<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
                                                                        
                                                                         
 
  <meta http-equiv="Content-Language" content="en-us">
                                                                        
                                                                         
 
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
                                                                        
                                                                         
 
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
                                                                        
                                                                         
 
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall FAQ</title>
                                                                        
                                                                        
                                                                        
                                         
  <meta name="Microsoft Theme" content="none">
</head>
  <body>
                                                                        
   
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
 bgcolor="#400169" height="90">
                                        <tbody>
                                         <tr>
                                          <td width="100%">             
                                                                        
                                                                        
                                                                        
                              
      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
                                          </td>
                                        </tr>
                                                                        
                                                                         
 
  </tbody>                                     
</table>
                                                                        
   
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
                   port</b> 7777 to my my personal PC with IP address 192.168.1.5.
         I've     looked     everywhere and can't find <b>how to do it</b>.</a></p>
                                                                        
  
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions 
                   but it doesn't work.<br>
                            </a></p>
                                                                        
  
<p align="left"><b>1b. </b><a href="#faq1b">I'm still having problems with
              port forwarding</a></p>
                                                       
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests 
                  to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 
      in   my   local      network. <b>External clients can browse</b> http://www.mydomain.com 
            but    <b>internal  clients can't</b>.</a></p>
                                                                        
  
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 
                   subnet and I use <b>static NAT</b> to assign non-RFC1918 
  addresses          to   hosts   in  Z. Hosts in Z cannot communicate with 
  each other  using      their    external    (non-RFC1918 addresses) so they
  <b>can't access each     other using   their DNS   names.</b></a></p>
                                                                        
   
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b> 
   or <b>MSN                Instant Messenger </b>with  Shorewall. What do 
 I  do?</a></p>
                                                                        
  
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner 
                  to  check my firewall and it shows <b>some ports as 'closed' 
     rather       than     'blocked'.</b>  Why?</a></p>
                                                                        
  
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b> 
                   of my firewall and it showed 100s of ports as open!!!!</a></p>
                                                                        
  
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now 
                  I <b> can't ping</b> through the firewall</a></p>
                                                                        
   
<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b> 
                   written and  how do I <b>change the destination</b>?</a></p>
                                                                        
                                                                   
<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b> 
                   that work with Shorewall?</a></p>
           
<p align="left"><b>6b. <a href="#faq6b">DROP messages</a></b><a
 href="#faq6b"> on port 10619 are <b>flooding the logs</b> with their connect
   requests. Can i exclude these error messages for this port temporarily
from   logging in Shorewall?</a><br>
      </p>
           
<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
   of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>.�
   They get dropped, but what the heck are they?</a><br>
      </p>
           
<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
in Shorewall log messages <b>so long</b>? I thought MAC addresses were only
6 bytes in length.</a><b><br>
</b></p>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using 
'shorewall stop', I can't connect to anything</b>. Why doesn't that command 
                   work?</a></p>
                                                                        
   
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall 
                  on RedHat</b> I get messages about insmod failing -- what's 
     wrong?</a></p>
                                                                        
   
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect 
                  my  interfaces </b>properly?</a></p>
                                                                        
          
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does 
                  it  work with?</a></p>
                                                                        
   
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it 
support?</a></p>
                                                                        
   
<p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
                                                                        
   
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>"Shorewall"?</b></a></p>
                                                                        
  
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem 
                  and it has an internel  web server that allows me to configure/monitor 
               it   but as expected if I enable <b> rfc1918 blocking</b> for
   my   eth0     interface,       it also blocks the <b>cable modems  web
server</b></a>.</p>
                                                                        
  
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public 
                  IP  addresses, my ISP's DHCP server has an RFC 1918 address. 
     If   I  enable       RFC 1918  filtering on my external interface, <b>my 
    DHCP  client  cannot    renew   its lease</b>.</a></p>
                                                                        
   
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see 
                  out to  the net</b></a></p>
                                                                        
   
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages 
                   all over my console</b> making it unusable!<br>
                                 </a></p>
                                              <b>17</b>. <a
 href="#faq17">How   do  I  find   out   <b>why    this traffic   is</b>
getting  <b>logged?</b></a><br>
                             <br>
                             <b>18.</b> <a href="#faq18">Is there any way 
to  use   <b>aliased      ip  addresses</b>    with Shorewall, and maintain
 separate    rulesets for    different   IPs?</a><br>
                         <br>
                         <b>19. </b><a href="#faq19">I have added <b>entries
  to  /etc/shorewall/tcrules</b>         but they <b>don't </b>seem to <b>do
  anything</b>.  Why?</a><br>
                        <br>
                        <b>20. </b><a href="#faq20">I have just set  up 
a   server.      <b>Do  I have to change Shorewall to allow access to my
server    from   the  internet?<br>
              <br>
              </b></a><b>21. </b><a href="#faq21">I see these <b>strange
log   entries      </b>occasionally;    what are they?<br>
                      </a><br>
              <b>22. </b><a href="#faq22">I have some <b>iptables commands
 </b>that     I  want to <b>run when Shorewall starts.</b> Which file do
I  put them in?</a><br>
            <br>
            <b>23. </b><a href="#faq23">Why do you use such <b>ugly fonts</b> 
  on  your   <b>web site</b>?</a><br>
         <br>
         <b>24. </b><a href="#faq24">How can I <b>allow conections</b> to 
let's    say  the ssh port only<b> from specific IP Addresses</b> on the internet?</a><br>
<br>
                           
