forked from extern/shorewall_code
f1a38f0724
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2068 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
387 lines
17 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
<title>Shoreline Firewall (Shorewall) 2.0</title>
<base target="_self">
<meta name="GENERATOR" content="OpenOffice.org 1.1.1 (Linux)">
<meta name="CREATED" content="20040920;15031500">
<meta name="CHANGED" content="20040920;15183300">
</head>
<body dir="ltr" lang="en-US">
<h1>Shorewall 2.x</h1>
<p><b>Tom Eastep</b><br>
<br>
The information on this site applies only
to 2.x releases of Shorewall. For older versions:</p>
<ul>
<li>
<p style="margin-bottom: 0in;">The 1.4 site is <a
href="http://www.shorewall.net/1.4" target="_top">here.</a></p>
</li>
<li>
<p style="margin-bottom: 0in;">The 1.3 site is <a
href="http://www.shorewall.net/1.3" target="_top">here.</a> </p>
</li>
<li>
<p>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>. </p>
</li>
</ul>
<p>The current 2.2 Stable Release is 2.2.3 -- Here are the <a
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.3/releasenotes.txt">release
notes</a> and here are the <a
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.3/known_problems.txt">known
problems</a> and <a
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.3/errata/">updates</a>.<br>
</p>
<p><a
href="http://lists.shorewall.net/pipermail/shorewall-announce/2004-December/000451.html"><span
style="font-weight: bold;">End of
support life for Shorewall 1.4 -- Upgrading to Shorewall 2.2</span></a><br>
<br>
Copyright © 2001-2005 Thomas M. Eastep</p>
<p>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software
Foundation; with no Invariant Sections, with no Front-Cover, and with
no Back-Cover Texts. A copy of the license is included in the section
entitled “<a href="GnuCopyright.htm" target="_self">GNU
Free Documentation License</a>”.</p>
<p>2005-05-01</p>
<hr style="width: 100%; height: 2px;">
<h3>Table of Contents</h3>
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
to Shorewall</a></p>
<p style="margin-left: 0.83in; margin-bottom: 0in;"><a href="#Glossary">Glossary</a><br>
<a href="#WhatIs">What
is Shorewall?</a><br>
<a href="#GettingStarted">Getting Started with
Shorewall</a><br>
<a href="#Info">Looking for Information?</a><br>
<a href="#Mandrake">Running
Shorewall on Mandrake® with a two-interface setup?</a><br>
<a href="#License">License</a></p>
<p style="margin-bottom: 0in; margin-left: 40px;"><a href="#News">News</a></p>
<p style="margin-left: 0.83in; margin-bottom: 0in;"><a href="#LinuxFest">Tom
spoke at LinuxFest NW 2005</a><br>
<a href="#2_2_3">Shorewall
2.2.3</a><br>
<a href="#2_0_17">Shorewall
2.0.17</a><br>
<a href="#2_2_2">Shorewall
2.2.2</a><br>
</p>
<div style="margin-left: 40px;"><br>
<a href="#Leaf">Leaf</a><br>
<br>
<a href="#OpenWRT">OpenWRT</a><br>
</div>
<p style="margin-left: 40px;"><a href="#Donations">Donations</a></p>
<h2><a name="Intro"></a>Introduction to Shorewall</h2>
<h3><a name="Glossary"></a>Glossary</h3>
<ul>
<li>
<p style="margin-bottom: 0in;"><a href="http://www.netfilter.org/"
target="_top">Netfilter</a> - the packet filter facility built into
the 2.4 and later Linux kernels. </p>
</li>
<li>
<p style="margin-bottom: 0in;">ipchains - the packet filter
facility built into the 2.2 Linux kernels. Also the name of the utility
program used to configure and control that facility. Netfilter can be
used in ipchains compatibility mode. </p>
</li>
<li>
<p>iptables - the utility program used to configure and control
Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode). </p>
</li>
</ul>
<h3><a name="WhatIs"></a>What is Shorewall?</h3>
<p style="margin-left: 0.42in;">The Shoreline Firewall, more commonly
known as "Shorewall", is a high-level tool for configuring
Netfilter. You describe your firewall/gateway requirements using
entries in a set of configuration files. Shorewall reads those
configuration files and, with the help of the iptables utility,
configures Netfilter to match your requirements. Shorewall
can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system. Shorewall
does not use Netfilter's ipchains compatibility mode and can thus
take advantage of Netfilter's <a
href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html"
target="_top">connection
state tracking capabilities</a>.<br>
<br>
Shorewall is <u>not</u> a
daemon. Once Shorewall has configured Netfilter, its job is
complete. After that, there is no Shorewall code running, although the
<a href="starting_and_stopping_shorewall.htm">/sbin/shorewall program
can be used at any time to monitor the Netfilter firewall</a>.<br>
</p>
<p style="margin-left: 0.42in;">Shorewall is not the easiest to use of
the available iptables configuration tools but I believe that it is the
most flexible and powerful. So if you are looking for a simple
point-and-click set-and-forget Linux firewall solution that requires a
minimum of networking knowledge, I would encourage you to check out the
following alternatives:</p>
<ul style="margin-left: 40px;">
<li><a href="http://www.m0n0.ch/wall">http://www.m0n0.ch/wall</a></li>
<li><a href="http://www.fs-security.com/">http://www.fs-security.com/</a><br>
</li>
</ul>
<p style="margin-left: 0.42in;">On the other hand, if you are looking
for a Linux firewall solution that can handle complex and fast changing
network environments then Shorewall is a logical choice.<br>
</p>
<h3><a name="GettingStarted"></a>Getting Started with Shorewall</h3>
<p style="margin-left: 0.42in;">New to Shorewall? Start by selecting
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely matches your environment and follow the step by
step instructions.</p>
<h3><a name="Info"></a>Looking for Information?</h3>
<p style="margin-left: 0.42in;">The <a href="Documentation_Index.html">Documentation
Index</a> is a good place to start, as is the Site Search in the
frame above.</p>
<h3><a name="Mandrake"></a>Running Shorewall on Mandrake® with a
two-interface setup?</h3>
<p style="margin-left: 0.42in;">If so, the documentation on this site
will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider
uninstalling what you have and installing a setup that matches the
documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<br>
<b>Update: </b>I have been
informed by Mandrake Development that this problem has been corrected
in Mandrake 10.0 Final (the problem still exists in the 10.0
Community release).</p>
<h3><a name="License"></a>License</h3>
<p style="margin-left: 0.42in;">This program is free software; you can
redistribute it and/or modify it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.</p>
<p style="margin-left: 0.42in;">This program is distributed in the
hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more detail.</p>
<p style="margin-left: 0.42in;">You should have received a copy of the
GNU General Public License along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
<p style="margin-left: 0.42in;">Permission is granted to copy,
distribute and/or modify this document under the terms of the GNU
Free Documentation License, Version 1.2 or any later version
published by the Free Software Foundation; with no Invariant
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy
of the license is included in the section entitled "GNU Free
Documentation License". </p>
<hr>
<h2><a name="News"></a>News</h2>
<span style="font-weight: bold;"><a name="LinuxFest"></a>05/01/2005 Tom
spoke at LinuxFest NW 2005 -- Bellingham Technical College,
Bellingham Washington<br>
</span><br>
Tom's presentation was entitled "Shorewall and Native IPSEC" and is
available for download <a href="LinuxFest.pdf">here (PDF Format)</a>.
<br>
<br>
<span style="font-weight: bold;"><a name="2_2_3"></a>04/07/2005
Shorewall 2.2.3<br>
</span><br>
Problems Corrected:<br>
<ol>
<li>If a zone is defined in /etc/shorewall/hosts using
&lt;interface&gt;:!&lt;network&gt; in the HOSTS column then startup
errors occur on "shorewall [re]start".</li>
<li>Previously, if "shorewall status" was run on a system whose
kernel lacked advanced routing support
(CONFIG_IP_ADVANCED_ROUTER), then no routing information was
displayed.</li>
</ol>
New Features:<br>
<ol>
<li>A new extension script "continue" has been added. This script is
invoked after Shorewall has set the built-in filter chains policy to
DROP, deleted any existing Netfilter rules and user chains and has
enabled existing connections. It is useful for enabling certain
communication while Shorewall is being [re]started. Be sure to delete
any rules that you add here in your /etc/shorewall/start file.</li>
<li>There has been ongoing confusion about how the
/etc/shorewall/routestopped file works. People understand how it works
with the 'shorewall stop' command but when they read that 'shorewall
restart' is logically equivalent to 'shorewall stop' followed by
'shorewall start' then they erroneously conclude that
/etc/shorewall/routestopped can be used to enable new connections
during 'shorewall restart'. Up to now, it cannot -- that file is not
processed during either 'shorewall start' or 'shorewall restart'.<br>
<br>
Beginning with Shorewall version 2.2.3, /etc/shorewall/routestopped
will be processed TWICE during 'shorewall start' and during 'shorewall
restart'. It will be processed early in the command execution to add
rules allowing new connections while the command is running and it will
be processed again when the command is complete to remove the rules
added earlier.<br>
<br>
The result of this change will be that during most of [re]start, new
connections will be allowed in accordance with the contents of
/etc/shorewall/routestopped.</li>
<li>The performance of configurations with a large number of entries
in /etc/shorewall/maclist can be improved by setting the new
MACLIST_TTL variable in /etc/shorewall/shorewall.conf.<br>
<br>
If your iptables and kernel support the "Recent Match" (see the output
of "shorewall check" near the top), you can cache the results of a
'maclist' file lookup and thus reduce the overhead associated with MAC
Verification.<br>
<br>
When a new connection arrives from a 'maclist' interface, the packet
passes through the list of entries for that interface in
/etc/shorewall/maclist. If there is a match then the source IP address
is added to the 'Recent' set for that interface. Subsequent connection
attempts from that IP address occurring within $MACLIST_TTL seconds will
be accepted without having to scan all of the entries. After
$MACLIST_TTL seconds from the first accepted connection request from an IP
address, the next connection request from that IP address will be
checked against the entire list.<br>
<br>
If MACLIST_TTL is not specified, is specified as empty (e.g.,
MACLIST_TTL="") or is specified as zero, then 'maclist' lookups will not
be cached.</li>
<li>You can now specify QUEUE as a policy and you can designate a
common action for QUEUE policies in /etc/shorewall/actions. This is
useful for sending packets to something like Snort Inline.<br>
</li>
</ol>
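<p>The MACLIST_TTL caching described in the 2.2.3 notes, traced as an added example (not Shorewall's own code, which implements the cache with iptables' "recent" match): a small Python model of a maclist lookup with and without a TTL. The maclist entries, the interface name and the connection sequence are constructed for the example; <code>ttl_from_conf</code>, <code>MaclistChecker</code> and <code>run_sequence</code> are names chosen here.</p>

```python
"""Model of the MACLIST_TTL 'recent' cache described in the Shorewall 2.2.3 notes.

Added example, not Shorewall's own code: Shorewall implements the cache with
iptables' "recent" match; here the recent set is a dict so the behaviour can
be traced offline. The maclist entries and the packet sequence are constructed.
"""


def ttl_from_conf(value):
    """Interpret a MACLIST_TTL setting from shorewall.conf: unset, "" and 0
    all mean 'no caching' (assumption: a non-numeric value is rejected)."""
    if value is None or str(value).strip() == "":
        return 0
    ttl = int(str(value).strip())
    if ttl < 0:
        raise ValueError("MACLIST_TTL must not be negative")
    return ttl


# Constructed maclist table: interface -> [(mac, ip_or_None)]
MACLIST = {
    "eth1": [
        ("00:11:22:33:44:01", "192.168.1.10"),
        ("00:11:22:33:44:02", "192.168.1.11"),
        ("00:11:22:33:44:03", None),  # MAC accepted from any address
    ],
}


class MaclistChecker:
    """Checks new connections against the maclist; with a non-zero ttl the
    source IP of an accepted connection is remembered for ttl seconds."""

    def __init__(self, maclist, ttl=0):
        self.maclist = maclist
        self.ttl = ttl
        self.recent = {}      # iface -> {ip: time of first accepted connection}
        self.full_scans = 0   # cost counter: how often the whole list was walked

    def _scan(self, iface, mac, ip):
        self.full_scans += 1
        for entry_mac, entry_ip in self.maclist.get(iface, []):
            if entry_mac == mac and (entry_ip is None or entry_ip == ip):
                return True
        return False

    def check(self, iface, mac, ip, now):
        """Return "ACCEPT" or "DROP" for a new connection seen at time `now`."""
        recent = self.recent.setdefault(iface, {})
        if self.ttl:
            first_seen = recent.get(ip)
            if first_seen is not None:
                if now - first_seen < self.ttl:
                    return "ACCEPT"   # cached on source IP; no MAC scan
                del recent[ip]        # TTL elapsed: this request gets a full scan
        if self._scan(iface, mac, ip):
            if self.ttl:
                recent[ip] = now
            return "ACCEPT"
        return "DROP"


def run_sequence(ttl):
    """Feed a constructed sequence of connection requests through the checker.
    Returns (verdicts, number_of_full_scans)."""
    checker = MaclistChecker(MACLIST, ttl)
    requests = [
        ("eth1", "00:11:22:33:44:01", "192.168.1.10", 0),   # known host
        ("eth1", "00:11:22:33:44:01", "192.168.1.10", 5),   # same host, 5 s later
        ("eth1", "00:11:22:33:44:09", "192.168.1.10", 20),  # unknown MAC using the cached IP
        ("eth1", "00:11:22:33:44:09", "192.168.1.10", 70),  # same, after the TTL
        ("eth1", "00:11:22:33:44:03", "10.9.9.9", 71),      # any-address MAC entry
    ]
    verdicts = [checker.check(*req) for req in requests]
    return verdicts, checker.full_scans


if __name__ == "__main__":
    for ttl in (0, 60):
        print("MACLIST_TTL=%d ->" % ttl, run_sequence(ttl))
```

<p>With MACLIST_TTL=0 the list is walked for every request (five scans); with MACLIST_TTL=60 the same sequence costs three. The third request makes the trade-off visible: within the TTL the cached decision is keyed on the source IP alone, as the note describes, so the MAC is not re-verified until the TTL has elapsed. Choose the TTL with that window in mind, and confirm with "shorewall check" that the Recent Match is available before relying on it.</p>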
<span style="font-weight: bold;"><a name="2_0_17"></a>03/31/2005
Shorewall 2.0.17<br>
<br>
</span>Problems Corrected:<br>
<ol>
<li>Invoking the 'rejNotSyn' action results in an error at startup.</li>
<li>The UDP and TCP port numbers in
/usr/share/shorewall/action.AllowPCA were reversed.</li>
<li>If a zone is defined in /etc/shorewall/hosts using &lt;<span
style="font-style: italic;">interface</span>&gt;:!&lt;<span
style="font-style: italic;">network</span>&gt; in the HOSTS column
then startup errors occur on "shorewall [re]start".<br>
</li>
</ol>
<span style="font-weight: bold;"><a name="2_2_2"></a>03/12/2005
Shorewall 2.2.2<br>
</span><br>
Problems Corrected:<br>
<ol>
<li>The SOURCE column in the /etc/shorewall/tcrules file now
correctly allows IP ranges (assuming that your iptables and kernel
support ranges).<br>
</li>
<li>If A is a user-defined action and you have file /etc/shorewall/A
then when that file is invoked by Shorewall during [re]start, the $TAG
value may be incorrect.</li>
<li>Previously, if an iptables command generating a logging rule
failed, the Shorewall [re]start was still successful. This error is now
considered fatal and Shorewall will be either restored from the last
save (if any) or it will be stopped.</li>
<li>The port numbers for UDP and TCP were previously reversed in the
/usr/share/shorewall/action.AllowPCA file.</li>
<li>Previously, the 'install.sh' script did not update the
/usr/share/shorewall/action.* files.</li>
<li>Previously, when an interface name appeared in the DEST column of
/etc/shorewall/tcrules, the name was not validated against the set of
defined interfaces and bridge ports.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>The SOURCE column in the /etc/shorewall/tcrules file now allows
$FW to be optionally followed by ":" and a host/network address or
address range.</li>
<li>Shorewall now clears the output device only if it is a terminal.
This avoids ugly control sequences being placed in files when
/sbin/shorewall output is redirected.</li>
<li>The output from 'arp -na' has been added to the 'shorewall
status' display.</li>
<li>The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges
to appear in port lists handled by "multiport match". If Shorewall
detects this capability, it will use "multiport match" for port lists
containing port ranges. Be cautioned that each port range counts for
TWO ports and a port list handled with "multiport match" can still
specify a maximum of 15 ports.<br>
<br>
As always, if a port list in /etc/shorewall/rules is incompatible with
"multiport match", a separate iptables rule will be generated for each
element in the list.</li>
<li>Traditionally, the RETURN target in the 'rfc1918' file has caused
'norfc1918' processing to cease for a packet if the packet's source IP
address matches the rule. Thus, if you have:<br>
<br>
<span style="font-family: monospace;">
SUBNETS TARGET</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
192.168.1.0/24 RETURN</span><br>
<br>
then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though
you also have:<br>
<br>
<span style="font-family: monospace;">
SUBNETS TARGET</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
10.0.0.0/8 logdrop</span><br>
<br>
Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to
be logged and dropped since while the packet's source matches the
RETURN rule, the packet's destination matches the 'logdrop' rule.<br>
<br>
If not specified or specified as empty (e.g., RFC1918_STRICT="") then
RFC1918_STRICT=No is assumed.<br>
<br>
WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables
support 'Connection Tracking' match.<br>
</li>
</ol>
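<p>Port-list accounting for "multiport match" (item 4 of the 2.2.2 new features), as an added example in Python, not Shorewall's own code: it parses a port list in the <code>port</code> / <code>low:high</code> form used in /etc/shorewall/rules, counts each range as two of the fifteen multiport slots, and reports whether one multiport rule suffices or a separate rule per element would be generated. The function names and the <code>ranges_supported</code> flag are assumptions of the example.</p>

```python
"""Port-list accounting for "multiport match", as described in the Shorewall
2.2.2 notes. Added example, not Shorewall code: decides whether a port list
fits the 15-port multiport limit when each range counts as two ports, and
otherwise reports how many separate rules would be needed instead."""

MULTIPORT_MAX = 15  # limit quoted in the release note


def parse_port_list(spec):
    """Split a port list such as '22,80,1024:1030' into (low, high) pairs.
    A range is written low:high as in iptables; 'low:' runs to 65535 and
    ':high' starts at 0 (assumption: same shorthand iptables accepts)."""
    elements = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in port list %r" % spec)
        if ":" in item:
            low, high = item.split(":", 1)
            low = int(low) if low else 0
            high = int(high) if high else 65535
            if low > high:
                raise ValueError("inverted range %s" % item)
        else:
            low = high = int(item)
        if not (0 <= low <= 65535 and 0 <= high <= 65535):
            raise ValueError("port out of range in %s" % item)
        elements.append((low, high))
    return elements


def multiport_slots(spec):
    """Slots the list occupies in one multiport match: a single port is one,
    a range counts as two (the point the note warns about)."""
    return sum(2 if lo != hi else 1 for lo, hi in parse_port_list(spec))


def plan(spec, ranges_supported=True):
    """Return ('multiport', 1) if a single multiport rule can carry the list,
    else ('per-element', n) with the number of separate iptables rules that
    would be generated. `ranges_supported` models whether the kernel/iptables
    pair accepts ranges inside multiport lists (2.6.11 / 1.3.0 and later)."""
    elements = parse_port_list(spec)
    has_range = any(lo != hi for lo, hi in elements)
    if has_range and not ranges_supported:
        return ("per-element", len(elements))
    if multiport_slots(spec) > MULTIPORT_MAX:
        return ("per-element", len(elements))
    return ("multiport", 1)


if __name__ == "__main__":
    for spec in ("22,80,443", "22,80,1024:1030",
                 "1:2,3:4,5:6,7:8,9:10,11:12,13:14,15,16"):
        print("%-40s slots=%2d -> %s" % (spec, multiport_slots(spec), plan(spec)))
```

<p>The last sample list has nine elements but sixteen slots once its seven ranges are counted twice, so it no longer fits in one multiport match and falls back to nine rules; when reviewing a ruleset for rule-count growth, count slots rather than commas.</p>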
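<p>The RETURN / RFC1918_STRICT behaviour in item 5 above, as an added example in Python (not Shorewall's own code and not the iptables chain it builds): a model of the documented decision rule applied to the two rfc1918 entries quoted in the note and to the packet from 192.168.1.4 to 10.0.3.9. The function names, the <code>CONTINUE</code> verdict and the handling of packets whose source matches no entry are assumptions of the model.</p>

```python
"""Model of 'norfc1918' processing with and without RFC1918_STRICT for the
two rfc1918 entries quoted in the Shorewall 2.2.2 notes.

Added example, not Shorewall's own code: it models the decision rule the note
describes, not the iptables chain Shorewall actually builds. "CONTINUE" means
rfc1918 processing ended and the packet goes on to the normal rules."""
import ipaddress

# The two entries from the note, in file order: (SUBNETS, TARGET)
RFC1918_FILE = [
    ("192.168.1.0/24", "RETURN"),
    ("10.0.0.0/8", "logdrop"),
]


def strict_from_conf(value):
    """RFC1918_STRICT from shorewall.conf: unset or "" means No, as the note
    states; assumption: only a case-insensitive "Yes" enables it."""
    return (value or "").strip().lower() == "yes"


def first_match(entries, addr):
    """First (subnet, target) whose SUBNETS contains addr, in file order."""
    ip = ipaddress.ip_address(addr)
    for subnet, target in entries:
        if ip in ipaddress.ip_network(subnet):
            return subnet, target
    return None


def norfc1918_verdict(entries, src, dst, strict=False):
    """Action for a packet src -> dst.

    Traditional behaviour: the first entry matching the SOURCE decides, and
    RETURN ends processing. With strict=True a source RETURN is honoured only
    if the DESTINATION is not covered by a non-RETURN entry; otherwise that
    entry's target (here 'logdrop') applies, as the note describes.
    Packets whose source matches nothing are reported as CONTINUE: what the
    chain does with their destination is outside what the note states."""
    hit = first_match(entries, src)
    if hit is None:
        return "CONTINUE"
    _, target = hit
    if target != "RETURN":
        return target
    if strict:
        dst_hit = first_match(entries, dst)
        if dst_hit is not None and dst_hit[1] != "RETURN":
            return dst_hit[1]
    return "CONTINUE"


def demo(strict_setting):
    """Evaluate the note's packet (192.168.1.4 -> 10.0.3.9) under a given
    RFC1918_STRICT value as it would be written in shorewall.conf."""
    return norfc1918_verdict(RFC1918_FILE, "192.168.1.4", "10.0.3.9",
                             strict=strict_from_conf(strict_setting))


if __name__ == "__main__":
    for setting in (None, "", "No", "Yes"):
        print("RFC1918_STRICT=%r -> %s" % (setting, demo(setting)))
```

<p>The model keeps no connection-tracking state; the note's WARNING that RFC1918_STRICT=Yes needs the Connection Tracking match applies to the real rules Shorewall generates, not to this trace. The practical reading is the same either way: a RETURN entry for a trusted subnet is a deliberate hole in norfc1918 checking, and strict mode is what closes that hole for traffic headed to the other RFC 1918 ranges you log and drop.</p>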
<p><a href="News.htm">More News</a></p>
<hr>
<h2><a name="Leaf"></a>Leaf</h2>
<p><a href="http://leaf.sourceforge.net/" target="_top"><font
color="#000000"><img src="images/leaflogo.gif" name="Graphic1"
alt="(Leaf Logo)" align="bottom" border="1" height="39" width="52"></font></a>
LEAF is an open source project which provides a Firewall/router on a
floppy, CD or CF. Several LEAF distributions including Bering and
Bering-uClibc use Shorewall as their Netfilter configuration tool.</p>
<hr style="width: 100%; height: 2px;">
<h2><a name="OpenWRT"></a>OpenWRT</h2>
<a href="http://openwrt.org"><img alt="(OpenWRT Logo)"
src="images/openwrt.png"
style="border: 0px solid ; width: 88px; height: 31px;" hspace="4"></a>OpenWRT
is a project which provides open source firmware for Linksys WRT54G
wireless routers. Two different Shorewall packages are available for
OpenWRT.<br>
<hr>
<h2><a name="Donations"></a>Donations</h2>
<p align="left"><a href="http://www.alz.org/" target="_top"><font
color="#000000"><img src="images/alz_logo2.gif" name="Graphic2"
alt="(Alzheimer's Association Logo)" align="right" border="1"
height="63" width="303"></font></a><a href="http://www.starlight.org/"
target="_top"><font color="#000000"><img src="images/newlog.gif"
name="Graphic3" alt="(Starlight Foundation Logo)" align="right"
border="1" height="105" width="62"></font></a><font size="4">Shorewall
is free but if you try it and find it useful, please consider making
a donation to the <a href="http://www.alz.org/" target="_top">Alzheimer's
Association</a> or to the <a href="http://www.starlight.org/"
target="_top">Starlight
Children's Foundation</a>.</font></p>
<p align="left"><font size="4">Thank You<br>
</font></p>
</body>
</html>