of the subnetwork, systems
|
||||
send packets through a gateway (router).</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>Your local computers (Local Computers 1 & 2) should be
|
||||
configured with their default gateway set to the IP address of the
|
||||
@@ -594,7 +596,7 @@ root@lists:~# </programlisting>
|
||||
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata fileref="images/dmz2.png"/>
|
||||
<imagedata fileref="images/dmz2.png" />
|
||||
</imageobject>
|
||||
|
||||
<caption><para>The default gateway for the DMZ computers would be
|
||||
@@ -650,7 +652,7 @@ root@lists:~# </programlisting>
|
||||
class="directory">/etc/shorewall/</filename><filename>masq</filename>
|
||||
file.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>If your external firewall interface is <filename
|
||||
class="devicefile">eth0</filename> then you do not need to modify the file
|
||||
@@ -663,7 +665,7 @@ root@lists:~# </programlisting>
|
||||
modify the SOURCE column to list just your local interface (10.10.10.0/24
|
||||
in the above example).</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>If your external IP is static, you can enter it in the third column
|
||||
in the <filename
|
||||
@@ -671,7 +673,7 @@ root@lists:~# </programlisting>
|
||||
entry if you like although your firewall will work fine if you leave that
|
||||
column empty. Entering your static IP in column 3 makes processing
|
||||
outgoing packets a little more efficient.<graphic align="left"
|
||||
fileref="images/openlogo-nd-25.png"/></para>
|
||||
fileref="images/openlogo-nd-25.png" /></para>
|
||||
|
||||
<para><emphasis role="bold">If you are using the Debian package, please
|
||||
check your <filename>shorewall.conf</filename> file to ensure that the
|
||||
@@ -734,7 +736,7 @@ root@lists:~# </programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>If you are running a distribution that logs netfilter messages to a
|
||||
log other than <filename>/var/log/messages</filename>, then modify the
|
||||
@@ -774,7 +776,7 @@ root@lists:~# </programlisting>
|
||||
<filename>/usr/share/shorewall/modules</filename> then copy the file to
|
||||
<filename>/etc/shorewall</filename> and modify the copy.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
|
||||
</section>
|
||||
@@ -799,7 +801,7 @@ root@lists:~# </programlisting>
|
||||
|
||||
<para>The general form of a simple port forwarding rule in <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNAT net dmz:<emphasis><server local IP address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
|
||||
If you don't specify the <emphasis><varname><server
|
||||
port></varname></emphasis>, it is assumed to be the same as
|
||||
@@ -814,7 +816,7 @@ DNAT net dmz:<emphasis><server local IP address></emphasis>[:<e
|
||||
<title>You run a Web Server on DMZ Computer 2 and you want to forward
|
||||
incoming TCP port 80 to that system</title>
|
||||
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Web(DNAT) net dmz:10.10.11.2
|
||||
Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
|
||||
<listitem>
|
||||
@@ -831,7 +833,8 @@ Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
|
||||
(<systemitem class="ipaddress">10.10.11.2</systemitem>) or you
|
||||
must use DNAT from the loc zone as well (see below).</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
Web(DNAT) loc dmz:10.10.11.2 - - - <replaceable>external-ip-address</replaceable></programlisting>
|
||||
|
||||
<para>where <replaceable>external-ip-address</replaceable> is the
|
||||
@@ -843,7 +846,8 @@ Web(DNAT) loc dmz:10.10.11.2 - - -
|
||||
you have problems connecting to your web server, try the following
|
||||
rule and try connecting to port 5000 (e.g., connect to
|
||||
<literal>http://w.x.y.z:5000 where w.x.y.z</literal> is your
|
||||
external IP).<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
external IP).<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
|
||||
# PORT(S)
|
||||
DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
@@ -851,7 +855,8 @@ DNAT net dmz:10.10.11.2:80 tcp 5000</programlisting></para>
|
||||
<para>If you want to be able to access your server from the local
|
||||
network using your external address, then if you have a static
|
||||
external IP you can replace the loc->dmz rule above
|
||||
with:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
with:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If
|
||||
you have a dynamic IP then you must ensure that your external