<hr>                                      
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to 
                  my my personal PC with IP address 192.168.1.5. I've looked 
   everywhere           and    can't find how to do it.</h4>
                                                                        
  
<p align="left"><b>Answer: </b>The <a
 href="Documentation.htm#PortForward"> first example</a> in the <a
 href="Documentation.htm#Rules">rules file documentation</a> shows how to 
                  do port forwarding under Shorewall. The format of a port-forwarding 
            rule to a local system is as   follows:</p>
                                                                        
  
<blockquote>                                                            
                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                                          <tbody>
                                           <tr>
                                            <td><u><b>ACTION</b></u></td>
                                            <td><u><b>SOURCE</b></u></td>
                                            <td><u><b>DESTINATION</b></u></td>
                                            <td><u><b>PROTOCOL</b></u></td>
                                            <td><u><b>PORT</b></u></td>
                                            <td><u><b>SOURCE PORT</b></u></td>
                                            <td><u><b>ORIG. DEST.</b></u></td>
                                          </tr>
                                          <tr>
                                            <td>DNAT</td>
                                            <td>net</td>
                                            <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local 
            port</i>&gt;]</td>
                                            <td><i>&lt;protocol&gt;</i></td>
                                            <td><i>&lt;port #&gt;</i></td>
                                            <td> <br>
                                          </td>
                                            <td> <br>
                                          </td>
                                          </tr>
                                                                        
                                                                        
                                                                        
     
    </tbody>                                                             
                                                 
  </table>
                                      </blockquote>
                                                                        
  
<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, 
                  the rule is:</p>
                                                                        
  
<blockquote>                                                            
                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                                          <tbody>
                                           <tr>
                                            <td><u><b>ACTION</b></u></td>
                                            <td><u><b>SOURCE</b></u></td>
                                            <td><u><b>DESTINATION</b></u></td>
                                            <td><u><b>PROTOCOL</b></u></td>
                                            <td><u><b>PORT</b></u></td>
                                            <td><u><b>SOURCE PORT</b></u></td>
                                            <td><u><b>ORIG. DEST.</b></u></td>
                                          </tr>
                                          <tr>
                                            <td>DNAT</td>
                                            <td>net</td>
                                            <td>loc:192.168.1.5</td>
                                            <td>udp</td>
                                            <td>7777</td>
                                            <td> <br>
                                          </td>
                                            <td> <br>
                                          </td>
                                          </tr>
                                                                        
                                                                        
                                                                        
     
    </tbody>                                                             
                                                 
  </table>
                                      </blockquote>
                                                                        
  
<div align="left">                      <font face="Courier">     </font>If
        you want to forward requests directed to a particular address ( <i>&lt;external
        IP&gt;</i> ) on your firewall to an internal system:</div>
                                                                        
  
<blockquote>                                                            
                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                                          <tbody>
                                           <tr>
                                            <td><u><b>ACTION</b></u></td>
                                            <td><u><b>SOURCE</b></u></td>
                                            <td><u><b>DESTINATION</b></u></td>
                                            <td><u><b>PROTOCOL</b></u></td>
                                            <td><u><b>PORT</b></u></td>
                                            <td><u><b>SOURCE PORT</b></u></td>
                                            <td><u><b>ORIG. DEST.</b></u></td>
                                          </tr>
                                          <tr>
                                            <td>DNAT</td>
                                            <td>net</td>
                                            <td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local 
            port</i>&gt;]</td>
                                            <td><i>&lt;protocol&gt;</i></td>
                                            <td><i>&lt;port #&gt;</i></td>
                                            <td>-</td>
                                            <td><i>&lt;external IP&gt;</i></td>
                                          </tr>
                                                                        
                                                                        
                                                                        
     
    </tbody>                                                             
                                                 
  </table>
                                      </blockquote>
                                                                        
Finally,  if you need to forward a range of ports, in the PORT column specify
the range  as <i>low-port</i>:<i>high-port</i>.<br>
   
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions 
                  but  it doesn't work</h4>
                                                                        
  
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
                                                                        
  
<ul>
                                        <li>You are trying to test from inside
   your   firewall     (no,   that    won't    work -- see <a
 href="#faq2">FAQ   #2</a>).</li>
                                        <li>You have a more basic problem 
with   your   local    system    such   as  an   incorrect default gateway 
configured    (it  should    be set to   the IP   address    of your  firewall's 
internal    interface).</li>
                                                                        
  
</ul>
                                                                        
  
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
              forwarding</h4>
                            <b>Answer: </b>To further diagnose this problem:<br>
                                                       
<ul>
                              <li>As root, type "iptables -t nat -Z". This
 clears    the   NetFilter      counters   in the nat table.</li>
                              <li>Try to connect to the redirected port from
  an  external     host.</li>
                              <li>As root type "shorewall show nat"</li>
                              <li>Locate the appropriate DNAT rule. It will 
 be  in  a  chain    called        <i>&lt;source zone&gt;</i>_dnat ('net_dnat'
  in the above   examples).</li>
                              <li>Is the packet count in the first column 
non-zero?      If  so,   the   connection    request is reaching the firewall 
and is  being    redirected    to   the server.  In  this case, the problem 
is usually   a  missing  or incorrect      default gateway   setting on the 
server (the   server's  default  gateway  should    be the IP address   of 
the firewall's   interface  to the  server).</li>
                              <li>If the packet count is zero:</li>
                                                                        
