forked from extern/shorewall_code
fd2a66710e
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@897 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
276 lines
19 KiB
HTML
276 lines
19 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html>
|
|
<head>
|
|
<meta content="HTML Tidy, see www.w3.org" name="generator" />
|
|
|
|
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
|
|
|
|
<title>Shoreline Firewall (Shorewall) 1.4</title>
|
|
|
|
<base target="_self" />
|
|
</head>
|
|
|
|
<body><div align="center"> <center> <table border="0" cellpadding="0"
|
|
cellspacing="0" id="AutoNumber4"
|
|
style="border-collapse: collapse; width: 100%; height: 100%;"><tbody><tr><td
|
|
width="90%"><h2>Site Problem</h2> The server that normally hosts
|
|
www.shorewall.net and ftp.shorewall.net is currently down. Until it is back
|
|
up, a small server with very limited bandwidth is being used temporarly. You
|
|
will likely experience better response time from the <a
|
|
href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
|
|
or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>. Sorry
|
|
for the inconvenience.<br /> <br /> <h2>Introduction to Shorewall</h2>
|
|
<h3>This is the Shorewall 1.4 Web Site</h3> The information on this site
|
|
applies only to 1.4.x releases of Shorewall. For older versions:<br />
|
|
<ul><li>The 1.3 site is <a href="http://www.shorewall.net/1.3" target="_top">here.</a></li><li>The
|
|
1.2 site is <a href="http://shorewall.net/1.2/" target="_top">here</a>.</li></ul>
|
|
<h3>Glossary</h3> <ul><li><a href="http://www.netfilter.org">Netfilter</a> -
|
|
the packet filter facility built into the 2.4 and later Linux kernels.</li><li>ipchains
|
|
- the packet filter facility built into the 2.2 Linux kernels. Also the name
|
|
of the utility program used to configure and control that facility.
|
|
Netfilter can be used in ipchains compatibility mode.</li><li>iptables - the
|
|
utility program used to configure and control Netfilter. The term
|
|
'iptables' is often used to refer to the combination of
|
|
iptables+Netfilter (with Netfilter not in ipchains compatibility mode).</li></ul>
|
|
<h3>What is Shorewall?</h3> The Shoreline Firewall, more commonly known as
|
|
"Shorewall", is high-level tool for configuring Netfilter. You
|
|
describe your firewall/gateway requirements using entries in a set of
|
|
configuration files. Shorewall reads those configuration files and with the
|
|
help of the iptables utility, Shorewall configures Netfilter to match your
|
|
requirements. Shorewall can be used on a dedicated firewall system, a
|
|
multi-function gateway/router/server or on a standalone GNU/Linux system.
|
|
Shorewall does not use Netfilter's ipchains compatibility mode and can
|
|
thus take advantage of Netfilter's connection state tracking
|
|
capabilities.<br /> <br /> Shorewall is <span
|
|
style="text-decoration: underline;">not</span> a daemon. Once Shorewall has
|
|
configured Netfilter, it's job is complete although the <a
|
|
href="starting_and_stopping_shorewall.htm">/sbin/shorewall program can be
|
|
used at any time to monitor the Netfilter firewall</a>.<br /> <h3>Getting
|
|
Started with Shorewall</h3> New to Shorewall? Start by selecting the <a
|
|
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
|
|
match your environment and follow the step by step instructions.<br />
|
|
<h3>Looking for Information?</h3> The <a
|
|
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a>
|
|
is a good place to start as is the Quick Search in the frame above.