|
||||
interface is up before starting Shorewall and you must take steps
|
||||
@@ -866,7 +871,8 @@ DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><
|
||||
|
||||
<listitem>
|
||||
<para>Make your <literal>loc->dmz</literal> rule:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT(S) DEST
|
||||
DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para>
|
||||
</listitem>
|
||||
</orderedlist></para>
|
||||
@@ -880,7 +886,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
||||
</itemizedlist></para>
|
||||
</example>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>At this point, add the DNAT and ACCEPT rules for your
|
||||
servers.</para>
|
||||
@@ -918,7 +924,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
||||
|
||||
<listitem>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF"/></para>
|
||||
format="GIF" /></para>
|
||||
|
||||
<para>You can configure a <emphasis>Caching Name Server</emphasis>
|
||||
on your firewall or in your DMZ. <trademark>Red Hat</trademark> has
|
||||
@@ -936,10 +942,10 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
||||
<filename>/etc/shorewall/rules</filename>.</para>
|
||||
</listitem>
|
||||
</itemizedlist> If you run the name server on the firewall:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNS(ACCEPT) loc $FW
|
||||
DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ
|
||||
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNS(ACCEPT) loc dmz:10.10.11.1
|
||||
DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
||||
|
||||
@@ -954,7 +960,7 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
||||
<filename>/etc/shorewall/rules</filename>. The first example above (name
|
||||
server on the firewall) could also have been coded as follows:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc $FW tcp 53
|
||||
ACCEPT loc $FW udp 53
|
||||
ACCEPT dmz $FW tcp 53
|
||||
@@ -977,24 +983,24 @@ ACCEPT dmz $FW udp 53 </programlist
|
||||
<title>Other Connections</title>
|
||||
|
||||
<para>The three-interface sample includes the following rule:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access
|
||||
from your firewall and may be removed if you commented out the line in
|
||||
<filename>/etc/shorewall/policy</filename> allowing all connections from
|
||||
the firewall to the Internet.</para>
|
||||
|
||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
SSH(ACCEPT) loc $FW
|
||||
SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run
|
||||
an SSH server on your firewall and in each of your DMZ systems and to
|
||||
connect to those servers from your local systems.</para>
|
||||
|
||||
<para>If you wish to enable other connections between your systems, the
|
||||
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<<emphasis>macro</emphasis>>(ACCEPT) <emphasis><source zone> <destination zone></emphasis></programlisting></para>
|
||||
|
||||
<para>The general format when not using a defined macro
|
||||
is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT <emphasis><source zone> <destination zone> <protocol> <port> </emphasis></programlisting></para>
|
||||
|
||||
<example id="Example2">
|
||||
@@ -1003,12 +1009,12 @@ ACCEPT <emphasis><source zone> <destination zone> <protocol&g
|
||||
|
||||
<para>Using defined macros:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNS(ACCEPT) net $FW</programlisting>
|
||||
|
||||
<para>Not using defined macros:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT net $FW tcp 53
|
||||
ACCEPT net $FW udp 53 </programlisting>
|
||||
|
||||
@@ -1022,13 +1028,13 @@ ACCEPT net $FW udp 53 </programlisting>
|
||||
<important>
|
||||
<para>I don't recommend enabling telnet to/from the Internet because it
|
||||
uses clear text (even for login!). If you want shell access to your
|
||||
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
SSH(ACCEPT) net $FW</programlisting></para>
|
||||
</important>
|
||||
|
||||
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF"/> Bering
|
||||
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering
|
||||
users will want to add the following two rules to be compatible with
|
||||
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc $FW udp 53
|
||||
ACCEPT net $FW tcp 80 </programlisting><itemizedlist>
|
||||
<listitem>
|
||||
@@ -1039,7 +1045,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
<para>Entry 2 allows the <quote>weblet</quote> to work.</para>
|
||||
</listitem>
|
||||