                                      
  <ul>
                                <li>the connection request is not reaching
 your   server    (possibly      it  is being blocked by your ISP); or</li>
                                <li>you are trying to connect to a secondary
  IP  address     on  your   firewall   and your rule is only redirecting
the  primary  IP  address    (You  need to specify   the secondary IP address 
 in the "ORIG.   DEST." column    in  your DNAT rule);  or</li>
                                <li>your DNAT rule doesn't match the connection 
   request     in  some   other   way. In that case, you may have to use a
 packet  sniffer     such  as tcpdump  or  ethereal to further diagnose the
 problem.<br>
                                </li>
                                                                        
                                      
  </ul>
                                                       
</ul>
                                                       
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com 
                  (IP 130.151.100.69) to system 192.168.1.5 in my local network. 
       External         clients  can browse http://www.mydomain.com but internal 
       clients can't.</h4>
                                                                        
  
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
                                                                        
  
<ul>
                                        <li>Having an internet-accessible 
server    in  your   local    network         is  like raising foxes in the 
corner   of your  hen   house.  If  the server     is      compromised, there's
 nothing    between  that  server  and  your other   internal        systems.
 For the    cost of another  NIC and  a cross-over  cable,   you can   put
      your   server in a DMZ such  that it is isolated  from your   local
systems    -      assuming that the  Server can be located  near the Firewall,
  of course     :-)</li>
                                        <li>The accessibility problem is
best   solved    using           <a href="shorewall_setup_guide.htm#DNS">Bind 
Version       9 "views"</a>     (or using a separate DNS server for local 
clients)  such   that www.mydomain.com     resolves to 130.141.100.69    
externally  and 192.168.1.5   internally. That's    what I do here at   
 shorewall.net  for my local systems   that use static   NAT.</li>
                                                                        
  
</ul>
                                                                        
  
<p align="left">If you insist on an IP solution to the accessibility problem 
                   rather than a DNS solution, then assuming that your external 
      interface          is  eth0  and your internal interface is eth1  and 
  that    eth1 has IP   address      192.168.1.254  with subnet 192.168.1.0/24, 
  do   the following:</p>
                                                                        
  
<p align="left">a) In /etc/shorewall/interfaces, specify "multi" as an option 
                   for eth1 (No longer required as of Shorewall version 1.3.9).</p>
                                                                        
  
<div align="left">                                      
<p align="left">b) In /etc/shorewall/rules, add:</p>
                                     </div>
                                                                        
  
<div align="left">                                      
<blockquote>                                                            
                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                                          <tbody>
                                           <tr>
                                            <td><u><b>ACTION</b></u></td>
                                            <td><u><b>SOURCE</b></u></td>
                                            <td><u><b>DESTINATION</b></u></td>
                                            <td><u><b>PROTOCOL</b></u></td>
                                            <td><u><b>PORT</b></u></td>
                                            <td><u><b>SOURCE PORT</b></u></td>
                                            <td><u><b>ORIG. DEST.</b></u></td>
                                          </tr>
                                          <tr>
                                            <td>DNAT</td>
                                            <td>loc:192.168.1.0/24</td>
                                            <td>loc:192.168.1.5</td>
                                            <td>tcp</td>
                                            <td>www</td>
                                            <td>-</td>
                                            <td>130.151.100.69:192.168.1.254</td>
                                          </tr>
                                                                        
                                                                        
                                                                        
     
    </tbody>                                                             
                                                 
  </table>
                                      </blockquote>
                                      </div>
                                                                        
                                         
<div align="left">                                      
<p align="left">That rule only works of course if you have a static external 
                  IP  address. If you  have a dynamic IP address and are running
       Shorewall          1.3.4 or later then include this in  /etc/shorewall/params:</p>
                                     </div>
                                                                        
  
<div align="left">                                      
<pre>     ETH0_IP=`find_interface_address eth0`</pre>
                                      </div>
                                                                        
  
<div align="left">                                      
<p align="left">and make your DNAT rule:</p>
                                     </div>
                                                                        
  
<div align="left">                                      
<blockquote>                                                            
                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber1">
                                          <tbody>
                                           <tr>
                                            <td><u><b>ACTION</b></u></td>
                                            <td><u><b>SOURCE</b></u></td>
                                            <td><u><b>DESTINATION</b></u></td>
                                            <td><u><b>PROTOCOL</b></u></td>
                                            <td><u><b>PORT</b></u></td>
                                            <td><u><b>SOURCE PORT</b></u></td>
                                            <td><u><b>ORIG. DEST.</b></u></td>
                                          </tr>
                                          <tr>
                                            <td>DNAT</td>
                                            <td>loc:192.168.1.0/24</td>
                                            <td>loc:192.168.1.5</td>
                                            <td>tcp</td>
                                            <td>www</td>
                                            <td>-</td>
                                            <td>$ETH0_IP:192.168.1.254</td>
                                          </tr>
                                                                        
                                                                        
                                                                        
     
    </tbody>                                                             
                                                 
  </table>
                                      </blockquote>
                                      </div>
                                                                        
  
<div align="left">                                      
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE 
                   client to automatically restart Shorewall each time that 
  you    get    a  new    IP   address.</p>
                                     </div>
                                                                        