|
|
<h3>License</h3> This program is free software; you can redistribute it
|
|
and/or modify it under the terms of <a
|
|
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
|
|
Public License</a> as published by the Free Software Foundation.<br />
|
|
<p>This program is distributed in the hope that it will be useful, but
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
|
more detail.</p> <p>You should have received a copy of the GNU General
|
|
Public License along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Permission is
|
|
granted to copy, distribute and/or modify this document under the terms of
|
|
the GNU Free Documentation License, Version 1.2 or any later version
|
|
published by the Free Software Foundation; with no Invariant Sections, with
|
|
no Front-Cover, and with no Back-Cover Texts. A copy of the license is
|
|
included in the section entitled <a>"GNU Free Documentation License"</a>.<p>Copyright
|
|
© 2001-2003 Thomas M. Eastep </p> <h3>Running Shorewall on Mandrake with a
|
|
two-interface setup?</h3> If so, the documentation <b></b>on this site will
|
|
not apply directly to your setup. If you want to use the documentation that
|
|
you find here, you will want to consider uninstalling what you have and
|
|
installing a setup that matches the documentation on this site. See the <a
|
|
href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br />
|
|
<h2>News</h2> <p><b>12/07/2003 - Shorewall 1.4.9 Beta 1</b> <b><img
|
|
alt="(New)" src="images/new10.gif"
|
|
style="border: 0px solid ; width: 28px; height: 12px;" title="" /> </b></p>
|
|
<div style="margin-left: 40px;"><a
|
|
href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br />
|
|
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a>
|
|
</div> <p>Problems Corrected since version 1.4.8:</p> <ol><li>There has been
|
|
a low continuing level of confusion over the terms "Source NAT"
|
|
(SNAT) and "Static NAT". To avoid future confusion, all instances of
|
|
"Static NAT" have been replaced with "One-to-one NAT" in the
|
|
documentation and configuration files.</li><li>The description of NEWNOTSYN
|
|
in shorewall.conf has been reworded for clarity.</li><li>Wild-card rules
|
|
(those involving "all" as SOURCE or DEST) will no longer produce an
|
|
error if they attempt to add a rule that would override a NONE policy. The
|
|
logic for expanding these wild-card rules now simply skips those
|
|
(SOURCE,DEST) pairs that have a NONE policy.</li></ol> <p>Migration Issues:<br />
|
|
    None.<br /> <br /> New Features: </p> <ol><li>To
|
|
cut down on the number of "Why are these ports closed rather than
|
|
stealthed?" questions, the SMB-related rules in
|
|
/etc/shorewall/common.def have been changed from 'reject' to
|
|
'DROP'.</li><li>For easier identification, packets logged under the
|
|
'norfc1918' interface option are now logged out of chains named
|
|
'rfc1918'. Previously, such packets were logged under chains named
|
|
'logdrop'.</li><li>Distributors and developers seem to be regularly
|
|
inventing new naming conventions for kernel modules. To avoid the need to
|
|
change Shorewall code for each new convention, the MODULE_SUFFIX option has
|
|
been added to shorewall.conf. MODULE_SUFFIX may be set to the suffix for
|
|
module names in your particular distribution. If MODULE_SUFFIX is not set in
|
|
shorewall.conf, Shorewall will use the list "o gz ko o.gz".<br />
|
|
<br /> To see what suffix is used by your distribution:<br /> <br /> ls
|
|
/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter<br /> <br /> All of the
|
|
files listed should have the same suffix (extension). Set MODULE_SUFFIX to
|
|
that suffix.<br /> <br /> Examples:<br /> <br />
|
|
     If all files end in ".kzo" then set
|
|
MODULE_SUFFIX="kzo"<br />      If all
|
|
files end in ".kz.o" then set MODULE_SUFFIX="kz.o"</li><li>Support
|
|
for user defined rule ACTIONS has been implemented through two new files:<br />
|
|
<br /> /etc/shorewall/actions - used to list the user-defined ACTIONS.<br />
|
|
/etc/shorewall/action.template - For each user defined <action>,
|
|
copy this file to /etc/shorewall/action.<action> and add the
|
|
appropriate rules for that <action>. Once an <action> has
|
|
been defined, it may be used like any of the builtin ACTIONS (ACCEPT, DROP,
|
|
etc.) in /etc/shorewall/rules.<br /> <br /> Example: You want an action that
|
|
logs a packet at the 'info' level and accepts the connection.<br />
|
|
<br /> In /etc/shorewall/actions, you would add:<br /> <br />
|
|
     LogAndAccept<br /> <br /> You would then
|
|
copy /etc/shorewall/action.template to /etc/shorewall/LogAndAccept and in
|
|
that file, you would add the two rules:<br />
|
|
        LOG:info<br />
|
|
        ACCEPT<br />
|
|
<br /></li></ol> <p><b>12/03/2003 - Support Torch Passed</b> <b><img
|
|
alt="(New)" src="images/new10.gif"
|
|