</itemizedlist><inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF"/></para>
|
||||
format="GIF" /></para>
|
||||
|
||||
<para>Now modify <filename>/etc/shorewall/rules</filename> to add or
|
||||
remove other connections as required.</para>
|
||||
@@ -1104,7 +1110,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
<section id="Starting">
|
||||
<title>Starting and Stopping Your Firewall</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>The <ulink url="Install.htm">installation procedure</ulink>
|
||||
configures your system to start Shorewall at system boot but startup is
|
||||
@@ -1113,7 +1119,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
firewall, you can enable Shorewall startup by editing
|
||||
<filename>/etc/shorewall/shorewall.conf</filename> and setting
|
||||
STARTUP_ENABLED=Yes.<graphic align="left"
|
||||
fileref="images/openlogo-nd-25.png"/><important>
|
||||
fileref="images/openlogo-nd-25.png" /><important>
|
||||
<para>Users of the <filename>.deb</filename> package must edit
|
||||
<filename>/etc/default/shorewall</filename> and set
|
||||
<varname>startup=1</varname>.</para>
|
||||
@@ -1132,11 +1138,11 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
(<ulink
|
||||
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
|
||||
on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
||||
the <command>shorewall reload</command> command. If you want to totally
|
||||
the <command>shorewall restart</command> command. If you want to totally
|
||||
remove any trace of Shorewall from your Netfilter configuration, use
|
||||
<command>shorewall clear</command>.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>The three-interface sample assumes that you want to enable routing
|
||||
to/from <filename class="devicefile">eth1</filename> (your local network)
|
||||
@@ -1162,7 +1168,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
</orderedlist>
|
||||
|
||||
<para>Also, I don't recommend using <quote><command>shorewall
|
||||
reload</command></quote>; it is better to create an alternate
|
||||
restart</command></quote>; it is better to create an alternate
|
||||
configuration and test it using the <quote><command>shorewall
|
||||
try</command></quote> command.</para>
|
||||
</warning></para>
|
||||
@@ -1233,7 +1239,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
|
||||
<programlisting><command>systemctl disable iptables.service</command></programlisting>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||
|
||||
<para>At this point, disable your existing firewall service.</para>
|
||||
</section>
|
||||
|
@@ -922,7 +922,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
packets arriving on eth2 and eth3 should be marked with 2. All packets
|
||||
originating on the firewall itself should be marked with 3.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
|
||||
MARK(1) eth1 0.0.0.0/0 all
|
||||
MARK(2) eth2 0.0.0.0/0 all
|
||||
MARK(2) eth3 0.0.0.0/0 all
|
||||
@@ -935,7 +935,7 @@ MARK(3) $FW 0.0.0.0/0 all</programlisting>
|
||||
<para>All GRE (protocol 47) packets destined for 155.186.235.151
|
||||
should be marked with 12.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
|
||||
MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
|
||||
</example>
|
||||
|
||||
@@ -945,7 +945,7 @@ MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
|
||||
<para>All SSH request packets originating in 192.168.1.0/24 and
|
||||
destined for 155.186.235.151 should be marked with 22.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
|
||||
MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
|
||||
</example>
|
||||
|
||||
@@ -956,7 +956,8 @@ MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
|
||||
/etc/shorewall/tcdevices should be assigned to the class with mark
|
||||
value 10.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT
|
||||
# PORT(S)
|
||||
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22
|
||||
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
|
||||
</example>
|
||||
@@ -974,7 +975,8 @@ CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</
|
||||
means unclassified. Traffic originating on the firewall is not covered
|
||||
by this example.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST
|
||||
# PORT(S) GROUP
|
||||
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||
|
||||
@@ -1000,7 +1002,8 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - -
|
||||
ensure that all VOIP packets also receive that mark (assumes that