  
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an RFC1918 
                  subnet and I use static NAT to assign non-RFC1918 addresses 
    to   hosts      in   Z.  Hosts in Z cannot communicate with each other 
 using    their  external      (non-RFC1918     addresses) so they can't access
 each    other  using their    DNS  names.</h4>
                                                                        
  
<p align="left"><b>Answer: </b>This is another problem that is best solved 
                  using Bind Version 9 "views". It allows both external and 
  internal         clients       to access a NATed host using the host's DNS
  name.</p>
                                                                        
  
<p align="left">Another good way to approach this problem is to switch from
                   static NAT to Proxy ARP. That way, the hosts in Z have
non-RFC1918            addresses      and can be accessed externally and
internally using     the    same   address.  </p>
                                                                        
  
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
                                                                        
  
<p align="left">a) Specify "multi" on the entry for Z's interface in /etc/shorewall/interfaces
              (If you are running a Shorewall version earlier than 1.3.9).<br>
                                      b) Set the Z-&gt;Z policy to ACCEPT.<br>
                                      c) Masquerade Z to itself.<br>
                                      <br>
                                      Example:</p>
                                                                        
  
<p align="left">Zone: dmz<br>
                                      Interface: eth2<br>
                                      Subnet: 192.168.2.0/24</p>
                                                                        
  
<p align="left">In /etc/shorewall/interfaces:</p>
                                                                        
  
<blockquote>                                                            
                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber2">
                                          <tbody>
                                           <tr>
                                            <td><u><b>ZONE</b></u></td>
                                            <td><u><b>INTERFACE</b></u></td>
                                            <td><u><b>BROADCAST</b></u></td>
                                            <td><u><b>OPTIONS</b></u></td>
                                          </tr>
                                          <tr>
                                            <td>dmz</td>
                                            <td>eth2</td>
                                            <td>192.168.2.255</td>
                                            <td>multi</td>
                                          </tr>
                                                                        
                                                                        
                                                                        
     
    </tbody>                                                             
                                                 
  </table>
                                      </blockquote>
                                                                        
  
<p align="left">In /etc/shorewall/policy:</p>
                                                                        
  
<blockquote>                                                            
                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
                                          <tbody>
                                           <tr>
                                            <td><u><b>SOURCE </b></u></td>
                                            <td><u><b>DESTINATION</b></u></td>
                                            <td><u><b>POLICY</b></u></td>
                                            <td><u><b>LIMIT:BURST</b></u></td>
                                          </tr>
                                          <tr>
                                            <td>dmz</td>
                                            <td>dmz</td>
                                            <td>ACCEPT</td>
                                            <td> <br>
                                          </td>
                                          </tr>
                                                                        
                                                                        
                                                                        
     
    </tbody>                                                             
                                                 
  </table>
                                      </blockquote>
                                                                        
                                                                   
<p align="left">In /etc/shorewall/masq:</p>
                                                                        
  
<blockquote>                                                            
                                                     
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3" width="369">
                                          <tbody>
                                           <tr>
                                            <td width="93"><u><b>INTERFACE
         </b></u></td>
                                            <td width="31"><u><b>SUBNET</b></u></td>
                                            <td width="120"><u><b>ADDRESS</b></u></td>
                                          </tr>
                                          <tr>
                                            <td width="93">eth2</td>
                                            <td width="31">192.168.2.0/24</td>
                                            <td width="120"> <br>
                                          </td>
                                          </tr>
                                                                        
                                                                        
                                                                        
     
    </tbody>                                                             
                                                 
  </table>
                                      </blockquote>
                                                                        
  
<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting or MSN Instant 
   Messenger                with Shorewall. What do I do?</h4>
                                                                        
  
<p align="left"><b>Answer: </b>There is an <a
 href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection 
                  tracking/NAT module</a> that may help with Netmeeting. Look
   <a href="http://linux-igd.sourceforge.net">here</a> for a solution for
MSN   IM but be aware that there are significant security risks involved with
this  solution. Also check the Netfilter      mailing        list  archives 
 at <a href="http://www.netfilter.org">http://www.netfilter.org</a>.     
         </p>
                                                                        
     
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner 
                  to    check my firewall and it shows some ports as 'closed' 
    rather       than     'blocked'.     Why?</h4>
                                                                        
     
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x 
                  always    rejects connection requests on TCP port 113 rather 
     than     dropping        them. This is    necessary to prevent outgoing 
   connection       problems to   services    that use the    'Auth' mechanism 
   for identifying       requesting  users.  Shorewall    also rejects TCP 
    ports 135, 137 and    139  as well as  UDP ports  137-139.   These are 
 ports that are    used  by  Windows  (Windows  <u>can</u>  be configured 
  to use the DCE cell locator       on port  135). Rejecting these  connection 
 requests   rather than dropping    them    cuts down slightly on the amount 
 of Windows  chatter on LAN segments    connected      to the Firewall. </p>
                                                                        
     
<p align="left">If you are seeing port 80 being 'closed', that's probably 
                  your    ISP preventing you from running a web server in 
violation          of   your     Service    Agreement.</p>
                                                                        
     
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my 
                     firewall and it showed 100s of ports as open!!!!</h4>
                                                                        
     
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page 
                  section about    UDP scans. If nmap gets <b>nothing</b> 
back     from     your     firewall   then it reports    the port as open. 
If you    want to   see  which    UDP ports are  really open,    temporarily 
 change    your net-&gt;all     policy    to REJECT, restart  Shorewall and 
 do    the   nmap UDP scan again.</p>
                                                                        
