shorewall_code/STABLE/documentation/sourceforge_index.htm
teastep 1f72beecc8 Shorewall-1.4.6b
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@684 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-08-05 18:38:21 +00:00


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#3366ff">
<tbody>
<tr>
<td width="33%" height="90"
valign="middle" align="center"><a href="http://www.cityofshoreline.com">
</a><img src="images/Logo1.png"
alt="(Shorewall Logo)" width="430" height="90">
<br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a
href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more
details.<br>
<br>
You should have received
a copy of the GNU General Public
License along with this program;
if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a
href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
<li>The 1.2 site is <a
href="http://shorewall.net/1.2/" target="_top">here</a>.<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart
Guide</a> that most closely matches your environment and
follow the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation on this
site will not apply directly to your setup. If you want to
use the documentation that you find here, you will want to consider
uninstalling what you have and installing a setup that matches
the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.
<h2><b>News</b></h2>
<p><b>8/5/2003 - Shorewall-1.4.6b</b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"></p>
<b>Problems Corrected since version 1.4.6:</b><br>
<ol>
<li>Previously, if TC_ENABLED was set to yes in shorewall.conf,
Shorewall would fail to start with the error "ERROR: Traffic Control
requires Mangle"; that problem has been corrected.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of the
tcrules file. Previously, these addresses resulted in an invalid iptables
command.</li>
<li>The "shorewall stop" command is now disabled when /etc/shorewall/startup_disabled
exists. This prevents people from shooting themselves in the foot prior to
having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages during
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were being
added to a PPP interface; the addresses were successfully added in spite
of the messages.<br>
<br>
The firewall script has been modified to eliminate the error messages.<br>
</li>
</ol>
<p><b>7/31/2003 - Snapshot 1.4.6_20030731</b></p>
<blockquote>
<p><a href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots/</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Snapshots/"
target="_top">ftp://shorewall.net/pub/shorewall/Snapshots/</a></p>
</blockquote>
<p><b>Problems Corrected since version 1.4.6:</b><br>
</p>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED variable
was being tested before it was set.</li>
<li>Corrected handling of MAC addresses in the SOURCE column
of the tcrules file. Previously, these addresses resulted in an invalid
iptables command.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>Once you have installed this version of Shorewall, you must
restart Shorewall before you may use the 'drop', 'reject', 'allow' or 'save'
commands.</li>
<li>To maintain strict compatibility with previous versions,
current uses of "shorewall drop" and "shorewall reject" should be replaced
with "shorewall dropall" and "shorewall rejectall".</li>
</ol>
<p><b>New Features:</b> <br>
</p>
<ol>
<li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject' commands
use the routing table to determine which of these chains is to be used for
blacklisting the specified IP address(es).<br>
<br>
Two new commands ('dropall' and 'rejectall') have been introduced that
do what 'drop' and 'reject' used to do; namely, when an address is blacklisted
using these new commands, it will be blacklisted on all of your firewall's
interfaces.</li>
<li>Thanks to Steve Herber, the 'help' command can now give command-specific
help (e.g., shorewall help &lt;command&gt;).</li>
<li>A new option "ADMINISABSENTMINDED" has been added to /etc/shorewall/shorewall.conf.
This option has a default value of "No" for existing users which causes
Shorewall's 'stopped' state to continue as it has been; namely, in the
stopped state only traffic to/from hosts listed in /etc/shorewall/routestopped
is accepted.<br>
<br>
With ADMINISABSENTMINDED=Yes (the default for new installs), in addition
to traffic to/from the hosts listed in /etc/shorewall/routestopped, Shorewall
will allow:<br>
<br>
&nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
&nbsp;&nbsp; b) All traffic that is part of or related to an already-existing connection.<br>
<br>
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop" entered
through an ssh session will not kill the session.<br>
<br>
Note though that even with ADMINISABSENTMINDED=Yes, it is still possible
for people to shoot themselves in the foot.<br>
<br>
Example:<br>
<br>
/etc/shorewall/nat:<br>
<br>
&nbsp;&nbsp;&nbsp; 206.124.146.178&nbsp;&nbsp;&nbsp; eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5<br>
<br>
/etc/shorewall/rules:<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
<br>
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
connection with local system 192.168.1.5. I then create a second SSH connection
from that computer to the firewall and confidently type "shorewall stop".
As part of its stop processing, Shorewall removes eth0:0 which kills my SSH
connection to 192.168.1.5!!!<br>
</li>
</ol>
<p><b>7/22/2003 - Shorewall-1.4.6a</b></p>
<b>Problems Corrected:</b><br>
<ol>
<li>Previously, if TC_ENABLED was set to yes in shorewall.conf,
Shorewall would fail to start with the error "ERROR: Traffic Control
requires Mangle"; that problem has been corrected.</li>
</ol>
<p><b>7/20/2003 - Shorewall-1.4.6</b></p>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as
well as lists in the ORIGINAL DESTINATION column.<br>
<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed
if there are no DHCP rules to add.</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
<br>
&nbsp;&nbsp;&nbsp; z&nbsp;&nbsp;&nbsp; eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed
in 1.4.6 to allow entries of the following format:<br>
<br>
&nbsp;&nbsp;&nbsp; z&nbsp;&nbsp;&nbsp; eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT
options have been removed from /etc/shorewall/shorewall.conf. These
capabilities are now automatically detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added.
This option may be specified in /etc/shorewall/interfaces and overrides
the setting NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses
in /etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
is enabled for address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets
other than the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance
(round-robin) over a set of servers. Servers may be specified in
a range of addresses given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
&nbsp;&nbsp;&nbsp; DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT
configuration options have been removed and have been replaced by
code that detects whether these capabilities are present in the current
kernel. The output of the start, restart and check commands have been
enhanced to report the outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter
capabilities:<br>
&nbsp;&nbsp;&nbsp; NAT: Available<br>
&nbsp;&nbsp;&nbsp; Packet Mangling: Available<br>
&nbsp;&nbsp;&nbsp; Multi-port Match: Available<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension
has been added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in netfilter's
connection tracking table. Shorewall automatically detects the availability
of this extension and reports its availability in the output of the
start, restart and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter
capabilities:<br>
&nbsp;&nbsp;&nbsp; NAT: Available<br>
&nbsp;&nbsp;&nbsp; Packet Mangling: Available<br>
&nbsp;&nbsp;&nbsp; Multi-port Match: Available<br>
&nbsp;&nbsp;&nbsp; Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by
Shorewall is changed in the following ways:
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will
not create chains in the mangle table but will rather do all 'norfc1918'
filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two
netfilter rules; one in the nat table and one in the filter table.
If the Connection Tracking Match Extension is available, the rule
in the filter table is extended to check that the original destination
address was the same as specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
</li>
<li>The shell used to interpret the firewall script
(/usr/share/shorewall/firewall) may now be specified using the SHOREWALL_SHELL
parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
&nbsp;&nbsp;&nbsp; ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt; ]<br>
<br>
Examples:<br>
<br>
&nbsp;&nbsp;&nbsp; [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CIDR=192.168.1.0/24<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NETMASK=255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NETWORK=192.168.1.0<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; BROADCAST=192.168.1.255<br>
&nbsp;&nbsp;&nbsp; [root@wookie root]#<br>
<br>
&nbsp;&nbsp;&nbsp; [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CIDR=192.168.1.0/24<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NETMASK=255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NETWORK=192.168.1.0<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; BROADCAST=192.168.1.255<br>
&nbsp;&nbsp;&nbsp; [root@wookie root]#<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmetic (ash
or dash), then the ipcalc command produces incorrect information for
IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce correct
information for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall.
<br>
<br>
&nbsp;&nbsp;&nbsp; iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addresses into a list
of network and host addresses. The command can be useful if you need
to construct an efficient set of rules that accept connections from
a range of network addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic
(ash or dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
&nbsp;&nbsp;&nbsp; [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
&nbsp;&nbsp;&nbsp; 192.168.1.4/30<br>
&nbsp;&nbsp;&nbsp; 192.168.1.8/29<br>
&nbsp;&nbsp;&nbsp; 192.168.1.16/28<br>
&nbsp;&nbsp;&nbsp; 192.168.1.32/27<br>
&nbsp;&nbsp;&nbsp; 192.168.1.64/26<br>
&nbsp;&nbsp;&nbsp; 192.168.1.128/25<br>
&nbsp;&nbsp;&nbsp; 192.168.2.0/23<br>
&nbsp;&nbsp;&nbsp; 192.168.4.0/22<br>
&nbsp;&nbsp;&nbsp; 192.168.8.0/22<br>
&nbsp;&nbsp;&nbsp; 192.168.12.0/29<br>
&nbsp;&nbsp;&nbsp; 192.168.12.8/31<br>
&nbsp;&nbsp;&nbsp; [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in
an entry in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
&nbsp;&nbsp;&nbsp; foo&nbsp;&nbsp;&nbsp; eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li value="11">The "shorewall check" command now includes
the chain name when printing the applicable policy for each pair of zones.<br>
<br>
Example:<br>
<br>
&nbsp;&nbsp;&nbsp; Policy for dmz to net is REJECT using chain all2all<br>
<br>
This means that the policy for connections from the dmz to the internet
is REJECT and the applicable entry in the /etc/shorewall/policy was the
all-&gt;all policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
</li>
</ol>
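<p>As an added example (not Shorewall's own code), the address arithmetic behind the ipcalc and iprange commands described above, written as a POSIX shell script. It assumes 64-bit shell integers, which is exactly what the ash/dash warning above is about; the function and variable names are this example's own, not Shorewall's.</p>

```shell
#!/bin/sh
# Added example, not Shorewall's own code: the address arithmetic behind
# "shorewall ipcalc" and "shorewall iprange" in POSIX shell.
# Assumes 64-bit shell integers (bash, or dash on a 64-bit system); a shell
# limited to 32-bit signed arithmetic misbehaves at 128.0.0.0, as warned above.

# Dotted quad -> integer in 0..4294967295
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ipcalc <address>/<vlsm>  |  ipcalc <address> <netmask>
# Prints the same four lines as the real command (CIDR is printed as network/vlsm).
ipcalc() {
    if [ $# -eq 2 ]; then
        addr=$1; mask=$(ip2int "$2"); vlsm=0; m=$mask
        # count the leading one bits of the netmask to get the prefix length
        while [ $(( m & 2147483648 )) -ne 0 ]; do
            vlsm=$(( vlsm + 1 )); m=$(( (m << 1) & 4294967295 ))
        done
    else
        addr=${1%/*}; vlsm=${1#*/}
        mask=$(( (4294967295 << (32 - vlsm)) & 4294967295 ))
    fi
    net=$(( $(ip2int "$addr") & mask ))
    echo "CIDR=$(int2ip $net)/$vlsm"
    echo "NETMASK=$(int2ip $mask)"
    echo "NETWORK=$(int2ip $net)"
    echo "BROADCAST=$(int2ip $(( net | (mask ^ 4294967295) )))"
}

# iprange <first>-<last>: greedy decomposition into the fewest CIDR blocks.
# At each step take the largest block that starts at the current address
# (alignment check) and does not run past the end of the range.
iprange() {
    cur=$(ip2int "${1%-*}"); last=$(ip2int "${1#*-}")
    while [ "$cur" -le "$last" ]; do
        bits=0
        while [ $bits -lt 32 ]; do
            span=$(( (1 << (bits + 1)) - 1 ))
            [ $(( cur & span )) -eq 0 ] && [ $(( cur | span )) -le "$last" ] || break
            bits=$(( bits + 1 ))
        done
        echo "$(int2ip $cur)/$(( 32 - bits ))"
        cur=$(( cur + (1 << bits) ))
    done
}

# The two examples from the release notes above
ipcalc 192.168.1.0 255.255.255.0
iprange 192.168.1.4-192.168.12.9
```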
<p><b>7/15/2003 - New Mirror in Brazil</b></p>
Thanks to the folks at securityopensource.org.br, there is now
a <a href="http://shorewall.securityopensource.org.br"
target="_top">Shorewall mirror in Brazil</a>.
<p><b>6/17/2003 - Shorewall-1.4.5</b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly
in the zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with
an empty second column are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or
REDIRECT[-] rule may now contain a list of addresses. If the list
begins with "!" then the rule will take effect only if the original
destination address in the connection request does not match any
of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b></p>
The firewall at shorewall.net has been upgraded
to the 2.4.21 kernel and iptables 1.2.8 (using the "official" RPM
from netfilter.org). No problems have been encountered with this
set of software. The Shorewall version is 1.4.4b plus the accumulated
changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
<p><b><a href="News.htm">More News</a></b></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash)
distribution called <i>Bering</i>
that features Shorewall-1.4.2 and
Kernel-2.4.20. You can find their
work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations
to Jacques and Eric on the recent release
of Bering 1.2!!! </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></b></h1>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<h2><b><a name="Donations"></a>Donations</b></h2>
</td>
<td width="88"
bgcolor="#3366ff" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><font color="#ffffff"><b>Note:</b>
Search is unavailable Daily 0200-0330 GMT.</font></p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial"
size="-1"> <input type="text" name="words" size="15"></font><font
size="-1"> </font><font face="Arial" size="-1"> <input
type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial">
<input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#3366ff">
<tbody>
<tr>
<td width="100%"
style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if
you try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a>
Thanks!</font></font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 8/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</body>
</html>