|
||||
nf_conntrack_sip is loaded).</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CONNBYTES TOS HELPER
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER
|
||||
# PORT(S) GROUP
|
||||
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
|
||||
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
|
||||
1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip
|
||||
@@ -1232,7 +1235,7 @@ Source IP address is 192.168.4.3 = 0xc0a80403
|
||||
|
||||
<para><filename>/etc/shorewall/tcdevices</filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE IN_BANDWIDTH OUT_BANDWIDTH
|
||||
<programlisting>#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
|
||||
eth0 100mbit 100mbit</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcclasses</filename>:</para>
|
||||
@@ -1290,7 +1293,7 @@ IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
|
||||
<section id="realtcd">
|
||||
<title>tcdevices file</title>
|
||||
|
||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
ppp0 5000kbit 500kbit</programlisting>
|
||||
</section>
|
||||
|
||||
@@ -1306,7 +1309,8 @@ ppp0 3 2*full/10 8*full/10 2</programlisting>
|
||||
<section id="realtcr">
|
||||
<title>mangle file</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
# PORT(S)
|
||||
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||
# mark traffic which should have a lower priority with a 3:
|
||||
@@ -1343,14 +1347,23 @@ NOPRIOPORTDST="6662 6663" </programlisting>
|
||||
<para>This would result in the following additional settings to the
|
||||
mangle file:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
MARK(3) 192.168.1.128/25 0.0.0.0/0 all
|
||||
<programlisting>MARK(3) 192.168.1.128/25 0.0.0.0/0 all
|
||||
MARK(3) 192.168.3.28 0.0.0.0/0 all
|
||||
MARK(3) 0.0.0.0/0 60.0.0.0/24 all
|
||||
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
|
||||
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
|
||||
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
|
||||
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
|
||||
|
||||
<para>Corresponding tcrules file entries are:</para>
|
||||
|
||||
<programlisting>3 192.168.1.128/25 0.0.0.0/0 all
|
||||
3 192.168.3.28 0.0.0.0/0 all
|
||||
3 0.0.0.0/0 60.0.0.0/24 all
|
||||
3 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
|
||||
3 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
|
||||
3 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
|
||||
3 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@@ -1365,7 +1378,7 @@ MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,666
|
||||
<section id="simpletcd">
|
||||
<title>tcdevices file</title>
|
||||
|
||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
ppp0 6000kbit 700kbit</programlisting>
|
||||
|
||||
<para>We have 6mbit down and 700kbit upstream.</para>
|
||||
@@ -1390,7 +1403,8 @@ ppp0 4 90kbit 200kbit 3 default</pro
|
||||
<section id="simpletcr">
|
||||
<title>mangle file</title>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER
|
||||
# PORT(S)
|
||||
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||
MARK(2):F 192.168.2.23 0.0.0.0/0 all
|
||||
@@ -1398,7 +1412,8 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
|
||||
|
||||
<para>Corresponding tcrules file:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
# PORT(S)
|
||||
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||
2:F 192.168.2.23 0.0.0.0/0 all
|
||||
@@ -1457,12 +1472,13 @@ MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcdevices</filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
|
||||
eth0 - 1000kbit hfsc</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tcclasses</filename>:</para>
|
||||
|
||||
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
<programlisting>#INTERFACE:CLASS MARK RATE: CEIL PRIORITY OPTIONS
|
||||
# DMAX:UMAX
|
||||
1:10 1 500kbit full 1
|
||||
1:20 2 500kbit full 1
|
||||
1:10:11 3 400kbit:53ms:1500b full 2
|
||||
@@ -1633,7 +1649,8 @@ ip link set ifb0 up</command></programlisting>
|
||||
|
||||
<para>Example: <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# PORT(S) PORT(S) DEST
|
||||
DNAT net dmz:192.168.4.5 tcp 80 - 206.124.146.177</programlisting>
|
||||
|
||||
<para>Requests redirected by this rule will have destination IP
|
||||
@@ -1704,7 +1721,7 @@ eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DPORT</term>
|
||||
<term>DEST PORT(S)</term>
|
||||
|
||||
<listitem>
|
||||
<para>Comma-separated list of destination port names or numbers.