   
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I 
                  can't ping through the firewall</h4>
                                                                        
  
<p align="left"><b>Answer: </b>If you want your firewall to be totally open 
                  for "ping": </p>
                                                                        
  
<p align="left">a) Do NOT specify 'noping' on any interface in  /etc/shorewall/interfaces.<br>
                                      b) Copy /etc/shorewall/icmp.def to
/etc/shorewall/icmpdef<br>
                                      c) Add the following to /etc/shorewall/icmpdef: 
      </p>
                                                                        
  
<blockquote>                                                             
                                                 
  <p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request 
                  -j ACCEPT<br>
                 </p>
               </blockquote>
               For a complete description of Shorewall 'ping' management, 
see   <a href="ping.html">this page</a>.                                 
                                                 
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
                   and  how do I change the destination?</h4>
                                                                        
  
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a>  and <a
 href="Documentation.htm#Rules">rules</a>. The destination for messaged 
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). 
                 When you have changed /etc/syslog.conf, be sure to restart 
  syslogd        (on    a  RedHat system, "service syslog restart"). </p>
                                                                        
  
<p align="left">By default, older versions of Shorewall ratelimited log messages 
                  through <a href="Documentation.htm#Conf">settings</a> in 
 /etc/shorewall/shorewall.conf                 -- If you want to log all messages,
 set: </p>
                                                                        
  
<div align="left">                                      
<pre align="left">     LOGLIMIT=""<br>     LOGBURST=""<br><br>Beginning with Shorewall version 1.3.12, you can <a
 href="shorewall_logging.html">set up Shorewall to log all of its messages to a separate file</a>.<br></pre>
                                      </div>
                                                                        
  
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
                   with Shorewall?</h4>
                                                                        
  
<p align="left"><b>Answer: </b>Here are several links that may be helpful: 
                  </p>
                                                                        
  
<blockquote>                                                             
                                                 
  <p align="left"><a
 href="http://www.shorewall.net/pub/shorewall/parsefw/"> http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
                                      <a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
                                      <a
 href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a><a
 href="http://www.logwatch.org"><br>
                           http://www.logwatch.org</a><br>
     <a href="http://gege.org/iptables">http://gege.org/iptables</a><br>
                     </p>
                   </blockquote>
                   I personnaly use Logwatch. It emails me a report each
day   from   my  various    systems with each report summarizing the logged
activity   on  the  corresponding    system.                            
                                               
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
   are <b>flooding the logs</b> with their connect requests. Can i exclude
 these  error messages for this port temporarily from logging in Shorewall?</h4>
      Temporarily add the following rule:<br>
           
<pre>	DROP��� net��� fw��� udp��� 10619</pre>
           
<h4 align="left"><a name="faq6c"></a>6c. All day long I get a steady flow
   of these DROP messages from port 53 to some high numbered port.� They
get    dropped, but what the heck are they?</h4>
           
<pre>Jan� 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00<br>                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00<br>                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33 </pre>
      <b>Answer: </b>There are two possibilities:<br>
           
<ol>
        <li>They are late-arriving replies to DNS queries.</li>
        <li>They are corrupted reply packets.</li>
           
</ol>
      You can distinguish the difference by setting the <b>logunclean</b> 
option   (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
 on   your external interface (eth0 in the above example). If they get logged
 twice,  they are corrupted. I solve this problem by using an /etc/shorewall/common
   file like this:<br>
           
<blockquote>                  
  <pre>#<br># Include the standard common.def file<br>#<br>. /etc/shorewall/common.def<br>#<br># The following rule is non-standard and compensates for tardy<br># DNS replies<br>#<br>run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP</pre>
      </blockquote>
      The above file is also include in all of my sample configurations available
   in the <a href="shorewall_quickstart_guide.htm">Quick Start Guides</a>.<br>
           
<h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in
Shorewall log messages so long? I thought MAC addresses were only 6 bytes
in length. What is labeled as the MAC address in a Shorewall log message
is actually the Ethernet frame header. In contains:<br>
 </h4>
<ul>
  <li>the destination MAC address (6 bytes)</li>
  <li>the source MAC address (6 bytes)</li>
  <li>the ethernet frame type (2 bytes)</li>
</ul>
 Example:<br>
 <br>
 MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00<br>
 
<ul>
  <li>Destination MAC address = 00:04:4c:dc:e2:28</li>
  <li>Source MAC address = 00:b0:8e:cf:3c:4c</li>
  <li>Ethernet Frame Type = 08:00 (IP Version 4)</li>
</ul>
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
                   stop', I can't connect to anything. Why doesn't that command
      work?</h4>
                                                                        
  
<p align="left">The 'stop' command is intended to place your firewall into 
                  a safe state whereby only those hosts listed in /etc/shorewall/routestopped' 
      are    activated.         If you want to totally open up your firewall, 
    you  must    use the 'shorewall         clear' command. </p>
                                                                        
  
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat, 
      I get messages about insmod failing -- what's wrong?</h4>
                                                                        
  
<p align="left"><b>Answer: </b>The output you will see looks something like 
                  this:</p>
                                                                        
  
<pre>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy<br>     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed<br>     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed<br>     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)<br>     Perhaps iptables or your kernel needs to be upgraded.</pre>
                                                                        
  
<p align="left">This is usually cured by the following sequence of commands: 
                  </p>
                                                                        
