On Mon, 2 Sep 2002, Tim Burress wrote:
> Hello!
>
> I've been reading through the Shorewall documentation for a while and
> have a few questions:
>
> (1) In the online documentation for /etc/shorewall/interfaces, it says
> that if the norfc1918 option appears, packets discarded as a result may
> still be logged. Where is the logging for that controlled?
>
/etc/shorewall/rfc1918.
> (2) In /etc/shorewall/rules, what is the difference between specifying a
> port in the DEST column and specifying it in the DEST PORT(S) column?
A port in the DEST column is used in DNAT or REDIRECT rules where the
original port (as specified in the DEST PORT(S) column) is to be forwarded
to a server listening on a different port (the port specified in the DEST
column).
> And then as a follow-on, why is it that ports cannot be specified using
> symbolic names from /etc/services in the DEST column?
>
Ask the iptables authors -- it's their restriction.
> (3) What is the precise definition of "related" connections used in the
> /etc/shorewall/rules file? I see how ftp-data could be considered
> related to the controlling ftp connection, but are there other cases?
> Where are these defined?
In Netfilter code in the kernel. Possibly this article will help:
http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html
>
> (4) How is the current (presumably average) value of the connection rate
> computed for comparison to the value specified by the LIMIT option that
> appears in /etc/shorewall/policy? If I specify 10/sec:40, does this mean
> that bursts of 40 connections/second are allowed so long as the average
> connection rate does not exceed 10/second? If so, then over what period
> is the average computed?
This is an iptables/Netfilter feature that is just passed through by
Shorewall. "man iptables" and search for "rate" and you'll know everything
about it that I do.
>
> (5) I'm curious about the purpose of the blacklist. Does placing
> networks in the blacklist file provide a shortcut at runtime, allowing
> packets from blacklisted networks to be dropped before traversal of the
> firewall rules, or is it just an interface convenience, such that the
> blacklisted networks are mapped to firewall rules that simply precede
> all of the explicit ones?
The blacklist provides a list of IP addresses to be blocked that can be
updated without restarting the entire firewall (shorewall refresh).
>
> (6) Noting all of the warnings and recommendations against using static
> NAT, are there common situations in which you would want to use it?
>
As I write in the Shorewall Setup Guide -- I prefer to use NAT only in
cases where a system that is part of an RFC 1918 subnet needs to have its
own public IP.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
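Regarding question (4) above, here is an added illustration that is not part of the original thread and is not Shorewall or Netfilter code. Shorewall's LIMIT:BURST policy column (rate/sec or rate/min, optionally :burst) is handed to the iptables "limit" match, which is a token bucket rather than a sliding-window average: the bucket holds at most `burst` tokens (iptables' documented default is 5), it is refilled at `rate` tokens per second, and each new connection that finds a token matches the policy while the rest fall through. The model below replaces the kernel's integer credit arithmetic with exact fractions (a modelling choice, assumed equivalent for the accept/drop decision); the unit names accepted by the parser are assumed from Shorewall's policy syntax and the iptables man page, and the arrival patterns are constructed for the example.

```python
"""Token-bucket model of the Netfilter 'limit' match behind Shorewall's
LIMIT:BURST policy column (for example "10/sec:40").

Added illustration, not Shorewall or Netfilter code. The kernel keeps an
integer credit counter; this model uses exact fractions so that the
accept/drop decisions are reproducible, but the rule is the same: a bucket
of `burst` tokens is refilled at `rate` tokens per second and every new
connection that finds a token is accepted.
"""
from dataclasses import dataclass, field
from fractions import Fraction

# Unit names assumed from Shorewall's policy file and "man iptables".
_UNITS = {"sec": 1, "second": 1, "min": 60, "minute": 60,
          "hour": 3600, "day": 86400}


@dataclass
class LimitMatch:
    """State for `-m limit --limit RATE --limit-burst BURST`."""
    rate: Fraction                     # tokens added per second (10 for "10/sec")
    burst: int                         # bucket capacity; iptables' default is 5
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self):
        self.tokens = Fraction(self.burst)   # the bucket starts full

    def allow(self, now) -> bool:
        """Decide a connection arriving at time `now` (seconds)."""
        now = Fraction(now)
        elapsed = max(Fraction(0), now - self.last)
        # Refill for the time that passed, never above the burst size.
        self.tokens = min(Fraction(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1               # one token per matching connection
            return True
        return False                       # no token: falls through to the policy


def parse_limit(spec: str) -> LimitMatch:
    """'10/sec:40' -> 10 tokens/s, burst 40; '5/min' -> burst defaults to 5."""
    rate_part, _, burst_part = spec.partition(":")
    count, _, unit = rate_part.partition("/")
    return LimitMatch(rate=Fraction(int(count), _UNITS[unit]),
                      burst=int(burst_part) if burst_part else 5)


def simulate(spec: str, arrivals):
    """Run arrival timestamps through the match; return (accepted, dropped)."""
    lim = parse_limit(spec)
    decisions = [lim.allow(t) for t in arrivals]
    return decisions.count(True), decisions.count(False)


def steady(per_second: int, seconds: int):
    """Constructed input: evenly spaced arrivals at `per_second` per second."""
    return [Fraction(i, per_second) for i in range(per_second * seconds)]


if __name__ == "__main__":
    spec = "10/sec:40"
    print(spec, "60 at once:        ", simulate(spec, [0] * 60))              # (40, 20)
    print(spec, "8/s for 10 s:      ", simulate(spec, steady(8, 10)))         # (80, 0)
    print(spec, "20/s for 5 s:      ", simulate(spec, steady(20, 5)))         # (89, 11)
    print(spec, "40, pause 10 s, 40:", simulate(spec, [0] * 40 + [10] * 40))  # (80, 0)
```

The third run is the interesting one: at twice the configured rate the bucket drains by half a token per connection, so the first 79 connections are accepted on the initial 40-token burst and from then on only every other one gets through, which is the 10/sec average. The fourth run shows that there is no fixed averaging period at all: after a pause long enough to refill the bucket, a second full burst of 40 is accepted.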