|
||||
@@ -1714,7 +1731,7 @@ eth0 192.168.1.0/24 206.124.146.179</programlisting></para>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SPORT</term>
|
||||
<term>SOURCE PORT</term>
|
||||
|
||||
<listitem>
|
||||
<para>Comma-separated list of source port names or numbers. May
|
||||
@@ -1793,7 +1810,8 @@ qt ip link set dev ifb0 up</programlisting></para>
|
||||
<para><filename>/etc/shorewall/tcdevices</filename>:</para>
|
||||
|
||||
<para><programlisting>
|
||||
#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
|
||||
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
# INTERFACES
|
||||
1:eth0 - 384kbit classify
|
||||
2:ifb0 - 1300kbit - eth0</programlisting>
|
||||
<filename>/etc/shorewall/tcclasses</filename>:<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
@@ -1802,7 +1820,8 @@ qt ip link set dev ifb0 up</programlisting></para>
|
||||
1:130 - 2*full/10 6*full/10 3
|
||||
2:110 - 5*full/10 full 1 tcp-ack,tos-minimize-delay
|
||||
2:120 - 2*full/10 6*full/10 2 default
|
||||
2:130 - 2*full/10 6*full/10 3</programlisting><filename>/etc/shorewall/tcfilters</filename>:<programlisting>#INTERFACE: SOURCE DEST PROTO DPORT SPORT
|
||||
2:130 - 2*full/10 6*full/10 3</programlisting><filename>/etc/shorewall/tcfilters</filename>:<programlisting>#INTERFACE: SOURCE DEST PROTO DEST SOURCE
|
||||
#CLASS PORT(S) PORT(S)
|
||||
#
|
||||
# OUTGOING TRAFFIC
|
||||
#
|
||||
|
@@ -74,7 +74,7 @@
|
||||
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata align="center" fileref="images/basics.png" format="PNG"/>
|
||||
<imagedata align="center" fileref="images/basics.png" format="PNG" />
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</figure> <caution>
|
||||
@@ -121,18 +121,19 @@
|
||||
<title>Conventions</title>
|
||||
|
||||
<para>Points at which configuration changes are recommended are flagged
|
||||
with <inlinegraphic fileref="images/BD21298_.gif" format="GIF"/>.</para>
|
||||
with <inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF" />.</para>
|
||||
|
||||
<para>Configuration notes that are unique to Debian and it's derivatives
|
||||
are marked with <inlinegraphic fileref="images/openlogo-nd-25.png"
|
||||
format="GIF"/>.</para>
|
||||
format="GIF" />.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="PPTP">
|
||||
<title>PPTP/ADSL</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>If you have an <acronym>ADSL</acronym> Modem and you use
|
||||
<acronym>PPTP</acronym> to communicate with a server in that modem, you
|
||||
@@ -145,7 +146,7 @@
|
||||
<section id="Concepts">
|
||||
<title>Shorewall Concepts</title>
|
||||
|
||||
<para/>
|
||||
<para></para>
|
||||
|
||||
<para>The configuration files for Shorewall are contained in the directory
|
||||
<filename class="directory">/etc/shorewall</filename> -- for simple
|
||||
@@ -153,7 +154,7 @@
|
||||
this guide.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF"/><important>
|
||||
format="GIF" /><important>
|
||||
<para>After you have <ulink url="Install.htm">installed
|
||||
Shorewall</ulink>, locate the two-interfaces samples:</para>
|
||||
|
||||
@@ -188,10 +189,10 @@
|
||||
|
||||
<listitem>
|
||||
<para><graphic align="left"
|
||||
fileref="images/openlogo-nd-25.png"/>If you installed using a
|
||||
fileref="images/openlogo-nd-25.png" />If you installed using a
|
||||
Shorewall 4.x .deb, the samples are in <emphasis
|
||||
role="bold"><filename
|
||||
class="directory">/usr/share/doc/shorewall/examples/two-interfaces</filename>.</emphasis>
|
||||
class="directory">/usr/share/doc/shorewall-common/examples/two-interfaces</filename>.</emphasis>
|
||||
You do not need the shorewall-doc package to have access to the
|
||||
samples.</para>
|
||||
|
||||
@@ -229,7 +230,8 @@
|
||||
a set of zones. In the two-interface sample configuration, the following
|
||||
zone names are used:</para>
|
||||
|
||||
<para><programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||
<para><programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4</programlisting>Zones are defined in the <ulink
|
||||
@@ -287,13 +289,13 @@ loc ipv4</programlisting>Zones are defined in the <ulink
|
||||
<para>The <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
file included with the two-interface sample has the following policies:
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>In the two-interface
|
||||
sample, the line below is included but commented out. If you want your
|
||||
firewall system to have full access to servers on the Internet, uncomment
|
||||
that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
$FW net ACCEPT</programlisting> The above policy will:
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@@ -331,11 +333,11 @@ $FW net ACCEPT</programlisting> The above policy will:
|
||||
local network from a security perspective. If you want to do this, add
|
||||
these two policies:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
loc $FW ACCEPT
|
||||
$FW loc ACCEPT</programlisting>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>At this point, edit your <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
@@ -347,7 +349,7 @@ $FW loc ACCEPT</programlisting>
|
||||
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata align="center" fileref="images/basics.png" format="PNG"/>
|
||||
<imagedata align="center" fileref="images/basics.png" format="PNG" />
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
|
||||