  
<div align="left">                                      
<pre align="left">     service ipchains stop<br>     chkconfig --delete ipchains<br>     rmmod ipchains</pre>
                                      </div>
                                                                        
  
<div align="left">                                      
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a> 
                  for  problems concerning the version of iptables (v1.2.3) 
  shipped        with     RH7.2.</p>
                                     </div>
                                                                        
  
<h4 align="left">      </h4>
                                                                     
<h4 align="left"><a name="faq9"></a>9. Why can't Shorewall detect my    interfaces
                  properly?</h4>
                                                                        
     
<p align="left">I just installed Shorewall and when I issue the start command, 
                     I see the following:</p>
                                                                        
   
<div align="left">                                        
<pre>     Processing /etc/shorewall/shorewall.conf ...<br>     Processing /etc/shorewall/params ...<br>     Starting Shorewall...<br>     Loading Modules...<br>     Initializing...<br>     Determining Zones...<br>     Zones: net loc<br>     Validating interfaces file...<br>     Validating hosts file...<br>     Determining Hosts in Zones...<br><b>     Net Zone: eth0:0.0.0.0/0<br>     Local Zone: eth1:0.0.0.0/0<br></b>     Deleting user chains...<br>     Creating input Chains...<br>     ...</pre>
                                      </div>
                                                                        
  
<div align="left">                                        
<p align="left">Why can't Shorewall detect my interfaces properly?</p>
                                     </div>
                                                                        
  
<div align="left">                                        
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
   zone is defined as all hosts that are connected through eth0 and the local
   zone is defined as all hosts connected through eth1</p>
                                     </div>
                                                                        
      
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work 
    with?</h4>
                                                                        
      
<p align="left">Shorewall works with any GNU/Linux distribution that includes 
                       the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.</p>
                                                                         
<h4 align="left">11. What Features does it have?</h4>
                                                                        
      
<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall 
                  Feature      List</a>.</p>
                                                                         
<h4 align="left"><a name="faq12"></a>12. Is there a GUI?</h4>
                                                                        
      
<p align="left"><b>Answer: </b>Yes. Shorewall support is included in Webmin 
1.060 and later versions. See <a href="http://www.webmin.com">http://www.webmin.com</a> 
</p>
                                                                         
<h4 align="left"> <a name="faq13"></a>13. Why do you call it "Shorewall"?</h4>
                                                                        
      
<p align="left"><b>Answer: </b>Shorewall is a concatenation of "<u>Shore</u>line" 
                  (<a href="http://www.cityofshoreline.com">the      city 
where      I  live</a>)          and "Fire<u>wall</u>". The full name of the
product      is actually "Shoreline Firewall" but "Shorewall" is must more
commonly   used.</p>
                                                                         
<h4 align="left"> <a name="faq14"></a>14.  I'm connected via a cable modem 
                  and it has an  internal web server that allows me to configure/monitor 
               it   but as expected if I  enable rfc1918 blocking for my eth0
    interface          (the  internet one), it also blocks  the cable modems
   web server.</h4>
                                                                        
      
<p align="left">Is there any way it can add a rule before the  rfc1918 blocking 
                  that will let all traffic to and from the 192.168.100.1 
address         of   the    modem  in/out but still block all other rfc1918 
addresses?</p>
                                                                        
      
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than      1.3.1, create /etc/shorewall/start and in it, place the following:</p>
                                                                         
<div align="left">                                        
<pre>     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
                                      </div>
                                                                        
  
<div align="left">                                        
<p align="left">If you are running version 1.3.1 or later, simply add the 
                     following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</p>
                                     </div>
                                                                        
  
<div align="left">                                        
<blockquote>                                                            
                                                       
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
                                            <tbody>
                                           <tr>
                                              <td><u><b>SUBNET </b></u></td>
                                              <td><u><b>TARGET</b></u></td>
                                            </tr>
                                            <tr>
                                              <td>192.168.100.1</td>
                                              <td>RETURN</td>
                                            </tr>
                                                                        
                                                                        
                                                                        
        
    </tbody>                                                             
                                                 
  </table>
                                        </blockquote>
                                      </div>
                                                                        
    
<div align="left">                                        
<p align="left">Be sure that you add the entry ABOVE the entry for    192.168.0.0/16.<br>
                                   </p>
                                                                     
<p align="left">Note: If you add a second IP address to your external firewall 
                 interface to correspond to the modem address, you must also 
   make     an   entry      in /etc/shorewall/rfc1918 for that address. For 
  example,    if you   configure      the address 192.168.100.2 on your firewall, 
  then   you would   add two entries      to /etc/shorewall/rfc1918:  <br>
                                   </p>
                                                                     
<blockquote>                                                             
                                           
  <table cellpadding="2" border="1" style="border-collapse: collapse;">
                                       <tbody>
                                         <tr>
                                           <td valign="top"><u><b>SUBNET</b></u><br>
                                           </td>
                                           <td valign="top"><u><b>TARGET</b></u><br>
                                           </td>
                                         </tr>
                                         <tr>
                                           <td valign="top">192.168.100.1<br>
                                           </td>
                                           <td valign="top">RETURN<br>
                                           </td>
                                         </tr>
                                         <tr>
                                           <td valign="top">192.168.100.2<br>
                                           </td>
                                           <td valign="top">RETURN<br>
                                           </td>
                                         </tr>
                                                                        
                                                                        
                                                               
