forked from extern/shorewall_code
9def7cde17
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1326 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
405 lines
18 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta content="HTML Tidy, see www.w3.org" name="generator">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title>Shoreline Firewall (Shorewall) 2.0</title>
<base target="_self">
</head>
<body>
<div>
<table border="0" cellpadding="0" cellspacing="0" id="AutoNumber4"
style="border-collapse: collapse; width: 100%; height: 100%;">
<tbody>
<tr>
<td width="90%">
<h2>Introduction to Shorewall</h2>
<h3>This is the Shorewall 2.0 Web Site</h3>
<div style="margin-left: 40px;">The information on this site
applies only to 2.0.x releases of Shorewall. For older versions:<br>
</div>
<ul>
<ul>
<li>The 1.4 site is <a href="http://www.shorewall.net/1.4" target="_top">here</a>.</li>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3" target="_top">here</a>.</li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/" target="_top">here</a>.</li>
</ul>
</ul>
<h3>Glossary</h3>
<ul>
<li><a href="http://www.netfilter.org" target="_top">Netfilter</a> - the
packet filter facility built into the 2.4 and later Linux kernels.</li>
<li>ipchains - the packet filter facility built into the 2.2
Linux kernels. Also the name of the utility program used to configure
and control that facility. Netfilter can be used in ipchains
compatibility mode.</li>
<li>iptables - the utility program used to configure and
control Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).</li>
</ul>
|
|
<h3>What is Shorewall?</h3>
<div style="margin-left: 40px;">The Shoreline Firewall, more
commonly known as "Shorewall", is a high-level tool for configuring
Netfilter. You describe your firewall/gateway requirements using entries
in a set of configuration files. Shorewall reads those configuration files
and, with the help of the iptables utility, configures Netfilter to match
your requirements. Shorewall can be used on a dedicated firewall system, a
multi-function gateway/router/server or on a standalone GNU/Linux system.
Shorewall does not use Netfilter's ipchains compatibility mode and can thus
take advantage of Netfilter's <a
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html"
target="_top">connection state tracking capabilities</a>.<br>
<br>
Shorewall is <span style="text-decoration: underline;">not</span> a
daemon. Once Shorewall has configured Netfilter, its job is complete.
After that, there is no Shorewall code running, although the <a
href="starting_and_stopping_shorewall.htm">/sbin/shorewall
program can be used at any time to monitor the Netfilter firewall</a>.<br>
</div>
|
|
<h3>Getting Started with Shorewall</h3>
<div style="margin-left: 40px;">New to Shorewall? Start by
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely matches your environment and follow its step-by-step
instructions.<br>
</div>
<h3>Looking for Information?</h3>
<div style="margin-left: 40px;">The <a
href="Documentation_Index.html">Documentation Index</a> is a good place
to start, as is the Quick Search in the frame above. </div>
|
|
<h3>Running Shorewall on Mandrake® with a two-interface setup?</h3>
<div style="margin-left: 40px;">If so, the documentation on this
site will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider uninstalling
what you have and installing a setup that matches the documentation on
this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.<br>
<br>
<span style="font-weight: bold;">Update: </span>I've been
informed by Mandrake Development that this problem has been corrected
in Mandrake 10.0 Final (the problem still exists in the 10.0 Community
release).<br>
</div>
|
|
<h3>License</h3>
<div style="margin-left: 40px;">This program is free software;
you can redistribute it and/or modify it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
Public License</a> as published by the Free Software Foundation.<br>
</div>
<p style="margin-left: 40px;">This program is distributed in the
hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more detail.</p>
<p style="margin-left: 40px;">You should have received a copy of
the GNU General Public License along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<div style="margin-left: 40px;">Permission is granted to copy,
distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.2 or any later version published by the
Free Software Foundation; with no Invariant Sections, with no Front-Cover,
and with no Back-Cover Texts. A copy of the license is included in the
section entitled <a>"GNU Free Documentation License"</a>. </div>
<p>Copyright © 2001-2004 Thomas M. Eastep </p>
<hr style="width: 100%; height: 2px;">
|
|
<h2>News</h2>
<p><b>5/13/2004 - Shorewall 2.0.2</b> <img alt="(New)" src="images/new10.gif"
style="border: 0px solid ; width: 28px; height: 12px;" title=""></p>
<p>Problems Corrected since 2.0.1<br>
</p>
<ol>
<li>The /etc/init.d/shorewall script installed on Debian by
install.sh failed silently due to a missing file
(/usr/share/shorewall/wait4ifup). That file is not part of the normal
Shorewall distribution and is provided by the Debian maintainer.</li>
<li>A meaningless warning message out of the proxyarp file
processing has been eliminated.</li>
<li>The "shorewall delete" command now correctly removes all
dynamic rules pertaining to the host(s) being deleted. Thanks to Stefan
Engel for this correction.</li>
</ol>
Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:<br>
<ol>
<li>Extension Scripts -- In order for extension scripts to work
properly with the new iptables-save/restore integration (see New
Feature 1 below), some change may be required to your extension
scripts. If your extension scripts execute commands other than
iptables, then those commands must also be written to the restore file
(a temporary file in /var/lib/shorewall that is renamed
/var/lib/shorewall/restore-base at the end of the operation).<br>
<br>
The following functions should be of help:<br>
<br>
A. save_command() -- saves the passed command to the restore file.<br>
<br>
Example:<br>
<br>
save_command echo Operation Complete<br>
<br>
That command would simply write "echo Operation Complete"
to the restore file.<br>
<br>
B. run_and_save_command() -- saves the passed command to the restore
file, then executes it. The return value is the exit status of the
command.<br>
<br>
Example:<br>
<br>
run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"<br>
<br>
Note that, as in this example, when the command involves file
redirection the entire command must be enclosed in quotes. This applies
to all of the functions described here.<br>
<br>
C. ensure_and_save_command() -- runs the passed command. If the command
fails, the firewall is restored to its prior saved state and the
operation is terminated. If the command succeeds, the command is
written to the restore file.<br>
<br>
</li>
<li>Dynamic Zone support -- If you don't need to use the
"shorewall add" and "shorewall delete" commands, you should set
DYNAMIC_ZONES=No in /etc/shorewall/shorewall.conf.</li>
</ol>
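As an added illustration (not Shorewall's own code) of how the three helpers in item 1 interact with the restore file, the following stand-alone script re-implements their documented behaviour so it can be run outside Shorewall. RESTORE_FILE and SYSCTL_STUB are assumed names standing in for the temporary file in /var/lib/shorewall and for the /proc/sys entry from the example; the quoting rule for redirections applies exactly as described above.

```shell
#!/bin/sh
# Constructed re-implementation of the documented helper semantics; not Shorewall's code.
# RESTORE_FILE (assumed name) stands in for the temporary restore file in
# /var/lib/shorewall that is later renamed restore-base.
RESTORE_FILE="${RESTORE_FILE:-$(mktemp)}"
: > "$RESTORE_FILE"

# save_command: record the command text in the restore file without running it.
save_command() {
    printf '%s\n' "$*" >> "$RESTORE_FILE"
}

# run_and_save_command: record first, then run; return the command's exit status.
# A redirection only reaches eval intact if the whole command was quoted,
# which is why the page says to quote such commands.
run_and_save_command() {
    save_command "$*"
    eval "$*"
}

# ensure_and_save_command: run first and record only on success. In Shorewall a
# failure restores the prior saved state and aborts; here we just report the
# failure and leave the restore file untouched, which is the property to check.
ensure_and_save_command() {
    if eval "$*"; then
        save_command "$*"
        return 0
    fi
    echo "command failed, not recorded: $*" >&2
    return 1
}

# Number of commands recorded so far (used by the checks below).
restore_count() {
    wc -l < "$RESTORE_FILE" | tr -d ' '
}

# Last recorded command line.
last_saved() {
    tail -n 1 "$RESTORE_FILE"
}

# The page's two examples, run against a scratch file instead of /proc:
SYSCTL_STUB="${SYSCTL_STUB:-$(mktemp)}"   # stand-in for /proc/sys/net/ipv4/icmp_echo_ignore_all
save_command echo Operation Complete
run_and_save_command "echo 1 > $SYSCTL_STUB"
```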
|
|
New Features:<br>
<ol>
<li>Shorewall has now been integrated with
iptables-save/iptables-restore to provide very fast start and restart.
The elements of this integration are as follows:<br>
<br>
a) The 'shorewall save' command now saves the current configuration in
addition to the current dynamic blacklist. If you have dynamic zones,
you will want to issue 'shorewall save' when the zones are empty, or the
current contents of the zones will be restored by the 'shorewall
restore' and 'shorewall -f start' commands.<br>
<br>
b) The 'shorewall restore' command has been added. This command
restores the configuration as it was at the time of the last 'save'.<br>
<br>
c) The -f (fast) option has been added to 'shorewall start'. When
specified (e.g. 'shorewall -f start'), shorewall will perform a
'shorewall restore' if there is a saved configuration. If there is no
saved configuration, a normal 'shorewall start' is performed.<br>
<br>
d) The /etc/init.d/shorewall script now translates the 'start' command
into 'shorewall -f start' so that fast restart is possible.<br>
<br>
e) When a state-changing command encounters an error and there is a
current saved configuration, that configuration will be restored
(currently, the firewall is placed in the 'stopped' state).<br>
<br>
f) If you have previously saved the running configuration and want
Shorewall to discard it, use the 'shorewall forget' command. WARNING:
iptables 1.2.9 is broken with respect to iptables-save; if your kernel
has connection tracking match support, you must patch iptables 1.2.9
with the iptables patch available from the Shorewall errata page.<br>
<br>
</li>
<li>The previous implementation of dynamic zones was difficult
to maintain. I have changed the code to make dynamic zones optional
under the control of the DYNAMIC_ZONES option in
/etc/shorewall/shorewall.conf.<br>
<br>
</li>
<li>In earlier Shorewall 2.0 releases, Shorewall searched the
following directories, in order, for configuration files:<br>
<br>
a) The directory specified in a 'try' command or specified using the -c
option.<br>
b) /etc/shorewall<br>
c) /usr/share/shorewall<br>
<br>
In this release, the CONFIG_PATH option is added to shorewall.conf.
CONFIG_PATH contains a list of directory names separated by colons
(":"). If it is not set, or is set to a null value (e.g., CONFIG_PATH=""),
then "CONFIG_PATH=/etc/shorewall:/usr/share/shorewall" is assumed. Now
Shorewall searches for shorewall.conf according to the old rules and
for other configuration files as follows:<br>
<br>
a) The directory specified in a 'try' command or specified using the -c
option.<br>
b) Each directory in $CONFIG_PATH is searched in sequence.<br>
<br>
In case it is not obvious, your CONFIG_PATH should include
/usr/share/shorewall, and your shorewall.conf file must be in the
directory specified via -c or in a try command, in /etc/shorewall or in
/usr/share/shorewall.<br>
<br>
For distribution packagers, the default CONFIG_PATH is set in
/usr/share/shorewall/configpath. You can customize this file to have a
default that differs from mine.<br>
<br>
</li>
<li>Previously, in /etc/shorewall/nat a Yes (or yes) in the
LOCAL column would only take effect if the ALL INTERFACES column also
contained Yes or yes. Now, the LOCAL column's contents are treated
independently of the contents of the ALL INTERFACES column.<br>
<br>
</li>
<li>The folks at Mandrake have created yet another kernel
module naming convention (module names end in "ko.gz"). As a
consequence, beginning with this release, if MODULE_SUFFIX isn't
specified in shorewall.conf, then the default value is "o gz ko o.gz
ko.gz".<br>
<br>
</li>
<li>An updated bogons file is included in this release.<br>
<br>
</li>
<li>In /etc/shorewall/rules and in action files generated from
/usr/share/shorewall/action.template, rules that perform logging can
specify an optional "log tag". A log tag is a string of alphanumeric
characters and is specified by following the log level with ":" and the
log tag.<br>
<br>
Example:<br>
<br>
ACCEPT:info:ftp net dmz tcp 21<br>
<br>
The log tag is appended to the log prefix generated by the LOGPREFIX
variable in /etc/shorewall/shorewall.conf. If "ACCEPT:info" generates the
log prefix "Shorewall:net2dmz:ACCEPT:" then "ACCEPT:info:ftp" will generate
"Shorewall:net2dmz:ACCEPT:ftp " (note the trailing blank). The maximum
length of a log prefix supported by iptables is 29 characters; if a
longer prefix is generated, Shorewall will issue a warning message and
will truncate the prefix to 29 characters.<br>
<br>
</li>
<li>A new "-q" option has been added to /sbin/shorewall
commands. It causes the start, restart, check and refresh commands to
produce much less output so that warning messages are more visible
(when testing this change, I discovered a bug where a bogus warning
message was being generated).<br>
<br>
</li>
<li>Shorewall now uses 'modprobe' to load kernel modules if
that utility is available in the PATH; otherwise, 'insmod' is used.<br>
<br>
</li>
<li>It is now possible to restrict entries in the
/etc/shorewall/masq file to particular protocols and destination
port(s). Two new columns (PROTO and PORT(S)) have been added to the
file.<br>
<br>
Example:<br>
<br>
You want all outgoing SMTP traffic entering the firewall on eth1 to be
sent from eth0 with source IP address 206.124.146.177. You want all
other outgoing traffic from eth1 to be sent from eth0 with source IP
address 206.124.146.176.<br>
<br>
eth0 eth1 206.124.146.177 tcp 25<br>
eth0 eth1 206.124.146.176<br>
<br>
THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!<br>
<br>
Assuming that 10.0.0.0/8 is the only host/network connected to eth1,
the progress message at "shorewall start" would be:<br>
<br>
Masqueraded Networks and Hosts:<br>
To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177<br>
To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176<br>
<br>
</li>
<li>Two new actions are available in the /etc/shorewall/rules
file.<br>
<br>
ACCEPT+ -- Behaves like ACCEPT with the exception that it exempts
matching connections from subsequent DNAT[-] and REDIRECT[-] rules.<br>
NONAT -- Exempts matching connections from subsequent DNAT[-] and
REDIRECT[-] rules.<br>
<br>
</li>
<li>A new extension script 'initdone' has been added. This
script is invoked at the same point as the 'common' script was
previously and is useful for users who mis-used that script under
Shorewall 1.x (the script was intended for adding rules to the 'common'
chain, but many users treated it as a script for adding rules before
Shorewall's).<br>
<br>
</li>
<li>Installing/Upgrading Shorewall on Slackware has been
improved. Slackware users must use the tarball and must modify settings
in the install.sh script before running it as follows:<br>
<br>
DEST="/etc/rc.d"<br>
INIT="rc.firewall"<br>
<br>
Thanks to Alex Wilms for helping with this change.<br>
</li>
</ol>
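As an added example for New Feature 3 above (not Shorewall's own code), this shell function resolves a configuration file the way the text describes: shorewall.conf follows the old rules, every other file is looked for in the -c/try directory and then in each CONFIG_PATH entry in sequence, and an unset or empty CONFIG_PATH means /etc/shorewall:/usr/share/shorewall. ETC and SHARE are assumed names so the lookup can be exercised against a scratch tree instead of the real directories.

```shell
#!/bin/sh
# Added illustration of the 2.0.2 configuration file search order; not Shorewall's code.
# ETC and SHARE (assumed names) default to the real directories but can be
# pointed at a scratch tree for testing.
ETC="${ETC:-/etc/shorewall}"
SHARE="${SHARE:-/usr/share/shorewall}"

# find_config_file NAME [TRYDIR]
# Prints the first existing copy of NAME and returns 0, or returns 1 if none.
#   shorewall.conf : TRYDIR, then $ETC, then $SHARE (old rules; CONFIG_PATH is ignored)
#   anything else  : TRYDIR, then each entry of $CONFIG_PATH in sequence
# An unset or empty CONFIG_PATH means "$ETC:$SHARE", as the text states.
find_config_file() {
    name=$1
    trydir=$2
    if [ "$name" = shorewall.conf ]; then
        path="$ETC:$SHARE"
    else
        path="${CONFIG_PATH:-$ETC:$SHARE}"
    fi
    if [ -n "$trydir" ]; then
        path="$trydir:$path"
    fi
    # Walk the colon-separated list without touching IFS; empty entries are skipped.
    rest="$path:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        if [ -n "$dir" ] && [ -f "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Warn when CONFIG_PATH is set but omits $SHARE, which the text says it should include.
check_config_path() {
    case ":${CONFIG_PATH:-$ETC:$SHARE}:" in
        *":$SHARE:"*) return 0 ;;
        *) echo "warning: CONFIG_PATH does not include $SHARE" >&2; return 1 ;;
    esac
}
```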
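For New Feature 7 above, an added example (not Shorewall's code) that splits a rules-file ACTION column such as "ACCEPT:info:ftp" into action, level and tag, assembles the log prefix with the tag and trailing blank as the text describes, and applies the 29-character iptables limit with a warning. The "Shorewall:&lt;chain&gt;:&lt;action&gt;:" shape is taken from the page's own example and is assumed here to be what LOGPREFIX produces.

```shell
#!/bin/sh
# Added illustration of log-tag handling; not Shorewall's code. The prefix
# shape "Shorewall:<chain>:<action>:" is copied from the page's example and
# assumed to be what LOGPREFIX produces; MAX_LOG_PREFIX is the iptables limit
# the text quotes.
MAX_LOG_PREFIX=29

# log_prefix CHAIN ACTION [TAG]
# Prints the prefix. A tag is appended followed by a blank, as the text shows.
# If the result exceeds MAX_LOG_PREFIX it is truncated and a warning is
# written to stderr, mirroring the documented behaviour.
log_prefix() {
    chain=$1
    action=$2
    tag=$3
    prefix="Shorewall:$chain:$action:"
    if [ -n "$tag" ]; then
        # A log tag is alphanumeric only; reject anything else up front.
        case $tag in
            *[!A-Za-z0-9]*) echo "error: log tag '$tag' is not alphanumeric" >&2; return 1 ;;
        esac
        prefix="$prefix$tag "
    fi
    if [ ${#prefix} -gt $MAX_LOG_PREFIX ]; then
        echo "warning: log prefix \"$prefix\" exceeds $MAX_LOG_PREFIX characters, truncating" >&2
        prefix=$(printf '%s' "$prefix" | cut -c1-"$MAX_LOG_PREFIX")
    fi
    printf '%s\n' "$prefix"
}

# parse_action ACTIONSPEC: split "ACCEPT:info:ftp" into action, level and tag
# (printed space-separated, missing parts empty) so a rules column can feed log_prefix.
parse_action() {
    spec=$1
    action=${spec%%:*}
    rest=${spec#"$action"}
    rest=${rest#:}
    level=${rest%%:*}
    tag=${rest#"$level"}
    tag=${tag#:}
    printf '%s %s %s\n' "$action" "$level" "$tag"
}
```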
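For New Feature 11 above, an added example (not Shorewall's code) that reads masq entries with the new PROTO and PORT(S) columns and prints the progress lines in file order, so the first-match ordering the page warns about is visible. The two input lines and the eth1 to 10.0.0.0/8 mapping are constructed from the page's example.

```shell
#!/bin/sh
# Added illustration of the masq file's new PROTO and PORT(S) columns; not
# Shorewall's code. The input lines and the eth1 -> 10.0.0.0/8 mapping are
# constructed from the page's example.
MASQ_LINES='eth0 eth1 206.124.146.177 tcp 25
eth0 eth1 206.124.146.176'

# subnet_for SOURCE: if SOURCE names an interface, print the network behind it
# (constructed lookup); a literal network or address is passed through.
subnet_for() {
    case $1 in
        eth1) echo 10.0.0.0/8 ;;
        *) echo "$1" ;;
    esac
}

# masq_summary: read masq lines (INTERFACE SUBNET ADDRESS [PROTO [PORT(S)]])
# from stdin and print one progress line per entry, in file order. Order
# matters because the first matching entry wins, exactly as the page warns;
# a catch-all line placed first would shadow the port-specific one.
masq_summary() {
    while read -r iface source address proto ports rest; do
        [ -z "$iface" ] && continue
        case $iface in "#"*) continue ;; esac
        if [ -n "$proto" ]; then
            match="($proto${ports:+ $ports})"
        else
            match="(all)"
        fi
        printf 'To 0.0.0.0/0 %s from %s through %s using %s\n' \
            "$match" "$(subnet_for "$source")" "$iface" "$address"
    done
}

# Convenience wrapper over the constructed example so the result can be checked.
example_summary() {
    printf '%s\n' "$MASQ_LINES" | masq_summary
}
```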
|
|
<p><b>4/17/2004 - Presentation at LinuxFest NW</b></p>
<p>Today I gave a presentation at LinuxFest NW in Bellingham. The
presentation was entitled "<a
href="http://lists.shorewall.net/Shorewall_and_the_Enterprise.htm"
target="_blank">Shorewall and the Enterprise</a>" and described the
history of Shorewall and gave an overview of its features.<br>
</p>
<p><a href="News.htm">More News</a></p>
<hr style="width: 100%; height: 2px;">
<p><a href="http://leaf.sourceforge.net" target="_top"><img
alt="(Leaf Logo)"
style="border: 0px solid ; height: 36px; width: 49px;"
src="images/leaflogo.gif" title=""></a> LEAF is an open source project
which provides a Firewall/router on a floppy, CD or CF. Several LEAF
distributions, including Bering and Bering-uCLib, use Shorewall as their
Netfilter configuration tool.<br>
</p>
<hr style="width: 100%; height: 2px;">
<h2><a name="Donations"></a>Donations</h2>
<p style="text-align: left;"> <big><a href="http://www.alz.org"
target="_top"><img src="images/alz_logo2.gif" title=""
alt="(Alzheimer's Association Logo)"
style="border: 0px solid ; width: 300px; height: 60px;" align="left"></a>Shorewall
is free, but if you try it and find it useful, please consider making a
donation to the <a href="http://www.alz.org/" target="_top">Alzheimer's
Association</a>. Thanks!</big> </p>
</td>
</tr>
<tr>
<td style="vertical-align: top;"> <br>
</td>
</tr>
</tbody>
</table>
</div>
<p><font size="2">Updated 05/10/2004 - <a href="support.htm">Tom Eastep</a></font><br>
</p>
</body>
</html>