@@ -391,7 +393,7 @@ root@lists:~# </programlisting>
|
||||
the external interface.</para>
|
||||
</caution>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>I<emphasis role="bold">f your external interface is <filename
|
||||
class="devicefile">ppp0</filename> or <filename
|
||||
@@ -419,7 +421,7 @@ root@lists:~# </programlisting>
|
||||
internal interface.</emphasis> Your firewall should have exactly one
|
||||
default route via your ISP's Router.</para>
|
||||
</warning> <inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF"/></para>
|
||||
format="GIF" /></para>
|
||||
|
||||
<para>The Shorewall two-interface sample configuration assumes that the
|
||||
external interface is <filename class="devicefile">eth0</filename> and the
|
||||
@@ -531,7 +533,7 @@ root@lists:~# </programlisting>
|
||||
directly. To communicate with systems outside of the subnetwork, systems
|
||||
send packets through a gateway (router).</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>Your local computers (computer 1 and computer 2 in the above
|
||||
diagram) should be configured with their default gateway to be the
|
||||
@@ -548,7 +550,7 @@ root@lists:~# </programlisting>
|
||||
<para id="Diagram">The remainder of this guide will assume that you have
|
||||
configured your network as shown here: <mediaobject>
|
||||
<imageobject>
|
||||
<imagedata align="center" fileref="images/basics1.png" format="PNG"/>
|
||||
<imagedata align="center" fileref="images/basics1.png" format="PNG" />
|
||||
</imageobject>
|
||||
</mediaobject> The default gateway for computer's 1 & 2 would be
|
||||
<systemitem class="ipaddress">10.10.10.254</systemitem>. <warning>
|
||||
@@ -605,7 +607,7 @@ root@lists:~# </programlisting>
|
||||
<acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
|
||||
<acronym>IP</acronym> is static.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>If your external firewall interface is <filename
|
||||
class="devicefile">eth0</filename>, you do not need to modify the file
|
||||
@@ -614,7 +616,7 @@ root@lists:~# </programlisting>
|
||||
class="directory">/etc/shorewall/</filename><filename>masq</filename> and
|
||||
change the first column to the name of your external interface.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>If your external <acronym>IP</acronym> is static, you can enter it
|
||||
in the third column in the <filename
|
||||
@@ -624,7 +626,7 @@ root@lists:~# </programlisting>
|
||||
column 3 (SNAT) makes the processing of outgoing packets a little more
|
||||
efficient.</para>
|
||||
|
||||
<graphic align="left" fileref="images/openlogo-nd-25.png"/>
|
||||
<graphic align="left" fileref="images/openlogo-nd-25.png" />
|
||||
|
||||
<para>I<emphasis role="bold">f you are using the Debian package, please
|
||||
check your <filename>shorewall.conf</filename> file to ensure that the
|
||||
@@ -687,7 +689,7 @@ root@lists:~# </programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>If you are running a distribution that logs netfilter messages to a
|
||||
log other than <filename>/var/log/messages</filename>, then modify the
|
||||
@@ -727,7 +729,7 @@ root@lists:~# </programlisting>
|
||||
<filename>/usr/share/shorewall/modules</filename> then copy the file to
|
||||
<filename>/etc/shorewall</filename> and modify the copy.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
|
||||
</section>
|
||||
@@ -756,7 +758,7 @@ root@lists:~# </programlisting>
|
||||
a server in the <emphasis>loc</emphasis> zone, the general form of a
|
||||
simple port forwarding rule in <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNAT net loc:<emphasis><server local ip address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting><important>
|
||||
<para><emphasis role="bold">If you want to forward traffic from the
|
||||
<emphasis>loc</emphasis> zone to a server in the
|
||||
@@ -782,14 +784,14 @@ DNAT net loc:<emphasis><server local ip address></emphasis>[:<e
|
||||
<para>You run a Web Server on computer 2 in <link
|
||||
linkend="Diagram">the above diagram</link> and you want to forward
|
||||
incoming <acronym>TCP</acronym> port 80 to that system:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Web(DNAT) net loc:10.10.10.2</programlisting></para>
|
||||
</example> <example id="Example2" label="2">
|
||||
<title>FTP Server</title>
|
||||
|
||||
<para>You run an <acronym>FTP</acronym> Server on <link
|
||||
linkend="Diagram">computer 1</link> so you want to forward incoming
|
||||
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
FTP(DNAT) net loc:10.10.10.1</programlisting> For
|
||||
<acronym>FTP</acronym>, you will also need to have
|
||||
<acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
|
||||
@@ -827,11 +829,11 @@ FTP(DNAT) net loc:10.10.10.1</programlisting> For
|
||||
server, try the following rule and try connecting to port
|
||||
5000.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
|
||||
</listitem>
|
||||
</itemizedlist> <inlinegraphic fileref="images/BD21298_.gif"
|
||||
format="GIF"/></para>
|
||||
format="GIF" /></para>
|
||||
|
||||
<para>At this point, modify <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename> to
|
||||
@@ -879,7 +881,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><anchor id="cachingdns"/> You can configure a
|
||||
<para><anchor id="cachingdns" /> You can configure a
|
||||
<emphasis>Caching Name Server</emphasis> on your firewall.