    </tbody>                                                             
                                           
  </table>
                                   </blockquote>
                                     </div>
                                                                        
    
<div align="left">                                        
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
   addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918    filtering on my external interface, my DHCP client cannot renew its
lease.</h4>
                                      </div>
                                                                        
    
<div align="left">                                        
<p align="left">The solution is the same as FAQ 14 above. Simply substitute 
                     the IP address of your ISPs DHCP server.</p>
                                     </div>
                                                                        
  
<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to 
                  the  net</h4>
                                                                        
   
<p align="left"><b>Answer: </b>Every time I read "systems can't see out to 
                  the net", I wonder  where the poster bought computers with 
   eyes     and    what     those computers will "see"  when things are working 
   properly.      That   aside,     the most common causes of this  problem 
  are:</p>
                                                                        
   
<ol>
                                        <li>                            
                                                                        
                                                                        
         
    <p align="left">The default gateway on each local system isn't set to 
                  the    IP address of the local firewall interface.</p>
                                         </li>
                                        <li>                            
                                                                        
                                                                        
         
    <p align="left">The entry for the local network in the /etc/shorewall/masq 
                     file is wrong or missing.</p>
                                         </li>
                                        <li>                            
                                                                        
                                                                        
         
    <p align="left">The DNS settings on the local systems are wrong or the 
                     user is running a DNS server on the firewall and hasn't 
   enabled        UDP    and   TCP    port 53 from the firewall to the internet.</p>
                                         </li>
                                                                        
  
</ol>
                                                                        
  
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages 
                  all  over my console making it unusable!</h4>
                                                                        
     
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command 
                  to your startup    scripts or place it in /etc/shorewall/start. 
        Under      RedHat,    the max log level    that is sent to the console 
     is   specified     in /etc/sysconfig/init    in the    LOGLEVEL variable.<br>
                                 </p>
                                                                 
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting 
      logged?</h4>
                                 <b>Answer: </b>Logging occurs out of a number
   of  chains    (as   indicated      in  the log message) in Shorewall:<br>
                                                                 
<ol>
                                   <li><b>man1918 - </b>The destination address 
   is  listed    in  /etc/shorewall/rfc1918       with a <b>logdrop </b>target
    --  see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                                   <li><b>rfc1918</b> - The source address
 is  listed    in  /etc/shorewall/rfc1918          with a <b>logdrop </b>target 
  -- see      <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
                                  <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b>
       or      <b>all2all          </b>-  You have a<a
 href="Documentation.htm#Policy"> policy</a> that     specifies a  log level 
        and this packet is being logged under that policy.     If you intend 
    to   ACCEPT this traffic then you need a  <a
 href="Documentation.htm#Rules">rule</a>   to that effect.<br>
                                  </li>
                                   <li><b>&lt;zone1&gt;2&lt;zone2&gt; </b>- 
 Either    you   have   a<a href="Documentation.htm#Policy"> policy</a> for 
     <b>&lt;zone1&gt;          </b>to       <b>&lt;zone2&gt;</b> that specifies 
 a log level and this     packet is being         logged under that policy 
 or this packet matches    a     <a href="Documentation.htm#Rules">rule</a> 
 that includes a log level.</li>
                            <li><b>&lt;interface&gt;_mac</b> - The packet 
is  being    logged    under    the      <b>maclist</b> <a
 href="Documentation.htm#Interfaces">interface     option</a>.<br>
                            </li>
                                   <li><b>logpkt</b> - The packet is being
 logged    under    the       <b>logunclean</b>            <a
 href="Documentation.htm#Interfaces">interface   option</a>.</li>
                                   <li><b>badpkt </b>- The packet is being
 logged    under    the       <b>dropunclean</b>            <a
 href="Documentation.htm#Interfaces">interface  option</a> as specified  
    in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
                                   <li><b>blacklst</b> - The packet is being
  logged    because     the   source    IP  is blacklisted in the<a
 href="Documentation.htm#Blacklist">  /etc/shorewall/blacklist          </a>file.</li>
                                   <li><b>newnotsyn </b>- The packet is being 
  logged    because     it  is  a  TCP   packet that is not part of any current 
  connection    yet  it   is not a syn  packet.   Options affecting the logging 
  of such  packets   include       <b>NEWNOTSYN       </b>and       <b>LOGNEWNOTSYN
       </b>in         <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
                                  <li><b>INPUT</b> or <b>FORWARD</b> - The
 packet    has   a  source    IP  address    that isn't in any of your defined
 zones    ("shorewall    check"    and  look at the   printed zone definitions) 
 or   the chain is FORWARD   and   the destination  IP  isn't in any of your 
 defined    zones.</li>
                         <li><b>logflags </b>- The packet is being logged 
because     it  failed    the   checks implemented by the <b>tcpflags </b><a
 href="Documentation.htm#Interfaces">interface option</a>.<br>
                         </li>
                                                                 
</ol>
                                                         
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> 
              with Shorewall, and maintain separate rulesets for different 
 IPs?</h4>
                             <b>Answer: </b>Yes. You simply use the IP address
   in  your   rules    (or   if  you  use NAT, use the local IP address in
 your  rules).   <b>Note:</b>    The  ":n"  notation  (e.g., eth0:0) is deprecated 
   and will   disappear eventually.      Neither   iproute  (ip and tc) nor 
  iptables supports   that notation so  neither    does   Shorewall.  <br>
                             <br>
                             <b>Example 1:</b><br>
                             <br>
                             /etc/shorewall/rules                       
     
