| Introduction.xml (shorewall-docs-xml-5.2.3.6.tar.bz2) | : | Introduction.xml (shorewall-docs-xml-5.2.6.tar.bz2) |
|---|
| | |
| skipping to change at line 19 | | skipping to change at line 19 |
|---|
| | |
| <author> | | <author> |
| <firstname>Tom</firstname> | | <firstname>Tom</firstname> |
| | |
| <surname>Eastep</surname> | | <surname>Eastep</surname> |
| </author> | | </author> |
| | |
| <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> | | <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> |
| | |
| <copyright> | | <copyright> |
|
| <year>2003-2015</year> | | <year>2003-2020</year> |
| | |
| | <year>2019</year> |
| | |
| <holder>Thomas M. Eastep</holder> | | <holder>Thomas M. Eastep</holder> |
| </copyright> | | </copyright> |
| | |
| <legalnotice> | | <legalnotice> |
| <para>Permission is granted to copy, distribute and/or modify this | | <para>Permission is granted to copy, distribute and/or modify this |
| document under the terms of the GNU Free Documentation License, Version | | document under the terms of the GNU Free Documentation License, Version |
| 1.2 or any later version published by the Free Software Foundation; with | | 1.2 or any later version published by the Free Software Foundation; with |
| no Invariant Sections, with no Front-Cover, and with no Back-Cover | | no Invariant Sections, with no Front-Cover, and with no Back-Cover |
| Texts. A copy of the license is included in the section entitled | | Texts. A copy of the license is included in the section entitled |
| | |
| skipping to change at line 129 | | skipping to change at line 131 |
|---|
| networking knowledge, I would encourage you to check out the following | | networking knowledge, I would encourage you to check out the following |
| alternatives:</para> | | alternatives:</para> |
| | |
| <itemizedlist> | | <itemizedlist> |
| <listitem> | | <listitem> |
| <para><ulink url="https://help.ubuntu.com/community/UFW">UFW | | <para><ulink url="https://help.ubuntu.com/community/UFW">UFW |
| (Uncomplicated Firewall)</ulink></para> | | (Uncomplicated Firewall)</ulink></para> |
| </listitem> | | </listitem> |
| | |
| <listitem> | | <listitem> |
|
| <para><ulink url="http://www.ipcop.org">ipcop</ulink></para> | | <para><ulink url="https://comparite.ch/free-firewall">Other free |
| | firewalls</ulink></para> |
| </listitem> | | </listitem> |
| </itemizedlist> | | </itemizedlist> |
| | |
| <para>If you are looking for a Linux firewall solution that can handle | | <para>If you are looking for a Linux firewall solution that can handle |
| complex and fast changing network environments then Shorewall is a | | complex and fast changing network environments then Shorewall is a |
| logical choice.</para> | | logical choice.</para> |
| </section> | | </section> |
| </section> | | </section> |
| | |
| <section id="Concepts"> | | <section id="Concepts"> |
| | |
| skipping to change at line 173 | | skipping to change at line 176 |
|---|
| shown in the above file) is stored in the shell variable | | shown in the above file) is stored in the shell variable |
| $<firstterm>FW</firstterm> which may be used throughout the Shorewall | | $<firstterm>FW</firstterm> which may be used throughout the Shorewall |
| configuration to refer to the firewall zone.</para> | | configuration to refer to the firewall zone.</para> |
| | |
| <para>The simplest way to define the hosts in a zone is to associate the | | <para>The simplest way to define the hosts in a zone is to associate the |
| zone with a network interface using the <ulink | | zone with a network interface using the <ulink |
| url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces
</filename></ulink> | | url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces
</filename></ulink> |
| file. In the three-interface sample, the three zones are defined using | | file. In the three-interface sample, the three zones are defined using |
| that file as follows:</para> | | that file as follows:</para> |
| | |
|
| <programlisting>#ZONE INTERFACE BROADCAST OPTIONS | | <programlisting>#ZONE INTERFACE OPTIONS |
| net eth0 detect dhcp,routefilter | | net NET_IF tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourcerou |
| loc eth1 detect | | te=0,physical=eth0 |
| dmz eth2 detect</programlisting> | | loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1 |
| | dmz DMZ_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth2< |
| | /programlisting> |
| | |
| <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4 | | <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4 |
|
| hosts interfacing to the firewall through eth0, the | | hosts interfacing to the firewall through NET_IF, the |