|
||||
<trademark>Red Hat</trademark> has an <acronym>RPM</acronym> for a
|
||||
caching name server (the <acronym>RPM</acronym> also requires the
|
||||
@@ -895,7 +897,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
|
||||
network to the firewall; you do that by adding the following rules
|
||||
in <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNS(ACCEPT)loc $FW</programlisting></para>
|
||||
</listitem>
|
||||
</itemizedlist></para>
|
||||
@@ -905,7 +907,7 @@ DNS(ACCEPT)loc $FW</programlisting></para>
|
||||
<title>Other Connections</title>
|
||||
|
||||
<para>The two-interface sample includes the following rules:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNS(ACCEPT) $FW net</programlisting>This rule allows
|
||||
<acronym>DNS</acronym> access from your firewall and may be removed if you
|
||||
uncommented the line in <filename
|
||||
@@ -920,7 +922,7 @@ DNS(ACCEPT) $FW net</programlisting>This rule allows
|
||||
<para>You don't have to use defined macros when coding a rule in
|
||||
<filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
|
||||
faster if you code your rules directly rather than using macros. The the
|
||||
rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT $FW net udp 53
|
||||
ACCEPT $FW net tcp 53</programlisting></para>
|
||||
|
||||
@@ -928,21 +930,21 @@ ACCEPT $FW net tcp 53</programlisting></para>
|
||||
your needs, you can either define the macro yourself or you can simply
|
||||
code the appropriate rules directly.</para>
|
||||
|
||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
SSH(ACCEPT) loc $FW </programlisting>That rule allows you to run an
|
||||
<acronym>SSH</acronym> server on your firewall and connect to that server
|
||||
from your local systems.</para>
|
||||
|
||||
<para>If you wish to enable other connections from your firewall to other
|
||||
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<macro>(ACCEPT) $FW <emphasis><destination zone></emphasis></programlisting>The
|
||||
general format when not using defined macros is:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
general format when not using defined macros is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT $FW <emphasis><destination zone> <protocol> <port></emphasis></programlisting><example
|
||||
id="Example3">
|
||||
<title>Web Server on Firewall</title>
|
||||
|
||||
<para>You want to run a Web Server on your firewall system:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Web(ACCEPT) net $FW
|
||||
Web(ACCEPT) loc $FW </programlisting>Those two rules would of
|
||||
course be in addition to the rules listed above under <quote><link
|
||||
@@ -955,14 +957,14 @@ Web(ACCEPT) loc $FW </programlisting>Those two rules would of
|
||||
shell access to your firewall from the Internet, use
|
||||
<acronym>SSH</acronym>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
SSH(ACCEPT) net $FW</programlisting>
|
||||
</important> <inlinegraphic fileref="images/leaflogo.gif"
|
||||
format="GIF"/>Bering users will want to add the following two rules to be
|
||||
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
format="GIF" />Bering users will want to add the following two rules to be
|
||||
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT loc $FW udp 53 #Allow DNS Cache to work
|
||||
ACCEPT loc $FW tcp 80 #Allow Weblet to work</programlisting>
|
||||
<inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>Now edit your <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>rules</filename>
|
||||
@@ -1028,7 +1030,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
<section id="Starting">
|
||||
<title>Starting and Stopping Your Firewall</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>The <ulink url="Install.htm">installation procedure</ulink>
|
||||
configures your system to start Shorewall at system boot but startup is
|
||||
@@ -1036,7 +1038,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
configuration is complete. Once you have completed configuration of your
|
||||
firewall, you must edit /etc/shorewall/shorewall.conf and set
|
||||
STARTUP_ENABLED=Yes.<graphic align="left"
|
||||
fileref="images/openlogo-nd-25.png"/><important>
|
||||