style="border: 0px solid ; width: 28px; height: 12px;" title="" /></b></p>
|
|
Effective today, I am reducing my participation in the day-to-day support of
|
|
Shorewall. As part of this shift to community-based Shorewall support a new
|
|
<a href="https://lists.shorewall.net/mailman/listinfo/shorewall-newbies">Shorewall
|
|
Newbies mailing list</a> has been established to field questions and
|
|
problems from new users. I will not monitor that list personally. I will
|
|
continue my active development of Shorewall and will be available via the
|
|
development list to handle development issues -- Tom. <p><b>11/07/2003 -
|
|
Shorewall 1.4.8</b><b><br /> <br /> </b> Problems Corrected since version
|
|
1.4.7:<br /> </p> <ol><li>Tuomo Soini has supplied a correction to a problem
|
|
that occurs using some versions of 'ash'. The symptom is that
|
|
"shorewall start" fails with:<br />  <br />   
|
|
local: --limit: bad variable name<br />    iptables v1.2.8:
|
|
Couldn't load match `-j':/lib/iptables/libipt_-j.so:<br />
|
|
   cannot open shared object file: No such file or directory<br />
|
|
   Try `iptables -h' or 'iptables --help' for more
|
|
information.</li><li>Andres Zhoglo has supplied a correction that avoids
|
|
trying to use the multiport match iptables facility on ICMP rules.<br />
|
|
 <br />    Example of rule that previously caused
|
|
"shorewall start" to fail:<br />  <br />
|
|
          
|
|
ACCEPT      loc  $FW 
|
|
icmp    0,8,11,12<br /> <br /></li><li>Previously, if
|
|
the following error message was issued, Shorewall was left in an
|
|
inconsistent state.<br />  <br />    Error: Unable to
|
|
determine the routes through interface xxx<br /> <br /></li><li>Handling of
|
|
the LOGUNCLEAN option in shorewall.conf has been corrected.</li><li>In
|
|
Shorewall 1.4.2, an optimization was added. This optimization involved
|
|
creating a chain named "<zone>_frwd" for most zones defined
|
|
using the /etc/shorewall/hosts file. It has since been discovered that in
|
|
many cases these new chains contain redundant rules and that the
|
|
"optimization" turns out to be less than optimal. The implementation
|
|
has now been corrected.</li><li>When the MARK value in a tcrules entry is
|
|
followed by ":F" or ":P", the ":F" or ":P"
|
|
was previously only applied to the first Netfilter rule generated by the
|
|
entry. It is now applied to all entries.</li><li>An incorrect comment
|
|
concerning Debian's use of the SUBSYSLOCK option has been removed from
|
|
shorewall.conf.</li><li>Previously, neither the 'routefilter'
|
|
interface option nor the ROUTE_FILTER parameter were working properly. This
|
|
has been corrected (thanks to Eric Bowles for his analysis and patch). The
|
|
definition of the ROUTE_FILTER option has changed however. Previously,
|
|
ROUTE_FILTER=Yes was documented as enabling route filtering on all
|
|
interfaces (which didn't work). Beginning with this release, setting
|
|
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought up
|
|
while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can coexist
|
|
with the use of the 'routefilter' option in the interfaces file.</li><li>If
|
|
MAC verification was enabled on an interface with a /32 address and a
|
|
broadcast address then an error would occur during startup.</li><li>he NONE
|
|
policy's intended use is to suppress the generating of rules that
|
|
can't possibly be traversed. This means that a policy of NONE is
|
|
inappropriate where the source or destination zone is $FW or "all".
|
|
Shorewall now generates an error message if such a policy is given in
|
|
/etc/shorewall/policy. Previously such a policy caused "shorewall
|
|
start" to fail.</li><li>The 'routeback' option was broken for
|
|
wildcard interfaces (e.g., "tun+"). This has been corrected so that
|
|
'routeback' now works as expected in this case.<br /></li></ol>
|
|
Migration Issues:<br /> <ol><li>The definition of the ROUTE_FILTER option in
|
|
shorewall.conf has changed as described in item 8) above.<br /></li></ol>
|
|
New Features:<br /> <ol><li>A new QUEUE action has been introduced for
|
|
rules. QUEUE allows you to pass connection requests to a user-space filter
|
|
such as ftwall (http://p2pwall.sourceforge.net). The ftwall program allows
|
|
for effective filtering of p2p applications such as Kazaa. For example, to
|
|
use ftwall to filter P2P clients in the 'loc' zone, you would add
|
|
the following rules:<br /> <br />    QUEUE  
|
|
loc        
|
|
net    tcp<br />    QUEUE  
|
|
loc        
|
|
net    udp<br />    QUEUE  
|
|
loc        
|
|
fw     udp<br /> <br /> You would normally want
|
|
to place those three rules BEFORE any ACCEPT rules for loc->net udp or
|
|
tcp.<br /> <br /> Note: When the protocol specified is TCP ("tcp",
|
|
"TCP" or "6"), Shorewall will only pass connection requests
|
|
(SYN packets) to user space. This is for compatibility with ftwall.</li><li>A