| <emphasis>loc</emphasis> zone as all IPv4 hosts interfacing through eth1 | | <emphasis>loc</emphasis> zone as all IPv4 hosts interfacing through LOC_IF |
| and the <emphasis>dmz</emphasis> as all IPv4 hosts interfacing through | | and the <emphasis>dmz</emphasis> as all IPv4 hosts interfacing through |
|
| eth2. It is important to note that the composition of a zone is defined in | | eth2. The interface names shown in the INTERFACE column are <emphasis> |
| terms of a combination of addresses <emphasis role="bold">and</emphasis> | | logical</emphasis> names which are used throughout the configuration to |
| | refer to the individual interfaces. The actual interface names are |
| | specified using the <emphasis role="bold">physical</emphasis> option. It |
| | is important to note that the composition of a zone is defined in terms of |
| | a combination of addresses <emphasis role="bold">and</emphasis> |
| interfaces. When using the <ulink | | interfaces. When using the <ulink |
| url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces
</filename></ulink> | | url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces
</filename></ulink> |
| file to define a zone, all addresses are included; when you want to define | | file to define a zone, all addresses are included; when you want to define |
| a zone that contains a limited subset of the IPv4 address space, you use | | a zone that contains a limited subset of the IPv4 address space, you use |
| the <ulink | | the <ulink |
| url="manpages/shorewall-hosts.html"><filename>/etc/shorewall/hosts</filename
></ulink> | | url="manpages/shorewall-hosts.html"><filename>/etc/shorewall/hosts</filename
></ulink> |
| file or you may use the nets= option in | | file or you may use the nets= option in |
| <filename>/etc/shorewall/interfaces</filename>:</para> | | <filename>/etc/shorewall/interfaces</filename>:</para> |
| | |
|
| <programlisting>#ZONE INTERFACE BROADCAST OPTIONS | | <programlisting>#ZONE INTERFACE OPTIONS |
| net eth0 detect dhcp,routefilter,nets=(!192.168.0.0/23) | | net NET_IF tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourcerou |
| loc eth1 detect nets=(192.168.0.0/24) | | te=0,physical=eth0 |
| dmz eth2 detect nets=(192.168.1.0/24)</programlisting> | | loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1, |
| | <emphasis |
| | role="bold">nets=172.20.1.0/24</emphasis> |
| | dmz DMZ_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth2 |
| | </programlisting> |
| | |
| <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4 | | <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4 |
| hosts interfacing to the firewall through eth0 <emphasis>except</emphasis> | | hosts interfacing to the firewall through eth0 <emphasis>except</emphasis> |
| for 192.168.0.0/23, the <emphasis>loc</emphasis> zone as IPv4 hosts | | for 192.168.0.0/23, the <emphasis>loc</emphasis> zone as IPv4 hosts |
| 192.168.0.0/24 interfacing through eth1 and the <emphasis>dmz</emphasis> | | 192.168.0.0/24 interfacing through eth1 and the <emphasis>dmz</emphasis> |
| as IPv4 hosts 192.168.1.0/24 interfacing through eth2 (Note that | | as IPv4 hosts 192.168.1.0/24 interfacing through eth2 (Note that |
| 192.168.0.0/24 together with 192.168.1.0/24 comprises | | 192.168.0.0/24 together with 192.168.1.0/24 comprises |
| 192.168.0.0/23).</para> | | 192.168.0.0/23).</para> |
| | |
|
| | <para>Note that the names NET_IF, LOC_IF and DMZ_IF are <emphasis>logical |
| | interface names</emphasis> which are mapped to actual physical network |
| | interfaces using the <emphasis role="bold">physical=</emphasis> option in |
| | each interface file entry.</para> |
| | |
| <para>Rules about what traffic to allow and what traffic to deny are | | <para>Rules about what traffic to allow and what traffic to deny are |
| expressed in terms of zones. <itemizedlist spacing="compact"> | | expressed in terms of zones. <itemizedlist spacing="compact"> |
| <listitem> | | <listitem> |
| <para>You express your default policy for connections from one zone | | <para>You express your default policy for connections from one zone |
| to another zone in the <ulink | | to another zone in the <ulink |
| url="manpages/shorewall-policy.html"><filename | | url="manpages/shorewall-policy.html"><filename |
| class="directory">/etc/shorewall/</filename><filename>policy</filename
></ulink> | | class="directory">/etc/shorewall/</filename><filename>policy</filename
></ulink> |
| file. The basic choices for policy are:</para> | | file. The basic choices for policy are:</para> |
| | |
| <itemizedlist> | | <itemizedlist> |
| | | |
| End of changes. 7 change blocks. |
|---|
| 14 lines changed or deleted | | 32 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 