<pre wrap=""><span class="moz-txt-citetags"></span>     # Accept AUTH but only on address 192.0.2.125<br><span
 class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span>     ACCEPT	net	fw:192.0.2.125	tcp	auth<br><span
 class="moz-txt-citetags"></span></pre>
                             <span class="moz-txt-citetags"></span><b>Example 
  2  (NAT):</b><br>
                             <br>
                             <span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
                                                         
<pre wrap=""><span class="moz-txt-citetags"></span><span
 class="moz-txt-citetags"></span>     192.0.2.126	eth0	10.1.1.126</pre>
                             /etc/shorewall/rules                       
     
<pre wrap=""><span class="moz-txt-citetags"></span>     # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
 class="moz-txt-citetags"></span><br>     <span class="moz-txt-citetags"></span>ACCEPT	net	loc:10.1.1.126	tcp	www<span
 class="moz-txt-citetags"></span><br></pre>
                          <b>Example 3 (DNAT):<br>
                          </b>                          
<pre>     # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br>     DNAT	net	loc:10.1.1.127	tcp	smtp	-	192.0.2.127<br></pre>
                                                 
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules 
            but they don't seem to do anything. Why?</h4>
                         You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf 
            so the contents of the tcrules file are simply being ignored.<br>
                                               
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
            to change Shorewall to allow access to my server from the internet?</b><br>
                        </h4>
                        Yes. Consult the <a
 href="shorewall_quickstart_guide.htm">QuickStart       guide</a>   that
you used during your initial setup for information about      how to set
 up rules for your server.<br>
                                           
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
           what are they?<br>
                      </h4>
                                              
<blockquote>                                                            
     
  <pre>Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00<br>     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 <br>     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]<br></pre>
                      </blockquote>
                      192.0.2.3 is external on my firewall... 172.16.0.0/24 
 is  my  internal     LAN<br>
                      <br>
                      <b>Answer: </b>While most people associate the Internet 
  Control     Message     Protocol (ICMP) with 'ping', ICMP is a key piece 
 of  the internet.     ICMP   is  used to report problems back to the sender 
 of a packet; this   is  what  is happening  here. Unfortunately, where NAT 
 is involved (including     SNAT,  DNAT and Masquerade),  there are a lot 
of broken implementations.    That is  what you are seeing with  these messages.<br>
                      <br>
                     Here is my interpretation of what is happening -- to 
confirm     this   analysis,    one would have to have packet sniffers placed 
a both    ends of   the connection.<br>
                     <br>
                     Host 172.16.1.10 behind NAT gateway 206.124.146.179
sent   a  UDP   DNS   query    to 192.0.2.3 and your DNS server tried to
send a  response   (the response   information  is in the brackets -- note
source  port 53 which   marks this as  a DNS reply).  When the response was
returned  to to 206.124.146.179,    it rewrote  the destination  IP TO 172.16.1.10 
and forwarded the packet  to  172.16.1.10  who no longer had  a connection 
on UDP port 2857. This causes    a port unreachable  (type 3, code  3) to 
be generated back to 192.0.2.3.   As this packet is sent  back through  206.124.146.179, 
  that box correctly   changes the source address  in the packet  to 206.124.146.179 
  but doesn't   reset the DST IP in the original   DNS response  similarly. 
  When the ICMP   reaches your firewall (192.0.2.3),   your firewall  has 
no  record of having   sent a DNS reply to 172.16.1.10 so   this ICMP doesn't 
   appear to be related   to anything that was sent. The final   result is 
 that the packet gets logged   and dropped in the all2all chain. I  have also
 seen cases where the source   IP in the ICMP itself isn't set back  to the
 external IP of the remote NAT   gateway; that causes your firewall to  log
 and drop the packet out of the   rfc1918 chain because the source IP is
 reserved by RFC 1918.<br>
                           
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
       I want to <b>run when Shorewall starts.</b> Which file do I put them
  in?</h4>
                      You can place these commands in one of the <a
 href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
Be sure that you look at the contents of the chain(s) that you will be modifying
       with your commands to be sure that the commands will do what they
are    intended.    Many iptables commands published in HOWTOs and other
instructional    material    use the -A command which adds the rules to the
end of the chain.    Most chains    that Shorewall constructs end with an
unconditional DROP,   ACCEPT or REJECT    rule and any rules that you add
after that will be ignored.   Check "man iptables"   and look at the -I (--insert)
command.<br>
                       
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
      web site?</h4>
            The Shorewall web site is almost font neutral (it doesn't explicitly
     specify fonts except on a few pages) so the fonts you see are largely
 the   default fonts configured  in your browser. If you don't like them
then  reconfigure   your browser.<br>
                 
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say 
    the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
         In the SOURCE column of the rule, follow "net" by a colon and a
list   of  the host/subnet addresses as a comma-separated list.<br>
                 
<pre>��� net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
         Example:<br>
                 
<pre>    ACCEPT	net:192.0.2.16/28,192.0.2.44	fw	tcp	22<br></pre>
<h4></h4>
                                                                        
     
<div align="left">     </div>
                          <font size="2">Last updated 2/6/2003 - <a
 href="support.htm">Tom   Eastep</a></font>                              
                      
<p><a href="copyright.htm"><font size="2">Copyright</font>              
� <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</body>
</html>