Shorewall 3.x Documentation

Tom Eastep
2006-03-10
Copyright 2001-2006 Thomas M. Eastep
3.0.0

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release.

The complete Shorewall Documentation is available for download in both Docbook XML and HTML formats.

Frequently asked questions: FAQs

If you are new to Shorewall, please read these two articles first.

    Introduction to Shorewall
    QuickStart Guides (HOWTOS)

The following article is also recommended reading for newcomers.

    Configuration File Basics
        Comments in configuration files
        Line Continuation
        INCLUDE Directive
        Port Numbers/Service Names
        Port Ranges
        Using Shell Variables
        Using DNS Names
        Complementing an IP address or Subnet
        IP Address Ranges
        Shorewall Configurations (making a test configuration)
        Using MAC Addresses in Shorewall

The remainder of the Documentation supplements the QuickStart Guides. Please review the appropriate guide before trying to use this documentation directly. This index is in alphabetical order.
2.6 Kernel
Accounting
Actions
Aliased (virtual) Interfaces (e.g., eth0:0)
Bandwidth Control
Blacklisting
    Static Blacklisting using /etc/shorewall/blacklist
    Dynamic Blacklisting using /sbin/shorewall
Bridging
    Bridge/Firewall (control traffic through the bridge)
    Simple Bridge (don't need to control traffic through the bridge)
Commands (Description of all /sbin/shorewall commands)
Compiled Firewall Programs (Shorewall 3.1 and later)
Configuration File Reference Manual
    accounting
    actions and action.template
    blacklist
    hosts
    interfaces
    ipsec
    maclist
    macros and macro.template
    masq
    modules
    nat
    netmap
    params
    policy
    providers
    proxyarp
    rfc1918
    routestopped
    rules
    shorewall.conf
    tcclasses
    tcdevices
    tcrules
    tos
    tunnels
    usersets and users
    zones
Corporate Network Example (Contributed by Graeme Boyle)
DHCP
ECN Disabling by host or subnet
Error Messages
Extension Scripts (How to extend Shorewall without modifying Shorewall code through the use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped, etc.)
Fallback/Uninstall
FAQs
Features
Forwarding Traffic on the Same Interface
FTP and Shorewall
Getting help or answers to questions
Installation/Upgrade
IPP2P
IPSEC
IPSEC using Kernel 2.6 and Shorewall 2.1 or Later
Ipsets
Kazaa Filtering
Kernel Configuration
Logging
Macros
MAC Verification
Multiple Internet Connections from a Single Firewall
Multiple Zones Through One Interface
My Shorewall Configuration (How I personally use Shorewall)
Netfilter Overview
Network Mapping
One-to-one NAT (Static NAT)
OpenVPN
Operating Shorewall
Packet Processing in a Shorewall-based Firewall
'Ping' Management
Port Information
    Which applications use which ports
    Ports used by Trojans
Port Knocking and Other Uses of the 'Recent Match'
PPTP
Proxy ARP
Release Model
Requirements
Routing and Shorewall
Routing on One Interface
Samba
Shorewall Setup Guide
    Introduction
    Shorewall Concepts
    Network Interfaces
    Addressing, Subnets and Routing
        IP Addresses
        Subnets
        Routing
        Address Resolution Protocol (ARP)
        RFC 1918
    Setting up your Network
        Routed
        Non-routed
            SNAT
            DNAT
            Proxy ARP
            One-to-one NAT
        Rules
        Odds and Ends
    DNS
    Starting and Stopping the Firewall
SMB
Squid with Shorewall
Starting/stopping the Firewall
    Description of all /sbin/shorewall commands
    How to safely test a Shorewall configuration change
Static (one-to-one) NAT
Support
Traffic Accounting
Traffic Shaping/QOS
Troubleshooting (Things to try if it doesn't work)
UPnP
Upgrade Issues
VPN
    6to4 Basics
    GRE and IPIP
    IPSEC
    IPSEC/PPTP passthrough from a system behind your firewall to a remote network
    OpenVPN (My personal choice)
    Other VPN types
    PPTP
White List Creation
Xen
    Xen the way that I use it
    Tight Firewall in Xen Dom0