fileref="images/openlogo-nd-25.png" /><important>
|
||||
<para>Users of the .deb package must edit <filename
|
||||
class="directory">/etc/default/</filename><filename>shorewall</filename>
|
||||
and set <varname>startup=1</varname>.</para>
|
||||
@@ -1054,11 +1056,11 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
(Shorewall 4.5.7 and earlier) or in<filename> <ulink
|
||||
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
|
||||
A running firewall may be restarted using the <quote><command>shorewall
|
||||
reload</command></quote> command. If you want to totally remove any trace
|
||||
restart</command></quote> command. If you want to totally remove any trace
|
||||
of Shorewall from your Netfilter configuration, use
|
||||
<quote><command>shorewall clear</command></quote>.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>The two-interface sample assumes that you want to enable routing
|
||||
to/from <filename class="devicefile">eth1</filename> (the local network)
|
||||
@@ -1085,7 +1087,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
</orderedlist>
|
||||
|
||||
<para>Also, I don't recommend using <quote><command>shorewall
|
||||
reload</command></quote>; it is better to create an alternate
|
||||
restart</command></quote>; it is better to create an alternate
|
||||
configuration and test it using the <quote><command>shorewall
|
||||
try</command></quote> command.</para>
|
||||
</warning></para>
|
||||
@@ -1156,7 +1158,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
|
||||
<programlisting><command>systemctl disable iptables.service</command></programlisting>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||
|
||||
<para>At this point, disable your existing firewall service.</para>
|
||||
</section>
|
||||
@@ -1200,9 +1202,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
</caution></para>
|
||||
|
||||
<para>Your new network will look similar to what is shown in the following
|
||||
figure.<graphic align="center" fileref="images/basics2.png"/></para>
|
||||
figure.<graphic align="center" fileref="images/basics2.png" /></para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>The first thing to note is that the computers in your wireless
|
||||
network will be in a different subnet from those on your wired local LAN.
|
||||
@@ -1215,7 +1217,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
traffic may flow freely between the local wired network and the wireless
|
||||
network.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>There are only two changes that need to be made to the Shorewall
|
||||
configuration:</para>
|
||||
@@ -1227,8 +1229,8 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
network interface. If the wireless interface is <filename
|
||||
class="devicefile">wlan0</filename>, the entry might look like:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc wlan0 maclist</programlisting>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc wlan0 detect maclist</programlisting>
|
||||
|
||||
<para>As shown in the above entry, I recommend using the <ulink
|
||||
url="MAC_Validation.html">maclist option</ulink> for the wireless
|
||||
@@ -1246,7 +1248,7 @@ loc wlan0 maclist</programlisting>
|
||||
from the wireless network to the Internet. If you file looks like
|
||||
this:</para>
|
||||
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC MARK
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
|
||||
eth0 10.0.0.0/8,\
|
||||
169.254.0.0/16,\
|
||||
172.16.0.0/12,\
|
||||
|
@@ -120,7 +120,7 @@ loc eth2:0.0.0.0/0</programlisting>
|
||||
|
||||
<bridgehead renderas="sect4">Policy File</bridgehead>
|
||||
|
||||
<programlisting>#SOURCE DEST POLICY LOGLEVEL
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL
|
||||
<emphasis role="bold">ops all ACCEPT
|
||||
all ops CONTINUE</emphasis>
|
||||
loc net ACCEPT
|
||||
@@ -134,7 +134,7 @@ all all REJECT info</programlisting>
|
||||
|
||||
<bridgehead renderas="sect4">Rules File</bridgehead>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORTS(S) ORIGINAL DEST
|
||||
REDIRECT loc!ops 3128 tcp http</programlisting>
|
||||
|
||||
<para>This is the rule that transparently redirects web traffic to the
|
||||
|