|
|
BLACKLISTNEWNONLY option has been added to shorewall.conf. When this option
|
|
is set to "Yes", the blacklists (dynamic and static) are only
|
|
consulted for new connection requests. When set to "No" (the default
|
|
if the variable is not set), the blacklists are consulted on every packet.<br />
|
|
<br /> Setting this option to "No" allows blacklisting to stop
|
|
existing connections from a newly blacklisted host but is more expensive in
|
|
terms of packet processing time. This is especially true if the blacklists
|
|
contain a large number of entries.</li><li>Chain names used in the
|
|
/etc/shorewall/accounting file may now begin with a digit ([0-9]) and may
|
|
contain embedded dashes ("-").</li></ol> <p><b>10/26/2003 -
|
|
Shorewall 1.4.7a and 1.4.7b win brown paper bag awards</b> <b><img
|
|
align="middle" alt="" src="images/j0233056.gif"
|
|
style="border: 0px solid ; width: 50px; height: 80px;" title="" />Shorewall
|
|
1.4.7c released.</b></p> <ol><li>The saga with "<zone>_frwd"
|
|
chains continues. The 1.4.7c script produces a ruleset that should work for
|
|
everyone even if it is not quite optimal. My apologies for this ongoing
|
|
mess.<br /></li></ol> <p><b>10/24/2003 - Shorewall 1.4.7b</b></p> <p>This is
|
|
a bugfx rollup of the 1.4.7a fixes plus:<br /> </p> <ol><li>The fix for
|
|
problem 5 in 1.4.7a was wrong with the result that
|
|
"<zone>_frwd" chains might contain too few rules. That wrong
|
|
code is corrected in this release.<br /></li></ol> <p><b>10/21/2003 -
|
|
Shorewall 1.4.7a</b></p> <p>This is a bugfix rollup of the following problem
|
|
corrections:<br /> </p> <ol><li>Tuomo Soini has supplied a correction to a
|
|
problem that occurs using some versions of 'ash'. The symptom is
|
|
that "shorewall start" fails with:<br />  <br />
|
|
   local: --limit: bad variable name<br />   
|
|
iptables v1.2.8: Couldn't load match
|
|
`-j':/lib/iptables/libipt_-j.so:<br />    cannot open
|
|
shared object file: No such file or directory<br />    Try
|
|
`iptables -h' or 'iptables --help' for more information.<br />
|
|
<br /></li><li>Andres Zhoglo has supplied a correction that avoids trying to
|
|
use the multiport match iptables facility on ICMP rules.<br />  <br />
|
|
   Example of rule that previously caused "shorewall
|
|
start" to fail:<br />  <br />
|
|
          
|
|
ACCEPT      loc  $FW 
|
|
icmp    0,8,11,12<br /> <br /></li><li>Previously, if
|
|
the following error message was issued, Shorewall was left in an
|
|
inconsistent state.<br />  <br />    Error: Unable to
|
|
determine the routes through interface xxx<br /> <br /></li><li>Handling of
|
|
the LOGUNCLEAN option in shorewall.conf has been corrected.</li><li>In
|
|
Shorewall 1.4.2, an optimization was added. This optimization involved
|
|
creating a chain named "<zone>_frwd" for most zones defined
|
|
using the /etc/shorewall/hosts file. It has since been discovered that in
|
|
many cases these new chains contain redundant rules and that the
|
|
"optimization" turns out to be less than optimal. The implementation
|
|
has now been corrected.</li><li>When the MARK value in a tcrules entry is
|
|
followed by ":F" or ":P", the ":F" or ":P"
|
|
was previously only applied to the first Netfilter rule generated by the
|
|
entry. It is now applied to all entries.<br /></li></ol> <p><a
|
|
href="News.htm">More News</a></p> <p><a href="http://leaf.sourceforge.net"
|
|
target="_top"><img alt="(Leaf Logo)" border="0" height="36"
|
|
src="images/leaflogo.gif" width="49" /></a> Jacques Nilo and Eric Wolzak
|
|
have a LEAF (router/firewall/gateway on a floppy, CD or compact flash)
|
|
distribution called <i>Bering</i> that features Shorewall-1.4.2 and
|
|
Kernel-2.4.20. You can find their work at: <a
|
|
href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo<br />
|
|
</a></p> <b>Congratulations to Jacques and Eric on the recent release of
|
|
Bering 1.2!!!<br /> <br /> </b> <div style="text-align: center;"> <div
|
|
style="text-align: center;"><a href="http://www.shorewall.net" target="_top"><img
|
|
alt="(Protected by Shorewall)" src="images/ProtectedBy.png"
|
|
style="border: 0px solid ; width: 216px; height: 45px;" title="" /></a></div>
|
|
</div> <h2><a name="Donations"></a>Donations</h2> <p
|
|
style="text-align: left;"><a href="http://www.starlight.org"><img
|
|
align="left" alt="(Starlight Logo)" hspace="10" src="images/newlog.gif"
|
|
style="border: 4px solid ; width: 57px; height: 100px;" title="" /></a><br />
|
|
<big>Shorewall is free but if you try it and find it useful, please consider
|
|
making a donation to <a href="http://www.starlight.org">Starlight
|
|
Children's Foundation</a>. Thanks!</big><br /> <a
|
|
href="http://www.starlight.org"></a></p></td></tr></tbody></table> </center>
|
|
</div> <p><font size="2">Updated 12/21/2003 - <a href="support.htm">Tom
|
|
Eastep</a></font><br /> </p></body>
|
|
</html> |