shorewall-docs-xml-5.2.3/FoolsFirewall.xml
The Fool's Firewall

Tom Eastep

Copyright 2009 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Definition

Occasionally, we hear from someone who has cabled his firewall's external and internal interfaces to the same unmanaged switch (or mis-configured managed switch). I call this configuration The Fool's Firewall. When the external interface supports broadcast, this configuration has two very bad drawbacks:

- It is very insecure.
- Both the up-stream router and the local systems can send incoming packets to the wrong interface.
Security Issue

Because the Fool's Firewall is not physically located between the net and the local systems, the local systems are exposed to all of the systems in the same broadcast domain. Because the local systems (especially those running Windows) send broadcasts, those systems can be easily detected by using a packet sniffer. Once the systems have been spotted, it is child's play to add an IP address in Fool's internal IP network and bypass his "Firewall".
ARP Roulette

The Linux IP stack implements the weak host model. As a result, it exhibits some unexpected behavior with respect to ARP: by default it will respond to ARP 'who-has' requests received on any interface, not just on the interface owning the address. So when the upstream router sends a 'who-has' request for Fool's external IP address, the response may come from his internal interface (and carry the MAC address of that interface). When that happens, packets from the net start entering the firewall's internal interface. A similar problem can occur when a local system sends to the "Firewall" or to the Net: the packets may arrive on the firewall through the external interface.

Setting the kernel's net.ipv4.conf.all.arp_ignore sysctl to 1 makes the stack answer only for addresses configured on the interface that received the request, which suppresses this particular symptom, but it does nothing about the security issue above. The only real fix is to put the external and internal interfaces in separate broadcast domains.
shorewall-docs-xml-5.2.3/configuration_file_basics.xml
Configuration Files Tips and Hints

Tom Eastep

Copyright 2001-2019 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 5.0 and later. If you are running a version of Shorewall earlier than Shorewall 5.0.0 then please see the documentation for that release.

If you copy or edit your configuration files on a system running Microsoft Windows, you must run them through dos2unix before you use them with Shorewall.
Introduction

This article offers hints about how to accomplish common tasks with Shorewall. The Introduction to Shorewall is required reading for being able to use this article effectively. For information about setting up your first Shorewall-based firewall, see the Quickstart Guides.
Files

- /etc/shorewall/shorewall.conf - used to set global firewall parameters.
- /etc/shorewall/params - use this file to set shell variables that you will expand in other files. It is always processed by /bin/sh or by the shell specified through SHOREWALL_SHELL in /etc/shorewall/shorewall.conf.
- /etc/shorewall/zones - partitions the firewall's view of the world into zones.
- /etc/shorewall/policy - establishes firewall high-level policy.
- /etc/shorewall/initdone - an optional Perl script that will be invoked by the Shorewall rules compiler when the compiler has finished its initialization.
- /etc/shorewall/interfaces - describes the interfaces on the firewall system.
- /etc/shorewall/hosts - allows defining zones in terms of individual hosts and subnetworks.
- /etc/shorewall/masq - directs the firewall where to use many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) and Source Network Address Translation (SNAT).
- /etc/shorewall/mangle - added in Shorewall 4.6.0; supersedes /etc/shorewall/tcrules. Contains rules for packet marking, TTL, TPROXY, etc.
- /etc/shorewall/rules - defines rules that are exceptions to the overall policies established in /etc/shorewall/policy.
- /etc/shorewall/nat - defines one-to-one NAT rules.
- /etc/shorewall/proxyarp - defines use of Proxy ARP.
- /etc/shorewall/routestopped - defines hosts accessible when Shorewall is stopped. Superseded in Shorewall 4.6.8 by /etc/shorewall/stoppedrules. Not supported in Shorewall 5.0.0 and later versions.
- /etc/shorewall/tcrules - the file has a rather unfortunate name because it is used to mark or classify packets for later use by both traffic control/shaping and policy routing (multiple providers). Superseded by /etc/shorewall/mangle in Shorewall 4.6.0. Not supported in Shorewall 5.0.0 and later releases.
- /etc/shorewall/tos - defines rules for setting the TOS field in packet headers. Superseded in Shorewall 4.5.1 by the TOS target in /etc/shorewall/tcrules (which file has since been superseded by /etc/shorewall/mangle). Not supported in Shorewall 5.0.0 and later versions.
- /etc/shorewall/tunnels - defines tunnels (VPN) with end-points on the firewall system.
- /etc/shorewall/blacklist - deprecated in favor of /etc/shorewall/blrules. Lists blacklisted IP/subnet/MAC addresses. Not supported in Shorewall 5.0.0 and later releases.
- /etc/shorewall/blrules - added in Shorewall 4.5.0. Defines blacklisting and whitelisting.
- /etc/shorewall/init - commands that you wish to execute at the beginning of a shorewall start, shorewall reload or shorewall restart.
- /etc/shorewall/start - commands that you wish to execute near the completion of a shorewall start, shorewall reload or shorewall restart.
- /etc/shorewall/started - commands that you wish to execute after the completion of a shorewall start, shorewall reload or shorewall restart.
- /etc/shorewall/stop - commands that you wish to execute at the beginning of a shorewall stop.
- /etc/shorewall/stopped - commands that you wish to execute at the completion of a shorewall stop.
- /etc/shorewall/ecn - disables Explicit Congestion Notification (ECN - RFC 3168) to remote hosts or networks.
- /etc/shorewall/accounting - defines IP traffic accounting rules.
- /etc/shorewall/actions and /usr/share/shorewall/action.template - allow user-defined actions.
- /etc/shorewall/providers - defines alternate routing tables.
- /etc/shorewall/rtrules - defines routing rules to be used in conjunction with the routing tables defined in /etc/shorewall/providers.
- /etc/shorewall/tcdevices, /etc/shorewall/tcclasses, /etc/shorewall/tcfilters - define complex traffic shaping.
- /etc/shorewall/tcinterfaces and /etc/shorewall/tcpri - define simple traffic shaping.
- /etc/shorewall/secmarks - added in Shorewall 4.4.13. Attaches an SELinux context to selected packets.
- /etc/shorewall/vardir - determines the directory where Shorewall maintains its state.
- /usr/share/shorewall/actions.std - actions defined by Shorewall.
- /usr/share/shorewall/action.* - details of actions defined by Shorewall.
- /usr/share/shorewall/macro.* - details of macros defined by Shorewall.
- /usr/share/shorewall/modules - specifies the kernel modules to be loaded during shorewall start/restart (removed in Shorewall 5.2.3).
- /usr/share/shorewall/helpers - added in Shorewall 4.4.7. Specifies the kernel modules to be loaded during shorewall start/restart when LOAD_HELPERS_ONLY=Yes in shorewall.conf.
- /etc/shorewall/arprules - added in Shorewall 4.5.12. Allows specification of arptables rules.

If you need to change a file in /usr/share/shorewall/, copy it to /etc/shorewall and modify the copy.
Man Pages

Man pages are provided in section 5 for each of the Shorewall configuration files. The name of the page is formed by prefixing the file name with "shorewall-". Example: to view the manual page for /etc/shorewall/interfaces:

    man shorewall-interfaces

The /etc/shorewall/shorewall.conf file is an exception; the man page for that file is 'shorewall.conf':

    man shorewall.conf
Comments

You may place comments in configuration files by making the first non-whitespace character a pound sign (#). You may also place comments at the end of any line, again by delimiting the comment from the rest of the line with a pound sign.

Comments in a configuration file:

    # This is a comment
    ACCEPT net $FW tcp www #This is an end-of-line comment

If a comment ends with a backslash ("\"), the next line will also be treated as a comment. See Line Continuation below.
Names

When you define an object in Shorewall (zone, logical interface, ipset, action, etc.), you give it a name. Shorewall names start with a letter and consist of letters, digits or underscores ("_"). Except for zone names, Shorewall does not impose a limit on name length. When an ipset is referenced, the name must be preceded by a plus sign ("+"). The last character of an interface name may also be a plus sign to indicate a wildcard name. Physical interface names match the names shown by 'ip link ls'; if the name includes an at sign ("@"), do not include that character or any character that follows. For example, "sit1@NONE" is referred to as simply "sit1".
Zone and Chain Names

For a pair of zones, Shorewall creates two Netfilter chains, one for connections in each direction. The names of these chains are formed by separating the names of the two zones by either "2" or "-". Example: traffic from zone A to zone B would go through chain A2B (think "A to B") or "A-B". Beginning with Shorewall 4.6, the default separator is "-", but you can override that by setting ZONE_SEPARATOR="2" in shorewall.conf (5). Prior to Shorewall 4.6, the default separator was "2".

Zones themselves have names that begin with a letter and are composed of letters, numerals, and "_". The maximum length of a zone name depends on the setting of LOGFORMAT in shorewall.conf (5). See shorewall-zones (5) for details.
Capabilities

Shorewall probes your system to determine the features that it supports. The result of this probing is a set of capabilities. This probing is normally done each time that the compiler is run but can also be done by executing the shorewall show capabilities command. Regardless of whether the compiler or the command does the probing, this probing may produce error messages in your system log. These log messages are to be expected and do not represent a problem; they merely indicate that capabilities that are being probed are not supported on your system.

Probing may be suppressed by using a capabilities file. A capabilities file may be generated using this command:

    shorewall show -f capabilities > /etc/shorewall/capabilities

If you use a capabilities file, be sure to regenerate it after you have performed a Shorewall upgrade to ensure that all current capabilities have been recorded in your file.
"Blank" Columns

If you don't want to supply a value in a column but want to supply a value in a following column, simply enter '-' to make the column appear empty. Example:

    #INTERFACE  BROADCAST  OPTIONS
    br0         -          routeback
Line Continuation

You may continue lines in the configuration files using the usual backslash (\) followed immediately by a new line character (Enter key).

    ACCEPT net $FW tcp \
           smtp,www,pop3,imap #Services running on the firewall

In certain cases, leading white space is ignored in continuation lines:

- The continued line ends with a colon (":")
- The continued line ends with a comma (",")

What follows does NOT apply to shorewall-params(5) and shorewall.conf(5).

Example (/etc/shorewall/rules):

    #ACTION  SOURCE                 DEST  PROTO  DPORT
    ACCEPT   net:\
             206.124.146.177,\
             206.124.146.178,\
             206.124.146.180\
             dmz tcp 873

The leading white space on the first through third continuation lines is ignored, so the SOURCE column effectively contains "net:206.124.146.177,206.124.146.178,206.124.146.180". Because the third continuation line does not end with a comma or colon, the leading white space in the last line is not ignored.

A trailing backslash is not ignored in a comment. So the continued rule above can be commented out with a single '#' as follows:

    #ACTION  SOURCE                 DEST  PROTO  DPORT
    #ACCEPT  net:\
             206.124.146.177,\
             206.124.146.178,\
             206.124.146.180\
             dmz tcp 873
Alternate Specification of Column Values - Shorewall 4.4.24 and Later

Some of the configuration files now have a large number of columns. That makes it awkward to specify a value for one of the right-most columns, as you must have the correct number of intervening '-' columns. This problem is addressed by allowing column values to be specified as column-name/value pairs. There is considerable flexibility in how you specify the pairs:

At any point, you can enter a left curly bracket ('{') followed by one or more specifications of the following forms:

    column-name=value
    column-name=>value
    column-name:value

The pairs must be followed by a right curly bracket ("}"). The value may optionally be enclosed in double quotes. The pairs must be separated by white space, but you can add a comma adjacent to the values for readability, as in:

    { proto=>udp, port=1024 }

You can also separate the pairs from the columns by using a semicolon:

    ; proto:udp, port:1024

This form is incompatible with INLINE_MATCHES=Yes. See the INLINE_MATCHES option in shorewall.conf(5).

In Shorewall 5.0.3, the sample configuration files and the man pages were updated to use the same column names in both the column headings and in the alternate specification format. The following table shows the column names for each of the table-oriented configuration files. Column names are case-insensitive.

    FILE               COLUMN NAMES
    accounting         action, chain, source, dest, proto, dport, sport, user, mark, ipsec, headers
    conntrack          action, source, dest, proto, dport, sport, user, switch
    blacklist          networks, proto, port, options
    blrules            action, source, dest, proto, dport, sport, origdest, rate, user, mark, connlimit, time, headers, switch, helper
    ecn                interface, hosts (beginning with Shorewall 4.5.4, 'host' is a synonym for 'hosts')
    hosts              zone, hosts, options (beginning with Shorewall 4.5.4, 'host' is a synonym for 'hosts')
    interfaces         zone, interface, broadcast, options
    maclist            disposition, interface, mac, addresses
    mangle             action, source, dest, proto, dport, sport, user, test, length, tos, connbytes, helper, headers
    masq               interface, source, address, proto, port, ipsec, mark, user, switch
    nat                external, interface, internal, allints, local
    netmap             type, net1, interface, net2, net3, proto, dport, sport
    notrack            source, dest, proto, dport, sport, user
    policy             source, dest, policy, loglevel, limit, connlimit
    providers          table, number, mark, duplicate, interface, gateway, options, copy
    proxyarp/proxyndp  address, interface, external, haveroute, persistent
    rtrules            source, dest, provider, priority
    routes             provider, dest, gateway, device
    routestopped       interface, hosts, options, proto, dport, sport
    rules              action, source, dest, proto, dport, sport, origdest, rate, user, mark, connlimit, time, headers, switch, helper
    secmarks           secmark, chain, source, dest, proto, dport, sport, user, mark
    tcclasses          interface, mark, rate, ceil, prio, options
    tcdevices          interface, in_bandwidth, out_bandwidth, options, redirect
    tcfilters          class, source, dest, proto, dport, sport, tos, length
    tcinterfaces       interface, type, in_bandwidth, out_bandwidth
    tcpri              band, proto, port, address, interface, helper
    tcrules            mark, source, dest, proto, dport, sport, user, test, length, tos, connbytes, helper, headers (beginning with Shorewall 4.5.3, 'action' is a synonym for 'mark')
    tos                source, dest, proto, dport, sport, tos, mark
    tunnels            type, zone, gateway, gateway_zone (beginning with Shorewall 4.5.3, 'gateways' is a synonym for 'gateway'; beginning with Shorewall 4.5.4, 'gateway_zones' is a synonym for 'gateway_zone')
    zones              zone, type, options, in_options, out_options

Example (rules file):

    #ACTION  SOURCE  DEST          PROTO  DPORT
    DNAT     net     loc:10.0.0.1  tcp    80     ; mark="88"

Here's the same line in several equivalent formats:

    { action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }

    ; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"

    DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }

Beginning with Shorewall 5.0.11, ip[6]tables comments can be attached to individual rules using the comment keyword. Example from the rules file:

    ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }

As shown in that example, when the comment contains whitespace, it must be enclosed in double quotes and any embedded double quotes must be escaped using a backslash ("\").
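The rules above are easy to state and surprisingly fiddly to parse, because the same colon that introduces a column:value pair also appears inside values such as loc:10.0.0.1, and because quoted comments may contain escaped quotes. The following Python parser is an added example and is not the Shorewall compiler's own code. It accepts the three pair forms, quoted and bare values, readability commas, the '{ ... }' group anywhere on the line and the '; ...' group running to end of line, folds column names to lower case, and merges positional and named columns into one dictionary using the rules-file column list from the table above (the comment keyword from 5.0.11 is allowed as an extra name). The sample lines are the ones shown above.

```python
"""Parse Shorewall's alternate column specification (added example).

Accepts pairs as name=value, name=>value or name:value, values optionally in
double quotes with backslash-escaped quotes inside, optional readability
commas, a '{ ... }' group anywhere on the line, and a '; ...' group running
to end of line.  Column names are folded to lower case.  Illustrative code,
not the Shorewall compiler's own parser.
"""
import re

# column names of the rules file, from the table above
RULES_COLUMNS = ('action', 'source', 'dest', 'proto', 'dport', 'sport', 'origdest',
                 'rate', 'user', 'mark', 'connlimit', 'time', 'headers', 'switch', 'helper')
# not a column, but accepted as a pair name since Shorewall 5.0.11
EXTRA_KEYWORDS = ('comment',)

# name, one of  =>  =  :  then a quoted value or a bare token (stops at space, comma or '}')
PAIR_RE = re.compile(r'([A-Za-z_]\w*)\s*(?:=>|=|:)\s*("(?:[^"\\]|\\.)*"|[^\s,}]+)')


def _split_outside_quotes(text, marker):
    """Split at the first marker not inside double quotes; 'after' is None if absent."""
    in_quotes, i = False, 0
    while i < len(text):
        c = text[i]
        if in_quotes and c == '\\':
            i += 2                      # skip the escaped character
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and text.startswith(marker, i):
            return text[:i], text[i + len(marker):]
        i += 1
    return text, None


def _parse_pairs(text):
    pairs, pos, text = {}, 0, text.strip()
    while pos < len(text):
        m = PAIR_RE.match(text, pos)
        if not m:
            raise ValueError("bad column specification near %r" % text[pos:])
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            value = re.sub(r'\\(.)', r'\1', value[1:-1])   # unquote, then unescape \" and \\
        pairs[name] = value
        pos = m.end()
        while pos < len(text) and text[pos] in ' \t,':      # white space and readability commas
            pos += 1
    return pairs


def parse_rule(line):
    """Return (positional columns, {name: value}, inline matches or None)."""
    line, _comment = _split_outside_quotes(line, '#')      # end-of-line comment
    line, inline = _split_outside_quotes(line, ';;')       # ';;' introduces inline matches
    line, semi = _split_outside_quotes(line, ';')          # '; name=value ...' to end of line
    pairs = _parse_pairs(semi) if semi is not None else {}
    head, brace = _split_outside_quotes(line, '{')         # '{ name=value ... }' anywhere
    if brace is not None:
        body, tail = _split_outside_quotes(brace, '}')
        if tail is None:
            raise ValueError("unterminated '{' in %r" % line)
        pairs.update(_parse_pairs(body))
        line = head + ' ' + tail
    return line.split(), pairs, (inline.strip() if inline is not None else None)


def normalize(line, names=RULES_COLUMNS):
    """Merge positional and named columns into {column: value}, dropping '-' placeholders."""
    columns, pairs, _inline = parse_rule(line)
    if len(columns) > len(names):
        raise ValueError("too many columns in %r" % line)
    result = {n: v for n, v in zip(names, columns) if v != '-'}
    for name, value in pairs.items():
        if name not in names and name not in EXTRA_KEYWORDS:
            raise ValueError("unknown column %r" % name)
        if name in result:
            raise ValueError("column %r given twice" % name)
        result[name] = value
    return result


if __name__ == '__main__':
    for sample in ('DNAT net loc:10.0.0.1 tcp 80 ; mark="88"',
                   '{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }',
                   '; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"',
                   'DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }'):
        print(normalize(sample))        # all four print the same dictionary
```

All four spellings of the DNAT rule normalize to the same dictionary, which is the property the format is meant to give you; a column named both positionally and by name is rejected rather than silently overridden, since a rule that says two different things about its destination should fail at compile time.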
Using Netfilter Features not Directly Supported by Shorewall

Shorewall doesn't contain built-in support for all ip[6]tables targets and matches. Nevertheless, you can still use the unsupported ip[6]tables features through several Shorewall facilities.

INLINE

INLINE, added in Shorewall 4., is available in the mangle, snat (masq) and rules files and allows you to specify ip[6]tables text following two semicolons to the right of the column-oriented specifications. INLINE takes one optional parameter which, if present, must be a valid entry for the first column of the file. If the parameter is omitted, then you can specify the target of the rule in the text.

Examples from the rules file:

    #ACTION            SOURCE  DEST  PROTO  DPORT
    ?COMMENT Drop DNS Amplification Attack Packets
    INLINE(DROP):info  net     $FW   udp    53     ;; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
    ?COMMENT
    ?COMMENT Rule generated by the IfEvent action
    INLINE             net     $FW   ;; -m recent --rcheck 10 --hitcount 5 --name SSH -s 1.2.3.4 -j MARK --or-mark 0x4000
    ?COMMENT

IPTABLES and IP6TABLES

These are very similar to INLINE. The difference is that the parameter to IPTABLES and IP6TABLES is the ip[6]tables target of the rule rather than a Shorewall-defined action or target. Example from the mangle file:

    #ACTION                          SOURCE  DEST
    IPTABLES(MARK --set-mark 0x4):P  eth0    1.2.3.4

Inline Matches

In Shorewall 4.6.0 and later, setting INLINE_MATCHES=Yes in shorewall[6].conf allows you to include ip[6]tables matches following a semicolon on any rule in the mangle, masq and rules files. Note that this is incompatible with the alternate input form that uses a semicolon to delimit column-oriented specifications from column=value specifications. In Shorewall 5.0.0 and later, inline matches are allowed in mangle, masq and rules following two adjacent semicolons (";;"). If alternate input is present, the adjacent semicolons should follow that input. In Shorewall 5.2.2, this support was extended to the conntrack file.

INLINE_MATCHES=Yes is deprecated and is not supported in Shorewall 5.2 and beyond. Use two adjacent semicolons to introduce inline matches.

Example from the masq file that splits outgoing SNAT between two public IP addresses:

    #INTERFACE  SOURCE             ADDRESS
    COMB_IF     !70.90.191.120/29  70.90.191.121  ;; -m statistic --mode random --probability 0.50
    COMB_IF     !70.90.191.120/29  70.90.191.123

If the first character of the inline matches is a plus sign ("+"), then the matches are processed before the column-oriented input in the rule. That is required when specifying additional TCP protocol parameters. Example from action.TCPFlags:

    DROP  -  -  ;;+ -p 6 --tcp-flags ALL FIN,URG,PSH
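Inline matches are passed through to ip[6]tables untouched, so Shorewall cannot tell you what they test; with the u32 match in the first INLINE example above that is worth working out by hand. The following Python model is an added example, not iptables or Shorewall code: it implements the subset of the u32 mini-language that rule uses (tests joined by '&&'; a location that starts with a packet offset whose four bytes are loaded big-endian, followed by '>>', '<<', '&' on the value and '@', which reloads four bytes at value+n; a '=' set of values or lo:hi ranges) and runs it against a constructed IPv4/UDP/DNS datagram. The packet contents and the helper names are this example's own; the expression is the one from the rules file, with Shorewall's "\@" escape removed.

```python
"""Evaluate the iptables u32 match from the INLINE example (added example).

Supports the subset of the u32 mini-language the rule uses: tests joined by
'&&'; each test is  location = set ; a location starts with a packet offset
(4 bytes loaded big-endian) followed by operators '>>n', '<<n', '&n' on the
value and '@n', which reloads 4 bytes from offset value+n.  The set is a
comma-separated list of values or lo:hi ranges.  A model of the kernel match,
not the kernel code, run here against a constructed IPv4/UDP/DNS datagram.
"""
import re
import struct

# the inline text exactly as it appears in the rules file above; Shorewall needs
# the '@' escaped as '\@' because '@' introduces its own variables
SHOREWALL_INLINE = (r'-m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && '
                    r'0>>22&0x3C\@12&0xffff0000=0x00010000"')


def u32_expression(inline):
    """Pull the quoted expression out of the inline text and drop the '\\@' escape."""
    m = re.search(r'--u32\s+"([^"]*)"', inline)
    if not m:
        raise ValueError("no --u32 expression in %r" % inline)
    return m.group(1).replace('\\@', '@')


def _num(tok):
    return int(tok, 16) if tok.strip().lower().startswith('0x') else int(tok)


def _load32(pkt, off):
    if off < 0 or off + 4 > len(pkt):
        raise IndexError("load at %d runs past the end of the packet" % off)
    return struct.unpack_from('!I', pkt, off)[0]


def _eval_location(loc, pkt):
    toks = re.findall(r'>>|<<|&|@|0x[0-9a-fA-F]+|\d+', loc)
    val = _load32(pkt, _num(toks[0]))            # first number is an offset to load from
    for op, n in zip(toks[1::2], toks[2::2]):
        n = _num(n)
        if op == '>>':
            val = (val >> n) & 0xffffffff
        elif op == '<<':
            val = (val << n) & 0xffffffff
        elif op == '&':
            val &= n
        elif op == '@':
            val = _load32(pkt, val + n)          # value becomes the new base offset
    return val


def _in_set(val, spec):
    for item in spec.split(','):
        lo, _, hi = item.partition(':')
        lo, hi = _num(lo), (_num(hi) if hi else _num(lo))
        if lo <= val <= hi:
            return True
    return False


def u32_match(expr, pkt):
    """True if every test holds; a load past the packet end is a non-match, as in the kernel."""
    try:
        for test in expr.split('&&'):
            loc, eq, valset = test.partition('=')
            if not eq:
                raise ValueError("u32 test without '=': %r" % test)
            if not _in_set(_eval_location(loc, pkt), valset):
                return False
    except IndexError:
        return False
    return True


def dns_query_packet(flags=0x0100, qdcount=1):
    """Constructed sample input: IPv4 (IHL=5) + UDP to port 53 + a 12-byte DNS header."""
    dns = struct.pack('!HHHHHH', 0x1234, flags, qdcount, 0, 0, 0)
    udp = struct.pack('!HHHH', 40000, 53, 8 + len(dns), 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp) + len(dns), 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]))
    return ip + udp + dns


if __name__ == '__main__':
    expr = u32_expression(SHOREWALL_INLINE)
    print(expr)
    print(u32_match(expr, dns_query_packet()))              # standard query: matched, so DROPped
    print(u32_match(expr, dns_query_packet(flags=0x8180)))  # a response: not matched
```

Tracing the expression against the constructed packet: 0>>22&0x3C turns the first word of the IP header into the header length in bytes (20), @8 skips the 8-byte UDP header and lands on the DNS header, and the two tests then require the DNS flags word to be 0x0100 (a standard query with RD set) and QDCOUNT to be 1. Note what that means in practice: the rule as written matches every ordinary single-question recursive query arriving on the firewall, not only abusive ones, so it belongs only on a host that has no business answering DNS for the net zone.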
Addresses

In both Shorewall and Shorewall6, there are two basic types of addresses:

Host Address: this address type refers to a single host. In IPv4, the format is i.j.k.l where i through l are decimal numbers between 0 and 255. In IPv6, the format is a:b:c:d:e:f:g:h where a through h consist of 1 to 4 hexadecimal digits (leading zeros may be omitted). A single run of all-zero groups may be replaced by "::". For example, 2001:227:e857:1:0:0:0:1 may be written 2001:227:e857:1::1.

Network Address: a network address refers to 1 or more hosts and consists of a host address followed by a slash ("/") and a Variable Length Subnet Mask (VLSM). This is known as Classless Inter-Domain Routing (CIDR) notation. The VLSM is a decimal number. For IPv4, it is in the range 0 through 32. For IPv6, the range is 0 through 128. The number represents the number of leading bits in the address that represent the network address; the remainder of the bits are a host address and are generally given as zero. Examples:

    IPv4: 192.168.1.0/24
    IPv6: 2001:227:e857:1:0:0:0:0/64

In the Shorewall documentation and manpages, we have tried to make it clear which type of address is accepted in each specific case.

Because Shorewall uses a colon (":") as a separator in many contexts, IPv6 addresses are best written using the standard convention in which the address itself is enclosed in square brackets:

    [2001:227:e857:1::1]
    [2001:227:e857:1:0:0:0:0]/64

For more information about addressing, see the Setup Guide.
Specifying SOURCE and DEST

Entries in Shorewall configuration files often deal with the source (SOURCE) and destination (DEST) of connections, and Shorewall implements a uniform way of specifying them. A SOURCE or DEST consists of one to three parts separated by colons (":"):

- ZONE - the name of a zone declared in /etc/shorewall/zones or /etc/shorewall6/zones. This part is only available in the rules files (/etc/shorewall/rules, /etc/shorewall/blrules, /etc/shorewall6/rules and /etc/shorewall6/blrules).
- INTERFACE - the name of an interface that matches an entry in /etc/shorewall/interfaces (/etc/shorewall6/interfaces).
- ADDRESS LIST - a list of one or more addresses (host or network) or address ranges, separated by commas. In an IPv6 configuration, this list must be enclosed in square or angled brackets ("[...]" or "<...>"). The list may have an exclusion.

Examples:

- All hosts in the net zone: net
- Subnet 192.168.1.0/29 in the loc zone: loc:192.168.1.0/29
- All hosts in the net zone connecting through ppp0: net:ppp0
- All hosts interfaced by eth3: eth3
- Subnet 10.0.1.0/24 interfacing through eth2: eth2:10.0.1.0/24
- Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the loc zone: loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]
- The primary IP address of eth0 in the $FW zone: $FW:&eth0 (see Run-time Address Variables below)
- All hosts in Vatican City: net:^VA (Shorewall 4.5.4 and later; see this article)
INCLUDE Directive

Any configuration file may contain INCLUDE directives. An INCLUDE directive consists of the word INCLUDE followed by a path name and causes the contents of the named file to be logically included into the file containing the INCLUDE. Relative path names given in an INCLUDE directive are resolved using the current CONFIG_PATH setting (see shorewall.conf(5)).

INCLUDEs may be nested to a level of 3; further nested INCLUDE directives are ignored with a warning message.

Beginning with Shorewall 4.4.17, the INCLUDE directive may also appear in the following extension scripts: clear, findgw, init, isusable, refresh, refreshed, restore, restored, start, started, stop, stopped, tcclear. When used in these scripts, the INCLUDEd files are copied into the compiled firewall script.

Prior to Shorewall 4.4.17, if you are using Shorewall Lite, it is not advisable to use INCLUDE in the params file in an export directory if you set EXPORTPARAMS=Yes in shorewall.conf (5). If you do that, you must ensure that the included file is also present in the firewall system's /etc/shorewall-lite/ directory. If you only need the params file at compile time, you can set EXPORTPARAMS=No in shorewall.conf. That prevents the params file from being copied into the compiled script. With EXPORTPARAMS=No, it is perfectly okay to use INCLUDE in the params file.

Note that with Shorewall 4.4.17 and later:

- The variables set at compile time are available at run-time even with EXPORTPARAMS=No.
- The INCLUDE directive in the params file is processed at compile time and the INCLUDEd file is copied into the compiled script.

Use of INCLUDE:

    shorewall/params.mgmt:

    MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3
    TIME_SERVERS=4.4.4.4
    BACKUP_SERVERS=5.5.5.5
    ----- end params.mgmt -----

    shorewall/params:

    # Shorewall 1.3 /etc/shorewall/params
    [..]
    #######################################
    INCLUDE params.mgmt
    # params unique to this host here
    ----- end params -----

    shorewall/rules.mgmt:

    ACCEPT net:$MGMT_SERVERS   $FW                  tcp    22
    ACCEPT $FW                 net:$TIME_SERVERS    udp    123
    ACCEPT $FW                 net:$BACKUP_SERVERS  tcp    22
    ----- end rules.mgmt -----

    shorewall/rules:

    # Shorewall version 1.3 - Rules File
    [..]
    #######################################
    INCLUDE rules.mgmt
    # rules unique to this host here
    ----- end rules -----

You may include multiple files in one command using an embedded shell command. Example (include all of the files ending in ".rules" in a directory):

    gateway:/etc/shorewall # ls rules.d
    ALL.rules  DNAT.rules  FW.rules  NET.rules  REDIRECT.rules  VPN.rules
    gateway:/etc/shorewall #

    /etc/shorewall/rules:

    ?SECTION NEW
    SHELL cat /etc/shorewall/rules.d/*.rules

If you are the sort to put such an entry in your rules file even though /etc/shorewall/rules.d might not exist or might be empty, then you probably want:

    ?SECTION NEW
    SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true

Since SHELL entries (like the params file) run arbitrary commands as root at compile time, keep the configuration directory and every file that is INCLUDEd or read from it writable only by root.

Beginning with Shorewall 4.5.2, in files other than /etc/shorewall/params and /etc/shorewall/conf, INCLUDE may be immediately preceded with '?' to signal that the line is a compiler directive and not configuration data. Example:

    ?INCLUDE common.rules
?FORMAT Directive

A number of configuration files support multiple formats. Prior to Shorewall 4.5.11, the format was specified by a line having 'FORMAT' as the first token. This required each of the file processors to handle FORMAT separately. In Shorewall 4.5.11, the ?FORMAT directive was created to centralize processing of FORMAT directives. The old entries, while still supported in Shorewall 4.5-4.6, are deprecated. They are no longer supported in Shorewall 5.0 and later versions.

The ?FORMAT directive is as follows:

    ?FORMAT format

where format is an integer. In all cases, the default format is 1. The following table shows the files that have different formats and the supported formats for each.

    FILE                     FORMATS
    action files (action.*)  1 and 2
    conntrack                1, 2 and 3
    interfaces               1 and 2
    macro files (macro.*)    1 and 2
    tcrules                  1 and 2
?COMMENT Directive

A number of files allow attaching comments to generated Netfilter rules:

    accounting
    action.* files
    blrules
    conntrack
    macro.* files
    snat
    nat
    rules
    secmarks
    tcrules
    tunnels

Prior to Shorewall 4.5.11, comments were specified by a line having COMMENT as the first token. The remainder of the line is treated as a comment to be attached to rules. In Shorewall 4.5.11, the ?COMMENT directive was created to centralize processing of COMMENT directives. The old entries, while still supported in Shorewall 4.5 and 4.6, are deprecated. They are no longer supported in Shorewall 5.0 and later versions.

Use of this directive requires Comment support in your kernel and iptables; see the output of shorewall show capabilities.

The ?COMMENT directive is as follows:

    ?COMMENT [ comment ]

If comment is present, it will appear enclosed in /*....*/ in the output of the shorewall show and shorewall dump commands. If no comment is present, the rules generated by following entries will not have comments attached.

Example (/etc/shorewall/rules):

    ?COMMENT Stop NETBIOS noise
    REJECT loc net tcp 137,445
    REJECT loc net udp 137:139
    ?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
    DROP loc:!192.168.0.0/22 net
    ?COMMENT

Here's the corresponding output from /sbin/shorewall-lite:

    gateway:~ # shorewall-lite show loc-net
    Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008

    Counters reset Mon Oct 16 14:52:17 PDT 2006

    Chain loc-net (1 references)
     pkts bytes target  prot opt in  out  source           destination
        0     0 LOG     tcp  --  *   *    0.0.0.0/0        0.0.0.0/0    tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
        0     0 reject  tcp  --  *   *    0.0.0.0/0        0.0.0.0/0    tcp dpt:25
        0     0 LOG     udp  --  *   *    0.0.0.0/0        0.0.0.0/0    udp dpts:1025:1031 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
        0     0 reject  udp  --  *   *    0.0.0.0/0        0.0.0.0/0    udp dpts:1025:1031
        0     0 reject  tcp  --  *   *    0.0.0.0/0        0.0.0.0/0    multiport dports 137,445 /* Stop NETBIOS noise */
        0     0 reject  udp  --  *   *    0.0.0.0/0        0.0.0.0/0    udp dpts:137:139 /* Stop NETBIOS noise */
        0     0 DROP    all  --  *   *    !192.168.0.0/22  0.0.0.0/0    /* Stop my idiotic work laptop from sending to the net with an HP source/dest IP address */
        5   316 ACCEPT  all  --  *   *    0.0.0.0/0        0.0.0.0/0
    gateway:~ #

?COMMENT lines in macro files work somewhat differently from other files. ?COMMENT lines in macros are ignored if COMMENT support is not available or if there was a COMMENT in use when the top-level macro was invoked. This allows the following:

    /usr/share/shorewall/macro.SSH:

    #ACTION  SOURCE  DEST  PROTO  DPORT  SPORT  RATE  USER
    ?COMMENT SSH
    PARAM    -       -     tcp    22

    /etc/shorewall/rules:

    ?COMMENT Allow SSH from home
    SSH(ACCEPT)  net:$MYIP  $FW
    ?COMMENT

The comment line in macro.SSH will not override the ?COMMENT line in the rules file, and the generated rule will show /* Allow SSH from home */ when displayed through the shorewall show and dump commands.
Beginning with Shorewall 5.0.11, the alternate input format allows attaching comments to individual rules in the files listed above.
CONFIG_PATH The CONFIG_PATH option in shorewall.conf determines where the compiler searches for configuration files. The default setting is CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the compiler first looks in /etc/shorewall and if it doesn't find the file, it then looks in /usr/share/shorewall. You can change this setting to have the compiler look in different places. For example, if you want to put your own versions of standard macros in /etc/shorewall/Macros, then you could set CONFIG_PATH=/etc/shorewall:/etc/shorewall/Macros:/usr/share/shorewall and the compiler will use your versions rather than the standard ones.
Using Shell Variables

You may use the /etc/shorewall/params file to set shell variables that you can then use in the other configuration files. It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the Shorewall programs.

The following variable names must be avoided. Some of them must be avoided in all Shorewall versions; the others only in versions prior to 4.4.8.

    Any option from shorewall.conf (5)
    COMMAND
    CONFDIR
    DEBUG
    ECHO_E
    ECHO_N
    EXPORT
    FAST
    FILEMODE
    HOSTNAME
    IPT_OPTIONS
    NOROUTES
    PREVIEW
    PRODUCT
    PROFILE
    PURGE
    RECOVERING
    RESTOREPATH
    RING_BELL
    SHAREDIR
    Any name beginning with SHOREWALL_ or SW_
    STOPPING
    TEST
    TIMESTAMP
    USE_VERBOSITY
    VARDIR
    VARLIB
    VERBOSE
    VERBOSE_OFFSET
    VERSION

Example:

    /etc/shorewall/params:

    NET_IF=eth0
    NET_BCAST=130.252.100.255
    NET_OPTIONS=routefilter,routefilter

    /etc/shorewall/interfaces record:

    net $NET_IF $NET_BCAST $NET_OPTIONS

The result will be the same as if the record had been written:

    net eth0 130.252.100.255 routefilter,routefilter
Variables may be used anywhere in the other configuration files. If you use "$FW" on the right side of assignments in the /etc/shorewall/params file, you must also set the FW variable in that file. Example:/etc/shorewall/zones: #ZONE TYPE OPTIONS fw firewall /etc/shorewall/params: FW=fw BLARG=$FW:206.124.146.176 Because the /etc/shorewall/params file is simply sourced into the shell, you can place arbitrary shell code in the file and it will be executed each time that the file is read. Any code included should follow these guidelines: The code should not have side effects, especially on other shorewall configuration files. The code should be safe to execute multiple times without producing different results. Should not depend on where the code is called from. Should not assume anything about the state of Shorewall. The names of any functions or variables declared should begin with an upper case letter. The /etc/shorewall/params file is processed by the compiler at compile-time and by the compiled script at run-time. If you have set EXPORTPARAMS=No in shorewall.conf, then the params file is only processed by the compiler; it is not run by the compiled script. Beginning with Shorewall 4.4.17, the values of the variables set at compile time are available at run time with EXPORTPRARMS=No. If you are using Shorewall Lite and if the params script needs to set shell variables based on the configuration of the firewall system, you can use this trick: EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0") The shorewall-lite call command allows you to call interactively any Shorewall function that you can call in an extension script. Within your configuration files, only the $VAR and ${VAR} forms of variable expansion are supported. You may not use the more exotic forms supported by the shell (${VAR:=val}, ${VAR:-val}, ...) Beginning with Shorewall 4.4.27, you may also use options in shorewall.conf (5) (e.g., $BLACKLIST_LOGLEVEL). 
When an option is set to 'No' in shorewall.conf, the corresponding shell variable will be empty. Options that were not set in shorewall.conf will expand to their default value.

Beginning with Shorewall 4.5.2, configuration files can access variables defined in the shorewallrc file.

Beginning with Shorewall 4.5.11, variables can be altered by compiler directives:

    ?SET variable value

        The variable can be specified either with or without a leading '$' to allow using both Perl and Shell variable representation. The ${...} form (e.g. ${foo}) is not allowed.

        The value is a Perl-compatible expression. The Shorewall compiler performs variable expansion within the expression, so variables are expanded even when they appear in single quotes. If a variable within the expression can contain a non-numeric value, it is a good idea to enclose it in quotes; otherwise, the Shorewall compiler has to guess whether to enclose the variable's value in quotes or not.

    ?RESET variable

        Removes the named variable from the compiler's variable table.

Action variables are read-only and cannot be ?SET (although you can change their values using embedded Perl).

Beginning with Shorewall 4.5.13, Shorewall Variables may be set. When setting a Shorewall Variable, the variable must include the leading '@' and the @{...} form is not allowed.
Address Variables

Prior to Shorewall 5.0.14, if you use address variables that refer to an optional interface, the enable command will not change/insert the rules that use the variable. Therefore, to be completely safe, if you use such address variables then you must follow a successful enable command with a reload command. Beginning with Shorewall 5.0.14, if a Shorewall-defined address variable's value has changed since the Netfilter ruleset was instantiated, then a successful enable command will automatically reload the ruleset.

Given that shell variables are expanded at compile time, there is no way to cause such variables to be expanded at run time. Prior to Shorewall 4.4.17, this made it difficult (to impossible) to include dynamic IP addresses in a Shorewall-lite configuration. Version 4.4.17 implemented Run-time address variables. In configuration files, these variables are expressed as an ampersand ('&') followed by the logical name of an interface defined in shorewall-interfaces (5). Wildcard interfaces (those ending in '+') are not supported and will cause a compilation error.

Example: &eth0 would represent the primary IP address of eth0.

Beginning with Shorewall 4.5.11, you can define your own address variables by using this syntax:

    &{variable}

where variable is a valid shell variable name. The generated script will verify that the variable contains a valid host or network address, either from the environment or from it being assigned in your init extension script, and will raise an error if it does not. In the error case, the state of the firewall will remain unchanged.

Example:

    /etc/shorewall/init:

        SMC_ADDR=10.1.10.11

    /etc/shorewall/rules:

        test:debug   net:&{SMC_ADDR}   fw

A second form is also available beginning with Shorewall 4.5.11:

    %{variable}

Unlike with the first form, this form does not require the variable to be set. If the variable is empty, the generated script will supply the all-zeros address (0.0.0.0 in IPv4 and :: in IPv6).
In most cases, the compiler simply omits rules containing matches on the all-zeros address.

Example:

    /etc/shorewall/init:

        SMC_ADDR=10.1.10.11

    /etc/shorewall/rules:

        test:debug   net:%{SMC_ADDR}   fw

For a particular address variable, all references must use the same prefix character ('&' or '%'). Otherwise, the following error message is raised:

    ERROR: Mixed required/optional usage of address variable variable

Run-time address variables may be used in the SOURCE and DEST column of the following configuration files:

    - shorewall-accounting (5)
    - Action files
    - shorewall-blrules (5)
    - Macro files
    - shorewall-mangle (5)
    - shorewall-nat (5)
    - shorewall-rules (5)

They may also appear in the ORIGDEST column of:

    - shorewall-accounting (5)
    - Macro files
    - Action files
    - shorewall-rules (5)

For optional interfaces, if the interface is not usable at the time that the firewall starts, one of two approaches is taken, depending on the context:

    - the all-zero address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting in no packets matching the rule (or all packets if used with exclusion).
    - the entire rule is omitted from the ruleset.

Beginning with Shorewall 4.5.1, Run-time Gateway Variables in the form of a percent sign ('%') followed by a logical interface name are also supported. These are expanded at run-time to the gateway through the named interface. For optional interfaces, if the interface is not usable at the time that the firewall starts, the nil address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting in no packets matching the rule.

Run-time gateway variables may be used in the SOURCE and DEST columns of the following configuration files:

    - shorewall-accounting (5)
    - Action files
    - shorewall-blrules (5)
    - Macro files
    - shorewall-mangle (5)
    - shorewall-nat (5) (as a qualifier to the INTERFACE)
    - shorewall-routes (5)
    - shorewall-rules (5)

Example: %eth0 would represent the IP address of the gateway out of eth0.
If there is no gateway out of the named interface, rules containing the interface's run-time gateway variable are omitted.
Port Variables

Beginning with Shorewall 5.1.5, Run-time Port Variables are supported. These variables have the format %{variable} and may appear any place that a port number or service name may appear. Like their address-variable counterparts above, Run-time Port Variables are most useful when Shorewall[6]-lite is being used.

Example using both Run-time Address and Run-time Port Variables:

    /etc/shorewall/init:

        SERVER_PORT=4126
        SERVER_ADDRESS=192.0.44.12

    /etc/shorewall/rules:

        ACCEPT   net   dmz:%{SERVER_ADDRESS}   tcp   %{SERVER_PORT}

Rather than assigning a numerical literal to SERVER_PORT in the init extension script as shown above, the variable could be assigned a dynamic value based on a database lookup. If no value is assigned to a Run-time Port Variable in the init extension script, then the value 255 is assumed.

Care must be exercised when using port variables in port ranges. At run-time, the generated script will verify that each port variable is either empty or contains a valid port number or service name. It does not ensure that the low port number in a range is strictly less than the high port number when either of these is specified as a port variable.

Example: the following definitions will result in an iptables-restore failure during start/restart/reload:

    /etc/shorewall/init:

        LOW_PORT=100
        HIGH_PORT=50

    /etc/shorewall/rules:

        ACCEPT   net   $FW   tcp   ${LOW_PORT}:${HIGH_PORT}
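The following pre-flight check is an added example, not Shorewall code. In POSIX sh it reproduces what the generated script does with &{VAR}, %{VAR} and run-time port variables (required versus optional address, the 255 default, validity of each port) and adds the low-before-high range check that the generated script does not perform, so an inverted range is caught before iptables-restore fails. SMC_ADDR, SERVER_PORT, LOW_PORT and HIGH_PORT are the variable names from the examples above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Shorewall code: validate run-time address and port
# variables before a start/reload, mirroring the generated script's checks
# and adding the inverted-range check it lacks. Variables are read from
# the current environment, as they would be after /etc/shorewall/init ran.

# Return 0 if $1 is a dotted-quad IPv4 host address or CIDR network.
is_ipv4_addr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    for oct in $(echo "${1%%/*}" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1     # each octet must be 0-255
    done
    return 0
}

# Return 0 if $1 is a port number (1-65535) or a service name from /etc/services.
is_port() {
    case "$1" in
        '')        return 1 ;;
        *[!0-9]*)  grep -Eq "^$1[[:space:]]" /etc/services 2>/dev/null ;;
        *)         [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
    esac
}

# Resolve an address variable the way the generated script would.
#   $1 = prefix character: '&' (required) or '%' (optional)
#   $2 = shell variable name
# Prints the address to use. Returns 1 (the firewall state would be left
# unchanged) when a required variable is unset or any value is invalid.
resolve_addr_var() {
    prefix=$1; name=$2
    eval "value=\${$name}"
    if [ -z "$value" ]; then
        case "$prefix" in
            '&') echo "ERROR: required address variable $name is not set" >&2; return 1 ;;
            '%') echo 0.0.0.0; return 0 ;;   # optional form supplies the all-zeros address
        esac
    fi
    if is_ipv4_addr "$value"; then
        echo "$value"
    else
        echo "ERROR: $name='$value' is not a valid host or network address" >&2
        return 1
    fi
}

# Expand and check a DPORT specification containing %{VAR} port variables,
# e.g. '%{SERVER_PORT}' or '%{LOW_PORT}:%{HIGH_PORT}'. Unset variables
# default to 255 as in Shorewall. Prints the expanded spec; returns 1 on an
# invalid port or a low:high range whose low end is not below its high end
# (which Shorewall only discovers as an iptables-restore failure at start).
check_port_spec() {
    spec=$1
    expanded=$(echo "$spec" | sed 's/%{\([A-Za-z_][A-Za-z0-9_]*\)}/${\1:-255}/g')
    expanded=$(eval "echo \"$expanded\"")
    case "$expanded" in
        *:*)
            low=${expanded%%:*}; high=${expanded#*:}
            if ! is_port "$low" || ! is_port "$high"; then
                echo "ERROR: bad port in '$spec' (expands to '$expanded')" >&2; return 1
            fi
            case "$low$high" in
                *[!0-9]*) ;;     # service names: numeric ordering is not checked here
                *) if [ "$low" -ge "$high" ]; then
                       echo "ERROR: inverted range '$spec' (expands to '$expanded')" >&2; return 1
                   fi ;;
            esac ;;
        *)
            if ! is_port "$expanded"; then
                echo "ERROR: bad port '$spec' (expands to '$expanded')" >&2; return 1
            fi ;;
    esac
    echo "$expanded"
}
```

Run the two functions over every &{}, %{} and port variable referenced in your rules from the init extension script, before the start or reload that would otherwise fail.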
Action Variables

Action variables were introduced in Shorewall 4.4.16 and may be accessed within the body of an action.

    Parameter variables

        Parameter variables expand to the value of the corresponding action parameter. $1 is the first parameter, $2 is the second parameter and so on.

    Chain name

        Beginning with Shorewall 4.5.10, $0 expands to the name of the action chain. Shorewall generates a separate chain for each unique (action,log-level,log-tag,parameters) tuple. The first such chain has the same name as the action itself. Subsequent chains are formed by prepending '%' to the action name and appending a number to ensure uniqueness. For an action called 'Action', the chains would be Action, %Action, %Action0, %Action1 and so on.
Shorewall Variables

Shorewall Variables were introduced in Shorewall 4.5.11. To ensure uniqueness, these variables start with the character @; the name of the variable must be enclosed in {...} when the following character is alphanumeric or is an underscore ("_"). With the exception of @0 (or its alias @chain), Shorewall variables may only be used within an action body. Prior to Shorewall 4.5.13, Shorewall variables are read-only. Beginning with Shorewall 4.5.13, their values may be altered using the ?SET directive.

The Shorewall variables are:

    @0 and @chain (@{0} and @{chain})
        Expands to the name of the current chain. Unlike $0, @0 has all non-alphanumeric characters except underscore removed. Also unlike $0, @0 may be used in SWITCH columns in configuration files.

    @1, @2, ... (@{1}, @{2}, ...)
        These are synonyms for the Action parameter variables $1, $2, etc.

    @loglevel (@{loglevel})
        Expands to the log level specified when the action was invoked.

    @logtag (@{logtag})
        Expands to the log tag specified when the action was invoked.

    @action (@{action})
        Expands to the name of the action being compiled.

    @disposition (@{disposition})
        Added in Shorewall 4.5.13. When a non-inlined action is entered, this variable is set to the empty value. When an inline action is entered, the variable's value is unchanged.

    @caller (@{caller})
        Added in Shorewall 4.5.13. Within an action, expands to the name of the chain that invoked the action.

Beginning with Shorewall 4.5.13, the values of @chain and @disposition are used to generate the --log-prefix in logging rules. When either is empty, the historical value is used to generate the --log-prefix.

Within an action body, if a parameter is omitted in a DEFAULTS statement, then the value of the corresponding action and Shorewall variables is '-', while if the parameter is specified as '-' in the parameter list, the value of the action/Shorewall variable is '' if it is expanded before the DEFAULTS statement.
Additionally, when an expression is evaluated, the value 0 evaluates as false, so '?IF @n' and '?IF $n' fail if the nth parameter is passed with value zero. To make testing of the presence of parameters more efficient and uniform, a new function was added in Shorewall 5.0.7 for use in ?IF and ?ELSEIF:

    ?IF [!] passed(<variable>)

where <variable> is an action or Shorewall variable. 'passed(@n)' and 'passed($n)' evaluate to true if the nth parameter is not empty and its contents are other than '-'. If '!' is present, the result is inverted. In this simple form, the expression is evaluated by the compiler without having to invoke the (expensive) Perl exec() function. The 'passed' function may also be used in more complex expressions, but exec() will be invoked to evaluate those expressions.
Conditional Entries

Beginning with Shorewall 4.5.2, lines in configuration files may be conditionally included or omitted based on the setting of Shell variables. The general form is:

    ?IF $variable
    <lines to be included if $variable is non-empty and non-zero>
    ?ELSE
    <lines to be omitted if $variable is non-empty and non-zero>
    ?ENDIF

The compiler predefines two special variables that may only be used in ?IF lines:

    __IPV4    True if this is an IPv4 compilation
    __IPV6    True if this is an IPv6 compilation

Unless variable is one of these pre-defined ones, it is searched for in the following places in the order listed:

    1. the compiler's environmental variables.
    2. variables set in /etc/shorewall/params.
    3. options set in /etc/shorewall/shorewall.conf.
    4. options set in the shorewallrc file when Shorewall Core was installed.

Beginning with Shorewall 4.5.11, the compiler's environmental variables are searched last rather than first.

If the variable is still not found:

    - if it begins with '__', then those leading characters are stripped off.
    - the variable is then searched for in the defined capabilities. The current set of capabilities may be obtained by the command shorewall show capabilities (the capability names are in parentheses).

If it is not found in any of those places, the variable is assumed to have a value of 0 (false) in Shorewall versions prior to 4.5.11. In 4.5.11 and later, it is assumed to have the value '' (an empty string, which also evaluates to false).

The setting in /etc/shorewall/params may be overridden at runtime, provided the setting in /etc/shorewall/params is done like this:

    [ -n "${variable:=0}" ]

or like this:

    [ -n "${variable}" ] || variable=0

Either of those will set variable to 0 if it is not set to a non-empty value in the environment. The setting can then be overridden at runtime:

    variable=1 shorewall restart -c   # use -c to force recompilation if AUTOMAKE=Yes in /etc/shorewall/shorewall.conf

The ?ELSE may be omitted if there are no lines to be omitted.
The test may also be inverted using '!':

    ?IF ! $variable
    <lines to be omitted if $variable is non-empty and non-zero>
    ?ELSE
    <lines to be included if $variable is non-empty and non-zero>
    ?ENDIF

Conditional entries may be nested, but the number of ?IFs must match the number of ?ENDIFs in any given file. INCLUDE directives are ignored in omitted lines.

    ?IF $variable1
    <lines to be included if $variable1 is non-empty and non-zero>
    ?IF $variable2
    <lines to be included if $variable1 and $variable2 are non-empty and non-zero>
    ?ELSE
    <lines to be included if $variable1 is non-empty and non-zero and $variable2 is empty or zero>
    ?ENDIF
    <lines to be included if $variable1 is non-empty and non-zero>
    ?ELSE
    <lines to be omitted if $variable1 is non-empty and non-zero>
    ?ENDIF

Beginning with Shorewall 4.5.6, rather than a simple variable in ?IF directives, Perl-compatible expressions are allowed (after the Shorewall compiler expands all variables, the resulting expression is then evaluated by Perl). Variables in the expressions are as described above. Example:

    ?IF $BLACKLIST_LOGLEVEL == 6 && ! __LOG_OPTIONS

Additionally, a ?ELSIF directive is supported. Example:

    ?IF expression-1
    <lines to be included if expression-1 evaluates to true (non-empty and non-zero)>
    ?ELSIF expression-2
    <lines to be included if expression-1 evaluates to false (zero or empty) and expression-2 evaluates to true>
    ?ELSIF expression-3
    <lines to be included if expression-1 and expression-2 both evaluate to false and expression-3 evaluates to true>
    ?ELSE
    <lines to be included if all three expressions evaluate to false>
    ?ENDIF

Beginning in Shorewall 5.0.7, an error can be raised using the ?ERROR directive:

    ?ERROR message

Variables in the message are evaluated and the result appears in a standard Shorewall ERROR: message. Example from the 5.0.7 action.GlusterFS:

    ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
    ?error Invalid value for Bricks (@1)
    ?elsif @2 !~ /^[01]$/
    ?error Invalid value for IB (@2)
    ?endif

The above code ensures that the first action parameter is a non-zero number <= 1024 and that the second parameter is either 0 or 1. If 2000 is passed for the first parameter, the following error message is generated:

    ERROR: Invalid value for Bricks (2000) /usr/share/shorewall/action.GlusterFS (line 15) from /etc/shorewall/rules (line 45)

In Shorewall 5.0.8, ?WARNING and ?INFO directives were added:

    ?WARNING message
    ?INFO message

?WARNING message produces a standard Shorewall WARNING: message, while ?INFO produces a similar message which is prefaced by INFO: rather than WARNING:. Both write the message to STDERR. The message is also written to the STARTUP_LOG, if any, provided that the command is start, try, restart, reload, refresh, or one of the safe-* commands. See the VERBOSE_MESSAGES option in shorewall.conf(5) for additional information.

In Shorewall 5.1.4, the behavior of ?ERROR, ?WARNING and ?INFO was changed when they appear in an action file. Rather than reporting the action filename and line number, the generated message reports where the action was invoked. For example, the GlusterFS message above was changed to:

    ERROR: Invalid value (2000) for the GlusterFS Bricks argument /etc/shorewall/rules (line 45)
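To make the nesting and truth rules of the simple-variable form concrete, here is a small filter, added as an example and not part of Shorewall's compiler, that applies ?IF $variable (optionally inverted with '!'), ?ELSE and ?ENDIF to configuration lines read on stdin: a variable counts as true when it is non-empty and not '0', nesting is tracked with a depth counter, and unbalanced directives are reported as ERROR:. Variable values are passed as NAME=value pairs in place of the params/shorewall.conf/capabilities lookup; ?ELSIF, Perl expressions and INCLUDE processing are deliberately out of scope.

```shell
#!/bin/sh
# Added example, not Shorewall code: apply ?IF / ?ELSE / ?ENDIF to the
# configuration lines on stdin.  $1 holds space-separated NAME=value pairs
# standing in for the variable sources the compiler would consult.
conditional_filter() {
    awk -v vars="$1" '
    BEGIN {
        n = split(vars, kv, " ")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq > 0) v[substr(kv[i], 1, eq - 1)] = substr(kv[i], eq + 1)
        }
        depth = 0; emit[0] = 1; err = 0
    }
    # non-empty and non-zero counts as true; unknown variables are "" (false)
    function truthy(name,   val) {
        val = (name in v) ? v[name] : ""
        return (val != "" && val != "0")
    }
    function fail(msg) { print "ERROR: " msg > "/dev/stderr"; err = 1; exit 1 }
    /^[?]IF[ \t]/ {
        depth++
        name = $NF; sub(/^\$/, "", name)        # strip the leading $
        t = truthy(name)
        if ($2 == "!") t = !t                   # "?IF ! $var" inverts the test
        taken[depth] = t
        emit[depth] = emit[depth - 1] && t      # inner lines need every enclosing ?IF true
        next
    }
    /^[?]ELSE[ \t]*$/ {
        if (depth == 0) fail("?ELSE without ?IF")
        emit[depth] = emit[depth - 1] && !taken[depth]
        next
    }
    /^[?]ENDIF[ \t]*$/ {
        if (depth == 0) fail("?ENDIF without ?IF")
        depth--
        next
    }
    emit[depth] { print }                       # omitted lines (INCLUDE included) never reach the output
    END {
        if (err) exit 1
        if (depth != 0) fail(depth " ?IF directive(s) without matching ?ENDIF")
    }'
}
```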
Embedded Shell and Perl

Earlier versions of Shorewall offered extension scripts to allow users to extend Shorewall's functionality. Extension scripts were designed to work under the limitations of the Bourne Shell. With the current Perl-based compiler, embedded scripts offer a richer and more flexible extension capability. While inline scripts may be written in either Shell or Perl, those written in Perl have a lot more power. They may be used in all configuration files except /etc/shorewall/params and /etc/shorewall/shorewall.conf.

Note: in this section, '[' and ']' are meta-characters which indicate that what they enclose is optional and may be omitted.

Single line scripts take one of the following forms:

    [?]PERL <perl script>
    [?]SHELL <shell script>

The optional leading question mark (?) is allowed in Shorewall 4.5.5 and later.

Shell scripts run in a child shell process and their output is piped back to the compiler, which processes that output as if it were embedded at the point of the script.

Example: the following entries in /etc/shorewall/rules are equivalent:

    SHELL for z in net loc dmz; do echo "ACCEPT $z fw tcp 22"; done

    ACCEPT net fw tcp 22
    ACCEPT loc fw tcp 22
    ACCEPT dmz fw tcp 22

Perl scripts run in the context of the compiler process using Perl's eval() function. Perl scripts are implicitly prefixed by the following:

    package Shorewall::User;
    use Shorewall::Config ( qw/shorewall/ );

To produce output that will be processed by the compiler as if it were embedded in the file at the point of the script, pass that output to the Shorewall::Config::shorewall() function. The Perl equivalent of the above SHELL script would be:

    PERL for ( qw/net loc dmz/ ) { shorewall "ACCEPT $_ fw tcp 22"; }

A couple more points should be mentioned:

    - Compile-time extension scripts are also implicitly prefixed by "package Shorewall::User;".
    - A compile extension script is supported. That script is run early in the compilation process and allows users to load additional modules and to define data and functions for use in subsequent embedded scripts and extension scripts. Manual Chains may be added in the compile extension script.

Multi-line scripts use one of the following forms:

    [?]BEGIN SHELL
    <shell script>
    [?]END [ SHELL ]

    [?]BEGIN PERL [;]
    <perl script>
    [?]END [ PERL ] [;]

The optional leading question mark (?) is allowed in Shorewall 4.5.5 and later.
Using DNS Names

I personally recommend strongly against using DNS names in Shorewall configuration files. If you use DNS names and you are called out of bed at 2:00AM because Shorewall won't start as a result of DNS problems, then don't say that you were not forewarned.

Host addresses in Shorewall configuration files may be specified as either IP addresses or DNS Names.

DNS names in iptables rules aren't nearly as useful as they first appear. When a DNS name appears in a rule, the iptables utility resolves the name to one or more IP addresses and inserts those addresses into the rule. So changes in the DNS->IP address relationship that occur after the firewall has started have absolutely no effect on the firewall's rule set.

For some sites, using DNS names is very risky. Here's an example:

    teastep@ursa:~$ dig pop.gmail.com

    ; <<>> DiG 9.4.2-P1 <<>> pop.gmail.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1774
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;pop.gmail.com.                 IN      A

    ;; ANSWER SECTION:
    pop.gmail.com.          300     IN      CNAME   gmail-pop.l.google.com.
    gmail-pop.l.google.com. 300     IN      A       209.85.201.109
    gmail-pop.l.google.com. 300     IN      A       209.85.201.111

Note that the TTL is 300 -- 300 seconds is only 5 minutes. So five minutes later, the answer may change! So this rule may work for five minutes then suddenly stop working:

    #ACTION       SOURCE   DEST                PROTO   DPORT
    POP(ACCEPT)   loc      net:pop.gmail.com

There are two options in shorewall[6].conf(5) that affect the use of DNS names in Shorewall[6] config files:

    DEFER_DNS_RESOLUTION - When set to No, DNS names are resolved at compile time; when set to Yes, DNS Names are resolved at runtime.

    AUTOMAKE - When set to Yes, start, restart and reload only result in compilation if one of the files on the CONFIG_PATH has changed since the last compilation.

So by setting AUTOMAKE=Yes and DEFER_DNS_RESOLUTION=No, compilation will only take place at boot time if a change had been made to the config but no restart or reload had taken place. This is clearly spelled out in the shorewall.conf manpage. So with these settings, so long as a 'reload' or 'restart' takes place after the Shorewall configuration is changed, there should be no DNS-related problems at boot time. When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS change makes it necessary to recompile an existing firewall script, the -c option must be used with the reload or restart command to force recompilation.

If your firewall rules include DNS names then, even if DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes:

    - If your /etc/resolv.conf is wrong then your firewall may not start.
    - If your /etc/nsswitch.conf is wrong then your firewall may not start.
    - If your Name Server(s) is(are) down then your firewall may not start.
    - If your startup scripts try to start your firewall before starting your DNS server then your firewall may not start.
    - Factors totally outside your control (your ISP's router is down, for example) can prevent your firewall from starting.
    - You must bring up your network interfaces prior to starting your firewall, or the firewall may not start.

Each DNS name must be fully qualified and include a minimum of two periods (although one may be trailing). This restriction is imposed by Shorewall to ensure backward compatibility with existing configuration files.

Valid DNS Names:

    mail.shorewall.net
    shorewall.net.    (note the trailing period)

Invalid DNS Names:

    mail              (not fully qualified)
    shorewall.net     (only one period)

DNS names may not be used as:

    - The server address in a DNAT rule (/etc/shorewall/rules file)
    - In the ADDRESS column of an entry in /etc/shorewall/masq.
    - In the /etc/shorewall/nat file.

These restrictions are imposed by Netfilter and not by Shorewall.
Comma-separated Lists

Comma-separated lists are allowed in a number of contexts within the configuration files. A comma-separated list:

    - Must not have any embedded white space.

          Valid:    routefilter,dhcp,arpfilter
          Invalid:  routefilter,     dhcp,     arpfilter

    - If you use line continuation to break a comma-separated list, the comma must be the last thing on the continued line before '\' unless the continuation line has no leading white space.

    - Entries in a comma-separated list may appear in any order.
Complementing an Address, Subnet, Protocol or Port List

Where specifying an IP address, a subnet or an interface, you can precede the item with ! to specify the complement of the item. For example, !192.168.1.4 means any host but 192.168.1.4. There must be no white space following the !.

Similarly, in columns that specify an IP protocol, you can precede the protocol name or number by "!". For example, !tcp means "any protocol except tcp".

This also works with port lists, providing that the list contains 15 or fewer ports (where a port range counts as two ports). For example !ssh,smtp means "any port except 22 and 25".

In Shorewall 4.4.19 and later, icmp type lists are supported but complementing an icmp type list is not supported. You may, however, complement a single icmp (icmp6) type.
Exclusion Lists

Where a comma-separated list of addresses is accepted, an exclusion list may also be included. An exclusion list is a comma-separated list of addresses that begins with "!". Example:

    !192.168.1.3,192.168.1.12,192.168.1.32/27

The above list refers to "All addresses except 192.168.1.3, 192.168.1.12 and 192.168.1.32-192.168.1.63".

Exclusion lists can also be added after a network address. Example:

    192.168.1.0/24!192.168.1.3,192.168.1.12,192.168.1.32/27

The above list refers to "All addresses in 192.168.1.0-192.168.1.255 except 192.168.1.3, 192.168.1.12 and 192.168.1.32-192.168.1.63".
IP Address Ranges

If your kernel and iptables have iprange match support, you may use IP address ranges in Shorewall configuration file entries; IP address ranges have the syntax <low IP address>-<high IP address>. Example: 192.168.1.5-192.168.1.12.

To see if your kernel and iptables have the required support, use the shorewall show capabilities command:

    >~ shorewall show capabilities
    ...
    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Available
       Packet Mangling: Available
       Multi-port Match: Available
       Connection Tracking Match: Available
       Packet Type Match: Not available
       Policy Match: Available
       Physdev Match: Available
       IP range Match: Available   <--------------
Protocol Number/Names and Port Numbers/Service Names

Unless otherwise specified, when giving a protocol number you can use either an integer or a protocol name from /etc/protocols. Similarly, when giving a port number you can use either an integer or a service name from /etc/services. The rules compiler translates protocol names to protocol numbers and service names to port numbers itself.

Also, unless otherwise documented, a protocol number/name can be preceded by '!' to specify "All protocols except this one" (e.g., "!tcp").
Port Ranges

If you need to specify a range of ports, the proper syntax is <low port number>:<high port number>. For example, if you want to forward the range of tcp ports 4000 through 4100 to local host 192.168.1.3, the entry in /etc/shorewall/rules is:

    #ACTION   SOURCE   DESTINATION        PROTO   DPORT
    DNAT      net      loc:192.168.1.3    tcp     4000:4100

If you omit the low port number, a value of zero is assumed; if you omit the high port number, a value of 65535 is assumed. Also, unless otherwise documented, a port range can be preceded by '!' to specify "All ports except those in this range" (e.g., "!4000:4100").

Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to separate the two port numbers; when using service names, the colon must still be used.

    #ACTION   SOURCE   DESTINATION        PROTO   DPORT
    DNAT      net      loc:192.168.1.3    tcp     4000-4100
Port Lists

In most cases where a port or port range may appear, a comma-separated list of ports or port ranges may also be entered. Shorewall requires the Netfilter multiport match capability if port lists are used (see the output of "shorewall show capabilities"). Also, unless otherwise documented, a port list can be preceded by '!' to specify "All ports except these" (e.g., "!80,443").

Prior to Shorewall 4.4.4, port lists appearing in the shorewall-routestopped (5) file may specify no more than 15 ports; port ranges appearing in a list count as two ports each.
ICMP and ICMP6 Types and Codes

When dealing with ICMP, the DEST PORT specifies the type or type and code. You may specify the numeric type, the numeric type and code separated by a slash (e.g., 3/4) or you may use a type name.

Type names for IPv4 and their corresponding type or type/code are:

    echo-reply                  => 0
    destination-unreachable     => 3
    network-unreachable         => 3/0
    host-unreachable            => 3/1
    protocol-unreachable        => 3/2
    port-unreachable            => 3/3
    fragmentation-needed        => 3/4
    source-route-failed         => 3/5
    network-unknown             => 3/6
    host-unknown                => 3/7
    network-prohibited          => 3/9
    host-prohibited             => 3/10
    TOS-network-unreachable     => 3/11
    TOS-host-unreachable        => 3/12
    communication-prohibited    => 3/13
    host-precedence-violation   => 3/14
    precedence-cutoff           => 3/15
    source-quench               => 4
    redirect                    => 5
    network-redirect            => 5/0
    host-redirect               => 5/1
    TOS-network-redirect        => 5/2
    TOS-host-redirect           => 5/3
    echo-request                => 8
    router-advertisement        => 9
    router-solicitation         => 10
    time-exceeded               => 11
    ttl-zero-during-transit     => 11/0
    ttl-zero-during-reassembly  => 11/1
    parameter-problem           => 12
    ip-header-bad               => 12/0
    required-option-missing     => 12/1
    timestamp-request           => 13
    timestamp-reply             => 14
    address-mask-request        => 17
    address-mask-reply          => 18

Type names for IPv6 and their corresponding type or type/code are:

    destination-unreachable     => 1
    no-route                    => 1/0
    communication-prohibited    => 1/1
    address-unreachable         => 1/3
    port-unreachable            => 1/4
    packet-too-big              => 2
    time-exceeded               => 3
    ttl-exceeded                => 3
    ttl-zero-during-transit     => 3/0
    ttl-zero-during-reassembly  => 3/1
    parameter-problem           => 4
    bad-header                  => 4/0
    unknown-header-type         => 4/1
    unknown-option              => 4/2
    echo-request                => 128
    echo-reply                  => 129
    router-solicitation         => 133
    router-advertisement        => 134
    neighbour-solicitation      => 135
    neighbour-advertisement     => 136
    redirect                    => 137

Shorewall 4.4 does not accept lists of ICMP (ICMP6) types prior to Shorewall 4.4.19.
Using MAC Addresses

Media Access Control (MAC) addresses can be used to specify packet source in several of the configuration files. In order to control traffic to/from a host by its MAC address, the host must be on the same network as the firewall. To use this feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) included.

MAC addresses are 48 bits wide and each Ethernet Controller has a unique MAC address. In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers separated by colons.

MAC Address of an Ethernet Controller:

    gateway:~ # ip link ls dev eth0
    4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb qlen 1000
        link/ether 02:00:08:E3:FA:55 brd ff:ff:ff:ff:ff:ff
    gateway:~ #

Because Shorewall uses colons as a separator for address fields, Shorewall requires MAC addresses to be written in another way. In Shorewall, MAC addresses begin with a tilde (~) and consist of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in the example above would be written ~02-00-08-E3-FA-55.

It is not necessary to use the special Shorewall notation in the /etc/shorewall/maclist file.
Rate Limiting (Rate and Burst)

Shorewall supports rate limiting in a number of ways. When specifying a rate limit, both a rate and a burst value are given. Example from shorewall.conf (5):

    LOGLIMIT=10/minute:5

For each logging rule, the first time the rule is reached, the packet will be logged; in fact, since the burst is 5, the first five packets will be logged. After this, it will be 6 seconds (1 minute divided by the rate of 10) before a message will be logged from the rule, regardless of how many packets reach it. Also, for every 6 seconds which pass, one of the bursts will be regained; if no packets hit the rule for 30 seconds, the burst will be fully recharged, back where we started.

Shorewall also supports per-IP rate limiting. Another example from shorewall.conf (5):

    LOGLIMIT="s:5/min:5"

Here, the leading "s:" indicates that logging is to be limited by source IP address ("d:" would indicate limiting by destination IP address). "s:" is followed by the rate (5 messages per minute) and the burst (5). The rate and burst arguments have the same meaning as in the example above.
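A worked simulation of the rate:burst accounting just described, added here as an example; it is not Shorewall code nor the kernel's limit match, only the same token-bucket arithmetic (one token regained every interval/rate seconds, at most burst tokens banked). The packet arrival times are constructed; per-IP limiting ("s:" or "d:") would keep one such bucket per address.

```shell
#!/bin/sh
# Added example, not Shorewall code: simulate the token bucket behind a
# rate:burst limit such as LOGLIMIT=10/minute:5.
#   $1 = packets per interval   $2 = interval length in seconds   $3 = burst
#   remaining arguments = packet arrival times in seconds, non-decreasing
# Prints the arrival time of every packet that passes (would be logged).
limit_simulate() {
    rate=$1; interval=$2; burst=$3; shift 3
    refill=$((interval / rate))     # seconds per regained token: 60/10 = 6
    tokens=$burst                   # the bucket starts full
    last=0                          # time up to which refills have been credited
    for t in "$@"; do
        regained=$(( (t - last) / refill ))
        if [ "$regained" -gt 0 ]; then
            tokens=$((tokens + regained))
            last=$((last + regained * refill))   # carry the unused remainder forward
        fi
        if [ "$tokens" -ge "$burst" ]; then
            tokens=$burst; last=$t               # a full bucket cannot bank extra time
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$((tokens - 1))               # spend one token: this packet is logged
            echo "$t"
        fi
    done
}

# Convenience wrapper: how many of the given arrivals would be logged.
limit_count() {
    limit_simulate "$@" | wc -l | tr -d ' '
}

# Constructed scenario for 10/minute:5 -- 7 packets in the first second,
# one at t=6, one at t=7, then silence until t=36 (30 s later), when a
# burst of 6 arrives against a fully recharged bucket.
# Expected: 0 0 0 0 0 6 36 36 36 36 36
limit_simulate 10 60 5  0 0 0 0 0 0 0  6 7  36 36 36 36 36 36
```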
TIME Columns

Several of the files include a TIME column that allows you to specify times when the rule is to be applied. The contents of this column is a list of timeelements separated by ampersands (&). Each timeelement is one of the following:

    timestart=hh:mm[:ss]
        Defines the starting time of day.

    timestop=hh:mm[:ss]
        Defines the ending time of day.

    contiguous
        Added in Shorewall 5.0.12. When the timestop value is smaller than the timestart value, match this as a single time period instead of distinct intervals. See the Examples below.

    utc
        Times are expressed in Greenwich Mean Time.

    localtz
        Deprecated by the Netfilter team in favor of kerneltz. Times are expressed in Local Civil Time (default).

    kerneltz
        Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time (requires iptables 1.4.12 or later).

    weekdays=ddd[,ddd]...
        where ddd is a three-letter day-of-week abbreviation (Mon, Fri, Sat and Sun appear in the examples below)

    monthdays=dd[,dd],...
        where dd is an ordinal day of the month

    datestart=yyyy[-mm[-dd[hh[:mm[:ss]]]]]
        Defines the starting date and time.

    datestop=yyyy[-mm[-dd[hh[:mm[:ss]]]]]
        Defines the ending date and time.

Examples:

    To match on weekends, use:

        weekdays=Sat,Sun

    Or, to match (once) on a national holiday block:

        datestart=2016-12-24&datestop=2016-12-27

    Since the stop time is actually inclusive, you would need the following stop time to not match the first second of the new day:

        datestart=2016-12-24T17:00&datestop=2016-12-27T23:59:59

    During Lunch Hour

    The fourth Friday in the month:

        weekdays=Fri&monthdays=22,23,24,25,26,27,28

    Matching across days might not do what is expected. For instance,

        weekdays=Mon&timestart=23:00&timestop=01:00

    will match Monday, for one hour from midnight to 1 a.m., and then again for another hour from 23:00 onwards. If this is unwanted, e.g. if you would like 'match for two hours from Monday 23:00 onwards', you need to also specify the contiguous option in the example above.
Switches

There are times when you would like to enable or disable one or more rules in the configuration without having to do a shorewall reload or shorewall restart. This may be accomplished using the SWITCH column in shorewall-rules (5) or shorewall6-rules (5). Using this column requires that your kernel and iptables include Condition Match Support and you must be running Shorewall 4.4.24 or later. See the output of shorewall show capabilities and shorewall version to determine if you can use this feature.

The SWITCH column contains the name of a switch. Each switch is initially in the off position. You can turn on the switch named switch1 by:

echo 1 > /proc/net/nf_condition/switch1

You can turn it off again by:

echo 0 > /proc/net/nf_condition/switch1

If you simply include the switch name in the SWITCH column, then the rule is enabled only when the switch is on. If you precede the switch name with ! (e.g., !switch1), then the rule is enabled only when the switch is off. Switch settings are retained over shorewall restart.

Shorewall requires that switch names:

- begin with a letter and be composed of letters, digits, underscore ('_') or hyphen ('-'); and
- be 30 characters or less in length.

Multiple rules can be controlled by the same switch.

Example: forward port 80 to dmz host $BACKUP if switch 'primary_down' is on.

#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down
Logical Interface Names

When dealing with a complex configuration, it is often awkward to use physical interface names in the Shorewall configuration. You need to remember which interface is which. If you move the configuration to another firewall, the interface names might not be the same. Beginning with Shorewall 4.4.4, you can use logical interface names which are mapped to the actual interface using the physical option in shorewall-interfaces (5). Here is an example:

#ZONE INTERFACE OPTIONS
net COM_IF dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
net EXT_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
loc INT_IF dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
dmz VPS_IF logmartians=1,routefilter=0,routeback,physical=venet0
loc TUN_IF physical=tun+

In this example, COM_IF is a logical interface name that refers to Ethernet interface eth0, EXT_IF is a logical interface name that refers to Ethernet interface eth2, and so on. Here are a couple more files from the same configuration:

shorewall-masq (5):

#INTERFACE SOURCE ADDRESS
COMMENT Masquerade Local Network
COM_IF 0.0.0.0/0
EXT_IF !206.124.146.0/24 206.124.146.179:persistent

shorewall-providers (5):

#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Avvanta 1 0x10000 main EXT_IF 206.124.146.254 loose,fallback INT_IF,VPS_IF,TUN_IF
Comcast 2 0x20000 main COM_IF detect balance INT_IF,VPS_IF,TUN_IF

Note in particular that Shorewall translates TUN_IF to tun* in the COPY column.
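An added example (not Shorewall's own parser) that builds the logical-to-physical map from the interfaces file shown above and applies it to a providers COPY column, turning the tun+ wildcard into tun* and failing on a name the interfaces file does not define. logical_map, resolve and resolve_copy are names chosen here; the OPTIONS column is assumed to be a plain comma-separated list, as in the sample.

```python
# Added example: resolve Shorewall logical interface names to physical ones.
# The sample file is the interfaces file from the text, embedded as a string.
INTERFACES = """\
#ZONE INTERFACE OPTIONS
net COM_IF dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
net EXT_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
loc INT_IF dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
dmz VPS_IF logmartians=1,routefilter=0,routeback,physical=venet0
loc TUN_IF physical=tun+
"""


def logical_map(text):
    """Return {logical name: physical name} from an interfaces file.

    An entry without a physical= option keeps its own name, which is what an
    interfaces file written before logical names existed contains."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        logical = fields[1]
        options = fields[2].split(",") if len(fields) > 2 else []
        physical = logical
        for option in options:
            if option.startswith("physical="):
                physical = option[len("physical="):]
        mapping[logical] = physical
    return mapping


def resolve(mapping, name):
    """Physical name for a logical name used in another file (providers, masq, ...)."""
    if name not in mapping:
        raise KeyError("interface %s is not defined in the interfaces file" % name)
    return mapping[name]


def resolve_copy(mapping, copy):
    """Translate a providers COPY column; a wildcard interface (trailing '+')
    is written with a trailing '*', as Shorewall does for TUN_IF above."""
    out = []
    for name in copy.split(","):
        physical = resolve(mapping, name)
        out.append(physical[:-1] + "*" if physical.endswith("+") else physical)
    return ",".join(out)
```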
Optional and Required Interfaces

Normally, Shorewall assumes that all interfaces described in shorewall-interfaces (5) are going to be in an up and usable state when Shorewall starts or restarts. You can alter that assumption by specifying the optional option in the OPTIONS column. When an interface is marked as optional, Shorewall will determine the interface state at start, reload and restart and adjust its configuration accordingly:

- The arp_filter, arp_ignore, routefilter, logmartians, proxyarp and sourceroute options are not enforced when the interface is down, thus avoiding an error message such as:

  WARNING: Cannot set Martian logging on ppp0

- If the interface is associated with a provider in shorewall-providers (5), start, reload and restart will not fail if the interface is not usable.
- When DETECT_DNAT_IPADDRS=Yes in shorewall.conf (5), DNAT rules in shorewall-rules (5) involving the interface will be omitted when the interface does not have an IP address.
- If detect is specified in the ADDRESS column of an entry in shorewall-masq (5) then the firewall still starts if the optional interface in the INTERFACE column does not have an IP address.

If you don't want the firewall to start unless a given interface is usable, then specify required in the OPTIONS column of shorewall-interfaces (5).

If you have installed and configured the Shorewall-init package, then when the interface becomes available, an automatic attempt will be made to start the firewall.
Shorewall Configurations

Shorewall allows you to have configuration directories other than /etc/shorewall. The shorewall check, start, reload and restart commands allow you to specify an alternate configuration directory and Shorewall will use the files in the alternate directory rather than the corresponding files in /etc/shorewall. The alternate directory need not contain a complete configuration; those files not in the alternate directory will be read from /etc/shorewall.

Shorewall requires that the file /etc/shorewall/shorewall.conf always exist. Certain global settings are always obtained from that file. If you create alternative configuration directories, do not remove /etc/shorewall/shorewall.conf.

This facility permits you to easily create a test or temporary configuration by copying the files that need modification from /etc/shorewall to a separate directory, modifying those files in the separate directory, and specifying the separate directory in a shorewall start, shorewall reload or shorewall restart command (e.g., shorewall restart /etc/testconfig).
Saved Configurations

Shorewall allows you to save the currently-running configuration in a form that permits it to be re-installed quickly. When you save the configuration using the shorewall save command, the running configuration is saved in a file in the /var/lib/shorewall directory. The default name of that file is /var/lib/shorewall/restore but you can specify a different name as part of the command. For example, the command shorewall save standard will save the running configuration in /var/lib/shorewall/standard.

A saved configuration is re-installed using the shorewall restore command. Again, that command normally will restore the configuration saved in /var/lib/shorewall/restore but as with the save command, you can specify a different file name in the command. For example, shorewall restore standard will re-install the configuration saved in /var/lib/shorewall/standard.

By permitting you to save different configurations under different names, Shorewall provides a means for quickly switching between these different saved configurations. As mentioned above, the default configuration is called 'restore' but like most things in Shorewall, that default can be changed. The default name is specified using the RESTOREFILE option in /etc/shorewall/shorewall.conf.

The default saved configuration is used by Shorewall in a number of ways besides in the restore command; to avoid surprises, I recommend that you read the Shorewall Operations documentation section about saved configurations before creating one.
Port Knocking and Other Uses of 'Recent Match'

Tom Eastep 2005 2006 2009 2013 Thomas M. Eastep

The techniques described in this article were superseded in Shorewall 4.5.19 with the introduction of Shorewall Events.

The feature described in this article requires 'Recent Match' in your iptables and kernel. See the output of shorewall show capabilities to see if you have that match.
What is Port Knocking? Port knocking is a technique whereby attempting to connect to port A enables access to port B from that same host. For the example on which this article is based, see http://www.soloport.com/iptables.html which should be considered to be part of this documentation.
Implementing Port Knocking in Shorewall

In order to implement this solution, your iptables and kernel must support the 'recent match' extension (see FAQ 42). In this example:

- Attempting to connect to port 1600 enables SSH access.
- Access is enabled for 60 seconds.
- Attempting to connect to port 1601 disables SSH access (note that in the article linked above, attempting to connect to port 1599 also disables access. This is a port scan defence as explained in the article).

To implement that approach:

- Add an action named SSHKnock (see the Action documentation).
- Leave the action.SSHKnock file empty.
- Create /etc/shorewall/SSHKnock with the following contents:

use Shorewall::Chains;

# Optional logging of the ACCEPTs and DROPs, at the log level given on the rule
if ( $level ) {
    log_rule_limit( $level, $chainref, 'SSHKnock', 'ACCEPT', '', $tag, 'add',
                    '-p tcp --dport 22 -m recent --rcheck --name SSH ' );
    log_rule_limit( $level, $chainref, 'SSHKnock', 'DROP', '', $tag, 'add',
                    '-p tcp ! --dport 22 ' );
}

# SSH is accepted only from an address that knocked within the last 60 seconds
add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT' );
# 1599 and 1601 remove the address from the SSH list; 1600 adds it
add_rule( $chainref, '-p tcp --dport 1599 -m recent --name SSH --remove -j DROP' );
add_rule( $chainref, '-p tcp --dport 1600 -m recent --name SSH --set -j DROP' );
add_rule( $chainref, '-p tcp --dport 1601 -m recent --name SSH --remove -j DROP' );

1;

Now if you want to protect SSH access to the firewall from the Internet, add this rule in /etc/shorewall/rules:

#ACTION SOURCE DEST PROTO DPORT
SSHKnock net $FW tcp 22,1599,1600,1601

If you want to log the DROPs and ACCEPTs done by SSHKnock, you can just add a log level as in:

#ACTION SOURCE DEST PROTO DPORT
SSHKnock:info net $FW tcp 22,1599,1600,1601

Assume that you forward port 22 from external IP address 206.124.146.178 to internal system 192.168.1.5.
In /etc/shorewall/rules:

#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178

You can use SSHKnock with DNAT on earlier releases provided that you omit the ORIGDEST entry on the second SSHKnock rule.

This rule will be quite secure provided that you specify 'routefilter' on your external interface and have NULL_ROUTE_RFC1918=Yes in shorewall.conf.

For another way to implement Port Knocking, see the Manual Chain documentation.
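The state that the SSHKnock action keeps, as an added Python model (not part of Shorewall or of the linked article): RecentList mimics the 'recent' match list named SSH, and SSHKnock.handle applies the action's four add_rule lines in order to one TCP packet. A result of None means no rule in the action matched, so the packet goes on to whatever rules and policy follow; times are seconds and addresses plain strings, both chosen for the example.

```python
# Added model of the SSHKnock action above; it does not touch netfilter.

class RecentList:
    """Behaviour of one 'recent' match list (the one named SSH in the action)."""

    def __init__(self):
        self.last_seen = {}              # address -> time of the last --set

    def set(self, addr, now):            # --set: add the address, or refresh it
        self.last_seen[addr] = now

    def remove(self, addr):              # --remove: forget the address
        self.last_seen.pop(addr, None)

    def rcheck(self, addr, now, seconds=None):
        """--rcheck [--seconds N]: is the address listed (and seen within N s)?
        Unlike --update, a successful --rcheck does not refresh the timestamp."""
        if addr not in self.last_seen:
            return False
        return seconds is None or now - self.last_seen[addr] <= seconds


class SSHKnock:
    """Applies the action's rules, in order, to one TCP packet from 'src'."""

    def __init__(self, window=60):
        self.ssh = RecentList()
        self.window = window             # the --seconds value on the port 22 rule

    def handle(self, src, dport, now):
        """Returns 'ACCEPT', 'DROP', or None when no rule in the action matched
        (the packet then continues to the rules and policy that follow it)."""
        if dport == 22 and self.ssh.rcheck(src, now, self.window):
            return "ACCEPT"
        if dport == 1599:                # with 1601, undoes a sequential port scan
            self.ssh.remove(src)
            return "DROP"
        if dport == 1600:                # the knock: open the 60 second window
            self.ssh.set(src, now)
            return "DROP"
        if dport == 1601:                # close the window explicitly
            self.ssh.remove(src)
            return "DROP"
        return None


def run(packets, window=60):
    """packets: (src, dport, time) in time order; returns the action's verdicts."""
    knock = SSHKnock(window)
    return [knock.handle(src, dport, now) for src, dport, now in packets]
```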
Limiting Per-IP Connection Rate This information has been moved to the Actions article.
QOS Configuration

Tom Eastep 2012 Thomas M. Eastep
Introduction

This configuration was inspired by the one in this thread on the OpenWRT Forum: https://forum.openwrt.org/viewtopic.php?pid=154533#p154533. The configuration has been adapted to Shorewall 4.5.6 with the following changes:

- The configuration uses an IFB, yet only uses firewall marks in the OUTPUT and FORWARD chains to classify packets; clearly that doesn't work. To be more precise, it doesn't work with an unpatched kernel: the OpenWRT script assumes an 'act_conntrack' patch which performs conntrack processing on packets before they are sent to the IFB, and that patch is not generally available. The configuration presented here uses U32 classifiers (shorewall-tcfilters(5)) to classify traffic for download shaping and uses the POSTROUTING chain for upload shaping.
- The sample uses a weak form of P2P classification; the one presented below uses IPP2P.
- The OpenWRT script assumed that the uplink was ATM -- the one below makes no assumption (it specifies 'ethernet' with overhead '0').
/etc/shorewall/params

The shell variables set in the OpenWRT script are set in the Shorewall params file:

# local network
MYNET=192.168.0.0/24

DOWNLOAD=40000  # download speed in kbit. set xx% of real download speed
UPLOAD=7000     # set xx% of real upload speed

# multiports = up to 15 ports
# ports to be classified as bulk
# set after connection mark save and after connection mark restore
TCP_BULK="1024:"  # S and D ports
UDP_BULK="1024:"  # S and D ports

# Destination ports to be classified as P2P
TCP_P2P="13769"  # D ports
UDP_P2P="13769"  # D ports
IP_P2P="192.168.0.133"

# Destination ports to be classified as normal
TCP_NORMAL="80,443,25,20,21,110,993,995"  # D ports
UDP_NORMAL=""

# Destination ports to be classified as Prio (overrules bulk ports)
TCP_PRIO="22,53"  # destination ports
UDP_PRIO="22,53"  # destination ports

# Destination ports to be classified as VoIP (overrules bulk ports)
TCP_VOIP=""
UDP_VOIP="18080"
IP_VOIP="192.168.0.226"  # destination and source IP

#!!!!! uplink leaf class parameters !!!!!!!!!
# bulk
UP_LS_BULK_RATE=$(($UPLOAD*5/100))
UP_UL_BULK_RATE=$UPLOAD
# settings leaf qdisc
UP_BULK_RED_PROB=0.05   # red drop probability
UP_BULK_RED_min=6250    # real limit. To limit BULK traffic
UP_BULK_RED_min2=6250   # min for doing the calculations (burst and etc)
UP_BULK_RED_max=$((2 * $UP_BULK_RED_min2 + $UP_BULK_RED_min))
UP_BULK_RED_burst=$(((5 * $UP_BULK_RED_min2) / (3 * 1000)))
UP_BULK_RED_limit=$(($UP_BULK_RED_max * 5))

# P2P
UP_LS_P2P_RATE=$(($UPLOAD * 5 / 100))
UP_UL_P2P_RATE=$UPLOAD
# settings leaf qdisc
UP_P2P_RED_PROB=0.05    # red drop probability
UP_P2P_RED_min=32000    # real limit. To limit P2P traffic
UP_P2P_RED_min2=32000   # min for doing the calculations (burst and etc)
UP_P2P_RED_max=$((5 * $UP_P2P_RED_min2 + $UP_P2P_RED_min))
UP_P2P_RED_burst=$(((5 * $UP_P2P_RED_min2) / (3 * 1000)))
UP_P2P_RED_limit=$(($UP_P2P_RED_max * 5))

# normal class
UP_LS_NORMAL_RATE=$(($UPLOAD * 40 / 100))
UP_UL_NORMAL_RATE=$UPLOAD
# settings leaf qdisc
UP_NORMAL_RED_PROB=0.05   # red drop probability
UP_NORMAL_RED_min=6250    # real limit. To limit NORMAL traffic
UP_NORMAL_RED_min2=6250   # min for doing the calculations (burst and etc)
UP_NORMAL_RED_max=$((2 * $UP_NORMAL_RED_min2 + $UP_NORMAL_RED_min))
UP_NORMAL_RED_burst=$(((5 * $UP_NORMAL_RED_min2) / (3 * 1000)))
UP_NORMAL_RED_limit=$(($UP_NORMAL_RED_max * 5))

# prio
UP_LS_PRIO_RATE=$(($UPLOAD*50/100))
UP_RT_PRIO_RATE="200"   # rate in kbit
UP_RT_PRIO_UMAX="400"   # length of the packets [byte]
UP_RT_PRIO_DMAX="15"    # delay in ms
UP_UL_PRIO_RATE=$UPLOAD

# Voip
UP_UL_VOIP_RATE=$UPLOAD
UP_SC_VOIP_RATE="200"
UP_SC_VOIP_UMAX="350"   # length of the voip packets [byte]
UP_SC_VOIP_DMAX="10"    # delay in ms

#!!!!! downlink leaf class parameters !!!!!!!!!
# bulk
DOWN_LS_BULK_RATE=$(($DOWNLOAD*5/100))
DOWN_UL_BULK_RATE=$DOWNLOAD
# leaf qdisc parameters
DOWN_BULK_RED_PROB=0.05   # red drop probability
DOWN_BULK_RED_min=62500   # real limit. To limit BULK traffic
DOWN_BULK_RED_min2=62500  # min for doing the calculations (burst and etc)
DOWN_BULK_RED_max=$((2 * $DOWN_BULK_RED_min2 + $DOWN_BULK_RED_min))
DOWN_BULK_RED_burst=$(((5 * $DOWN_BULK_RED_min2) / (3 * 1000)))
DOWN_BULK_RED_limit=$(($DOWN_BULK_RED_max * 5))

# P2P
DOWN_LS_P2P_RATE=$(($DOWNLOAD*5/100))
DOWN_UL_P2P_RATE=4000
# leaf qdisc parameters
DOWN_P2P_RED_PROB=0.05     # red drop probability
DOWN_P2P_RED_min=200000    # real limit. To limit P2P traffic
DOWN_P2P_RED_min2=200000   # min for doing the calculations (burst and etc)
DOWN_P2P_RED_max=$((2 * $DOWN_P2P_RED_min2 + $DOWN_P2P_RED_min))
DOWN_P2P_RED_burst=$(((5 * $DOWN_P2P_RED_min2) / (3 * 1000)))
DOWN_P2P_RED_limit=$(($DOWN_P2P_RED_max * 5))

# normal class
DOWN_LS_NORMAL_RATE=$(($DOWNLOAD*75/100))
DOWN_UL_NORMAL_RATE=$DOWNLOAD
# leaf qdisc parameters
DOWN_NORMAL_RED_PROB=0.05    # red drop probability
DOWN_NORMAL_RED_min=62500    # real limit. To limit NORMAL traffic
DOWN_NORMAL_RED_min2=62500   # min for doing the calculations (burst and etc)
DOWN_NORMAL_RED_max=$((2 * $DOWN_NORMAL_RED_min2 + $DOWN_NORMAL_RED_min))
DOWN_NORMAL_RED_burst=$(((5 * $DOWN_NORMAL_RED_min2) / (3 * 1000)))
DOWN_NORMAL_RED_limit=$(($DOWN_NORMAL_RED_max * 5))

# prio
DOWN_RT_PRIO_RATE="500"   # rate in kbit
DOWN_RT_PRIO_UMAX="400"   # length of the packets [byte]
DOWN_RT_PRIO_DMAX="1.5"   # delay in ms
DOWN_UL_PRIO_RATE=$DOWNLOAD

# Voip
DOWN_UL_VOIP_RATE=$DOWNLOAD
DOWN_SC_VOIP_RATE="250"
DOWN_SC_VOIP_UMAX="350"   # length of voip packets [byte]
DOWN_SC_VOIP_DMAX="1.2"   # delay in ms
/etc/shorewall/init

The init file loads the ifb module, creating a single device:

modprobe ifb numifbs=1
ip link set ifb0 up
/etc/shorewall/tcdevices

The tcdevices file describes the two devices:

#NUMBER:INTERFACE IN_BANDWIDTH OUT_BANDWIDTH OPTIONS REDIRECT
1:eth0 - ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0
2:ifb0 - ${DOWNLOAD}kbit hfsc eth0
/etc/shorewall/tcclasses

The tcclasses file defines the class hierarchy for both devices. For an hfsc device, the RATE column holds the realtime (or service curve) specification as rate:dmax:umax and the CEIL column holds the link-sharing rate and upper limit as lsrate:ulrate:

#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
1 1 ${UP_SC_VOIP_RATE}kbit:\
    ${UP_SC_VOIP_DMAX}:\
    ${UP_SC_VOIP_UMAX} ${UP_UL_VOIP_RATE}kbit 1
1 2 ${UP_RT_PRIO_RATE}kbit:\
    ${UP_RT_PRIO_DMAX}:\
    ${UP_RT_PRIO_UMAX} ${UP_LS_PRIO_RATE}kbit:\
    ${UP_UL_PRIO_RATE}kbit 1
1 3 - ${UP_LS_NORMAL_RATE}kbit:\
    ${UP_UL_NORMAL_RATE}kbit 1 red=(limit=$UP_NORMAL_RED_limit,\
    min=$UP_NORMAL_RED_min,\
    max=$UP_NORMAL_RED_max,\
    burst=$UP_NORMAL_RED_burst,\
    probability=$UP_NORMAL_RED_PROB,\
    ecn)
1 4 - ${UP_LS_P2P_RATE}kbit:\
    ${UP_UL_P2P_RATE}kbit 1 red=(limit=$UP_P2P_RED_limit,\
    min=$UP_P2P_RED_min,\
    max=$UP_P2P_RED_max,\
    burst=$UP_P2P_RED_burst,\
    probability=$UP_P2P_RED_PROB,\
    ecn)
1 5 - ${UP_LS_BULK_RATE}kbit:\
    ${UP_UL_BULK_RATE}kbit 1 default,\
    red=(limit=$UP_BULK_RED_limit,\
    min=$UP_BULK_RED_min,\
    max=$UP_BULK_RED_max,\
    burst=$UP_BULK_RED_burst,\
    probability=$UP_BULK_RED_PROB,\
    ecn)
2:10 - ${DOWN_SC_VOIP_RATE}kbit:\
    ${DOWN_SC_VOIP_DMAX}:\
    ${DOWN_SC_VOIP_UMAX} ${DOWN_UL_VOIP_RATE}kbit 1
2:20 - ${DOWN_RT_PRIO_RATE}kbit:\
    ${DOWN_RT_PRIO_DMAX}:\
    ${DOWN_RT_PRIO_UMAX} ${DOWN_UL_PRIO_RATE}kbit 1
2:30 - - ${DOWN_LS_NORMAL_RATE}kbit:\
    ${DOWN_UL_NORMAL_RATE}kbit 1 red=(limit=$DOWN_NORMAL_RED_limit,\
    min=$DOWN_NORMAL_RED_min,\
    max=$DOWN_NORMAL_RED_max,\
    burst=$DOWN_NORMAL_RED_burst,\
    probability=$DOWN_NORMAL_RED_PROB)
2:40 - - ${DOWN_LS_P2P_RATE}kbit:\
    ${DOWN_UL_P2P_RATE}kbit 1 red=(limit=$DOWN_P2P_RED_limit,\
    min=$DOWN_P2P_RED_min,\
    max=$DOWN_P2P_RED_max,\
    burst=$DOWN_P2P_RED_burst,\
    probability=$DOWN_P2P_RED_PROB)
2:50 - - ${DOWN_LS_BULK_RATE}kbit:\
    ${DOWN_UL_BULK_RATE}kbit 1 default,\
    red=(limit=$DOWN_BULK_RED_limit,\
    min=$DOWN_BULK_RED_min,\
    max=$DOWN_BULK_RED_max,\
    burst=$DOWN_BULK_RED_burst,\
    probability=$DOWN_BULK_RED_PROB)
/etc/shorewall/mangle

The mangle file classifies upload packets:

#MARK       SOURCE     DEST       PROTO      DPORT        SPORT       USER   TEST
RESTORE:T   -          -          -          -            -           -      !0:C
CONTINUE:T  -          -          -          -            -           -      !0
2:T         -          -          icmp
1:T         -          -          udp        $UDP_VOIP    -           -      0
1:T         $IP_VOIP   -          -          -            -           -      0
1:T         -          $IP_VOIP   -          -            -           -      0
2:T         -          -          tcp        $TCP_PRIO    -           -      0
2:T         -          -          udp        $UDP_PRIO    -           -      0
2:T         -          -          tcp        -            $TCP_PRIO   -      0
2:T         -          -          udp        -            $UDP_PRIO   -      0
3:T         -          -          tcp        $TCP_NORMAL  -           -      0
4:T         -          -          ipp2p:all  -            -           -      0
5:T         -          -          tcp        $TCP_BULK    -           -      0
5:T         -          -          tcp        -            $TCP_BULK   -      0
5:T         -          -          udp        $UDP_BULK    -           -      0
5:T         -          -          udp        -            $UDP_BULK   -      0
SAVE:T      -          -          -          -            -           -      !0
/etc/shorewall/tcfilters

The tcfilters file classifies download packets:

#INTERFACE:CLASS  SOURCE  DEST     PROTO  DPORT      SPORT        TOS  LENGTH
#
# These classify download traffic
#
2:10              -       $MYNET   udp    -          $UDP_VOIP
2:20              -       $MYNET   tcp    -          $TCP_PRIO
2:20              -       $MYNET   udp    -          $UDP_PRIO
2:20              -       $MYNET   tcp    $TCP_PRIO
2:20              -       $MYNET   udp    $UDP_PRIO
2:30              -       $MYNET   tcp    -          $TCP_NORMAL
2:50              -       $MYNET   tcp    $TCP_BULK
2:50              -       $MYNET   tcp    -          $TCP_BULK
2:50              -       $MYNET   udp    $UDP_BULK
2:50              -       $MYNET   udp    -          $UDP_BULK
Shorewall and UPnP

Tom Eastep 2005 2010 2013 Thomas M. Eastep
UPnP

Shorewall includes support for UPnP (Universal Plug and Play) using linux-igd (http://linux-igd.sourceforge.net). UPnP is required by a number of popular applications including MSN IM.

From a security architecture viewpoint, UPnP is a disaster. It assumes that:

- All local systems and their users are completely trustworthy.
- No local system is infected with any worm or trojan.

If either of these assumptions is not true then UPnP can be used to totally defeat your firewall and to allow incoming connections to arbitrary local systems on any port whatsoever. In short: USE UPnP AT YOUR OWN RISK.

Shorewall and linux-igd implement a UPnP Internet Gateway Device. It will not allow clients on one LAN subnet to access a UPnP Media Server on another subnet.
linux-igd Configuration

In /etc/upnpd.conf, you will want:

create_forward_rules = yes
prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP
Shorewall Configuration

In /etc/shorewall/interfaces, you need the 'upnp' option on your external interface. Example:

#ZONE INTERFACE OPTIONS
net eth1 dhcp,routefilter,tcpflags,upnp

If your loc->fw policy is not ACCEPT then you need this rule:

#ACTION SOURCE DEST
allowinUPnP loc $FW

You MUST have this rule:

#ACTION SOURCE DEST
forwardUPnP net loc

You must also ensure that you have a route to 224.0.0.0/4 on your internal (local) interface as described in the linux-igd documentation. The init script included with the Debian linux-igd package adds this route during start and deletes it during stop.

Shorewall versions prior to 4.4.10 do not retain the dynamic rules added by linux-igd over a shorewall restart.

If your firewall->loc policy is not ACCEPT, then you also need to allow UDP traffic from the firewall to the local zone:

#ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT $FW loc udp - <dynamic port range>

The dynamic port range is obtained by cat /proc/sys/net/ip_local_port_range.
Shorewall on a UPnP Client It is sometimes desirable to run UPnP-enabled client programs like Transmission (BitTorrent client) on a Shorewall-protected system. Shorewall provides support for UPnP client access in the form of the upnpclient option in shorewall-interfaces (5). The upnpclient option causes Shorewall to detect the default gateway through the interface and to accept UDP packets from that gateway. Note that, like all aspects of UPnP, this is a security hole so use this option at your own risk. Note that when multiple clients behind the firewall use UPnP, they must configure their applications to use unique ports.
GRE and IPIP Tunnels

Tom Eastep 2001 2002 2003 2004 2005 Thomas M. Eastep

GRE and IPIP Tunnels are insecure when used over the Internet; use them at your own risk.

GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded networks. The simple scripts described in the Linux Advanced Routing and Shaping HOWTO work fine with Shorewall. Shorewall also includes a tunnel script for automating tunnel configuration. If you have installed the RPM, the tunnel script may be found in the Shorewall documentation directory (usually /usr/share/doc/shorewall-<version>/).
Bridging two Masqueraded Networks

Suppose that we have the following situation: We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is included with Shorewall.

The tunnel script is not installed in /etc/shorewall by default -- if you install using the tarball, the script is included in the tarball; if you install using the RPM, the file is in your Shorewall documentation directory (normally /usr/share/doc/shorewall-<version>).

In the /etc/shorewall/tunnel script, set the tunnel_type parameter to the type of tunnel that you want to create.

/etc/shorewall/tunnel:

tunnel_type=gre

If you use the PPTP connection tracking modules from Netfilter Patch-O-Matic (ip_conntrack_proto_gre, ip_conntrack_pptp, ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE tunnels.

On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called vpn and declare it in /etc/shorewall/zones on both systems as follows.

#ZONE TYPE OPTIONS
vpn ipv4

On system A, the 10.0.0.0/8 network will comprise the vpn zone. In /etc/shorewall/interfaces:

#ZONE INTERFACE OPTIONS
vpn tosysb

In /etc/shorewall/tunnels on system A, we need the following:

#TYPE ZONE GATEWAY GATEWAY_ZONE
ipip net 134.28.54.2

This entry in /etc/shorewall/tunnels opens the firewall so that the IP encapsulation protocol (4) will be accepted to/from the remote gateway.

In the tunnel script on system A:

tunnel=tosysb
myrealip=206.161.148.9   # for GRE tunnel only
myip=192.168.1.1
hisip=10.0.0.1
gateway=134.28.54.2
subnet=10.0.0.0/8

Similarly, on system B the 192.168.1.0/24 subnet will comprise the vpn zone. In /etc/shorewall/interfaces:

#ZONE INTERFACE
vpn tosysa

In /etc/shorewall/tunnels on system B, we have:

#TYPE ZONE GATEWAY GATEWAY_ZONE
ipip net 206.191.148.9

And in the tunnel script on system B:

tunnel=tosysa
myrealip=134.28.54.2   # for GRE tunnel only
myip=10.0.0.1
hisip=192.168.1.1
gateway=206.191.148.9
subnet=192.168.1.0/24

You can rename the modified tunnel scripts if you like; be sure that they are secured so that root can execute them.

You will need to allow traffic between the vpn zone and the loc zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file:

#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT

On both systems, restart Shorewall and run the modified tunnel script with the start argument on each system. The systems in the two masqueraded subnetworks can now talk to each other.
Quotes from Users

Tom Eastep 2003 2004 Thomas M Eastep
What Users are saying...
AS, Poland I want to say that Shorewall documentation is the best I've ever found on the net. It's helped me a lot in understanding how network is working. It is the best of breed. It contains not only Shorewall specific topics with the assumption that all the rest is well known, but also gives some very useful background information. Thank you very much for this wonderful piece of work.
ES, Phoenix AZ, USA I have fought with IPtables for untold hours. First I tried the SUSE firewall, which worked for 80% of what I needed. Then gShield, which also worked for 80%. Then I set out to write my own IPtables parser in shell and awk, which was a lot of fun but never got me past the "hey, cool" stage. Then I discovered Shorewall. After about an hour, everything just worked. I am stunned, and very grateful.
SE, California, USA In two words, I'd call Shorewall "brilliant simplicity". Define general rules of what it is you want to do, and let the software determine the specific rules on how to implement it. It's great only having to define specific rules for specific instances. I have a much higher degree of confidence in my firewall than I have had previously. Thank you for Shorewall!
BC, USA The configuration is intuitive and flexible, and much easier than any of the other iptables-based firewall programs out there. After sifting through many other scripts, it is obvious that yours is the most well thought-out and complete one available.
JL, Ohio I just installed Shorewall after weeks of messing with ipchains/iptables and I had it up and running in under 20 minutes!
JV, Spain My case was almost like [the one above]. Well, instead of weeks it was months for me, and I think I needed two minutes more: One to see that I had no Internet access from the firewall itself. Another to see that this was the default configuration, and it was enough to uncomment a line in /etc/shorewall/policy. Minutes instead of months! Congratulations and thanks for such a simple and well documented thing for something as huge as iptables.
MM I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without any problems. Your documentation is great and I really appreciate your network configuration info. That really helped me out a lot. THANKS!!!
B.R, Netherlands [Shorewall is a] great, great project. I've used/tested many firewall scripts but this one is till now the best.
Mario Kerecki, Toronto Never in my +12 year career as a sys admin have I witnessed someone so relentless in developing a secure, state of the art, safe and useful product as the Shorewall firewall package for no cost or obligation involved.
SM, Germany one time more to report, that your great shorewall in the latest release 1.2.9 is working fine for me with SUSE Linux 7.3! I now have 7 machines up and running with shorewall on several versions - starting with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!
SE, US You have the best support of any other package I've ever used.
Name withheld by request, Europe Because our company has information which has been classified by the national government as secret, our security doesn't stop by putting a fence around our company. Information security is a hot issue. We also make use of checkpoint firewalls, but not all of the Internet servers are guarded by checkpoint, some of them are running....Shorewall.
RM, Austria thanx for all your efforts you put into shorewall - this product stands out against a lot of commercial stuff I've been working with in terms of flexibility, quality & support.
RG, Toronto I have never seen such a complete firewall package that is so easy to configure. I searched the Debian package system for firewall scripts and Shorewall won hands down.
RP, Guatemala My respects... I've just found and installed Shorewall 1.3.3-1 and it is a wonderful piece of software. I've just sent out an email to about 30 people recommending it. :-) While I had previously taken the time (maybe 40 hours) to really understand ipchains, then spent at least an hour per server customizing and carefully scrutinizing firewall rules, I've got shorewall running on my home firewall, with rule sets and policies that I know make sense, in under 20 minutes.
Kernel Configuration

Tom Eastep 2001-2006 Thomas M. Eastep

This article is unmaintained.
Network Options Configuration Here's a screen shot of my Network Options Configuration: While not all of the options that I've selected are required, they should be sufficient for most applications. Here's an excerpt from the corresponding .config file (Note: If you are running a kernel older than 2.4.17, be sure to select CONFIG_NETLINK and CONFIG_RTNETLINK):
#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
# CONFIG_NET_IPGRE_BROADCAST is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y
Netfilter Configuration
Here's a screenshot of my Netfilter configuration: Note that I have built everything I need as modules. You can also build everything into your kernel, but if you want to be able to deal with FTP running on a non-standard port then you must modularize FTP Protocol support. Here's the corresponding part of my .config file:
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_TFTP=m
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_LOCAL=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
Kernel 2.6 Netfilter Options
Here's a screenshot of my modularized 2.6 Kernel config (Navigation: Device Drivers → Networking Support → Networking Options → Network Packet Filtering (replaces ipchains) → IP: Netfilter configuration): Here is the corresponding part of the .config file:
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_IP_NF_RAW is not set
CONFIG_IP_NF_MATCH_ADDRTYPE=m
# CONFIG_IP_NF_MATCH_REALM is not set
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
# CONFIG_IP6_NF_RAW is not set
CONFIG_DECNET_NF_GRABULATOR=m
CONFIG_BRIDGE_NF_EBTABLES=m
Kernel 2.6.16 and Later Netfilter Options
Here's a screenshot of my modularized 2.6.16 Kernel config (Navigation: Networking → Networking Options → Network Packet Filtering (replaces ipchains) → Core Netfilter configuration): Note that it is particularly important to select "Netfilter Xtables support (required for ip_tables)". Here's a screenshot of the IP Netfilter config (Navigation: Networking → Networking Options → Network Packet Filtering (replaces ipchains) → IP: Netfilter configuration): Here is the corresponding part of the .config file:
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_MATCH_POLICY=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
Kernel 2.6.20 and Later Netfilter Options
Beginning with kernel 2.6.20, the Netfilter kernel configuration was completely changed. It is split into "Core Netfilter Configuration" and "IP Netfilter Configuration". The first graphic shows the link to the Netfilter configuration from the "Networking Options" menu: The next graphic shows the Core Configuration settings - these are the standard Ubuntu settings with the exception of CONNMARK Target support (Ubuntu inexplicably includes connmark match support but not CONNMARK target support). The next graphic shows the IP Netfilter Configuration -- these are the standard Ubuntu settings. Here is the corresponding CONFIG file excerpt.
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NF_CONNTRACK_SUPPORT=y
CONFIG_NF_CONNTRACK_ENABLED=m
# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CT_PROTO_SCTP=m
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_NAT_SIP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
Minimal Configuration using Kernel 2.6.20 and later
Massimo Burcheri has contributed this minimal configuration which is suitable for securing a laptop or desktop. It is strictly a "no-frills" configuration and represents the minimum that will work with Shorewall when using only the very basic Shorewall features described in the one-interface quickstart guide. Here are the corresponding entries from the .config file:
# Networking
#
CONFIG_NET=y
#
# Networking options
#
# CONFIG_NETDEBUG is not set
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_FIB_HASH=y
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
#
# IP: Virtual Server Configuration
#
CONFIG_NETFILTER=y
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_SUPPORT=y
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
#
# IP: Netfilter Configuration
#
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
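Rather than comparing a long .config against a list by eye, the check can be mechanised. The following is an added example and is not part of the Shorewall documentation or of Shorewall itself: a small Python script that parses a kernel .config (both the KEY=value lines and the "# KEY is not set" lines) and reports which of a required set of options are built in, modular, disabled or absent. The required set here is a subset of the minimal configuration above; the sample .config is constructed for the demonstration and is not taken from a real kernel.

```python
import re

# Required set: a subset of the minimal configuration above. A real check
# would read the list from a file rather than hard-code it.
REQUIRED_OPTIONS = (
    "CONFIG_NETFILTER",
    "CONFIG_NF_CONNTRACK",
    "CONFIG_NF_CONNTRACK_IPV4",
    "CONFIG_NETFILTER_XTABLES",
    "CONFIG_NETFILTER_XT_MATCH_STATE",
    "CONFIG_NETFILTER_XT_MATCH_MULTIPORT",
    "CONFIG_IP_NF_IPTABLES",
    "CONFIG_IP_NF_FILTER",
    "CONFIG_IP_NF_TARGET_REJECT",
    "CONFIG_IP_NF_TARGET_LOG",
)

_SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")            # CONFIG_X=y / =m / ="cubic"
_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")  # explicitly disabled


def parse_kconfig(text):
    """Map option name -> value; explicitly unset options get the value 'n'.

    Values keep their .config spelling ('y', 'm', '"cubic"', '64', ...);
    section banners and other comments are ignored."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def check_required(options, required=REQUIRED_OPTIONS):
    """Classify each required option as builtin, module, disabled or absent."""
    report = {"builtin": [], "module": [], "disabled": [], "absent": []}
    for name in required:
        value = options.get(name)
        if value is None:
            report["absent"].append(name)      # this kernel never offered it
        elif value == "y":
            report["builtin"].append(name)
        elif value == "m":
            report["module"].append(name)
        else:
            report["disabled"].append(name)    # '# ... is not set' or odd value
    return report


def is_usable(report):
    """True when every required option is either built in or a module."""
    return not report["disabled"] and not report["absent"]


# Constructed sample .config for the demonstration (not from a real kernel):
# MULTIPORT is switched off and TARGET_LOG is missing altogether.
SAMPLE_CONFIG = """\
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_DEFAULT_TCP_CONG="cubic"
"""

if __name__ == "__main__":
    report = check_required(parse_kconfig(SAMPLE_CONFIG))
    for kind in ("disabled", "absent"):
        for name in report[kind]:
            print(f"{kind}: {name}")
    print("usable" if is_usable(report) else "NOT usable for Shorewall")
```

Absent and disabled are reported separately because they call for different fixes: an absent option was never offered by that kernel version (the option names changed between the 2.6.16 and 2.6.20 listings above), while a disabled one was switched off in the configurator. On a running system the same parser can be pointed at the decompressed contents of /proc/config.gz, or at /boot/config-$(uname -r) where the distribution ships it.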
My Network Configuration
Tom Eastep
2009 2015 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
The ruleset shown in this article uses Shorewall features that are not available in Shorewall versions prior to 4.6.11.
Introduction
The configuration described in this article represents the network at shorewall.org during the summer of 2015. It uses the following Shorewall features:
Two Internet Interfaces
A DMZ with three "systems" using Proxy ARP and running in Linux Containers (LXC)
IPv6 Access through two 6to4 Tunnels
Ipsets
Transparent proxy using Squid
Linux runs the firewall and the servers (although they run in LXC containers on the firewall system). Linux is not used natively on any of our other systems. I would rather run Windows natively (Windows 7 Professional) and run Linux in VMs under VirtualBox. This approach has a number of advantages:
Efficient disk utilization. The virtual disks used by Linux are just files in the NTFS file system. There is no need to pre-allocate one or more partitions for use by Linux.
Some large applications, like Google Earth, are installed only on Windows.
Avoids proprietary hardware issues. The Linux VMs emulate standard hardware that is well-supported by Linux.
Avoids DRM hassles. All DRM-protected media can be handled under Windows.
VirtualBox is fast (when your processor supports virtualization extensions) and very easy to use. I highly recommend it!
Network Topology
Our network is diagrammed in the following graphic. We have two accounts with Comcast:
ComcastC: This is a high-speed (40mb/8mb) link with a single dynamic IPv4 address. We are not allowed to run servers accessible through this account.
ComcastB: Comcast Business Class Service with a /29 (70.90.191.120/29).
The wired local network is restricted to my home office. The wireless network is managed by a wireless router which we use only as an access point -- its WAN interface is unused and it is configured to not do NAT. The wireless network uses WPA2 personal security.
Shorewall Configuration
This section contains excerpts from the Shorewall configuration.
/etc/shorewall/mirrors
MIRRORS=62.216.169.37,\
62.216.184.105,\
63.229.2.114,\
...
Defines the IP addresses of the Shorewall mirror sites.
/etc/shorewall/params
INCLUDE mirrors

LOG="NFLOG(0,0,1)"

INT_IF=eth0
TUN_IF=tun+
COMB_IF=eth2
COMC_IF=eth1

MYNET=70.90.191.120/29        #External IP addresses handled by this router
DMZ_NET=70.90.191.124/31
FW_NET=70.90.191.120/30
INT_NET=172.20.1.0/24
DYN_NET=$(find_first_interface_address_if_any $COMC_IF)
SMC_ADDR=10.1.10.11

[ -n "${DYN_NET:=67.170.122.219}" ]

DYN_NET=${DYN_NET}/32

DMZ=fw:$DMZ_NET
LISTS=:70.90.191.124
SERVER=:70.90.191.125
MAIL=172.20.1.200

PROXY=Yes
STATISTICAL=Yes
SQUID2=Yes

[ -n "${EXPERIMENTAL:=0}" ]
As shown, this file defines variables to hold the various lists of IP addresses that I need to maintain. To simplify network reconfiguration, I also use variables to define the log level and the network interfaces.
/etc/shorewall/shorewall.conf
###############################################################################
#                      S T A R T U P   E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
#                           V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
#                             L O G G I N G
###############################################################################
BLACKLIST_LOG_LEVEL=none
INVALID_LOG_LEVEL=
LOG_BACKEND=ULOG
LOG_MARTIANS=Yes
LOG_VERBOSITY=1
LOGALLNEW=
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
LOGFORMAT=": %s %s"
LOGTAGONLY=Yes
LOGLIMIT="s:5/min"
MACLIST_LOG_LEVEL="$LOG"
RELATED_LOG_LEVEL="$LOG"
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL="$LOG"
SMURF_LOG_LEVEL="$LOG"
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL="$LOG"
UNTRACKED_LOG_LEVEL=
###############################################################################
#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################
ARPTABLES=
CONFIG_PATH="/etc/shorewall:/etc/shorewall-common:/usr/share/shorewall:/usr/share/shorewall/Shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=/sbin/iptables
IP=/sbin/ip
IPSET=
LOCKFILE=/var/lib/shorewall/lock
MODULESDIR=
NFACCT=
PATH="/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin"
PERL=/usr/bin/perl
RESTOREFILE=
SHOREWALL_SHELL=/bin/bash
SUBSYSLOCK=
TC=
###############################################################################
#               D E F A U L T   A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
###############################################################################
#                    R S H / R C P   C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
#                       F I R E W A L L   O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=mangle
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
BASIC_FILTERS=No
IGNOREUNKNOWNVARIABLES=No
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=Yes
BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=No
CLAMPMSS=Yes
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=No
DELETE_THEN_ADD=No
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No
DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323"
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=Yes
FORWARD_CLEAR_MARK=Yes
HELPERS="ftp,irc"
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=No
IP_FORWARDING=Yes
KEEP_RT_TABLES=Yes
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=Yes
MACLIST_TABLE=mangle
MACLIST_TTL=60
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX="ko ko.xz"
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=unreachable
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
REJECT_ACTION=RejectAct
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=No
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_ARPTABLES=Yes
SAVE_IPSETS=ipv4
TC_ENABLED=No
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=Yes
USE_RT_NAMES=Yes
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZONE2ZONE=-
###############################################################################
#                       P A C K E T   D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=ACCEPT
RELATED_DISPOSITION=REJECT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=DROP
################################################################################
#                       P A C K E T   M A R K   L A Y O U T
################################################################################
TC_BITS=8
PROVIDER_BITS=2
PROVIDER_OFFSET=16
MASK_BITS=8
ZONE_BITS=0
################################################################################
#                           L E G A C Y   O P T I O N
#                    D O   N O T   D E L E T E   O R   A L T E R
################################################################################
IPSECFILE=zones
I don't believe that there is anything remarkable there.
/etc/shorewall/actions
Mirrors             # Accept traffic from Shorewall Mirrors
SSHLIMIT
SSH_BL
tarpit    inline    # Wrapper for TARPIT
/etc/shorewall/action.Mirrors
#TARGET     SOURCE      DEST    PROTO   DPORT   SPORT   ORIGDEST   RATE
?COMMENT Accept traffic from Mirrors
?FORMAT 2
DEFAULTS -
$1          $MIRRORS
I make this into an action so that the rather long list of rules goes into its own chain. See the rules file -- this action is used for rsync traffic.
/etc/shorewall/action.tarpit
#ACTION     SOURCE      DEST    PROTO   DPORT   SPORT   ORIGDEST   RATE   USER   MARK   CONNLIMIT   TIME   HEADERS   SWITCH   HELPER
$LOG { rate=s:1/min }
TARPIT
/etc/shorewall/zones
#ZONE      TYPE
fw         firewall
loc        ip          #Local Zone
net        ipv4        #Internet
dmz        ipv4        #LXC Containers
smc:net    ip          #10.0.1.0/24
/etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
loc     INT_IF      dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=172.20.1.0/24,routeback,tcpflags=0
net     COMB_IF     optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMB_IF,upnp,nosmurfs,tcpflags
net     COMC_IF     optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$COMC_IF,upnp,nosmurfs,tcpflags,dhcp
dmz     br0         routeback,proxyarp=1,required,wait=30
-       ifb0        ignore
/etc/shorewall/hosts
#ZONE   HOST(S)                  OPTIONS
smc     COMB_IF:10.1.10.0/24     mss=1400
smc     COMC_IF:10.0.0.0/24
/etc/shorewall/policy
#SOURCE   DEST   POLICY          LOGLEVEL   LIMIT
$FW       dmz    REJECT          $LOG
$FW       net    REJECT          $LOG
?else
$FW       dmz    REJECT          $LOG
$FW       net    REJECT          $LOG
$FW       all    ACCEPT
smc       loc    ACCEPT
smc       fw     CONTINUE
smc       net    NONE
loc       smc    ACCEPT
loc       net    ACCEPT
loc       fw     REJECT          $LOG
net       net    NONE
net       smc    NONE
net       all    DROP:Drop       $LOG       8/sec:30
dmz       fw     REJECT:Reject   $LOG
all       all    REJECT:Reject   $LOG
/etc/shorewall/accounting
#ACTION                     CHAIN   SOURCE               DESTINATION   PROTO   DPORT   SPORT   USER   MARK   IPSEC
?COMMENT
?SECTION PREROUTING
?SECTION INPUT
ACCOUNT(fw-net,$FW_NET)     -       COMB_IF
COUNT                       -       COMB_IF              -             tcp     -       80
COUNT                       -       COMC_IF              -             tcp     -       80
COUNT                       -       br0:70.90.191.124    -             tcp     80 =
?SECTION OUTPUT
ACCOUNT(fw-net,$FW_NET)     -       -                    COMB_IF
COUNT                       -       -                    COMB_IF       tcp     80
COUNT                       -       -                    COMC_IF       tcp     80
?SECTION FORWARD
ACCOUNT(dmz-net,$DMZ_NET)   -       br0                  COMB_IF
ACCOUNT(dmz-net,$DMZ_NET)   -       COMB_IF              br0
ACCOUNT(loc-net,$INT_NET)   -       COMB_IF              INT_IF
ACCOUNT(loc-net,$INT_NET)   -       INT_IF               COMB_IF
/etc/shorewall/blrules
#ACTION         SOURCE                DEST   PROTO   DPORT   SPORT   ORIGDEST   RATE   USER   MARK   CONNLIMIT   TIME   HEADERS   SWITCH
WHITELIST       net:70.90.191.126     all
BLACKLIST       net:+blacklist        all
BLACKLIST       net                   all    udp     1023:1033,1434,5948,23773
DROP            net                   all    tcp     57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
DROP            net:63.149.127.103    all
DROP            net:175.143.53.113    all
DROP            net:121.134.248.190   all
REJECT          net:188.176.145.22    dmz    tcp     25
DROP            net                   fw     udp     111
Invalid(DROP)   net                   all
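The blrules file above uses the same whitespace-separated column layout as the rules file later in this article (ACTION, SOURCE, DEST, PROTO, DPORT, ...), together with a few syntactic extras that appear there: `?SECTION` and other `?` directives, backslash continuation lines, an ACTION:LOGLEVEL suffix, zone:hosts qualifiers and a trailing { key=value } option block. As an added example, not part of the Shorewall documentation and not Shorewall's own Perl compiler, here is a Python parser for that layout that is sufficient to list the rules admitting traffic from a given zone, which is the first thing to look at when reviewing a ruleset. The sample input is constructed for the demonstration; `?if`/`?else`/`?endif` conditionals are recorded but not evaluated, and option values that themselves contain commas are not handled.

```python
import re
from dataclasses import dataclass, field

# Column order of the rules/blrules files, as in the article's header lines.
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest",
           "rate", "user", "mark", "connlimit", "time", "headers", "switch")
ACCEPT_LIKE = {"ACCEPT", "ACCEPT+", "DNAT", "DNAT-", "REDIRECT", "WHITELIST"}
_OPTS_RE = re.compile(r"\{([^}]*)\}\s*$")      # trailing { key=value, ... } block


@dataclass
class Rule:
    action: str            # ACCEPT, DROP, Ping(ACCEPT), ...
    loglevel: str          # text after ':' in the ACTION column, '' if none
    source_zone: str
    source_hosts: str      # part after 'zone:', '' if none
    dest_zone: str
    dest_hosts: str
    section: str           # last ?SECTION seen before the rule, '' if none
    columns: dict = field(default_factory=dict)   # raw column -> value
    options: dict = field(default_factory=dict)   # parsed { ... } block


def _logical_lines(text):
    """Strip '#' comments and join backslash-continued lines."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line:
            yield line


def _split_action(col):
    """'REJECT:$LOG' -> ('REJECT', '$LOG'); a ':' inside parentheses is kept."""
    depth = 0
    for i, ch in enumerate(col):
        depth += (ch == "(") - (ch == ")")
        if ch == ":" and depth == 0:
            return col[:i], col[i + 1:]
    return col, ""


def _parse_options(blob):
    opts = {}                                  # values containing ',' are not handled
    for item in blob.split(","):
        key, _, val = item.strip().partition("=")
        if key:
            opts[key] = val.strip('"') if val else True
    return opts


def parse_rules(text):
    """Return (rules, directives). '?...' lines are recorded, not evaluated."""
    rules, directives, section = [], [], ""
    for line in _logical_lines(text):
        if line.startswith("?"):
            directives.append(line)
            if line.upper().startswith("?SECTION"):
                section = line.split(None, 1)[1].strip()
            continue
        options, m = {}, _OPTS_RE.search(line)
        if m:
            options = _parse_options(m.group(1))
            line = line[:m.start()].strip()
        if line:
            cols = dict(zip(COLUMNS, line.split()))
        else:   # whole rule written as { action=..., source=..., dest=... }
            cols = {k: options.pop(k) for k in COLUMNS if k in options}
        action, loglevel = _split_action(cols.get("action", ""))
        szone, _, shosts = cols.get("source", "").partition(":")
        dzone, _, dhosts = cols.get("dest", "").partition(":")
        rules.append(Rule(action, loglevel, szone, shosts, dzone, dhosts,
                          section, cols, options))
    return rules, directives


def accept_rules_from(rules, zone):
    """Rules admitting traffic from `zone` (or 'all'); Ping(ACCEPT) counts as ACCEPT."""
    out = []
    for r in rules:
        inner = re.search(r"\(([^)]*)\)", r.action)     # Ping(ACCEPT) -> ACCEPT
        disp = (inner.group(1) if inner else r.action).split(":", 1)[0].upper()
        if r.source_zone in (zone, "all") and disp in ACCEPT_LIKE:
            out.append(r)
    return out


# Constructed sample in the blrules/rules layout (not the article's own file).
SAMPLE = """\
?SECTION NEW
WHITELIST       net:192.0.2.10      all
DROP            net                 fw              udp     111
REJECT:$LOG     loc                 net             tcp     25          # no direct SMTP
ACCEPT          net                 dmz             tcp     25      -   -   smtp:2/min:4
Ping(ACCEPT)\\
                net                 dmz
ACCEPT          all                 dmz:192.0.2.20  tcp     61001:62000 { helper=ftp }
{ action=DROP, source=loc:!10.0.0.0/8, dest=net }
"""
```

Running `accept_rules_from(parse_rules(SAMPLE)[0], "net")` returns the WHITELIST, the two ACCEPTs and the Ping(ACCEPT); rules whose source is `all` are included on purpose, since they admit traffic from every zone, including the one under review. The `columns` dict keeps the raw fields (for instance the RATE column `smtp:2/min:4`) so that a report can show exactly what each rule matched on.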
/etc/shorewall/findgw
if [ -f /var/lib/dhcpcd/dhcpcd-eth1.info ]; then
    . /var/lib/dhcpcd/dhcpcd-eth1.info
    echo $GATEWAY
fi
The Comcast line has a dynamic IP address assigned with the help of dhclient.
/etc/shorewall/isusable
local status
status=0

[ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status)

return $status
For use with lsm.
/etc/shorewall/lib.private
start_lsm() {
    #
    # Kill any existing lsm process(es)
    #
    killall lsm 2> /dev/null
    #
    # Create the Shorewall-specific part of the LSM configuration. This file is
    # included by /etc/lsm/lsm.conf
    #
    # ComcastB has a static gateway while ComcastC's is dynamic
    #
    cat <<EOF > /etc/lsm/shorewall.conf
connection {
    name=ComcastB
    checkip=76.28.230.1
    device=$COMB_IF
    ttl=2
}

connection {
    name=ComcastC
    checkip=76.28.230.188
    device=$COMC_IF
    ttl=3
}
EOF
    cat <<EOF > /var/lib/shorewall/eth0.info
ETH0_GATEWAY=$SW_ETH0_GATEWAY
ETH0_ADDRESS=$SW_ETH0_ADDRESS
EOF
    #
    # Clear status on start
    #
    if [ $COMMAND = start ]; then
        for interface in eth0 eth1; do
            echo 0 > ${VARDIR}/$interface.status
        done
    fi
    #
    # Run LSM -- by default, it forks into the background
    #
    /usr/local/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm
}
This function configures and starts lsm.
/etc/shorewall/masq
#INTERFACE               SOURCE               ADDRESS         PROTO
?COMMENT Use the SMC's local net address when communicating with that net
COMB_IF:10.1.10.0/24     0.0.0.0/0            %{SMC_ADDR}
?COMMENT Masquerade Local Network
COMB_IF                  !70.90.191.120/29    70.90.191.121 ; -m statistic --mode random --probability 0.50
COMB_IF                  !70.90.191.120/29    70.90.191.123
COMC_IF                  0.0.0.0/0
#INT_IF:172.20.1.15      172.20.1.0/24        172.20.1.254
br0                      70.90.191.120/29     70.90.191.121   tcp     80
I split connections out of COMB_IF between the two IP addresses configured on the interface.
/etc/shorewall/conntrack
?FORMAT 2
#ACTION                SOURCE            DEST                PROTO   DPORT   SPORT
# DROP                 net               -                   udp     3551
NOTRACK                net               -                   tcp     23
NOTRACK                loc               172.20.1.255        udp
NOTRACK                loc               255.255.255.255     udp
NOTRACK                $FW               255.255.255.255     udp
NOTRACK                $FW               172.20.1.255        udp
NOTRACK                $FW               70.90.191.127       udp
NOTRACK                net:192.88.99.1   -
NOTRACK                $FW               192.88.99.1
?if $AUTOHELPERS
?if __CT_TARGET && __AMANDA_HELPER
CT:helper:amanda       all               -                   udp     10080
?endif
?if __CT_TARGET && __FTP_HELPER
CT:helper:ftp          all               -                   tcp     21
?endif
?if __CT_TARGET && __H323_HELPER
CT:helper:RAS          all               -                   udp     1719
CT:helper:Q.931        all               -                   tcp     1720
?endif
?if __CT_TARGET && __IRC_HELPER
CT:helper:irc          all               -                   tcp     6667
?endif
?if __CT_TARGET && __NETBIOS_NS_HELPER
CT:helper:netbios-ns   all               -                   udp     137
?endif
?if __CT_TARGET && __PPTP_HELPER
CT:helper:pptp         all               -                   tcp     1729
?endif
?if __CT_TARGET && __SANE_HELPER
CT:helper:sane         all               -                   tcp     6566
?endif
#?if __CT_TARGET && __SIP_HELPER
#CT:helper:sip         all               -                   udp     5060
#?endif
?if __CT_TARGET && __SNMP_HELPER
CT:helper:snmp         all               -                   udp     161
?endif
?if __CT_TARGET && __TFTP_HELPER
CT:helper:tftp         all               -                   udp     69
?endif
?endif
This file exempts from connection tracking the 6to4 traffic originating from 6to4 relays, as well as broadcast traffic (which Netfilter doesn't handle).
/etc/shorewall/providers
#NAME       NUMBER   MARK      DUPLICATE   INTERFACE   GATEWAY         OPTIONS                              COPY
?IF $STATISTICAL
ComcastB    1        0x10000   -           COMB_IF     70.90.191.126   loose,load=0.66666667,fallback
ComcastC    2        0x20000   -           COMC_IF     detect          loose,load=0.33333333
?ELSE
ComcastB    1        0x10000   -           COMB_IF     70.90.191.126   nohostroute,loose,balance=2
ComcastC    2        0x20000   -           COMC_IF     detect          nohostroute,loose,balance
?ENDIF
?IF $PROXY && ! $SQUID2
TProxy      3        -         -           lo          -               tproxy
?ENDIF
See the Multi-ISP article for an explanation of the multi-ISP aspects of this configuration.
/etc/shorewall/proxyarp
<empty>
As mentioned above, I set the proxyarp option on the associated external interface instead of defining proxy ARP in this file.
/etc/shorewall/restored
if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
    start_lsm
fi

chmod 744 ${VARDIR}/state
If lsm isn't running then start it. Make the state file world-readable.
/etc/shorewall/rtrules
#SOURCE             DEST    PROVIDER    PRIORITY
70.90.191.121,\
70.90.191.123       -       ComcastB    1000
&COMC_IF            -       ComcastC    1000
br0                 -       ComcastB    11000
172.20.1.191        -       ComcastB    1000
These entries simply ensure that outgoing traffic uses the correct interface.
/etc/shorewall/stoppedrules
#TARGET     HOST(S)                  DEST        PROTO   DPORT   SPORT
ACCEPT      INT_IF:172.20.1.0/24     $FW
NOTRACK     COMB_IF                  -           41
NOTRACK     $FW                      COMB_IF     41
ACCEPT      COMB_IF                  $FW         41
ACCEPT      COMC_IF                  $FW         udp     67:68
Keep the lights on while Shorewall is stopped.
/etc/shorewall/rules
################################################################################################################################################################################################
#ACTION             SOURCE                  DEST                    PROTO   DPORT           SPORT   ORIGDEST        RATE    USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH
?if $VERSION < 40500
?SHELL echo "   ERROR: Shorewall version is too low" >&2; exit 1
?endif

?begin perl
1;
?end perl

?SECTION ALL
#ACCEPT             net:smc.shorewall.net   $FW
#RST(LOG)           all                     all

?SECTION ESTABLISHED
#SSH(REJECT)        net                     loc:1.2.3.4             { time=timestart=18:48 }

?SECTION RELATED
ACCEPT              all                     dmz:70.90.191.125       tcp     61001:62000     { helper=ftp }
ACCEPT              dmz                     all                     tcp     { helper=ftp }
ACCEPT              all                     net                     tcp     { helper=ftp }
ACCEPT              all                     all                     icmp
RST(ACCEPT)         all                     all                     tcp
ACCEPT              dmz                     dmz
ACCEPT              $FW                     all

?SECTION INVALID
DROP                net                     all

?SECTION UNTRACKED
ACCEPT              net:192.88.99.1         $FW                     41
tarpit              net                     all                     tcp     23
Broadcast(ACCEPT)\
                    all                     $FW
ACCEPT              all                     $FW                     udp
CONTINUE            loc                     $FW
CONTINUE            $FW                     all

?SECTION NEW
DNSAmp(ACCEPT)      loc                     fw
REJECT:$LOG         loc                     net                     tcp     25              #Stop direct loc->net SMTP (Comcast uses submission).
REJECT:$LOG         loc                     net                     udp     1025:1031       #MS Messaging
?COMMENT Stop NETBIOS crap
REJECT              all                     net                     tcp     137,445
REJECT              all                     net                     udp     137:139
?COMMENT Disallow port 333
REJECT              all                     net                     tcp     3333
?COMMENT Stop Teredo
REJECT              all                     net                     udp     3544
?COMMENT Stop my idiotic work laptop from sending to the net with an HP source IP address
{ action=DROP, source=loc:!172.20.0.0/22, dest=net }
#
?COMMENT
#dropInvalid        net                     all                     tcp
################################################################################################################################################################################################
# Local network to DMZ
#
DNAT                loc                     dmz:70.90.191.125       tcp     www             -       70.90.191.123
ACCEPT              loc                     dmz                     tcp     ssh,smtp,465,548,587,www,ftp,imaps,https,5901:5903
ACCEPT              loc                     dmz                     udp     3478:3479,33434:33524
################################################################################################################################################################################################
# SMC network to DMZ
#
ACCEPT              smc                     dmz                     tcp     ssh,smtp,465,587,www,ftp,imaps,https,5901:5903
ACCEPT              smc                     dmz                     udp     33434:33524
################################################################################################################################################################################################
# SMC network to LOC
#
################################################################################################################################################################################################
# Local Network to Firewall
#
?IF $SQUID2
REDIRECT            loc                     3128                    tcp     80              {origdest="!172.20.1.0/24,70.90.191.120/29,155.98.64.80,81.19.16.0/21,10.1.10.1"}
?ENDIF
ACCEPT              loc                     fw                      udp     53,111,123,177,192,631,1024:
SMB(ACCEPT)         loc                     fw
ACCEPT              loc                     fw                      tcp     22,53,80,111,229,548,2049,3000,32765:61000
ACCEPT              loc                     fw                      tcp     3128
mDNS(ACCEPT)        loc                     fw
ACCEPT              loc                     fw                      tcp     5001
ACCEPT              loc:172.20.2.149        fw                      tcp     3551            #APCUPSD
################################################################################################################################################################################################
# SMC Network to Firewall
#
ACCEPT              smc                     fw                      udp     53,111,123,177,192,631,1024:
SMB(ACCEPT)         smc                     fw
ACCEPT              smc                     fw                      tcp     22,53,111,548,2049,3000,3128,32765:32768,49152
mDNS(ACCEPT)        smc                     fw
################################################################################################################################################################################################
# SMC Network to multiple destinations
#
Ping(ACCEPT)        smc                     dmz,fw
################################################################################################################################################################################################
# Local Network to Internet
#REJECT:info        loc                     net                     tcp     80,443
################################################################################################################################################################################################
# Local Network to multiple destinations
#
Ping(ACCEPT)        loc                     dmz,fw
################################################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn          net                     fw,loc,smc              tcp
AutoBL(SSH,60,-,-,-,-,$LOG)\
                    net                     all                     tcp     22
################################################################################################################################################################################################
# Internet to DMZ
#
ACCEPT              net                     dmz                     udp     33434:33454
ACCEPT              net                     dmz                     tcp     25              -       -               smtp:2/min:4,mail:60/min:100
DNAT-               net                     70.90.191.125           tcp     https           -       70.90.191.123
DNAT-               net                     70.90.191.125           tcp     http            -       70.90.191.123
DNAT-               all                     172.20.2.44             tcp     ssh             -       70.90.191.123
ACCEPT              net                     dmz:70.90.191.122       tcp     https,imaps
ACCEPT              net                     dmz:70.90.191.124       tcp     http,https,465,587,imaps
ACCEPT              net                     dmz:70.90.191.125       tcp     http,ftp
Mirrors(ACCEPT:none)\   #Continuation test
                    net                     dmz                     tcp     873
Ping(ACCEPT)        net                     dmz
DROP                net                     dmz                     tcp     http,https
################################################################################################################################################################################################
#
# UPnP
#
ACCEPT              loc                     fw                      udp     1900
forwardUPnP         net                     loc
#
# Silently Handle common probes
#
REJECT              net                     loc                     tcp     www,ftp,https
DROP                net                     loc                     icmp    8
################################################################################################################################################################################################
# DMZ to DMZ
#
################################################################################################################################################################################################
DNAT                dmz                     dmz:70.90.191.125:80    tcp     80              -       70.90.191.121
# DMZ to Internet
#
ACCEPT              dmz                     net                     udp     ntp,domain
ACCEPT              dmz                     net                     tcp     domain,echo,ftp,ssh,smtp,whois,www,81,nntp,https,993,465,587,2401,2702,2703,5901,8080,9418,11371
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation
# The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.
#
ACCEPT:$LOG         dmz                     net                     tcp     1024:           20
Ping(ACCEPT)        dmz                     all
################################################################################################################################################################################################
# DMZ to fw
#
DNS(ACCEPT)         dmz                     $FW
HTTP(ACCEPT)        dmz                     $FW
Ping(ACCEPT)        dmz                     $FW
################################################################################################################################################################################################
# Internet to Firewall
#
REJECT              net                     fw                      tcp     www,ftp,https
ACCEPT              net                     fw                      udp     3478:3479,33434:33454
ACCEPT              net                     fw                      tcp     22              -       -               s:ssh:1/min:3
ACCEPT              net                     fw                      tcp     51413
?COMMENT IPv6 tunnel ping
ACCEPT              net                     fw:70.90.191.121,70.90.191.122/31\
                                                                    icmp    8
ACCEPT              net:COMC_IF             fw                      icmp    8
?COMMENT
################################################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT              fw                      dmz                     tcp     www,ftp,ssh,smtp,https,465,587,993,3128,5901
REJECT              fw                      dmz                     udp     137:139
Ping(ACCEPT)        fw                      dmz
################################################################################################################################################################################################
# Firewall to NET
#
DNS(ACCEPT)         fw                      net
NTP(ACCEPT)         fw                      net
DNAT-               fw                      172.20.1.254:3128       tcp     80              -       -               -       !:proxy
ACCEPT+             fw                      net                     tcp     43,80,443,3466  -       -               -       -
ACCEPT              fw                      net                     tcp     3128            -       -               -       !:proxy
FTP(ACCEPT)         fw                      net                     -       -               -       -               -       proxy
Git(ACCEPT)         fw                      net                     -       -               -       -               -       teastep
ACCEPT              fw                      net                     tcp     22
NNTP(ACCEPT)        fw                      net
Ping(ACCEPT)        fw                      net
ACCEPT              fw                      net                     udp     33434:33524
#ACCEPT:info        fw                      net                     -       -               -       -               -       root
ACCEPT              fw                      net                     tcp     25,143,993      -       -               -       teastep
################################################################################################################################################################################################
#
?COMMENT Freenode Probes
DROP                net:\
                    82.96.96.3,\
                    85.190.0.3
any!loc,smc ?COMMENT ################################################################################################################################################################################################
/etc/shorewall/started
if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
    start_lsm
fi
If lsm isn't running then start it.
/etc/shorewall/stopped
if [ "$COMMAND" = stop -o "$COMMAND" = clear ]; then
    killall lsm 2> /dev/null
fi

chmod 744 ${VARDIR}/state
Kill lsm if the command is stop or clear. Make the state file world-readable.
/etc/shorewall/tunnels
#TYPE    ZONE    GATEWAY            GATEWAY
#                                   ZONE
6to4     net     216.218.226.238
6to4     net     192.88.99.1
shorewall-docs-xml-5.2.3/template.xml
Tom Eastep 2017 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
shorewall-docs-xml-5.2.3/survey-200603.xml
The Shorewall Environment Survey 2006
Paul Gear 2006 Paul D. Gear Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Background In early March 2006, I embarked on the journey of surveying Shorewall users. Initially this sprang from my own curiosity: I thought that some of the systems at work on which I use Shorewall may be bigger and more complex than most others, and I wanted to find out if there are people out there who use Shorewall like I do. As I started thinking about the questions I would ask, I realised that if I asked the right questions, I could create a survey that might help the Shorewall project better understand its users. I used Zoomerang to create the survey. It has a number of tools that make it easy to create useful surveys. To get the most benefit out of Zoomerang, you have to subscribe to their professional version. In the long term, it would be great to have a practical free software alternative that could be self-hosted. A number of free content management systems such as Drupal have a survey module, but when I last looked at them, they were more limited and harder to use than Zoomerang.
Survey and results links The survey is still open as of this writing, and can be accessed at the Zoomerang survey page. Further participation is encouraged. The figures quoted in this document reflect the results at the time of writing. The public results of the survey are available. If you complete the survey, a link to the results is provided on the thank you page.
Sample size An important note about this survey is that it has a small sample size (103 complete responses at the time of writing), so any conclusions drawn should be considered tentative. To speculate on the overall number of users that this sample represents, the Debian popularity contest reports 478 installations of Shorewall, 285 of which are in active use. Assuming that the popularity contest represents 30% of the Debian installed base (likely ridiculously optimistic), this would make the number of active Shorewall systems approximately:
285 / 0.3 (percentage of Debian systems) / 0.26 (percentage Debian holds of all distributions) = 3654
(rounding up the numbers to the nearest whole, and assuming the percentages extrapolate regularly). This means that our survey represents a maximum of 2.8% of the installed base, likely far less.
Other possible inaccuracies Additionally, since the survey was open to multiple responses, it could be that some people answered the questions about themselves more than once, despite instructions to the contrary in the introduction page. There is an error in the released version of the survey for question 15 (RAM size): it was a multiple choice question rather than single choice, and thus there were more results than expected. The number of errors doesn't seem to be significant. If you notice any errors in this analysis, or have any suggestions about how to improve it, please contact the author at pgear@shorewall.net.
Results analysis
Organisations Small organisations dominate the spectrum of Shorewall users. The largest group (44%) was 1-10 users - mostly SOHO LANs based on the comments in that section. Ninety percent (90%) of Shorewall installations are in organisations with fewer than 500 users. The results for the questions about organisational size and the number of users serviced by Shorewall match fairly closely, which seems to indicate that the majority of Shorewall systems are servicing the entire organisation in question. The vast majority (84%) of Shorewall systems are administered by only one person. One question that needs to be asked is, "Why?" Possible reasons for this might be:
- Most of the organisations in which it is used are small, thus most of them will only have one person skilled in the area of packet filtering firewalls. This seems a likely scenario, but a cross correlation of the results of questions 1 and 2 with question 3 indicates that the number of administrators is fairly uniform across all sizes of organisation and user base.
- Shorewall works so well that people don't have to touch it much. Obviously, this is the preferred interpretation of the Shorewall project team. :-)
- Shorewall is too hard for new users to comprehend, so one skilled person in an organisation tends to get the job maintaining it. Equally obviously, this is a non-preferred interpretation. :-) However, being a firewall generator, Shorewall is not likely to attract the same sort of users as a web browser or music player.
- Shorewall administrators are a closed bunch and don't like sharing their job around. Given the nature of firewalls and packet filtering, this doesn't seem far-fetched.
There doesn't seem to be an easy answer to this question. In retrospect, since there were no responses indicating 10 or more administrators, I could have made the granularity of this question better. A question about a person's role in the organisation may also have been helpful.
Possibly we could follow up with a smaller survey, specifically about the people and organisations who use Shorewall.
Users Unsurprisingly, 97% of survey respondents were male. Or to put it another way: surprisingly, there are actually 3 female Shorewall users. :-) Being male seems to be an occupational hazard of life in the IT industry, and even more so in the more "nerdy" specialisations like Linux and security. The largest age group of users is 25-34 years (42% of all respondents). There were no retirees (65 and over) or minors (under 18) in the responses. The distribution of the remaining age groups was fairly even. The largest group of users in terms of education was those with a Bachelor's degree, followed by those with a high school education. Fifty-seven percent (57%) of Shorewall users have a Bachelor's degree or better. Many users' highest qualifications are not in an IT-related discipline (42%). This remains fairly constant across the spectrum when correlated with the highest level of qualifications. Those who do not claim IT as their highest discipline come from a wide variety of other fields, including agriculture, art, business, chemistry, education, various forms of engineering, law, mathematics, physics, and theology. Almost two-thirds of users (62%) use Shorewall as part of their paid employment. Of these, 12% (7 of 58) do not use Shorewall as part of their official duties. Cross correlation with level of education revealed no major variance in this trend depending on level of education. The majority of users (73%) began using the Internet in the 1990s. A smaller majority (61%) have been using the Internet for more than 12 years (1994 or earlier). (The single response indicating use of the Internet (then ARPANET) since the 1960s seems to be an error.) The majority of users (70%) began using Linux after it reached a certain stage of maturity - around or after the release of kernel 2.0 (1996). However, nearly all respondents (97%) have been using Linux for 5 years or more, with almost half (47%) having 10 or more years experience with it. 
It seems fair to say that as a rule, Shorewall attracts people with plenty of experience. Around one third of users (30%) have been using Shorewall for more than 5 years, with two-thirds (66%) having used it since the 1.x series (2003 or earlier). It seems fair to say that Shorewall users seem to stick with the product once they are familiar with it. On the other hand, it seems that Shorewall is not attracting large numbers of new users, which is a concern for the future of the project.
Hardware Ninety-three percent (93%) of users run Shorewall on i386 family hardware, with a further 6% running it on x86-64/EM64T platforms. One response was received indicating use of Shorewall on MIPS (Linksys WRT platform). No responses were received for any other hardware platform. While it is not surprising that Intel would be dominant, given their market share, it seems a little skewed not to have any representatives of other architectures. A good spread of CPU power is shown in the survey responses. The largest group was 400-999 MHz (30%), with only 16% of responses indicating less than 400 MHz, and the same number greater than 2500 MHz. A number of responses in the field for additional information suggested that the machines used were either recycled desktops, or systems that were specifically built to do the job, and had been running in that role for a number of years. RAM configuration seemed to mostly mirror CPU power, with a slight bias towards higher RAM figures. The majority (52%) of systems have between 256 and 1023 MB; only 11% of systems have less than 128 MB; 28% have 1024 MB or more. This reflects the more server-oriented workload that many Shorewall systems run (see the section on server roles below). Shorewall systems on the whole tend toward smaller OS hard disks, with 42% having disks 39 GB or smaller. The largest group by a small margin was 80-159 GB at 23%, with 10-39 GB and 0-9 GB coming in a close second and third at 22% and 20% respectively.
Network The majority of Shorewall systems (82%) use between two and four network interfaces. The number of devices connected to systems closely mirrors the size of the organisations in which they are used, with 95% of systems connecting less than 500 devices, and the largest group (41%) connecting 2-10 other devices. Ninety percent (90%) of Shorewall systems are connected to 100 Mbps or faster local networks. Most systems have a broadband Internet connection or better, with only 7% having 512 Kbps or less, and 51% having 10 Mbps or better. DSL is the most common form of Internet connection, with over half the responses (51%).
Software The most popular Linux distribution on which users run Shorewall is Debian (26% of respondents), followed by a group consisting of Fedora Core (16%), Red Hat 9 and earlier (13%) and Red Hat Enterprise and derivatives (12%). The next group consists of SUSE (9%), Slackware (8%), Gentoo (6%), and LEAF/Bering (5%). The message about maintaining an up-to-date Shorewall system seems to have gotten through, with 61% of respondents running the latest stable version (3.0), and an additional 22% running the previous stable version (2.4). Only 14% of users are running unsupported older versions (2.2 and previous). The most common roles played by Shorewall systems are:
- External firewall/router (78%)
- DNS name server (61%)
- DHCP server (59%)
- Internal firewall/router (56%)
- Time server (55%)
Comments from users Following is a sample of the comments we received about the survey - they have been carefully sanitised to make us look good. ;-)
- More power to Shorewall!
- Shorewall Rocks! I'm amazed how easy it is every time I need to do something, even if it's been 6+ months since the last change! :)
- Good job and a great product.
- Shorewall is good, I have recommended it to several people, mostly working in the University & academic areas.
- Thanks to everyone who contributes to Shorewall. That's a *great* piece of software!
- Shorewall has been incredible. Tom has given so much of himself to this project, I can only say thank you from one person, I look up to people like him.
- I have used Shorewall for many systems, I am a contractor that "set up shop" all over the world. Depending on the available ISP services, this project has been flexible in every situation to date. Also, depending on my needs, it has done the same. "IP Tables made easy" is really an accurate description.
- I'm quite interested in seeing what the 'cross section' of Shorewall users are like. It's made my life a lot easier over the years. Thank you.
Lessons learned about survey technique
Treat surveys like releasing free software
- test on a small group before you go public
- release early and often
- make branches (copies) when you release alpha and beta versions
- merge the changes from branches (lessons you learned in those versions) into the main trunk
Start small and work towards what you want to know with specific, concrete questions I tried to do everything in one survey, and ended up confusing some people. For example, despite the fact that the survey's start page clearly says "Please answer the questions for only ONE SYSTEM running Shorewall", I received multiple comments saying that they couldn't answer accurately because they ran more than one Shorewall system. It would have been better to have two surveys: one about the people who use Shorewall, and another about the systems they run it on. Better still would be for Shorewall to automatically collect appropriate information about systems and request permission to send it to a central location for statistical analysis. How to do this while maintaining users' privacy and obtaining their permission efficiently is not an easy problem with a product like Shorewall, which doesn't actually stay running on user systems, and doesn't present a user interface per se.
Be prepared beforehand Within hours of the survey's release, 50% of the results were in. Within 3 days, it hit the Zoomerang basic survey limit of 100 responses. I had not planned for such an enthusiastic response, and was also too busy to download all of the results before the survey's time limit expired. Fortunately, I was able to obtain funding to allow a Zoomerang "pro" subscription to be purchased and thus provide advanced analysis, and complete downloads of the results.
Incrementally improve your surveys The final version of this survey was released with a few bugs still in it. The released version was just a copy of my master survey, and I continued to maintain the master after the final survey was released (and during this analysis), and I'm sure the next version will be even better.
Possible implications for the Shorewall project The users we have seem, on the whole, rather experienced, and very loyal. However, we don't seem to be attracting new users, despite new features such as multi-ISP support and integrated traffic shaping. The question about a GUI comes up frequently, and one wonders whether this would make a significant difference in Shorewall's uptake with new users. Shorewall seems to be predominantly used in small, i386-based environments such as home LANs and small businesses. It seems to be frequently combined with a number of other basic functions, such as DNS, DHCP, NTP, VPN. Integration with (or perhaps providing a plug-in module for) a dedicated gateway distribution such as ipcop, Smoothwall, or Clark Connect might be a good way to serve the needs of our users.
Possible implications for other free software projects The essence of free software is software by the people, for the people. Knowing who the people are and what their needs are is critical to this process. If at all possible, build statistics gathering into your application, and find a way to encourage people to use it. This concrete data will help confirm the results of any surveys you might conduct.
shorewall-docs-xml-5.2.3/SharedConfig.xml
Shared Shorewall and Shorewall6 Configuration Tom Eastep 2017 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction Netfilter separates management of IPv4 and IPv6 configurations. Each address family has its own utility (iptables and ip6tables), and changes made to the configuration of one address family do not affect the other. While Shorewall also separates the address families in this way, it is possible for Shorewall and Shorewall6 to share almost all of the configuration files. This article gives an example. What is shown here currently works best with Debian and derivatives, or when the tarball installer is used and the SPARSE option is enabled when running configure[.pl].
Environment In this example, each address family has two Internet interfaces. Both address families share a fast uplink (eth0) that has a single public IPv4 address, but can delegate IPv6 subnets to the Shorewall-based router. Both address families also have a production uplink. For IPv4, Ethernet is used (eth1) and supports the public IPv4 subnet 70.90.191.120/29. For IPv6, a Hurricane Electric 6in4 tunnel is used (sit1), which provides the public IPv6 subnet 2001:470:b:227::/64. The router also has two bridges. A DMZ bridge (br0) provides access to containers running a web server, a mail exchanger, and an IMAPS mail access server. The second bridge (br1) provides access to a container running irssi under screen, allowing constant access to and monitoring of IRC channels. Here is a diagram of this installation:
Configuration Here are the contents of /etc/shorewall/ and /etc/shorewall6/:
root@gateway:~# ls -l /etc/shorewall/
total 92
-rw-r--r-- 1 root root  201 Mar 19  2017 action.Mirrors
-rw-r--r-- 1 root root  109 Oct 20 09:18 actions
-rw-r--r-- 1 root root  654 Oct 13 13:46 conntrack
-rw-r--r-- 1 root root  104 Oct 13 13:21 hosts
-rw-r--r-- 1 root root  867 Jul  1 10:50 interfaces
-rw-r--r-- 1 root root  107 Jun 29 15:14 isusable
-rw-r--r-- 1 root root  240 Oct 13 13:34 macro.FTP
-rw-r--r-- 1 root root  559 Oct 19 12:56 mangle
-rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
-rw-r--r-- 1 root root 2687 Oct 15 14:20 params
-rw-r--r-- 1 root root  738 Oct 15 12:16 policy
-rw-r--r-- 1 root root 1838 Oct 11 08:29 providers
-rw-r--r-- 1 root root  398 Mar 18  2017 proxyarp
-rw-r--r-- 1 root root  738 Nov  8 09:34 routes
-rw-r--r-- 1 root root  729 Nov  7 12:52 rtrules
-rw-r--r-- 1 root root 6367 Oct 13 13:21 rules
-rw-r--r-- 1 root root 5520 Oct 19 10:01 shorewall.conf
-rw-r--r-- 1 root root 1090 Oct 25 15:17 snat
-rw-r--r-- 1 root root  181 Jun 29 15:12 started
-rw-r--r-- 1 root root  435 Oct 13 13:21 tunnels
-rw-r--r-- 1 root root  941 Oct 15 11:27 zones
root@gateway:~# ls -l /etc/shorewall6/
total 8
lrwxrwxrwx 1 root root   20 Jul  6 16:35 mirrors -> ../shorewall/mirrors
lrwxrwxrwx 1 root root   19 Jul  6 12:48 params -> ../shorewall/params
-rw-r--r-- 1 root root 5332 Oct 14 11:53 shorewall6.conf
root@gateway:~#
The various configuration files are described in the sections that follow. Note that in all cases, these files use the alternate format for column specification.
/usr/share/shorewall/shorewallrc The key setting here is SPARSE=Very
#
# Created by Shorewall Core version 5.0.12-RC1 configure.pl - Sep 25 2016 09:30:55
# rc file: shorewallrc.debian.systemd
#
HOST=debian
PREFIX=/usr
SHAREDIR=${PREFIX}/share
LIBEXECDIR=${PREFIX}/share
PERLLIBDIR=${PREFIX}/share/shorewall
CONFDIR=/etc
SBINDIR=/sbin
MANDIR=${PREFIX}/share/man
INITDIR=
INITSOURCE=init.debian.sh
INITFILE=
AUXINITSOURCE=
AUXINITFILE=
SERVICEDIR=/lib/systemd/system
SERVICEFILE=$PRODUCT.service.debian
SYSCONFFILE=default.debian
SYSCONFDIR=/etc/default
SPARSE=Very
ANNOTATED=
VARLIB=/var/lib
VARDIR=${VARLIB}/$PRODUCT
DEFAULT_PAGER=/usr/bin/less
shorewall.conf and shorewall6.conf These are the only files that are not shared between the two address families. The key setting is CONFIG_PATH in shorewall6.conf:
CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
Directories are searched in the order listed and the first copy of a file wins, so any file placed in /etc/shorewall6/ silently shadows the shared copy of the same name in /etc/shorewall/; keep that directory to the entries shown above. /etc/shorewall6/ itself is only used for processing the params and shorewall6.conf files, which are read before this CONFIG_PATH setting takes effect; that is why params must be present there (here as a symlink) even though every other file is found through CONFIG_PATH.
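The search order above is easy to get wrong when a stray private copy lands in /etc/shorewall6/. The following is an added example, not Shorewall's own code: it models the first-match lookup along CONFIG_PATH, expands the ${CONFDIR}/${SHAREDIR} references using the shorewallrc values from this article, and lists every file that exists in more than one search directory. The directory contents are constructed from the ls -l listings shown above; the /usr/share entries are illustrative stand-ins for the distributed macros and actions, and the real lookup lives in Shorewall's Perl compiler, which this only approximates.

```python
"""Model of how Shorewall locates a configuration file through CONFIG_PATH.

Added example for this article, not Shorewall's own code.  Directory
contents are constructed from the listings shown in the article; the
lookup is a simplified first-match search along the expanded path.
"""
import re

# Assignments from /usr/share/shorewall/shorewallrc that CONFIG_PATH refers to.
SHOREWALLRC = {"CONFDIR": "/etc", "PREFIX": "/usr", "SHAREDIR": "${PREFIX}/share"}

# CONFIG_PATH as set in shorewall6.conf (shared layout) and in shorewall.conf.
CONFIG_PATH6 = ("${CONFDIR}/shorewall6:${CONFDIR}/shorewall:"
                "/usr/share/shorewall6:${SHAREDIR}/shorewall")
CONFIG_PATH4 = "/etc/shorewall:/usr/share/shorewall:/usr/share/shorewall/Shorewall"

# Constructed directory contents.  /etc entries follow the article's ls -l
# output; the /usr/share entries are illustrative stand-ins (assumption).
DIRS = {
    "/etc/shorewall": {
        "action.Mirrors", "actions", "conntrack", "hosts", "interfaces", "isusable",
        "macro.FTP", "mangle", "mirrors", "params", "policy", "providers", "proxyarp",
        "routes", "rtrules", "rules", "shorewall.conf", "snat", "started", "tunnels",
        "zones",
    },
    "/etc/shorewall6": {"mirrors", "params", "shorewall6.conf"},  # first two are symlinks
    "/usr/share/shorewall6": set(),
    "/usr/share/shorewall": {"macro.SSH", "macro.DNS", "action.Broadcast"},
}

_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def expand(value, env=SHOREWALLRC):
    """Expand ${NAME}/$NAME references until nothing changes, so that
    ${SHAREDIR} -> ${PREFIX}/share -> /usr/share.  Unknown names stay as-is."""
    prev = None
    while prev != value:
        prev = value
        value = _VAR.sub(lambda m: env.get(m.group(1), m.group(0)), value)
    return value


def search_path(config_path, env=SHOREWALLRC):
    """Ordered list of directories the product searches, fully expanded."""
    return [expand(d, env) for d in config_path.split(":") if d]


def find_file(name, config_path, dirs=DIRS, env=SHOREWALLRC):
    """Path of the first copy of `name` along CONFIG_PATH, or None."""
    for d in search_path(config_path, env):
        if name in dirs.get(d, set()):
            return f"{d}/{name}"
    return None


def shadowed(config_path, dirs=DIRS, env=SHOREWALLRC):
    """Files present in more than one search directory, winning copy first.
    In a shared layout, anything listed here other than the deliberate
    symlinks is a private copy silently masking the shared file."""
    first, masked = {}, {}
    for d in search_path(config_path, env):
        for name in sorted(dirs.get(d, set())):
            path = f"{d}/{name}"
            if name in first:
                masked.setdefault(name, [first[name]]).append(path)
            else:
                first[name] = path
    return masked


if __name__ == "__main__":
    for name in ("params", "rules", "macro.SSH", "shorewall6.conf"):
        print(f"{name:16s} -> {find_file(name, CONFIG_PATH6)}")
    print("shadowed:", shadowed(CONFIG_PATH6))
```

Run against the layout from this article, shadowed() reports only mirrors and params, both resolving to the symlinks in /etc/shorewall6/ that point back at the shared files, so nothing is actually diverging. A real audit would build DIRS from os.listdir() on the expanded path and treat any other entry as a finding.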
shorewall.conf The contents of /etc/shorewall/shorewall.conf are as follows:
###############################################################################
#
#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
#
#  For information about the settings in this file, type "man shorewall.conf"
#
#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
###############################################################################
#                      S T A R T U P   E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
#                            V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
#                               P A G E R
###############################################################################
PAGER=pager
###############################################################################
#                            F I R E W A L L
###############################################################################
FIREWALL=
###############################################################################
#                             L O G G I N G
###############################################################################
LOG_LEVEL="NFLOG(0,64,1)"
BLACKLIST_LOG_LEVEL="none"
INVALID_LOG_LEVEL=
LOG_BACKEND=netlink
LOG_MARTIANS=Yes
LOG_VERBOSITY=1
LOGALLNEW=
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
LOGFORMAT=": %s %s"
LOGTAGONLY=Yes
LOGLIMIT="s:5/min"
MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL="$LOG_LEVEL:,related"
RPFILTER_LOG_LEVEL="$LOG_LEVEL:,rpfilter"
SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL=
###############################################################################
#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################
ARPTABLES=
CONFIG_PATH="/etc/shorewall:/usr/share/shorewall:/usr/share/shorewall/Shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=/sbin/iptables
IP=/sbin/ip
IPSET=
LOCKFILE=/var/lib/shorewall/lock
MODULESDIR="+extra/RTPENGINE"
NFACCT=
PATH="/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin"
PERL=/usr/bin/perl
RESTOREFILE=
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
TC=
###############################################################################
#               D E F A U L T   A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
###############################################################################
#                        R S H / R C P   C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
#                       F I R E W A L L   O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=mangle
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=No
AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=No
DELETE_THEN_ADD=No
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No
DOCKER=No
DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323"
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=Yes
FORWARD_CLEAR_MARK=No
HELPERS="ftp,irc"
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=Yes
KEEP_RT_TABLES=Yes
LOAD_HELPERS_ONLY=Yes
MACLIST_TABLE=filter
MACLIST_TTL=60
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MINIUPNPD=No
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=unreachable
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=12345
REJECT_ACTION=
REQUIRE_INTERFACE=No
RESTART=restart
RESTORE_DEFAULT_ROUTE=No
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_IPSETS=ipv4
TC_ENABLED=No
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=Yes
USE_PHYSICAL_NAMES=Yes
USE_RT_NAMES=Yes
VERBOSE_MESSAGES=No
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################
#                       P A C K E T   D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=ACCEPT
RELATED_DISPOSITION=REJECT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=DROP
################################################################################
#                       P A C K E T   M A R K   L A Y O U T
################################################################################
TC_BITS=8
PROVIDER_BITS=2
PROVIDER_OFFSET=16
MASK_BITS=8
ZONE_BITS=0
shorewall6.conf

The contents of /etc/shorewall6/shorewall6.conf are:

###############################################################################
#
#  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
#
#  For information about the settings in this file, type "man shorewall6.conf"
#
#  Manpage also online at
#  http://www.shorewall.net/manpages6/shorewall6.conf.html
###############################################################################
#                       S T A R T U P   E N A B L E D
###############################################################################

STARTUP_ENABLED=Yes

###############################################################################
#                            V E R B O S I T Y
###############################################################################

VERBOSITY=1

###############################################################################
#                               P A G E R
###############################################################################

PAGER=pager

###############################################################################
#                            F I R E W A L L
###############################################################################

FIREWALL=

###############################################################################
#                              L O G G I N G
###############################################################################

LOG_LEVEL="NFLOG(0,64,1)"
BLACKLIST_LOG_LEVEL="none"
INVALID_LOG_LEVEL=
LOG_BACKEND=netlink
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
LOGFORMAT="%s %s "
LOGLIMIT="s:5/min"
LOGTAGONLY=Yes
MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL=

###############################################################################
#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################

CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IP6TABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR="+extra/RTPENGINE"
NFACCT=
PERL=/usr/bin/perl
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall6
TC=

###############################################################################
#               D E F A U L T   A C T I O N S / M A C R O S
###############################################################################

ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"

###############################################################################
#                       R S H / R C P   C O M M A N D S
###############################################################################

RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'

###############################################################################
#                       F I R E W A L L   O P T I O N S
###############################################################################

ACCOUNTING=Yes
ACCOUNTING_TABLE=mangle
ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=No
AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes
CLEAR_TC=No
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=No
DONT_LOAD=
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=Yes
FORWARD_CLEAR_MARK=No
HELPERS=ftp
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
INLINE_MATCHES=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Keep
KEEP_RT_TABLES=Yes
LOAD_HELPERS_ONLY=Yes
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
MINIUPNPD=No
MUTEX_TIMEOUT=60
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0
REJECT_ACTION=
REQUIRE_INTERFACE=No
RESTART=restart
RESTORE_DEFAULT_ROUTE=No
RESTORE_ROUTEMARKS=Yes
SAVE_IPSETS=No
TC_ENABLED=Shared
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=Yes
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
VERBOSE_MESSAGES=No
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-

###############################################################################
#                       P A C K E T   D I S P O S I T I O N
###############################################################################

BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=REJECT
SFILTER_DISPOSITION=DROP
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=DROP

################################################################################
#                       P A C K E T  M A R K  L A Y O U T
################################################################################

TC_BITS=8
PROVIDER_BITS=2
PROVIDER_OFFSET=8
MASK_BITS=8
ZONE_BITS=0
params

Because addresses and interfaces differ between the two address families, they cannot be hard-coded in the configuration files. /etc/shorewall/params is used to set shell variables whose contents vary between Shorewall and Shorewall6. In the params file and in run-time extension files, the shell variable g_family can be used to determine which address family is being compiled for: $g_family expands to 4 for IPv4 and to 6 for IPv6. The contents of /etc/shorewall/params are as follows:

INCLUDE mirrors         #Sets the MIRRORS variable for the Mirrors action
#
# Set compile-time variables depending on the address family
#
if [ $g_family = 4 ]; then
    #
    # IPv4 compilation
    #
    FALLBACK=Yes                        # Make FAST_IF the primary and PROD_IF the fallback interface
                                        # See /etc/shorewall/providers
    STATISTICAL=No                      # Don't use statistical load balancing
    LISTS=70.90.191.124                 # IP address of lists.shorewall.net (MX)
    MAIL=70.90.191.122                  # IP address of mail.shorewall.net (IMAPS)
    SERVER=70.90.191.125                # IP address of www.shorewall.org
    PROXY=                              # Use TPROXY for local web access
    ALL=0.0.0.0/0                       # Entire address space
    LOC_ADDR=172.20.1.253               # IP address of the local LAN interface
    FAST_GATEWAY=10.2.10.1              # Default gateway through the IF_FAST interface
    FAST_MARK=0x20000                   # Multi-ISP mark setting for IF_FAST
    IPSECMSS=1460
    #
    # Interface Options
    #
    LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,physical=eth2
    FAST_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth0
    PROD_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth1
    DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,dhcp,nodbl,physical=br0
    IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,nodbl,physical=br1
else
    #
    # IPv6 compilation
    #
    FALLBACK=Yes                        # Make FAST_IF the primary and PROD_IF the fallback interface
                                        # See /etc/shorewall/providers
    STATISTICAL=No                      # Don't use statistical load balancing
    LISTS=[2001:470:b:227::42]          # IP address of lists.shorewall.net (MX and HTTPS)
    MAIL=[2001:470:b:227::45]           # IP address of mail.shorewall.net (IMAPS and HTTPS)
    SERVER=[2001:470:b:227::43]         # IP address of www.shorewall.org (HTTP, FTP and RSYNC)
    PROXY=3                             # Use TPROXY for local web access
    ALL=[::]/0                          # Entire address space
    LOC_ADDR=[2601:601:a000:16f0::1]    # IP address of the local LAN interface
    FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf  # Default gateway through the IF_FAST interface
    FAST_MARK=0x100                     # Multi-ISP mark setting for IF_FAST
    IPSECMSS=1440
    #
    # Interface Options
    #
    PROD_OPTIONS=forward=1,optional,physical=sit1
    FAST_OPTIONS=forward=1,optional,dhcp,upnp,physical=eth0
    LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2
    DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
    IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
fi
zones

Here is the /etc/shorewall/zones file:

###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
#
# By using the 'ip' type, both Shorewall and Shorewall6 can share this file
#
fw      { TYPE=firewall }
net     { TYPE=ip }
loc     { TYPE=ip }
dmz     { TYPE=ip }
apps    { TYPE=ip }
vpn     { TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
interfaces

/etc/shorewall/interfaces makes heavy use of variables set in /etc/shorewall/params:

#
# The two address families use different production interfaces and different
#
# LOC_IF is the local LAN for both families
# FAST_IF is a Comcast IPv6 beta uplink which is used for internet access from the local lan for both families
# PROD_IF is the interface used by shorewall.org servers
#         For IPv4, it is eth1
#         For IPv6, it is sit1 (Hurricane Electric 6in4 link)
# DMZ_IF is a bridge to the production containers
# IRC_IF is a bridge to a container that currently runs irssi under screen
#
loc     { INTERFACE=LOC_IF,  OPTIONS=$LOC_OPTIONS }
net     { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
net     { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
dmz     { INTERFACE=DMZ_IF,  OPTIONS=$DMZ_OPTIONS }
apps    { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }
hosts

/etc/shorewall/hosts is used to define the vpn zone:

#ZONE   HOSTS                   OPTIONS
vpn     { HOSTS=PROD_IF:$ALL }
vpn     { HOSTS=FAST_IF:$ALL }
vpn     { HOSTS=LOC_IF:$ALL }
policy

The same set of policies applies to both address families:

#SOURCE         DEST            POLICY          LOGLEVEL        RATE
$FW             { DEST=dmz,net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
$FW             { DEST=all, POLICY=ACCEPT }
loc             { DEST=net, POLICY=ACCEPT }
loc,vpn,apps    { DEST=loc,vpn,apps POLICY=ACCEPT }
loc             { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
net             { DEST=net, POLICY=NONE }
net             { DEST=fw, POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
net             { DEST=all, POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
dmz             { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
all             { DEST=all, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
providers

The providers file is set up to allow for three different configurations:

FALLBACK -- FAST_IF is the primary interface and PROD_IF is the fallback
STATISTICAL -- Statistical load balancing between FAST_IF and PROD_IF
IPv4 only -- balance between FAST_IF and PROD_IF

#
# This could be cleaned up a bit, but I'm leaving it as is for now
#
# - The two address families use different fw mark geometry
# - The two address families use different fallback interfaces
# - The 'balance' option doesn't work as expected in IPv6 so I have no balance configuration for Shorewall6
# - IPv4 uses the 'loose' option on PROD_IF
#
?if $FALLBACK
#
# FAST_IF is primary, PROD_IF is fallback
#
?info Compiling with FALLBACK
IPv6Beta        { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent,noautosrc }
?if __IPV4
ComcastB        { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,fallback,persistent }
?else
HE              { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=fallback,persistent }
?endif
?elsif $STATISTICAL
#
# Statistically balance traffic between FAST_IF and PROD_IF
#
?info Compiling with STATISTICAL
?if __IPV4
IPv6Beta        { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary }
?else
HE              { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=track,load=0.33333333,persistent }
?endif
?else
?INFO Compiling with BALANCE
IPv6Beta        { NUMBER=1, MARK=0x100, INTERFACE=eth0, GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
?if __IPV4
ComcastB        { NUMBER=4, MARK=0x10000, INTERFACE=IPV4_IF, GATEWAY=10.1.10.1, OPTIONS=nohostroute,loose,balance,persistent }
?else
?warning No BALANCE IPv6 configuration
HE              { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=fallback,persistent }
?endif
?endif
Tproxy          { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
rtrules

The routing rules are quite dependent on the address family:

#SOURCE                                 DEST            PROVIDER        PRIORITY
#
# This file ensures that the DMZ is routed out of the IF_PROD interface
# and that the IPv6 subnets delegated by the Beta router are routed out
# of the IF_FAST interface.
#
?if __IPV4
{ SOURCE=70.90.191.121,70.90.191.123,10.1.10.1 PROVIDER=ComcastB, PRIORITY=1000! }
{ SOURCE=&FAST_IF, PROVIDER=IPv6Beta, PRIORITY=1000! }
{ SOURCE=br0, PROVIDER=ComcastB, PRIORITY=11000 }
?else
{ SOURCE=2601:601:a000:1600::/64 PROVIDER=IPv6Beta, PRIORITY=1000! }
{ SOURCE=2001:470:B:227::/64, PROVIDER=HE, PRIORITY=1000! }
{ SOURCE=2601:601:a000:16f0::/60 PROVIDER=IPv6Beta, PRIORITY=11000 }
?endif
routes

This file is used only for IPv6:

#PROVIDER       DEST                            GATEWAY                         DEVICE          OPTIONS
?if __IPV6
#
# In my version of FOOLSM (1.0.10), the 'sourceip' option doesn't work.
# As a result, routing rules that specify the source IPv6 address are
# not effective in routing the 'ping' request packets out of FAST_IF.
# The following route solves that problem.
#
{ PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=fe80::22e5:2aff:feb7:f2cf, DEVICE=FAST_IF, OPTIONS=persistent }
?endif
actions

/etc/shorewall/actions defines one action:

#ACTION         COMMENT
Mirrors         # Accept traffic from Shorewall Mirrors

/etc/shorewall/action.Mirrors:

#TARGET         SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL        RATE
#                                                       PORT    PORT(S) DEST            LIMIT
?COMMENT Accept traffic from Mirrors
?FORMAT 2
DEFAULTS -
$1              $MIRRORS
Macros

/etc/shorewall/macro.FTP:

###############################################################################
#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST        RATE    USER
PARAM           -               -               tcp     21

This is just the normal Shorewall FTP macro without the helper logic; the helper is assigned in the conntrack file below.
conntrack

In addition to attaching the FTP helper to TCP port 21 in both directions, this file exempts some IPv4 broadcast traffic from connection tracking:

#ACTION                 SOURCE          DEST                    PROTO   DPORT   SPORT   USER    SWITCH
CT:helper:ftp:P         { PROTO=tcp, DPORT=21 }
CT:helper:ftp:O         { PROTO=tcp, DPORT=21 }
?if __IPV4
#
# Don't track IPv4 broadcasts
#
NOTRACK:P               { SOURCE=LOC_IF, DEST=172.20.1.255, PROTO=udp }
NOTRACK:P               { DEST=255.255.255.255, PROTO=udp }
NOTRACK:O               { DEST=255.255.255.255, PROTO=udp }
NOTRACK:O               { DEST=172.20.1.255, PROTO=udp }
NOTRACK:O               { DEST=70.90.191.127, PROTO=udp }
?endif
rules

/etc/shorewall/rules has only a couple of rules that are conditional on the address family:

#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST        RATE    USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH  HELPER
?SECTION ALL
Ping(ACCEPT)    { SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
Trcrt(ACCEPT)   { SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
?SECTION ESTABLISHED
?SECTION RELATED
ACCEPT          { SOURCE=all, DEST=dmz:$SERVER, PROTO=tcp, DPORT=61001:62000, helper=ftp }
ACCEPT          { SOURCE=dmz, DEST=all, PROTO=tcp, helper=ftp }
ACCEPT          { SOURCE=all, DEST=net, PROTO=tcp, helper=ftp }
ACCEPT          { SOURCE=$FW, DEST=loc, PROTO=tcp, helper=ftp }
ACCEPT          { SOURCE=loc, DEST=$FW, PROTO=tcp, helper=ftp }
ACCEPT          { SOURCE=all, DEST=all, PROTO=icmp }
RST(ACCEPT)     { SOURCE=all, DEST=all }
ACCEPT          { SOURCE=dmz, DEST=dmz }
?SECTION INVALID
RST(ACCEPT)     { SOURCE=all, DEST=all }
DROP            { SOURCE=net, DEST=all }
FIN             { SOURCE=all, DEST=all }
?SECTION UNTRACKED
?if __IPV4
Broadcast(ACCEPT) { SOURCE=all, DEST=$FW }
ACCEPT          { SOURCE=all, DEST=$FW, PROTO=udp }
CONTINUE        { SOURCE=loc, DEST=$FW }
CONTINUE        { SOURCE=$FW, DEST=all }
?endif
?SECTION NEW
######################################################################################################
# Stop certain outgoing traffic to the net
#
REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 }         #Stop direct loc->net SMTP (Comcast uses submission).
REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }  #MS Messaging
REJECT          { SOURCE=all, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
REJECT          { SOURCE=all, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
REJECT          { SOURCE=all, DEST=net, PROTO=tcp, DPORT=3333, comment="Disallow port 3333" }
REJECT          { SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
?COMMENT
######################################################################################################
# 6in4
#
?if __IPV4
ACCEPT          { SOURCE=net:216.218.226.238, DEST=$FW, PROTO=41 }
ACCEPT          { SOURCE=$FW, DEST=net:216.218.226.238, PROTO=41 }
?endif
######################################################################################################
# Ping
#
Ping(ACCEPT)    { SOURCE=$FW,loc,dmz,vpn, DEST=$FW,loc,dmz,vpn }
Ping(ACCEPT)    { SOURCE=all, DEST=net }
######################################################################################################
# SSH
#
AutoBL(SSH,60,-,-,-,-,$LOG_LEVEL)\
                { SOURCE=net, DEST=all, PROTO=tcp, DPORT=22 }
SSH(ACCEPT)     { SOURCE=all, DEST=all }
?if __IPV4
SSH(DNAT-)      { SOURCE=net, DEST=172.20.2.44, PROTO=tcp, DPORT=ssh, ORIGDEST=70.90.191.123 }
?endif
######################################################################################################
# DNS
#
DNS(ACCEPT)     { SOURCE=loc,dmz,vpn,apps, DEST=$FW }
DNS(ACCEPT)     { SOURCE=$FW, DEST=net }
######################################################################################################
# Traceroute
#
Trcrt(ACCEPT)   { SOURCE=all, DEST=net }
Trcrt(ACCEPT)   { SOURCE=net, DEST=$FW,dmz }
######################################################################################################
# Email
#
SMTP(ACCEPT)    { SOURCE=net,$FW, DEST=dmz:$LISTS }
SMTP(ACCEPT)    { SOURCE=dmz:$LISTS, DEST=net:PROD_IF }
SMTP(REJECT)    { SOURCE=dmz:$LISTS, DEST=net }
IMAPS(ACCEPT)   { SOURCE=all, DEST=dmz:$MAIL }
Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
SMTPS(ACCEPT)   { SOURCE=all, DEST=dmz:$LISTS }
IMAP(ACCEPT)    { SOURCE=loc,vpn, DEST=net }
######################################################################################################
# NTP
#
NTP(ACCEPT)     { SOURCE=all, DEST=net }
NTP(ACCEPT)     { SOURCE=loc,vpn,dmz,apps DEST=$FW }
######################################################################################################
# Squid
ACCEPT          { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 }
######################################################################################################
# HTTP/HTTPS
#
Web(ACCEPT)     { SOURCE=loc,vpn DEST=$FW }
Web(ACCEPT)     { SOURCE=$FW, DEST=net, USER=proxy }
Web(DROP)       { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
HTTP(ACCEPT)    { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
HTTPS(ACCEPT)   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$LISTS,$MAIL }
Web(ACCEPT)     { SOURCE=dmz,apps DEST=net,$FW }
Web(ACCEPT)     { SOURCE=$FW, DEST=net, USER=root }
Web(ACCEPT)     { SOURCE=$FW, DEST=net, USER=teastep }
Web(ACCEPT)     { SOURCE=$FW, DEST=net, USER=_apt }
######################################################################################################
# FTP
#
FTP(ACCEPT)     { SOURCE=loc,vpn,apps DEST=net }
FTP(ACCEPT)     { SOURCE=dmz, DEST=net }
FTP(ACCEPT)     { SOURCE=$FW, DEST=net, USER=root }
FTP(ACCEPT)     { SOURCE=all, DEST=dmz:$SERVER }
#
# Some FTP clients seem prone to sending the PORT command split over two packets.
# This prevents the FTP connection tracking code from processing the command and setting
# up the proper expectation.
#
# The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.
#
ACCEPT:$LOG_LEVEL { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 }
######################################################################################################
# whois
#
Whois(ACCEPT)   { SOURCE=all, DEST=net }
######################################################################################################
# SMB
#
SMBBI(ACCEPT)   { SOURCE=loc, DEST=$FW }
SMBBI(ACCEPT)   { SOURCE=vpn, DEST=$FW }
######################################################################################################
# IRC
#
IRC(ACCEPT)     { SOURCE=loc,apps, DEST=net }
######################################################################################################
# Rsync
#
Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
mangle

Note that TPROXY can be enabled or disabled via a shell variable setting in /etc/shorewall/params:

#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
?if __IPV4
#
# I've had a checksum issue with certain IPv4 UDP packets
#
CHECKSUM:T      { DEST=FAST_IF, PROTO=udp }
CHECKSUM:T      { DEST=DMZ_IF, PROTO=udp }
?endif
?if $PROXY
#
# Use TPROXY for web access from the local LAN
#
DIVERT:R        { PROTO=tcp, SPORT=80 }
DIVERT:R        { PROTO=tcp, DPORT=80 }
TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 }
?endif
snat

NAT entries are quite dependent on the address family:

#ACTION                 SOURCE                  DEST            PROTO   PORT    IPSEC   MARK    USER    SWITCH  ORIGDEST        PROBABILITY
?if __IPV4
MASQUERADE              { SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
MASQUERADE              { SOURCE=70.90.191.120/29, DEST=FAST_IF }
SNAT(70.90.191.121)     { SOURCE=!70.90.191.120/29, DEST=PROD_IF, PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
SNAT(70.90.191.123)     { SOURCE=!70.90.191.120/29, DEST=PROD_IF, COMMENT="Masquerade Local Network" }
SNAT(172.20.1.253)      { SOURCE=172.20.3.0/24, DEST=LOC_IF:172.20.1.100 }
?else
SNAT(&PROD_IF)          { SOURCE=2601:601:8b00:bf0::/60, DEST=PROD_IF }
SNAT(&FAST_IF)          { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, DEST=FAST_IF }
?endif
tunnels

Both address families define IPsec tunnels:

#TYPE           ZONE    GATEWAY         GATEWAY_ZONE
ipsecnat        { ZONE=net, GATEWAY=$ALL, GATEWAY_ZONE=vpn }
ipsecnat        { ZONE=loc, GATEWAY=$ALL, GATEWAY_ZONE=vpn }
proxyarp

This file is only used in the IPv4 configuration:

#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
70.90.191.122   { INTERFACE=br0, EXTERNAL=eth1, HAVEROUTE=yes, PERSISTENT=no }
isusable

This is just the standard Shorewall isusable extension script:

local status
status=0

[ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)

return $status
started

/etc/shorewall/started only does something in the IPv4 configuration, although it is compiled into both scripts:

if [ $g_family = 4 ]; then
    qt $IP -4 route replace 70.90.191.122 dev br0
    qt $IP -4 route replace 70.90.191.124 dev br0
    qt $IP -4 route replace 70.90.191.125 dev br0
fi
Blacklisting in Shorewall

Tom Eastep

2002-2006 Thomas M. Eastep

2007 Russian Translation: Grigory Mokhin

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction

Shorewall supports two kinds of blacklisting, static and dynamic. The BLACKLISTNEWONLY option in /etc/shorewall/shorewall.conf controls how blacklist filtering is applied:

BLACKLISTNEWONLY=No -- All incoming packets are checked against the blacklist. New blacklist entries can therefore be used to terminate existing connections.

BLACKLISTNEWONLY=Yes -- Only new connection requests are checked against the blacklist. Blacklist entries have no effect on existing connections.

Only the source address is checked against the blacklist. Blacklisting only blocks access from the listed hosts; it does not block access to those hosts.

Shorewall's dynamic blacklisting is not suitable for blacklists containing thousands of addresses. Static blacklisting can handle large numbers of addresses, but only when ipsets are used. Without ipsets, a large blacklist takes a long time to load and noticeably degrades firewall performance.

Static Blacklisting

Static blacklisting in Shorewall is configured as follows:

Packets from blacklisted hosts are dropped silently or rejected, according to the BLACKLIST_DISPOSITION setting in /etc/shorewall/shorewall.conf.

Packets from blacklisted hosts are logged at the syslog level given by BLACKLIST_LOGLEVEL in /etc/shorewall/shorewall.conf.

The IP addresses or subnets to be blacklisted are listed in /etc/shorewall/blacklist. Protocol names, port numbers or service names may also be given in that file.

The interfaces whose incoming packets are checked against the blacklist are designated with the blacklist option in /etc/shorewall/interfaces.

The blacklist in /etc/shorewall/blacklist can be reloaded with the shorewall refresh command.

If you have a large static blacklist, you can set DELAYBLACKLISTLOAD in shorewall.conf (Shorewall 2.2.0 and later). With DELAYBLACKLISTLOAD=Yes, Shorewall loads the blacklist rules after enabling connections. Although blacklisted hosts may be able to connect while the blacklist is being built, this option can substantially reduce the time during which connections are refused while "shorewall [re]start" runs.

Beginning with Shorewall 2.4.0, ipsets may be used to define the static blacklist. Example:

#ADDRESS/SUBNET         PROTOCOL        PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

In this example, Blacklistports is a portmap ipset that blocks traffic to the destination ports listed in the set. Blacklistnets (a nethash set) and Blacklist (an iphash set) block access from the listed subnets and individual addresses.

Note that [src,dst] is specified so that individual entries in these sets can be bound to other portmap ipsets, which blacklists (source address, destination port) combinations. Example:

ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP

This blocks SMTP traffic from host 206.124.146.177.

Dynamic Blacklisting

Dynamic blacklisting has no configuration parameters; it is controlled with the following /sbin/shorewall[-lite] commands:

drop <ip address list> - causes packets from the listed IP addresses to be silently dropped by the firewall.

reject <ip address list> - causes packets from the listed IP addresses to be rejected by the firewall.

allow <ip address list> - re-enables receipt of packets from hosts previously blacklisted by a drop or reject command.

save - saves the dynamic blacklisting configuration so that it is restored automatically the next time the firewall restarts.

show dynamic - displays the dynamic blacklisting configuration.

Beginning with Shorewall 3.2.0 Beta2, the following additional commands are available:

logdrop <ip address list> - causes packets from the listed IP addresses to be logged and then silently dropped by the firewall. The log level is the BLACKLIST_LOGLEVEL in effect at the last [re]start ('info' if BLACKLIST_LOGLEVEL was not set).

logreject <ip address list> - causes packets from the listed IP addresses to be logged and then rejected by the firewall. The log level is the BLACKLIST_LOGLEVEL in effect at the last [re]start ('info' if BLACKLIST_LOGLEVEL was not set).

Dynamic blacklisting does not depend on the blacklist option in /etc/shorewall/interfaces.

Ignore packets from two IP addresses

shorewall[-lite] drop 192.0.2.124 192.0.2.125

This blocks access from hosts 192.0.2.124 and 192.0.2.125.

Re-enable packets from an IP address

shorewall[-lite] allow 192.0.2.125

This re-enables traffic from 192.0.2.125.
Shorewall и подключение к Internet по нескольким каналам Tom Eastep 2005 2006 2007 Thomas M. Eastep 2007 Russian Translation: Grigory Mokhin Этот документ разрешается копировать, распространять и/или изменять при выполнении условий лицензии GNU Free Documentation License версии 1.2 или более поздней, опубликованной Free Software Foundation; без неизменяемых разделов, без текста на верхней обложке, без текста на нижней обложке. Копия лицензии приведена по ссылке GNU Free Documentation License. Вы должны установить современный дистрибутив, который обновляется поставщиком, прежде чем пытаться настроить работу в этом режиме. Старые дистрибутивы не удовлетворяют минимальным требованиям, и вам потребуется перекомпилировать iptables, ядро и прочее программное обеспечение в системе. Если вы проигнорируете этот совет, то не рассчитывайте, что кто-либо сможет вам помочь.. Чтение только документации Shorewall не будет достаточным для понимания раскрываемых здесь тем. Shorewall упрощает работу с iptables, но разработчики Shorewall не имеют достаточных ресурсов, чтобы учить вас основам управляемой маршрутизации в Linux (равно как и пособие по вождению комбайна не учит правильно выращивать пшеницу). Скорее всего вам потребуется обратиться к следующим дополнительным источникам: LARTC HOWTO: http://www.lartc.org Вывод команды man ip Вывод команд ip route help и ip rule help
Поддержка нескольких соединений с Internet Начиная с версии 2.3.2 в Shorewall реализована ограниченная поддержка нескольких соединений с Internet. Ниже описаны существующие ограничения: Используется статическая конфигурация маршрутов. Поэтому не предусмотрены меры по защите от сбоя какого-либо из каналов связи с провайдером. Изменения маршрутизации и очистка кэша маршрутов осуществляются при запуске и при перезапуске Shorewall (если не указана опция "-n" для shorewall restart). Вообще говоря, в идеальном случае перезапуск пакетного фильтра никак не должен влиять на маршрутизацию. В версиях Shorewall ниже 3.4.0 маршруты и правила маршрутизации, добавляемые при запуске, не удалялись полностью в ходе выполнения команд shorewall stop, shorewall clear или shorewall restart.
Обзор Предположим, что система, в которой работает файрвол, подключена к двум провайдерам по двум интерфейсам Ethernet, как показано на рисунке. eth0 подключен к ISP1. IP-адрес eth0 - это 206.124.146.176, и шлюз провайдера имеет IP-адрес 206.124.146.254. eth1 подключен к ISP2. IP-адрес eth1 - это 130.252.99.27, и шлюз провайдера имеет IP-адрес 130.252.99.254. eth2 подключен к локальной сети. У него может быть любой IP-адрес. Все эти провайдеры должны быть перечислены в файле /etc/shorewall/providers. В записях в файле /etc/shorewall/providers можно указать, что для исходящих соединений должно быть включено распределение нагрузки по двум каналам связи с провайдерами. В записях в файле /etc/shorewall/tcrules можно указать, что некоторые исходящие соединения должны использовать определённый канал провайдера. Правила в файле /etc/shorewall/tcrules необязательны для того, чтобы настройка /etc/shorewall/providers работала, но необходимо указать уникальное значение MARK для каждого из провайдеров, чтобы Shorewall настроил правила маркировки. Если задать опцию track в файле /etc/shorewall/providers, то соединения из Internet будут автоматически маршрутизироваться обратно через правильный интерфейс на соответствующий шлюз провайдера. Это будет работать как в том случае, когда соединение обрабатывается самим файрволом, так и для соединений, маршрутизируемых или пробрасываемых к системам позади файрвола. Shorewall настраивает маршрутизацию и обновляет файл /etc/iproute2/rt_tables, включая в него имена таблиц и их номера. При этом используются функции маркировки пакетов для управления маршрутизацией. Как следствие этого возникают ограничения на записи в файле /etc/shorewall/tcrules: Маркировка пакетов для целей управления трафиком не может осуществляться в цепочке PREROUTING для соединений с участием провайдеров, для которых задана опция 'track' (см. далее). Нельзя использовать опции SAVE или RESTORE. Нельзя использовать маркировку соединений. 
Файл /etc/shorewall/providers может также использоваться в других сценариях маршрутизации. В документации по работе с Squid приведены примеры.
Файл /etc/shorewall/providers Далее описаны поля этого файла. Как и везде в файлах конфигурации Shorewall, укажите в поле для столбца "-", если не требуется задавать никакое значение. NAME Имя провайдера. Должно начинаться с буквы и состоять из букв и цифр. Имя провайдера становится именем сгенерированной таблицы маршрутизации для этого провайдера. NUMBER Число от 1 до 252. Оно будет номером таблицы маршрутизации для сгенерированной таблицы для этого провайдера. MARK Метка, применяемая в файле /etc/shorewall/tcrules для направления пакетов через этого провайдера. Shorewall также помечает этой меткой соединения, которые входят через этого провайдера, и восстанавливает метку пакета в цепочке PREROUTING. Метка должна быть целым числом от 1 до 255. Начиная с Shorewall версии 3.2.0 Beta 6, можно задать опцию HIGH_ROUTE_MARKS=Yes в файле /etc/shorewall/shorewall.conf. Это позволяет решить следующие задачи: Использовать метки пакетов для управления трафиком, при условии что эти метки присваиваются в цепочке FORWARD. Использовать значения меток > 255 для меток провайдера. Эти метки должны быть кратными 256 в диапазоне 256-65280 (в 16-ричном представлении 0x100 - 0xFF00, с нулевыми младшими 8 битами). DUPLICATE Имя или номер таблицы маршрутизации, которая будет продублирована. Можно указать 'main' или имя или номер ранее объявленного провайдера. Для большинства приложений здесь достаточно будет указать 'main'. INTERFACE Имя интерфейса канала связи с провайдером. В реализации поддержки нескольких подключений с провайдерами Shorewall предполагается, что каждый провайдер подключен к собственному интерфейсу. GATEWAY IP-адрес шлюза провайдера. Здесь можно указать detect для автоматического определения IP-адреса шлюза. Совет: "detect" следует указывать в том случае, если интерфейс из поля INTERFACE настраивается динамически по DHCP. 
OPTIONS
    A comma-separated list of the options described below:

    track
        If this option is given, connections ENTERING through this interface are tracked so that replies can be routed back out through the same interface. Specify 'track' if Internet hosts will connect to local servers through this provider. 'balance' should always be specified together with 'track'. This feature requires CONNMARK target and connmark match support in the kernel and in iptables; the ROUTE target extension is not required. iptables 1.3.1 has a bug in the CONNMARK implementation that affects iptables-save/iptables-restore, so in a multi-provider setup the shorewall restore command may fail. If that happens, apply the iptables patch available at http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff. If you use /etc/shorewall/providers to set up multiple Internet connections, specify 'track' even if it is not needed: it helps keep long-lived connections alive through long periods without traffic.

    balance
        The 'balance' option distributes outgoing flows across multiple providers. The balancing is not perfect, because it is done through routes and routes are cached: the route to a host that users access frequently will always go through the same provider. By default every provider gets the same weight (1). The weight of an individual provider can be changed by giving balance followed by "=" and the weight (for example balance=2). Weights reflect the relative bandwidth of the provider links. They should be small numbers, because the kernel creates an additional route for each increment of weight. If /etc/shorewall/providers is used to set up multiple Internet connections, specify 'balance' even if it is not needed.
        To send all traffic through one particular provider, use /etc/shorewall/tcrules. If you ignore this advice, read FAQ 57 and FAQ 58.

        If 'balance' is specified but all traffic still goes through one provider, the cause may be that the kernel was not built with CONFIG_IP_ROUTE_MULTIPATH_CACHED=n. Rebuilding the kernel with this option fixed the problem for some users. The problem is present in the SuSE 10.0 kernel and reportedly can cause a fatal kernel error in that case. In SUSE 10.1 and SLES 10, CONFIG_IP_ROUTE_MULTIPATH_CACHED=n is set by default. The source of the problem is described here: an incompatibility between the LARTC patches and CONFIG_IP_ROUTE_MULTIPATH_CACHED.

    loose
        Do not generate the routing rules that force traffic whose source IP address matches the address of the provider's interface out through that interface. This option is useful for defining providers that are to be used only when a matching packet mark is present. It cannot be given together with balance.

    optional (Shorewall 3.2.2 and later)
        Shorewall determines whether the interface is up and has an IP address configured. If it is not configured, a warning is issued and the provider is not enabled. The 'optional' option is meant to detect interface states that would cause shorewall start or shorewall restart to fail; however, even when the interface is in a state in which Shorewall can [re]start without error, that does not guarantee that traffic can pass through the interface.

For those still confused about track and balance: track controls incoming connections; balance controls outgoing connections.
COPY
    If DUPLICATE names an existing table, Shorewall copies all routes through the interface given in the INTERFACE column and through the interfaces listed in this column. This column should list all interfaces on the firewall system except the Internet interfaces named in the INTERFACE column of this file.
What a providers entry does

Adding an entry to the providers file creates an alternate routing table. In addition:

- Unless the loose option is given, an ip rule is created for each IP address on the INTERFACE that routes traffic from that address through the corresponding routing table.
- If the track option is given, connections for which at least one packet has entered through the interface in the INTERFACE column receive the connection mark given in the MARK column. In the PREROUTING chain, the packet mark of packets carrying a connection mark is set to that connection mark, and such marked packets are exempt from the PREROUTING rules given in /etc/shorewall/tcrules. This ensures that incoming connections are routed back through the correct interface.
- If the balance option is given, Shorewall replaces the default route with weight 100 in the 'main' routing table with a load-balancing route across the gateways for which balance is enabled. Therefore, if you configure your own default routes, give them a weight smaller than 100; otherwise the route added by Shorewall will have no effect.

That is all these entries do. Remember the basic principle described in the Shorewall routing documentation: routing determines where packets go. Once a packet's route has been determined, the firewall (Shorewall) decides whether the packet may be sent along that route. So if you want to route traffic through a particular provider, you must mark that traffic with the provider's MARK value in /etc/shorewall/tcrules, marking the packet in the PREROUTING chain; the alternative is to add the appropriate rules to /etc/shorewall/rtrules.

In Shorewall versions before 3.4.0, entries in /etc/shorewall/providers permanently alter the system's routing; that is, the changes are not undone by shorewall stop or shorewall clear.
To restore the original routes you may need to restart networking. Usually /etc/init.d/network restart or /etc/init.d/networking restart does this; consult your distribution's networking documentation.

Additional notes:

- The impact of the changes Shorewall makes to the routing table can be reduced by giving a metric for each default route you configure. Shorewall creates a load-balancing default route (if balance is enabled for any provider) that carries no metric, so it does not replace any existing route whose metric is non-zero.

- The -n option of shorewall restart and shorewall restore prevents routing from being changed.

- /etc/shorewall/stopped can also be used to restore routing when Shorewall is stopped. While the system is running in its normal routing configuration (a single table), its contents can be saved as follows:

    ip route ls > routes

  Here is the routes file from my system:

    192.168.1.1 dev eth3 scope link
    206.124.146.177 dev eth1 scope link
    192.168.2.2 dev tun0 proto kernel scope link src 192.168.2.1
    192.168.2.0/24 via 192.168.2.2 dev tun0
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
    206.124.146.0/24 dev eth3 proto kernel scope link src 206.124.146.176
    169.254.0.0/16 dev eth0 scope link
    127.0.0.0/8 dev lo scope link
    default via 206.124.146.254 dev eth3

  Edit this file as follows (flush the main table, prefix each saved route with ip route add, then flush the route cache):

    ip route flush table main
    ip route add 192.168.1.1 dev eth3 scope link
    ip route add 206.124.146.177 dev eth1 scope link
    ip route add 192.168.2.2 dev tun0 proto kernel scope link src 192.168.2.1
    ip route add 192.168.2.0/24 via 192.168.2.2 dev tun0
    ip route add 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
    ip route add 206.124.146.0/24 dev eth3 proto kernel scope link src 206.124.146.176
    ip route add 169.254.0.0/16 dev eth0 scope link
    ip route add 127.0.0.0/8 dev lo scope link
    ip route add default via 206.124.146.254 dev eth3
    ip route flush cache

  Save this file as /etc/shorewall/stopped. You can also add the following to it:

    ip rule ls | while read priority rule; do
        case ${priority%:} in
            0|3276[67])
                ;;
            *)
                ip rule del $rule
                ;;
        esac
    done

  This code deletes all routing rules except the default ones.
What a providers entry does NOT do

Shorewall is a tool for configuring Netfilter, not a process that runs continuously on the system, so providers entries do not provide automatic failover when one of the Internet links goes down.
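The effects listed under "What a providers entry does" are easier to check when they are spelled out as the commands they correspond to. The following added example (not Shorewall's own code) is a dry-run model of one providers entry: it prints the iproute2 and iptables commands instead of running them. It assumes the interface address is supplied by the caller, leaves out DUPLICATE/COPY route copying and the HIGH_ROUTE_MARKS case, and takes the rule priorities (10000+NUMBER, 20000+256*(NUMBER-1)) from the ip rule ls listing shown later in this document.

```shell
#!/bin/sh
# Added example, not part of Shorewall: print (do not run) what one
# /etc/shorewall/providers entry turns into, so the effect of NAME, NUMBER,
# MARK, INTERFACE, GATEWAY and OPTIONS can be read off before the live
# routing tables are touched. Simplified model; see the lead-in for assumptions.

# balance_weight OPTIONS -> weight from balance / balance=N, or 0 when absent
balance_weight() {
    case ",$1," in
        *,balance=*) w=${1#*balance=}; echo "${w%%,*}" ;;
        *,balance,*) echo 1 ;;
        *)           echo 0 ;;
    esac
}

# has_option OPTIONS NAME -> success when NAME is in the comma-separated list
has_option() {
    case ",$1," in *,"$2",*) return 0 ;; esac
    return 1
}

# provider_cmds NAME NUMBER MARK INTERFACE GATEWAY OPTIONS ADDRESS
# ADDRESS is the interface's own IP address (Shorewall reads it from 'ip addr ls').
provider_cmds() {
    name=$1 number=$2 mark=$3 iface=$4 gateway=$5 opts=$6 addr=$7

    # The alternate routing table: its entry in rt_tables and its default route
    echo "echo '$number $name' >> /etc/iproute2/rt_tables"
    echo "ip route add default via $gateway dev $iface table $name"

    # MARK: packets carrying the provider's fwmark are looked up in its table
    echo "ip rule add fwmark $mark table $name priority $((10000 + $number))"

    # Unless 'loose': traffic sourced from the interface address is forced
    # out through this provider as well
    if ! has_option "$opts" loose; then
        echo "ip rule add from $addr table $name priority $((20000 + 256 * ($number - 1)))"
    fi

    # 'track': a connection whose first packet entered on INTERFACE gets the
    # provider's mark as its connection mark (restored per packet by
    # track_restore_cmd), so replies leave through the interface they came in on
    if has_option "$opts" track; then
        echo "iptables -t mangle -A PREROUTING -i $iface -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark"
    fi
}

# track_restore_cmd -> the single PREROUTING rule that copies a saved
# connection mark back onto each packet of a tracked connection
track_restore_cmd() {
    echo "iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark"
}

# balanced_default_route "IFACE GATEWAY WEIGHT" ... -> the multipath default
# route that replaces the default route in the 'main' table when 'balance' is set
balanced_default_route() {
    cmd="ip route replace default scope global"
    for spec in "$@"; do
        set -- $spec
        cmd="$cmd nexthop via $2 dev $1 weight $3"
    done
    echo "$cmd"
}

# Worked case: the two providers of this document's example network
demo() {
    provider_cmds ISP1 1 1 eth0 206.124.146.254 track,balance 206.124.146.176
    provider_cmds ISP2 2 2 eth1 130.252.99.254 track,balance 130.252.99.27
    track_restore_cmd
    balanced_default_route \
        "eth0 206.124.146.254 $(balance_weight track,balance)" \
        "eth1 130.252.99.254 $(balance_weight track,balance)"
}

demo
```

Comparing the printed rules with the output of ip rule ls on a running system is a quick way to confirm that a provider was actually enabled (the 'optional' option silently skips one whose interface is down).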
Martian packets

A common problem in multi-provider configurations is "martian packets". If the routefilter option is set for the network interfaces in /etc/shorewall/interfaces (and logmartians should be set together with it), errors can occur and the log will contain messages like these:

    Feb 9 17:23:45 gw.ilinx kernel: martian source 206.124.146.176 from 64.86.88.116, on dev eth1
    Feb 9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05:08:00

This message can be misleading. The source IP of the incoming packet is 64.86.88.116 and its destination IP is 206.124.146.176. Note also that the destination IP of the incoming packet may already have been changed, either by DNAT or by an entry in /etc/shorewall/masq (SNAT or masquerade) for the original outgoing connection, so the destination IP (206.124.146.176) may differ from the destination IP the packet originally arrived with.

These problems can arise for the following reasons:

- Both external interfaces are connected to the same hub or switch. Never connect several firewall interfaces to the same hub if you want to avoid unpleasant and hard-to-explain problems.
- The loose and balance options are given together in the providers file. This makes individual connections jump between interfaces, and errors result.
- Local traffic is being directed through one of the interfaces by packet marking with an entry in /etc/shorewall/tcrules. Instead, bind the application to the appropriate local IP address of the desired interface. See below.

If nothing else helps, remove the routefilter option from the external interfaces. You can then add rules that log and drop packets from the Internet whose source address lies in your local network.
For example, if the local network in the configuration above is 192.168.1.0/24, add the following rule:

    #ACTION      SOURCE                DEST
    DROP:info    net:192.168.1.0/24    all

Be sure the above rule is added before any other rules with net in the SOURCE column.
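Because the "martian source" message names the packet's destination where one expects its source, reading such lines by hand during an incident is error-prone. The following added example (not from the Shorewall documentation) parses the lines quoted above, reports the real source, the destination and the receiving interface, and classifies the event against a constructed address table for this document's example network (eth0 = 206.124.146.176, eth1 = 130.252.99.27, LAN 192.168.1.0/24 behind eth2). The third log line is constructed to show the spoofed-LAN-source case the DROP:info rule covers.

```shell
#!/bin/sh
# Added example, not part of Shorewall: decode kernel "martian source" log
# lines and classify them. The address after "martian source" is the
# DESTINATION (possibly already rewritten by DNAT/SNAT); the address after
# "from" is the real source.

# Constructed sample lines: the two quoted in the text plus one spoofed-source case
MARTIAN_LINE='Feb 9 17:23:45 gw.ilinx kernel: martian source 206.124.146.176 from 64.86.88.116, on dev eth1'
LLHDR_LINE='Feb 9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05:08:00'
SPOOF_LINE='Feb 9 17:25:01 gw.ilinx kernel: martian source 206.124.146.176 from 192.168.1.77, on dev eth0'

# parse_martian LINE -> "src=<real source> dst=<destination> dev=<interface>"
# Returns 1 for lines that are not martian reports (e.g. the "ll header" line).
parse_martian() {
    case $1 in
        *"martian source "*" from "*", on dev "*) ;;
        *) return 1 ;;
    esac
    rest=${1#*martian source }
    dst=${rest%% *}
    rest=${rest#* from }
    src=${rest%%,*}
    dev=${rest##*on dev }
    echo "src=$src dst=$dst dev=$dev"
}

# owner_of ADDRESS -> the firewall interface that owns it (constructed table
# with the ISP1/ISP2 addresses used throughout this document), or nothing
owner_of() {
    case $1 in
        206.124.146.176) echo eth0 ;;
        130.252.99.27)   echo eth1 ;;
    esac
}

# classify_martian LINE -> one-line verdict matching the causes listed above.
# Assumes the LAN behind eth2 is 192.168.1.0/24, as in the text's example.
classify_martian() {
    fields=$(parse_martian "$1") || return 1
    set -- $fields
    src=${1#src=} dst=${2#dst=} dev=${3#dev=}

    case $src in
        192.168.1.*)
            # A LAN source arriving on an external interface: what the DROP:info rule is for
            echo "spoofed: LAN source $src arrived from the Internet on $dev"
            return 0 ;;
    esac

    owner=$(owner_of "$dst")
    if [ -n "$owner" ] && [ "$owner" != "$dev" ]; then
        # A packet for one provider's address delivered on the other provider's
        # interface: shared switch, loose+balance, or marked local traffic
        echo "cross-provider: $dst belongs to $owner but arrived on $dev (from $src)"
    else
        echo "other: $src -> $dst on $dev"
    fi
}

# report -> run the classifier over the constructed log, skipping non-martian lines
report() {
    printf '%s\n' "$MARTIAN_LINE" "$LLHDR_LINE" "$SPOOF_LINE" |
    while read -r line; do
        classify_martian "$line" || continue
    done
}

report
```

On a real firewall the same functions can be fed from the kernel log (for example the output of dmesg) instead of the constructed lines.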
Example

The network shown in the figure at the beginning of this document is described in /etc/shorewall/providers as follows:

    #NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY           OPTIONS         COPY
    ISP1    1        1      main        eth0        206.124.146.254   track,balance   eth2
    ISP2    2        2      main        eth1        130.252.99.254    track,balance   eth2

The other configuration files look like this:

/etc/shorewall/interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      …
    net     eth1        detect      …

/etc/shorewall/policy:

    #SOURCE   DESTINATION   POLICY   LIMIT:BURST
    net       net           DROP

If the firewall's own connections are to be redirected by /etc/shorewall/tcrules rules, or if the balance option is given for the providers, then, regardless of whether there are masqueraded hosts, the following entries must be added to /etc/shorewall/masq:

    #INTERFACE   SUBNET            ADDRESS
    eth0         130.252.99.27     206.124.146.176
    eth1         206.124.146.176   130.252.99.27

These entries ensure that packets generated on the firewall system are sent with the source IP address that matches the interface through which they are routed. If either interface has a dynamic IP address, the entries can be created using shell variables. For example, if eth0 has a dynamic IP address:

/etc/shorewall/params:

    ETH0_IP=$(find_first_interface_address eth0)

/etc/shorewall/masq:

    #INTERFACE   SUBNET            ADDRESS
    eth0         130.252.99.27     $ETH0_IP
    eth1         $ETH0_IP          130.252.99.27

If there are masqueraded hosts, configure masquerading for both providers in /etc/shorewall/masq. For example, if the hosts connected through eth2 are masqueraded:

    #INTERFACE   SUBNET   ADDRESS
    eth0         eth2     206.124.146.176
    eth1         eth2     130.252.99.27

Entries in /etc/shorewall/masq have no influence on which provider a given connection goes through; that is controlled by rules in /etc/shorewall/tcrules or /etc/shorewall/rtrules. Suppose that all outgoing SMTP traffic from the local network is to be sent through provider 2.
In /etc/shorewall/tcrules, enter the following (and in Shorewall versions before 3.0.0 also set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf):

    #MARK   SOURCE            DEST        PROTO   PORT(S)   CLIENT    USER   TEST
    #                                             PORT(S)
    2:P     <local network>   0.0.0.0/0   tcp     25
More than two providers

For more than two providers, the following additions are required:

- For each external address, /etc/shorewall/masq needs entries for the cases where a connection using that address as SOURCE is routed out through an interface with a different address.
- For each external interface, /etc/shorewall/masq needs entries for each internal subnet that is masqueraded (or SNATed) through that interface.

For example, for eth3 with IP address 16.105.78.4 and gateway 16.105.78.254, add the following:

/etc/shorewall/providers:

    #NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY           OPTIONS         COPY
    ISP1    1        1      main        eth0        206.124.146.254   track,balance   eth2
    ISP2    2        2      main        eth1        130.252.99.254    track,balance   eth2
    ISP3    3        3      main        eth3        16.105.78.254     track,balance   eth2

/etc/shorewall/masq:

    #INTERFACE   SUBNET            ADDRESS
    eth0         130.252.99.27     206.124.146.176
    eth3         130.252.99.27     16.105.78.4
    eth1         206.124.146.176   130.252.99.27
    eth3         206.124.146.176   16.105.78.4
    eth0         16.105.78.4       206.124.146.176
    eth1         16.105.78.4       130.252.99.27
    eth0         eth2              206.124.146.176
    eth1         eth2              130.252.99.27
    eth3         eth2              16.105.78.4
Applications running on the firewall system

Problems sometimes arise with applications running on the firewall system. This often happens when the routefilter option is given for the external interfaces in /etc/shorewall/interfaces (see above). In that case it is recommended to bind the application to a specific local IP address rather than to 0.0.0.0. Examples:

- Squid: in squid.conf, set tcp_outgoing_address to the IP address of the interface Squid is to use.
- OpenVPN: set the local option (--local on the command line) to the IP address on which the server is to accept connections.
/etc/shorewall/rtrules

The /etc/shorewall/rtrules file was added in Shorewall 3.2.0. Like entries in tcrules, rtrules entries let you route particular traffic through a particular provider. The difference between the two files is that rtrules entries have nothing to do with Netfilter.

In Shorewall versions before 3.4.0, entries in /etc/shorewall/rtrules permanently alter the system's routing; that is, the changes are not undone by shorewall stop or shorewall clear. To restore the original routes you may need to restart networking. Usually /etc/init.d/network restart or /etc/init.d/networking restart does this; consult your distribution's networking documentation. Note also the warning in the section "What a providers entry does".
Routing rules

Routing rules are managed by the Linux kernel. They can be listed with ip rule ls. When a packet is routed, the rules are processed in the order shown until a route for the packet is found.

    gateway:~ # ip rule ls
    0:      from all lookup local                <=== local IP addresses (the firewall system)
    10001:  from all fwmark 0x1 lookup Blarg     <=== this rule and the next are generated by the
    10002:  from all fwmark 0x2 lookup Comcast        'MARK' entries in /etc/shorewall/providers
    20000:  from 206.124.146.176 lookup Blarg    <=== this rule and the next are not generated when
    20256:  from 24.12.22.33 lookup Comcast           'loose' is given; they are derived from 'ip addr ls'
    32766:  from all lookup main                 <=== the routing table shown by 'iproute -n'
    32767:  from all lookup default              <=== this table is normally empty
    gateway:~ #

In this example two providers are configured, Blarg and Comcast, with MARK values 1 and 2 respectively.
The rtrules file

The columns of the file are:

SOURCE (optional)
    An IP address (subnet or host) to be matched against the packet's source address. May also be given as an interface name, optionally followed by ":" and an address. If the device 'lo' is given, the packet must originate on the firewall system.

DEST (optional)
    An IP address (subnet or host) to be matched against the packet's destination address. If SOURCE or DEST is omitted, enter "-" in that column. At least one of SOURCE and DEST must be given.

PROVIDER
    The provider through which the traffic is to be routed. May be given as the provider's name or number.

PRIORITY
    The rule priority, which determines the order in which rules are processed.
    1000-1999: before the Shorewall rules generated from the 'MARK' values
    11000-11999: after the 'MARK' rules but before the Shorewall rules generated for the provider interfaces
    26000-26999: after the provider interfaces but before the 'default' rule
    Rules with the same priority are processed in the order in which they appear in the file.

Example 1: Route all traffic arriving on eth1 through Comcast.

    #SOURCE   DEST   PROVIDER   PRIORITY
    eth1      -      Comcast    1000

With this rule, the output of ip rule ls becomes:

    gateway:~ # ip rule ls
    0:      from all lookup local
    1000:   from all iif eth1 lookup Comcast
    10001:  from all fwmark 0x1 lookup Blarg
    10002:  from all fwmark 0x2 lookup Comcast
    20000:  from 206.124.146.176 lookup Blarg
    20256:  from 24.12.22.33 lookup Comcast
    32766:  from all lookup main
    32767:  from all lookup default
    gateway:~ #

Note that priority 1000 causes the eth1 check to be made before the fwmark check.

Example 2: OpenVPN (routed /tunX configuration) is used together with multiple providers. In this case a rule is needed so that OpenVPN traffic is routed back through the tunX interface rather than through one of the providers.
10.8.0.0/24 is the subnet chosen for OpenVPN (server 10.8.0.0 255.255.255.0).

    #SOURCE   DEST          PROVIDER   PRIORITY
    -         10.8.0.0/24   main       1000
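The rtrules columns above map almost one-to-one onto an ip rule add command, and the two examples are easiest to check in that form. The following added example (not Shorewall's own code) prints the command a single rtrules entry corresponds to and enforces the column rules stated above; the translation of SOURCE forms into iif/from clauses and the rejection of priorities outside the three documented ranges are this example's own reading of the text, not the Shorewall compiler's behaviour.

```shell
#!/bin/sh
# Added example, not part of Shorewall: model one /etc/shorewall/rtrules entry
# (SOURCE DEST PROVIDER PRIORITY) as the 'ip rule add' command it corresponds
# to, printing it rather than running it.

# rtrule_cmd SOURCE DEST PROVIDER PRIORITY -> prints the ip rule command,
# or prints an error on stderr and returns 1
rtrule_cmd() {
    src=$1 dst=$2 provider=$3 prio=$4

    # At least one of SOURCE and DEST must be given; "-" means omitted
    if [ "$src" = "-" ] && [ "$dst" = "-" ]; then
        echo "rtrules: SOURCE or DEST must be given" >&2
        return 1
    fi

    # Only the three documented priority ranges are accepted here
    case $prio in
        1[0-9][0-9][0-9]|11[0-9][0-9][0-9]|26[0-9][0-9][0-9]) ;;  # 1000-1999, 11000-11999, 26000-26999
        *) echo "rtrules: PRIORITY $prio is outside the documented ranges" >&2; return 1 ;;
    esac

    set --                                   # collect the match clauses here
    if [ "$src" != "-" ]; then
        case $src in
            *:*)         set -- iif "${src%%:*}" from "${src#*:}" ;;  # interface:address
            *[!0-9./]*)  set -- iif "$src" ;;        # interface name; 'iif lo' = originated on the firewall
            *)           set -- from "$src" ;;       # address or subnet
        esac
    fi
    if [ "$dst" != "-" ]; then
        set -- "$@" to "$dst"
    fi
    echo "ip rule add $* table $provider priority $prio"
}

# Worked cases: the two examples from the text, plus the interface:address form
demo() {
    rtrule_cmd eth1 - Comcast 1000                  # Example 1: everything arriving on eth1 via Comcast
    rtrule_cmd - 10.8.0.0/24 main 1000              # Example 2: keep the OpenVPN subnet on the main table
    rtrule_cmd eth2:192.168.1.0/24 - Blarg 11000    # LAN hosts on eth2 via Blarg, after the MARK rules
}

demo
```

The printed commands can be compared directly with the ip rule ls output shown above: a priority of 1000 lands before the 10001/10002 fwmark rules, 11000 after them, and 26000 after the 20000/20256 interface rules.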
shorewall-docs-xml-5.2.3/Anatomy.xml
Anatomy of Shorewall 5.0/5.1
Tom Eastep
2007, 2009, 2012, 2015, 2017 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Products

Shorewall 5.0 consists of six packages.

Shorewall Core. This package contains the core Shorewall shell libraries and is required to install any of the other packages. Beginning with Shorewall 5.1.0, it also includes the Command Line Interface (CLI) program common to all of the packages.

Shorewall. This package must be installed on at least one system in your network. It contains everything needed to create an IPv4 firewall.

Shorewall6. This package requires the Shorewall package and adds those components needed to create an IPv6 firewall.

Shorewall-lite. Shorewall allows for central administration of multiple IPv4 firewalls through use of Shorewall-lite. The full Shorewall product is installed on a central administrative system where compiled Shorewall scripts are generated. These scripts are copied to the firewall systems where they run under the control of Shorewall-lite.

Shorewall6-lite. Shorewall allows for central administration of multiple IPv6 firewalls through use of Shorewall6-lite. The full Shorewall product is installed on a central administrative system where compiled Shorewall scripts are generated. These scripts are copied to the firewall systems where they run under the control of Shorewall6-lite.

Shorewall-init. An add-on to any of the above packages that allows the firewall state to be altered in reaction to interfaces coming up and going down. Where Upstart is not being used, this package can also be configured to place the firewall in a safe state prior to bringing up the network interfaces.
Shorewall The Shorewall package includes a large number of files which were traditionally installed in /sbin, /usr/share/shorewall, /etc/shorewall, /etc/init.d and /var/lib/shorewall/. These are described in the sub-sections that follow. Since Shorewall 4.5.2, each of these directories is now relocatable using the configure scripts included with Shorewall Core. These scripts set shell variables in the shorewallrc file which is normally installed in /usr/share/shorewall/. The name of the variable is included in parentheses in the section headings below.
/sbin ($SBINDIR) The /sbin/shorewall shell program is used to interact with Shorewall. See shorewall(8).
/usr/share/shorewall (${SHAREDIR}/shorewall)

The bulk of Shorewall is installed here.

action.template - template file for creating actions.
action.* - standard Shorewall actions.
actions.std - file listing the standard actions.
compiler.pl - The configuration compiler perl program.
configfiles - A directory containing configuration files to copy to create a Shorewall-lite export directory.
configpath - A file containing distribution-specific path assignments.
firewall - A shell program that handles the add and delete commands (see shorewall(8)). It also handles the stop and clear commands when there is no current compiled firewall script on the system.
functions - A symbolic link to lib.base that provides for compatibility with older versions of Shorewall.
init - A symbolic link to the init script (usually /etc/init.d/shorewall).
lib.* - Shell function libraries used by the other shell programs. Most of these are actually provided by Shorewall-core.
macro.* - The standard Shorewall macros.
modules.* - File that drives the loading of Netfilter kernel modules. May be overridden by /etc/shorewall/modules.
prog.* - Shell program fragments used as input to the compiler.
Shorewall - Directory containing the Shorewall Perl modules used by the compiler.
shorewallrc - A file that specifies where all of the other installed components (from all packages) are installed.
version - A file containing the currently installed version of Shorewall.
wait4ifup - A shell program that extension scripts can use to delay until a network interface is available.
/etc/shorewall (${CONFDIR}/shorewall) This is where the modifiable IPv4 configuration files are installed.
/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or /lib/systemd/system ($SERVICEDIR) An init script is installed here. Depending on the distribution, it is named shorewall or rc.firewall. Only installed on systems where systemd is not installed. When systemd is installed, the Shorewall .service files are installed in the directory specified by the SERVICEDIR variable in /usr/share/shorewall/shorewallrc.
/var/lib/shorewall (${VARLIB}/shorewall)

Shorewall doesn't install any files in this directory but rather uses the directory for storing state information. This directory may be relocated using shorewall-vardir(5).

.iptables-restore-input - The file passed as input to the iptables-restore program to initialize the firewall during the last start or restart command (see shorewall(8)).
.modules - The contents of the modules file used during the last start or restart command (see shorewall(8) for command information).
.modulesdir - The MODULESDIR setting (shorewall.conf(5)) at the last start or restart.
nat - This unfortunately-named file records the IP addresses added by ADD_SNAT_ALIASES=Yes and ADD_IP_ALIASES=Yes in shorewall.conf(5).
proxyarp - Records the arp entries added by entries in shorewall-proxyarp(5).
.refresh - The shell program that performed the last successful refresh command.
.restart - The shell program that performed the last successful restart command.
restore - The default shell program used to execute restore commands.
.restore - The shell program that performed the last successful refresh, restart or start command.
save - File created by the save command and used to restore the dynamic blacklist during start/restart.
.start - The shell program that performed the last successful start command.
state - Records the current firewall state.
zones - Records the current zone contents.
Shorewall6 Shorewall6 installs its files in a number of directories:
/sbin ($SBINDIR) Prior to Shorewall 5.1.0, the /sbin/shorewall6 shell program is used to interact with Shorewall6. See shorewall6(8). Beginning with Shorewall 5.1.0, /sbin/shorewall6 is a symbolic link to /sbin/shorewall. See shorewall(8).
/usr/share/shorewall6 (${SHAREDIR}/shorewall6)

The bulk of Shorewall6 is installed here.

action.template - template file for creating actions.
action.* - standard Shorewall actions.
actions.std - file listing the standard actions.
configfiles - A directory containing configuration files to copy to create a Shorewall6-lite export directory.
configpath - A file containing distribution-specific path assignments.
firewall - A shell program that handles the add and delete commands (see shorewall(8)). It also handles the stop and clear commands when there is no current compiled firewall script on the system.
functions - A symbolic link to lib.base that provides for compatibility with older versions of Shorewall.
lib.* - Shell function libraries used by the other shell programs.
Macros/* - The standard Shorewall6 macros.
modules - File that drives the loading of Netfilter kernel modules. May be overridden by /etc/shorewall/modules.
version - A file containing the currently installed version of Shorewall.
wait4ifup - A shell program that extension scripts can use to delay until a network interface is available.
/etc/shorewall6 (${CONFDIR}/shorewall6) This is where the modifiable IPv6 configuration files are installed.
/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or /lib/systemd/system ($SERVICEDIR) An init script is installed here. Depending on the distribution, it is named shorewall6 or rc.firewall. Only installed on systems where systemd is not installed. When systemd is installed, the Shorewall .service files are installed in the directory specified by the SERVICEDIR variable in /usr/share/shorewall/shorewallrc.
/var/lib/shorewall6 (${VARLIB}/shorewall6)

Shorewall6 doesn't install any files in this directory but rather uses the directory for storing state information. This directory may be relocated using shorewall-vardir(5).

.ip6tables-restore-input - The file passed as input to the ip6tables-restore program to initialize the firewall during the last start or restart command (see shorewall6(8)).
.modules - The contents of the modules file used during the last start or restart command (see shorewall(8) for command information).
.modulesdir - The MODULESDIR setting (shorewall.conf(5)) at the last start or restart.
.refresh - The shell program that performed the last successful refresh command.
.restart - The shell program that performed the last successful restart command.
restore - The default shell program used to execute restore commands.
.restore - The shell program that performed the last successful refresh, restart or start command.
save - File created by the save command and used to restore the dynamic blacklist during start/restart.
.start - The shell program that performed the last successful start command.
state - Records the current firewall state.
zones - Records the current zone contents.
Shorewall-lite The Shorewall-lite product includes files installed in /sbin, /usr/share/shorewall-lite, /etc/shorewall-lite, /etc/init.d and /var/lib/shorewall-lite/. These are described in the sub-sections that follow.
/sbin ($SBINDIR) The /sbin/shorewall-lite shell program is used to interact with Shorewall lite. See shorewall-lite(8). Beginning with Shorewall 5.1.0, /sbin/shorewall-lite is a symbolic link to /sbin/shorewall. See shorewall(8).
/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or /lib/systemd/system ($SERVICEDIR) An init script is installed here. Depending on the distribution, it is named shorewall-lite or rc.firewall. Only installed on systems where systemd is not installed. When systemd is installed, the Shorewall .service files are installed in the directory specified by the SERVICEDIR variable in /usr/share/shorewall/shorewallrc.
/etc/shorewall-lite (${CONFDIR}/shorewall-lite) This is where the modifiable configuration files are installed.
/usr/share/shorewall-lite (${SHAREDIR}/shorewall-lite)

The bulk of Shorewall-lite is installed here.

configpath - A file containing distribution-specific path assignments.
functions - A symbolic link to lib.base that provides for compatibility with older versions of Shorewall.
lib.base - Shell function library used by the other shell programs. This is a thin wrapper around /usr/share/shorewall/lib.base.
modules* - Files that drive the loading of Netfilter kernel modules. May be overridden by /etc/shorewall-lite/modules.
shorecap - A shell program used for generating capabilities files. See the Shorewall-lite documentation.
version - A file containing the currently installed version of Shorewall.
wait4ifup - A shell program that extension scripts can use to delay until a network interface is available.
/var/lib/shorewall-lite (${VARLIB}/shorewall-lite)

Shorewall-lite doesn't install any files in this directory but rather uses the directory for storing state information. This directory may be relocated using shorewall-lite-vardir(5).

firewall - Compiled shell script installed by running the load or reload command on the administrative system (see shorewall(8)).
firewall.conf - Digest of the shorewall.conf file used to compile the firewall script on the administrative system.
.iptables-restore-input - The file passed as input to the iptables-restore program to initialize the firewall during the last start or restart command (see shorewall-lite(8)).
.modules - The contents of the modules file used during the last start or restart command (see shorewall-lite(8) for command information).
.modulesdir - The MODULESDIR setting (shorewall.conf(5)) at the last start or restart.
nat - This unfortunately-named file records the IP addresses added by ADD_SNAT_ALIASES=Yes and ADD_IP_ALIASES=Yes in shorewall.conf(5).
proxyarp - Records the arp entries added by entries in shorewall-proxyarp(5).
.refresh - The shell program that performed the last successful refresh command.
.restart - The shell program that performed the last successful restart command.
restore - The default shell program used to execute restore commands.
.restore - The shell program that performed the last successful refresh, restart or start command.
save - File created by the save command and used to restore the dynamic blacklist during start/restart.
.start - The shell program that performed the last successful start command.
state - Records the current firewall state.
zones - Records the current zone contents.
Shorewall6-lite The Shorewall6-lite product includes files installed in /sbin, /usr/share/shorewall6-lite, /etc/shorewall6-lite, /etc/init.d and /var/lib/shorewall6-lite/. These are described in the sub-sections that follow.
/sbin The /sbin/shorewall6-lite shell program is used to interact with Shorewall6-lite. See shorewall6-lite(8). Beginning with Shorewall 5.1.0, /sbin/shorewall6-lite is a symbolic link to /sbin/shorewall. See shorewall(8).
/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or /lib/systemd/system ($SERVICEDIR) An init script is installed here. Depending on the distribution, it is named shorewall6-lite or rc.firewall. Only installed on systems where systemd is not installed. When systemd is installed, the Shorewall .service files are installed in the directory specified by the SERVICEDIR variable in /usr/share/shorewall/shorewallrc.
/etc/shorewall6-lite (${CONFDIR}/shorewall6-lite) This is where the modifiable configuration files are installed.
/usr/share/shorewall6-lite (${SHAREDIR}/shorewall6-lite) The bulk of Shorewall6-lite is installed here. configpath - A file containing distribution-specific path assignments. functions - A symbolic link to lib.base that provides for compatibility with older versions of Shorewall. lib.base - Shell function library used by the other shell programs. This is a thin wrapper around /usr/share/shorewall/lib.base. modules* - Files that drive the loading of Netfilter kernel modules. May be overridden by /etc/shorewall6-lite/modules. shorecap - A shell program used for generating capabilities files. See the Shorewall-lite documentation. version - A file containing the currently installed version. wait4ifup - A shell program that extension scripts can use to delay until a network interface is available.
/var/lib/shorewall6-lite (${VARLIB}/shorewall6-lite) Shorewall6-lite doesn't install any files in this directory but rather uses the directory for storing state information. This directory may be relocated using shorewall6-lite-vardir(5). firewall - Compiled shell script installed by running the load or reload command on the administrative system (see shorewall6(8)). firewall.conf - Digest of the shorewall6.conf file used to compile the firewall script on the administrative system. .ip6tables-restore-input - The file passed as input to the ip6tables-restore program to initialize the firewall during the last start or restart command (see shorewall6-lite(8)). .modules - The contents of the modules file used during the last start or restart command (see shorewall6-lite(8) for command information). .modulesdir - The MODULESDIR setting (shorewall6.conf(5)) at the last start or restart. .refresh - The shell program that performed the last successful refresh command. .restart - The shell program that performed the last successful restart command. restore - The default shell program used to execute restore commands. .restore - The shell program that performed the last successful refresh, restart or start command. save - File created by the save command and used to restore the dynamic blacklist during start/restart. .start - The shell program that performed the last successful start command. state - Records the current firewall state. zones - Records the current zone contents.
shorewall-docs-xml-5.2.3/PacketHandling.xml0000664000000000000000000003146013427347317017362 0ustar rootroot
Packet Handling Tom Eastep 2004 2005 2009 2014 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction This article will try to help you understand how packets pass through a firewall configured by Shorewall. You may find it useful to have a copy of the Netfilter Overview handy to refer to. The discussion that follows assumes that you are running a current kernel (2.6.20 or later) with the recommended options included. Otherwise processing may be somewhat different from described below depending on the features supported by your kernel. Where a packet is covered by steps in more than one of the following sections, processing occurs in the order in which the sections appear.
Packets Entering the Firewall from Outside Certain processing occurs on packets entering the firewall from the outside that does not occur for packets that originate on the firewall itself. The TOS field in the packet is conditionally altered based on the contents of your /etc/shorewall/tos file. This occurs in the pretos chain of the mangle table. Packets are marked based on the contents of your /etc/shorewall/mangle (/etc/shorewall/tcrules) file and the setting of MARK_IN_FORWARD_CHAIN in /etc/shorewall/shorewall.conf. This occurs in the tcpre chain of the mangle table. The destination IP address and/or port number are rewritten according to DNAT[-] and REDIRECT[-] rules in /etc/shorewall/rules. For new connection requests, this occurs in a chain in the nat table called zone_dnat, where zone is the zone where the request originated. For packets that are part of an already established connection, the destination rewriting takes place without any involvement of a Netfilter rule. If the destination was not rewritten in the previous step, then it may be rewritten based on entries in /etc/shorewall/nat. For new connection requests, this occurs in a nat table chain called interface_in, where interface is the interface on which the packet entered the firewall. For packets that are part of an already established connection, the destination rewriting takes place without any involvement of a Netfilter rule. The packet passes through the accounting rules defined in /etc/shorewall/accounting. If FASTACCEPT=Yes in shorewall.conf and the packet is part of or related to an existing connection, it is accepted. The packet is processed according to your Blacklisting configuration (dynamic blacklist first). If BLACKLISTNEWONLY=Yes in /etc/shorewall/shorewall.conf, then only new connection requests are processed.
Processing occurs in the dynamic and blacklst chains. If the interface on which the packet entered the firewall has the nosmurfs option specified in /etc/shorewall/interfaces and the packet is a new connection request, it is checked for being a smurf in the filter table's smurfs chain. If the packet will be processed by the firewall itself, the interface on which the packet arrived has the dhcp option in /etc/shorewall/interfaces, and the packet's protocol is UDP with destination port 67 or 68, then the packet is ACCEPTed in the filter table's interface_in chain (for example, eth0_in). Note that if the interface is its associated zone's only interface, then the interface_in chain is optimized away and its rules are transferred to another chain. If the interface on which the packet entered the firewall has the tcpflags option specified in /etc/shorewall/interfaces and the packet's protocol is TCP, then the TCP flags are checked by the tcpflags chain (filter table).
All Packets Regardless of whether the packet originated on the firewall or came from outside, certain processing steps are common. Packets are marked based on the contents of your /etc/shorewall/mangle file and the setting of MARK_IN_FORWARD_CHAIN in /etc/shorewall/shorewall.conf. This occurs in the tcfor chain of the mangle table. The remaining processing in this list occurs in the filter table. If either the host sending the packet or the host to which the packet is addressed is not in any defined zone, then the all->all policy is applied to the packet (including logging). This can occur in the INPUT, FORWARD or OUTPUT chains. If the packet is part of an established connection or is part of a related connection, then no further processing takes place in the filter table (zone12zone2 chain, where zone1 is the source zone and zone2 is the destination zone). The packet is processed according to your /etc/shorewall/rules file. This happens in chains named zone12zone2, where zone1 is the source zone and zone2 is the destination zone. Note that in the presence of nested or overlapping zones and CONTINUE policies, a packet may go through more than one of these chains. Note: if the packet gets to this step, it did not match any rule. If the applicable policy has a common action, then that action is applied (the chain has the same name as the action). If the applicable policy has logging specified, the packet is logged. The policy is applied (the packet is accepted, dropped or rejected).
Packets Originating on the Firewall Packets that originate on the firewall itself undergo additional processing. The TOS field in the packet is conditionally altered based on the contents of your /etc/shorewall/tos file. This occurs in the outtos chain of the mangle table. Packets are marked based on the contents of your /etc/shorewall/mangle file. This occurs in the tcout chain of the mangle table.
Packets Leaving the Firewall Packets being sent to another host undergo additional processing. The source IP address is rewritten only by the first matching rule below. The source IP address may be rewritten according to DNAT rules that specify SNAT. If this is a new connection request, then the rewriting occurs in a nat table chain called zone_snat, where zone is the destination zone. For packets that are part of an already established connection, the source rewriting takes place without any involvement of a Netfilter rule. If FASTACCEPT=Yes in shorewall.conf and the packet is part of or related to an existing connection, it is accepted. The source IP address may be rewritten according to an entry in the /etc/shorewall/nat file. If this is a new connection request, then the rewriting occurs in a nat table chain called interface_snat, where interface is the interface on which the packet will be sent. For packets that are part of an already established connection, the source rewriting takes place without any involvement of a Netfilter rule. The source IP address may be rewritten according to an entry in the /etc/shorewall/masq or /etc/shorewall/snat file (Shorewall 5.0.14 or later). If this is a new connection request, then the rewriting occurs in a nat table chain called interface_masq, where interface is the interface on which the packet will be sent. For packets that are part of an already established connection, the source rewriting takes place without any involvement of a Netfilter rule.
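The chain names above are what you see in the kernel log when a rule or policy logs a packet, so they are the quickest way to tell at which of the steps described in this article a packet was dropped. The following script is an added example (not part of the Shorewall project) that maps logged chain names back to those steps. It assumes the log prefix produced by LOGFORMAT="Shorewall:%s:%s:" (chain name, then disposition); if your shorewall.conf uses a different LOGFORMAT, adjust LOG_RE accordingly. The log lines in SAMPLE_LOG are constructed for the example.

```python
"""Map Shorewall kernel log messages back to the processing stages described above.

Added example, not code from the Shorewall project. Assumes
LOGFORMAT="Shorewall:%s:%s:" (chain, disposition); SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE pairs, value may be empty (OUT=)
# Zone-to-zone rule/policy chains are named zone1 + "2" + zone2, e.g. net2fw, net2all.
ZONE_CHAIN_RE = re.compile(r"^(?P<src>\w+?)2(?P<dst>\w+)$")

SAMPLE_LOG = """\
Jun  1 10:00:01 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44444 DPT=23
Jun  1 10:00:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=172.20.1.7 PROTO=UDP SPT=53 DPT=1900
Jun  1 10:00:03 gw kernel: Shorewall:smurfs:DROP:IN=eth0 OUT= SRC=192.0.2.255 DST=192.0.2.1 PROTO=ICMP TYPE=8
Jun  1 10:00:04 gw kernel: Shorewall:tcpflags:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=0 DPT=22
Jun  1 10:00:05 gw kernel: Shorewall:blacklst:DROP:IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.1 PROTO=ICMP TYPE=8
Jun  1 10:00:06 gw kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.0.2.1 DST=203.0.113.50 PROTO=TCP SPT=5555 DPT=25
Jun  1 10:00:07 gw sshd[123]: Accepted publickey for tom from 172.20.1.7
"""


def stage_for_chain(chain):
    """Name the processing step (from the description above) that a chain belongs to."""
    if chain in ("dynamic", "blacklst"):
        return "blacklisting (dynamic blacklist first, then blacklst)"
    if chain == "smurfs":
        return "nosmurfs check on the ingress interface"
    if chain == "tcpflags":
        return "tcpflags check on the ingress interface"
    if chain in ("Drop", "Reject"):
        return "common action applied by the policy"
    if chain.endswith("_dnat"):
        return "DNAT/REDIRECT rules (nat table)"
    if chain.endswith("_in"):
        return "interface_in chain (filter table)"
    m = ZONE_CHAIN_RE.match(chain)
    if m:
        return f"rules/policy for {m['src']} -> {m['dst']} (filter table)"
    return "unknown chain"


def netfilter_hook(fields):
    """INPUT/FORWARD/OUTPUT, derived from which of IN= and OUT= are non-empty."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT"


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for unrelated log lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m["fields"]))
    return {
        "chain": m["chain"],
        "disposition": m["disp"],
        "hook": netfilter_hook(fields),
        "stage": stage_for_chain(m["chain"]),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dport": fields.get("DPT", ""),
    }


def summarize(log_text):
    """Parse every Shorewall line and count (stage, disposition) pairs."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    counts = Counter((e["stage"], e["disposition"]) for e in entries)
    return entries, counts


if __name__ == "__main__":
    entries, counts = summarize(SAMPLE_LOG)
    for e in entries:
        print(f"{e['hook']:8} {e['chain']:10} {e['disposition']:7} "
              f"{e['src']} -> {e['dst']}  {e['stage']}")
    for (stage, disp), n in counts.most_common():
        print(f"{n:3}  {disp:7} {stage}")
```

Feed it `journalctl -k` or /var/log/kern.log output; a burst of smurfs or tcpflags drops points at the interface-option checks near the top of the processing order, whereas zone1-to-zone2 drops mean the packet survived every earlier step and simply matched no rule before the policy.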
shorewall-docs-xml-5.2.3/OpenVZ.xml0000664000000000000000000006742013427347317015674 0ustar rootroot
Shorewall and OpenVZ Tom Eastep 2009 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction Open Virtuozzo (OpenVZ) is an open source kernel-based virtualization solution from Parallels (formerly SWsoft). Virtual servers take the form of containers (the OpenVZ documentation calls these Virtual Environments or VEs) which are created via templates. Templates are available for a wide variety of distributions and architectures. OpenVZ requires a patched kernel. Beginning with Lenny, Debian supplies OpenVZ kernels through the standard stable repository.
Shorewall on an OpenVZ Host As with any Shorewall installation involving other software, we suggest that you first install OpenVZ and get it working before attempting to add Shorewall. Alternatively, execute shorewall clear while installing and configuring OpenVZ.
Networking The default OpenVZ networking configuration uses Proxy ARP. You assign containers IP addresses in the IP network from one of your interfaces and you are expected to set the proxy_arp flag on that interface (/proc/sys/net/ipv4/conf/interface/proxy_arp). OpenVZ creates a point-to-point virtual interface in the host with a rather odd configuration. Example (Single VE with IP address 206.124.146.178): gateway:~# ip addr ls dev venet0 10: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN link/void gateway:~# ip route ls dev venet0 206.124.146.178 scope link gateway:~# The interface has no IP configuration yet it has a route to 206.124.146.178! From within the VE with IP address 206.124.146.178, we have the following: server:~ # ip addr ls 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd 127.255.255.255 scope host lo inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN link/void inet 127.0.0.1/32 scope host venet0 inet 206.124.146.178/32 scope global venet0:0 server:~ # ip route ls 192.0.2.0/24 dev venet0 scope link 127.0.0.0/8 dev lo scope link default via 192.0.2.1 dev venet0 server:~ # There are a couple of unique features of this configuration: 127.0.0.1/32 is configured on venet0 although the main routing table routes loopback traffic through the lo interface as normal. There is a route to 192.0.2.0/24 through venet0 even though the interface has no IP address in that network. Note: 192.0.2.0/24 is reserved for use in documentation and for testing. The default route is via 192.0.2.1 yet there is no interface on the host with that IP address. All of this doesn't really affect the Shorewall configuration but it is interesting none the less.
Shorewall Configuration We recommend handling the strange OpenVZ configuration in Shorewall as follows: /etc/shorewall/zones: ############################################################################### #ZONE TYPE OPTIONS IN_OPTION OUT_OPTIONS net ipv4 vz ipv4 /etc/shorewall/interfaces: ############################################################################### #ZONE INTERFACE OPTIONS net eth0 proxyarp=1 vz venet0 routeback,arp_filter=0
Multi-ISP If you run Shorewall Multi-ISP support on the host, you should arrange for traffic to your containers to use the main routing table. In the configuration shown here, this entry in /etc/shorewall/rtrules is appropriate: #SOURCE DEST PROVIDER PRIORITY - 206.124.146.178 main 1000
RFC 1918 Addresses in a Container You can assign an RFC 1918 address to a VE and use masquerade/SNAT to provide Internet access to the container. This is just a normal simple Shorewall configuration as shown in the Two-interface Quick Start Guide. In this configuration the firewall's internal interface is venet0. Be sure to include the options shown above.
Shorewall in an OpenVZ Virtual Environment If you have obtained an OpenVZ VE from a hosting service provider, you may find it difficult to configure any type of firewall within your VE. There are two VE parameters that control iptables behavior within the container: --iptables name Restricts access to iptables modules inside a container (the OpenVZ documentation claims that by default all iptables modules that are loaded in the host system are accessible inside a container; I haven't tried that). The permitted values for name are iptables module names such as those in the IPTABLES= setting in the working example below. If your provider is using this option, you may be in deep trouble trying to use Shorewall in your container. Look at the output of shorewall show capabilities and weep. Then try to get your provider to remove this restriction on your container. --numiptent num This parameter limits the number of iptables rules that are allowed within the container. The default is 100, which is too small for a Shorewall configuration. We recommend setting this to at least 200. If you see annoying error messages as shown below during start/restart, remove the module-init-tools package from the VE. server:/etc/shorewall # shorewall restart Compiling... Compiling /etc/shorewall/zones... Compiling /etc/shorewall/interfaces... Determining Hosts in Zones... Preprocessing Action Files... Pre-processing /usr/share/shorewall/action.Drop... Pre-processing /usr/share/shorewall/action.Reject... Compiling /etc/shorewall/policy... Adding Anti-smurf Rules Adding rules for DHCP Compiling TCP Flags filtering... Compiling Kernel Route Filtering... Compiling Martian Logging... Compiling MAC Filtration -- Phase 1... Compiling /etc/shorewall/rules... Generating Transitive Closure of Used-action List... Processing /usr/share/shorewall/action.Reject for chain Reject... Processing /usr/share/shorewall/action.Drop for chain Drop... Compiling MAC Filtration -- Phase 2... Applying Policies... Generating Rule Matrix... 
Creating iptables-restore input... Compiling iptables-restore input for chain mangle:... Compiling /etc/shorewall/routestopped... Shorewall configuration compiled to /var/lib/shorewall/.restart Restarting Shorewall.... Initializing... Processing /etc/shorewall/init ... Processing /etc/shorewall/tcclear ... Setting up Route Filtering... Setting up Martian Logging... Setting up Proxy ARP... Setting up Traffic Control... Preparing iptables-restore input... Running /usr/sbin/iptables-restore... FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such file or directory FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such file or directory FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such file or directory FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such file or directory IPv4 Forwarding Enabled Processing /etc/shorewall/start ... Processing /etc/shorewall/started ... done.
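Whether a container's NUMIPTENT limit is adequate is easy to check before iptables-restore fails part way through a Shorewall start. The script below is an added example (not OpenVZ or Shorewall code): it reads the NUMIPTENT="barrier:limit" line from a VE configuration file such as /etc/vz/conf/102.conf on the host, counts the rule entries in an iptables-save dump taken inside the container, and reports the vzctl command that would raise the limit. Both inputs embedded here are constructed for the example; the recommended minimum of 200 is the figure given above.

```python
"""Check a container's NUMIPTENT limit against the rules Shorewall actually installs.

Added example, not part of OpenVZ or Shorewall. SAMPLE_VE_CONF and
SAMPLE_IPTABLES_SAVE are constructed; on a real system read
/etc/vz/conf/<veid>.conf on the host and `iptables-save` output in the VE.
"""
import re

RECOMMENDED_MINIMUM = 200  # minimum recommended in the text above

SAMPLE_VE_CONF = """\
ONBOOT="yes"
NUMPROC="240:240"
NUMIPTENT="100:100"
HOSTNAME="server.shorewall.net"
"""

# Constructed dump: 2 nat rules, 5 filter rules, 8 chain declarations.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i venet0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o venet0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:net2fw - [0:0]
:fw2net - [0:0]
:Drop - [0:0]
-A INPUT -i venet0 -j net2fw
-A OUTPUT -o venet0 -j fw2net
-A net2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p tcp --dport 22 -j ACCEPT
-A net2fw -j Drop
COMMIT
"""

NUMIPTENT_RE = re.compile(r'^\s*NUMIPTENT\s*=\s*"?(\d+):(\d+)"?', re.M)


def numiptent(conf_text):
    """Return (barrier, limit) from a VE config, or None if NUMIPTENT is unset."""
    m = NUMIPTENT_RE.search(conf_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def count_rules(dump_text):
    """Count '-A' rule entries per table; chain declarations are counted separately.

    The text above describes NUMIPTENT as a limit on rules, so only -A lines
    are compared against it.
    """
    per_table, chains, table = {}, 0, None
    for line in dump_text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
            per_table.setdefault(table, 0)
        elif line.startswith(":"):
            chains += 1
        elif line.startswith("-A ") and table is not None:
            per_table[table] += 1
    return per_table, chains


def check(conf_text, dump_text, veid=None, minimum=RECOMMENDED_MINIMUM):
    """Compare the installed rule count with the container's limit."""
    limit = numiptent(conf_text)
    per_table, chains = count_rules(dump_text)
    rules = sum(per_table.values())
    result = {"limit": limit, "rules": rules, "per_table": per_table,
              "chains": chains, "problems": []}
    if limit is None:
        result["problems"].append("NUMIPTENT not set; the vzctl default applies")
    else:
        if rules > limit[1]:
            result["problems"].append(f"{rules} rules exceed the limit of {limit[1]}")
        if limit[1] < minimum:
            result["problems"].append(
                f"limit {limit[1]} is below the recommended minimum of {minimum}")
    if result["problems"] and veid is not None:
        # What the host administrator (or provider) runs; --save makes it persistent.
        result["fix"] = f"vzctl set {veid} --numiptent {max(minimum, rules)} --save"
    return result


if __name__ == "__main__":
    r = check(SAMPLE_VE_CONF, SAMPLE_IPTABLES_SAVE, veid=102)
    print(f"rules={r['rules']} {r['per_table']} chains={r['chains']} limit={r['limit']}")
    for p in r["problems"]:
        print("problem:", p)
    if "fix" in r:
        print("suggested:", r["fix"])
```

Run the count against the dump from a working configuration rather than the one that failed: when iptables-restore aborts on the limit, the partial ruleset left behind understates what a full start needs.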
Working Example This section presents a working example. This is the configuration at shorewall.net during the summer of 2009. The network diagram is shown below. The two systems shown in the green box are OpenVZ Virtual Environments (containers).
OpenVZ Configuration In the files below, items in bold font are relevant to the networking/Shorewall configuration. /etc/vz/conf (long lines folded for clarity). ## Global parameters VIRTUOZZO=yes LOCKDIR=/var/lib/vz/lock DUMPDIR=/var/lib/vz/dump VE0CPUUNITS=1000 ## Logging parameters LOGGING=yes LOGFILE=/var/log/vzctl.log LOG_LEVEL=0 VERBOSE=0 ## Disk quota parameters DISK_QUOTA=no VZFASTBOOT=no # The name of the device whose ip address will be used as source ip for VE. # By default automatically assigned. VE_ROUTE_SRC_DEV="eth3" # Controls which interfaces to send ARP requests and modify APR tables on. NEIGHBOUR_DEVS=detect ## Template parameters TEMPLATE=/var/lib/vz/template ## Defaults for VEs VE_ROOT=/home/vz/root/$VEID VE_PRIVATE=/home/vz/private/$VEID CONFIGFILE="vps.basic" #DEF_OSTEMPLATE="fedora-core-4" DEF_OSTEMPLATE="debian" ## Load vzwdog module VZWDOG="no" ## IPv4 iptables kernel modules IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT xt_mac ipt_owner" ## Enable IPv6 IPV6="no" /etc/vz/conf/101.conf: ONBOOT="yes" # UBC parameters (in form of barrier:limit) KMEMSIZE="574890800:589781600" LOCKEDPAGES="256:256" PRIVVMPAGES="1073741824:2137483648" SHMPAGES="21504:21504" NUMPROC="240:240" PHYSPAGES="0:9223372036854775807" VMGUARPAGES="262144:9223372036854775807" OOMGUARPAGES="26112:9223372036854775807" NUMTCPSOCK="360:360" NUMFLOCK="188:206" NUMPTY="16:16" NUMSIGINFO="256:256" TCPSNDBUF="1720320:2703360" TCPRCVBUF="1720320:2703360" OTHERSOCKBUF="1126080:2097152" DGRAMRCVBUF="262144:262144" NUMOTHERSOCK="360:360" DCACHESIZE="3409920:3624960" NUMFILE="9312:9312" AVNUMPROC="180:180" NUMIPTENT="200:200" # Disk quota parameters (in form of softlimit:hardlimit) DISKSPACE="1048576:1153024" DISKINODES="200000:220000" QUOTATIME="0" # CPU fair 
sheduler parameter CPUUNITS="1000" VE_ROOT="/home/vz/root/$VEID" VE_PRIVATE="/home/vz/private/$VEID" OSTEMPLATE="suse-11.1-x86_64" ORIGIN_SAMPLE="vps.basic" HOSTNAME="lists.shorewall.net" IP_ADDRESS="206.124.146.177" NAMESERVER="127.0.0.1" NAME="lists" SEARCHDOMAIN="shorewall.net" This VE is the main server at shorewall.net. Note that some of the memory parameters are set ridiculously large -- I got tired of out-of-memory issues. /etc/vz/conf/102.conf (nearly default configuration on Debian): ONBOOT="yes" # UBC parameters (in form of barrier:limit) KMEMSIZE="14372700:14790164" LOCKEDPAGES="256:256" PRIVVMPAGES="65536:69632" SHMPAGES="21504:21504" NUMPROC="240:240" PHYSPAGES="0:9223372036854775807" VMGUARPAGES="33792:9223372036854775807" OOMGUARPAGES="26112:9223372036854775807" NUMTCPSOCK="360:360" NUMFLOCK="188:206" NUMPTY="16:16" NUMSIGINFO="256:256" TCPSNDBUF="1720320:2703360" TCPRCVBUF="1720320:2703360" OTHERSOCKBUF="1126080:2097152" DGRAMRCVBUF="262144:262144" NUMOTHERSOCK="360:360" DCACHESIZE="3409920:3624960" NUMFILE="9312:9312" AVNUMPROC="180:180" NUMIPTENT="200:200" # Disk quota parameters (in form of softlimit:hardlimit) DISKSPACE="1048576:1153024" DISKINODES="200000:220000" QUOTATIME="0" # CPU fair sheduler parameter CPUUNITS="1000" VE_ROOT="/home/vz/root/$VEID" VE_PRIVATE="/home/vz/private/$VEID" OSTEMPLATE="debian-5.0-amd64-minimal" ORIGIN_SAMPLE="vps.basic" HOSTNAME="server.shorewall.net" IP_ADDRESS="206.124.146.178" NAMESERVER="206.124.146.177" NAME="server" I really don't use this server for anything currently but I'm planning to eventually split the services between the two VEs.
Shorewall Configuration on the Host Below are excerpts from the configuration files as they pertain to the OpenVZ environment. /etc/shorewall/zones: #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 #Internet loc ipv4 #Local wired Zone dmz ipv4 #DMZ ... /etc/shorewall/params: NET_IF=eth3 INT_IF=eth1 VPS_IF=venet0 ... /etc/shorewall/interfaces: #ZONE INTERFACE OPTIONS net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1 loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback ... This is a multi-ISP configuration so entries are required in /etc/shorewall/rtrules: #SOURCE DEST PROVIDER PRIORITY - 172.20.0.0/24 main 1000 - 206.124.146.177 main 1001 - 206.124.146.178 main 1001
Shorewall Configuration on Server If you are running Debian Squeeze, Shorewall will not work in an OpenVZ container. This is a Debian OpenVZ issue and not a Shorewall issue. I have set up Shorewall on Server (206.124.146.178) just to have an environment to test with. It is a quite vanilla one-interface configuration. /etc/shorewall/zones: #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS net venet0 detect dhcp,tcpflags,logmartians,nosmurfs
Working Example Using a Bridge This is the configuration at shorewall.net during the spring of 2010. Rather than using the venet0 configuration shown above, this configuration uses a bridge in preparation for adding IPv6 support in the DMZ. The eth0 interface in each of the containers is statically configured using the distributions' configuration tools (/etc/network/interfaces on Debian and Yast on OpenSuSE). The network diagram is shown below. The two systems shown in the green box are OpenVZ Virtual Environments (containers).
Bridge Configuration The following stanza in /etc/network/interfaces on the host configures the bridge. auto vzbr0 iface vzbr0 inet static pre-up /usr/sbin/brctl addbr vzbr0 address 206.124.146.176 network 206.124.146.176 broadcast 206.124.146.176 netmask 255.255.255.255 post-down /usr/sbin/brctl delbr vzbr0
OpenVZ Configuration In the files below, items in bold font show the changes from the preceeding example. /etc/vz/conf (long lines folded for clarity). ## Global parameters VIRTUOZZO=yes LOCKDIR=/var/lib/vz/lock DUMPDIR=/var/lib/vz/dump VE0CPUUNITS=1000 ## Logging parameters LOGGING=yes LOGFILE=/var/log/vzctl.log LOG_LEVEL=0 VERBOSE=0 ## Disk quota parameters DISK_QUOTA=no VZFASTBOOT=no # The name of the device whose ip address will be used as source ip for VE. # By default automatically assigned. VE_ROUTE_SRC_DEV="eth3" # Controls which interfaces to send ARP requests and modify APR tables on. NEIGHBOUR_DEVS=detect ## Template parameters TEMPLATE=/var/lib/vz/template ## Defaults for VEs VE_ROOT=/home/vz/root/$VEID VE_PRIVATE=/home/vz/private/$VEID CONFIGFILE="vps.basic" #DEF_OSTEMPLATE="fedora-core-4" DEF_OSTEMPLATE="debian" ## Load vzwdog module VZWDOG="no" ## IPv4 iptables kernel modules IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT xt_mac ipt_owner" ## Enable IPv6 IPV6="no" /etc/vz/conf/101.conf: ONBOOT="yes" # UBC parameters (in form of barrier:limit) KMEMSIZE="574890800:589781600" LOCKEDPAGES="256:256" PRIVVMPAGES="1073741824:2137483648" SHMPAGES="21504:21504" NUMPROC="240:240" PHYSPAGES="0:9223372036854775807" VMGUARPAGES="262144:9223372036854775807" OOMGUARPAGES="26112:9223372036854775807" NUMTCPSOCK="360:360" NUMFLOCK="188:206" NUMPTY="16:16" NUMSIGINFO="256:256" TCPSNDBUF="1720320:2703360" TCPRCVBUF="1720320:2703360" OTHERSOCKBUF="1126080:2097152" DGRAMRCVBUF="262144:262144" NUMOTHERSOCK="360:360" DCACHESIZE="3409920:3624960" NUMFILE="9312:9312" AVNUMPROC="180:180" NUMIPTENT="200:200" # Disk quota parameters (in form of softlimit:hardlimit) DISKSPACE="1048576:1153024" DISKINODES="200000:220000" QUOTATIME="0" # CPU fair sheduler 
parameter CPUUNITS="1000" VE_ROOT="/home/vz/root/$VEID" VE_PRIVATE="/home/vz/private/$VEID" OSTEMPLATE="suse-11.1-x86_64" ORIGIN_SAMPLE="vps.basic" HOSTNAME="lists.shorewall.net" NAMESERVER="127.0.0.1" NAME="lists" SEARCHDOMAIN="shorewall.net" NETIF="ifname=eth0,mac=00:18:51:22:24:81,host_ifname=veth101.0,host_mac=00:18:51:B6:1A:F1" This VE is the mail server at shorewall.net (MX and IMAP). Note that some of the memory parameters are set ridiculously large -- I got tired of out-of-memory issues. /etc/vz/conf/102.conf (nearly default configuration on Debian): ONBOOT="yes" # UBC parameters (in form of barrier:limit) KMEMSIZE="14372700:14790164" LOCKEDPAGES="256:256" PRIVVMPAGES="65536:69632" SHMPAGES="21504:21504" NUMPROC="240:240" PHYSPAGES="0:9223372036854775807" VMGUARPAGES="33792:9223372036854775807" OOMGUARPAGES="26112:9223372036854775807" NUMTCPSOCK="360:360" NUMFLOCK="188:206" NUMPTY="16:16" NUMSIGINFO="256:256" TCPSNDBUF="1720320:2703360" TCPRCVBUF="1720320:2703360" OTHERSOCKBUF="1126080:2097152" DGRAMRCVBUF="262144:262144" NUMOTHERSOCK="360:360" DCACHESIZE="3409920:3624960" NUMFILE="9312:9312" AVNUMPROC="180:180" NUMIPTENT="200:200" # Disk quota parameters (in form of softlimit:hardlimit) DISKSPACE="1048576:1153024" DISKINODES="200000:220000" QUOTATIME="0" # CPU fair sheduler parameter CPUUNITS="1000" VE_ROOT="/home/vz/root/$VEID" VE_PRIVATE="/home/vz/private/$VEID" OSTEMPLATE="debian-5.0-amd64-minimal" ORIGIN_SAMPLE="vps.basic" HOSTNAME="server.shorewall.net" NAMESERVER="206.124.146.177" NAME="server" NETIF="ifname=eth0,mac=00:18:51:22:24:80,host_ifname=veth102.0,host_mac=00:18:51:B6:1A:F0" This server runs the rest of the services for shorewall.net (web server, ftp server, rsyncd, etc.). With a bridged configuration, the VIF for a VE must be added to the bridge when the VE starts. That is accomplished using mount files. 
/etc/vz/conf/101.mount: #!/bin/bash # This script sources VPS configuration files in the same order as vzctl does # if one of these files does not exist then something is really broken [ -f /etc/vz/vz.conf ] || exit 1 [ -f $VE_CONFFILE ] || exit 1 # source both files. Note the order, it is important . /etc/vz/vz.conf . $VE_CONFFILE # Add the VIF to the bridge after VE has started { BRIDGE=vzbr0 DEV=veth101.0 while sleep 1; do /sbin/ifconfig $DEV 0 >/dev/null 2>&1 if [ $? -eq 0 ]; then /usr/sbin/brctl addif $BRIDGE $DEV break fi done } & /etc/vz/conf/102.mount: #!/bin/bash # This script sources VPS configuration files in the same order as vzctl does # if one of these files does not exist then something is really broken [ -f /etc/vz/vz.conf ] || exit 1 [ -f $VE_CONFFILE ] || exit 1 # source both files. Note the order, it is important . /etc/vz/vz.conf . $VE_CONFFILE # Add VIF to bridge after VE has started { BRIDGE=vzbr0 DEV=veth102.0 while sleep 1; do /sbin/ifconfig $DEV 0 >/dev/null 2>&1 if [ $? -eq 0 ]; then /usr/sbin/brctl addif $BRIDGE $DEV break fi done } &
Shorewall Configuration on the Host Below are excerpts from the configuration files as they pertain to the OpenVZ environment. Again, bold font indicates change from the prior configuration. /etc/shorewall/zones: #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 #Internet loc ipv4 #Local wired Zone dmz ipv4 #DMZ ... /etc/shorewall/params: NET_IF=eth3 INT_IF=eth1 VPS_IF=vzbr0 ... /etc/shorewall/interfaces: #ZONE INTERFACE OPTIONS net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0 loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback ... /etc/shorewall/proxyarp: #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 206.124.146.177 DMZ_IF eth2 no yes 206.124.146.178 DMZ_IF eth2 no yes This is a multi-ISP configuration so entries are required in /etc/shorewall/rtrules: #SOURCE DEST PROVIDER PRIORITY - 172.20.0.0/24 main 1000 - 206.124.146.177 main 1001 - 206.124.146.178 main 1001
Shorewall Configuration on Server I have set up Shorewall on VE 102 (206.124.146.178) just to have an environment to test with. It is a quite vanilla one-interface configuration. /etc/shorewall/zones: #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS fw firewall net ipv4 /etc/shorewall/interfaces: #ZONE INTERFACE OPTIONS net eth0 dhcp,tcpflags,logmartians,nosmurfs
shorewall-docs-xml-5.2.3/XenMyWay.xml0000664000000000000000000011664313427347317016236 0ustar rootroot
Xen and the Art of Consolidation Tom Eastep 2006 2007 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release.
Xen Network Environment Xen is a paravirtualization tool that allows you to run multiple virtual machines on one physical machine. It is available on a wide number of platforms and is included in recent SUSE distributions. Xen refers to the virtual machines as Domains. Domains are numbered with the first domain being domain 0, the second domain 1, and so on. Domain 0 (Dom0) is special because that is the domain created when the machine is booted. Additional domains (called DomU's) are created using the xm create command from within Domain 0. Additional domains can also be created automatically at boot time by using the xendomains service. Xen virtualizes a network interface named eth0 in each domain (this assumes the default Xen configuration created by xend and a host system with a single Ethernet interface named eth0). In Dom0, Xen also creates a bridge (xenbr0) and a number of virtual interfaces as shown in the following diagram. I use the term Extended Dom0 to distinguish the bridge and virtual interfaces from Dom0 itself. That distinction is important when we try to apply Shorewall in this environment. The bridge has a number of ports: peth0 — This is the port that connects to the physical network interface in your system. vif0.0 — This is the bridge port that is used by traffic to/from Domain 0. vifX.0 — This is the bridge port that is used by traffic to/from Domain X.
Before Xen Prior to adopting Xen, I had a home office crowded with five systems, three monitors, a scanner and a printer. The systems were: Firewall Public Server in a DMZ (mail) Private Server (wookie) My personal Linux Desktop (ursa) My work system (docked laptop running Windows XP). The result was a very crowded and noisy room.
After Xen Xen has allowed me to reduce the noise and clutter considerably. I now have three systems with two monitors. I've also replaced the individual printer and scanner with a Multifunction FAX/Scanner/Printer. The systems now include: Combination Firewall/Public Server/Private Server/Wireless Gateway using Xen (created by building out my Linux desktop system). My work system. My Linux desktop (wookie, which is actually the old public server box) Most of the Linux systems run SUSE 10.1; my personal Linux desktop system and our Linux Laptop run Ubuntu "Dapper Drake". The configuration described below uses a bridged Xen Networking configuration; if you want to see how to accomplish a similar configuration using a Routed Xen configuration then please see this article. I am now using the routed configuration because it results in one fewer domains to administer. Here is a high-level diagram of our network. As shown in this diagram, the Xen system has three physical network interfaces. These are: eth0 -- connected to the switch in my office. That switch is cabled to a second switch in my wife's office where my wife has her desktop and networked printer (I sure wish that there had been wireless back when I strung that CAT-5 cable halfway across the house). eth1 -- connected to our DSL "Modem". eth2 -- connected to a Wireless Access Point (WAP) that interfaces to our wireless network. There are three Xen domains. Dom0 (DNS name ursa.shorewall.net) is used as a local file server (NFS and Samba). The first DomU (Dom name firewall, DNS name gateway.shorewall.net) is used as our main firewall and wireless gateway. The second DomU (Dom name lists, DNS name lists.shorewall.net) is used as a public Web/FTP/Mail/DNS server. Shorewall runs in Dom0 and in the firewall domain. As the developer of Shorewall, I have enough experience to be very comfortable with Linux networking and Shorewall/iptables. 
I arrived at this configuration after a fair amount of trial and error experimentation. If you are a Linux networking novice, I recommend that you do not attempt a configuration like this one for your first Shorewall installation. You are very likely to frustrate both yourself and the Shorewall support team. Rather I suggest that you start with something simple like a standalone installation in a domU; once you are comfortable with that then you will be ready to try something more substantial. As Paul Gear says: Shorewall might make iptables easy, but it doesn't make understanding fundamental networking principles, traffic shaping, or multi-ISP routing any easier. The same goes for Xen networking.
Domain Configuration Below are the relevant configuration files for the three domains. I use partitions on my hard drives for DomU storage devices.
/boot/grub/menu.lst — here is the entry that boots Xen in Dom0.

title XEN
    root (hd0,1)
    kernel /boot/xen.gz dom0_mem=458752 sched=bvt
    module /boot/vmlinuz-xen root=/dev/hda2 vga=0x31a selinux=0 resume=/dev/hda1 splash=silent showopts
    module /boot/initrd-xen

/etc/modprobe.conf.local — eth1 (PCI 00:09.0) and eth2 (PCI 00:0a.0) are delegated to the firewall DomU where they become eth3 and eth4 respectively. The SUSE 10.1 Xen kernel compiles pciback as a module so the instructions for PCI delegation in the Xen Users Manual can't be followed directly (see http://wiki.xensource.com/xenwiki/Assign_hardware_to_DomU_with_PCIBack_as_module).

options pciback hide=(00:09.0)(00:0a.0)
install tulip /sbin/modprobe pciback ; /sbin/modprobe --first-time --ignore-install tulip
options netloop nloopbacks=1

/etc/xen/auto/01-firewall — configuration file for the firewall domain

# -*- mode: python; -*-
# configuration name:
name = "firewall"
# usable ram:
memory = 384
# kernel and initrd:
kernel = "/xen2/vmlinuz-xen"
ramdisk = "/xen2/initrd-xen"
# boot device:
root = "/dev/hdb2"
# boot to run level:
extra = "3"
# network interface:
vif = [ 'mac=aa:cc:00:00:00:02, bridge=xenbr0',
        'mac=aa:cc:00:00:00:03, bridge=xenbr1' ]
# Interfaces delegated from Dom0
pci=[ '00:09.0' , '00:0a.0' ]
# storage devices:
disk = [ 'phy:hdb2,hdb2,w' ]

/etc/xen/auto/02-lists — configuration file for the lists domain

# -*- mode: python; -*-
# configuration name:
name = "lists"
# usable ram:
memory = 512
# kernel and initrd:
kernel = "/xen2/vmlinuz-xen"
ramdisk = "/xen2/initrd-xen"
# boot device:
root = "/dev/hda3"
# boot to run level:
extra = "3"
# network interface:
vif = [ 'mac=aa:cc:00:00:00:01, bridge=xenbr1' ]
hostname = name
# storage devices:
disk = [ 'phy:hda3,hda3,w' ]
With all three Xen domains up and running, the system looks as shown in the following diagram. The zones correspond to the Shorewall zones in the firewall DomU configuration.

If you want to run a simple NAT gateway in a Xen DomU, just omit the second bridge (xenbr1), the second delegated interface, and the second DomU from the above configuration. You can then install the normal Shorewall two-interface sample configuration in the DomU.

Under some circumstances, UDP and/or TCP communication from a domU won't work for no obvious reason. That happened with the lists domain in my setup. Looking at the IP traffic with tcpdump -nvvi eth1 in the firewall domU showed that UDP packets from the lists domU had incorrect checksums. That problem was corrected by arranging for the following command to be executed in the lists domain when its eth0 device was brought up:

ethtool -K eth0 tx off

Under SUSE 10.1, I placed the following in /etc/sysconfig/network/if-up.d/resettx (that file is executable):

#!/bin/sh

if [ $2 = eth0 ]; then
    ethtool -K eth0 tx off
    echo "TX Checksum reset on eth0"
fi

Under other distributions, the technique will vary. For example, under Debian or Ubuntu, you can just add a 'post-up' entry to /etc/network/interfaces as shown here:

iface eth0 inet static
    address 206.124.146.177
    netmask 255.255.255.0
    post-up ethtool -K eth0 tx off

Update. Under SUSE 10.2, communication from a domU works okay without running ethtool but traffic shaping in dom0 doesn't work! So it's a good idea to run it just to be safe.

SUSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The network interfaces that connect to the net and wifi zones are delegated to the firewall DomU. When Shorewall starts during bootup of Dom0, it creates the two bridges using this /etc/shorewall/init extension script:
for bridge in xenbr0 xenbr1; do
    if [ -z "$(/sbin/brctl show 2> /dev/null | fgrep $bridge)" ]; then
        /sbin/brctl addbr $bridge
        /sbin/ip link set dev $bridge up
    fi
done
Dom0 Configuration

The goals for the Shorewall configuration in Dom0 are as follows:

- Allow traffic to flow unrestricted through the two bridges. This is done by configuring the hosts connected to each bridge as a separate zone and relying on Shorewall's implicit intra-zone ACCEPT policy to permit traffic through the bridge.
- Ensure that there is no stray traffic between the zones. This is a "belt+suspenders" measure since there should be no routing between the bridges (because they don't have IP addresses).

The configuration is a simple one:
/etc/shorewall/zones:

#ZONE   TYPE       OPTIONS   IN_OPTIONS   OUT_OPTIONS
fw      firewall
loc     ipv4
dmz     ipv4

/etc/shorewall/policy (Note the unusual use of an ACCEPT all->all policy):

#SOURCE   DEST   POLICY   LOGLEVEL   LIMIT
dmz       all    REJECT   info
all       dmz    REJECT   info
all       all    ACCEPT

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST       OPTIONS
loc     xenbr0      192.168.1.255   dhcp,routeback
dmz     xenbr1      -               routeback
Firewall DomU Configuration In the firewall DomU, I run a conventional three-interface firewall with Proxy ARP DMZ -- it is very similar to the firewall described in the Shorewall Setup Guide with the exception that I've added a fourth interface for our wireless network. The firewall runs a routed OpenVPN server to provide road warrior access for our two laptops and a bridged OpenVPN server for the wireless network in our home. Here is the firewall's view of the network: The two laptops can be directly attached to the LAN as shown above or they can be attached wirelessly -- their IP addresses are the same in either case; when they are directly attached, the IP address is assigned by the DHCP server running in Dom0 and when they are attached wirelessly, the IP address is assigned by OpenVPN. The Shorewall configuration files are shown below. All routing and secondary IP addresses are handled in the SUSE network configuration.
/etc/shorewall/shorewall.conf:

STARTUP_ENABLED=Yes
VERBOSITY=0
LOGFILE=/var/log/firewall
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
LOG_MARTIANS=No
IPTABLES=/usr/sbin/iptables
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/bash
SUBSYSLOCK=
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=standard
IPSECFILE=zones
IP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
MACLIST_TTL=60
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_TABLE=mangle
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP

/etc/shorewall/zones:

#ZONE   TYPE       OPTIONS   IN_OPTIONS   OUT_OPTIONS
fw      firewall
net     ipv4       #Internet
loc     ipv4       #Local wired Zone
dmz     ipv4       #DMZ
vpn     ipv4       #Open VPN clients
wifi    ipv4       #Local Wireless Zone

/etc/shorewall/policy:

#SOURCE   DEST   POLICY   LOGLEVEL   LIMIT
$FW       $FW    ACCEPT
$FW       net    ACCEPT
loc       net    ACCEPT
$FW       vpn    ACCEPT
vpn       net    ACCEPT
vpn       loc    ACCEPT
loc       vpn    ACCEPT
$FW       loc    ACCEPT
wifi      all    REJECT   $LOG
loc       $FW    REJECT   $LOG
net       $FW    DROP     $LOG       1/sec:2
net       loc    DROP     $LOG       2/sec:4
net       dmz    DROP     $LOG       8/sec:30
net       vpn    DROP     $LOG
all       all    REJECT   $LOG

/etc/shorewall/params (edited):

MIRRORS=<comma-separated list of Shorewall mirrors>
NTPSERVERS=<comma-separated list of NTP servers I sync with>
POPSERVERS=<comma-separated list of server IP addresses>
LOG=info
INT_IF=eth0
DMZ_IF=eth1
EXT_IF=eth3
WIFI_IF=eth4
OMAK=<IP address at our second home>

/etc/shorewall/init:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST         OPTIONS
net     $EXT_IF     206.124.146.255   dhcp,logmartians,blacklist,tcpflags,nosmurfs
dmz     $DMZ_IF     192.168.0.255     logmartians
loc     $INT_IF     192.168.1.255     dhcp,routeback,logmartians
wifi    $WIFI_IF    192.168.3.255     dhcp,maclist
vpn     tun+        -

/etc/shorewall/nat:

#EXTERNAL         INTERFACE   INTERNAL      ALLINTS   LOCAL
206.124.146.178   $EXT_IF     192.168.1.3   No        No      #Wookie
206.124.146.180   $EXT_IF     192.168.1.6   No        No      #Work LapTop

/etc/shorewall/masq (Note the cute trick here and in the following proxyarp file that allows me to access the DSL "Modem" using its default IP address (192.168.1.1)). The leading "+" is required to place the rule before the SNAT rules generated by entries in /etc/shorewall/nat above.

#INTERFACE             SUBNET           ADDRESS           PROTO   DPORT   IPSEC
+$EXT_IF:192.168.1.1   0.0.0.0/0        192.168.1.254
$EXT_IF                192.168.0.0/22   206.124.146.179

/etc/shorewall/proxyarp:

#ADDRESS          INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
192.168.1.1       $EXT_IF     $INT_IF    yes
206.124.146.177   $DMZ_IF     $EXT_IF    yes

/etc/shorewall/tunnels:

#TYPE               ZONE   GATEWAY          GATEWAY_ZONE
openvpnserver:udp   net    0.0.0.0/0        #Routed server for RoadWarrior access
openvpnserver:udp   wifi   192.168.3.0/24   #Home wireless network server

/etc/shorewall/actions:

#ACTION
Mirrors          # Accept traffic from Shorewall Mirrors

/etc/shorewall/action.Mirrors:

#TARGET   SOURCE     DEST   PROTO   PORT   SPORT   ORIGDEST   RATE
ACCEPT    $MIRRORS

/etc/shorewall/rules:

?SECTION NEW
################################################################################
#ACTION          SOURCE                DEST              PROTO   DPORT                 SPORT   ORIGDEST                          RATE   USER
################################################################################
REJECT:$LOG      loc                   net               tcp     25
REJECT:$LOG      loc                   net               udp     1025:1031
#
# Stop NETBIOS crap
#
REJECT           loc                   net               tcp     137,445
REJECT           loc                   net               udp     137:139
#
# Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
#
DROP             loc:!192.168.0.0/22   net
################################################################################
# Local Network to Firewall
#
DROP             loc:!192.168.0.0/22   fw                # Silently drop traffic with an HP source IP from my XP box
ACCEPT           loc                   fw                tcp     22
ACCEPT           loc                   fw                tcp     time,631,8080
ACCEPT           loc                   fw                udp     161,ntp,631
ACCEPT           loc:192.168.1.5       fw                udp     111
DROP             loc                   fw                tcp     3185                  #SUSE Meta pppd
Ping(ACCEPT)     loc                   fw
REDIRECT         loc                   3128              tcp     80                    -       !206.124.146.177
################################################################################
# Road Warriors to Firewall
#
ACCEPT           vpn                   fw                tcp     ssh,time,631,8080
ACCEPT           vpn                   fw                udp     161,ntp,631
Ping(ACCEPT)     vpn                   fw
################################################################################
# Road Warriors to DMZ
#
ACCEPT           vpn                   dmz               udp     domain
ACCEPT           vpn                   dmz               tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3   -
Ping(ACCEPT)     vpn                   dmz
################################################################################
# Local network to DMZ
#
ACCEPT           loc                   dmz               udp     domain
ACCEPT           loc                   dmz               tcp     ssh,smtps,www,ftp,imaps,domain,https   -
ACCEPT           loc                   dmz               tcp     smtp
Trcrt(ACCEPT)    loc                   dmz
################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn       net                   fw                tcp
dropNotSyn       net                   loc               tcp
dropNotSyn       net                   dmz               tcp
################################################################################
# Internet to DMZ
#
ACCEPT           net                   dmz               udp     domain
ACCEPT           net                   dmz               tcp     smtps,www,ftp,imaps,domain,https   -
ACCEPT           net                   dmz               tcp     smtp                  -       206.124.146.177,206.124.146.178
ACCEPT           net                   dmz               udp     33434:33454
Mirrors          net                   dmz               tcp     rsync
Limit:$LOG:SSHA,3,60\
                 net                   dmz               tcp     22
Trcrt(ACCEPT)    net                   dmz
################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP.
#
DNAT             net                   loc:192.168.1.4   tcp     1729
DNAT             net                   loc:192.168.1.4   gre
#
# Roadwarrior access to Wookie
#
ACCEPT           net:$OMAK             loc               tcp     22
Limit:$LOG:SSHA,3,60\
                 net                   loc               tcp     22
#
# ICQ
#
ACCEPT           net                   loc:192.168.1.3   tcp     113,4000:4100
#
# Bittorrent
#
ACCEPT           net                   loc:192.168.1.3   tcp     6881:6889,6969
ACCEPT           net                   loc:192.168.1.3   udp     6881:6889,6969
#
# Skype
#
ACCEPT           net                   loc:192.168.1.6   tcp     1194
#
# Traceroute
#
Trcrt(ACCEPT)    net                   loc:192.168.1.3
#
# Silently Handle common probes
#
REJECT           net                   loc               tcp     www,ftp,https
DROP             net                   loc               icmp    8
################################################################################
# DMZ to Internet
#
ACCEPT           dmz                   net               udp     domain,ntp
ACCEPT           dmz                   net               tcp     echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT           dmz                   net:$POPSERVERS   tcp     pop3
Ping(ACCEPT)     dmz                   net
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.
#
ACCEPT:$LOG      dmz                   net               tcp     1024:                 20
################################################################################
# Local to DMZ
#
ACCEPT           loc                   dmz               udp     domain,xdmcp
ACCEPT           loc                   dmz               tcp     www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt(ACCEPT)    loc                   dmz
################################################################################
# DMZ to Local
#
ACCEPT           dmz                   loc:192.168.1.5   udp     123
ACCEPT           dmz                   loc:192.168.1.5   tcp     21
Ping(ACCEPT)     dmz                   loc
################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT           dmz                   fw                tcp     161,ssh
ACCEPT           dmz                   fw                udp     161
REJECT           dmz                   fw                tcp     auth
Ping(ACCEPT)     dmz                   fw
################################################################################
# Internet to Firewall
#
REJECT           net                   fw                tcp     www,ftp,https
DROP             net                   fw                icmp    8
ACCEPT           net                   fw                udp     33434:33454
ACCEPT           net:$OMAK             fw                udp     ntp
ACCEPT           net                   fw                tcp     auth
ACCEPT           net:$OMAK             fw                tcp     22
Limit:$LOG:SSHA,3,60\
                 net                   fw                tcp     22
Trcrt(ACCEPT)    net                   fw
################################################################################
# Firewall to DMZ
#
ACCEPT           fw                    dmz               tcp     domain,www,ftp,ssh,smtp,https,993,465
ACCEPT           fw                    dmz               udp     domain
REJECT           fw                    dmz               udp     137:139
Ping(ACCEPT)     fw                    dmz
################################################################################
# Avoid logging Freenode.net probes
#
DROP             net:82.96.96.3        all

/etc/shorewall/tcdevices:

#INTERFACE   IN_BANDWIDTH   OUT_BANDWIDTH
$EXT_IF      1300kbit       384kbit

/etc/shorewall/tcclasses:

#INTERFACE   MARK   RATE        CEIL        PRIORITY   OPTIONS
$EXT_IF      10     5*full/10   full        1          tcp-ack,tos-minimize-delay
$EXT_IF      20     3*full/10   9*full/10   2          default
$EXT_IF      30     2*full/10   6*full/10   3

/etc/shorewall/mangle:

#ACTION           SOURCE            DEST      PROTO   DPORT   SPORT   USER   TEST
CLASSIFY(1:110)   192.168.0.0/22    $EXT_IF                                  #Our internal nets get priority over the server
CLASSIFY(1:130)   206.124.146.177   $EXT_IF   tcp     -       873            #Throttle rsync traffic to the Shorewall Mirrors.
The tap0 device used by the bridged OpenVPN server is bridged to eth0 using a SUSE-specific SysV init script:
#!/bin/sh
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.0
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
#     bridge start          Starts the bridge
#     bridge restart        Restarts the bridge
#     bridge reload         Restarts the bridge
#     bridge stop           Stops the bridge
#     bridge status         Displays bridge status
#
# chkconfig: 2345 4 99
# description: Packet filtering firewall
### BEGIN INIT INFO
# Provides:          bridge
# Required-Start:    boot.udev
# Required-Stop:
# Default-Start:     2 3 5
# Default-Stop:      0 1 6
# Description:       starts and stops the bridge
### END INIT INFO

################################################################################
# Interfaces to be bridged -- may be listed by device name or by MAC
#
INTERFACES="eth0"
#
# Tap Devices
#
TAPS="tap0"

################################################################################
# Give Usage Information
################################################################################
usage() {
    echo "Usage: $0 start|stop|reload|restart|status"
    exit 1
}

#################################################################################
# Find the interface with the passed MAC address
#################################################################################
find_interface_by_mac() {
    local mac
    mac=$1
    local first
    local second
    local rest
    local dev

    # "ip link ls" prints "N: <dev>: ..." followed by "link/ether <mac> ..."
    /sbin/ip link ls | while read first second rest; do
        case $first in
            *:)
                dev=$second
                ;;
            *)
                if [ "$second" = $mac ]; then
                    echo ${dev%:}
                    return
                fi
        esac
    done
}

################################################################################
# Convert MAC addresses to interface names
################################################################################
get_interfaces() {
    local interfaces
    interfaces=
    local interface
    local mac

    for interface in $INTERFACES; do
        case $interface in
            *:*:*)
                # Keep the MAC so the warning can name it when no interface is found
                mac=$interface
                interface=$(find_interface_by_mac $mac)
                [ -n "$interface" ] || echo "WARNING: Can't find an interface with MAC address $mac"
                ;;
        esac

        interfaces="$interfaces $interface"
    done

    INTERFACES="$interfaces"
}

################################################################################
# Start the Bridge
################################################################################
do_start() {
    local interface

    get_interfaces

    for interface in $TAPS; do
        /usr/sbin/openvpn --mktun --dev $interface
    done

    /sbin/brctl addbr br0

    for interface in $INTERFACES $TAPS; do
        /sbin/ip link set $interface up
        /sbin/brctl addif br0 $interface
    done
}

################################################################################
# Stop the Bridge
################################################################################
do_stop() {
    local interface

    get_interfaces

    for interface in $INTERFACES $TAPS; do
        /sbin/brctl delif br0 $interface
        /sbin/ip link set $interface down
    done

    /sbin/ip link set br0 down
    /sbin/brctl delbr br0

    for interface in $TAPS; do
        /usr/sbin/openvpn --rmtun --dev $interface
    done
}

################################################################################
# E X E C U T I O N    B E G I N S   H E R E                                   #
################################################################################
command="$1"

case "$command" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    restart|reload)
        do_stop
        do_start
        ;;
    status)
        /sbin/brctl show
        ;;
    *)
        usage
        ;;
esac
Standalone Firewall Tom Eastep 2002-2009 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 4.4 and later. If you are running a version of Shorewall earlier than Shorewall 4.4.0 then please see the documentation for that release.
Introduction

Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the documentation. This guide doesn't attempt to acquaint you with all of the features of Shorewall. It rather focuses on what is required to configure Shorewall in one of its most common configurations:

- Linux system
- Single external IP address
- Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up... or connected to a LAN and you simply wish to protect your Linux system from other systems on that LAN.
System Requirements

Shorewall requires that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the which command to check for this program:

[root@gateway root]# which ip
/sbin/ip
[root@gateway root]#
Before you start

I recommend that you read through the guide first to familiarize yourself with what's involved then go back through it again making your configuration changes.

If you edit your configuration files on a Windows system, you must save them as Unix files if your editor supports that option or you must run them through dos2unix before trying to use them. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix against the copy before using it with Shorewall.

- Windows Version of dos2unix
- Linux Version of dos2unix
Conventions

Points at which configuration changes are recommended are flagged with . Configuration notes that are unique to Debian and its derivatives are marked with .
PPTP/ADSL If you have an ADSL Modem and you use PPTP to communicate with a server in that modem, you must make the changes recommended here in addition to those detailed below. ADSL with PPTP is most commonly found in Europe, notably in Austria.
Shorewall Concepts

The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you only need to deal with a few of these as described in this guide. After you have installed Shorewall, you can find the Samples as follows:

- If you installed using an RPM, the samples will be in the Samples/one-interface subdirectory of the Shorewall documentation directory. If you don't know where the Shorewall documentation directory is, you can find the samples using this command:

~# rpm -ql shorewall | fgrep one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
/usr/share/doc/packages/shorewall/Samples/one-interface/policy
/usr/share/doc/packages/shorewall/Samples/one-interface/rules
/usr/share/doc/packages/shorewall/Samples/one-interface/zones
~#

- If you installed using the tarball, the samples are in the Samples/one-interface directory in the tarball.
- If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall/examples/one-interface. You do not need the shorewall-doc package to have access to the samples.

Note to Debian Users

You will find that your /etc/shorewall directory is empty. This is intentional. If you need configuration files other than those found in /usr/share/doc/shorewall/examples/one-interface, they may be found on your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies.

As each file is introduced, I suggest that you look at the actual file on your system and that you look at the man page for that file. For example, to look at the man page for the /etc/shorewall/zones file, type man shorewall-zones at a shell prompt.

Note: Beginning with Shorewall 4.4.20.1, there are versions of the sample files that are annotated with the corresponding manpage contents. These files have names ending in '.annotated'.
You might choose to look at those files instead.

Shorewall views the network where it is running as being composed of a set of zones. In the one-interface sample configuration, only two zones are defined:

#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4

Shorewall zones are defined in /etc/shorewall/zones.

Note that Shorewall recognizes the firewall system as its own zone. When the /etc/shorewall/zones file is processed, the name of the firewall zone (fw in the above example) is stored in the shell variable $FW which may be used to refer to the firewall zone throughout the Shorewall configuration.

Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.

- You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file.
- You define exceptions to those default policies in the /etc/shorewall/rules file.

For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied. If there is a common action defined for the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std then that action is performed before the policy is applied. The purpose of the common action is two-fold:

- It silently drops or rejects harmless common traffic that would otherwise clutter up your log — Broadcasts for example.
- It ensures that traffic critical to correct operation is allowed through the firewall — ICMP fragmentation-needed for example.
The /etc/shorewall/policy file included with the one-interface sample has the following policies:

#SOURCE   DEST   POLICY   LOGLEVEL   LIMIT
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

The above policy will:

- allow all connection requests from the firewall to the Internet
- drop (ignore) all connection requests from the Internet to your firewall
- reject all other connection requests (Shorewall requires this catchall policy).

The word info in the LOG LEVEL column for the last two policies indicates that packets dropped or rejected under those policies should be logged at that level.

At this point, edit your /etc/shorewall/policy and make any changes that you wish.
External Interface

The firewall has a single network interface. Where Internet connectivity is through a cable or DSL Modem, the External Interface will be the Ethernet adapter (eth0) that is connected to that Modem unless you connect via Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP) in which case the External Interface will be a PPP interface (e.g., ppp0). If you connect via a regular modem, your External Interface will also be ppp0. If you connect using ISDN, your external interface will be ippp0.

Be sure you know which interface is your external interface. Many hours have been spent floundering by users who have configured the wrong interface. If you are unsure, then as root type ip route ls at the command line. The device listed in the last (default) route should be your external interface.

Example:

root@lists:~# ip route ls
192.168.2.2 dev tun0  proto kernel  scope link  src 192.168.2.1
10.13.10.0/24 dev tun1  scope link
192.168.2.0/24 via 192.168.2.2 dev tun0
206.124.146.0/24 dev eth0  proto kernel  scope link  src 206.124.146.176
10.10.10.0/24 dev tun1  scope link
default via 206.124.146.254 dev eth0
root@lists:~#

In that example, eth0 is the external interface.

The Shorewall one-interface sample configuration assumes that the external interface is eth0. If your configuration is different, you will have to modify the sample /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interface. Some hints:

- If your external interface is ppp0 or ippp0 or if you have a static IP address, you can remove dhcp from the option list.
IP Addresses

Before going further, we should say a few words about Internet Protocol (IP) addresses. Normally, your Internet Service Provider (ISP) will assign you a single IP address. That address can be assigned statically, by the Dynamic Host Configuration Protocol (DHCP), through the establishment of your dial-up connection, or during establishment of your other type of PPP (PPPoA, PPPoE, etc.) connection.

RFC-1918 reserves several Private IP address ranges for use in private networks:

10.0.0.0    - 10.255.255.255
172.16.0.0  - 172.31.255.255
192.168.0.0 - 192.168.255.255

These addresses are sometimes referred to as non-routable because the Internet backbone routers will not forward a packet whose destination address is reserved by RFC-1918. In some cases though, ISPs are assigning these addresses then using Network Address Translation (NAT) to rewrite packet headers when forwarding to/from the Internet.
Logging

Shorewall does not maintain a log itself but rather relies on your system's logging configuration. The following commands rely on knowing where Netfilter messages are logged:

- shorewall show log (Displays the last 20 Netfilter log messages)
- shorewall logwatch (Polls the log at a settable interval)
- shorewall dump (Produces an extensive report for inclusion in Shorewall problem reports)

It is important that these commands work properly because when you encounter connection problems when Shorewall is running, the first thing that you should do is to look at the Netfilter log; with the help of Shorewall FAQ 17, you can usually resolve the problem quickly.

The Netfilter log location is distribution-dependent:

- Debian and its derivatives log Netfilter messages to /var/log/kern.log.
- Recent SuSE/OpenSuSE releases come preconfigured with syslog-ng and log netfilter messages to /var/log/firewall.
- For other distributions, Netfilter messages are most commonly logged to /var/log/messages.

If you are running a distribution that logs Netfilter messages to a log other than /var/log/messages, then modify the LOGFILE setting in /etc/shorewall/shorewall.conf to specify the name of your log. The LOGFILE setting does not control where the Netfilter log is maintained -- it simply tells the /sbin/shorewall utility where to find the log.
Kernel Module Loading

Beginning in Shorewall 4.4.7, /etc/shorewall/shorewall.conf contains a LOAD_HELPERS_ONLY option which is set to Yes in the samples. This causes Shorewall to attempt to load the modules listed in /usr/share/shorewall/helpers. In addition, it sets sip_direct_media=0 when loading the nf_conntrack_sip module. That setting is somewhat less secure than sip_direct_media=1, but it generally makes VOIP through the firewall work much better. The modules in /usr/share/shorewall/helpers are those that are not autoloaded.

If your kernel does not support module autoloading and you want Shorewall to attempt to load all netfilter modules that it might require, then set LOAD_HELPERS_ONLY=No. That will cause Shorewall to try to load the modules listed in /usr/share/shorewall/modules. That file does not set sip_direct_media=0.

In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed and the behavior is the same as if LOAD_HELPERS_ONLY=Yes.

If you need to modify either /usr/share/shorewall/helpers or /usr/share/shorewall/modules then copy the file to /etc/shorewall and modify the copy. Modify the setting of LOAD_HELPERS_ONLY as necessary.
Enabling other Connections

Shorewall includes a collection of macros that can be used to quickly allow or deny services. You can find a list of the macros included in your version of Shorewall using the command ls /usr/share/shorewall/macro.*.

If you wish to enable connections from the Internet to your firewall and you find an appropriate macro in /usr/share/shorewall/macro.*, the general format of a rule in /etc/shorewall/rules is:

#ACTION          SOURCE  DEST  PROTO  DPORT
<macro>(ACCEPT)  net     $FW

Be sure to add your rules after the line that reads ?SECTION NEW.

Example: You want to run a Web Server and an IMAP Server on your firewall system:

#ACTION       SOURCE  DEST  PROTO  DPORT
Web(ACCEPT)   net     $FW
IMAP(ACCEPT)  net     $FW

The Shorewall-provided macros assume that the associated service is using its standard port and will not work with services listening on a non-standard port.

You may also choose to code your rules directly without using the pre-defined macros. This will be necessary in the event that there is not a pre-defined macro that meets your requirements. In that case the general format of a rule in /etc/shorewall/rules is:

#ACTION  SOURCE  DEST  PROTO       DPORT
ACCEPT   net     $FW   <protocol>  <port>

Example: You want to run a Web Server and an IMAP Server on your firewall system:

#ACTION  SOURCE  DEST  PROTO  DPORT
ACCEPT   net     $FW   tcp    80
ACCEPT   net     $FW   tcp    143

If you don't know what port and protocol a particular application uses, see here.

I don't recommend enabling telnet to/from the Internet because it uses clear text (even for login!). If you want shell access to your firewall from the Internet, use SSH:

#ACTION      SOURCE  DEST  PROTO  DPORT
SSH(ACCEPT)  net     $FW

At this point, edit /etc/shorewall/rules to add other connections as desired.
Starting and Stopping Your Firewall

The installation procedure configures your system to start Shorewall at system boot but startup is disabled so that your system won't try to start Shorewall before configuration is complete. Once you have completed configuration of your firewall, you must edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes. Users of the .deb package must edit /etc/default/shorewall and set startup=1.

While you are editing shorewall.conf, it is a good idea to check the value of the SUBSYSLOCK option. You can find a description of this option by typing 'man shorewall.conf' at a shell prompt and searching for SUBSYSLOCK.

The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is stopped, traffic is enabled on those hosts that have an entry in /etc/shorewall/stoppedrules (/etc/shorewall/routestopped in Shorewall 4.5.7 and earlier). A running firewall may be restarted using the shorewall reload command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear.

If you are connected to your firewall from the Internet, do not issue a shorewall stop command unless you have either:

used ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf, or
added an entry for the IP address that you are connected from to /etc/shorewall/routestopped.

Also, I don't recommend using shorewall reload; it is better to create an alternate configuration and test it using the shorewall try command.

The firewall will start after your network interface has been brought up. This leaves a small window between the time that the network interface is working and when the firewall is controlling connections through that interface. If this is a concern, you can close that window by installing the Shorewall Init Package.
If it Doesn't Work

Re-check each of the items flagged with a red arrow above.
Check your log.
Check the Troubleshooting Guide.
Check the FAQ.
Disabling your existing Firewall

Before starting Shorewall for the first time, it's a good idea to stop your existing firewall.

On older Redhat/CentOS/Fedora:

service iptables stop

On recent Fedora systems that run systemd, the command is:

systemctl stop iptables.service

If you are running SuSE, use Yast or Yast2 to stop SuSEFirewall.

On other systems that use a classic SysV init system:

/etc/init.d/iptables stop

Once you have Shorewall running to your satisfaction, you should totally disable your existing firewall.

On older Redhat/CentOS/Fedora:

chkconfig --del iptables

On Debian systems:

update-rc.d iptables disable

On recent Fedora systems running systemd:

systemctl disable iptables.service

At this point, disable your existing firewall service.
Additional Recommended Reading

I highly recommend that you review the Common Configuration File Features page -- it contains helpful tips about Shorewall features that make administering your firewall easier. Also, Operating Shorewall and Shorewall Lite contains a lot of useful operational hints.
shorewall-docs-xml-5.2.3/Documentation_Index.xml
Shorewall 5.0 Documentation

Tom Eastep

2001-2017 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Frequently Used Articles

FAQs
IPv4 Manpages
IPv6 Manpages
Configuration File Basics
Beginner Documentation
Troubleshooting

Documentation for Earlier Versions

Shorewall 4.4/4.6 Documentation
Shorewall 4.0/4.2 Documentation

Index to the HOWTOs and Other Articles

6to4 and 6in4 Tunnels
Accounting
Actions
Aliased (virtual) Interfaces (e.g., eth0:0)
Anatomy of Shorewall
Anti-Spoofing Measures
AUDIT Target support
Bandwidth Control
Blacklisting/Whitelisting
Bridge: Bridge/Firewall
Bridge: No firewalling of traffic between bridge port
Building Shorewall from GIT
Commands
Compiled Programs
Configuration File Basics
DHCP
DNAT (Destination Network Address Translation)
Docker
Dynamic Zones
ECN Disabling by host or subnet
Events
Extension Scripts (User Exits)
Fallback/Uninstall
FAQs
Features
Fool's Firewall
Forwarding Traffic on the Same Interface
FTP and Shorewall
Helpers/Helper Modules
Installation/Upgrade
IPP2P
IPSEC
Ipsets
IPv6 Support
ISO 3661 Country Codes
Kazaa Filtering
Kernel Configuration
KVM (Kernel-mode Virtual Machine)
Limiting Connection Rates
Linux Containers (LXC)
Linux-vserver
Logging
MAC Verification
Macros
Manpages
Manual Chains
Masquerading
Multiple Internet Connections from a Single Firewall
Multiple Zones Through One Interface
My Shorewall Configuration
Netfilter Overview
Network Mapping
One-to-one NAT (Static NAT)
OpenVPN
OpenVZ
Operating Shorewall
Packet Marking
Packet Processing in a Shorewall-based Firewall
'Ping' Management
Port Forwarding
Port Information
Port Knocking (deprecated)
Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match'
PPTP
Proxy ARP
QuickStart Guides
Release Model
Requirements
Routing and Shorewall
Routing on One Interface
Samba
Shared Shorewall/Shorewall6 Configuration
Shorewall Events
Shorewall Init
Shorewall Lite
Shorewall on a Laptop
Shorewall Perl
Shorewall Setup Guide
SMB
SNAT (Source Network Address Translation)
Split DNS the Easy Way
Squid with Shorewall
Starting/stopping the Firewall
Static (one-to-one) NAT
Support
Tips and Hints
Traffic Shaping/QOS - Complex
Traffic Shaping/QOS - Simple
Transparent Proxy
UPnP
Upgrade Issues
Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze)
VPN
VPN Passthrough
White List Creation
Xen - Shorewall in a Bridged Xen DomU
Xen - Shorewall in Routed Xen Dom0
shorewall-docs-xml-5.2.3/Macros.xml
Macros

Tom Eastep
Cristian Rodríguez

2005, 2016 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
Overview of Shorewall Macros

Shorewall macros allow a symbolic name to be associated with a series of one or more iptables rules. The symbolic name may appear in the ACTION column of an /etc/shorewall/rules file entry and in the TARGET column of an action, in which case the traffic matching that rules file entry will be passed to the series of iptables rules named by the macro. Macros can be thought of as templates. When a macro is invoked in an /etc/shorewall/rules entry, it may be qualified by a logging specification (log level and optionally a log tag). The presence of the log level/tag causes a modified series of rules to be generated in which each packet/rule match within the macro causes a log message to be generated.

There are two types of Shorewall macros:

Standard Macros. These macros are released as part of Shorewall. They are defined in macro.* files in /usr/share/shorewall. Each macro.* file has a comment at the beginning of the file that describes what the macro does. As an example, here is the definition of the SMB standard macro.

#
# Shorewall -- /usr/share/shorewall/macro.SMB
#
# This macro handles Microsoft SMB traffic. You need to invoke
# this macro in both directions. Beware! This rule opens a lot
# of ports, and could possibly be used to compromise your firewall
# if not used with care. You should only allow SMB traffic
# between hosts you fully trust.
#
######################################################################################
#TARGET  SOURCE  DEST  PROTO  DPORT        SPORT  ORIGDEST  RATE  USER
PARAM    -       -     udp    135,445
PARAM    -       -     udp    137:139
PARAM    -       -     udp    1024:        137
PARAM    -       -     tcp    135,139,445

If you wish to modify one of the standard macros, do not modify the definition in /usr/share/shorewall. Rather, copy the file to /etc/shorewall (or somewhere else on your CONFIG_PATH) and modify the copy. You can see a list of the Standard Macros in your version of Shorewall using the shorewall show macros command.
You can see the contents of the file macro.name by typing shorewall show macro name.

User-defined Macros. These macros are created by end-users. They are defined in macro.* files in /etc/shorewall or in another directory listed in your CONFIG_PATH (defined in /etc/shorewall/shorewall.conf).

Most Standard Macros are parameterized. That means that you specify what you want to do (ACCEPT, DROP, REJECT, etc.) when you invoke the macro. The SMB macro shown above is parameterized (note PARAM in the TARGET column). When invoking a parameterized macro, you follow the name of the macro with the action that you want to substitute for PARAM enclosed in parentheses.

Example:

/etc/shorewall/rules:

#ACTION      SOURCE  DEST  PROTO  DPORT
SMB(ACCEPT)  loc     $FW

The above is equivalent to coding the following series of rules:

#ACTION  SOURCE  DEST  PROTO  DPORT        SPORT
ACCEPT   loc     $FW   udp    135,445
ACCEPT   loc     $FW   udp    137:139
ACCEPT   loc     $FW   udp    1024:        137
ACCEPT   loc     $FW   tcp    135,139,445
Logging is covered in a following section. The other columns are treated as follows:

SOURCE and DEST

If a value other than "-" appears in both the macro body and in the invocation of the macro, then the value in the invocation is examined and the appropriate action is taken. If the value in the invocation appears to be an address (IP or MAC) or the name of an ipset, then it is placed after the value in the macro body. Otherwise, it is placed before the value in the macro body.

Example 1:

/etc/shorewall/macro.SMTP

#ACTION  SOURCE  DEST  PROTO  DPORT
PARAM    -       loc   tcp    25

/etc/shorewall/rules (Shorewall 4.0):

#ACTION          SOURCE  DEST         PROTO  DPORT
SMTP(DNAT):info  net     192.168.1.5

/etc/shorewall/rules (Shorewall 4.2.0 and later):

#ACTION          SOURCE  DEST         PROTO  DPORT
SMTP(DNAT):info  net     192.168.1.5

This would be equivalent to coding the following directly in /etc/shorewall/rules:

#ACTION    SOURCE  DEST             PROTO  DPORT
DNAT:info  net     loc:192.168.1.5  tcp    25
Example 2:

/etc/shorewall/macro.SMTP

#ACTION  SOURCE  DEST         PROTO  DPORT
PARAM    -       192.168.1.5  tcp    25

/etc/shorewall/rules

#ACTION          SOURCE  DEST  PROTO  DPORT
SMTP(DNAT):info  net     loc

This would be equivalent to coding the following directly in /etc/shorewall/rules:

#ACTION    SOURCE  DEST             PROTO  DPORT
DNAT:info  net     loc:192.168.1.5  tcp    25
You may also specify SOURCE or DEST in the SOURCE and DEST columns. This allows you to define macros that work in both directions.

Example 3:

/etc/shorewall/macro.SMBBI (Note: there is already a standard macro like this released as part of Shorewall):

#ACTION  SOURCE  DEST    PROTO  DPORT        SPORT  ORIGDEST  RATE  USER
PARAM    -       -       udp    135,445
PARAM    -       -       udp    137:139
PARAM    -       -       udp    1024:        137
PARAM    -       -       tcp    135,139,445
PARAM    DEST    SOURCE  udp    135,445
PARAM    DEST    SOURCE  udp    137:139
PARAM    DEST    SOURCE  udp    1024:        137
PARAM    DEST    SOURCE  tcp    135,139,445

/etc/shorewall/rules:

#ACTION        SOURCE  DEST  PROTO  DPORT
SMBBI(ACCEPT)  loc     $FW

This would be equivalent to coding the following directly in /etc/shorewall/rules:

#ACTION  SOURCE  DEST  PROTO  DPORT        SPORT
ACCEPT   loc     $FW   udp    135,445
ACCEPT   loc     $FW   udp    137:139
ACCEPT   loc     $FW   udp    1024:        137
ACCEPT   loc     $FW   tcp    135,139,445
ACCEPT   $FW     loc   udp    135,445
ACCEPT   $FW     loc   udp    137:139
ACCEPT   $FW     loc   udp    1024:        137
ACCEPT   $FW     loc   tcp    135,139,445
Remaining columns

Any value in the invocation replaces the value in the rule in the macro.
Defining your own Macros

To define a new macro:

Macro names must be valid shell variable names (must begin with a letter and be composed of letters, digits and underscore characters) as well as valid Netfilter chain names.

Copy /usr/share/shorewall/macro.template to /etc/shorewall/macro.MacroName (for example, if your new macro name is Foo then copy /usr/share/shorewall/macro.template to /etc/shorewall/macro.Foo).

Now modify the new file to define the new macro.
Shorewall 5.0.0 and Later The columns in a macro file are the same as those in shorewall-rules(5).
Shorewall 4.4.16 and Later

Beginning with Shorewall 4.4.16, the columns in macro.template are the same as those in shorewall-rules(5). The first non-commentary line in the template must be

FORMAT 2

Beginning with Shorewall 4.5.11, the preferred format is as shown below, and the above format is deprecated.

?FORMAT 2

There are no restrictions regarding the ACTIONs that can be performed in a macro.

Beginning with Shorewall 4.5.10, macros may also be used as default actions:

DEFAULT def

where def is the default value for PARAM.
Shorewall 4.4.15 and Earlier

Before 4.4.16, columns in the macro.template file were as follows:

ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, LOG, QUEUE, PARAM or an action name. Note that a macro may not invoke another macro.

ACCEPT - allow the connection request
ACCEPT+ - like ACCEPT but also excludes the connection from any subsequent DNAT[-] or REDIRECT[-] rules.
NONAT - Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] rules but doesn't generate a rule to accept the traffic.
DROP - ignore the request
REJECT - disallow the request and return an icmp unreachable or an RST packet.
DNAT - Forward the request to another address (and optionally another port).
DNAT- - Advanced users only. Like DNAT but only generates the DNAT iptables rule and not the companion ACCEPT rule.
SAME - Similar to DNAT except that the port may not be remapped and when multiple server addresses are listed, all requests from a given remote system go to the same server.
SAME- - Advanced users only. Like SAME but only generates the SAME iptables rule and not the companion ACCEPT rule.
REDIRECT - Redirect the request to a local port on the firewall.
REDIRECT- - Advanced users only. Like REDIRECT but only generates the REDIRECT iptables rule and not the companion ACCEPT rule.
CONTINUE - (For experts only). Do not process any of the following rules for this (source zone, destination zone). If the source and/or destination address falls into a zone defined later in /etc/shorewall/zones, this connection request will be passed to the rules defined for that (those) zone(s).
LOG - Simply log the packet and continue.
QUEUE - Queue the packet to a user-space application such as ftwall (http://p2pwall.sf.net).

The ACTION may optionally be followed by ":" and a syslog log level (e.g., REJECT:info or DNAT:debug). This causes the packet to be logged at the specified level.

SOURCE - Source hosts to which the rule applies. A comma-separated list of subnets and/or hosts. Hosts may be specified by IP or MAC address; MAC addresses must begin with ~ and must use - as a separator. Alternatively, clients may be specified by interface name. For example, eth1 specifies a client that communicates with the firewall system through eth1. This may be optionally followed by another colon (:) and an IP/MAC/subnet address as described above (e.g., eth1:192.168.1.5). May also contain 'DEST' as described above.

DEST - Location of Server. Same as above with the exception that MAC addresses are not allowed. Unlike in the SOURCE column, you may specify a range of up to 256 IP addresses using the syntax <first ip>-<last ip>. May also contain 'SOURCE' as described above.

PROTO - Protocol - Must be tcp, udp, icmp, a number, or all.

DEST PORT(S) - Destination Ports. A comma-separated list of port names (from /etc/services), port numbers or port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). A port range is expressed as <low port>:<high port>. This column is ignored if PROTOCOL = all but must be entered if any of the following fields are supplied. In that case, it is suggested that this field contain -. If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and in the CLIENT PORT(S) list below:

There are 15 or fewer ports listed.
No port ranges are included.

Otherwise, a separate rule will be generated for each port.

SOURCE PORT(S) - Port(s) used by the client. If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges. If you don't want to restrict client ports but need to specify an ADDRESS in the next column, then place "-" in this column. If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and in the DEST PORT(S) list above:

There are 15 or fewer ports listed.
No port ranges are included.

Otherwise, a separate rule will be generated for each port.

ORIGDEST (Shorewall-perl 4.2.0 and later) - To use this column, you must include 'FORMAT 2' as the first non-comment line in your macro file. If ACTION is DNAT[-] or REDIRECT[-] then if this column is included and is different from the IP address given in the DEST column, then connections destined for that address will be forwarded to the IP and port specified in the DEST column. A comma-separated list of addresses may also be used. This is most useful with the REDIRECT target where you want to redirect traffic destined for a particular set of hosts. Finally, if the list of addresses begins with "!" (exclusion) then the rule will be followed only if the original destination address in the connection request does not match any of the addresses listed.

For other actions, this column may be included and may contain one or more addresses (host or network) separated by commas. Address ranges are not allowed. When this column is supplied, rules are generated that require that the original destination address matches one of the listed addresses. This feature is most useful when you want to generate a filter rule that corresponds to a DNAT- or REDIRECT- rule. In this usage, the list of addresses should not begin with "!".

It is also possible to specify a set of addresses then exclude part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28 specifies the addresses 192.168.1.0-192.168.1.15 and 192.168.1.32-192.168.1.255. See shorewall-exclusion(5).

See http://shorewall.net/PortKnocking.html for an example of using an entry in this column with a user-defined action rule.

RATE LIMIT - You may rate-limit the rule by placing a value in this column:

<rate>/<interval>[:<burst>]

where <rate> is the number of connections per <interval> (sec or min) and <burst> is the largest burst permitted. If no <burst> is given, a value of 5 is assumed. There may be no whitespace embedded in the specification.

Example: 10/sec:20

USER/GROUP - For output rules (those with the firewall as their source), you may control connections based on the effective UID and/or GID of the process requesting the connection. This column can contain any of the following:

[!]<user number>[:]
[!]<user name>[:]
[!]:<group number>
[!]:<group name>
[!]<user number>:<group number>
[!]<user name>:<group number>
[!]<user number>:<group name>
[!]<user name>:<group name>
[!]+<program name> (Note: support for this form was removed from Netfilter in kernel version 2.6.14).

MARK - (Added in Shorewall-4.4.2) Defines a test on the existing packet or connection mark. The rule will match only if the test returns true. Must be empty or '-' if the macro is to be used within an action.

[!]value[/mask][:C]

! Inverts the test (not equal)
value Value of the packet or connection mark.
mask A mask to be applied to the mark before testing.
:C Designates a connection mark. If omitted, the packet mark's value is tested.

CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if the macro is to be used within an action.

[!]limit[:mask]

May be used to limit the number of simultaneous connections from each individual host to limit connections. Requires connlimit match in your kernel and iptables. While the limit is only checked on rules specifying CONNLIMIT, the number of current connections is calculated over all current connections from the SOURCE host. By default, the limit is applied to each host but can be made to apply to networks of hosts by specifying a mask. The mask specifies the width of a VLSM mask to be applied to the source address; the number of current connections is then taken over all hosts in the subnet source-address/mask. When ! is specified, the rule matches when the number of connections exceeds the limit.

TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the macro is to be used within an action.

<timeelement>[&...]

timeelement may be:

timestart=hh:mm[:ss] Defines the starting time of day.
timestop=hh:mm[:ss] Defines the ending time of day.
utc Times are expressed in Greenwich Mean Time.
localtz Times are expressed in Local Civil Time (default).
weekdays=ddd[,ddd]... where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
monthdays=dd[,dd],... where dd is an ordinal day of the month
datestart=yyyy[-mm[-dd[hh[:mm[:ss]]]]] Defines the starting date and time.
datestop=yyyy[-mm[-dd[hh[:mm[:ss]]]]] Defines the ending date and time.

Omitted column entries should be entered using a dash ("-").

Example:

/etc/shorewall/macro.LogAndAccept

LOG:info
ACCEPT

To use your macro, in /etc/shorewall/rules you might do something like:

#ACTION       SOURCE  DEST  PROTO  DPORT
LogAndAccept  loc     $FW   tcp    22
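The exclusion syntax described above, worked through in code. This is an added example, not code from Shorewall or shorewall-exclusion(5): parse_exclusion is a hypothetical helper that computes which address ranges an entry such as 192.168.1.0/24!192.168.1.16/28 covers, and it also handles comma-separated lists and more than one excluded block.

```python
"""Added example (not Shorewall's own code): compute the IPv4 address ranges
left by a Shorewall address list with an optional '!' exclusion, e.g.
192.168.1.0/24!192.168.1.16/28 -> 192.168.1.0-192.168.1.15, 192.168.1.32-192.168.1.255."""
import ipaddress
from typing import List, Tuple


def _networks(csv: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma-separated list of hosts/networks into network objects."""
    return [ipaddress.ip_network(item, strict=False) for item in csv.split(",") if item]


def parse_exclusion(spec: str) -> List[Tuple[str, str]]:
    """Return the (first, last) address ranges that remain after the exclusion.

    spec has the form  net[,net...][!excluded[,excluded...]]  (IPv4 only here).
    """
    included, _, excluded = spec.partition("!")
    if not included:
        raise ValueError("an exclusion must follow at least one included address")
    # Merge the included blocks first so overlapping entries are counted once.
    remaining = list(ipaddress.collapse_addresses(_networks(included)))
    for ex in _networks(excluded):
        kept = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                                # whole block excluded, drop it
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))    # punch a hole in the block
            else:
                kept.append(net)                        # disjoint, keep as is
        remaining = sorted(kept)
    # Join contiguous blocks so the result reads like the ranges on the page.
    ranges = []
    for net in remaining:
        first, last = net.network_address, net.broadcast_address
        if ranges and ranges[-1][1] + 1 == first:
            ranges[-1] = (ranges[-1][0], last)
        else:
            ranges.append((first, last))
    return [(str(a), str(b)) for a, b in ranges]


if __name__ == "__main__":
    for spec in ("192.168.1.0/24!192.168.1.16/28",
                 "192.168.1.0/25,192.168.1.128/25!192.168.1.200"):
        print(spec, "->", parse_exclusion(spec))
```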
Macros and Logging

Specifying a log level in a rule that invokes a user- or Shorewall-defined macro will cause each rule in the macro to be logged with the specified level (and tag). The extent to which logging of macro rules occurs is governed by the following:

When you invoke a macro and specify a log level, only those rules in the macro that have no log level will be changed to log at the level specified at the macro invocation.

Example:

/etc/shorewall/macro.foo

#ACTION   SOURCE  DEST  PROTO  DPORT
ACCEPT    -       -     tcp    22
bar:info

/etc/shorewall/rules:

#ACTION    SOURCE  DEST  PROTO  DPORT
foo:debug  $FW     net

Logging in the invoked 'foo' macro will be as if foo had been defined as:

#ACTION       SOURCE  DEST  PROTO  DPORT
ACCEPT:debug  -       -     tcp    22
bar:info

If you follow the log level with "!" then logging will be at that level for all rules recursively invoked by the macro.

Example:

/etc/shorewall/macro.foo

#ACTION   SOURCE  DEST  PROTO  DPORT
ACCEPT    -       -     tcp    22
bar:info

/etc/shorewall/rules:

#ACTION     SOURCE  DEST  PROTO  DPORT
foo:debug!  $FW     net

Logging in the invoked 'foo' macro will be as if foo had been defined as:

#ACTION       SOURCE  DEST  PROTO  DPORT
ACCEPT:debug  -       -     tcp    22
bar:debug
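The PARAM substitution, the SOURCE/DEST placement rule from the examples above and the log-level rules of this section, implemented together as an added example that is not Shorewall's own compiler code. expand, merge_endpoint and looks_like_address are hypothetical helpers; the macro bodies are copied from the page's examples, and only the ACTION SOURCE DEST PROTO DPORT SPORT columns are handled.

```python
"""Added example (not Shorewall's compiler): expand a macro invocation from
/etc/shorewall/rules into the plain rules it stands for, following the PARAM,
SOURCE/DEST and logging rules described on this page."""
import ipaddress
import re
from typing import List

COLS = 6  # ACTION SOURCE DEST PROTO DPORT SPORT

# Macro bodies copied from the page's examples (TARGET SOURCE DEST PROTO DPORT SPORT).
MACRO_SMB = """\
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
"""
MACRO_SMTP_EX1 = "PARAM - loc tcp 25\n"          # Example 1: a zone in the body
MACRO_SMTP_EX2 = "PARAM - 192.168.1.5 tcp 25\n"  # Example 2: an address in the body
MACRO_FOO = "ACCEPT - - tcp 22\nbar:info\n"      # logging example ('bar' is an action)

# name[(PARAM)][:level[:tag]][!]   e.g. SMB(ACCEPT), SMTP(DNAT):info, foo:debug!
INVOCATION = re.compile(r"^(?P<name>\w+)(?:\((?P<param>[^)]*)\))?"
                        r"(?::(?P<level>[^!]+)(?P<bang>!)?)?$")


def _rows(text: str) -> List[List[str]]:
    """Split a macro body into rows, padding missing columns with '-'."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            rows.append(fields + ["-"] * (COLS - len(fields)))
    return rows


def looks_like_address(value: str) -> bool:
    """True for an IP host/network/range, a MAC address (~...) or an ipset (+...)."""
    if value.startswith(("~", "+")):
        return True
    try:
        ipaddress.ip_network(value.split("-", 1)[0], strict=False)
        return True
    except ValueError:
        return False


def merge_endpoint(body: str, invocation: str) -> str:
    """The page's SOURCE/DEST rule: an address from the invocation goes after the
    macro's value, anything else (normally a zone name) goes before it."""
    if body == "-":
        return invocation
    if invocation == "-":
        return body
    return f"{body}:{invocation}" if looks_like_address(invocation) else f"{invocation}:{body}"


def expand(rule: str, macro_body: str) -> List[str]:
    """Expand one rules-file line that invokes a macro into equivalent plain rules."""
    inv = rule.split()
    inv += ["-"] * (COLS - len(inv))
    m = INVOCATION.match(inv[0])
    if not m:
        raise ValueError(f"not a macro invocation: {inv[0]}")
    param, inv_level, force_level = m["param"], m["level"], bool(m["bang"])
    expanded = []
    for row in _rows(macro_body):
        action = param if row[0] == "PARAM" and param else row[0]
        base, _, level = action.partition(":")
        if inv_level and (force_level or not level):
            level = inv_level   # '!' overrides every rule, otherwise only unlogged ones
        action = f"{base}:{level}" if level else base
        # A literal DEST/SOURCE in the body swaps in the invocation's other endpoint.
        src = inv[2] if row[1] == "DEST" else merge_endpoint(row[1], inv[1])
        dst = inv[1] if row[2] == "SOURCE" else merge_endpoint(row[2], inv[2])
        # Remaining columns: a value given in the invocation replaces the macro's.
        rest = [i if i != "-" else b for b, i in zip(row[3:], inv[3:])]
        cols = [action, src, dst] + rest
        while cols[-1] == "-":
            cols.pop()
        expanded.append(" ".join(cols))
    return expanded


if __name__ == "__main__":
    for rule, body in (("SMB(ACCEPT) loc $FW", MACRO_SMB),
                       ("SMTP(DNAT):info net 192.168.1.5", MACRO_SMTP_EX1),
                       ("foo:debug! $FW net", MACRO_FOO)):
        print(rule, "->", expand(rule, body))
```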
How do I know if I should create an Action or a Macro? While actions and macros perform similar functions, in any given case you will generally find that one is more appropriate than the other. Embedded Perl is much more useful in an action than it is in a macro. So if you need access to iptables features not directly supported by Shorewall then you should use an action. Macros are expanded in-line while each action (that doesn't specify the inline option) is its own chain. So if there are a lot of rules involved in your new action/macro then it is generally better to use an action than a macro. Only the packets selected when you invoke the action are directed to the corresponding chain. On the other hand, if there are only one or two rules involved in what you want to do then a macro is more efficient. In-line actions, introduced in Shorewall 4.5.10, are very similar to macros. The advantage of in-line actions is that they may have parameters and can use the other action variables.
shorewall-docs-xml-5.2.3/Shorewall_and_Aliased_Interfaces.xml
Shorewall and Aliased Interfaces

Tom Eastep

2001-2009 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
Background

The traditional net-tools contain a program called ifconfig which is used to configure network devices. ifconfig introduced the concept of aliased or virtual interfaces. These virtual interfaces have names of the form interface:integer (e.g., eth0:0) and ifconfig treats them more or less like real interfaces.

ifconfig

[root@gateway root]# ifconfig eth0:0
eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55
          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0x2000
[root@gateway root]#

The ifconfig utility is being gradually phased out in favor of the ip utility which is part of the iproute package. The ip utility does not use the concept of aliases or virtual interfaces but rather treats additional addresses on an interface as objects in their own right. The ip utility does provide for interaction with ifconfig in that it allows addresses to be labeled where these labels take the form of ifconfig virtual interfaces.

ip

[root@gateway root]# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]#

One cannot type ip addr show dev eth0:0 because eth0:0 is a label for a particular address rather than a device name.

[root@gateway root]# ip addr show dev eth0:0
Device "eth0:0" does not exist.
[root@gateway root]#

The iptables program doesn't support virtual interfaces in either its -i or -o command options; as a consequence, Shorewall does not allow them to be used in the /etc/shorewall/interfaces file or anywhere else except as described in the discussion below.
Adding Addresses to Interfaces

Most distributions have a facility for adding additional addresses to interfaces. If you have already used your distribution's capability to add your required addresses, you can skip this section.

Shorewall provides facilities for automatically adding addresses to interfaces as described in the following section. It is also easy to add them yourself using the ip utility. The above alias was added using:

ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0

You probably want to arrange to add these addresses when the device is started rather than placing commands like the above in one of the Shorewall extension scripts. For example, on RedHat systems, you can place the commands in /sbin/ifup-local:

#!/bin/sh
case $1 in
    eth0)
        /sbin/ip addr add 206.124.146.178 dev eth0 label eth0:0
        ;;
esac

RedHat systems also allow adding such aliases from the network administration GUI (which only works well if you have a graphical environment on your firewall).

On Debian and LEAF/Bering systems, it is as simple as adding the command to the interface definition as follows:

# Internet interface
auto eth0
iface eth0 inet static
    address 206.124.146.176
    netmask 255.255.255.0
    gateway 206.124.146.254
    up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0
So how do I handle more than one address on an interface? The answer depends on what you are trying to do with the interfaces. In the sub-sections that follow, we'll take a look at common scenarios. The examples in the following sub-sections assume that the local network is 192.168.1.0/24.
Separate Rules

If you need to make a rule for traffic to/from the firewall itself that only applies to a particular IP address, simply qualify the $FW zone with the IP address.

Example: allow SSH from net to eth0:0 above

/etc/shorewall/rules

#ACTION  SOURCE  DEST                 PROTO  DPORT
ACCEPT   net     $FW:206.124.146.178  tcp    22
DNAT

Suppose that I had set up eth0:0 as above and I wanted to port forward from that virtual interface to a web server running in my local zone at 192.168.1.3. That is accomplished by a single rule in the /etc/shorewall/rules file:

#ACTION  SOURCE  DEST             PROTO  DPORT  SPORT  ORIGDEST
DNAT     net     loc:192.168.1.3  tcp    80     -      206.124.146.178

If I wished to forward tcp port 10000 on that virtual interface to port 22 on local host 192.168.1.3, the rule would be:

#ACTION  SOURCE  DEST                PROTO  DPORT  SPORT  ORIGDEST
DNAT     net     loc:192.168.1.3     tcp    80     -      206.124.146.178
DNAT     net     loc:192.168.1.3:22  tcp    10000  -      206.124.146.178
SNAT

If you wanted to use eth0:0 as the IP address for outbound connections from your local zone (eth1), then in /etc/shorewall/masq:

#INTERFACE  SUBNET          ADDRESS
eth0        192.168.1.0/24  206.124.146.178

When running Shorewall 5.0.14 or later, the equivalent /etc/shorewall/snat is:

#ACTION                SOURCE     DEST  PROTO  PORT
SNAT(206.124.146.178)  0.0.0.0/0  eth0

Similarly, if you want SMTP traffic from local system 192.168.1.22 to have source IP 206.124.146.178:

#INTERFACE  SUBNET        ADDRESS          PROTO  DPORT
eth0        192.168.1.22  206.124.146.178  tcp    25

When running Shorewall 5.0.14 or later, the equivalent /etc/shorewall/snat is:

#ACTION                SOURCE     DEST  PROTO  PORT
SNAT(206.124.146.178)  0.0.0.0/0  eth0  tcp    25

Shorewall can create the alias (additional address) for you if you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Addresses added by ADD_SNAT_ALIASES=Yes are deleted and re-added during shorewall restart. As a consequence, connections using those addresses may be severed.

Shorewall can create the label (virtual interface) so that you can see the created address using ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE column as follows.

/etc/shorewall/masq

#INTERFACE  SUBNET          ADDRESS
eth0:0      192.168.1.0/24  206.124.146.178

When running Shorewall 5.0.14 or later, the equivalent /etc/shorewall/snat is:

#ACTION                SOURCE          DEST  PROTO  PORT
SNAT(206.124.146.178)  192.168.1.0/24  eth0

Shorewall can also set up SNAT to round-robin over a range of IP addresses. To do that, you specify a range of IP addresses in the ADDRESS column. If you specify a label in the INTERFACE column, Shorewall will use that label for the first address of the range and will increment the label by one for each subsequent address.
/etc/shorewall/masq:

#INTERFACE  SOURCE          ADDRESS
eth0:0      192.168.1.0/24  206.124.146.178-206.124.146.180

When running Shorewall 5.0.14 or later, the equivalent /etc/shorewall/snat is:

#ACTION                                SOURCE          DEST  PROTO  PORT
SNAT(206.124.146.178-206.124.146.180)  192.168.1.0/24  eth0

The above would create three IP addresses:

eth0:0 = 206.124.146.178
eth0:1 = 206.124.146.179
eth0:2 = 206.124.146.180
One-to-one NAT

If you wanted to use one-to-one NAT to link eth0:0 with local address 192.168.1.3, you would have the following in /etc/shorewall/nat:

#EXTERNAL        INTERFACE  INTERNAL     ALL_INTERFACES  LOCAL
206.124.146.178  eth0       192.168.1.3  no              no

Shorewall can create the alias (additional address) for you if you set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Addresses added by ADD_IP_ALIASES=Yes are deleted and re-added during shorewall restart. As a consequence, connections using those addresses may be severed.

Shorewall can also create the label (virtual interface) so that you can see the created address using ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE column as follows.

/etc/shorewall/nat:

#EXTERNAL        INTERFACE  INTERNAL     ALL_INTERFACES  LOCAL
206.124.146.178  eth0:0     192.168.1.3  no              no

In either case, to create rules in /etc/shorewall/rules that pertain only to this NAT pair, you simply qualify the local zone with the internal IP address. Example: you want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.

#ACTION  SOURCE  DEST             PROTO  DPORT
ACCEPT   net     loc:192.168.1.3  tcp    22
MULTIPLE SUBNETS

Sometimes multiple IP addresses are used because there are multiple subnetworks configured on a LAN segment. This technique does not provide for any security between the subnetworks if the users of the systems have administrative privileges because in that case, the users can simply manipulate their system's routing table to bypass your firewall/router. Nevertheless, there are cases where you simply want to consider the LAN segment itself as a zone and allow your firewall/router to route between the two subnetworks.

Example 1: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. You simply want your firewall to route between these two subnetworks.

In /etc/shorewall/zones:

#ZONE  TYPE  OPTIONS
loc    ipv4

In /etc/shorewall/interfaces:

#ZONE  INTERFACE  OPTIONS
loc    eth1       routeback

In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that you want to permit.

Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. You want to make these subnetworks into separate zones and control the access between them (the users of the systems do not have administrative privileges).

In /etc/shorewall/zones:

#ZONE  TYPE  OPTIONS
loc    ipv4
loc2   ipv4

In /etc/shorewall/interfaces:

#ZONE  INTERFACE  OPTIONS
-      eth1

In /etc/shorewall/hosts:

#ZONE  HOSTS                 OPTIONS
loc    eth1:192.168.1.0/24
loc2   eth1:192.168.20.0/24

In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that you want to permit.

For more information on handling multiple networks through a single interface, see Routing on One Interface.
Defining a Zone-per-Address

Shorewall's support for Linux Vservers can be (mis-)used to create a separate zone per alias. Note that this results in a partitioning of the firewall zone. In this usage, you probably want to define an ACCEPT policy between your vserver zones and the firewall zone.
One-to-one NAT Tom Eastep 2001-2004 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
One-to-one NAT

If all you want to do is forward ports to servers behind your firewall, you do NOT want to use one-to-one NAT. Port forwarding can be accomplished with simple entries in the rules file.

One-to-one NAT is a way to make systems behind a firewall and configured with private IP addresses (those reserved for private use in RFC 1918) appear to have public IP addresses. Before you try to use this technique, I strongly recommend that you read the Shorewall Setup Guide.

The following figure represents a one-to-one NAT environment. One-to-one NAT can be used to make the systems with the 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we assume that the interface to the upper subnet is eth0, then the following /etc/shorewall/nat file would make the lower left-hand system appear to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.19. It should be stressed that these entries in the /etc/shorewall/nat file do not automatically enable traffic between the external network and the internal host(s) — such traffic is still subject to your policies and rules.

/etc/shorewall/nat:

#EXTERNAL        INTERFACE  INTERNAL  ALLINTS  LOCAL
130.252.100.18   eth0       10.1.1.2  no       no
130.252.100.19   eth0       10.1.1.3  no       no

Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above example) is (are) not included in any specification in /etc/shorewall/masq (/etc/shorewall/snat) or /etc/shorewall/proxyarp.

The ALL INTERFACES column is used to specify whether access to the external IP from all firewall interfaces should undergo NAT (Yes or yes) or if only access from the interface in the INTERFACE column should undergo NAT. If you leave this column empty, No is assumed. Specifying Yes in this column will not by itself allow systems on the lower LAN to access each other using their public IP addresses. For example, the lower left-hand system (10.1.1.2) cannot connect to 130.252.100.19 and expect to be connected to the lower right-hand system. See FAQ 2a.

Shorewall will automatically add the external address to the specified interface unless you specify ADD_IP_ALIASES=no (or No) in /etc/shorewall/shorewall.conf; if you do not set ADD_IP_ALIASES or if you set it to Yes or yes then you must NOT configure your own alias(es).

The contents of the LOCAL column determine whether packets originating on the firewall itself and destined for the EXTERNAL address are redirected to the internal ADDRESS. If this column contains yes or Yes (and the ALL INTERFACES column also contains Yes or yes) then such packets are redirected; otherwise, such packets are not redirected. This feature requires that you enabled CONFIG_IP_NF_NAT_LOCAL in your kernel.

Entries in /etc/shorewall/nat only arrange for address translation; they do not allow traffic to pass through the firewall in violation of your policies. In the above example, suppose that you wish to run a web server on 10.1.1.2 (a.k.a. 130.252.100.18). You would need the following entry in /etc/shorewall/rules:

#ACTION  SOURCE  DEST          PROTO  DPORT  SPORT  ORIGDEST
ACCEPT   net     loc:10.1.1.2  tcp    80     -      130.252.100.18
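The warning above (an INTERNAL host in /etc/shorewall/nat must not also be covered by /etc/shorewall/snat or /etc/shorewall/proxyarp) is easy to violate on a busy firewall. The following checker is an added example, not Shorewall code: it parses the three files in the column layout Shorewall uses and reports every one-to-one NAT host that another file would also translate. The file contents are constructed samples modelled on the tables in the text.

```python
"""Cross-check /etc/shorewall/nat against snat and proxyarp (added example)."""
import ipaddress

# Constructed sample of /etc/shorewall/nat (the table from the text).
NAT = """\
#EXTERNAL        INTERFACE  INTERNAL  ALLINTS  LOCAL
130.252.100.18   eth0       10.1.1.2  no       no
130.252.100.19   eth0       10.1.1.3  no       no
"""
# Constructed: masquerading the whole lower LAN swallows both NAT hosts.
SNAT = """\
#ACTION                SOURCE       DEST  PROTO  PORT
SNAT(130.252.100.17)   10.1.1.0/24  eth0
"""
# Constructed: proxy ARP for one of the same hosts.
PROXYARP = """\
#ADDRESS  INTERFACE  EXTERNAL  HAVEROUTE
10.1.1.3  eth1       eth0      no
"""


def rows(text):
    """Yield the columns of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            yield line.split()


def covers(spec, addr):
    """True if a Shorewall address list covers addr.

    Handles single hosts, CIDR networks, comma-separated lists, '!' exclusions
    and '-' (any address).  An exclusion wins over any inclusion.
    """
    if spec == '-':
        return True
    ip = ipaddress.ip_address(addr)
    includes, excludes = [], []
    for item in spec.split(','):
        target = excludes if item.startswith('!') else includes
        target.append(ipaddress.ip_network(item.lstrip('!'), strict=False))
    if any(ip in net for net in excludes):
        return False
    return not includes or any(ip in net for net in includes)


def check(nat=NAT, snat=SNAT, proxyarp=PROXYARP):
    """Return (internal_address, file, offending_line) for every conflict."""
    conflicts = []
    for _external, _interface, internal, *_rest in rows(nat):
        for cols in rows(snat):
            # snat columns: ACTION SOURCE DEST ...; a missing SOURCE means any.
            source = cols[1] if len(cols) > 1 else '-'
            if covers(source, internal):
                conflicts.append((internal, 'snat', ' '.join(cols)))
        for cols in rows(proxyarp):
            # proxyarp columns: ADDRESS INTERFACE EXTERNAL ...; ADDRESS is one host.
            if cols[0] == internal:
                conflicts.append((internal, 'proxyarp', ' '.join(cols)))
    return conflicts


if __name__ == '__main__':
    for internal, source_file, line in check():
        print('%s is one-to-one NATed but also appears in %s: %s'
              % (internal, source_file, line))
```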
ARP cache

A word of warning is in order here. ISPs typically configure their routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with one-to-one NAT, it will probably be HOURS before that system can communicate with the Internet. If you sniff traffic on the firewall's external interface, you can see incoming traffic for the internal system(s) but the traffic is never sent out the internal interface.

You can determine if your ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we suspect that the gateway router has a stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:

tcpdump -nei eth0 icmp

Now from 10.1.1.3, ping the ISP's gateway (which we will assume is 130.252.100.254):

ping 130.252.100.254

We can now observe the tcpdump output:

13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply

Notice that the source MAC address in the echo request is different from the destination MAC address in the echo reply!! In this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 was the MAC address of the system on the lower right. In other words, the gateway's ARP cache still associates 130.252.100.19 with the NIC in that system rather than with the firewall's eth0.

If you have this problem, there are a couple of things that you can try:

A reading of TCP/IP Illustrated, Vol 1 by Stevens reveals (courtesy of Bradey Honsinger) that a gratuitous ARP packet should cause the ISP's router to refresh their ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC address for its own IP; in addition to ensuring that the IP address isn't a duplicate...

"if the host sending the gratuitous ARP has just changed its hardware address..., this packet causes any other host...that has an entry in its cache for the old hardware address to update its ARP cache entry accordingly."

Which is, of course, exactly what you want to do when you switch a host from being exposed to the Internet to behind Shorewall using one-to-one NAT (or Proxy ARP for that matter). Happily enough, recent versions of Redhat's iputils package include arping, whose -U flag does just that:

arping -U -I <net if> <newly proxied IP>
arping -U -I eth0 66.58.99.83    # for example

Stevens goes on to mention that not all systems respond correctly to gratuitous ARPs, but googling for arping -U seems to support the idea that it works most of the time. To use arping with one-to-one NAT in the above example, you would have to:

shorewall clear
ip addr add 130.252.100.18 dev eth0    # You need to add the addresses only if shorewall clear
ip addr add 130.252.100.19 dev eth0    # deletes them
arping -U -c 10 -I eth0 130.252.100.18
arping -U -c 10 -I eth0 130.252.100.19
ip addr del 130.252.100.18 dev eth0    # You need to delete the addresses only if you added
ip addr del 130.252.100.19 dev eth0    # them above
shorewall start
You can call your ISP and ask them to purge the stale ARP cache entry but many either can't or won't purge individual entries.
There are two distinct versions of arping available:

arping by Thomas Habets (Debian package arping).

arping as part of the iputils package by Alexey Kuznetsov (Debian package iputils-arping).

You want the second one by Alexey Kuznetsov.
Connection Rate Limiting Tom Eastep 2008 2009 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction

Shorewall supports several mechanisms for limiting connection rates. These are described in the following sections.

Rates are expressed in terms of a number of connections per unit of time and a burst. An interval is calculated by dividing the unit of time by the number of connections allowed in that unit of time:

connections/{sec|min|hour|day|week|month}[:burst]

Example: 4/min:5

Connections = 4
Unit of time = 1 minute
Interval = 1 minute/4 = 15 seconds
Burst = 5

As each connection arrives, if the burst count is > 0 the burst count is reduced by one and the connection is accepted. After each interval (15 seconds) that passes without a connection arriving, the burst count is incremented by 1 but is not allowed to exceed its initial setting (5).

By default, the aggregate connection rate is limited. If the specification is preceded by "s:" or "d:", then the rate is limited per SOURCE or per DESTINATION IP address respectively.
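The arithmetic above is easier to trust once you replay a few arrivals through it. The model below is an added example, not Shorewall code: it parses a rate specification into connections, unit, interval and burst, and then applies the burst accounting the text describes (one credit consumed per accepted connection, one credit restored per full interval that passes without an arrival, capped at the burst). It is a simplified model of the netfilter limit match, not the kernel's algorithm; it accepts the units sec, min, hour and day, and assumes a default burst of 5 (the iptables limit default) where the specification omits one, since the text does not state a default.

```python
"""Model of the Shorewall rate specification [s:|d:]connections/unit[:burst] (added example)."""
import re
from collections import namedtuple

# Units understood by this model (assumption: the iptables units; week/month omitted).
UNIT_SECONDS = {'sec': 1, 'min': 60, 'hour': 3600, 'day': 86400}

RATE_RE = re.compile(
    r'^(?:(?P<scope>[sd]):)?(?P<connections>\d+)/(?P<unit>sec|min|hour|day)'
    r'(?::(?P<burst>\d+))?$')

# scope: None (aggregate), 's' (per source IP) or 'd' (per destination IP)
Rate = namedtuple('Rate', 'scope connections unit_seconds interval burst')


def parse_rate(spec):
    """'4/min:5' -> Rate(scope=None, connections=4, unit_seconds=60, interval=15.0, burst=5)."""
    m = RATE_RE.match(spec)
    if not m:
        raise ValueError('bad rate specification: %r' % spec)
    connections = int(m['connections'])
    unit = UNIT_SECONDS[m['unit']]
    # Assumption: no burst given means 5, the iptables limit-burst default.
    burst = int(m['burst']) if m['burst'] else 5
    return Rate(m['scope'], connections, unit, unit / connections, burst)


def admit(spec, arrivals):
    """Replay (time_seconds, src, dst) arrivals; return True (accepted) or False per connection.

    Each bucket starts with ``burst`` credits.  A connection is accepted when its
    bucket has a credit, consuming one.  For every full interval that elapsed
    since the bucket's previous arrival, one credit is restored, never exceeding
    ``burst``.  With scope 's' or 'd' there is one bucket per source or
    destination address; otherwise a single aggregate bucket.
    """
    rate = parse_rate(spec)
    credits, last_seen, results = {}, {}, []
    for t, src, dst in arrivals:
        bucket = {'s': src, 'd': dst}.get(rate.scope)   # None = aggregate bucket
        if bucket in last_seen:
            idle_intervals = int((t - last_seen[bucket]) // rate.interval)
            credits[bucket] = min(rate.burst, credits[bucket] + idle_intervals)
        else:
            credits[bucket] = rate.burst
        last_seen[bucket] = t
        if credits[bucket] > 0:
            credits[bucket] -= 1
            results.append(True)
        else:
            results.append(False)
    return results


if __name__ == '__main__':
    # Six connections one second apart, then two more after a 16-second gap
    # (constructed addresses from the documentation ranges).
    times = (0, 1, 2, 3, 4, 5, 21, 22)
    print(admit('4/min:5', [(t, '198.51.100.7', '203.0.113.1') for t in times]))
```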
Policy Rate Limiting The LIMIT column in the /etc/shorewall/policy file applies to TCP connections that are subject to the policy. The limiting is applied BEFORE the connection request is passed through the rules generated by entries in /etc/shorewall/rules. Those connections in excess of the limit are logged and dropped.
Rules Rate Limiting The RATE LIMIT column in the /etc/shorewall/rules file allows limiting of ACCEPT, DNAT and Action rules.
Limit Action The Limit Action is a legacy mechanism that limits connections per source IP. It does not support the notion of a burst size.
Shorewall Blacklisting/Whitelisting Support Tom Eastep 2002-2006 2010 2011 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 4.4 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
Introduction

Shorewall supports two different types of blacklisting: rule-based, static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf controls the degree of blacklist filtering. The BLACKLIST option lists the Netfilter connection-tracking states that blacklist rules are to be applied to (states are NEW, ESTABLISHED, RELATED, INVALID, NOTRACK). The BLACKLIST option supersedes the BLACKLISTNEWONLY option:

BLACKLISTNEWONLY=No -- All incoming packets are checked against the blacklist. New blacklist entries can be used to terminate existing connections.

BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new connection requests. Blacklists may not be used to terminate existing connections.

For automatic blacklisting based on exceeding defined thresholds, see Events.
Rule-based Blacklisting

Beginning with Shorewall 4.4.25, the preferred method of blacklisting and whitelisting is to use the blrules file (shorewall-blrules (5)). There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions, standard and custom macros as well as standard and custom actions. See shorewall-blrules (5) for details.

Example:

#ACTION    SOURCE              DEST  PROTO  DPORT
WHITELIST  net:70.90.191.126   all
DROP       net                 all   udp    1023:1033,1434,5948,23773
DROP       all                 net   udp    1023:1033
DROP       net                 all   tcp    57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
DROP       net:221.192.199.48  all
DROP       net:61.158.162.9    all
DROP       net:81.21.54.100    all   tcp    25
DROP       net:84.108.168.139  all
DROP       net:200.55.14.18    all

Beginning with Shorewall 4.4.26, the update command supports a -b option that causes your legacy blacklisting configuration to be converted to use the blrules file.
Chain-based Dynamic Blacklisting

Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by setting DYNAMIC_BLACKLIST=Yes in shorewall.conf. Prior to that release, the feature is always enabled. Once enabled, dynamic blacklisting doesn't use any configuration parameters but is rather controlled using /sbin/shorewall[-lite] commands. Note that to and from may only be specified when running Shorewall 4.4.12 or later.

drop [to|from] <ip address list> - causes packets from the listed IP addresses to be silently dropped by the firewall.

reject [to|from] <ip address list> - causes packets from the listed IP addresses to be rejected by the firewall.

allow [to|from] <ip address list> - re-enables receipt of packets from hosts previously blacklisted by a drop or reject command.

save - saves the dynamic blacklisting configuration so that it will be automatically restored the next time that the firewall is restarted. Update: Beginning with Shorewall 4.4.10, the dynamic blacklist is automatically retained over stop/start sequences and over restart and reload.

show dynamic - displays the dynamic blacklisting configuration.

logdrop [to|from] <ip address list> - causes packets from the listed IP addresses to be dropped and logged by the firewall. Logging will occur at the level specified by the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at the 'info' level if no BLACKLIST_LOGLEVEL was given).

logreject [to|from] <ip address list> - causes packets from the listed IP addresses to be rejected and logged by the firewall. Logging will occur at the level specified by the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at the 'info' level if no BLACKLIST_LOGLEVEL was given).
Ipset-based Dynamic Blacklisting

Beginning with Shorewall 5.0.8, it is possible to use an ipset to hold blacklisted addresses. The DYNAMIC_BLACKLIST option was expanded to:

DYNAMIC_BLACKLIST={Yes|No|ipset[-only][,option[,...]][:[setname][:log_level|:log_tag]]}

When ipset or ipset-only is specified, the shorewall blacklist command is used to blacklist a single host or a network. The allow command is used to remove entries from the ipset. The name of the set (setname) and the level (log_level), if any, at which blacklisted traffic is to be logged may also be specified. The default set name is SW_DBL4 and the default log level is none (no logging). If ipset-only is given, then chain-based dynamic blacklisting is disabled just as if DYNAMIC_BLACKLIST=No had been specified.

Possible options are:

src-dst - Normally, only packets whose source address matches an entry in the ipset are dropped. If src-dst is included, then packets whose destination address matches an entry in the ipset are also dropped.

disconnect - The disconnect option was added in Shorewall 5.0.13 and requires that the conntrack utility be installed on the firewall system. When an address is blacklisted using the blacklist command, all connections originating from that address are disconnected. If the src-dst option was also specified, then all connections to that address are also disconnected.

timeout=seconds - Added in Shorewall 5.0.13. Normally, Shorewall creates the dynamic blacklisting ipset with timeout 0, which means that entries are permanent. If you want entries in the set that are not accessed for a period of time to be deleted from the set, you may specify that period using this option. Note that the blacklist command can override the ipset's timeout setting.

Once the dynamic blacklisting ipset has been created, changing this option setting requires a complete restart of the firewall: shorewall restart if RESTART=restart, otherwise shorewall stop && shorewall start.

When ipset-based dynamic blacklisting is enabled, the contents of the blacklist will be preserved over stop/reboot/start sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if setname is included in the list of sets to be saved in SAVE_IPSETS.
BLACKLIST Policy and Action Beginning with Shorewall 5.1.1, it is possible to specify BLACKLIST in the POLICY column of shorewall-policy(5) when ipset-based dynamic blacklisting is being used. When a packet is disposed of via the BLACKLIST policy, the packet's sender is added to the dynamic blacklist ipset and the packet is dropped. Also available beginning with Shorewall 5.1.1 is a BLACKLIST action for use in the rules file, macros and filter table actions. Execute the shorewall show action BLACKLIST command for details.
Standalone Firewall Tom Eastep 2002-2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0, then see the documentation for that release. The sample configuration files shipped with Shorewall 3.0.0 and 3.0.1 were incorrect. The first error generated was:

ERROR: No Firewall Zone Defined

Corrected 'zones' and 'interfaces' files are available at http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.1/errata/one-interface/. This problem is fixed in Shorewall 3.0.2.
Introduction

Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow this documentation. This guide does not attempt to acquaint you with all of the features of Shorewall. It rather focuses on what is required to configure Shorewall in its most common configurations:

A Linux system.

A single external (public) IP address.

An Internet connection through a cable modem, DSL, ISDN, Frame Relay, dial-up ... or you have a connection to a LAN and you simply want to protect your Linux system from the other systems on that LAN.
System Requirements

Shorewall requires that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the which command to check for this program:

[root@gateway root]# which ip
/sbin/ip
[root@gateway root]#
Before You Start

I recommend that you read through the whole guide first to familiarize yourself with what's involved, then go back through it again making your configuration changes.

If you edit your configuration files on a Windows system, you must save them as Unix files if your editor supports that option, or you must run them through dos2unix before trying to use them. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix against the copy before using it with Shorewall.

Windows version of dos2unix

Linux version of dos2unix
Conventions

Points at which changes to your configuration are recommended are flagged.
PPTP/ADSL

If you have an ADSL modem and you use PPTP to communicate with a server on that modem, you must make the changes recommended here in addition to those described in the steps below. ADSL with PPTP is most commonly found in Europe, notably in Austria.
Shorewall Concepts

The configuration files for Shorewall are located in the directory /etc/shorewall -- for simple setups, you will only need to deal with a few of these, as described in this guide.

Note for Debian users: If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies. Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even if you do not modify those files.

After you have installed Shorewall, you can find the sample configuration files in the following locations:

If you installed using an RPM, the samples will be in the Samples/one-interface/ subdirectory of the Shorewall documentation directory. If you don't know where the Shorewall documentation directory is, you can find the samples using this command:

~# rpm -ql shorewall | fgrep one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
/usr/share/doc/packages/shorewall/Samples/one-interface/policy
/usr/share/doc/packages/shorewall/Samples/one-interface/rules
/usr/share/doc/packages/shorewall/Samples/one-interface/zones
~#

If you installed Shorewall from the tarball, the samples are in the Samples/one-interface directory in the tarball.

If you installed using a .deb, the samples are in /usr/share/doc/shorewall-common/examples/one-interface.

As each file is introduced, I suggest that you look through the actual file on your system -- each file contains detailed configuration instructions and default entries.
Shorewall views the network where it is running as being composed of a set of zones. In the one-interface sample configuration, only two zones are defined:

#ZONE  TYPE      OPTIONS  IN       OUT
#                         OPTIONS  OPTIONS
fw     firewall
net    ipv4

Shorewall zones are defined in /etc/shorewall/zones. Note that Shorewall recognizes the firewall system as its own zone. When the /etc/shorewall/zones file is processed, the name of the firewall zone (fw in the example above) is stored in the shell variable $FW, which may be used throughout the Shorewall configuration to refer to the firewall itself.

Rules about what traffic to allow and what traffic to deny are expressed in terms of zones. You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file. You define exceptions to those default policies in the /etc/shorewall/rules file.

For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request, then the first policy in /etc/shorewall/policy that matches the request is applied. If there is a common action defined for the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std, then that action is invoked before the policy is enforced.

The /etc/shorewall/policy file included with the one-interface sample has the following policies:

#SOURCE ZONE  DESTINATION ZONE  POLICY  LOG LEVEL  LIMIT:BURST
$FW           net               ACCEPT
net           all               DROP    info
all           all               REJECT  info

The above policies will:

allow all connection requests from the firewall to the Internet;

drop (ignore) all connection requests from the Internet to your firewall;

reject all other connection requests (Shorewall requires this catch-all policy).

At this point, edit your /etc/shorewall/policy and make any changes that you wish.
The External Interface

The firewall has a single network interface. Where Internet connectivity is through a cable or DSL Modem, the External Interface will be the ethernet adapter (e.g., eth0) that is connected to that Modem, unless you connect via Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP), in which case the External Interface will be a PPP interface (e.g., ppp0). If you connect via a regular modem, your External Interface will also be ppp0. If you connect using ISDN, your External Interface will be ippp0.

The Shorewall one-interface sample configuration assumes that the external interface is eth0. If your configuration is different, you will have to modify the sample /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interface. Some hints:

If your external interface is ppp0 or ippp0, you can replace detect in the second column with "-" (a minus sign in quotes).

If your external interface is ppp0 or ippp0, or if you have a static IP address, you can remove dhcp from the option list.
IP Addresses

Before going further, we should say a few words about Internet Protocol (IP) addresses. Normally, your Internet Service Provider (ISP) will assign you a single IP address. That address may be assigned statically, via the Dynamic Host Configuration Protocol (DHCP), as part of establishing your dial-up connection (standard modem), or when you establish another type of PPP (PPPoA, PPPoE, etc.) connection.

RFC-1918 reserves several Private IP address ranges for use in private networks:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

These addresses are sometimes referred to as non-routable because the Internet backbone routers will not forward a packet whose destination address is reserved by RFC-1918. In some cases, though, ISPs that assign these addresses then use Network Address Translation (NAT) to rewrite packet headers when forwarding to/from the Internet.

Before starting Shorewall, you should look at the IP address of your external interface and, if it is within one of the above ranges, you should remove the norfc1918 option from the entry in /etc/shorewall/interfaces.
Enabling Other Connections

Shorewall includes a collection of macros that can be used to quickly allow or deny services. You can find a list of the macros included with your version of Shorewall using the command:

ls /usr/share/shorewall/macro.*

If you wish to enable connections from the Internet to your firewall and you find an appropriate macro in /etc/shorewall/macro.*, the general format of a rule in /etc/shorewall/rules is:

#ACTION         SOURCE  DESTINATION  PROTO  DEST PORT(S)
<macro>/ACCEPT  net     $FW

Example: you want to run a Web server and an IMAP server on your firewall system:

#ACTION      SOURCE  DESTINATION  PROTO  DEST PORT(S)
Web/ACCEPT   net     $FW
IMAP/ACCEPT  net     $FW

You may also choose to code your rules directly without using the pre-defined macros. This will be necessary in the event that there is no pre-defined macro that meets your requirements. In that case the general format of a rule in /etc/shorewall/rules is:

#ACTION  SOURCE  DESTINATION  PROTO       DEST PORT(S)
ACCEPT   net     $FW          <protocol>  <port>

Example: you want to run a Web server and an IMAP server on your firewall system:

#ACTION  SOURCE  DESTINATION  PROTO  DEST PORT(S)
ACCEPT   net     $FW          tcp    80
ACCEPT   net     $FW          tcp    143

If you don't know what port and protocol a particular application uses, see here.

I don't recommend enabling telnet to/from the Internet because it uses clear text (even for login and password!). If you want shell access to your firewall from the Internet, use SSH:

#ACTION     SOURCE  DESTINATION  PROTO  DEST PORT(S)
SSH/ACCEPT  net     $FW

At this point, edit /etc/shorewall/rules to add other connections as desired.
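The lookup order described in the concepts section (rules first, then the first matching policy, with $FW naming the firewall zone) determines what each of the rules above actually lets through and what falls back to the net-to-all DROP policy. The evaluator below is an added example, not Shorewall code: it applies that order to the one-interface sample zones, policy and rules, constructed here as strings. Macros are resolved from a small built-in table standing in for /usr/share/shorewall/macro.* (assumption: single-port definitions for Web, IMAP and SSH only).

```python
"""Resolve a connection request against the one-interface sample (added example)."""
FW = 'fw'   # the firewall zone; Shorewall exposes its name as $FW

# Constructed copies of the sample configuration files from the guide.
ZONES = """\
#ZONE  TYPE
fw     firewall
net    ipv4
"""
POLICY = """\
#SOURCE  DEST  POLICY  LOG
$FW      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""
RULES = """\
#ACTION     SOURCE  DEST  PROTO  DPORT
Web/ACCEPT  net     $FW
ACCEPT      net     $FW   tcp    143
SSH/ACCEPT  net     $FW
"""
# Assumption: stands in for the macro files; each entry is (protocol, port).
MACROS = {'Web': ('tcp', '80'), 'IMAP': ('tcp', '143'), 'SSH': ('tcp', '22')}


def rows(text):
    """Yield the columns of each non-blank, non-comment line, with $FW expanded."""
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            yield [col.replace('$FW', FW) for col in line.split()]


ZONE_TYPES = dict(rows(ZONES))


def zone_matches(spec, zone):
    """'all' matches every zone; otherwise the names must be equal."""
    return spec == 'all' or spec == zone


def expand_rule(cols):
    """Return (action, source, dest, proto, dport); 'Web/ACCEPT' becomes tcp/80."""
    action, source, dest = cols[:3]
    proto, dport = (cols[3:5] + ['-', '-'])[:2]   # missing columns mean 'any'
    if '/' in action:
        macro, action = action.split('/', 1)
        proto, dport = MACROS[macro]
    return action, source, dest, proto, dport


def evaluate(src_zone, dst_zone, proto, dport, rules=RULES, policy=POLICY):
    """Return (disposition, 'rules' | 'policy') for one connection request."""
    for zone in (src_zone, dst_zone):
        if zone not in ZONE_TYPES:
            raise ValueError('undefined zone: %r' % zone)
    # Rules are consulted first; the first match decides.
    for cols in rows(rules):
        action, source, dest, r_proto, r_dport = expand_rule(cols)
        if (zone_matches(source, src_zone) and zone_matches(dest, dst_zone)
                and r_proto in ('-', proto) and r_dport in ('-', str(dport))):
            return action, 'rules'
    # No rule matched: the first matching policy applies, in file order.
    for source, dest, disposition, *_log in rows(policy):
        if zone_matches(source, src_zone) and zone_matches(dest, dst_zone):
            return disposition, 'policy'
    raise LookupError('no policy matched; Shorewall requires an all->all policy')


if __name__ == '__main__':
    for request in (('net', FW, 'tcp', 80), ('net', FW, 'tcp', 23), (FW, 'net', 'tcp', 443)):
        print(request, '->', evaluate(*request))
```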
Starting and Stopping Your Firewall

The installation procedure configures your system to start Shorewall at system boot, but startup is disabled so that your system won't try to start Shorewall before configuration is complete. Once you have completed configuration of your firewall, you must enable Shorewall startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes. Users of the .deb package must edit /etc/default/shorewall and set STARTUP=1.

The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped. A running firewall may be restarted using the shorewall restart command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear.

If you are connected to your firewall from the Internet, do not issue a shorewall stop command unless you have added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. Also, I don't recommend using shorewall restart; it is better to create an alternate configuration and test it using the shorewall try command.
Additional Recommended Reading

I highly recommend that you review the Common Configuration File Features page -- it contains helpful tips about Shorewall features that make administering your firewall easier.
Revision History

2.0  2005-09-12  TE  More updates for 3.0
1.9  2005-09-02  CR  Updated for Shorewall 3.0
1.8  2005-07-12  TE  Fixed incorrect link to rfc1918.
1.7  2004-02-16  TE  /etc/shorewall/rfc1918 file moved to /usr/share/shorewall.
1.6  2004-02-05  TE  Updated for Shorewall 2.0
1.5  2004-01-05  TE  Standard changes
1.4  2003-12-30  TE  Added advice about updating /etc/shorewall/rfc1918.
1.3  2003-11-15  TE  Initial DocBook conversion
shorewall-docs-xml-5.2.3/VPN.xml
VPN Passthrough Tom Eastep 2002 2004 2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Virtual Private Networking (VPN)

It is often the case that a system behind the firewall needs to be able to access a remote network through Virtual Private Networking (VPN). The two most common means for doing this are IPsec and PPTP. The basic setup is shown in the following diagram: a system with an RFC 1918 address needs to access a remote network through a remote gateway. For this example, we will assume that the local system has IP address 192.168.1.12 and that the remote gateway has IP address 192.0.2.224.

If PPTP is being used and you need to have two or more local systems connected to the same remote server at the same time, then you should be sure that the PPTP helper modules are loaded (ip_conntrack_pptp and ip_nat_pptp, or nf_conntrack_pptp and nf_nat_pptp). Using the default modules file, Shorewall (Lite) will attempt to load these modules when Shorewall (Lite) is started.

If IPsec is being used, you should configure IPsec to use NAT Traversal -- under NAT traversal the IPsec packets (protocol 50 or 51) are encapsulated in UDP packets (normally with destination port 4500). Additionally, keep-alive messages are sent frequently so that NATing gateways between the end-points will retain their connection-tracking entries. This is the way that I connect to the HP Intranet and it works flawlessly without anything in Shorewall other than my ACCEPT loc->net policy. NAT traversal is available as a patch for Windows 2K and is a standard feature of Windows XP -- simply select "L2TP IPsec VPN" from the "Type of VPN" pulldown.

Alternatively, if you have an IPsec gateway behind your firewall then you can try the following: only one system may connect to the remote gateway and there are firewall configuration requirements as follows:

/etc/shorewall/rules

ACTION   SOURCE            DEST               PROTO   DPORT   SPORT   ORIGDEST
DNAT     net:192.0.2.224   loc:192.168.1.12   50
DNAT     net:192.0.2.224   loc:192.168.1.12   udp     500
The above may or may not work — your mileage may vary. NAT Traversal is definitely a better solution. To use NAT traversal:

/etc/shorewall/rules with NAT Traversal

ACTION   SOURCE            DEST               PROTO   DPORT   SPORT   ORIGDEST
DNAT     net:192.0.2.224   loc:192.168.1.12   udp     4500
DNAT     net:192.0.2.224   loc:192.168.1.12   udp     500
If you want to be able to give access to all of your local systems to the remote network, you should consider running a VPN client on your firewall. As starting points, see The /etc/shorewall/tunnels manpage.
shorewall-docs-xml-5.2.3/Shorewall-init.xml
Shorewall Init Tom Eastep 2010 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction

The Shorewall init scripts released from shorewall.net and by most distributions start Shorewall after networking. This allows Shorewall to detect the network configuration and tailor itself accordingly. It is possible to start Shorewall prior to networking but doing so limits the set of Shorewall features that can be used.

When Shorewall starts after networking, there is the possibility of unwanted connections being accepted between the time that an interface comes up and the time that Shorewall has finished starting up. Also, Shorewall has had no means of reacting when interfaces are brought up and down.

Beginning with Shorewall 4.4.10, a new package, Shorewall Init, is available. Shorewall Init serves two purposes:

- It can 'close' the firewall before the network interfaces are brought up during boot.
- It can change the firewall state as the result of interfaces being brought up or taken down.

These two features can be controlled independently. Shorewall Init can be used together with any combination of the other Shorewall packages. Shorewall-init works on RedHat-based, SuSE-based and Debian-based distributions.
Closing the Firewall before the Network Interfaces are brought up

When Shorewall-init is first installed, it does nothing until you configure it. The configuration file is /etc/default/shorewall-init on Debian-based systems and /etc/sysconfig/shorewall-init otherwise. There are two settings in the file:

PRODUCTS -- Lists the Shorewall packages that you want to integrate with Shorewall-init. Example: PRODUCTS="shorewall shorewall6"

IFUPDOWN -- When set to 1, enables integration with NetworkManager and the ifup/ifdown scripts.

To close your firewall before networking starts:

1. In the Shorewall-init configuration file, set PRODUCTS to the firewall products installed on your system.

2. Be sure that your current firewall script(s) (normally in /var/lib/<product>/firewall) is(are) compiled with the 4.4.10 compiler. Shorewall and Shorewall6 users can execute these commands:

   shorewall compile
   shorewall6 compile

   Shorewall-lite and Shorewall6-lite users can execute these commands on the administrative system:

   shorewall export firewall-name-or-ip-address
   shorewall6 export firewall-name-or-ip-address

That's all that is required.
Integration with NetworkManager and ifup/ifdown Scripts

To integrate with NetworkManager and ifup/ifdown, additional steps are required. You probably don't want to enable this feature if you run a link status monitor like FOOLSM.

1. In the Shorewall-init configuration file, set IFUPDOWN=1.

2. In your Shorewall interfaces file(s), set the required option on any interfaces that must be up in order for the firewall to start. At least one interface must have the required or optional option if you perform the next optional step.

3. (Optional) -- If you have specified at least one required or optional interface, you can then disable automatic firewall startup at boot time. On Debian systems, set startup=0 in /etc/default/product. On other systems, use your service startup configuration tool (chkconfig, insserv, ...) to disable startup. If your system uses Upstart as its system initialization daemon, you should not disable startup. Upstart is standard on recent Ubuntu and Fedora releases and is optional on Debian.

The following actions occur when an interface comes up:

FIREWALL STATE   INTERFACE   ACTION
Any              Required    start
stopped          Optional    start
started          Optional    enable
started          Any         restart

The following actions occur when an interface goes down:

FIREWALL STATE   INTERFACE   ACTION
Any              Required    stop
stopped          Optional    start
started          Optional    disable
started          Any         restart

For optional interfaces, the /var/lib/product/interface.state files are maintained to reflect the state of the interface so that they may be used by the standard isusable script. Please note that the action is carried out using the current compiled script; the configuration is not recompiled.

A new option has been added to shorewall.conf and shorewall6.conf. The REQUIRE_INTERFACE option determines the outcome when an attempt to start/restart/restore/refresh the firewall is made and none of the optional interfaces are available. With REQUIRE_INTERFACE=No (the default), the operation is performed.
If REQUIRE_INTERFACE=Yes, then the operation fails and the firewall is placed in the stopped state. This option is suitable for a laptop with both ethernet and wireless interfaces. If either comes up, the firewall starts. If neither comes up, the firewall remains in the stopped state. Similarly, if an optional interface goes down and there are no optional interfaces remaining in the up state, then the firewall is stopped.

On Debian-based systems, during system shutdown the firewall is opened prior to network shutdown (/etc/init.d/shorewall stop performs a 'clear' operation rather than a 'stop'). This is required by Debian standards. You can change this default behavior by setting SAFESTOP=1 in /etc/default/shorewall (/etc/default/shorewall6, ...).
shorewall-docs-xml-5.2.3/shorewall_extension_scripts.xml
Extension Scripts (User Exits) Tom Eastep 2001-2010 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
Extension Scripts

Extension scripts are user-provided scripts that are invoked at various points during firewall start, restart, stop and clear. For each script, the Shorewall compiler creates a Bourne Shell function with the extension script as its body and calls the function at runtime.

Be sure that you actually need to use an extension script to do what you want. Shorewall has a wide range of features that cover most requirements. DO NOT SIMPLY COPY RULES THAT YOU FIND ON THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE DOING WITH RESPECT TO iptables/Netfilter AND SHOREWALL.

The following scripts can be supplied:

lib.private -- Intended to contain declarations of shell functions to be called by other run-time extension scripts. See this article for an example of its use.

compile -- Invoked by the rules compiler early in the compilation process. Must be written in Perl.

init -- invoked early in shorewall start and shorewall restart.

initdone -- invoked after Shorewall has flushed all existing rules but before any rules have been added to the builtin chains.

start -- invoked after the firewall has been started or restarted.

started -- invoked after the firewall has been marked as 'running'.

stop -- invoked as a first step when the firewall is being stopped.

stopped -- invoked after the firewall has been stopped.

clear -- invoked after the firewall has been cleared.

tcclear -- invoked to clear traffic shaping when CLEAR_TC=Yes in shorewall.conf.

refresh -- called in place of init when the firewall is being refreshed rather than started or restarted.

refreshed -- invoked after the firewall has been refreshed.

maclog -- invoked while mac filtering rules are being created. It is invoked once for each interface having 'maclist' specified and it is invoked just before the logging rule is added to the current chain (the name of that chain will be in $CHAIN).
isusable -- invoked when Shorewall is trying to determine the usability of the network interface associated with an optional entry in /etc/shorewall/providers. $1 is the name of the interface, which will have been determined to be up and configured before the script is invoked. The return value from the script indicates whether or not the interface is usable (0 = usable, other = unusable). Example:

# Ping a gateway through the passed interface
case $1 in
    eth0)
        ping -c 4 -t 1 -I eth0 206.124.146.254 > /dev/null 2>&1
        return
        ;;
    eth1)
        ping -c 4 -t 1 -I eth1 192.168.12.254 > /dev/null 2>&1
        return
        ;;
    *)
        # No additional testing of other interfaces
        return 0
        ;;
esac

We recommend that this script only be used with ADMINISABSENTMINDED=Yes. The firewall state when this script is invoked is indeterminate. So if you have ADMINISABSENTMINDED=No in shorewall.conf(8) and output on an interface is not allowed by stoppedrules(8), then the isusable script must blow its own holes in the firewall before probing.

save -- This script is invoked during execution of the shorewall save and shorewall-lite save commands.

restored -- This script is invoked at the completion of a successful shorewall restore and shorewall-lite restore.

findgw -- This script is invoked when Shorewall is attempting to discover the gateway through a dynamic interface. The script is most often used when the interface is managed by dhclient, which has no standardized location/name for its lease database. Scripts for use with dhclient on several distributions are available at http://www.shorewall.net/pub/shorewall/contrib/findgw/

scfilter -- Added in Shorewall 4.4.14. Unlike the other scripts, this script is executed by the command-line tools (/sbin/shorewall, /sbin/shorewall6, etc) and can be used to reformat the output of the show connections command. The connection information is piped through this script so that the script can drop information, add information or alter the format of the information.
When using Shorewall Lite or Shorewall6 Lite, the script is encapsulated in a function that is copied into the generated auxiliary configuration file. That function is invoked by the 'show connections' command. The default script is as follows and simply pipes the output through unaltered.

#! /bin/sh
cat -

postcompile -- Added in Shorewall 4.5.8. This shell script is invoked by /sbin/shorewall after a script has been compiled. $1 is the path name of the compiled script.

lib.cli-user -- Added in Shorewall 5.0.2. This is actually a shell library (set of function declarations) that can be used to augment or replace functions in the standard CLI libraries.

enabled -- Added in Shorewall 5.1.6. Invoked when an optional interface or provider is successfully enabled using the enable command.

disabled -- Added in Shorewall 5.1.6. Invoked when an optional interface or provider is successfully disabled using the disable command.

If your version of Shorewall doesn't have the file that you want to use from the above list, you can simply create the file yourself. You can also supply a script with the same name as any of the filter chains in the firewall and the script will be invoked after the /etc/shorewall/rules file has been processed but before the /etc/shorewall/policy file has been processed.

The following table indicates which commands invoke the various scripts.
Script        Commands
clear         clear
compile       check, compile, export, load, refresh, reload, restart, restore, start
continue
disable       disable
enable        enable
init          load, refresh, reload, restart, restore, start
initdone      check, compile, export, refresh, restart, start
isusable      refresh, restart, restore, start
maclog        check, compile, export, refresh, restart, start
postcompile   compile, export, load, refresh, reload, restart, restore, start
refresh       refresh
refreshed     refresh
restored      restore
save          save
scfilter      show connections
start         load, reload, restart, start
started       load, reload, restart, start
stop          stop, clear
stopped       stop, clear
tcclear       load, reload, restart, restore, start

There are a couple of special considerations for commands in extension scripts:

When you want to run iptables, use the command run_iptables instead. run_iptables will run the iptables utility passing the arguments to run_iptables and, if the command fails, the firewall will be stopped (or restored from the last save command, if any). run_iptables should not be called from the started or restored scripts.

If you wish to generate a log message, use log_rule_limit. Parameters are:

1. Log Level
2. Chain to insert the rule into
3. Chain name to display in the message (this can be different from the preceding argument — see the Port Knocking article for an example of how to use this).
4. Disposition to report in the message (ACCEPT, DROP, etc)
5. Rate Limit (if passed as "" then $LOGLIMIT is assumed — see the LOGLIMIT option in /etc/shorewall/shorewall.conf)
6. Log Tag ("" if none)
7. Command (-A or -I for append or insert).
8. The remaining arguments are passed "as is" to iptables

Many of the extension scripts get executed for both the shorewall start and shorewall restart commands. You can determine which command is being executed using the contents of $COMMAND.

if [ $COMMAND = start ]; then
    ...
In addition to COMMAND, Shorewall defines three other variables that may be used for locating Shorewall files:

CONFDIR - The configuration directory. Will be /etc/. The running product is defined in the g_product variable.

SHAREDIR - The product shared directory. Will be /usr/share. The running product is defined in the g_product variable.

VARDIR - The product state directory. Defaults to /var/lib/shorewall, /var/lib/shorewall6/, /var/lib/shorewall-lite, or /var/lib/shorewall6-lite depending on which product is running, but may be overridden by an entry in ${CONFDIR}/vardir.

Shell variables used in extension scripts must follow the same rules as those in /etc/shorewall/params. See this article.
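An scfilter script that does more than the default cat -, added here as an example (it is not Shorewall's own code): it drops loopback-only entries from the 'show connections' listing and compacts each remaining conntrack entry to one line. It assumes the conntrack -L / /proc/net/nf_conntrack field layout and uses the constructed sample embedded in the block.

```shell
#!/bin/sh
# Added example of an scfilter extension script (not Shorewall's own code).
# Shorewall pipes the conntrack listing behind 'shorewall show connections'
# into this script on stdin. The filter drops loopback-only entries and
# compacts each remaining entry to:
#   <proto> <state> <src>:<sport> -> <dst>:<dport> [ASSURED]
# Assumed input layout (conntrack -L, or /proc/net/nf_conntrack with its
# leading "ipv4 2" / "ipv6 10" columns):
#   tcp 6 431999 ESTABLISHED src=A dst=B sport=P dport=Q src=B dst=A ... [ASSURED] ...
# Only the first src=/dst=/sport=/dport= (the original direction) is kept.

scfilter() {
    awk '
    {
        proto = ($1 ~ /^ipv[46]$/) ? $3 : $1
        state = "-"; src = ""; dst = ""; sport = "-"; dport = "-"; assured = ""
        for (i = 2; i <= NF; i++) {
            if (src == "" && $i ~ /^[A-Z_]+$/)       state = $i          # tcp state; absent for udp/icmp
            else if (src == "" && $i ~ /^src=/)       src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/)       dst = substr($i, 5)
            else if (sport == "-" && $i ~ /^sport=/)  sport = substr($i, 7)
            else if (dport == "-" && $i ~ /^dport=/)  dport = substr($i, 7)
            else if ($i == "[ASSURED]")               assured = " [ASSURED]"
        }
        if (src == "") { print; next }               # not a conntrack entry: pass it through
        if ((src ~ /^127\./ && dst ~ /^127\./) || (src == "::1" && dst == "::1")) next
        printf "%s %s %s:%s -> %s:%s%s\n", proto, state, src, sport, dst, dport, assured
    }'
}

# Constructed sample of three entries (not real captured data): an SSH session to
# the firewall, a loopback DNS lookup that should be dropped, and an IKE flow.
SCFILTER_SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=192.168.1.1 sport=51234 dport=22 src=192.168.1.1 dst=192.168.1.12 sport=22 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=127.0.0.1 dst=127.0.0.1 sport=40000 dport=53 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=40000 mark=0 use=1
udp      17 170 src=192.168.1.12 dst=192.0.2.224 sport=500 dport=500 src=192.0.2.224 dst=192.168.1.12 sport=500 dport=500 [ASSURED] mark=0 use=1'

# Run the filter on stdin, exactly as Shorewall invokes the script. When stdin is a
# terminal (the file was sourced by hand) nothing is read; try the sample with:
#   printf '%s\n' "$SCFILTER_SAMPLE" | sh ./scfilter
[ -t 0 ] || scfilter
```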
Compile-time vs Run-time Scripts

Shorewall runs some extension scripts at compile-time rather than at run-time. The following table summarizes when the various extension scripts are run:

Compile-time: compile, initdone, maclog, per-chain scripts (including those associated with actions), postcompile

Run-time: clear, disable, enable, init, isusable, start, started, stop, stopped, tcclear, refresh, refreshed, restored, scfilter

The contents of each run-time script is placed in a shell function, so you can declare local variables and can use the return command. The functions generated from the enable and disable scripts are passed three arguments:

$1 - Physical name of the interface that was enabled or disabled.
$2 - Logical name of the interface.
$3 - Name of the Provider, if any, associated with the interface.

As described above, the function generated from the isusable script is passed a single argument that names a network interface.

With the exception of postcompile, compile-time extension scripts are executed using the Perl 'eval `cat <file>`' mechanism. Be sure that each script returns a 'true' value; otherwise, the compiler will assume that the script failed and will abort the compilation. Each compile-time script is implicitly prefaced with:

package Shorewall::User;

Most scripts will need to begin with the following line:

use Shorewall::Chains;

For more complex scripts, you may need to 'use' other Shorewall Perl modules -- browse /usr/share/shorewall/Shorewall/ to see what's available.

When a script is invoked, the $chainref scalar variable will hold a reference to a chain table entry. $chainref->{name} contains the name of the chain; $chainref->{table} holds the table name. To add a rule to the chain:

add_rule( $chainref, <the rule> [ , <break lists> ] );

Where <the rule> is a scalar argument holding the rule text.
Do not include "-A <chain name>". Example:

add_rule( $chainref, '-j ACCEPT' );

The add_rule() function accepts an optional third argument; if that argument evaluates to true and the passed rule contains a --dports or --sports list with more than 15 ports (a port range counts as two ports), the rule will be split into multiple rules where each resulting rule has 15 or fewer ports in its --dports and --sports lists.

To insert a rule into the chain:

insert_rule( $chainref, <rulenum>, <the rule> );

The log_rule_limit() function works like it did in the shell compiler with three exceptions:

- You pass the chain reference rather than the name of the chain.
- The commands are 'add' and 'insert' rather than '-A' and '-I'.
- There is only a single "pass as-is to iptables" argument (so you must quote that part).

Example:

log_rule_limit( 'info' ,           # Log Level
                $chainref ,        # Chain to add the rule to
                $chainref->{name}, # Name of the chain as it will appear in the log prefix
                'DROP' ,           # Disposition of the packet
                '',                # Limit
                '' ,               # Log tag
                'add',             # Command
                '-p tcp'           # Added to the rule as-is
              );

Note that in the 'initdone' script, there is no default chain ($chainref). You can obtain a reference to a standard chain by:

my $chainref = $chain_table{<table>}{<chain name>};

Example:

my $chainref = $chain_table{filter}{INPUT};

You can also use the hash references $filter_table, $mangle_table and $nat_table to access chain references in the three main tables. Example:

my $chainref = $filter_table->{INPUT}; # Same as above with a few less keystrokes; runs faster too

For information about the 'compile' extension script, see the Manual Chains article.
shorewall-docs-xml-5.2.3/GnuCopyright.xml

GNU Free Documentation License
Version 1.2, November 2002
0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.
1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.
The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words. A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque". Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only. The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. 
For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text. A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition. The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.
2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.
3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.
4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

C. State on the Title page the name of the publisher of the Modified Version, as the publisher.

D. Preserve all the copyright notices of the Document.

E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

H. Include an unaltered copy of this License.

I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.

N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.

O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.
You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.
COMBINING DOCUMENTS You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers. The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".
COLLECTIONS OF DOCUMENTS You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.
AGGREGATION WITH INDEPENDENT WORKS A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document. If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.
TRANSLATION Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail. If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.
TERMINATION You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
FUTURE REVISIONS OF THIS LICENSE The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/. Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.
ADDENDUM: How to use this License for your documents To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page: If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the "with...Texts." line with this:
with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation. If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.
shorewall-docs-xml-5.2.3/shorewall_features.xml
Shorewall 5.0 Features Tom Eastep 2001-2016 Thomas M Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Features

- Uses Netfilter's connection tracking facilities for stateful packet filtering.
- Can be used in a wide range of router/firewall/gateway applications.
- Completely customizable using configuration files.
- No limit on the number of network interfaces.
- Allows you to partition the network into zones and gives you complete control over the connections permitted between each pair of zones.
  - Multiple interfaces per zone and multiple zones per interface permitted.
  - Supports nested and overlapping zones.
- Supports centralized firewall administration.
  - Shorewall installed on a single administrative system. May be a Windows PC running Cygwin or an Apple Macintosh running OS X.
  - Centrally generated firewall scripts run on the firewalls under control of Shorewall-lite.
- QuickStart Guides (HOWTOs) to help get your first firewall up and running quickly.
- A GUI is available via Webmin 1.060 and later (http://www.webmin.com).
- Extensive documentation is available in both Docbook XML and HTML formats.
- Flexible address management/routing support (and you can use all types in the same firewall):
  - Masquerading/SNAT.
  - Port Forwarding (DNAT).
  - One-to-one NAT.
  - Proxy ARP.
  - NETMAP.
- Multiple ISP support (multiple Internet links from the same firewall/gateway).
- Blacklisting of individual IP addresses and subnetworks is supported.
- Operational Support.
  - Commands to start, stop and clear the firewall.
  - Supports status monitoring with an audible alarm when an interesting packet is detected.
  - Wide variety of informational commands.
- VPN Support.
  - IPsec, GRE, IPIP and OpenVPN Tunnels.
  - PPTP clients and Servers.
- Support for Traffic Control/Shaping.
- Wide support for different GNU/Linux Distributions.
  - RPM and Debian packages available.
  - Includes automated install, upgrade and uninstall facilities for users who can't use or choose not to use the RPM or Debian packages.
  - Included as a standard part of LEAF/Bering (router/firewall on a floppy, CD or compact flash).
- Media Access Control (MAC) Address Verification.
- Traffic Accounting.
- Bridge/Firewall support.
- IPv6 Support.
- Works with a wide range of Virtualization Solutions:
  - KVM
  - Xen
  - Linux-Vserver
  - OpenVZ
  - VirtualBox
  - LXC
  - Docker (Shorewall 5.0.6 and later)
shorewall-docs-xml-5.2.3/Shorewall-Lite.xml
Shorewall Lite Tom Eastep 2006-2011 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation appropriate for your version.
Overview Shorewall has the capability to compile a Shorewall configuration and produce a runnable firewall program script. The script is a complete program which can be placed on a system with Shorewall Lite installed and can serve as the firewall creation script for that system.
Shorewall Lite

Shorewall Lite is a companion product to Shorewall and is designed to allow you to maintain all Shorewall configuration information on a single system within your network.

1. You install the full Shorewall release on one system within your network. You need not configure Shorewall there and you may totally disable startup of Shorewall in your init scripts. For ease of reference, we call this system the 'administrative system'. The administrative system may be a GNU/Linux system, a Windows system running Cygwin or an Apple Macintosh running OS X. Install from a shell prompt using the install.sh script.

2. On each system where you wish to run a Shorewall-generated firewall, you install Shorewall Lite. For ease of reference, we will call these systems the 'firewall systems'. The firewall systems do NOT need to have the full Shorewall product installed but rather only the Shorewall Lite product. Shorewall and Shorewall Lite may be installed on the same system but that isn't encouraged.

3. On the administrative system you create a separate 'export directory' for each firewall system. You copy the contents of /usr/share/shorewall/configfiles into each export directory.

   Users of Debian and derivatives that install the package from their distribution will be disappointed to find that /usr/share/shorewall/configfiles does not exist on their systems. They will instead need to either:

   a. Copy the files in /usr/share/doc/shorewall/default-config/ into each export directory. Copy /etc/shorewall/shorewall.conf into each export directory and remove /etc/shorewall from the CONFIG_PATH setting in the copied files.

   or

   b. Download the Shorewall tarball corresponding to their package version. Untar and copy the files from the configfiles sub-directory in the untarred shorewall-... directory.

   After copying, you may need to change two settings in the copy of shorewall.conf:

       CONFIG_PATH=/usr/share/shorewall
       STARTUP_LOG=/var/log/shorewall-lite-init.log

   Older versions of Shorewall included copies of shorewall.conf with these settings already modified. This practice was discontinued in Shorewall 4.4.20.1.

   Prior to Shorewall 4.5.8, the /etc/shorewall/shorewall.conf file was used to determine the VERBOSITY setting, which determines how much output the compiler generates. All other settings were taken from the shorewall.conf file in the remote system's export directory.

   Prior to Shorewall 4.5.8, if you want to be able to allow non-root users to manage remote firewall systems, then the files /etc/shorewall/params and /etc/shorewall/shorewall.conf must be readable by all users on the administrative system. Not all packages secure the files that way and you may have to change the file permissions yourself.

   Prior to Shorewall 4.5.14, /etc/shorewall/params must be readable by non-root users or each export directory must have its own params file.

4. On each firewall system, if you are running Debian or one of its derivatives like Ubuntu then edit /etc/default/shorewall-lite and set startup=1.

5. On the administrative system, for each firewall system you do the following (this may be done by a non-root user who has root ssh access to the firewall system):

   a. Modify the files in the corresponding export directory appropriately (i.e., just as you would if you were configuring Shorewall on the firewall system itself). It's a good idea to include the IP address of the administrative system in the stoppedrules file.

      It is important to understand that with Shorewall Lite, the firewall's export directory on the administrative system acts as /etc/shorewall for that firewall. So when the Shorewall documentation gives instructions for placing entries in files in the firewall's /etc/shorewall, when using Shorewall Lite you make those changes in the firewall's export directory on the administrative system.

      The CONFIG_PATH variable is treated as follows:

      - The value of CONFIG_PATH in /etc/shorewall/shorewall.conf is ignored when compiling for export (the -e option is given) and when the load or reload command is being executed (see below).
      - The value of CONFIG_PATH in the shorewall.conf file in the export directory is used to search for configuration files during compilation of that configuration.
      - The value of CONFIG_PATH used when the script is run on the firewall system is "/etc/shorewall-lite:/usr/share/shorewall-lite".

      Prior to Shorewall 4.5.14, the export directory should contain a params file, even if it is empty. Otherwise, /sbin/shorewall will attempt to read /etc/shorewall/params.

      If the remote system has a different directory layout from the administrative system, then the export directory should contain a copy of the remote system's shorewallrc file (normally found in /usr/share/shorewall/shorewallrc).

   b. Run:

          cd <export directory>
          /sbin/shorewall load firewall

      The load command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and starts Shorewall Lite on the remote system via ssh.

      Example (firewall's DNS name is 'gateway'):

          /sbin/shorewall load gateway

      Although scp and ssh are used by default, you can use other utilities by setting RSH_COMMAND and RCP_COMMAND in /etc/shorewall/shorewall.conf.

      The first time that you issue a load command, Shorewall will use ssh to run /usr/share/shorewall-lite/shorecap on the remote firewall to create a capabilities file in the firewall's administrative directory. It also uses scp to copy the shorewallrc file from the remote firewall system. See below.
If you later need to change the firewall's configuration, change the appropriate files in the firewall's export directory then:

    cd <export directory>
    /sbin/shorewall reload firewall

The reload command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and restarts Shorewall Lite on the remote system via ssh. The reload command also supports the '-c' option.

There is a shorewall-lite.conf file installed as part of Shorewall Lite (/etc/shorewall-lite/shorewall-lite.conf). You can use that file on the firewall system to override some of the settings from the shorewall.conf file in the export directory. Settings that you can override are:

    VERBOSITY
    LOGFILE
    LOGFORMAT
    IPTABLES
    PATH
    SHOREWALL_SHELL
    SUBSYSLOCK
    RESTOREFILE

You will normally never touch /etc/shorewall-lite/shorewall-lite.conf unless you run Debian or one of its derivatives (see above).

The /sbin/shorewall-lite program included with Shorewall Lite supports the same set of commands as the /sbin/shorewall program in a full Shorewall installation with the following exceptions:

    add
    compile
    delete
    refresh
    reload
    try
    safe-start
    safe-restart
    show actions
    show macros

On systems with only Shorewall Lite installed, I recommend that you create a symbolic link /sbin/shorewall and point it at /sbin/shorewall-lite. That way, you can use shorewall as the command regardless of which product is installed.

    ln -sf shorewall-lite /sbin/shorewall
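The export-directory preparation described in the steps above, written out as an added shell example; it is not part of the Shorewall documentation or of the Shorewall code base. It assumes a source directory holding the stock configfiles (a constructed stand-in is used in the demo), an administrative-system address of 192.0.2.10 and an interface name eth0 for the stoppedrules entry; the column layout of that stoppedrules line is an assumption, and the load step is defined as a function but not run, because it needs a firewall system reachable over ssh.

```shell
#!/bin/sh
# Added example: prepare a Shorewall Lite export directory on the
# administrative system. Not Shorewall code; names, addresses and the
# stoppedrules line format are assumptions.

# set_conf_option FILE NAME VALUE
# Replace an existing NAME=... line in a shorewall.conf-style file, or append
# one if NAME is not set yet. Written via a temp file so a failed edit never
# leaves a truncated shorewall.conf behind.
set_conf_option() {
    _file=$1 _name=$2 _value=$3
    if grep -q "^${_name}=" "$_file"; then
        sed "s|^${_name}=.*|${_name}=${_value}|" "$_file" > "$_file.tmp" \
            && mv "$_file.tmp" "$_file"
    else
        printf '%s=%s\n' "$_name" "$_value" >> "$_file"
    fi
}

# get_conf_option FILE NAME: print the current value of NAME (last one wins).
get_conf_option() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# strip_path_entry LIST ENTRY: drop ENTRY from a colon-separated path list.
strip_path_entry() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v -x -- "$2" | paste -s -d ':' -
}

# prepare_export_dir EXPORTDIR SRCDIR ADMIN_IP ADMIN_IFACE
# SRCDIR is /usr/share/shorewall/configfiles (or the Debian equivalent).
prepare_export_dir() {
    _dir=$1 _src=$2 _ip=$3 _iface=$4
    mkdir -p "$_dir"
    cp -R "$_src"/. "$_dir"/
    _conf=$_dir/shorewall.conf

    # Drop /etc/shorewall from CONFIG_PATH so a compile for this firewall can
    # never pick up the administrative system's own rules by accident.
    _path=$(get_conf_option "$_conf" CONFIG_PATH)
    set_conf_option "$_conf" CONFIG_PATH "$(strip_path_entry "$_path" /etc/shorewall)"
    set_conf_option "$_conf" STARTUP_LOG /var/log/shorewall-lite-init.log

    # Prior to Shorewall 4.5.14 the export directory needs a params file,
    # even an empty one, or /etc/shorewall/params is read instead.
    [ -f "$_dir/params" ] || : > "$_dir/params"

    # Keep ssh from the administrative system reachable while the firewall
    # is stopped; otherwise a 'stop' on the remote box locks you out.
    # Column layout (ACTION SOURCE DEST PROTO DPORT) is an assumption here.
    if ! grep -q -- "$_ip" "$_dir/stoppedrules" 2>/dev/null; then
        printf 'ACCEPT\t%s:%s\t-\ttcp\t22\n' "$_iface" "$_ip" >> "$_dir/stoppedrules"
    fi
}

# deploy FIREWALL EXPORTDIR: compile in the export directory and push the
# result over ssh/scp. Not run in the demo below (needs a real firewall).
deploy() {
    ( cd "$2" && /sbin/shorewall load "$1" )
}

# Demo on a constructed stock config (stands in for the packaged configfiles).
demo() {
    _tmp=$(mktemp -d)
    mkdir "$_tmp/configfiles"
    printf 'CONFIG_PATH=/etc/shorewall:/usr/share/shorewall\nVERBOSITY=1\n' \
        > "$_tmp/configfiles/shorewall.conf"
    : > "$_tmp/configfiles/stoppedrules"
    prepare_export_dir "$_tmp/gateway" "$_tmp/configfiles" 192.0.2.10 eth0
    get_conf_option "$_tmp/gateway/shorewall.conf" CONFIG_PATH
    rm -rf "$_tmp"
}
demo
```

Running prepare_export_dir a second time against the same export directory is safe: the shorewall.conf edits are idempotent and the stoppedrules entry is only appended when the administrative address is not already present.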
Module Loading

As with a normal Shorewall configuration, the shorewall.conf file can specify LOAD_HELPERS_ONLY which determines if the modules file (LOAD_HELPERS_ONLY=No) or helpers file (LOAD_HELPERS_ONLY=Yes) is used. Normally, the file on the firewall system is used. If you want to specify modules at compile time on the Administrative System, then you must place a copy of the appropriate file (modules or helpers) in the firewall's configuration directory before compilation.

In Shorewall 4.4.17, the EXPORTMODULES option was added to shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any modules or helpers file found on the CONFIG_PATH on the Administrative System during compilation will be used.

In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed and the behavior is that which was formerly obtained by setting LOAD_HELPERS_ONLY=Yes.
Converting a system from Shorewall to Shorewall Lite

Converting a firewall system that is currently running Shorewall to run Shorewall Lite instead is straight-forward.

1. On the administrative system, create an export directory for the firewall system. Copy the contents of /etc/shorewall/ from the firewall system to the export directory on the administrative system.

2. On the firewall system:

   a. Be sure that the IP address of the administrative system is included in the firewall's export directory stoppedrules file.

   b. shorewall stop

   c. We recommend that you uninstall Shorewall at this point.

   d. Install Shorewall Lite on the firewall system.

   e. If you are running Debian or one of its derivatives like Ubuntu then edit /etc/default/shorewall-lite and set startup=1.

3. On the administrative system:

   a. It's a good idea to include the IP address of the administrative system in the firewall system's stoppedrules file.

   b. Also, edit the shorewall.conf file in the firewall's export directory and change the CONFIG_PATH setting to remove /etc/shorewall. You can replace it with /usr/share/shorewall/configfiles if you like. Example:

          Before editing: CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
          After editing:  CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall

      Changing CONFIG_PATH will ensure that subsequent compilations using the export directory will not include any files from /etc/shorewall other than shorewall.conf and params.

   c. If you set variables in the params file, there are a couple of issues:

      - The params file is not processed at run time if you set EXPORTPARAMS=No in shorewall.conf. For run-time setting of shell variables, use the init extension script.
      - Beginning with Shorewall 4.4.17, the variables set in the params file are available in the firewall script when EXPORTPARAMS=No.
      - If the params file needs to set shell variables based on the configuration of the firewall system, you can use this trick:

            EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")

        The shorewall-lite call command allows you to call interactively any Shorewall function that you can call in an extension script.

   d. After having made the above changes to the firewall's export directory, execute the following commands.

          cd <export directory>
          /sbin/shorewall load <firewall system>

      Example (firewall's DNS name is 'gateway'):

          /sbin/shorewall load gateway

      The first time that you issue a load command, Shorewall will use ssh to run /usr/share/shorewall-lite/shorecap on the remote firewall to create a capabilities file in the firewall's administrative directory. See below.

      The load command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and starts Shorewall Lite on the remote system via ssh.

   e. If you later need to change the firewall's configuration, change the appropriate files in the firewall's export directory then:

          cd <export directory>
          /sbin/shorewall reload firewall

      The reload command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and restarts Shorewall Lite on the remote system via ssh.

   f. If the kernel/iptables configuration on the firewall later changes and you need to create a new capabilities file, do the following on the firewall system:

          /usr/share/shorewall-lite/shorecap > capabilities
          scp capabilities <admin system>:<this system's config dir>

      Or simply use the -c option the next time that you use the reload command (e.g., shorewall reload -c gateway).
Restrictions

While compiled Shorewall programs (as are used in Shorewall Lite) are useful in many cases, there are some important restrictions that you should be aware of before attempting to use them.

- All extension scripts used are copied into the program (with the exception of those executed at compile-time by the compiler). The ramifications of this are:

  - If you update an extension script, the compiled program will not use the updated script.
  - The params file is only processed at compile time if you set EXPORTPARAMS=No in shorewall.conf. For run-time setting of shell variables, use the init extension script. Although the default setting is EXPORTPARAMS=Yes for compatibility, the recommended setting is EXPORTPARAMS=No.
  - Beginning with Shorewall 4.4.17, the variables set in the params file are available in the firewall script when EXPORTPARAMS=No.
  - If the params file needs to set shell variables based on the configuration of the firewall system, you can use this trick:

        EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")

    The shorewall-lite call command allows you to call interactively any Shorewall function that you can call in an extension script.

- You must install Shorewall Lite on the system where you want to run the script. You then install the compiled program in /usr/share/shorewall-lite/firewall and use the /sbin/shorewall-lite program included with Shorewall Lite to control the firewall just as if the full Shorewall distribution was installed.

- Beginning with Shorewall 4.4.9, the compiler detects bridges and sets the bridge and routeback options explicitly. That can't happen when the compilation no longer occurs on the firewall system.
The "shorewall compile" command

A compiled script is produced using the compile command:

    shorewall compile [ -e ] [ <directory name> ] [ <path name> ]

where

-e
    Indicates that the program is to be "exported" to another system. When this flag is set, neither the "detectnets" interface option nor DYNAMIC_ZONES=Yes in shorewall.conf are allowed. The created program may be run on a system that has only Shorewall Lite installed.

    When this flag is given, Shorewall does not probe the current system to determine the kernel/iptables features that it supports. It rather reads those capabilities from /etc/shorewall/capabilities. See below for details. Also, when -e is specified you should have a copy of the remote firewall's shorewallrc file in the directory specified by <directory name>.

<directory name>
    Specifies a directory to be searched for configuration files before those directories listed in the CONFIG_PATH variable in shorewall.conf. When -e <directory-name> is included, only the SHOREWALL_SHELL and VERBOSITY settings from /etc/shorewall/shorewall.conf are used and these apply only to the compiler itself. The settings used by the compiled firewall script are determined by the contents of <directory name>/shorewall.conf. Beginning with Shorewall 4.5.7.2, /etc/shorewall/shorewall.conf is not read if there is a shorewall.conf file in the specified configuration directory.

<path name>
    Specifies the name of the script to be created. If not given, ${VARDIR}/firewall is assumed (by default, ${VARDIR} is /var/lib/shorewall/).

The compile command can be used to stage a new compiled script that can be activated later using shorewall restart -f.
The /etc/shorewall/capabilities file and the shorecap program

As mentioned above, the /etc/shorewall/capabilities file specifies the kernel/iptables capabilities of the target system. Here is a sample file:

    #
    # Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008
    #
    NAT_ENABLED=Yes
    MANGLE_ENABLED=Yes
    MULTIPORT=Yes
    XMULTIPORT=Yes
    CONNTRACK_MATCH=Yes
    POLICY_MATCH=Yes
    PHYSDEV_MATCH=Yes
    PHYSDEV_BRIDGE=Yes
    LENGTH_MATCH=Yes
    IPRANGE_MATCH=Yes
    RECENT_MATCH=Yes
    OWNER_MATCH=Yes
    IPSET_MATCH=Yes
    CONNMARK=Yes
    XCONNMARK=Yes
    CONNMARK_MATCH=Yes
    XCONNMARK_MATCH=Yes
    RAW_TABLE=Yes
    IPP2P_MATCH=
    CLASSIFY_TARGET=Yes
    ENHANCED_REJECT=Yes
    KLUDGEFREE=Yes
    MARK=Yes
    XMARK=Yes
    MANGLE_FORWARD=Yes
    COMMENTS=Yes
    ADDRTYPE=Yes
    TCPMSS_MATCH=Yes
    HASHLIMIT_MATCH=Yes
    NFQUEUE_TARGET=Yes
    REALM_MATCH=Yes
    CAPVERSION=40190
As you can see, the file contains a simple list of shell variable assignments — the variables correspond to the capabilities listed by the shorewall show capabilities command and they appear in the same order as the output of that command. To aid in creating this file, Shorewall Lite includes a shorecap program. The program is installed in the /usr/share/shorewall-lite/ directory and may be run as follows:
    [ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] /usr/share/shorewall-lite/shorecap > capabilities

The IPTABLES and MODULESDIR options have their usual Shorewall default values. The capabilities file may then be copied to a system with Shorewall installed and used when compiling firewall programs to run on the remote system.

The capabilities file may also be created using /sbin/shorewall-lite:

    shorewall-lite show -f capabilities > capabilities
Note that unlike the shorecap program, the show capabilities command shows the kernel's current capabilities; it does not attempt to load additional kernel modules.
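A pre-compile check that a copied capabilities file actually carries what a configuration depends on, as an added shell example that is not part of Shorewall. The sample file content is constructed from the listing above (IPP2P_MATCH left empty, as in the sample), and the required-capability names are chosen for illustration. The file is parsed with sed rather than sourced: a file of shell assignments fetched from a remote firewall would otherwise be executed on the administrative system, so a corrupted or tampered copy could run commands there.

```shell
#!/bin/sh
# Added example, not Shorewall code: inspect a capabilities file before
# compiling for export. The file is read with sed instead of being sourced,
# so a tampered or corrupted copy cannot run commands on the admin system.

# capability_value CAPFILE NAME: print the value assigned to NAME ('' if unset).
capability_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_capabilities CAPFILE NAME...: print every NAME not set to Yes;
# exit status 0 if all are present, 1 otherwise.
check_capabilities() {
    _cap=$1; shift
    _rc=0
    for _name in "$@"; do
        if [ "$(capability_value "$_cap" "$_name")" != Yes ]; then
            printf '%s\n' "$_name"
            _rc=1
        fi
    done
    return $_rc
}

# capabilities_stale CAPFILE MINVERSION: succeed when CAPVERSION is missing or
# older than MINVERSION, i.e. the file should be regenerated (reload -c).
capabilities_stale() {
    _v=$(capability_value "$1" CAPVERSION)
    [ "${_v:-0}" -lt "$2" ]
}

# write_sample_capabilities PATH: constructed file with values taken from the
# sample above (a subset; IPP2P_MATCH is empty there too).
write_sample_capabilities() {
    cat > "$1" <<'EOF'
#
# Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008
#
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
CONNTRACK_MATCH=Yes
IPSET_MATCH=Yes
IPP2P_MATCH=
RAW_TABLE=Yes
CAPVERSION=40190
EOF
}

# Demo: refuse to compile for a firewall whose capabilities file lacks a
# match that the rules depend on.
demo() {
    _f=$(mktemp)
    write_sample_capabilities "$_f"
    if _missing=$(check_capabilities "$_f" NAT_ENABLED IPSET_MATCH IPP2P_MATCH); then
        echo "all required capabilities present"
    else
        echo "missing on target: $_missing"
    fi
    capabilities_stale "$_f" 40190 \
        || echo "capabilities file is current (CAPVERSION $(capability_value "$_f" CAPVERSION))"
    rm -f "$_f"
}
demo
```

The missing-capability list goes to stdout so a wrapper around shorewall compile -e can log it and abort before a script that will fail at start time is pushed to the firewall.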
Running compiled programs directly

Compiled firewall programs are complete shell programs that support the following command line forms:

    <program> [ -q ] [ -v ] [ -n ] start
    <program> [ -q ] [ -v ] [ -n ] stop
    <program> [ -q ] [ -v ] [ -n ] clear
    <program> [ -q ] [ -v ] [ -n ] refresh
    <program> [ -q ] [ -v ] [ -n ] reset
    <program> [ -q ] [ -v ] [ -n ] restart
    <program> [ -q ] [ -v ] [ -n ] status
    <program> [ -q ] [ -v ] [ -n ] version

The options have the same meanings as when they are passed to /sbin/shorewall itself. The default VERBOSITY level is the level specified in the shorewall.conf file used when the program was compiled.
shorewall-docs-xml-5.2.3/ISO-3661.xml
ISO 3661 Country Codes recognized by Shorewall Tom Eastep 2012 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction

Beginning with Shorewall 4.5.4, Shorewall allows matching packet SOURCE and/or DEST IP addresses by their corresponding country. That is done by specifying a comma-separated list of up to 15 ISO-3661 2-character Country Codes enclosed in square brackets ('[...]') and prefixed by a caret ('^'). When a single country code is given, the square brackets can be omitted.

Example - Drop email from the Anonymous Proxy and Satellite Provider networks.

/etc/shorewall/rules:

    #ACTION      SOURCE          DEST    PROTO   DPORT
    ?SECTION NEW
    DROP:info    net:^[A1,A2]    dmz     tcp     25

Using this feature requires the GeoIP Match capability in your iptables and kernel. As of this writing, that capability requires installing xtables-addons 1.33 or later and creating a country-code database.

The Shorewall compiler uses the geoip country-code database to determine the valid set of two-character alphanumeric country codes. The location of that database is currently hard-coded in xtables-addons as /usr/share/xt_geoip/. Within that directory are two sub-directories:

    LE -- contains the little-endian database
    BE -- contains the big-endian database

To accommodate both big-endian and little-endian machines as well as any future ability to install the database at another location, Shorewall supports a GEOIPDIR option in shorewall.conf (5) and shorewall6.conf (5). The default value of that option is /usr/share/xt_geoip/LE.

The country codes at the time of this writing are shown in the following two sections.
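A validator for the country-match syntax described above ('^CC' or '^[CC,CC,...]', at most 15 two-character codes), as an added shell example that is not part of Shorewall. It checks a SOURCE/DEST country spec before a rule is placed in an export directory, where a typo would otherwise surface only as a compile error. The list of known codes is a constructed subset of the table that follows; a real check would take the code set from the GEOIPDIR database, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall code: validate the country-match syntax used in
# the SOURCE/DEST columns before a rule goes into the export directory.
# KNOWN_CODES is a constructed subset of the codes listed below.

export LC_ALL=C   # make [A-Z] mean ASCII uppercase regardless of locale

# Constructed subset of the country codes recognized by Shorewall.
KNOWN_CODES="A1 A2 AD AE AF DE DK FR GB NL US"

# parse_country_spec SPEC: print the codes one per line; status 1 on bad syntax.
# Accepts '^CC' and '^[CC,CC,...]' with 1 to 15 two-character codes.
parse_country_spec() {
    case $1 in
        '^['*']') _list=${1#'^['}; _list=${_list%']'} ;;
        '^'??)    _list=${1#'^'} ;;
        *) echo "bad country spec: $1" >&2; return 1 ;;
    esac
    _n=0
    _old_ifs=$IFS; IFS=,
    set -- $_list
    IFS=$_old_ifs
    for _code; do
        case $_code in
            [A-Z0-9][A-Z0-9]) ;;
            *) echo "bad country code: $_code" >&2; return 1 ;;
        esac
        _n=$((_n + 1))
        printf '%s\n' "$_code"
    done
    if [ "$_n" -lt 1 ] || [ "$_n" -gt 15 ]; then
        echo "country list must hold 1 to 15 codes, got $_n" >&2
        return 1
    fi
}

# is_known_code CODE: succeed when CODE is in the (constructed) known list.
is_known_code() {
    case " $KNOWN_CODES " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# validate_country_spec SPEC: syntax check plus membership check for each code.
validate_country_spec() {
    _codes=$(parse_country_spec "$1") || return 1
    for _c in $_codes; do
        is_known_code "$_c" || { echo "unknown country code: $_c" >&2; return 1; }
    done
}

# Demo with the spec from the rule above and a few malformed ones.
for _spec in '^[A1,A2]' '^US' '^[A1,USA]' 'A1' '^[ZZ]'; do
    if validate_country_spec "$_spec" >/dev/null 2>&1; then
        echo "$_spec: ok"
    else
        echo "$_spec: rejected"
    fi
done
```

The syntax check and the membership check are kept separate so the first can run on any system while the second is only meaningful where the same country-code database as the target firewall is available.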
IPv4 A1 => "Anonymous Proxy" , A2 => "Satellite Provider" , AD => "Andorra" , AE => "United Arab Emirates" , AF => "Afghanistan" , AG => "Antigua and Barbuda" , AI => "Anguilla" , AL => "Albania" , AM => "Armenia" , AN => "Netherlands Antilles" , AO => "Angola" , AP => "Asia/Pacific Region" , AQ => "Antarctica" , AR => "Argentina" , AS => "American Samoa" , AT => "Austria" , AU => "Australia" , AW => "Aruba" , AX => "Aland Islands" , AZ => "Azerbaijan" , BA => "Bosnia and Herzegovina" , BB => "Barbados" , BD => "Bangladesh" , BE => "Belgium" , BF => "Burkina Faso" , BG => "Bulgaria" , BH => "Bahrain" , BI => "Burundi" , BJ => "Benin" , BM => "Bermuda" , BN => "Brunei Darussalam" , BO => "Bolivia" , BR => "Brazil" , BS => "Bahamas" , BT => "Bhutan" , BV => "Bouvet Island" , BW => "Botswana" , BY => "Belarus" , BZ => "Belize" , CA => "Canada" , CC => "Cocos (Keeling) Islands" , CD => "Congo, The Democratic Republic of the" , CF => "Central African Republic" , CG => "Congo" , CH => "Switzerland" , CI => "Cote D'Ivoire" , CK => "Cook Islands" , CL => "Chile" , CM => "Cameroon" , CN => "China" , CO => "Colombia" , CR => "Costa Rica" , CU => "Cuba" , CV => "Cape Verde" , CX => "Christmas Island" , CY => "Cyprus" , CZ => "Czech Republic" , DE => "Germany" , DJ => "Djibouti" , DK => "Denmark" , DM => "Dominica" , DO => "Dominican Republic" , DZ => "Algeria" , EC => "Ecuador" , EE => "Estonia" , EG => "Egypt" , EH => "Western Sahara" , ER => "Eritrea" , ES => "Spain" , ET => "Ethiopia" , EU => "Europe" , FI => "Finland" , FJ => "Fiji" , FK => "Falkland Islands (Malvinas)" , FM => "Micronesia, Federated States of" , FO => "Faroe Islands" , FR => "France" , GA => "Gabon" , GB => "United Kingdom" , GD => "Grenada" , GE => "Georgia" , GF => "French Guiana" , GG => "Guernsey" , GH => "Ghana" , GI => "Gibraltar" , GL => "Greenland" , GM => "Gambia" , GN => "Guinea" , GP => "Guadeloupe" , GQ => "Equatorial Guinea" , GR => "Greece" , GS => "South Georgia and the South Sandwich 
Islands" , GT => "Guatemala" , GU => "Guam" , GW => "Guinea-Bissau" , GY => "Guyana" , HK => "Hong Kong" , HN => "Honduras" , HR => "Croatia" , HT => "Haiti" , HU => "Hungary" , ID => "Indonesia" , IE => "Ireland" , IL => "Israel" , IM => "Isle of Man" , IN => "India" , IO => "British Indian Ocean Territory" , IQ => "Iraq" , IR => "Iran, Islamic Republic of" , IS => "Iceland" , IT => "Italy" , JE => "Jersey" , JM => "Jamaica" , JO => "Jordan" , JP => "Japan" , KE => "Kenya" , KG => "Kyrgyzstan" , KH => "Cambodia" , KI => "Kiribati" , KM => "Comoros" , KN => "Saint Kitts and Nevis" , KP => "Korea, Democratic People's Republic of" , KR => "Korea, Republic of" , KW => "Kuwait" , KY => "Cayman Islands" , KZ => "Kazakhstan" , LA => "Lao People's Democratic Republic" , LB => "Lebanon" , LC => "Saint Lucia" , LI => "Liechtenstein" , LK => "Sri Lanka" , LR => "Liberia" , LS => "Lesotho" , LT => "Lithuania" , LU => "Luxembourg" , LV => "Latvia" , LY => "Libyan Arab Jamahiriya" , MA => "Morocco" , MC => "Monaco" , MD => "Moldova, Republic of" , ME => "Montenegro" , MG => "Madagascar" , MH => "Marshall Islands" , MK => "Macedonia" , ML => "Mali" , MM => "Myanmar" , MN => "Mongolia" , MO => "Macau" , MP => "Northern Mariana Islands" , MQ => "Martinique" , MR => "Mauritania" , MS => "Montserrat" , MT => "Malta" , MU => "Mauritius" , MV => "Maldives" , MW => "Malawi" , MX => "Mexico" , MY => "Malaysia" , MZ => "Mozambique" , NA => "Namibia" , NC => "New Caledonia" , NE => "Niger" , NF => "Norfolk Island" , NG => "Nigeria" , NI => "Nicaragua" , NL => "Netherlands" , NO => "Norway" , NP => "Nepal" , NR => "Nauru" , NU => "Niue" , NZ => "New Zealand" , OM => "Oman" , PA => "Panama" , PE => "Peru" , PF => "French Polynesia" , PG => "Papua New Guinea" , PH => "Philippines" , PK => "Pakistan" , PL => "Poland" , PM => "Saint Pierre and Miquelon" , PR => "Puerto Rico" , PS => "Palestinian Territory, Occupied" , PT => "Portugal" , PW => "Palau" , PY => "Paraguay" , QA => "Qatar" , RE => 
"Reunion" , RO => "Romania" , RS => "Serbia" , RU => "Russian Federation" , RW => "Rwanda" , SA => "Saudi Arabia" , SB => "Solomon Islands" , SC => "Seychelles" , SD => "Sudan" , SE => "Sweden" , SG => "Singapore" , SH => "Saint Helena" , SI => "Slovenia" , SJ => "Svalbard and Jan Mayen" , SK => "Slovakia" , SL => "Sierra Leone" , SM => "San Marino" , SN => "Senegal" , SO => "Somalia" , SR => "Suriname" , ST => "Sao Tome and Principe" , SV => "El Salvador" , SY => "Syrian Arab Republic" , SZ => "Swaziland" , TC => "Turks and Caicos Islands" , TD => "Chad" , TF => "French Southern Territories" , TG => "Togo" , TH => "Thailand" , TJ => "Tajikistan" , TK => "Tokelau" , TL => "Timor-Leste" , TM => "Turkmenistan" , TN => "Tunisia" , TO => "Tonga" , TR => "Turkey" , TT => "Trinidad and Tobago" , TV => "Tuvalu" , TW => "Taiwan" , TZ => "Tanzania, United Republic of" , UA => "Ukraine" , UG => "Uganda" , UM => "United States Minor Outlying Islands" , US => "United States" , UY => "Uruguay" , UZ => "Uzbekistan" , VA => "Holy See (Vatican City State)" , VC => "Saint Vincent and the Grenadines" , VE => "Venezuela" , VG => "Virgin Islands, British" , VI => "Virgin Islands, U.S." , VN => "Vietnam" , VU => "Vanuatu" , WF => "Wallis and Futuna" , WS => "Samoa" , YE => "Yemen" , YT => "Mayotte" , ZA => "South Africa" , ZM => "Zambia" , ZW => "Zimbabwe" ,
IPv6 AD => "Andorra" , AE => "United Arab Emirates" , AF => "Afghanistan" , AL => "Albania" , AM => "Armenia" , AO => "Angola" , AP => "Asia/Pacific Region" , AR => "Argentina" , AS => "American Samoa" , AT => "Austria" , AU => "Australia" , AW => "Aruba" , AZ => "Azerbaijan" , BA => "Bosnia and Herzegovina" , BD => "Bangladesh" , BE => "Belgium" , BF => "Burkina Faso" , BG => "Bulgaria" , BH => "Bahrain" , BI => "Burundi" , BJ => "Benin" , BM => "Bermuda" , BN => "Brunei Darussalam" , BO => "Bolivia" , BR => "Brazil" , BS => "Bahamas" , BT => "Bhutan" , BW => "Botswana" , BY => "Belarus" , BZ => "Belize" , CA => "Canada" , CD => "Congo, The Democratic Republic of the" , CH => "Switzerland" , CI => "Cote D'Ivoire" , CK => "Cook Islands" , CL => "Chile" , CM => "Cameroon" , CN => "China" , CO => "Colombia" , CR => "Costa Rica" , CU => "Cuba" , CW => "" , CY => "Cyprus" , CZ => "Czech Republic" , DE => "Germany" , DJ => "Djibouti" , DK => "Denmark" , DO => "Dominican Republic" , DZ => "Algeria" , EC => "Ecuador" , EE => "Estonia" , EG => "Egypt" , ES => "Spain" , EU => "Europe" , FI => "Finland" , FJ => "Fiji" , FM => "Micronesia, Federated States of" , FO => "Faroe Islands" , FR => "France" , GB => "United Kingdom" , GD => "Grenada" , GE => "Georgia" , GG => "Guernsey" , GH => "Ghana" , GI => "Gibraltar" , GL => "Greenland" , GM => "Gambia" , GP => "Guadeloupe" , GR => "Greece" , GT => "Guatemala" , GU => "Guam" , GY => "Guyana" , HK => "Hong Kong" , HN => "Honduras" , HR => "Croatia" , HT => "Haiti" , HU => "Hungary" , ID => "Indonesia" , IE => "Ireland" , IL => "Israel" , IM => "Isle of Man" , IN => "India" , IQ => "Iraq" , IR => "Iran, Islamic Republic of" , IS => "Iceland" , IT => "Italy" , JE => "Jersey" , JM => "Jamaica" , JO => "Jordan" , JP => "Japan" , KE => "Kenya" , KG => "Kyrgyzstan" , KH => "Cambodia" , KN => "Saint Kitts and Nevis" , KR => "Korea, Republic of" , KW => "Kuwait" , KY => "Cayman Islands" , KZ => "Kazakhstan" , LA => "Lao People's 
Democratic Republic" , LB => "Lebanon" , LI => "Liechtenstein" , LK => "Sri Lanka" , LS => "Lesotho" , LT => "Lithuania" , LU => "Luxembourg" , LV => "Latvia" , LY => "Libyan Arab Jamahiriya" , MA => "Morocco" , MC => "Monaco" , MD => "Moldova, Republic of" , ME => "Montenegro" , MG => "Madagascar" , MH => "Marshall Islands" , MK => "Macedonia" , ML => "Mali" , MM => "Myanmar" , MN => "Mongolia" , MO => "Macau" , MT => "Malta" , MU => "Mauritius" , MV => "Maldives" , MW => "Malawi" , MX => "Mexico" , MY => "Malaysia" , MZ => "Mozambique" , NA => "Namibia" , NC => "New Caledonia" , NF => "Norfolk Island" , NG => "Nigeria" , NI => "Nicaragua" , NL => "Netherlands" , NO => "Norway" , NP => "Nepal" , NR => "Nauru" , NU => "Niue" , NZ => "New Zealand" , OM => "Oman" , PA => "Panama" , PE => "Peru" , PF => "French Polynesia" , PG => "Papua New Guinea" , PH => "Philippines" , PK => "Pakistan" , PL => "Poland" , PR => "Puerto Rico" , PS => "Palestinian Territory" , PT => "Portugal" , PW => "Palau" , PY => "Paraguay" , QA => "Qatar" , RO => "Romania" , RS => "Serbia" , RU => "Russian Federation" , RW => "Rwanda" , SA => "Saudi Arabia" , SB => "Solomon Islands" , SC => "Seychelles" , SD => "Sudan" , SE => "Sweden" , SG => "Singapore" , SI => "Slovenia" , SK => "Slovakia" , SL => "Sierra Leone" , SM => "San Marino" , SN => "Senegal" , SO => "Somalia" , ST => "Sao Tome and Principe" , SV => "El Salvador" , SY => "Syrian Arab Republic" , SZ => "Swaziland" , TH => "Thailand" , TK => "Tokelau" , TN => "Tunisia" , TO => "Tonga" , TR => "Turkey" , TT => "Trinidad and Tobago" , TV => "Tuvalu" , TW => "Taiwan" , TZ => "Tanzania, United Republic of" , UA => "Ukraine" , UG => "Uganda" , US => "United States" , UY => "Uruguay" , UZ => "Uzbekistan" , VA => "Holy See (Vatican City State)" , VE => "Venezuela" , VI => "Virgin Islands, U.S." , VN => "Vietnam" , VU => "Vanuatu" , WS => "Samoa" , YE => "Yemen" , ZA => "South Africa" , ZM => "Zambia" , ZW => "Zimbabwe" ,
shorewall-docs-xml-5.2.3/netmap.xml
Network Mapping

Tom Eastep

2004-2005, 2007, 2011 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Why use Network Mapping

Network Mapping is most often used to resolve IP address conflicts. Suppose that two organizations, A and B, need to be linked and that both organizations have allocated the 192.168.1.0/24 subnetwork. There is a need to connect the two networks so that all systems in A can access the 192.168.1.0/24 network in B and vice versa without any re-addressing.
Solution

Shorewall NETMAP support is designed to supply a solution. The basic situation is as shown in the following diagram. While the link between the two firewalls is shown here as a VPN, it could be any type of interconnection that allows routing of RFC 1918 traffic.

The systems in the top cloud will access the 192.168.1.0/24 subnet in the lower cloud using addresses in another unused /24. Similarly, the systems in the bottom cloud will access the 192.168.1.0/24 subnet in the upper cloud using a second unused /24.

In order to apply this solution:

- You must be running Shorewall 2.0.1 Beta 2 or later.
- Your kernel must have NETMAP support. 2.6 Kernels have NETMAP support without patching while 2.4 kernels must be patched using Patch-O-Matic from netfilter.org. NETMAP support must be enabled in your kernel (CONFIG_IP_NF_TARGET_NETMAP=m or CONFIG_IP_NF_TARGET_NETMAP=y).
- Your iptables must have NETMAP support. NETMAP support is available in iptables 1.2.9 and later.

Network mapping is defined using the /etc/shorewall/netmap file. Columns in this file are:

TYPE
    Must be DNAT or SNAT. If DNAT, traffic entering INTERFACE and addressed to NET1 has its destination address rewritten to the corresponding address in NET2. If SNAT, traffic leaving INTERFACE with a source address in NET1 has its source address rewritten to the corresponding address in NET2.

NET1
    Must be expressed in CIDR format (e.g., 192.168.1.0/24). Beginning with Shorewall 4.4.24, exclusion is supported.

INTERFACE
    A firewall interface. This interface must have been defined in /etc/shorewall/interfaces.

NET2
    A second network expressed in CIDR format.

NET3 (Optional) - network-address
    Added in Shorewall 4.4.11. If specified, qualifies INTERFACE. It specifies a SOURCE network for DNAT rules and a DESTINATION network for SNAT rules.

PROTO (Optional - Added in Shorewall 4.4.23.2) - protocol-number-or-name
    Only packets specifying this protocol will have their IP header modified.

DPORT (Optional - Added in Shorewall 4.4.23.2) - port-number-or-name-list
    Destination Ports. A comma-separated list of Port names (from services(5)), port numbers or port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading "--" (example bit for bit-torrent). If no PORT is given, ipp2p is assumed. An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following fields is supplied.

SPORT (Optional - Added in Shorewall 4.4.23.2) - port-number-or-name-list
    Source port(s). If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges. An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following fields is supplied.

Referring to the figure above, let's suppose that systems in the top cloud are going to access the 192.168.1.0/24 network in the bottom cloud using addresses in 10.10.10.0/24 and that systems in the bottom cloud will access 192.168.1.0/24 in the top cloud using addresses in 10.10.11.0. You must arrange for routing as follows:

- Traffic from the top cloud to 10.10.10.0/24 must be routed to eth0 on firewall 1.
- Firewall 1 must route traffic to 10.10.10.0/24 through firewall 2.
- Traffic from the bottom cloud to 10.10.11.0/24 must be routed to eth0 on firewall 2.
- Firewall 2 must route traffic to 10.10.11.0/24 through firewall 1.
If you are running Shorewall 4.4.22 or Earlier

The entries in /etc/shorewall/netmap in firewall1 would be as follows:

    #TYPE   NET1              INTERFACE   NET2
    SNAT    192.168.1.0/24    vpn         10.10.11.0/24     #RULE 1A
    DNAT    10.10.11.0/24     vpn         192.168.1.0/24    #RULE 1B

The entry in /etc/shorewall/netmap in firewall2 would be:

    #TYPE   NET1              INTERFACE   NET2
    DNAT    10.10.10.0/24     vpn         192.168.1.0/24    #RULE 2A
    SNAT    192.168.1.0/24    vpn         10.10.10.0/24     #RULE 2B

192.168.1.4 in the top cloud connects to 192.168.1.27 in the bottom cloud

In order to make this connection, the client attempts a connection to 10.10.10.27. The following table shows how the source and destination IP addresses are modified as requests are sent and replies are returned. The RULE column refers to the above /etc/shorewall/netmap entries and gives the rule which transforms the source and destination IP addresses to those shown on the next line.

    FROM                              TO                                SOURCE IP ADDRESS   DESTINATION IP ADDRESS   RULE
    192.168.1.4 in upper cloud        Firewall 1                        192.168.1.4         10.10.10.27              1A
    Firewall 1                        Firewall 2                        10.10.11.4          10.10.10.27              2A
    Firewall 2                        192.168.1.27 in lower cloud       10.10.11.4          192.168.1.27
    192.168.1.27 in the lower cloud   Firewall 2                        192.168.1.27        10.10.11.4               2B
    Firewall 2                        Firewall 1                        10.10.10.27         10.10.11.4               1B
    Firewall 1                        192.168.1.4 in upper cloud        10.10.10.27         192.168.1.4

See the OpenVPN documentation for a solution contributed by Nicola Moretti for resolving duplicate networks in a roadwarrior VPN environment.
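The table above can be reproduced by modelling what the NETMAP target does: it replaces the network prefix of an address (NET1's prefix) with NET2's prefix while preserving the host bits, so 192.168.1.4 under 192.168.1.0/24 -> 10.10.11.0/24 becomes 10.10.11.4. The following Python is an added example, not Shorewall or Netfilter code; it encodes rules 1A, 1B, 2A and 2B from the two netmap files above (the INTERFACE column is omitted from the model) and walks a request and its reply through them.

```python
import ipaddress


def netmap(addr: str, net1: str, net2: str) -> str:
    """1:1 network mapping as performed by the NETMAP target.

    The network part of addr (NET1's prefix) is replaced by NET2's prefix
    and the host bits are preserved. Raises ValueError when addr is not in
    NET1 or when the two networks differ in size, which a 1:1 map cannot
    accommodate.
    """
    ip = ipaddress.ip_address(addr)
    n1 = ipaddress.ip_network(net1, strict=False)
    n2 = ipaddress.ip_network(net2, strict=False)
    if n1.prefixlen != n2.prefixlen:
        raise ValueError("NET1 and NET2 must have the same prefix length")
    if ip not in n1:
        raise ValueError(f"{ip} is not in {n1}")
    host_bits = int(ip) & int(n1.hostmask)
    return str(ipaddress.ip_address(int(n2.network_address) | host_bits))


# The /etc/shorewall/netmap entries from the text: (TYPE, NET1, NET2).
RULES = {
    "1A": ("SNAT", "192.168.1.0/24", "10.10.11.0/24"),   # firewall1
    "1B": ("DNAT", "10.10.11.0/24", "192.168.1.0/24"),   # firewall1
    "2A": ("DNAT", "10.10.10.0/24", "192.168.1.0/24"),   # firewall2
    "2B": ("SNAT", "192.168.1.0/24", "10.10.10.0/24"),   # firewall2
}


def apply_rule(label: str, src: str, dst: str):
    """Apply one netmap entry to a (src, dst) pair.

    SNAT rewrites the source address, DNAT the destination. The pair is
    returned unchanged when the relevant address lies outside NET1, which
    is how a non-matching NETMAP rule behaves.
    """
    kind, net1, net2 = RULES[label]
    try:
        if kind == "SNAT":
            return netmap(src, net1, net2), dst
        return src, netmap(dst, net1, net2)
    except ValueError:
        return src, dst


def trace_connection(client="192.168.1.4", target="10.10.10.27"):
    """Walk the request through 1A then 2A and the reply through 2B then 1B.

    Returns the (src, dst) pairs as seen at each hop, in the same order as
    the rows of the table in the text.
    """
    hops = [(client, target)]
    src, dst = apply_rule("1A", client, target)      # leaving firewall 1
    hops.append((src, dst))
    src, dst = apply_rule("2A", src, dst)            # entering firewall 2
    hops.append((src, dst))
    rsrc, rdst = dst, src                            # lower-cloud host replies
    hops.append((rsrc, rdst))
    rsrc, rdst = apply_rule("2B", rsrc, rdst)        # leaving firewall 2
    hops.append((rsrc, rdst))
    rsrc, rdst = apply_rule("1B", rsrc, rdst)        # entering firewall 1
    hops.append((rsrc, rdst))
    return hops


if __name__ == "__main__":
    for src, dst in trace_connection():
        print(f"{src:>14} -> {dst:<14}")
```

Because the host bits are carried through unchanged, the mapped /24 on each side must be at least as large as the real one; the ValueError on a prefix-length mismatch makes that constraint visible before a rule is deployed.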
If you are running Shorewall 4.4.23 or Later

Beginning with Shorewall 4.4.23, you can bridge two duplicate networks with one router, provided that your kernel and iptables include Rawpost Table Support. That support is used to implement Stateless NAT which allows for performing DNAT in the rawpost table POSTROUTING and OUTPUT chains and for performing SNAT in the raw table PREROUTING chain.

Using this support, only firewall1 requires /etc/shorewall/netmap. Two additional entries are added.

    #TYPE     NET1              INTERFACE   NET2
    SNAT      192.168.1.0/24    vpn         10.10.11.0/24
    DNAT      10.10.11.0/24     vpn         192.168.1.0/24
    SNAT:P    192.168.1.0/24    vpn         10.10.10.0/24
    DNAT:T    10.10.10.0/24     vpn         192.168.1.0/24

The last two entries define Stateless NAT by specifying a chain designator (:P for PREROUTING and :T for POSTROUTING respectively). See shorewall-netmap (5) for details.
IPv6

Beginning with Shorewall6 4.4.24, IPv6 support for Netmap is included. This provides a way to use private IPv6 addresses internally and still have access to the IPv6 internet. IPv6 netmap is stateless which means that there are no Netfilter helpers for applications that need them. As a consequence, applications that require a helper (FTP, IRC, etc.) may experience issues.

For IPv6, the chain designator (:P for PREROUTING or :T for POSTROUTING) is required in the TYPE column. Normally SNAT rules are placed in the POSTROUTING chain while DNAT rules are placed in PREROUTING. To use IPv6 Netmap, your kernel and iptables must include Rawpost Table Support.

IPv6 Netmap has been verified at shorewall.net using the configuration shown below. IPv6 support is supplied from Hurricane Electric; the IPv6 address block is 2001:470:b:227::/64. Because of the limitations of IPv6 NETMAP (no Netfilter helpers), the servers in the DMZ have public addresses in the block 2001:470:b:227::/112. The local LAN uses the private network fd00:470:b:227::/64 with the hosts autoconfigured using radvd. This block is allocated from the range (fc00::/7) reserved for Unique Local Addresses. The /etc/shorewall6/netmap file is as follows:

    #TYPE    NET1                                        INTERFACE   NET2                   NET3   PROTO   DEST      SOURCE
    #                                                                                                       PORT(S)   PORT(S)
    SNAT:T   fd00:470:b:227::/64                         HE_IF       2001:470:b:227::/64
    DNAT:P   2001:470:b:227::/64!2001:470:b:227::/112\
                                                         HE_IF       fd00:470:b:227::/64

HE_IF is the logical name for interface sit1. On output, the private address block is mapped to the public block. Because autoconfiguration is used, none of the local addresses falls into the range fd00:470:b:227::/112. That range can therefore be excluded from DNAT.

While the site local network that was used is very similar to the public network (only the first word is different), that isn't a requirement. We could have just as well used fd00:bad:dead:beef::/64.

The MacBook Pro running OS X Lion refused to autoconfigure when radvd advertised a site-local network (fec0:470:b:227::/64) but worked fine with the unique-local network (fd00:470:b:227::/64). Note that site-local addresses were deprecated in RFC3879.

This whole scheme isn't quite as useful as it might appear. Many IPv6-enabled applications (web browsers, for example) are smart enough to recognize unique local addresses and will only use IPv6 to communicate with other such local addresses.
shorewall-docs-xml-5.2.3/IPSEC-2.6.xml
IPsec

Tom Eastep
Roberto Sanchez

2004, 2005, 2006, 2009, 2016 Thomas M. Eastep
2007 Roberto C. Sanchez

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.

Shorewall does not configure IPsec for you -- it rather configures netfilter to accommodate your IPsec configuration. The information in this article is only applicable if you plan to have IPsec end-points on the same system where Shorewall is used.

While this article shows configuration of IPsec using ipsec-tools, Shorewall configuration is exactly the same when using OpenSwan or any of the other Swan derivatives.

When running a Linux kernel prior to 2.6.20, the Netfilter+IPsec and policy match support are broken when used with a bridge device. The problem was corrected in Kernel 2.6.20 as a result of the removal of deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See the "Shorewall-perl and Bridged Firewalls" article.
Shorewall and Kernel 2.6 IPsec

This is not a HOWTO for Kernel 2.6 IPsec -- for that, please see http://www.ipsec-howto.org/.

The 2.6 Linux Kernel introduced new facilities for defining encrypted communication between hosts in a network. The network administrator defines a set of Security Policies which are stored in the kernel as a Security Policy Database (SPD). Security policies determine which traffic is subject to encryption. Security Associations are created between pairs of hosts in the network (one SA for traffic in each direction); these SAs define how traffic is to be encrypted. Outgoing traffic that is to be encrypted according to the contents of the SPD requires an appropriate SA to exist. SAs may be created manually using setkey(8) but most often, they are created by a cooperative process involving the ISAKMP protocol and a daemon included in your IPsec package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.). Incoming traffic is verified against the SPD to ensure that no unencrypted traffic is accepted in violation of the administrator's policies.

There are three ways in which IPsec traffic can interact with Shorewall policies and rules:

1. Traffic that is encrypted on the firewall system. The traffic passes through Netfilter twice -- first as unencrypted then encrypted.
2. Traffic that is decrypted on the firewall system. The traffic passes through Netfilter twice -- first as encrypted then as unencrypted.
3. Encrypted traffic that is passed through the firewall system. The traffic passes through Netfilter once.

In cases 1 and 2, the encrypted traffic is handled by entries in /etc/shorewall/tunnels (don't be misled by the name of the file -- transport mode encrypted traffic is also handled by entries in that file). The unencrypted traffic is handled by normal rules and policies.

Under the 2.4 Linux Kernel, the association of unencrypted traffic and zones was made easy by the presence of IPsec pseudo-interfaces with names of the form ipsecN (e.g. ipsec0). Outgoing unencrypted traffic (case 1) was sent through an ipsecN device while incoming unencrypted traffic (case 2) arrived from an ipsecN device. The 2.6 kernel-based implementation does away with these pseudo-interfaces. Outgoing traffic that is going to be encrypted and incoming traffic that has been decrypted must be matched against policies in the SPD and/or the appropriate SA.

Shorewall provides support for policy matching in three ways:

1. In /etc/shorewall/masq (/etc/shorewall/snat when running Shorewall 5.0.14 or later), traffic that will later be encrypted is exempted from MASQUERADE/SNAT using existing entries. If you want to MASQUERADE/SNAT outgoing traffic that will later be encrypted, you must include the appropriate indication in the IPSEC column in that file.
2. The /etc/shorewall/zones file allows you to associate zones with traffic that will be encrypted or that has been decrypted.
3. A new option (ipsec) has been provided for entries in /etc/shorewall/hosts. When an entry has this option specified, traffic to/from the hosts described in the entry is assumed to be encrypted.

In summary, Shorewall provides the facilities to replace the use of IPsec pseudo-interfaces in zone and MASQUERADE/SNAT definition. There are two cases to consider:

1. Encrypted communication is used to/from all hosts in a zone. The value ipsec is placed in the TYPE column of the /etc/shorewall/zones entry for the zone.
2. By default, encrypted communication is not used to communicate with the hosts in a zone. The value ipv4 is placed in the TYPE column of the /etc/shorewall/zones entry for the zone and the new ipsec option is specified in /etc/shorewall/hosts for any hosts requiring secure communication.

For simple zones such as are shown in the following examples, the two techniques are equivalent and are used interchangeably.

It is redundant to have ipsec in the TYPE column of the /etc/shorewall/zones entry for a zone and to also have the ipsec option in /etc/shorewall/hosts entries for that zone.

Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in /etc/shorewall/zones can be used to match the zone to a particular (set of) SA(s) used to encrypt and decrypt traffic to/from the zone and the security policies that select which traffic to encrypt/decrypt.

This article provides guidance regarding configuring Shorewall to use with IPsec. For configuring IPsec itself, consult your IPsec product's documentation.
IPsec Gateway on the Firewall System

Suppose that we have the following situation: We want systems in the 192.168.1.0/24 sub-network to be able to communicate with systems in the 10.0.0.0/8 network. We assume that on both systems A and B, eth0 is the Internet interface.

To make this work, we need to do two things:

1. Open the firewall so that the IPsec tunnel can be established (allow the ESP protocol and UDP Port 500).
2. Allow traffic through the tunnel.

Opening the firewall for the IPsec tunnel is accomplished by adding an entry to the /etc/shorewall/tunnels file. In /etc/shorewall/tunnels on system A, we need the following:

/etc/shorewall/tunnels — System A:

    #TYPE    ZONE    GATEWAY         GATEWAY_ZONE
    ipsec    net     134.28.54.2

/etc/shorewall/tunnels — System B:

    #TYPE    ZONE    GATEWAY         GATEWAY_ZONE
    ipsec    net     206.162.148.9

If either of the endpoints is behind a NAT gateway then the tunnels file entry on the other endpoint should specify a tunnel type of ipsecnat rather than ipsec and the GATEWAY address should specify the external address of the NAT gateway.

You need to define a zone for the remote subnet or include it in your local zone. In this example, we'll assume that you have created a zone called vpn to represent the remote subnet.

/etc/shorewall/zones — Systems A and B:

    #ZONE    TYPE    OPTIONS    IN_OPTIONS    OUT_OPTIONS
    net      ipv4
    vpn      ipv4

Remember the assumption that both systems A and B have eth0 as their Internet interface.

You must define the vpn zone using the /etc/shorewall/hosts file. The hosts file entries below assume that you want the remote gateway to be part of the vpn zone — If you don't wish the remote gateway included, simply omit its IP address from the HOSTS column.

/etc/shorewall/hosts — System A:

    #ZONE    HOSTS                            OPTIONS
    vpn      eth0:10.0.0.0/8,134.28.54.2      ipsec

/etc/shorewall/hosts — System B:

    #ZONE    HOSTS                               OPTIONS
    vpn      eth0:192.168.1.0/24,206.162.148.9   ipsec

If you want to keep things simple, you can simply not restrict the set of addresses in the ipsec zones:

    #ZONE    HOSTS               OPTIONS
    vpn      eth0:0.0.0.0/0      ipsec

Assuming that you want to give each local network free access to the remote network and vice versa, you would need the following /etc/shorewall/policy entries on each system:

    #SOURCE    DEST    POLICY    LEVEL    BURST:LIMIT
    loc        vpn     ACCEPT
    vpn        loc     ACCEPT

If you need access from each firewall to hosts in the other network, then you could add:

    #SOURCE    DEST    POLICY    LEVEL    BURST:LIMIT
    $FW        vpn     ACCEPT

If you need access between the firewalls, you should describe the access in your /etc/shorewall/rules file. For example, to allow SSH access from System B, add this rule on system A:

    #ACTION    SOURCE             DEST    PROTO    POLICY
    ACCEPT     vpn:134.28.54.2    $FW

If you have hosts that access the Internet through an IPsec tunnel, then it is a good idea to set the MSS value for traffic from those hosts explicitly in the /etc/shorewall/zones file. For example, if hosts in the vpn zone access the Internet through an ESP tunnel then the following entry would be appropriate:

    #ZONE    TYPE     OPTIONS                 IN_OPTIONS    OUT_OPTIONS
    vpn      ipsec    mode=tunnel mss=1400

You should also set FASTACCEPT=No in shorewall.conf to ensure that both the SYN and SYN,ACK packets have their MSS field adjusted.

Note that CLAMPMSS=Yes in shorewall.conf isn't effective with the 2.6 native IPsec implementation because there is no separate IPsec device with a lower mtu as there was under the 2.4 and earlier kernels.
Mobile System (Road Warrior)

Suppose that you have a laptop system (B) that you take with you when you travel and you want to be able to establish a secure connection back to your local network.

Road Warrior VPN

You need to define a zone for the laptop or include it in your local zone. In this example, we'll assume that you have created a zone called vpn to represent the remote host.

/etc/shorewall/zones — System A:

    #ZONE    TYPE     OPTIONS    IN_OPTIONS    OUT_OPTIONS
    net      ipv4
    vpn      ipsec
    loc      ipv4

In this instance, the mobile system (B) has IP address 134.28.54.2 but that cannot be determined in advance. In the /etc/shorewall/tunnels file on system A, the following entry should be made:

    #TYPE    ZONE    GATEWAY      GATEWAY_ZONE
    ipsec    net     0.0.0.0/0    vpn

The GATEWAY_ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the gateway system itself comprises the peer subnetwork; in other words, the remote gateway is a standalone system.

The VPN zone is defined using the /etc/shorewall/hosts file:

/etc/shorewall/hosts — System A:

    #ZONE    HOSTS             OPTIONS
    vpn      eth0:0.0.0.0/0

You will need to configure your through-the-tunnel policy as shown under the first example above.

On the laptop:

/etc/shorewall/zones - System B:

    #ZONE    TYPE     OPTIONS    IN_OPTIONS    OUT_OPTIONS
    vpn      ipsec
    net      ipv4
    loc      ipv4

/etc/shorewall/tunnels - System B:

    #TYPE    ZONE    GATEWAY          GATEWAY_ZONE
    ipsec    net     206.162.148.9    vpn

/etc/shorewall/hosts - System B:

    #ZONE    HOSTS             OPTIONS
    vpn      eth0:0.0.0.0/0
Mobile System (Road Warrior) with Layer 2 Tunneling Protocol (L2TP) This section is based on the previous section. Please make sure that you read it thoroughly and understand it. The setup described in this section is more complex because you are including an additional layer of tunneling. Again, make sure that you have read the previous section and it is highly recommended to have the IPsec-only configuration working first. Additionally, this section assumes that you are running IPsec, xl2tpd and pppd on the same system that is running shorewall. However, configuration of these additional services is beyond the scope of this document. Getting layer 2 tunneling to work is an endeavour unto itself. However, if you succeed it can be very convenient. Reasons why you might want configure layer 2 tunneling protocol (L2TP): You want to give your road warrior an address that is in the same segment as the other hosts on your network. Your road warriors are using a legacy operating system (such as MS Windows or Mac OS X) and you do not want them to have to install third party software in order to connect to the VPN (both MS Windows and Mac OS X include VPN clients which natively support L2TP over IPsec, but not plain IPsec). You like a challenge. Since the target for a VPN including L2TP will (almost) never be a road warrior running Linux, I will not include the client side of the configuration. The first thing that needs to be done is to create a new zone called l2tp to represent the tunneled layer 2 traffic.
/etc/shorewall/zones — System A #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS et ipv4 vpn ipsec l2tp ipv4 loc ipv4
Since the L2TP will require the use of pppd, you will end up with one or more ppp interfaces (each representing an individual road warrior connection) for which you will need to account. This can be done by modifying the interfaces file. (Modify with additional options as needed.)
/etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect routefilter loc eth1 192.168.1.255 l2tp ppp+ -
The next thing that must be done is to adjust the policy so that the traffic can go where it needs to go. First, you need to decide if you want for hosts in your local zone to be able to connect to your road warriors. You may or may not want to allow this. For example, one reason you might want to allow this is so that your support personnel can use ssh, VNC or remote desktop to fix a problem on the road warrior's laptop. Second, you need to decide if you want the road warrior to have access to hosts on the local network. You generally want to allow this. For example, if you have DNS servers on your local network that you want the road warrior to use. Or perhaps the road warrior needs to mount NFS shares or needs to access intranet sites which are not visible from the public Internet. Finally, you need to decide if you want the road warriors to be able to access the public Internet. You probably want to do this, unless you are trying to create a situation where when the road warrior connects to the VPN, it is no longer possible to send traffic from the road warrior's machine to the public Internet. Please note that this not really a strong security measure. The road warrior could trivially modify the routing table on the remote machine to have only traffic destined for systems on the VPN local network go through the secure channel. The rest of the traffic would simply travel over an Ethernet or wireless interface directly to the public Internet. In fact, this latter situation is dangerous, as a simple mistake could easily create a situation where the road warrior's machine is acting as a router between your local network and the public Internet, which you certainly do not want to happen. In short, it is best to allow the road warrior to connect to the public Internet by default.
/etc/shorewall/policy: #SOURCE DEST POLICY LOGLEVEL LIMIT $FW all ACCEPT loc net ACCEPT loc l2tp ACCEPT # Allows local machines to connect to road warriors l2tp loc ACCEPT # Allows road warriors to connect to local machines l2tp net ACCEPT # Allows road warriors to connect to the Internet net all DROP info # The FOLLOWING POLICY MUST BE LAST all all REJECT info
The final step is to modify your rules file. There are three important components. First, you must allow the l2tp traffic to reach the xl2tpd process running on the firewall machine. Second, you must add rules to open up ports on the firewall to the road warrior for services which are running on the firewall. For example, if you are running a webserver on the firewall that must be accessible to road warriors. The reason for the second step is that the policy does not by default allow unrestricted access to the firewall itself. Finally, you should protect an exploit where an attacker can exploit your LT2P server due to a hole in the way that L2TP interacts with UDP connection tracking.
/etc/shorewall/rules:

#ACTION         SOURCE   DEST   PROTO   DPORT   SPORT
?SECTION ESTABLISHED
# Prevent IPsec bypass by hosts behind a NAT gateway
L2TP(REJECT)    net      $FW
REJECT          $FW      net    udp     -       1701
?SECTION NEW
# l2tp over the IPsec VPN
ACCEPT          vpn      $FW    udp     1701
# webserver that can only be accessed internally
HTTP(ACCEPT)    loc      $FW
HTTP(ACCEPT)    l2tp     $FW
HTTPS(ACCEPT)   loc      $FW
HTTPS(ACCEPT)   l2tp     $FW
Transport Mode In today's wireless world, it is often the case that individual hosts in a network need to establish secure connections with the other hosts in that network. In that case, IPsec transport mode is an appropriate solution. Shorewall configuration goes as follows:
/etc/shorewall/interfaces:

#ZONE   INTERFACE   OPTIONS
net     eth0        routefilter,dhcp,tcpflags

/etc/shorewall/tunnels:

#TYPE   ZONE   GATEWAY           GATEWAY ZONE
ipsec   net    192.168.20.0/24   loc

/etc/shorewall/zones:

#ZONE   TYPE    OPTIONS          IN OPTIONS   OUT OPTIONS
loc     ipsec   mode=transport
net     ipv4

/etc/shorewall/hosts:

#ZONE   HOST(S)                OPTIONS
loc     eth0:192.168.20.0/24

It is worth noting that although loc is a sub-zone of net, because loc is an IPsec-only zone it does not need to be defined before net in /etc/shorewall/zones.

/etc/shorewall/policy:

#SOURCE   DEST   POLICY   LOGLEVEL   LIMIT
$FW       all    ACCEPT
loc       $FW    ACCEPT
net       loc    NONE
loc       net    NONE
net       all    DROP     info
# The FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

Since there are no cases where net<->loc traffic should occur, NONE policies are used.
IPCOMP

If your IPsec tunnel or transport mode connection fails to work with Shorewall started and you see log messages like the following when you try to use the connection, the problem is that IP compression is being used.

Feb 18 23:43:52 vpngw kernel: Shorewall:vpn2fw:REJECT:IN=eth2 OUT= MAC=00:e0:81:32:b3:5e:00:18:de:12:e5:15:08:00 SRC=172.29.59.58 DST=172.29.59.254 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=25600 DF PROTO=4

The solution is to add an IPCOMP tunnel to /etc/shorewall/tunnels as follows:

#TYPE   ZONE   GATEWAY     GATEWAY ZONE
ipip    vpn    0.0.0.0/0

The above assumes that the name of your IPsec vpn zone is vpn. Note that this protocol 4 (IPIP) traffic appears to originate in the vpn zone, but its source IP address is that of the remote gateway. As a consequence, that address must be included in the definition of the remote zone. If you haven't done that, the traffic will be dropped in the INPUT chain.
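As an added example that is not part of the Shorewall documentation, the Python below parses log lines of the kind shown above, picks out the protocol 4 packets rejected on input (the IPCOMP symptom), derives the tunnels entry from the chain name, and checks that the remote gateway's address lies inside the networks that define the vpn zone, as the text requires. The log lines, the zone name and the zone networks are all constructed here.

```python
import ipaddress
import re

# Constructed sample log lines. The first is the IPCOMP symptom described above;
# the second is an unrelated TCP drop that must not be flagged.
SAMPLE_LOG = """\
Feb 18 23:43:52 vpngw kernel: Shorewall:vpn2fw:REJECT:IN=eth2 OUT= MAC=00:e0:81:32:b3:5e:00:18:de:12:e5:15:08:00 SRC=172.29.59.58 DST=172.29.59.254 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=25600 DF PROTO=4
Feb 18 23:44:10 vpngw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:e0:81:32:b3:5e:00:18:de:12:e5:15:08:00 SRC=203.0.113.7 DST=172.29.59.254 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# "Shorewall:<chain>:<disposition>:" followed by the Netfilter key=value fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_line(line):
    """Split one Shorewall log line into chain, disposition and a dict of fields.
    Returns None for lines that are not Shorewall log messages."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    # Flags without a value (DF, SYN) carry no '=' and are simply skipped.
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {"chain": m.group("chain"), "disp": m.group("disp"), "fields": fields}


def find_ipcomp_rejects(log_text):
    """Return parsed records for IPIP (protocol 4) packets that were dropped or
    rejected on input (empty OUT=), i.e. the IPCOMP symptom."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disp"] not in ("DROP", "REJECT"):
            continue
        f = rec["fields"]
        if f.get("PROTO") == "4" and f.get("OUT", "") == "":
            hits.append(rec)
    return hits


def source_zone(chain):
    """Derive the source zone from a <src>2<dst> chain name such as vpn2fw."""
    if chain.endswith("2fw"):
        return chain[:-3]
    # Fallback for other chains; ambiguous if a zone name itself contains '2'.
    return chain.rsplit("2", 1)[0]


def suggest_tunnel_entry(rec):
    """The /etc/shorewall/tunnels line prescribed above: TYPE ZONE GATEWAY."""
    return "ipip\t%s\t0.0.0.0/0" % source_zone(rec["chain"])


def gateway_in_zone(src, zone_networks):
    """True when the remote gateway's address (SRC= in the log) falls inside
    the networks that define the vpn zone; otherwise the packets are dropped
    in the INPUT chain even after the ipip tunnel entry is added."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in zone_networks)


if __name__ == "__main__":
    for rec in find_ipcomp_rejects(SAMPLE_LOG):
        print(suggest_tunnel_entry(rec))
        # Constructed zone definition for the check.
        print("gateway in zone:", gateway_in_zone(rec["fields"]["SRC"], ["172.29.59.0/24"]))
```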
Using SNAT to Force Traffic over an IPsec Tunnel

Cases can arise where you need to use an IPsec tunnel to access a remote network, but you have no control over the associated security policies. In such cases, the resulting tunnel is accessible from your firewall but not from your local networks. Let's take an example:

  Remote gateway 192.0.2.26
  Remote subnet 172.22.4.0/24
  Your public IP address is 192.0.2.199
  Your Internet-facing interface is eth0
  Your local network is 192.168.219.0/24
  You want to access 172.22.4.0/24 from 192.168.219.0/24
  The IPsec tunnel is configured between 172.22.4.0/24 and 192.0.2.199

You need to configure as follows.

/etc/shorewall/zones:

#ZONE   TYPE   OPTIONS
...
vpn     ip     # Note that the zone cannot be declared as type ipsec
...

/etc/shorewall/interfaces:

#ZONE   INTERFACE   OPTIONS
net     eth0        nets=(!172.22.4.0/24),...   # You must exclude the remote network from the net zone

/etc/shorewall/hosts:

#ZONE   HOSTS                OPTIONS
vpn     eth0:172.22.4.0/24   mss=1380,destonly
vpn     eth0:0.0.0.0/0       mss=1380,ipsec

/etc/shorewall/snat:

#ACTION             SOURCE             DEST
SNAT(192.0.2.199)   192.168.219.0/24   eth0:172.22.4.0/24

/etc/shorewall/tunnels:

#TYPE   ZONE   GATEWAY      GATEWAY_ZONE
ipsec   net    192.0.2.26   vpn
shorewall-docs-xml-5.2.3/Shorewall-5.xml
Shorewall 5 Tom Eastep 2015 2016 2017 2018 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction

There are currently three principal groups of changes that distinguish Shorewall 5 from Shorewall 4:

  Cruft Removal - over the years, as new ways to accomplish various tasks were added to Shorewall, support for the old way of doing things was generally retained but deprecated. Shorewall 5 drops support for those deprecated features.
  Changes to CLI commands - In order to make command names more accurately reflect what the associated commands do, a number of commands have been renamed or the function that they perform has been changed.
  CLI unification - Beginning with Shorewall 5.1.0, there is a single CLI program (/sbin/shorewall or /usr/sbin/shorewall depending on your distribution).

Each of these groups is described in more detail in the sections that follow.
Cruft Removal Removal of superseded features makes the code cleaner and easier to extend while also reducing compilation and execution time. The following subsections detail the features that are no longer supported in Shorewall 5.
Scripts Compiled with Shorewall 4.4.7 or Earlier Shorewall 5 cannot correctly run scripts compiled with Shorewall 4.4.7 or earlier releases. Such scripts must be recompiled with 4.4.8 or later prior to upgrading to Shorewall 5.
Workarounds Over the years, a number of workarounds have been added to Shorewall to work around defects in other products. In current distributions, those defects have been corrected, and in 4.6.11, a WORKAROUNDS configuration option was added to disable those workarounds. In Shorewall 5, the WORKAROUNDS setting is still available in the shorewall[6].conf files but: Its default setting has been changed to No. All workarounds for old distributions have been eliminated. If there is a need to add new workarounds in the future, those workarounds will be enabled by WORKAROUNDS=Yes.
Removal of Configuration Options

A number of configuration options have been eliminated in Shorewall 5. The following options have been eliminated and the functionality that they enabled has been removed:

  EXPORTPARAMS
  IPSECFILE
  LEGACY_FASTSTART
  CHAIN_SCRIPTS (Removed in Shorewall 5.1).
  MODULE_SUFFIX (Removed in Shorewall 5.1.7). Shorewall can now locate modules independent of their suffix (extension).
  INLINE_MATCHES (Removed in Shorewall 5.2). Inline matches are now separated from column-oriented input by two adjacent semicolons (";;").
  MAPOLDACTIONS (Removed in Shorewall 5.2).

A compilation warning is issued when any of these options are encountered in the .conf file, and the shorewall[6] update command will remove them from the configuration file.

These options have been eliminated because they have been superseded by newer options:

  LOGRATE and LOGBURST (superseded by LOGLIMIT)
  WIDE_TC_MARKS (superseded by TC_BITS)
  HIGH_ROUTE_MARKS (superseded by PROVIDER_OFFSET)
  BLACKLISTNEWONLY (superseded by BLACKLIST)

A fatal compilation error is emitted if any of these options are present in the .conf file, and the shorewall[6] update command will replace these options with the equivalent setting of the options that supersede them.
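The two groups of options above lend themselves to a pre-upgrade check. The Python below is an added example, not Shorewall's own code: it scans a shorewall[6].conf, reports removed options as warnings and drops them (as the update command does), and reports superseded options as fatal, since converting those means rewriting a value. The sample .conf excerpt is constructed.

```python
import re

# Options whose functionality is gone: a compilation warning, and update drops them.
# Versions are the ones the text gives; "5.0" marks options gone since Shorewall 5 itself.
REMOVED_OPTIONS = {
    "EXPORTPARAMS": "5.0",
    "IPSECFILE": "5.0",
    "LEGACY_FASTSTART": "5.0",
    "CHAIN_SCRIPTS": "5.1",
    "MODULE_SUFFIX": "5.1.7",
    "INLINE_MATCHES": "5.2",
    "MAPOLDACTIONS": "5.2",
}

# Options superseded by a newer option: a fatal compilation error until converted.
SUPERSEDED_OPTIONS = {
    "LOGRATE": "LOGLIMIT",
    "LOGBURST": "LOGLIMIT",
    "WIDE_TC_MARKS": "TC_BITS",
    "HIGH_ROUTE_MARKS": "PROVIDER_OFFSET",
    "BLACKLISTNEWONLY": "BLACKLIST",
}

# Constructed excerpt of a Shorewall 4 era shorewall.conf (not a real site's file).
SAMPLE_CONF = """\
# constructed sample
STARTUP_ENABLED=Yes
EXPORTPARAMS=No
LOGRATE=10/minute
LOGBURST=5
MODULE_SUFFIX="ko ko.xz"
WORKAROUNDS=Yes
"""

SETTING_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=(.*)$")


def parse_setting(line):
    """Return (NAME, value) for a NAME=value line; None for comments and blanks."""
    m = SETTING_RE.match(line)
    if m is None:
        return None
    return m.group(1), m.group(2).strip()


def audit_conf(text):
    """Check shorewall[6].conf text against the Shorewall 5 option changes.

    Returns (findings, kept_lines). findings is a list of
    (severity, option, message). kept_lines is the file with the removed
    options dropped, mirroring what the update command does; superseded
    options are kept in place because converting them means rewriting a
    value, which this checker only reports."""
    findings, kept = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        setting = parse_setting(line)
        name = setting[0] if setting else None
        if name in REMOVED_OPTIONS:
            findings.append(("WARNING", name,
                             "line %d: removed in Shorewall %s; line dropped"
                             % (lineno, REMOVED_OPTIONS[name])))
            continue
        if name in SUPERSEDED_OPTIONS:
            findings.append(("ERROR", name,
                             "line %d: superseded by %s; fatal until converted"
                             % (lineno, SUPERSEDED_OPTIONS[name])))
        kept.append(line)
    return findings, kept


def has_fatal(findings):
    """True when compilation would fail (any superseded option present)."""
    return any(sev == "ERROR" for sev, _, _ in findings)


if __name__ == "__main__":
    findings, kept = audit_conf(SAMPLE_CONF)
    for sev, name, msg in findings:
        print("%s: %s: %s" % (sev, name, msg))
    print("compile would %s" % ("fail" if has_fatal(findings) else "succeed"))
```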
Obsolete Configuration Files Support has been removed for the 'blacklist', 'tcrules', 'routestopped', 'notrack', 'tos' and 'masq' files. The update command is available to convert the 'tcrules' and 'tos' files to the equivalent 'mangle' file, to convert the 'blacklist' file into an equivalent 'blrules' file, and to convert the 'masq' file to the equivalent 'snat' file. As in Shorewall 4.6.12, the update command converts the 'routestopped' file into the equivalent 'stoppedrules' file and converts a 'notrack' file to the equivalent 'conntrack' file. Note that in Shorewall 5.2, the update command
Macro and Action Formats

Originally, macro and action files had formats that were different from that of the rules file. Format-1 action files had the following columns:

  TARGET SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) RATE USER/GROUP MARK

Format-1 macro files were similar but did not support the MARK column. Format-2 macro and action files have these columns:

  TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER/GROUP MARK CONNLIMIT TIME HEADERS (Only valid for IPv6) SWITCH HELPER

Notice that the first five columns of both sets are the same (although the port-valued column names have changed, the contents are the same). In Shorewall 5, support for format-1 macros and actions has been dropped and all macros and actions will be processed as if ?FORMAT 2 were included before the first entry. Given that the vast majority of actions and macros only use the first five columns, this change will be of no concern to most users, but will cause compilation errors if columns beyond the fifth one are populated.
COMMENT, FORMAT and SECTION Lines COMMENT, FORMAT and SECTION Lines now require the leading question mark ("?"). In earlier releases, the question mark was optional. The shorewall[6] update -D command in Shorewall 4.6 will insert the question marks for you.
CLI Command Changes A number of commands have been renamed and/or now perform a different function.
restart The restart command now does a true restart and is equivalent to a stop followed by a start.
load The function performed by the Shorewall-4 load command is now performed by the remote-start command.
reload In Shorewall 5, the reload command now performs the same function as the restart command did in Shorewall 4. The action taken by the Shorewall-4 reload command is now performed by the remote-restart command. For those that can't get used to the idea of using reload in place of restart, a RESTART option has been added to shorewall[6].conf. The option defaults to 'restart' but if set to 'reload', then the restart command does what it did in earlier releases. Beginning with Shorewall 5.0.1 and Shorewall 4.6.13.2, the update command will set RESTART=reload to maintain compatibility with earlier releases. Shorewall 5.0.0 created the setting LEGACY_RESTART=No which was equivalent to RESTART=restart. Under Shorewall 5.0.1 and later, update will convert LEGACY_RESTART to the equivalent RESTART setting.
refresh Given the availability of ipset-based blacklisting, the refresh command was eliminated in Shorewall 5.2. Some users may have been using refresh as a lightweight form of reload. The most common of these uses seem to be for reloading traffic shaping after an interface has gone down and come back up. The best way to handle this situation under 5.2 is to make the interface 'optional' in your /etc/shorewall[6]/interfaces file, then either: Install Shorewall-init and enable IFUPDOWN; or Use the reenable command when the interface comes back up in place of the refresh command.
CLI Unification

Prior to Shorewall 5.1, there were four separate CLI programs:

  /sbin/shorewall or /usr/sbin/shorewall depending on your distribution. Packaged with Shorewall and used to control Shorewall.
  /sbin/shorewall6 or /usr/sbin/shorewall6 depending on your distribution. Packaged with Shorewall6 and used to control Shorewall6.
  /sbin/shorewall-lite or /usr/sbin/shorewall-lite depending on your distribution. Packaged with Shorewall-lite and used to control Shorewall-lite.
  /sbin/shorewall6-lite or /usr/sbin/shorewall6-lite depending on your distribution. Packaged with Shorewall6-lite and used to control Shorewall6-lite.

Each of these programs had its own (largely duplicated) manpage. Beginning with Shorewall 5.1, there is a single CLI program (/sbin/shorewall or /usr/sbin/shorewall) packaged with Shorewall-core. The Shorewall6, Shorewall-lite and Shorewall6-lite packages create a symbolic link to that program; the links are named shorewall6, shorewall-lite and shorewall6-lite respectively. These symbolic links are for backward compatibility only; all four products can be managed using the single CLI program itself. The manpages shorewall6(8), shorewall-lite(8) and shorewall6-lite(8) are skeletal and refer the reader to shorewall(8).
Upgrading to Shorewall 5 For detailed upgrade information, please consult the 'Migration Issues' section of the release notes for the version that you are upgrading to. It is strongly recommended that you first upgrade your installation to a 4.6 release that supports the option to the update command; 4.6.13.2 or later is preferred. Once you are on that release, execute the shorewall update -A command (and shorewall6 update -A if you also have Shorewall6). Finally, add ?FORMAT 2 to each of your macro and action files and be sure that the check command does not produce errors -- if it does, you can shuffle the columns around to make them work on both Shorewall 4 and Shorewall 5. These steps can also be taken after you upgrade, but your firewall likely won't start or work correctly until you do. The update command in Shorewall 5 has many fewer options. The , , , and options have been removed -- the updates triggered by those options are now performed unconditionally. The and options have been retained - both enable checking for issues that could result if INLINE_MATCHES were to be set to Yes. The -i option was removed in Shorewall 5.2, given that the INLINE_MATCHES option was also removed.
CHAIN_SCRIPTS Removal

Prior to the availability of ?[BEGIN] PERL .... ?END PERL, the only way to create Perl code to insert rules into a chain was to use a per-Chain script with the same name as the chain. The most common use of these scripts was with Actions where an action A would have an empty action.A file and then a file named A that contained Perl code. This was a hack, at best, and has been deprecated since embedded Perl has been available in action files. In Shorewall 5.1, the compiler notices that action.A is empty and looks for a file named A on the CONFIG_PATH. If that file is found, the compiler raises a fatal error:

ERROR: File action.A is empty and file A exists - the two must be combined as described in the Migration Considerations section of the Shorewall release notes

To resolve this issue, one of two approaches can be taken depending on what the script A does. If script A is simply inserting rules with ip[6]tables matches and/or targets that Shorewall doesn't directly support, they can probably be coded in the action.A file using the IP[6]TABLES action and/or inline matches. For example, the following script DNSDDOS:

use Shorewall::Chains;

add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|" -j DROP);
add_rule $chainref, q(-m string --algo bm --from 30 --to 31 --hex-string "|000000010000000000000000020001|" -j DROP);
add_rule $chainref, q(-j ACCEPT);

1;

can be coded in action.DNSDDOS as:

#TARGET   SOURCE   DEST
DROP      -        -      ;; -m string --algo bm --from 30 --to 31 --hex-string "|010000010000000000000000020001|"
DROP      -        -      ;; -m string --algo bm --from 30 --to 31 --hex-string "|000000010000000000000000020001|"
ACCEPT    -        -

The other approach is to simply convert A into embedded Perl in action.A.
Consider this SSHKnock script:

use Shorewall::Chains;

if ( $level ) {
    log_rule_limit( $level, $chainref, 'SSHKnock', 'ACCEPT', '', $tag, 'add', '-p tcp --dport 22 -m recent --rcheck --name SSH ' );
    log_rule_limit( $level, $chainref, 'SSHKnock', 'DROP', '', $tag, 'add', '-p tcp --dport ! 22 ' );
}

add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT' );
add_rule( $chainref, '-p tcp --dport 632 -m recent --name SSH --remove -j DROP' );
add_rule( $chainref, '-p tcp --dport 633 -m recent --name SSH --set -j DROP' );
add_rule( $chainref, '-p tcp --dport 634 -m recent --name SSH --remove -j DROP' );

1;

Because this script uses the implicit $level and $tag variables, it must remain in Perl. This mostly involves simply moving the SSHKnock script into action.SSHKnock, but requires some additional code in action.SSHKnock: the ?begin perl / ?end perl directives and the lines marked "# added" below.

?begin perl
use Shorewall::Config;   # added
use Shorewall::Chains;

my $chainref = get_action_chain;             # added
my ( $level, $tag ) = get_action_logging;    # added

if ( $level ) {
    log_rule_limit( $level, $chainref, 'SSHKnock', 'ACCEPT', '', $tag, 'add', '-p tcp --dport 22 -m recent --rcheck --name SSH ' );
    log_rule_limit( $level, $chainref, 'SSHKnock', 'DROP', '', $tag, 'add', '-p tcp --dport ! 22 ' );
}

add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT' );
add_rule( $chainref, '-p tcp --dport 632 -m recent --name SSH --remove -j DROP' );
add_rule( $chainref, '-p tcp --dport 633 -m recent --name SSH --set -j DROP' );
add_rule( $chainref, '-p tcp --dport 634 -m recent --name SSH --remove -j DROP' );

1;
?end perl
shorewall-docs-xml-5.2.3/useful_links.xml
shorewall-docs-xml-5.2.3/Dynamic.xml
Dynamic Zones Tom Eastep 2009 2013 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Overview There is sometimes a need to be able to define a zone whose members are unknown at compile-time. For example, you may wish to require authentication of internal users before allowing them access to the internet. When a user is authenticated, the user's IP address is added to the zone of users permitted web access. Shorewall provides basic support for defining such zones. This support is based on ipset. Most current distributions have ipset, but you may need to install the xtables-addons package.
Dynamic Zones

Prior to Shorewall 4.5.9, when multiple records for a zone appeared in /etc/shorewall/hosts, Shorewall would create a separate ipset for each interface. This meant that an add or delete command was required for each of the interfaces when the address involved was reachable via multiple interfaces. Beginning with Shorewall 4.5.9, it is possible to have a single ipset shared among all interfaces. This also simplifies management of dynamic zone contents for dynamic zones associated with only a single interface. The earlier implementation described below is still available in these later releases.
Defining a Dynamic Zone

A dynamic zone is defined by specifying the dynamic_shared option in the zones file and using the dynamic keyword in the hosts list.

/etc/shorewall/zones:

#NAME         TYPE   OPTIONS
net           ipv4
rsyncok:loc   ipv4   dynamic_shared

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        -           …
loc     eth1        -           …

/etc/shorewall/hosts:

#ZONE     HOSTS          OPTIONS
rsyncok   eth0:dynamic
rsyncok   eth1:dynamic

When the dynamic_shared option is specified, a single ipset is created; the ipset has the same name as the zone. In the above example, rsyncok is a sub-zone of the single zone loc. Making a dynamic zone a sub-zone of multiple other zones is also supported.
Adding a Host to a Dynamic Zone

Adding a host to a dynamic zone is accomplished by adding the host's IP address to the appropriate ipset. Shorewall provides a command for doing that:
shorewall add zone address ...
Example:
shorewall add rsyncok 70.90.191.124
Deleting a Host from a Dynamic Zone

Deleting a host from a dynamic zone is accomplished by removing the host's IP address from the appropriate ipset. Shorewall provides a command for doing that:
shorewall delete zone address ...
Example:
shorewall delete rsyncok 70.19.191.124
The command can only be used when the ipset involved is of type iphash. For other ipset types, the ipset command must be used directly.
Listing the Contents of a Dynamic Zone The shorewall show command may be used to list the current contents of a dynamic zone.
shorewall show dynamic zone
Example:
shorewall show dynamic rsyncok
rsyncok: 70.90.191.122 70.90.191.124
Dynamic Zone Contents and Shorewall stop/start/restart When SAVE_IPSETS=Yes in shorewall.conf, the contents of a dynamic zone survive shorewall stop/shorewall start and shorewall restart. During shorewall stop, the contents of the ipsets are saved in the file ${VARDIR}/ipsets.save (usually /var/lib/shorewall/ipsets.save). During shorewall start, the contents of that file are restored to the sets. During both shorewall start and shorewall restart, any new ipsets required as a result of a configuration change are added.
shorewall-docs-xml-5.2.3/ports.xml
Ports Required for Various Services/Applications Tom Eastep Cristian Rodriguez R. 2001- Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. In addition to those applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate. This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release.
Important Notes

Shorewall distribution contains a library of user-defined macros that allow for easily allowing or blocking a particular application. ls /usr/share/shorewall/macro.* for the list of macros in your distribution. If you find what you need, you simply use the macro in a rule. For example, to allow DNS queries from the dmz zone to the net zone:

#ACTION        SOURCE      DEST
DNS(ACCEPT)    dmz         net

In the rules that are shown in this document, the ACTION is shown as ACCEPT. You may need to use DNAT (see FAQ 30) or you may want DROP or REJECT if you are trying to block the application.

Example: You want to port forward FTP from the net to your server at 192.168.1.4 in your DMZ. The FTP section below gives you:

#ACTION        SOURCE      DEST               PROTO   DPORT
FTP(ACCEPT)    <source>    <destination>

You would code your rule as follows:

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
FTP(DNAT)      net         dmz:192.168.1.4

Auth (identd)

It is now the 21st Century; don't use identd in production anymore.

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
Auth(ACCEPT)   <source>    <destination>

BitTorrent

This information is valid only for Shorewall 3.2 or later. This rule assumes that your BitTorrent client listens on the default port(s).

#ACTION              SOURCE      DESTINATION        PROTO   DPORT
BitTorrent(ACCEPT)   <source>    <destination>

DNS

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
DNS(ACCEPT)    <source>    <destination>

Note that if you are setting up a DNS server that supports recursive resolution, the server is the <destination> for resolution requests (from clients) and is also the <source> of recursive resolution requests (usually to other servers in the 'net' zone). So for example, if you have a public DNS server in your DMZ that supports recursive resolution for local clients then you would need:

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
DNS(ACCEPT)    all         dmz
DNS(ACCEPT)    dmz         net

Recursive Resolution means that if the server itself can't resolve the name presented to it, the server will attempt to resolve the name with the help of other servers.

Emule

This information is valid only for Shorewall 3.2 or later. In contrast to how the rest of this article is organized, for emule I will give you the rules necessary to run emule on a single machine in your loc network (since that's what 99.99% of you want to do). Assume that:

  The internal machine running emule has IP address 192.168.1.4.
  You use Masquerading or SNAT for the local network.
  The zones are named as they are in the two- and three-interface QuickStart guides.
  Your loc->net policy is ACCEPT.

/etc/shorewall/rules:

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
Edonkey(DNAT)   net         loc:192.168.1.4
# If you wish to enable the Emule webserver, add this rule too.
DNAT            net         loc:192.168.1.4    tcp     4711

FTP

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
FTP(ACCEPT)    <source>    <destination>

Look here for much more information.

Gnutella

Assume that:

  The internal machine running a Gnutella Client has IP address 192.168.1.4.
  You use Masquerading or SNAT for the local network.
  The zones are named as they are in the two- and three-interface QuickStart guides.
  Your loc->net policy is ACCEPT.

#ACTION          SOURCE      DESTINATION        PROTO   DPORT
Gnutella(DNAT)   net         loc:192.168.1.4

ICQ/AIM

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
ICQ(ACCEPT)    <source>    net

IMAP

When accessing your mail from the Internet, use only IMAP over SSL. This information is valid only for Shorewall 3.2 or later.

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
IMAP(ACCEPT)    <source>    <destination>                      # Unsecure IMAP
IMAPS(ACCEPT)   <source>    <destination>                      # IMAP over SSL

IPsec

#ACTION   SOURCE          DESTINATION      PROTO   DPORT
ACCEPT    <source>        <destination>    50
ACCEPT    <source>        <destination>    51
ACCEPT    <source>        <destination>    udp     500
ACCEPT    <destination>   <source>         50
ACCEPT    <destination>   <source>         51
ACCEPT    <destination>   <source>         udp     500

Lots more information here and here.

LDAP

This information is valid only for Shorewall 3.2 or later.

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
LDAP(ACCEPT)    <source>    <destination>                      # Insecure LDAP
LDAPS(ACCEPT)   <source>    <destination>                      # LDAP over SSL

MySQL

This information is valid only for Shorewall 3.2 or later. Allowing access from untrusted hosts to your MySQL server represents a severe security risk. DO NOT USE THIS if you don't know how to deal with the consequences; you have been warned.

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
MySQL(ACCEPT)   <source>    <destination>

NFS

#ACTION   SOURCE                       DESTINATION    PROTO   DPORT
ACCEPT    <z1>:<list of client IPs>    <z2>:a.b.c.d   tcp     111
ACCEPT    <z1>:<list of client IPs>    <z2>:a.b.c.d   udp

For more NFS information, see http://lists.shorewall.net/~kb/.

NTP (Network Time Protocol)

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
NTP(ACCEPT)    <source>    <destination>

PCAnywhere

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
PCA(ACCEPT)    <source>    <destination>

POP3

If possible, avoid this protocol; use IMAP instead. This information is valid only for Shorewall 3.2 or later.

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
POP3(ACCEPT)    <source>    <destination>                      # Unsecure POP3
POP3S(ACCEPT)   <source>    <destination>                      # Secure

PPTP

#ACTION   SOURCE      DESTINATION      PROTO   DPORT
ACCEPT    <source>    <destination>    47
ACCEPT    <source>    <destination>    tcp     1723

Lots more information here and here.

rdate

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
Rdate(ACCEPT)   <source>    <destination>

rsync

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
Rsync(ACCEPT)   <source>    <destination>

Siproxd

This assumes siproxd is running on the firewall and is using the default ports.

#ACTION    SOURCE   DESTINATION   PROTO   DPORT
REDIRECT   loc      5060          udp     5060
ACCEPT     net      fw            udp     5060
ACCEPT     net      fw            udp     7070:7089

SSH/SFTP

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
SSH(ACCEPT)    <source>    <destination>

SMB/NMB (Samba/Windows Browsing/File Sharing)

#ACTION        SOURCE           DESTINATION        PROTO   DPORT
SMB(ACCEPT)    <source>         <destination>
SMB(ACCEPT)    <destination>    <source>

Also, see this page.

SMTP

This information is valid only for Shorewall 3.2 or later.

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
SMTP(ACCEPT)    <source>    <destination>                      # Insecure SMTP
SMTPS(ACCEPT)   <source>    <destination>                      # SMTP over SSL (TLS)

SNMP

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
SNMP(ACCEPT)   <source>    <destination>

SVN

This information is valid only for Shorewall 3.2 or later. This rule is for Subversion running in svnserve mode only.

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
SVN(ACCEPT)    <source>    <destination>

Telnet

The telnet protocol is very insecure; don't use it.

#ACTION          SOURCE      DESTINATION        PROTO   DPORT
Telnet(ACCEPT)   <source>    <destination>

TFTP

You must have TFTP connection tracking support in your kernel. If modularized, the modules are ip_conntrack_tftp (and ip_nat_tftp if any form of NAT is involved). These modules may be loaded using entries in /etc/shorewall/modules. The ip_conntrack_tftp module must be loaded first. Note that the /etc/shorewall/modules file released with recent Shorewall versions contains entries for these modules.

#ACTION   SOURCE      DESTINATION      PROTO   DPORT
ACCEPT    <source>    <destination>    udp     69

Traceroute

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
Trcrt(ACCEPT)   <source>    <destination>                      # Good for 10 hops

UDP traceroute uses ports 33434 through 33434+<max number of hops>-1. Note that for the firewall to respond with a TTL expired ICMP reply, you will need to allow ICMP 11 outbound from the firewall. The standard Shorewall sample configurations all set this up for you automatically since those sample configurations enable all ICMP packet types originating on the firewall itself.

#ACTION   SOURCE   DESTINATION   PROTO   DPORT
ACCEPT    fw       net           icmp
ACCEPT    fw       loc           icmp
ACCEPT    fw       ...

Usenet (NNTP)

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
NNTP(ACCEPT)    <source>    <destination>
NNTPS(ACCEPT)   <source>    <destination>                      # secure NNTP

NNTP: TCP Port 119

VNC

This information is valid only for Shorewall 3.2 or later. Vncviewer to Vncserver -- TCP port 5900 + <display number>. The following rule handles VNC traffic for VNC displays 0 - 9.

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
VNC(ACCEPT)    <source>    <destination>

Vncserver to Vncviewer in listen mode -- TCP port 5500.

#ACTION        SOURCE      DESTINATION        PROTO   DPORT
VNCL(ACCEPT)   <source>    <destination>

Vonage

The standard Shorewall loc->net ACCEPT policy is all that is required for Vonage IP phone service to work, provided that you have loaded the tftp helper modules (add the following entries to /etc/shorewall/modules if they are not there already):

Web Access

This information is valid for Shorewall 3.2 or later.

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
HTTP(ACCEPT)    <source>    <destination>                      # Insecure HTTP
HTTPS(ACCEPT)   <source>    <destination>                      # Secure HTTP

Webmin

#ACTION          SOURCE      DESTINATION        PROTO   DPORT
Webmin(ACCEPT)   <source>    <destination>

Webmin uses TCP port 10000.

Whois

#ACTION         SOURCE      DESTINATION        PROTO   DPORT
Whois(ACCEPT)   <source>    <destination>

X/XDMCP

Assume that the Chooser and/or X Server are running at <chooser> and the Display Manager/X applications are running at <apps>.

#ACTION   SOURCE      DESTINATION   PROTO   DPORT
ACCEPT    <chooser>   <apps>        udp     177           # XDMCP
ACCEPT    <apps>      <chooser>     tcp     6000:6009     # X Displays 0-9

Other Source of Port Information

Didn't find what you are looking for -- have you looked in your own /etc/services file? Still looking? Try http://www.networkice.com/advice/Exploits/Ports
shorewall-docs-xml-5.2.3/troubleshoot.xml
shorewall-docs-xml-5.2.3/Anti-Spoofing.xml
Countering Spoofing Attempts Tom Eastep 2012 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction Spoofing is the practice of sending packets with a forged source address in an attempt to circumvent security measures. Shorewall supports a variety of measures to counter spoofing attacks.
The routefilter Interface Option

This shorewall-interfaces (5) option was the first measure implemented and uses /proc/sys/net/ipv4/conf/*/rp_filter. Many distributions set this option by default for all IP interfaces. The option works by determining the reverse path (the route from the packet's destination to its source); if that route does not go out through the interface that received the packet, then the packet is declared to be a martian and is dropped. A kernel log message is generated if the interface's option is set (/proc/sys/net/ipv4/conf/*/log_martians). While this option is simple to configure, it has a couple of disadvantages:

  It is not supported by IPv6.
  It does not use packet marks, so it doesn't work with some Multi-ISP configurations.
  The log messages produced are obscure and confusing.
Hairpin Filtering

Spoofing can be used to exploit Netfilter's connection tracking to open arbitrary firewall ports. An attack of this type first establishes a connection to a server that uses separate control and data connections, such as an FTP server. The attacker then sends a packet whose source address is the server's and whose destination address is the attacker's own. Such packets are sent back out the same interface that received them (hairpin). In cases where the routefilter option can't be used, Shorewall 4.4.20 and later sets up hairpinning traps (see the SFILTER_DISPOSITION and SFILTER_LOG_LEVEL options in shorewall.conf (5)). This automatic hairpin trapping is disabled on interfaces with the routeback option.
The <emphasis>rpfilter</emphasis> Interface Option

A new iptables/ip6tables match (rpfilter) was added in kernel 3.4.4. This match performs reverse path evaluation similar to routefilter but without its disadvantages:

It is supported by both IPv4 and IPv6.
It uses packet marks, so it works with all Multi-ISP configurations.
It produces standard Shorewall/Netfilter log messages, controlled by the RPFILTER_LOG_LEVEL option in shorewall.conf (5). Both the disposition and auditing can be controlled using the RPFILTER_DISPOSITION option in shorewall.conf (5).
shorewall-docs-xml-5.2.3/ProxyARP.xml
Proxy ARP Tom Eastep 2001-2006 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Overview

Proxy ARP (RFC 1027) is a way to make a machine physically located on one network appear to be logically part of a different physical network connected to the same router/firewall. Typically it allows us to hide a machine with a public IP address on a private network behind a router, and still have the machine appear to be on the public network "in front of" the router. The router "proxies" ARP requests and all network traffic to and from the hidden machine to make this fiction possible.

Consider a router with two interface cards, one connected to a public network PUBNET and one connected to a private network PRIVNET. We want to hide a server machine on the PRIVNET network but have it accessible from the PUBNET network. The IP address of the server machine lies in the PUBNET network, even though we are placing the machine on the PRIVNET network behind the router.

By enabling proxy ARP on the router, any machine on the PUBNET network that issues an ARP "who has" request for the server's MAC address will get a proxy ARP reply from the router containing the router's MAC address. This tells machines on the PUBNET network that they should be sending packets destined for the server via the router. The router forwards the packets from the machines on the PUBNET network to the server on the PRIVNET network.

Similarly, when the server on the PRIVNET network issues a "who has" request for any machine on the PUBNET network, the router provides its own MAC address via proxy ARP. This tells the server to send packets for machines on the PUBNET network via the router. The router forwards the packets from the server on the PRIVNET network to the machines on the PUBNET network.

The proxy ARP provided by the router allows the server on the PRIVNET network to appear to be on the PUBNET network.
It lets the router pass ARP requests and other network packets in both directions between the server machine and the PUBNET network, making the server machine appear to be connected to the PUBNET network even though it is on the PRIVNET network hidden behind the router. Before you try to use this technique, I strongly recommend that you read the Shorewall Setup Guide.
Example

The following figure represents a Proxy ARP environment. Proxy ARP can be used to make the systems with addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) subnet. Assuming that the upper firewall interface is eth0 and the lower interface is eth1, this is accomplished using the following entries in /etc/shorewall/proxyarp:

#ADDRESS          INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
130.252.100.18    eth1        eth0       no          yes
130.252.100.19    eth1        eth0       no          yes

Be sure that the internal systems (130.252.100.18 and 130.252.100.19 in the above example) are not included in any specification in /etc/shorewall/masq (/etc/shorewall/snat on Shorewall 5.0.14 or later) or /etc/shorewall/nat.

I've used an RFC1918 IP address for eth1 - that IP address is largely irrelevant (see below).

The lower systems (130.252.100.18 and 130.252.100.19) should have their subnet mask and default gateway configured exactly the same way that the firewall system's eth0 is configured. In other words, they should be configured just like they would be if they were parallel to the firewall rather than behind it.

Do not add the Proxy ARP'ed address(es) (130.252.100.18 and 130.252.100.19 in the above example) to the external interface (eth0 in this example) of the firewall.

It should be stressed that entries in the proxyarp file do not automatically enable traffic between the external network and the internal host(s); such traffic is still subject to your policies and rules.

While the address given to the firewall interface is largely irrelevant, one approach you can take is to make that address the same as the address of your external interface! In the diagram above, eth1 has been given the address 130.252.100.17, the same as eth0. Note though that the VLSM is 32, so there is no network associated with this address. This is the approach that I take with my DMZ.

To permit Internet hosts to connect to the local systems, you use ACCEPT rules.
For example, if you run a web server on 130.252.100.19 which you have configured to be in the loc zone then you would need this entry in /etc/shorewall/rules:

#ACTION   SOURCE   DEST                 PROTO   DPORT
ACCEPT    net      loc:130.252.100.19   tcp     80

Your distribution's network configuration GUI may not be capable of configuring a device in this way. It may complain about the duplicate address or it may configure the address incorrectly. Here is what the above configuration should look like when viewed using ip (the line "inet 130.252.100.17/32 scope global eth1" is the most important):

gateway:~# ip addr ls eth1
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:d1:db:12 brd ff:ff:ff:ff:ff:ff
    inet 130.252.100.17/32 scope global eth1
gateway:~#

Note in particular that there is no broadcast address.

Here is an ifcfg-eth-id-00:a0:cc:d1:db:12 file from SUSE that produces this result (Note: SUSE ties the configuration file to the card by embedding the card's MAC address in the file name):

BOOTPROTO='static'
BROADCAST='130.252.100.17'
IPADDR='130.252.100.17'
MTU=''
NETMASK='255.255.255.255'
NETWORK='130.252.100.17'
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='8otl.IPwRm6bNMRD'
_nm_name='bus-pci-0000:00:04.0'

Here is an excerpt from a Debian /etc/network/interfaces file that does the same thing:

...
auto eth1
iface eth1 inet static
    address 130.252.100.17
    netmask 255.255.255.255
    broadcast 0.0.0.0
...
ARP cache

A word of warning is in order here. ISPs typically configure their routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with Proxy ARP, it will probably be HOURS before that system can communicate with the Internet. If you sniff traffic on the firewall's external interface, you can see incoming traffic for the internal system(s) but the traffic is never sent out the internal interface.

You can determine if your ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we suspect that the gateway router has a stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:

tcpdump -nei eth0 icmp

Now from 130.252.100.19, ping the ISP's gateway (which we will assume is 130.252.100.254):

ping 130.252.100.254

We can now observe the tcpdump output:

13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.19: icmp: echo reply

Notice that the source MAC address in the echo request is different from the destination MAC address in the echo reply! In this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still associates 130.252.100.19 with the NIC in that system rather than with the firewall's eth0.

If you have this problem, there are a couple of things that you can try:

A reading of TCP/IP Illustrated, Vol 1 by Stevens (courtesy of Bradey Honsinger) reveals that a gratuitous ARP packet should cause the ISP's router to refresh its ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC address for its own IP; in addition to ensuring that the IP address isn't a duplicate...
if the host sending the gratuitous ARP has just changed its hardware address..., this packet causes any other host...that has an entry in its cache for the old hardware address to update its ARP cache entry accordingly.
Which is, of course, exactly what you want to do when you switch a host from being exposed to the Internet to behind Shorewall using proxy ARP (or one-to-one NAT for that matter). Happily enough, recent versions of Redhat's iputils package include arping, whose -U flag does just that:

arping -U -I <net if> <newly proxied IP>
arping -U -I eth0 66.58.99.83   # for example

Stevens goes on to mention that not all systems respond correctly to gratuitous ARPs, but googling for arping -U seems to support the idea that it works most of the time.

To use arping with Proxy ARP in the above example, you would have to:

shorewall clear
ip addr add 130.252.100.18 dev eth0
ip addr add 130.252.100.19 dev eth0
arping -U -c 10 -I eth0 130.252.100.18
arping -U -c 10 -I eth0 130.252.100.19
ip addr del 130.252.100.18 dev eth0
ip addr del 130.252.100.19 dev eth0
shorewall start
You can call your ISP and ask them to purge the stale ARP cache entry but many either can't or won't purge individual entries.
There are two distinct versions of arping available: arping by Thomas Habets (Debian package arping). arping as part of the iputils package by Alexey Kuznetsov (Debian package iputils-arping). You want the second one by Alexey Kuznetsov.
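The stale-cache diagnosis above comes down to one comparison: the source MAC on the echo requests the firewall forwards versus the destination MAC the gateway puts on its replies. The script below automates that comparison over saved tcpdump output and wraps the gratuitous-ARP procedure so that Shorewall is always started again even if arping or ip fails part way through. It is an added example written for this article, not Shorewall code; the function names are this example's own, and it assumes the iputils arping (the second of the two packages listed above) and the tcpdump -e line formats shown here (the old one used in this article and the current one with "src > dst, ethertype ..."):

```shell
#!/bin/sh
# stale_arp_check <proxied-ip>  (reads "tcpdump -nei <ext-if> icmp" output on stdin)
# Compares the source MAC of echo requests sent by <proxied-ip> with the
# destination MAC of the echo replies addressed to it. If they differ, the
# gateway is still delivering to the host's old NIC, i.e. its ARP entry is
# stale. Exit status: 0 = matches, 1 = stale, 2 = no request/reply pair seen.
stale_arp_check() {
    awk -v ip="$1" '
        {
            # old tcpdump:     "<time> <srcmac> <dstmac> ip <len>: ..."
            # current tcpdump: "<time> <srcmac> > <dstmac>, ethertype ..."
            src = $2; dst = $3
            if ($3 == ">") { dst = $4; sub(/,$/, "", dst) }
            low = tolower($0)
        }
        low ~ /echo request/ && index($0, " " ip " > ") {
            reqmac[src] = 1; nreq++
        }
        low ~ /echo reply/ && (index($0, "> " ip ":") || index($0, "> " ip " ")) {
            repmac[dst] = 1; nrep++
        }
        END {
            if (nreq == 0 || nrep == 0) {
                print "no request/reply pair for " ip " seen"; exit 2
            }
            stale = 0
            for (r in repmac) if (!(r in reqmac)) {
                printf "stale: gateway replies go to %s, firewall sends from", r
                for (m in reqmac) printf " %s", m
                print ""; stale = 1
            }
            if (!stale) print "ok: gateway ARP entry matches the firewall MAC"
            exit stale
        }'
}

# refresh_gateway_arp <ext-if> <ip>...  (needs root; the arping procedure
# from this article for one or more proxied addresses). A failure on one
# address is recorded but does not stop the others, and "shorewall start"
# always runs at the end so the firewall is never left in the cleared state.
refresh_gateway_arp() {
    extif="$1"; shift
    rc=0
    shorewall clear || return 1
    for a in "$@"; do
        if ip addr add "$a" dev "$extif"; then
            arping -U -c 10 -I "$extif" "$a" || rc=1
            ip addr del "$a" dev "$extif" || rc=1
        else
            rc=1
        fi
    done
    shorewall start || rc=1
    return $rc
}
```

Typical use: capture a few pings with tcpdump -nei eth0 icmp > capture.txt, run stale_arp_check 130.252.100.19 < capture.txt, and only if it reports stale run refresh_gateway_arp eth0 130.252.100.18 130.252.100.19.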
IPv6 - Proxy NDP

The IPv6 analog of Proxy ARP is Proxy NDP (Neighbor Discovery Protocol). Beginning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP in a manner similar to Proxy ARP support in Shorewall:

The configuration file is /etc/shorewall6/proxyndp (see shorewall6-proxyndp (5)).
The ADDRESS column of that file contains an IPv6 address.

It should be noted that IPv6 implements a "strong host model" whereas Linux IPv4 implements a "weak host model". In the strong model, IP addresses are associated with interfaces; in the weak model, they are associated with the host. This is relevant with respect to Proxy NDP in that a multi-homed Linux IPv6 host will only respond to neighbor discovery requests for IPv6 addresses configured on the interface receiving the request. So if eth0 has address 2001:470:b:227::44/128 and eth1 has address 2001:470:b:227::1/64 then in order for eth1 to respond to neighbor discovery requests for 2001:470:b:227::44, the following entry in /etc/shorewall6/proxyndp is required:

#ADDRESS               INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
2001:470:b:227::44     -           eth1       Yes

A practical application is shown in the Linux Vserver article.
shorewall-docs-xml-5.2.3/GenericTunnels.xml
Generic Tunnels Tom Eastep 2001 2002 2003 2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. Shorewall includes built-in support for a wide range of VPN solutions. If you have need for a tunnel type that does not have explicit support, you can generally describe the tunneling software using generic tunnels.
Bridging two Masqueraded Networks

Suppose that we have the following situation:

We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is included with Shorewall.

Suppose that you have tunneling software that uses two different protocols:

TCP port 1071
GRE (Protocol 47)

The tunnel interface on system A is tun0 and the tunnel interface on system B is also tun0.

On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called vpn and declare it in /etc/shorewall/zones on both systems as follows:

#ZONE   TYPE   OPTIONS
vpn     ipv4

On system A, the 10.0.0.0/8 network will comprise the vpn zone. In /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST        OPTIONS
vpn     tun0        10.255.255.255

In /etc/shorewall/tunnels on system A, we need the following:

#TYPE              ZONE   GATEWAY       GATEWAY_ZONE
generic:tcp:1071   net    134.28.54.2
generic:47         net    134.28.54.2

These entries in /etc/shorewall/tunnels open the firewall so that TCP port 1071 and the Generic Routing Encapsulation protocol (47) will be accepted to/from the remote gateway.

On system B, in /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST       OPTIONS
vpn     tun0        192.168.1.255

In /etc/shorewall/tunnels on system B, we have:

#TYPE              ZONE   GATEWAY         GATEWAY_ZONE
generic:tcp:1071   net    206.191.148.9
generic:47         net    206.191.148.9

You will need to allow traffic between the vpn zone and the loc zone on both systems; if you simply want to admit all traffic in both directions, you can use the policy file:

#SOURCE   DEST   POLICY   LOG LEVEL
loc       vpn    ACCEPT
vpn       loc    ACCEPT

On both systems, restart Shorewall and start your VPN software on each system. The systems in the two masqueraded subnetworks can now talk to each other.
shorewall-docs-xml-5.2.3/starting_and_stopping_shorewall.xml
Operating Shorewall and Shorewall Lite Tom Eastep 2004 2005 2006 2007 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
/sbin/shorewall and /sbin/shorewall-lite

/sbin/shorewall is the program that you use to interact with Shorewall. Normally the root user's PATH includes /sbin and the program can be run from a shell prompt by simply typing shorewall followed by a command.

In some releases of KDE, the default configuration of the konsole program is brain dead with respect to the "Root Console". It executes the command "su" where it should execute "su -"; the latter will cause a login shell to be created which will in turn set PATH properly. You can correct this problem as follows:

1. Click on "Settings" on the toolbar and select "Configure Konsole"
2. Select the "Session" tab.
3. Click on "Root Console"
4. Change the Execute command from "su" to "su -"
5. Click on "Save Session"
6. Click on "Ok"

To see a list of supported commands, use the help command:

shorewall help

To get further information about a particular command, use the man command:

man shorewall

The program /sbin/shorewall-lite performs a similar role with Shorewall-lite. For a more complete description of the files and directories involved in Shorewall and Shorewall-lite, see the Shorewall Anatomy article.
Starting, Stopping and Clearing

As explained in the Introduction, Shorewall is not something that runs all of the time in your system. Nevertheless, for integrating Shorewall into your initialization scripts it is useful to speak of starting Shorewall and stopping Shorewall.

Shorewall is started using the shorewall start command. Once the start command completes successfully, Netfilter is configured as described in your Shorewall configuration files. If there is an error during shorewall start and you have a saved configuration, that configuration is restored; otherwise, an implicit shorewall stop is executed.

shorewall start is implemented as a compile and go; that is, the configuration is compiled and if there are no compilation errors then the resulting compiled script is executed. If there are compilation errors, the command is aborted and the state of the firewall is not altered.

Shorewall is stopped using the shorewall stop command. The shorewall stop command does not remove all Netfilter rules and open your firewall for all traffic to pass. It rather places your firewall in a safe state defined by the contents of your /etc/shorewall/stoppedrules file and the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf.

If you want to remove all Netfilter rules and open your firewall for all traffic to pass, use the shorewall clear command.

If you change your configuration and want to install the changes, use the shorewall reload command.

For additional information, see the Shorewall State Diagram section.
/etc/init.d/shorewall and /etc/init.d/shorewall-lite Because of the different requirements of distribution packaging systems, the behavior of /etc/init.d/shorewall and /etc/init.d/shorewall-lite is not consistent between distributions. As an example, when using the distribution Shorewall packages on Debian and Ubuntu systems, running /etc/init.d/shorewall stop will actually execute the command /sbin/shorewall clear rather than /sbin/shorewall stop! So don't expect the meaning of start, stop, restart, etc. to be consistent between /sbin/shorewall (or /sbin/shorewall-lite) and your init scripts unless you got your Shorewall package from shorewall.net. Update:
In Shorewall 4.4.0 and later, the tarballs from shorewall.net follow the Debian convention when installed on a Debian or Ubuntu system. Beginning with Shorewall 4.4.10, you can revert to the prior behavior by setting SAFESTOP=1 in /etc/default/shorewall, /etc/default/shorewall6, etc.
Tracing Command Execution and other Debugging Aids

Shorewall includes features for tracing and debugging.

Commands involving the compiler can have the word trace inserted immediately after the command. Example:

shorewall trace check -r

This produces a large amount of diagnostic output to standard out during the compilation step. If entered on a command that doesn't invoke the compiler, trace is ignored.

Commands that invoke a compiled firewall script can have the word debug inserted immediately after the command. Example:

shorewall debug restart

debug causes altered behavior of scripts generated by the Shorewall compiler. These scripts normally use ip[6]tables-restore to install the Netfilter ruleset, but with debug, the commands normally passed to iptables-restore in its input file are passed individually to ip[6]tables. This is a diagnostic aid which allows identifying the individual command that is causing ip[6]tables-restore to fail; it should be used when ip[6]tables-restore fails when executing a COMMIT command.

The debug feature is strictly for problem analysis. When debug is used:

The firewall is made 'wide open' before the rules are applied.
The stoppedrules file is not consulted.
The rules are applied in the canonical ip[6]tables-restore order.

So if you need critical hosts to be always available during start/restart, you may not be able to use debug.
Having Shorewall Start Automatically at Boot Time

The .rpm, .deb and .tgz all try to configure your startup scripts so that Shorewall will start automatically at boot time. If you are using the install.sh script from the .tgz and it cannot determine how to configure automatic startup, a message to that effect will be displayed. You will need to consult your distribution's documentation to see how to integrate the /etc/init.d/shorewall script into the distribution's startup mechanism.

Shorewall startup is disabled by default. Once you have configured your firewall, you can enable startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes. Note: Users of the .deb package must rather edit /etc/default/shorewall and set startup=1.

If you use dialup or some flavor of PPP where your IP address can change arbitrarily, you may want to start the firewall in your /etc/ppp/ip-up.local script. I recommend just placing /sbin/shorewall restart in that script.
Saving a Working Configuration for Error Recovery and Fast Startup

Once you have Shorewall working the way that you want it to, you can use shorewall save to save the commands necessary to recreate that configuration in a restore script. In its simplest form, the save command is just:

shorewall save

That command creates the default restore script, /var/lib/shorewall/restore. The default may be changed using the RESTOREFILE option in /etc/shorewall/shorewall.conf. A different file name may also be specified in the save command:

shorewall save <filename>

Where <filename> is a simple file name (no slashes).

Once created, the default restore script serves several useful purposes:

If you change your configuration and there is an error when you try to restart Shorewall, the restore script will be run to restore your firewall to working order.

Bootup is faster (although with Shorewall-perl, the difference is minimal). The -f option of the start command (e.g., shorewall -f start) causes Shorewall to look for the default restore script and if it exists, the script is run. When using Shorewall-shell, this is much faster than starting Shorewall using the normal mechanism of reading the configuration files and running iptables dozens or even hundreds of times. The default is to not use -f. If you wish to change the default, you must set the OPTIONS shell variable in either /etc/default/shorewall or /etc/sysconfig/shorewall (if your distribution provides neither of these files, you must create one or the other).

Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was added to /etc/shorewall/shorewall.conf. When LEGACY_FASTSTART=No, the compiled script that did the last successful start or restart will be used.

The shorewall restore command can be used at any time to quickly configure the firewall.

shorewall restore [ <filename> ]

If no <filename> is given, the default restore script is used. Otherwise, the script /var/lib/shorewall/<filename> is used.
The ability to have multiple restore scripts means that you can save different Shorewall firewall configurations and switch between them quickly using the restore command. Restore scripts may be removed using the shorewall forget command: shorewall forget [ <filename> ] If no <filename> is given, the default restore script is removed. Otherwise, /var/lib/shorewall/<filename> is removed (of course, you can also use the Linux rm command from the shell prompt to remove these files).
Additional Configuration Directories The CONFIG_PATH setting in /etc/shorewall/shorewall.conf determines where Shorewall looks for configuration files. The default setting is CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that /etc/shorewall is searched first and if the file is not found then /usr/share/shorewall is searched. You can change the value of CONFIG_PATH to cause additional directories to be searched but CONFIG_PATH should always include both /etc/shorewall and /usr/share/shorewall. When an alternate configuration directory is specified as described in the next section, that directory is searched before those directories listed in CONFIG_PATH. Example - Search /etc/shorewall, /etc/shorewall/actiondir and /usr/share/shorewall in that order: CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall The above is the setting that I once used to allow me to place all of my user-defined 'action.' files in /etc/shorewall/actiondir.
Alternate Configuration Directories

As explained above, Shorewall normally looks for configuration files in the directories specified by the CONFIG_PATH option in /etc/shorewall/shorewall.conf. The shorewall start, shorewall restart, shorewall check, and shorewall try commands allow you to specify an additional directory for Shorewall to check before looking in the directories listed in CONFIG_PATH.

shorewall {start|restart|check} <configuration-directory>
shorewall try <configuration-directory> [ <timeout> ]

If a <configuration-directory> is specified, each time that Shorewall is going to read a file, it will first look in the <configuration-directory>. If the file is present in the <configuration-directory>, that file will be used; otherwise, the directories in the CONFIG_PATH will be searched.

When changing the configuration of a production firewall, I recommend the following:

If you haven't saved the current working configuration, do so using shorewall save.

mkdir /etc/test
cd /etc/test
<copy any files that you need to change from /etc/shorewall to . and change them here>
shorewall check ./
<correct any errors found by check and check again>
shorewall restart ./

If the restart fails, your configuration will be restored to its state at the last shorewall save. When the new configuration works then just:

cp -f * /etc/shorewall
cd
rm -rf /etc/test
shorewall save

Shorewall requires that the file /etc/shorewall/shorewall.conf always exist. Certain global settings are always obtained from that file. If you create alternative configuration directories, do not remove /etc/shorewall/shorewall.conf.
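The procedure above protects you against a configuration that fails to compile or to load, but not against one that loads fine and then locks you out of the box (a policy change that drops your own SSH session, for instance). Using shorewall try with a timeout instead of shorewall restart closes that gap: the staged configuration is reverted automatically after the timeout, so if your session dies the old rules come back without anyone at the console. The three functions below encode that workflow; they are an added example written for this article, not part of Shorewall, and their names and the SHOREWALL_ETC override (which exists so the functions can be exercised against a copy of the configuration) are this example's own:

```shell
#!/bin/sh
# Staged change to a production Shorewall configuration (example helpers,
# not Shorewall commands). SHOREWALL_ETC defaults to the live directory and
# can be overridden to work on a copy.
SHOREWALL_ETC="${SHOREWALL_ETC:-/etc/shorewall}"

# Step 1: stage_config <dir> <file>...
# Copies the named configuration files into <dir>. Edit them there, never in
# /etc/shorewall directly, so the running firewall keeps a known-good copy.
stage_config() {
    dir="$1"; shift
    mkdir -p "$dir" || return 1
    for f in "$@"; do
        cp -p "$SHOREWALL_ETC/$f" "$dir/$f" || return 1
    done
}

# Step 2: trial_config <dir> [timeout-seconds]
# Records the current working state, compiles the staged directory without
# touching the firewall, then restarts with it via "try". "try" falls back to
# the standard configuration if the restart fails and, when a timeout is
# given, unconditionally after that many seconds; verify access from a second
# session during that window.
trial_config() {
    dir="$1"; timeout="${2:-60}"
    shorewall save || return 1
    shorewall check "$dir" || return 1
    shorewall try "$dir" "$timeout"
}

# Step 3: commit_config <dir>
# Once the trial behaved, install the staged files, restart with the standard
# configuration (the trial has already been reverted by the timeout) and save
# the new known-good state for future error recovery.
commit_config() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        cp -f "$f" "$SHOREWALL_ETC/" || return 1
    done
    shorewall restart || return 1
    shorewall save
}
```

Order matters: save before check so that the fallback really is the last working state, check before try so that a compile error never costs you the trial window, and save again only after the committed restart succeeded.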
Commands The general form of a command is:
shorewall [ <options> ] <command> [ <command options> ] [ <argument> ... ]

Available options are:

-c <directory>   Specifies an alternate configuration directory. Use of this option is deprecated.
-f               Specifies fast restart. See the start command below.
-n               Prevents the command from changing the firewall system's routing configuration.
-q               Reduces the verbosity level (see VERBOSITY setting in shorewall.conf). May be repeated (e.g., "-qq") with each instance reducing the verbosity level by one.
-v               Increases the verbosity level (see VERBOSITY setting in shorewall.conf). May be repeated (e.g., "-vv") with each instance increasing the verbosity level by one.
-x               Causes all iptables -L commands to display actual packet and byte counts.
-t               All progress messages are timestamped with the date and time.

The default level of verbosity is determined by the setting of the VERBOSITY option in /etc/shorewall/shorewall.conf.

For Shorewall Lite, the general command form is:

shorewall-lite [ <options> ] <command> [ <command options> ] [ <argument> ... ]

where the options are the same as with Shorewall. The complete documentation for each command may be found in the shorewall and shorewall-lite man pages.
Shorewall State Diagram

The Shorewall State Diagram is depicted below. For each /sbin/shorewall command, the resulting /var/lib/shorewall/firewall command and the effect if the command succeeds are:

shorewall start
    firewall start
    The system filters packets based on your current Shorewall configuration.

shorewall stop
    firewall stop
    Only traffic allowed by ACCEPT entries in /etc/shorewall/stoppedrules is passed to/from/through the firewall. If ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then, in addition, all existing connections are retained and all connection requests from the firewall are accepted.

shorewall reload
    firewall reload
    Very similar to start, replacing the existing ruleset with one that reflects the current configuration file contents.

shorewall restart
    firewall restart
    Logically equivalent to firewall stop; firewall start.

shorewall add
    firewall add
    Adds a host or subnet to a dynamic zone.

shorewall delete
    firewall delete
    Deletes a host or subnet from a dynamic zone.

shorewall refresh
    firewall refresh
    Reloads rules dealing with static blacklisting, traffic control and ECN.

shorewall reset
    firewall reset
    Resets traffic counters.

shorewall clear
    firewall clear
    Removes all Shorewall rules, chains, addresses, routes and ARP entries.

shorewall try
    firewall -c <new configuration> restart
    If unsuccessful then firewall start (standard configuration). If timeout then firewall restart (standard configuration).

The only time that a program other than /usr/share/shorewall[-lite]/firewall performs a state transition itself is when the shorewall[-lite] restore command is executed. In that case, the /var/lib/shorewall[-lite]/restore program sets the state to "Started".

With any command that involves compilation, there is no state transition while the compiler is running. If compilation fails, the state remains unchanged. Also, shorewall start, shorewall reload and shorewall restart involve compilation followed by execution of the compiled script.
So it is the compiled script that performs the state transition in these commands rather than /usr/share/shorewall/firewall. The compiled script is placed in /var/lib/shorewall and is named either .start, .reload or .restart depending on the command.
shorewall-docs-xml-5.2.3/Manpages6.xml
Shorewall6 5.0 Manpages Tom Eastep 2007-2014 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. These manpages are for Shorewall6 5.0 and later only. They describe features and options not available on earlier releases.The manpages for Shorewall 4.4-4.6 are available here.
Section 5 — Files and Concepts
accounting - Define IP accounting rules.
actions - Declare user-defined actions.
blrules - shorewall6 Blacklist file.
conntrack - Specify helpers for connections or exempt certain traffic from netfilter connection tracking.
exclusion - Excluding hosts from a network or zone.
hosts - Define multiple zones accessed through a single interface.
interfaces - Define the interfaces on the system and optionally associate them with zones.
maclist - Define MAC verification.
mangle - Supersedes tcrules and describes packet/connection marking.
masq - Define Masquerade/SNAT.
modules - Specify which kernel modules to load.
nat - (added in Shorewall 4.6.4) Specify 1:1 NAT.
nesting - How to define nested zones.
params - Assign values to shell variables used in other files.
policy - Define high-level policies for connections between zones.
providers - Define routing tables, usually for multiple Internet links.
proxyndp - Define Proxy NDP.
rtrules - Define routing rules.
routes - (Added in Shorewall 4.4.15) Add additional routes to provider routing tables.
rules - Specify exceptions to policies, including DNAT and REDIRECT.
secmarks - Attach an SELinux context to a packet.
stoppedrules - Specify connections to be permitted when Shorewall6 is in the stopped state (Added in Shorewall 4.5.8).
tcclasses - Define htb classes for traffic shaping.
tcdevices - Specify speed of devices for traffic shaping.
tcinterfaces - Specify interfaces for simplified traffic shaping.
tcpri - Classify traffic for simplified traffic shaping.
tunnels - Define VPN connections with endpoints on the firewall.
shorewall6.conf - Specify values for global Shorewall6 options.
shorewall6-lite.conf - Specify values for global Shorewall6 Lite options.
vardir - Redefine the directory where Shorewall6 keeps its state information.
vardir-lite - Redefine the directory where Shorewall6 Lite keeps its state information.
zones - Declare Shorewall6 zones.
Section 8 — Administrative Commands
shorewall6 - /sbin/shorewall6 command syntax and semantics.
shorewall6-lite - /sbin/shorewall6-lite command syntax and semantics.
shorewall-docs-xml-5.2.3/Install.xml
Shorewall Installation and Upgrade
Tom Eastep
2001-2006, 2009, 2012 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
This article applies to Shorewall 4.3 and later. If you are installing or upgrading to a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
Before attempting installation, I strongly urge you to read and print a copy of the Shorewall QuickStart Guide for the configuration that most closely matches your own. This article only tells you how to install the product on your system. The QuickStart Guides describe how to configure the product.
Before upgrading, be sure to review the Upgrade Issues.
Shorewall RPMs are signed. To avoid warnings such as the following:
warning: shorewall-3.2.1-1.noarch.rpm: V3 DSA signature: NOKEY, key ID 6c562ac4
download the Shorewall GPG key and run this command:
rpm --import shorewall.gpg.key
Install using RPM
To install Shorewall using the RPM:
1. Be sure that you have the correct RPM package! The standard RPM package from shorewall.net and the mirrors is known to work with SUSE, Power PPC, Trustix and TurboLinux. There is also an RPM package provided by Simon Matter that is tailored for RedHat/Fedora and another package from Jack Coates that is customized for Mandriva. All of these are available from the download page. If you try to install the wrong package, it probably won't work.
2. Install the RPMs:
   rpm -ivh <shorewall rpm>
   Some users are in the habit of using the rpm -U command for installing packages as well as for updating them. If you use that command when installing the Shorewall RPM then you will have to manually enable Shorewall startup at boot time by running chkconfig, insserv or whatever utility you use to manipulate your init symbolic links.
   Shorewall is dependent on the iproute package. Unfortunately, some distributions call this package iproute2, which will cause the installation of Shorewall to fail with the diagnostic:
   error: failed dependencies:
   iproute is needed by shorewall-3.2.x-1
   This problem should not occur if you are using the correct RPM package (see 1., above) but may be worked around by using the --nodeps option of rpm:
   rpm -ivh --nodeps <rpms>
   Example:
   rpm -ivh shorewall-4.3.5-0base.noarch.rpm
Install using tarball
Versions 4.5.2 and Later
Shorewall 4.5.2 introduced a change in the philosophy used by the Shorewall installers: the concept of shorewallrc files. These files define the parameters to the install process. During the first installation using Shorewall-core 4.5.2 or later, a shorewallrc file named ${HOME}/.shorewallrc will be installed. That file will provide the default parameters for installing other Shorewall components of the same or later version. Note that you must install Shorewall-core before installing any other Shorewall package.
Each of the Shorewall packages contains a set of distribution-specific shorewallrc files:
shorewallrc.apple (OS X)
shorewallrc.archlinux
shorewallrc.cygwin (Cygwin running on Windows)
shorewallrc.debian (Debian and derivatives)
shorewallrc.default (Generic Linux)
shorewallrc.redhat (Fedora, RHEL and derivatives)
shorewallrc.slackware
shorewallrc.suse (SLES and OpenSuSE)
shorewallrc.openwrt (OpenWRT)
When installing 4.5.2 or later for the first time, a special procedure must be followed:
1. Select the shorewallrc file that is closest to your needs.
2. Review the settings in the file. If you want to change something then you have two choices:
   a. Copy the file to shorewallrc and edit the copy to meet your needs; or
   b. If the system has Bash (/bin/bash) 4.0 or later installed, you can run ./configure (see below). If you are installing 4.5.2.1 or later and your system has Perl installed, you can use the Perl version (./configure.pl).
   In either case, then run:
   ./install.sh
   If you don't need to change the file, then simply:
   ./install.sh shorewallrcfile-that-meets-your-needs
   Example:
   ./install.sh shorewallrc.debian
3. The shorewall-core install.sh script will store the shorewallrc file in ~/.shorewallrc where it will provide the defaults for future installations of all Shorewall products. Other packages/versions can be installed by simply typing:
   ./install.sh
Settings in a shorewallrc file
A shorewallrc file contains a number of lines of the form option=value. Because some of the installers are shared between Shorewall products, the files assume the definition of the symbol PRODUCT. $PRODUCT will contain the name of a Shorewall product (shorewall-core, shorewall, shorewall6, shorewall-lite, shorewall6-lite or shorewall-init). Valid values for option are:

HOST
    Selects the shorewallrc file to use for default settings. Valid values are:
    apple - OS X
    archlinux - Archlinux
    cygwin - Cygwin running under Windows
    debian - Debian and derivatives (Ubuntu, Kubuntu, etc)
    default - Generic Linux
    redhat - Fedora, RHEL and derivatives (CentOS, Foobar, etc)
    slackware - Slackware Linux
    suse - SLES and OpenSuSe
    openwrt - OpenWRT (Shorewall 5.0.2 and later)
PREFIX
    Top-level directory under which most Shorewall components are installed. All standard shorewallrc files define this as /usr.
SHAREDIR
    The directory where most Shorewall components are installed. In all of the standard shorewallrc files, this option has the value ${PREFIX}/share.
LIBEXECDIR
    Directory where internal executables are stored. In the standard shorewallrc files, the default is either ${PREFIX}/share or ${PREFIX}/libexec.
PERLLIBDIR
    Directory where the Shorewall Perl modules are installed. They will be installed in this directory under the sub-directory Shorewall. Default is distribution-specific.
CONFDIR
    Directory where subsystem configuration data is stored. Default is /etc in all shorewallrc files.
SBINDIR
    Directory where CLI programs will be installed. Default in all shorewallrc files is /sbin.
MANDIR
    Directory under which manpages are to be installed. Default is distribution dependent.
INITDIR
    Directory under which SysV init scripts are installed. Default is distribution dependent.
INITSOURCE
    File in the package that is to be installed as the SysV init script for the product.
INITFILE
    The name of the SysV init script when installed under $INITDIR. May be empty, in which case no SysV init script will be installed. This is usually the case on systems that run systemd and on systems like Cygwin or OS X where Shorewall can't act as a firewall.
AUXINITSOURCE and AUXINITFILE
    Analogs of INITSOURCE and INITFILE for distributions, like Slackware, that have a master SysV init script and multiple subordinate scripts.
SYSTEMD
    The directory under which the product's .service file is to be installed. Should only be specified on systems running systemd.
SERVICEFILE
    Added in Shorewall 4.5.20. When SYSTEMD is specified, this variable names the file to be installed as the product's .service file. If not specified, $PRODUCT.service is assumed.
SYSCONFDIR
    The directory where package SysV init configuration files are to be installed: /etc/default on Debian and derivatives and /etc/sysconfig otherwise.
SYSCONFFILE
    The file in the Shorewall package that should be installed as ${SYSCONFDIR}/$PRODUCT.
ANNOTATED
    Value is either empty or non-empty. Non-empty indicates that files in ${CONFDIR}/${PRODUCT} should be annotated with manpage documentation.
SPARSE
    Value is either empty or non-empty. When non-empty, only ${PRODUCT}.conf will be installed in ${CONFDIR}/${PRODUCT}.
VARLIB
    Added in Shorewall 4.5.8. Directory where subsystem state data is to be stored. Default is /var/lib.
VARDIR
    Shorewall 4.5.7 and earlier: Directory where subsystem state data is to be stored. Default is /var/lib.
    Shorewall 4.5.8 and later: Default is /var/lib/$PRODUCT.

From Shorewall 4.5.2 through 4.5.7, there were two interpretations of VARDIR. In the shorewallrc file, it referred to the directory where all Shorewall product state would be stored (default /var/lib). But in the code and in shorewall-vardir(5), it referred to the directory where an individual product's state would be stored (e.g., /var/lib/shorewall). In Shorewall 4.5.8, the variable VARLIB was added to shorewallrc. In that release, the shorewallrc files packaged with the Shorewall products were changed to include these two lines:
VARLIB=/var/lib
VARDIR defaults to '${VARLIB}/${PRODUCT}' if VARLIB is specified and VARDIR isn't.
The consumers of shorewallrc were changed so that if there is no VARLIB setting, then VARLIB is set to $VARDIR and $VARDIR is set to ${VARLIB}/${PRODUCT}. This allows existing shorewallrc files to be used unchanged.
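The VARLIB/VARDIR compatibility rule just described is easy to get wrong when writing or reviewing a shorewallrc file, so here is an added example (not the Shorewall installers' own code) that loads a shorewallrc file the way a consumer would and applies that rule. The function name resolve_state_dirs and the three sample files are constructed for this demonstration; the files are plain option=value shell assignments as the text describes, and are sourced after PRODUCT is set because they may reference ${PRODUCT}.

```shell
#!/bin/sh
# Added example, not part of the Shorewall installers: read a shorewallrc
# file for one product and apply the VARLIB/VARDIR compatibility rule.
# The sample files written by write_state_rcs are constructed for the demo.

# resolve_state_dirs PRODUCT RCFILE
# Prints "VARLIB VARDIR" after loading RCFILE for PRODUCT.
resolve_state_dirs() {
    PRODUCT="$1"
    VARLIB=
    VARDIR=
    # shorewallrc files are option=value shell assignments that may refer
    # to ${PRODUCT}, so PRODUCT must be defined before the file is sourced.
    . "$2"
    if [ -z "$VARLIB" ]; then
        # 4.5.2 - 4.5.7 style file: VARDIR (default /var/lib) was the shared
        # state root, so it becomes VARLIB and the per-product dir is derived.
        VARLIB="${VARDIR:-/var/lib}"
        VARDIR="${VARLIB}/${PRODUCT}"
    elif [ -z "$VARDIR" ]; then
        # VARLIB given without VARDIR: per-product directory is derived.
        VARDIR="${VARLIB}/${PRODUCT}"
    fi
    printf '%s %s\n' "$VARLIB" "$VARDIR"
}

# write_state_rcs DIR: create three constructed shorewallrc files in DIR.
write_state_rcs() {
    # 4.5.2 - 4.5.7 style: only VARDIR, meaning the shared state root
    printf 'VARDIR=/var/lib\n' > "$1/old.rc"
    # 4.5.8 and later style: VARLIB plus a VARDIR derived from it
    printf 'VARLIB=/var/lib\nVARDIR=${VARLIB}/${PRODUCT}\n' > "$1/new.rc"
    # VARLIB relocated, VARDIR left for the consumer to derive
    printf 'VARLIB=/opt/shorewall-state\n' > "$1/varlib_only.rc"
}

# Demo when run directly: show what each file resolves to for shorewall6.
demo_dir=$(mktemp -d)
write_state_rcs "$demo_dir"
for f in old new varlib_only; do
    printf '%-16s shorewall6 -> %s\n' "$f.rc" \
        "$(resolve_state_dirs shorewall6 "$demo_dir/$f.rc")"
done
rm -rf "$demo_dir"
```

Because resolve_state_dirs sources the file, run it only on shorewallrc files you trust, exactly as you would with install.sh itself.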
configure Script
The configure script requires Bash 4.0 or later. Beginning with Shorewall 4.5.2.1, a Perl version (configure.pl) of the script is included for use by packagers that have to deal with systems with earlier versions of Bash. The configure.pl script works identically to the Bash version.
The configure script creates a file named shorewallrc in the current working directory. This file is the default input file to the install.sh scripts. It is run as follows:
./configure[.pl] [ option=value ] ...
The possible values for option are the same as those shown above in the shorewallrc file. They may be specified in either upper or lower case and may optionally be prefixed by '--'. To facilitate use with the rpm %configure script, the following options are supported:
vendor - Alias for host.
sharedstatedir - Shorewall 4.5.2 - 4.5.7: Alias for vardir. Shorewall 4.5.8 and later: Alias for varlib.
datadir - Alias for sharedir.
Note that %configure may generate option/value pairs that are incompatible with the configure script. The current %configure macro is:

%configure \
  CFLAGS="${CFLAGS:-%optflags}" ; export CFLAGS ; \
  CXXFLAGS="${CXXFLAGS:-%optflags}" ; export CXXFLAGS ; \
  FFLAGS="${FFLAGS:-%optflags}" ; export FFLAGS ; \
  ./configure --host=%{_host} --build=%{_build} \\\
        --target=%{_target_platform} \\\
        --program-prefix=%{?_program_prefix} \\\
        --prefix=%{_prefix} \\\
        --exec-prefix=%{_exec_prefix} \\\
        --bindir=%{_bindir} \\\
        --sbindir=%{_sbindir} \\\
        --sysconfdir=%{_sysconfdir} \\\
        --datadir=%{_datadir} \\\
        --includedir=%{_includedir} \\\
        --libdir=%{_libdir} \\\
        --libexecdir=%{_libexecdir} \\\
        --localstatedir=%{_localstatedir} \\\
        --sharedstatedir=%{_sharedstatedir} \\\
        --mandir=%{_mandir} \\\
        --infodir=%{_infodir}

On Fedora 16, this expands to:

CFLAGS="${CFLAGS:--O2 -g -march=i386 -mtune=i686}" ; export CFLAGS ;
CXXFLAGS="${CXXFLAGS:--O2 -g -march=i386 -mtune=i686}" ; export CXXFLAGS ;
FFLAGS="${FFLAGS:--O2 -g -march=i386 -mtune=i686}" ; export FFLAGS ;
./configure --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu \
        --program-prefix= \
        --prefix=/usr \
        --exec-prefix=/usr \
        --bindir=/usr/bin \
        --sbindir=/usr/sbin \
        --sysconfdir=/etc \
        --datadir=/usr/share \
        --includedir=/usr/include \
        --libdir=/usr/lib \
        --libexecdir=/usr/libexec \
        --localstatedir=/var \
        --sharedstatedir=/var/lib \
        --mandir=/usr/share/man \
        --infodir=/usr/share/info

The value of --host does not map to any of the valid HOST values in shorewallrc. So to use %configure on a Fedora system, you want to invoke it as follows:
%configure --vendor=redhat
To reset the value of a setting in shorewallrc.$host, give it a null value. For example, if you are installing on a RHEL derivative that doesn't run systemd, use this command:
./configure --vendor=redhat --systemd=
Install for Packaging
If you build your own packages, then you will want to install the Shorewall products into their own directory tree. This is done by adding DESTDIR to the installer's environment. For example, to install a product for Debian into the /tmp/package directory:
DESTDIR=/tmp/package ./install.sh shorewallrc.debian
When DESTDIR is specified, the installers treat $DESTDIR as the root of the filesystem tree. In other words, the created installation is only runnable if one chroots to $DESTDIR. Please note that the uninstall.sh scripts cannot uninstall a configuration installed with non-empty DESTDIR.
Install into a Sandbox
When DESTDIR is used, the resulting configuration is not runnable, because all configuration pathnames are relative to $DESTDIR. Beginning with Shorewall 4.6.4, you can create runnable configurations separate from your main configuration. Here is a sample shorewallrc file:
INSTALL_DIR=/usr/local/shorewall-custom
HOST=suse
PREFIX=${INSTALL_DIR}
SHAREDIR=${INSTALL_DIR}/share
LIBEXECDIR=${INSTALL_DIR}/lib
PERLLIBDIR=${INSTALL_DIR}/lib/perl5
CONFDIR=${INSTALL_DIR}/etc
SBINDIR=${INSTALL_DIR}/usr/sbin
MANDIR=${SHAREDIR}/man/
INITDIR=${INSTALL_DIR}/etc/init.d
INITSOURCE=init.suse.sh
INITFILE=${PRODUCT}
AUXINITSOURCE=
AUXINITFILE=
SYSTEMD=${INSTALL_DIR}/etc/systemd
SERVICEFILE=${PRODUCT}.service
SYSCONFFILE=sysconfig
SYSCONFDIR=${INSTALL_DIR}/etc/sysconfig
SPARSE=
ANNOTATED=
VARLIB=${INSTALL_DIR}/var/lib
VARDIR=${VARLIB}/${PRODUCT}
SANDBOX=Yes
The above shorewallrc creates a runnable configuration in /usr/local/shorewall-custom. It is triggered by adding SANDBOX to the shorewallrc file -- any non-empty value for that variable will prevent the installer from replacing the current main configuration.
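A sandbox shorewallrc only protects the main configuration if SANDBOX is non-empty and every directory setting really points under INSTALL_DIR; one stray CONFDIR=/etc would make install.sh write into the live /etc/shorewall. The following pre-flight check is an added example, not part of Shorewall: check_sandbox_rc (a constructed name) sources the candidate file in a subshell and refuses it unless SANDBOX is set and all path settings are contained in INSTALL_DIR. The "good" sample is the shorewallrc shown above; the "bad" sample is the same file with CONFDIR pointed at /etc.

```shell
#!/bin/sh
# Added example, not part of the Shorewall installers: verify that a
# sandbox shorewallrc cannot touch the main configuration before running
# ./install.sh with it. Sample files are constructed for the demo.

# check_sandbox_rc RCFILE: exit 0 if RCFILE describes a contained sandbox,
# 1 otherwise (reasons are printed to stderr).
check_sandbox_rc() {
    (
        PRODUCT=shorewall      # files reference ${PRODUCT}; any product name works here
        INSTALL_DIR= SANDBOX=
        . "$1"
        if [ -z "$SANDBOX" ]; then
            echo "SANDBOX is empty: installer would replace the main configuration" >&2
            exit 1
        fi
        if [ -z "$INSTALL_DIR" ]; then
            echo "INSTALL_DIR is not set" >&2
            exit 1
        fi
        status=0
        for name in PREFIX SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR \
                    MANDIR INITDIR SYSTEMD SYSCONFDIR VARLIB VARDIR; do
            eval "value=\${$name}"
            [ -n "$value" ] || continue        # empty settings install nothing
            case "$value" in
                "$INSTALL_DIR" | "$INSTALL_DIR"/*) ;;   # contained in the sandbox
                *) echo "$name=$value lies outside $INSTALL_DIR" >&2; status=1 ;;
            esac
        done
        exit "$status"
    )
}

# write_sandbox_rcs DIR: "good.rc" is the sandbox file shown in the text;
# "bad.rc" is the same file with CONFDIR pointed at the live /etc.
write_sandbox_rcs() {
    cat > "$1/good.rc" <<'EOF'
INSTALL_DIR=/usr/local/shorewall-custom
HOST=suse
PREFIX=${INSTALL_DIR}
SHAREDIR=${INSTALL_DIR}/share
LIBEXECDIR=${INSTALL_DIR}/lib
PERLLIBDIR=${INSTALL_DIR}/lib/perl5
CONFDIR=${INSTALL_DIR}/etc
SBINDIR=${INSTALL_DIR}/usr/sbin
MANDIR=${SHAREDIR}/man/
INITDIR=${INSTALL_DIR}/etc/init.d
INITSOURCE=init.suse.sh
INITFILE=${PRODUCT}
AUXINITSOURCE=
AUXINITFILE=
SYSTEMD=${INSTALL_DIR}/etc/systemd
SERVICEFILE=${PRODUCT}.service
SYSCONFFILE=sysconfig
SYSCONFDIR=${INSTALL_DIR}/etc/sysconfig
SPARSE=
ANNOTATED=
VARLIB=${INSTALL_DIR}/var/lib
VARDIR=${VARLIB}/${PRODUCT}
SANDBOX=Yes
EOF
    sed 's|^CONFDIR=.*|CONFDIR=/etc|' "$1/good.rc" > "$1/bad.rc"
}

# Demo when run directly.
demo_dir=$(mktemp -d)
write_sandbox_rcs "$demo_dir"
for f in good bad; do
    if check_sandbox_rc "$demo_dir/$f.rc"; then
        echo "$f.rc: contained, safe to pass to install.sh"
    else
        echo "$f.rc: refused"
    fi
done
rm -rf "$demo_dir"
```

The check deliberately ignores INITSOURCE, INITFILE, SERVICEFILE and SYSCONFFILE, which name files inside the package rather than destination directories.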
Versions 4.5.1 and Earlier
Beginning with Shorewall-4.5.0, the Shorewall packages depend on Shorewall-core. So the first step is to install that package:
1. Unpack the tarball:
   tar -jxf shorewall-core-4.5.0.tar.bz2
2. cd to the shorewall directory (the version is encoded in the directory name as in shorewall-core-4.5.0).
3. Type:
   ./install.sh
To install Shorewall using the tarball and install script:
1. Unpack the tarball:
   tar -jxf shorewall-4.5.0.tar.bz2
2. cd to the shorewall directory (the version is encoded in the directory name as in shorewall-4.3.5).
3. Type:
   ./install.sh
   or, if you are installing Shorewall or Shorewall6 version 4.4.8 or later, you may type:
   ./install.sh -s
   The -s option suppresses installation of all files in /etc/shorewall except shorewall.conf. You can copy any other files you need from one of the Samples or from /usr/share/shorewall/configfiles/.
4. If the install script was unable to configure Shorewall to be started automatically at boot, see these instructions.
Beginning with shorewall 4.4.20.1, the installer also supports an -a (annotated) option. Beginning with that release, the standard configuration files (including samples) may be annotated with the contents of the associated manpage. The option enables that behavior. The default remains that the configuration files do not include documentation.
Executables in /usr and Perl Modules
Distributions have different philosophies about the proper file hierarchy. Two issues are particularly contentious:
Executable files in /usr/share/shorewall*. These include:
    getparams
    compiler.pl
    wait4ifup
    shorecap
    ifupdown
Perl Modules in /usr/share/shorewall/Shorewall.
To allow distributions to designate alternate locations for these files, the installers (install.sh) from 4.4.19 onward support the following environment variables:
LIBEXEC
    Determines where in /usr getparams, compiler.pl, wait4ifup, shorecap and ifupdown are installed. Shorewall and Shorewall6 must be installed with the same value of LIBEXEC. The listed executables are installed in /usr/${LIBEXEC}/shorewall*. The default value of LIBEXEC is 'share'. LIBEXEC is recognized by all installers and uninstallers. Beginning with Shorewall 4.4.20, you can specify an absolute path name for LIBEXEC, in which case the listed executables will be installed in ${LIBEXEC}/shorewall*. Beginning with Shorewall 4.5.1, you must specify an absolute pathname for LIBEXEC.
PERLLIB
    Determines where in /usr the Shorewall Perl modules are installed. Shorewall and Shorewall6 must be installed with the same value of PERLLIB. The modules are installed in /usr/${PERLLIB}/Shorewall. The default value of PERLLIB is 'share/shorewall'. PERLLIB is only recognized by the Shorewall and Shorewall6 installers. Beginning with Shorewall 4.4.20, you can specify an absolute path name for PERLLIB, in which case the Shorewall Perl modules will be installed in ${PERLLIB}/Shorewall/. Beginning with Shorewall 4.5.1, you must specify an absolute pathname for PERLLIB.
MANDIR
    Determines where the man pages are installed. Default is distribution-dependent as shown below.
Default Install Locations The default install locations are distribution dependent as shown in the following sections. These are the locations that are chosen by the install.sh scripts.
All Distributions
COMPONENT                                                      LOCATION
man pages                                                      /usr/share/man/ (may be overridden using MANDIR)
Shorewall Perl Modules                                         /usr/share/shorewall/ (may be overridden using PERLLIB)
Executable helper scripts (compiler.pl, getparams, wait4ifup)  /usr/share/shorewall/ (may be overridden using LIBEXEC)
ifupdown.sh (from Shorewall-init)                              /usr/share/shorewall-init/ (may be overridden using LIBEXEC)

Debian
COMPONENT                                  LOCATION
CLI programs                               /sbin/product
Distribution-specific configuration file   /etc/default/product
Init Scripts                               /etc/init.d/product
ifupdown scripts from Shorewall-init       /etc/network/if-up.d/shorewall, /etc/network/if-post-down.d/shorewall
ppp ifupdown scripts from Shorewall-init   /etc/ppp/ip-up.d/shorewall, /etc/ppp/ip-down.d/shorewall, /etc/ppp/ipv6-up.d/shorewall, /etc/ppp/ipv6-down.d/shorewall

Redhat and Derivatives
COMPONENT                                  LOCATION
CLI programs                               /sbin/product
Distribution-specific configuration file   /etc/sysconfig/product
Init Scripts                               /etc/rc.d/init.d/product
ifupdown scripts from Shorewall-init       /sbin/ifup-local, /sbin/ifdown-local
ppp ifupdown scripts from Shorewall-init   /etc/ppp/ip-up.local, /etc/ppp/ip-down.local

SuSE
COMPONENT                                  LOCATION
CLI programs                               /sbin/product
Distribution-specific configuration file   /etc/sysconfig/product
Init Scripts                               /etc/init.d/product
ifupdown scripts from Shorewall-init       /etc/sysconfig/network/if-up.d/shorewall, /etc/sysconfig/network/if-down.d/shorewall
ppp ifupdown scripts from Shorewall-init   /etc/ppp/ip-up.d/shorewall, /etc/ppp/ip-down.d/shorewall, /etc/ppp/ipv6-up.d/shorewall, /etc/ppp/ipv6-down.d/shorewall

Cygwin
COMPONENT                                  LOCATION
CLI programs                               /bin/product
Distribution-specific configuration file   N/A
Init Scripts                               N/A
ifupdown scripts from Shorewall-init       N/A
ppp ifupdown scripts from Shorewall-init   N/A

OS X
COMPONENT                                  LOCATION
CLI programs                               /sbin/product
Distribution-specific configuration file   N/A
Init Scripts                               N/A
ifupdown scripts from Shorewall-init       N/A
ppp ifupdown scripts from Shorewall-init   N/A
Install the .deb
Once you have installed the .deb packages and before you attempt to configure Shorewall, please heed the advice of Lorenzo Martignoni, former Shorewall Debian Maintainer:
For more information about Shorewall usage on Debian system please look at /usr/share/doc/shorewall-common/README.Debian provided by [the] shorewall Debian package.
The easiest way to install Shorewall on Debian is to use apt-get. First, to ensure that you are installing the latest version of Shorewall, please modify your /etc/apt/preferences:
Package: shorewall
Pin: release o=Debian,a=testing
Pin-Priority: 700

Package: shorewall-doc
Pin: release o=Debian,a=testing
Pin-Priority: 700
Then run:
# apt-get update
# apt-get install shorewall
Once you have completed configuring Shorewall, you can enable startup at boot time by setting startup=1 in /etc/default/shorewall.
General Notes about Upgrading Shorewall
Most problems associated with upgrades come from two causes:
1. The user didn't read and follow the migration considerations in the release notes (these are also reproduced in the Shorewall Upgrade Issues).
2. The user mis-handled the /etc/shorewall/shorewall.conf file during upgrade.
Shorewall is designed to allow the default behavior of the product to evolve over time. To make this possible, the design assumes that you will not replace your current shorewall.conf file during upgrades. It is recommended that after you first install Shorewall you modify /etc/shorewall/shorewall.conf so as to prevent your package manager from overwriting it during subsequent upgrades (since the addition of STARTUP_ENABLED, such modification is assured since you must manually change the setting of that option).
If you feel absolutely compelled to have the latest options in your shorewall.conf then you must proceed carefully. You should determine which new options have been added and you must reset their value (e.g. OPTION=""); otherwise, you will get different behavior from what you expect.
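Working out which options a newer packaged shorewall.conf adds, and resetting them as the text advises, is mechanical enough to script. The following is an added example, not Shorewall code: conf_option_names, new_conf_options and merge_conf are constructed names; the script assumes shorewall.conf consists of NAME=value lines with '#' comments. STARTUP_ENABLED and LOG_VERBOSITY are real shorewall.conf options; EXAMPLE_NEW_OPTION is a placeholder standing in for whatever a new release introduces.

```shell
#!/bin/sh
# Added example, not part of Shorewall: list the options a newer packaged
# shorewall.conf adds compared with the conf you kept, and build a merged
# file in which each new option is reset to "" so the upgrade does not
# silently change behaviour. The sample confs below are constructed.

# conf_option_names FILE: option names assigned in FILE, sorted, one per
# line (comment lines and anything that is not NAME=value are ignored).
conf_option_names() {
    sed -n 's/^[[:space:]]*\([A-Z_][A-Z0-9_]*\)=.*/\1/p' "$1" | LC_ALL=C sort -u
}

# new_conf_options OLD NEW: names present in NEW but absent from OLD.
new_conf_options() {
    old_names=$(mktemp)
    new_names=$(mktemp)
    conf_option_names "$1" > "$old_names"
    conf_option_names "$2" > "$new_names"
    LC_ALL=C comm -13 "$old_names" "$new_names"
    rm -f "$old_names" "$new_names"
}

# merge_conf OLD NEW OUT: copy OLD to OUT unchanged, then append NAME=""
# for every option that only NEW has, as the upgrade notes recommend.
merge_conf() {
    cp "$1" "$3"
    new_conf_options "$1" "$2" | while read -r name; do
        printf '%s=""\n' "$name"
    done >> "$3"
}

# write_sample_confs DIR: the conf the administrator kept and the newer
# packaged one. EXAMPLE_NEW_OPTION is a placeholder, not a real option.
write_sample_confs() {
    cat > "$1/shorewall.conf.kept" <<'EOF'
# options as the administrator left them
STARTUP_ENABLED=Yes
LOG_VERBOSITY=1
EOF
    cat > "$1/shorewall.conf.new" <<'EOF'
# packaged file from the newer release
STARTUP_ENABLED=No
LOG_VERBOSITY=1
EXAMPLE_NEW_OPTION=Yes
EOF
}

# Demo when run directly.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
echo "options added by the new release:"
new_conf_options "$demo_dir/shorewall.conf.kept" "$demo_dir/shorewall.conf.new"
merge_conf "$demo_dir/shorewall.conf.kept" "$demo_dir/shorewall.conf.new" \
           "$demo_dir/shorewall.conf.merged"
echo "merged file:"
cat "$demo_dir/shorewall.conf.merged"
rm -rf "$demo_dir"
```

Review the merged file and run shorewall check before installing it as /etc/shorewall/shorewall.conf; the empty value keeps the pre-upgrade behaviour only for options whose documented default is the old behaviour, which is exactly why the text says to check the release notes first.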
Upgrade using RPM
If you already have the Shorewall RPM installed and are upgrading to a new version:
1. Be sure that you have the correct RPM package! The standard RPM package from shorewall.net and the mirrors is known to work with SUSE, Power PPC, Trustix and TurboLinux. There is also an RPM package provided by Simon Matter that is tailored for RedHat/Fedora and another package from Jack Coates that is customized for Mandriva. If you try to upgrade using the wrong package, it probably won't work. Simon Matter names his 'common' rpm 'shorewall' rather than 'shorewall-common'.
2. If you are upgrading from a 2.x or 3.x version to a 4.x version or later, please see the upgrade issues for specific instructions.
3. Upgrade the RPM:
   rpm -Uvh <shorewall rpm file>
   Shorewall is dependent on the iproute package. Unfortunately, some distributions call this package iproute2, which will cause the upgrade of Shorewall to fail with the diagnostic:
   error: failed dependencies:
   iproute is needed by shorewall-3.2.1-1
   This may be worked around by using the --nodeps option of rpm:
   rpm -Uvh --nodeps <shorewall rpm> ...
4. See if there are any incompatibilities between your configuration and the new Shorewall version and correct as necessary:
   shorewall check
5. Restart the firewall:
   shorewall restart
Upgrade using tarball
If you are upgrading from a 2.x or 3.x version to a 4.x version or later, please see the upgrade issues for specific instructions.
If you are upgrading to version 4.5.0 or later, you must first install or upgrade the Shorewall-core package:
1. Unpack the tarball:
   tar -jxf shorewall-core-4.5.0.tar.bz2
2. cd to the shorewall directory (the version is encoded in the directory name as in shorewall-core-4.5.0).
3. Type:
   ./install.sh
If you already have Shorewall installed and are upgrading to a new version using the tarball:
1. Unpack the tarball:
   tar -jxf shorewall-4.5.0.tar.bz2
2. cd to the shorewall-perl directory (the version is encoded in the directory name as in shorewall-4.5.0).
3. Type:
   ./install.sh
   or, if you are installing Shorewall or Shorewall6 version 4.4.8 or later, you may type:
   ./install.sh -s
   The -s option suppresses installation of all files in /etc/shorewall except shorewall.conf. You can copy any other files you need from one of the Samples or from /usr/share/shorewall/configfiles/.
4. See if there are any incompatibilities between your configuration and the new Shorewall version and correct as necessary:
   shorewall check
5. Start the firewall by typing:
   shorewall start
6. If the install script was unable to configure Shorewall to be started automatically at boot, see these instructions.
Upgrading the .deb When the installer asks if you want to replace /etc/shorewall/shorewall.conf with the new version, we strongly advise you to say No. See above.
Configuring Shorewall You will need to edit some or all of the configuration files to match your setup. In most cases, the Shorewall QuickStart Guides contain all of the information you need.
Uninstall/Fallback See Fallback and Uninstall.
shorewall-docs-xml-5.2.3/traffic_shaping_ru.xml
Traffic Control and Traffic Shaping
Tom Eastep
Arne Bernin
2001-2007 Thomas M. Eastep
2005 Arne Bernin & Thomas M. Eastep
2007 Russian Translation: Grigory Mokhin
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Traffic control is a complex topic, and you should not expect the Shorewall community to have ready answers to the questions it raises. So if what you want is a ready-made recipe for pressing a button and having everything work by itself, you had better not even try to set up traffic control with Shorewall. Unpleasant disappointments await you, and hardly anyone will be able to help. In other words, reading the Shorewall documentation alone will not be enough to understand the topics covered here. At a minimum, you will need to consult the following additional sources:
LARTC HOWTO: http://www.lartc.org
The HTB user guide: http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
Some of the documents at http://www.netfilter.org/documentation/index.html#documentation-howto. We recommend Oskar Andreasson's very good tutorial.
The output of man iptables
Introduction
Beginning with version 2.5.5, Shorewall has built-in support for traffic control and traffic shaping. In earlier versions these capabilities were limited. You could use your own tcstart script (you still can), but apart from the tcrules file, the Shorewall configuration files had no provision for defining classes and queueing disciplines. Traffic control support is still incomplete; for example, not all of the options (and in particular not all of the queueing algorithms) in the Linux kernel are supported, but it will be sufficient for most cases. If you already have a traffic control script that you intend to keep using, the corresponding instructions are given further down in this document. For this to work, traffic control support must be enabled in the kernel and in Shorewall, as described below.
Traffic Control and Traffic Shaping in Linux
This section briefly describes how traffic control works in Linux. Even though this should be enough to set up traffic control in the Shorewall configuration files, we strongly recommend reading the Linux Advanced Routing and Shaping HOWTO carefully. At the time this document was written, the current version was 1.0.0.
Beginning with version 2.2, Linux has full traffic control capabilities. Various algorithms are provided for prioritizing the queues of packets leaving an interface. The standard algorithm is called pfifo and, as the name suggests, it is a first-in, first-out queue. In effect no traffic control takes place at all, and if some connection saturates the whole link, this algorithm cannot prevent it.
Shorewall uses two algorithms for traffic control, HTB (Hierarchical Token Bucket) and SFQ (Stochastic Fairness Queueing). SFQ uses a simple scheme: all connections (tcp or udp) are tracked, and traffic is distributed among them. Usually this works well. HTB lets you define a set of classes among which traffic is distributed. For each class you can specify a minimum and a maximum bandwidth, and the classes can be arranged in a hierarchy so that lower-priority classes get access to the link only when the demands of the more important classes have been satisfied. Shorewall's built-in traffic control lets you define such classes and specify bandwidth for them. Inside the classes, SFQ is used so that their various internal data flows are treated fairly.
Only outgoing traffic can be controlled. The reason is that incoming packets have already arrived at the network card, and a decision has to be made about what to do with them. They can only be dropped, but there is little point in that, since the packet has already arrived, having passed through the bottleneck, the incoming link. The next bottleneck may be the interface from which this packet leaves, and that is where a queue can form. So defining queues for incoming packets is not particularly useful; these packets simply need to be passed to the outgoing interface as quickly as possible.
There is one exception. If incoming traffic is limited to a value slightly lower than the actual link bandwidth, queueing at the other end of the connection is avoided. This is useful when flow control at the other end of the link is not possible and that end is connected to the network by a faster link, for example when you are connected to your provider by a cable or DSL modem and the provider's router is connected to a fast backbone. So if packets that arrive too fast are dropped, the underlying protocol can detect this and reduce the speed of the connection. TCP has such a mechanism built in; UDP does not, but a protocol running on top of UDP may have one. In such cases queueing has unpleasant consequences if there are packets that must get through first, such as VoIP or ssh. For such connections it is important that packets pass with minimal delay. For other packets, such as an HTTP download, a delay of a few seconds does not matter. If a queue forms at the other end of the link and the router does not support QoS, or the QoS bits are set incorrectly, packets for which minimal delay matters will wait in the same queue as the less important HTTP download packets, and the delay can be large.
Control of outgoing traffic is achieved by distributing the packet flow among classes. A class is associated with exactly one network interface and has a number of attributes:
PRIORITY - used to specify the priority of the classes to which outgoing packets belong. The priority is a number, where 1 is the highest priority, 2 the next most important, and so on.
RATE - the rate, that is, the minimum guaranteed bandwidth that must be provided for the class when the load on the link increases. Classes with higher priority (lower PRIORITY values) are served even if other classes with guaranteed bandwidth but lower priority (higher PRIORITY values) are defined.
CEIL - the ceiling, the maximum bandwidth allotted to the class when the link is free.
MARK - the mark. Netfilter provides ways to mark packets. Packet marks are numbers. In Shorewall they can take values from 1 to 255. Packet marks are assigned to various kinds of packets according to the rules given in /etc/shorewall/tcrules.
For each interface you must define one class that will be the default class. Unmarked data, that is, packets for which no mark is specified in /etc/shorewall/tcrules, belong to this class.
Netfilter also supports connection marks. Connection marks can be assigned to connections in /etc/shorewall/tcrules rules; the packet mark can be copied to the connection mark (SAVE), or the connection mark copied to the packet mark (RESTORE).
Linux Kernel Configuration
A kernel no older than 2.4.18 is required. The figure shows the kernel options that must be enabled. For the built-in support you need the HTB scheduler, Ingress scheduler, PRIO pseudoscheduler and SFQ queue options. The other schedulers and queueing algorithms are optional. The u32 and fw classifiers from the main Networking Options menu (not shown) are also required. The next figure shows how I configured QoS in my 2.6.13 kernel: The kernel configuration changed in 2.6.16 -- here are my recommendations.
Enabling TC Support in Shorewall
TC support must be enabled regardless of whether you use the built-in functions or your own tcstart script. To enable Shorewall's built-in traffic control, do the following:
Set TC_ENABLED to "Internal" in /etc/shorewall/shorewall.conf. If TC_ENABLED=Yes, Shorewall will look for an external tcstart file (see below).
If the CLEAR_TC parameter in /etc/shorewall/shorewall.conf is set to Yes, the current traffic control configuration is cleared when Shorewall starts, restarts and stops. This is usually what you want with the built-in functions, and also with your own tcstart script.
The next steps depend on whether you use the built-in functions or your own script. This is explained in more detail in the following sections.
Using the built-in traffic control and shaping functions

Shorewall's built-in traffic control functions are a thin wrapper around the ingress qdisc, HTB and SFQ. The wrapper lets you:

- Define HTB classes in Shorewall configuration files.
- Load the traffic shaping configuration together with the packet filtering and marking rules.
- Assign packets to HTB classes by TOS value.
- Assign outgoing TCP ACK packets to an HTB class.
- Assign packets to HTB classes by packet mark value.

Shorewall's built-in traffic shaping is limited to ten (10) devices.

The built-in functions do nothing beyond this. To use them you therefore need to understand how HTB and Linux traffic control work and how Netfilter packet marks work. See the links at the beginning of this document for more information.

To specify bandwidth (of devices as well as classes) use kbit or kbps (for kiloBYTES per second) with NO space between the number and the unit (that is, 100kbit and NOT 100 kbit). You may also use mbit, mbps or a bare number (meaning bytes), but only integers are supported (0.5 cannot be used).

To configure the devices correctly you must find out the actual bandwidth of your link in both directions. This is especially important for DSL connections or any other connection where the link bandwidth is not guaranteed. Don't trust the figures your provider quotes; measure the real link speed yourself. Various online tools can help; try searching google for "dsl speed test" (in Germany you can use arcor speed check). Pick a test located near you.
/etc/shorewall/tcdevices

In this file you specify the link bandwidth of the devices for which traffic shaping is enabled. In other words, a device must have an entry in this file for traffic shaping to work on it. The columns are:

INTERFACE - the interface name. An interface may be listed at most once. An interface alias (e.g., eth0:0) cannot be used here; see FAQ #18. Wildcards cannot be used either: if you have several ppp interfaces, every one of them must be listed. In Shorewall versions before 3.0.8 and 3.2.0 Beta 8, the device named in this column had to exist when Shorewall was started, restarted or refreshed. Starting with 3.0.8 and 3.2.0 Beta 8, Shorewall checks whether the device exists and configures it only if it does. If it does not, the following warning is issued:

WARNING: Device <device> not found -- traffic-shaping configuration skipped

IN-BANDWIDTH - the incoming bandwidth of this interface. Note that incoming traffic cannot be shaped, since the packets have already arrived. This column lets you set the maximum rate allowed on the interface; packets above that rate are dropped. This is mainly useful for DSL or cable connections, to avoid queueing in the provider's equipment. If no packets should be dropped, specify a value greater than the actual maximum link speed (in Shorewall 3.2.6 and later you may also specify 0). To find the optimal value, start with a value that is clearly below the measured link speed (about 20 percent lower). Then, while downloading files, measure the ping response time between your system and the provider's router and gradually raise the value. The optimal value is the one above which the ping response time starts to rise sharply.

OUT-BANDWIDTH - the outgoing bandwidth of this interface. This is the maximum rate at which the outgoing link can operate. In tc class terms this rate is called full. Outgoing traffic above this rate is dropped.

Suppose you use PPP over Ethernet (DSL) and the interface is ppp0. The device has an outgoing speed of 500 kbit and an incoming speed of 6000 kbit:

#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH
ppp0         6000kbit       500kbit
/etc/shorewall/tcclasses

In this file you define the classes among which outgoing traffic is distributed.

INTERFACE - the interface name. Must match an interface name in /etc/shorewall/tcdevices.

MARK - the mark. Must be an integer from 1 to 255. These marks are set in the tcrules file; they mark the packets that are thereby assigned to the queueing classes defined here. The same marks may be used on different interfaces.

RATE - the minimum guaranteed bandwidth the class should receive when the link becomes loaded. Classes with a higher priority are served even if other classes with guaranteed bandwidth but lower priority are defined. If the sum of the RATE values of all classes assigned to an interface exceeds the interface's OUT-BANDWIDTH, the OUT-BANDWIDTH limit will not be honored.

CEIL - the cap, the maximum bandwidth the class may take when the link is idle. This is useful for traffic that should get the whole link when more important services (such as ssh) are not in use. The value "full" means that the class's maximum bandwidth is the one defined for the interface.

PRIORITY - the priority of the class. Packets from a class with a higher priority (that is, a lower value) are handled before packets from classes with lower priority. If marks are assigned in order of priority, you can simply use the mark value here.

OPTIONS - a comma-separated list of options. The following options are available:

default - the default class for the interface, receiving all traffic not assigned to another class. Exactly one class per interface must be given the default option.

tos-<tos-name> - defines a filter for the given <tos-name>, so that the Type Of Service bits of the IP packet place the packet in this class. Note that this filter overrides any marks: if you define a tos filter for a class, every packet carrying that TOS value goes into this class regardless of the mark it already has. Possible values are:

tos-minimize-delay (16)
tos-maximize-throughput (8)
tos-maximize-reliability (4)
tos-minimize-cost (2)
tos-normal-service (0)

Each of these options may be used for only one class per interface.

tcp-ack - creates a tc filter and class into which all tcp ack packets on this interface no larger than 64 bytes are placed. This speeds up downloads. The 64-byte limit on ack packets excludes applications (e.g. p2p) that flag every packet as an ack: only packets WITHOUT payload should match this filter, hence the size limit. Larger packets go to the other classes. This option may be used for only one class per interface.
/etc/shorewall/tcrules

The fwmark classifier is a convenient way to classify packets for traffic shaping. The /etc/shorewall/tcrules file presents these marks as a table. This document gives a deeper introduction to packet marking in Netfilter/Shorewall.

Normally the packet mark is set in the PREROUTING chain, before address rewriting takes place. This makes it impossible to mark incoming packets by their destination address when SNAT or Masquerading is in use. You can, however, mark packets in the FORWARD chain by setting the MARK_IN_FORWARD_CHAIN option in shorewall.conf. The columns are:

MARK or CLASSIFY - MARK specifies the mark value assigned to a packet that matches the rule. It must be an integer from 1 to 255. It may be followed by : and one of F, P or "T", denoting marking in the FORWARD, PREROUTING or POSTROUTING chain respectively. If these qualifiers are omitted, the chain in which packets are marked is determined as follows: if SOURCE is $FW[:<address>], the rule is placed in the OUTPUT chain; otherwise the chain is determined by the MARK_IN_FORWARD_CHAIN option in shorewall.conf. The "T" qualifier was added in Shorewall 3.3.6 and is not available in earlier versions. Normally the mark is assigned to the packet. If the mark is followed by ":" and "C", the mark is applied to the connection instead. "C" may be combined with "F", "P" or "T" to mark the connection in a particular chain (e.g., "CF", "CP", "CT"). The following special values are also available:

RESTORE[/mask] -- restore the packet mark from the connection mark, using the mask if one is given. The kernel and iptables must support CONNMARK. As above, the :P, :F or :T qualifiers may be appended.

SAVE[/mask] -- save the packet mark in the connection mark, using the mask if one is given. The kernel and iptables must support CONNMARK. As above, the :P, :F or :T qualifiers may be appended.

CONTINUE - stop processing further marking rules in the table. As above, the :P, :F or :T qualifiers may be appended.

COMMENT (Shorewall 3.3.3 and later) -- the rest of the line is attached as a comment to the Netfilter rules generated by the entries that follow. The comment appears delimited by "/* ... */" in the output of shorewall show mangle. To stop the comment from applying to subsequent entries, put COMMENT on a line by itself.

For CLASSIFY, the kernel and iptables must support CLASSIFY. The column then contains a classid of the form <major>:<minor>, where <major> and <minor> must be integers. It corresponds to the 'class' specification of the following traffic control modules: atm, cbq, dsmark, pfifo_fast, htb, prio. In Shorewall versions before 3.2.3, classify rules were always placed in the POSTROUTING chain. Starting with Shorewall 3.2.3, classification is done in POSTROUTING except when SOURCE contains $FW[:<address>], in which case it is done in OUTPUT. With the built-in traffic shaping, <major> is the device number (the first entry in /etc/shorewall/tcdevices is device 1, the second is device 2, and so on) and <minor> is the class's MARK value preceded by the digit "1" (for MARK 1 the <minor> class is 11, for MARK 22 the <minor> class is 122, and so on).

SOURCE - the packet source. A comma-separated list of interface names, IP addresses, MAC addresses and/or subnets for packets routed along a common path. List elements may also be an interface name followed by ":" and an address (e.g., eth1:192.168.1.0/24). So all packets of connections masqueraded through eth0 from other interfaces can be covered by one rule with several SOURCE criteria. A connection whose packets reach eth0 by another path, for example from the firewall system itself, needs a separate rule, so create a separate rule with $FW for packets originating on the firewall. In such a rule the MARK column may not contain ":P" or ":F", because packets originating on the firewall are always marked in the OUTPUT chain. MAC addresses must be prefixed with "~" and use "-" as the separator. Example: ~00-A0-C9-15-39-78

DEST - the packet destination. A comma-separated list of IP addresses and/or subnets. If the kernel and iptables support iprange, IP address ranges may also be given. List elements may also be an interface name followed by ":" and an address (e.g., eth1:192.168.1.0/24). If the MARK column contains a <major>:<minor> classid, this column may also contain an interface name.

PROTO - the protocol. Must be "tcp", "udp", "icmp", "ipp2p", "ipp2p:udp", "ipp2p:all", a number or "all". "ipp2p" requires ipp2p support in the kernel and iptables.

PORT(S) - destination ports. A comma-separated list of port names (from /etc/services), port numbers or port ranges. If the protocol is "icmp", this column is interpreted as the destination icmp type. If the protocol is ipp2p, the column is interpreted as an ipp2p option without the leading "--" (e.g., "bit" for bit-torrent); if PORT is omitted, "ipp2p" is assumed. This field is ignored if PROTOCOL = all but must be present if any of the following fields is given; in that case "-" is recommended in this field.

CLIENT PORT(S) - optional ports used by the client. If omitted, any client port is accepted. Given as a comma-separated list of port names, port numbers or port ranges.

USER/GROUP (Shorewall 1.4.10 and later) - optional user name or group name. May be given only if SOURCE is the firewall system itself. If set, the rule applies only if the program that generated the packet runs as the specified user and/or group. Possible values:

[!][<user name or number>]:[<group name or number>][+<program name>]

The colon may be omitted if only a user name is given. Examples:

joe       # the program must be run by joe
:kids     # the program must be run by a member of the 'kids' group
!:kids    # the program must not be run by a member of the 'kids' group
+upnpd    # the program named upnpd (this feature was removed from Netfilter in kernel version 2.6.14)

TEST - a test on the existing packet or connection mark. The rule matches only if the test returns true. Tests have the format:

[!]<value>[/<mask>][:C]

where:

!         inverts the test (not equal)
<value>   the value of the packet or connection mark
<mask>    a mask applied to the mark before the comparison
:C        denotes the connection mark; if absent, the packet mark is tested

LENGTH - packet length (optional, Shorewall 3.2.0 and later). If given, the packet length is compared with the given value or range. A range is written <min>:<max>, where either <min> or <max> (but not both) may be omitted. If <min> is omitted it is taken as 0; if <max> is omitted, any packet no shorter than <min> matches. This option requires length match support in iptables. If the value is absent or "-", no length comparison is made. Examples: 1024, 64:1500, :100

TOS - type of service (optional, Shorewall 3.2.0 Beta 6 and later).
A standard name or a number:

Minimize-Delay (16)
Maximize-Throughput (8)
Maximize-Reliability (4)
Minimize-Cost (2)
Normal-Service (0)
All packets arriving on eth1 should be marked 1. All packets arriving on eth2 and eth3 should be marked 2. All packets originating on the firewall should be marked 3.

#MARK   SOURCE      DESTINATION   PROTOCOL   PORT(S)
1       eth1        0.0.0.0/0     all
2       eth2        0.0.0.0/0     all
2       eth3        0.0.0.0/0     all
3       $FW         0.0.0.0/0     all

All GRE packets (protocol 47) not originating on the firewall and destined for 155.186.235.151 should be marked 12.

#MARK   SOURCE      DESTINATION       PROTOCOL   PORT(S)
12      0.0.0.0/0   155.182.235.151   47

All SSH packets from 192.168.1.0/24 to 155.186.235.151 should be marked 22.

#MARK   SOURCE           DESTINATION       PROTOCOL   PORT(S)
22      192.168.1.0/24   155.182.235.151   tcp        22

All SSH packets passing through the first device in /etc/shorewall/tcdevices should be assigned to the class with mark 10.

#MARK   SOURCE      DESTINATION   PROTOCOL   PORT(S)   CLIENT
#                                                      PORT(S)
1:110   0.0.0.0/0   0.0.0.0/0     tcp        22
1:110   0.0.0.0/0   0.0.0.0/0     tcp        -         22

All ICMP echo packets should be marked 1. All p2p protocol traffic should be marked 4. This case is slightly more involved. Because the ipp2p module cannot recognize every packet of a connection as P2P, the whole connection is marked as P2P once a match is found for any one of its packets. Packet/connection mark 0 is taken to mean unclassified.

#MARK      SOURCE      DESTINATION   PROTOCOL    PORT(S)        CLIENT    USER/   TEST
#                                                               PORT(S)   GROUP
1          0.0.0.0/0   0.0.0.0/0     icmp        echo-request
1          0.0.0.0/0   0.0.0.0/0     icmp        echo-reply
RESTORE    0.0.0.0/0   0.0.0.0/0     all         -              -         -       0
CONTINUE   0.0.0.0/0   0.0.0.0/0     all         -              -         -       !0
4          0.0.0.0/0   0.0.0.0/0     ipp2p:all
SAVE       0.0.0.0/0   0.0.0.0/0     all         -              -         -       !0

The last four rules mean the following:

"If the packet has not yet been classified (packet mark 0), copy the connection mark to the packet mark. If the packet mark is already set, nothing more needs to be done. If the packet is P2P, set the packet mark to 4. If the packet mark is set, save it as the connection mark."
ppp devices

If your connection to the provider goes through ppp/pppoe/pppoa and you use traffic shaping, Shorewall's traffic shaping must be restarted whenever the link comes back. The reason is that when the ppp connection is re-established (which usually happens at least once a day), all tc filters and qdiscs attached to that interface are removed. The simplest solution is to refresh shorewall when the connection is re-established. To do so, add the following to a script in /etc/ppp/ip-up.d:

#! /bin/sh
/sbin/shorewall refresh
Real-world examples
Configuration to replace Wondershaper

The built-in traffic shaping functions let you replace the wondershaper script completely. Sample configuration files are available at http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/. Note that the samples must be adapted to your environment. They assume that the interface to the provider is ppp0 (for DSL); change it for any other kind of connection. You also need to adjust the settings in tcdevices.wondershaper to match your actual link speed. The relevant lines from the configuration files are shown below. The result is an exact replacement for what wondershaper is supposed to do, but you can go on and improve on it...
The tcdevices file

#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH
ppp0         5000kbit       500kbit
The tcclasses file

#INTERFACE   MARK   RATE        CEIL        PRIORITY   OPTIONS
ppp0         1      full        full        1          tcp-ack,tos-minimize-delay
ppp0         2      9*full/10   9*full/10   2          default
ppp0         3      8*full/10   8*full/10   2
The tcrules file

#MARK   SOURCE      DEST        PROTO   PORT(S)        CLIENT    USER
#                                                      PORT(S)
1:F     0.0.0.0/0   0.0.0.0/0   icmp    echo-request
1:F     0.0.0.0/0   0.0.0.0/0   icmp    echo-reply
# mark for low-priority traffic:
# mldonkey
3       0.0.0.0/0   0.0.0.0/0   udp     -              4666

Wondershaper lets you define a set of hosts and/or ports that get low priority. To do the same in tcrules, give those hosts mark 3 (as the sample configuration files do).
Giving hosts low priority

Suppose your wondershaper script contained the following settings (purely as an example):

# Low-priority outgoing traffic; may be left empty
# low-priority source netmasks
NOPRIOHOSTSRC="192.168.1.128/25 192.168.3.28"
# low-priority destination netmasks
NOPRIOHOSTDST=60.0.0.0/24
# low-priority source ports
NOPRIOPORTSRC="6662 6663"
# low-priority destination ports
NOPRIOPORTDST="6662 6663"

These settings translate into the following tcrules entries:

3   192.168.1.128/25   0.0.0.0/0     all
3   192.168.3.28       0.0.0.0/0     all
3   0.0.0.0/0          60.0.0.0/24   all
3   0.0.0.0/0          0.0.0.0/0     udp   6662,6663
3   0.0.0.0/0          0.0.0.0/0     udp   -           6662,6663
3   0.0.0.0/0          0.0.0.0/0     tcp   6662,6663
3   0.0.0.0/0          0.0.0.0/0     tcp   -           6662,6663
A simple configuration

Below is a simple example for an Internet connection shared by several computers. It actually shapes the traffic of two hosts, with IP addresses 192.168.2.23 and 192.168.2.42.
The tcdevices file

#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH
ppp0         6000kbit       700kbit

The link has 6 Mbit incoming and 700 kbit outgoing.
The tcclasses file

#INTERFACE   MARK   RATE        CEIL        PRIORITY   OPTIONS
ppp0         1      5*full/10   full        1          tcp-ack,tos-minimize-delay
ppp0         2      3*full/10   9*full/10   2          default
ppp0         3      2*full/10   8*full/10   2

A high-priority class for tcp ack packets is added to speed up downloads. The next two classes share most of the link bandwidth between the two hosts, and all of it when the link is otherwise idle. Since the hosts are treated as equals, they have the same priority. The last class is for the remaining traffic.
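The rules stated in the tcdevices and tcclasses sections above (units without a space, integers only, "full" and N*full/M expressions, exactly one default class per interface, the RATE sum not exceeding OUT-BANDWIDTH, the classid formed from the device number and "1" plus the MARK) can be checked mechanically before a configuration is loaded. The following checker is an added example written for this page, not code from the Shorewall project; the two embedded configurations are constructed copies of the Wondershaper and simple examples above, and the unit multipliers (decimal k/M, bare numbers taken as bytes per second) are this example's assumptions:

```python
"""Sanity checks for Shorewall tcdevices/tcclasses files (added example)."""
import re

# Constructed copies of the two sample configurations shown in this article.
WONDERSHAPER_TCDEVICES = """\
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
ppp0 5000kbit 500kbit
"""
WONDERSHAPER_TCCLASSES = """\
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
ppp0 1 full full 1 tcp-ack,tos-minimize-delay
ppp0 2 9*full/10 9*full/10 2 default
ppp0 3 8*full/10 8*full/10 2
"""
SIMPLE_TCDEVICES = """\
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
ppp0 6000kbit 700kbit
"""
SIMPLE_TCCLASSES = """\
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
ppp0 1 5*full/10 full 1 tcp-ack,tos-minimize-delay
ppp0 2 3*full/10 9*full/10 2 default
ppp0 3 2*full/10 8*full/10 2
"""

# Multipliers to bits per second (assumed: decimal prefixes as tc uses them;
# kbps/mbps are kiloBYTES/megaBYTES per second; a bare number is bytes/s).
UNITS = {"kbit": 1_000, "kbps": 8_000, "mbit": 1_000_000, "mbps": 8_000_000, "": 8}


def parse_bandwidth(text):
    """Convert '100kbit', '2mbps' or a bare byte count to bits per second.

    Rejects a space before the unit and non-integer numbers, as the text requires."""
    m = re.fullmatch(r"(\d+)(kbit|kbps|mbit|mbps)?", text)
    if m is None:
        raise ValueError(f"bad bandwidth {text!r}: integer immediately followed by a unit")
    return int(m.group(1)) * UNITS[m.group(2) or ""]


def parse_rate(text, full):
    """Resolve a RATE/CEIL entry: 'full', 'N*full/M' or an absolute bandwidth."""
    if text == "full":
        return full
    m = re.fullmatch(r"(\d+)\*full/(\d+)", text)
    if m:
        return full * int(m.group(1)) // int(m.group(2))
    return parse_bandwidth(text)


def parse_table(text):
    """Rows of a Shorewall table file with comments and blank lines removed."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def load_devices(text):
    """Return {interface: (device_number, in_bps, out_bps)}; the first entry is device 1."""
    devices = {}
    for number, (iface, in_bw, out_bw) in enumerate(parse_table(text), start=1):
        if iface in devices:
            raise ValueError(f"{iface} appears more than once in tcdevices")
        devices[iface] = (number, parse_bandwidth(in_bw), parse_bandwidth(out_bw))
    return devices


def check_classes(tcdevices, tcclasses):
    """Resolve every tcclasses row and return (classes, problems).

    classes maps the HTB classid <device>:1<MARK> to its resolved fields;
    problems lists the violations of the rules described in the text."""
    devices = load_devices(tcdevices)
    classes, problems = {}, []
    rate_sum, defaults, single_use = {}, {}, set()
    for iface, mark, rate, ceil, prio, *rest in parse_table(tcclasses):
        if iface not in devices:
            problems.append(f"{iface}: not listed in tcdevices")
            continue
        devnum, _, full = devices[iface]
        mark = int(mark)
        if not 1 <= mark <= 255:
            problems.append(f"{iface}: MARK {mark} outside 1..255")
        options = rest[0].split(",") if rest else []
        for opt in options:  # tcp-ack and each tos-* filter: one class per interface
            if opt == "tcp-ack" or opt.startswith("tos-"):
                if (iface, opt) in single_use:
                    problems.append(f"{iface}: option {opt} used by more than one class")
                single_use.add((iface, opt))
        classid = f"{devnum}:1{mark}"  # minor class is the MARK prefixed with "1"
        classes[classid] = {"iface": iface, "mark": mark, "prio": int(prio), "options": options,
                            "rate": parse_rate(rate, full), "ceil": parse_rate(ceil, full)}
        rate_sum[iface] = rate_sum.get(iface, 0) + classes[classid]["rate"]
        defaults[iface] = defaults.get(iface, 0) + ("default" in options)
    for iface, (_, _, full) in devices.items():
        n = defaults.get(iface, 0)
        if n != 1:
            problems.append(f"{iface}: exactly one default class required, found {n}")
        if rate_sum.get(iface, 0) > full:
            problems.append(f"{iface}: RATE sum {rate_sum[iface]} bit/s exceeds "
                            f"OUT-BANDWIDTH {full} bit/s; the limit will not be honored")
    return classes, problems


if __name__ == "__main__":
    for name, dev, cls in (("wondershaper", WONDERSHAPER_TCDEVICES, WONDERSHAPER_TCCLASSES),
                           ("simple", SIMPLE_TCDEVICES, SIMPLE_TCCLASSES)):
        resolved, found = check_classes(dev, cls)
        print(name, sorted(resolved), found or "no problems")
```

Run against the two samples, the simple configuration passes (its RATE values add up to exactly full), while the Wondershaper replacement is reported because full + 9*full/10 + 8*full/10 exceeds the 500kbit OUT-BANDWIDTH, which by the rule stated under RATE means the outgoing limit is not enforced.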
The tcrules file

#MARK   SOURCE         DEST        PROTO   PORT(S)        CLIENT    USER
#                                                         PORT(S)
1:F     0.0.0.0/0      0.0.0.0/0   icmp    echo-request
1:F     0.0.0.0/0      0.0.0.0/0   icmp    echo-reply
2:F     192.168.2.23   0.0.0.0/0   all
3:F     192.168.2.42   0.0.0.0/0   all

ICMP ping requests and replies are marked separately as belonging to the interactive class. That mark is set for both hosts.
Notes for Xen users

If traffic shaping is enabled in dom0 but outgoing traffic is not shaped correctly, the cause may be checksum offloading in your domUs. Look at the output of "shorewall show tc". Here is an example:

class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 1500 rate 76000bit ceil 230000bit burst 1537b/8 mpu 0b overhead 0b cburst 1614b/8 mpu 0b overhead 0b level 0
 Sent 559018700 bytes 75324 pkt (dropped 0, overlimits 0 requeues 0)
 rate 299288bit 3pps backlog 0b 0p requeues 0
 lended: 53963 borrowed: 21361 giants: 90174
 tokens: -26688 ctokens: -14783

Two problems are easy to spot in this output: the rate (299288) is well above the configured ceiling (230000), and a large number of giant packets (90174) is reported. The problem is fixed by disabling checksum offloading in the domUs with ethtool. See the Xen article for instructions.
Using your own tc scripts
Replacing the built-in tcstart file

If you prefer to write your own tc start script, simply place it in /etc/shorewall/tcstart. In the tcstart script, use Shorewall's run_tc function instead of calling tc directly, so that the firewall is stopped if tc fails.

Set TC_ENABLED=Yes and CLEAR_TC=Yes.

Provide the /etc/shorewall/tcstart script with your traffic shaping rules. Optionally, provide a /etc/shorewall/tcclear script to stop traffic shaping; this is normally not needed.

If your tcstart script uses the fwmark classifier, you can mark packets with entries in /etc/shorewall/tcrules.
Traffic shaping external to Shorewall

To start traffic shaping when the network interfaces come up, your traffic shaping script must be run at exactly that moment. How to do that depends on your distribution and is not described here. After that:

Set TC_ENABLED=No and CLEAR_TC=No.

If your script uses the fwmark classifier, you can mark packets with entries in /etc/shorewall/tcrules.
Testing tools

At least one Shorewall user has found the following tools useful: http://e2epi.internet2.edu/network-performance-toolkit.html
Some Things that Shorewall Does Not Do Tom Eastep 2003-2009 Thomas M Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release.
Shorewall Does not:

- Act as a Personal Firewall that allows Internet access control by application. If that's what you are looking for, try TuxGuardian.
- Work with an Operating System other than Linux (version >= 2.4.0)
- Act as a Proxy (although it can be used with a separate proxy such as Squid or Socks).
- Do content filtering:
  - HTTP - better to use Squid, E2guardian, or Parental Control for that.
  - Email -- Install something like Postfix on your firewall and integrate it with SpamAssassin, Amavisd-new and Clamav
- Configure/manage Network Devices (your Distribution includes tools for that).
In Addition: Shorewall generally does not contain any support for Netfilter xtables-addons features -- Shorewall only supports features from released kernels except in unusual cases.
Packet Marking using /etc/shorewall/mangle and /etc/shorewall/tcrules Tom Eastep 2006 2013 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article includes information that applies to Shorewall version 3.2.5 and later. Not all features described here will be available in earlier releases. /etc/shorewall/mangle superseded /etc/shorewall/tcrules in Shorewall 4.6.0. /etc/shorewall/tcrules is still supported but its use is deprecated.
Packet and Connection Marks

Perhaps no aspect of Shorewall causes more confusion than packet marking. This article will attempt to clear up some of that confusion.

Each packet has a mark whose value is initially 0. Mark values are stored in the skb (socket buffer) structure used by the Linux kernel to track packets; the mark value is not part of the packet itself and cannot be seen with tcpdump, ethereal or any other packet sniffing program. They can be seen in an iptables/ip6tables trace -- see the iptrace command in shorewall(8) and shorewall6(8). Example (output has been folded for display):

[11692.096077] TRACE: mangle:tcout:return:3 IN= OUT=eth0 SRC=172.20.1.130 DST=206.124.146.254
  LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7212 SEQ=3
  UID=0 GID=1000 MARK=0x10082

Each active connection (even those that are not yet in ESTABLISHED state) has a mark value that is distinct from the packet marks. Connection mark values can be seen using the shorewall show connections command. The default connection mark value is 0. Example (output has been folded for display):

shorewall show connections
Shorewall 3.3.2 Connections at gateway - Mon Oct 2 09:08:18 PDT 2006
tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=80 packets=23 bytes=4623
  src=192.136.34.98 dst=206.124.146.176 sport=80 dport=58597 packets=23 bytes=22532 [ASSURED] mark=256 use=1
…

Packet marks are valid only while the packet is being processed by the firewall. Once the packet has been given to a local process or sent on to another system, the packet's mark value is no longer available. Connection mark values, on the other hand, persist for the life of the connection. Other parts of the system such as Traffic Shaping and Policy Routing cannot use connection marks — they can only use packet marks.
Packet Marking "Programs"

Packet marking occurs in Netfilter's mangle table. See the Netfilter Overview article. You can think of entries in the mangle and tcrules files like instructions in a program coded in a crude assembly language. The program gets executed for each packet. That is another way of saying that if you don't program, you may have difficulty making full use of Netfilter/Shorewall's Packet Marking.

Actually, the mangle/tcrules files define several programs. Each program corresponds to one of the built-in chains in the mangle table.

PREROUTING program — If MARK_IN_FORWARD_CHAIN=No in shorewall.conf, then by default entries in /etc/shorewall/mangle and /etc/shorewall/tcrules are part of the PREROUTING program. Entries specifying the ":P" suffix in the ACTION column are also part of the PREROUTING program. The PREROUTING program gets executed for each packet entering the firewall.

FORWARD program — If MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf, then by default entries in /etc/shorewall/mangle and /etc/shorewall/tcrules are part of the FORWARD program. Entries specifying the ":F" suffix in the ACTION column are also part of the FORWARD program. The FORWARD program gets executed for each packet forwarded by the firewall.

OUTPUT program — Entries with $FW in the SOURCE column are part of the OUTPUT program. The OUTPUT program is executed for each packet originating on the firewall itself.

POSTROUTING program — Entries with a class-id in the ACTION column (and that don't specify $FW in the SOURCE column) are part of the POSTROUTING program. These rules are executed for each packet leaving the firewall. Entries specifying the ":T" suffix in the ACTION column are also part of the POSTROUTING program (Shorewall version 3.4.0 and later).

INPUT program — No entries in tcrules will add entries to this program. It is executed for each packet that is targeted to the firewall itself.
Note that a packet being forwarded by your firewall actually gets processed by three different programs: PREROUTING, FORWARD and POSTROUTING. Similarly, packets addressed to the firewall itself are processed by two programs (PREROUTING and INPUT) while packets originating on the firewall are likewise processed by two programs (OUTPUT and POSTROUTING).

Rules in each program are executed as follows:

- Rules are conditionally executed based on whether the current packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT, USER, TEST, LENGTH and TOS columns.
- When a rule is executed, either:
  - the current packet receives a new mark value; or
  - the connection to which the current packet belongs receives a new mark value (":C", ":CF" or ":CP" suffix in the ACTION column); or
  - the packet is classified for traffic shaping (class-id in the ACTION column); or
  - the packet mark in the current packet is moved to the connection mark for the connection that the current packet is part of ("SAVE" in the ACTION column); or
  - the connection mark value for the connection that the current packet is part of is moved to the current packet's mark ("RESTORE" in the ACTION column); or
  - jump to a subroutine (another chain in the mangle table). These jumps are generated by Shorewall; or
  - exit the current subroutine ("CONTINUE" in the ACTION column).
- Unless the subroutine is exited using CONTINUE, the current packet is always passed to the next tcrule in the subroutine.
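The execution model just described (rules tried top to bottom, each executed rule setting the packet mark, SAVE-ing it into or RESTORE-ing it from the connection mark, or leaving the chain with CONTINUE) is easiest to see by stepping through it. The following simulator is an added example written for this page, not Shorewall code: it runs the ICMP and P2P tcrules from the traffic shaping examples earlier in this document over a constructed sequence of packets, so that the difference between the short-lived packet mark and the persistent connection mark is visible. The ipp2p match is represented by a flag on the constructed packet; nothing here inspects payloads, and the Packet and Rule classes are this example's own.

```python
"""Step-through simulator for a Shorewall tcrules marking program (added example)."""
from dataclasses import dataclass


@dataclass
class Packet:
    """A constructed packet: only the fields the sample rules look at."""
    proto: str            # "tcp", "udp" or "icmp"
    conn: str             # connection identifier (constructed, stands for the conntrack entry)
    icmp_type: str = ""   # "echo-request" / "echo-reply" for icmp
    p2p: bool = False     # stands in for an ipp2p match on this packet
    mark: int = 0         # packet mark, initially 0 as the article states


@dataclass
class Rule:
    """One tcrules row: ACTION plus the match columns the sample rules use."""
    action: str           # a mark value as text, or "RESTORE", "CONTINUE", "SAVE"
    proto: str = "all"
    port: str = "-"       # destination port, or the icmp type for proto icmp
    test: str = "-"       # TEST column: "-", "0" or "!0"


# The ICMP and P2P rules from the tcrules examples in this document.
RULES = [
    Rule("1", "icmp", "echo-request"),
    Rule("1", "icmp", "echo-reply"),
    Rule("RESTORE", test="0"),     # unclassified packet: take the connection mark
    Rule("CONTINUE", test="!0"),   # already classified: leave the program
    Rule("4", "ipp2p:all"),        # first packet recognised as P2P gets mark 4
    Rule("SAVE", test="!0"),       # remember the classification on the connection
]


def matches(rule, pkt):
    """Evaluate the rule's PROTO, PORT and TEST columns against the packet."""
    if rule.proto == "ipp2p:all":
        if not pkt.p2p:
            return False
    elif rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.proto == "icmp" and rule.port != "-" and rule.port != pkt.icmp_type:
        return False
    if rule.test != "-":
        invert = rule.test.startswith("!")
        value = int(rule.test.lstrip("!"))
        if (pkt.mark == value) == invert:
            return False
    return True


def run_program(rules, pkt, connmarks):
    """Execute the program for one packet; returns the packet's final mark.

    connmarks maps connection id -> connection mark and persists across packets,
    the way the kernel's conntrack entry does."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "RESTORE":
            pkt.mark = connmarks.get(pkt.conn, 0)
        elif rule.action == "SAVE":
            connmarks[pkt.conn] = pkt.mark
        elif rule.action == "CONTINUE":
            break                      # exit the chain; later rules are skipped
        else:
            pkt.mark = int(rule.action)
    return pkt.mark


def classify_stream(packets):
    """Run every packet through RULES in order; return (per-packet marks, connection marks)."""
    connmarks = {}
    marks = [run_program(RULES, pkt, connmarks) for pkt in packets]
    return marks, connmarks


if __name__ == "__main__":
    stream = [
        Packet("tcp", "c1"),                 # not yet recognised: stays 0, nothing saved
        Packet("tcp", "c1", p2p=True),       # ipp2p match: mark 4, saved on the connection
        Packet("tcp", "c1"),                 # later packet: RESTORE gives 4, CONTINUE exits
        Packet("icmp", "c2", icmp_type="echo-request"),  # mark 1, CONTINUE before SAVE
    ]
    print(classify_stream(stream))
```

The third tcp packet is the point of the RESTORE/SAVE pair: ipp2p does not recognise it, yet it inherits mark 4 from the connection. Note also that the ICMP packet never reaches the SAVE rule, because CONTINUE fires first once the packet mark is non-zero, so its connection mark stays at the default 0.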
Mark and Mask Values The mark value is held in a 32-bit field. Because packet marking is the Netfilter kludge of last resort for solving many hard technical problems, Shorewall originally reserved half of this field (16 bits) for future use. The remainder was split into two 8-bit values: The low-order eight bits are used for traffic shaping marks. These eight bits were also used for selecting among multiple providers when HIGH_ROUTE_MARKS=No in shorewall.conf. Some rules that deal with only these bits used a mask value of 0xff. The next 8 bits were used for selecting among multiple providers when HIGH_ROUTE_MARKS=Yes in shorewall.conf. These bits are manipulated using a mask value of 0xff00. As hinted above, marking rules can specify both a mark value and a mask. The mask determines the subset of the 32 bits in the mark to be used in the operation — only those bits that are on in the mask are manipulated when the rule is executed. For entries in tcrules, Shorewall-generated rules use a mask value that depends on which program the rule is part of, what the rule does, and the setting of HIGH_ROUTE_MARKS. For entries in mangle and tcrules, the default mask value is 0xffff except in these cases: RESTORE rules use a default mask value of 0xff. SAVE rules use a default mask value of 0xff. Connection marking rules use a mask value of 0xff. When WIDE_TC_MARKS was added, the number of bits reserved for TC marks was increased to 14 when WIDE_TC_MARKS=Yes and the provider mark field (when HIGH_ROUTE_MARKS=Yes) was offset 16 bits. Also, when HIGH_ROUTE_MARKS=Yes, the mask used for setting/testing TC marks was 0xffff (16 bits). Shorewall actually allows you to have complete control over the layout of the 32-bit mark using the following options in shorewall.conf (5) (these options were documented in the shorewall.conf(5) manpage in Shorewall 4.4.26): TC_BITS The number of bits at the low end of the mark to be used for traffic shaping marking. May be zero. 
PROVIDER_BITS
    The number of bits in the mark to be used for provider numbers. May be zero.

PROVIDER_OFFSET
    The offset from the right (low-order end) of the provider number field. If non-zero, must be >= TC_BITS (Shorewall automatically adjusts PROVIDER_OFFSET's value). PROVIDER_OFFSET + PROVIDER_BITS must be <= 32.

MASK_BITS
    Number of bits on the right of the mark to be masked when clearing the traffic shaping mark. Must be >= TC_BITS and <= PROVIDER_OFFSET (if PROVIDER_OFFSET > 0).

In Shorewall 4.4.26, a new option was added:

ZONE_BITS
    Number of bits in the mark to use for automatic zone marking (see the Shorewall Bridge/Firewall HOWTO).

The relationship between these options is shown in this diagram. The default values of these options are determined by the settings of other options as follows:

Default Values

    WIDE_TC_MARKS   HIGH_ROUTE_MARKS   TC_BITS   PROVIDER_BITS   PROVIDER_OFFSET   MASK_BITS
    No              No                 8         8               0                 8
    No              Yes                8         8               8                 8
    Yes             No                 14        8               0                 16
    Yes             Yes                14        8               16                16
The existence of both TC_BITS and MASK_BITS is owed to the way that WIDE_TC_MARKS was originally implemented. Note that TC_BITS is 14 rather than 16 when WIDE_TC_MARKS=Yes. Beginning with Shorewall 4.4.12, the field between MASK_BITS and PROVIDER_OFFSET can be used for any purpose you want. Beginning with Shorewall 4.4.13, the first unused bit on the left is used by Shorewall as an exclusion mark, allowing exclusion in CONTINUE, NONAT and ACCEPT+ rules. Beginning with Shorewall 4.4.26, WIDE_TC_MARKS and HIGH_ROUTE_MARKS are deprecated in favor of the options described above. The shorewall update (shorewall6 update) command will set the above options based on the settings of WIDE_TC_MARKS and HIGH_ROUTE_MARKS. In Shorewall 4.5.4, a TPROXY mark was added for TPROXY support. It is a single bit wide and is to the immediate left of the exclusion mark. The Event Mark bit was added in Shorewall 4.5.19. It is to the immediate left of the TPROXY mark, and it need not fall within the 32-bit mark unless the reset command is used in the IfEvent action.
Shorewall-defined Chains in the Mangle Table

Shorewall creates a set of chains in the mangle table to hold rules defined in your /etc/shorewall/mangle (/etc/shorewall/tcrules) file. As mentioned above, chains are like subroutines in the packet marking programming language. By placing all of your rules in subroutines, CONTINUE (which generates a Netfilter RETURN rule) can be used to stop processing your rules while still allowing following Shorewall-generated rules to be executed.

tcpre
    PREROUTING rules.
tcfor
    FORWARD rules.
tcout
    OUTPUT rules.
tcpost
    POSTROUTING rules.

Shorewall generates jumps to these chains from the built-in chains (PREROUTING, FORWARD, etc.).
An Example

Here's the example (slightly expanded) from the comments at the top of the /etc/shorewall/mangle file.

    #ACTION    SOURCE      DEST        PROTO   DPORT          SPORT   USER   TEST   LENGTH   TOS
    MARK(1)    0.0.0.0/0   0.0.0.0/0   icmp    echo-request                                       #Rule 1
    MARK(1)    0.0.0.0/0   0.0.0.0/0   icmp    echo-reply                                         #Rule 2
    MARK(1)    $FW         0.0.0.0/0   icmp    echo-request                                       #Rule 3
    MARK(1)    $FW         0.0.0.0/0   icmp    echo-reply                                         #Rule 4
    RESTORE    0.0.0.0/0   0.0.0.0/0   all     -              -       -      0                    #Rule 5
    CONTINUE   0.0.0.0/0   0.0.0.0/0   all     -              -       -      !0                   #Rule 6
    MARK(4)    0.0.0.0/0   0.0.0.0/0   ipp2p:all                                                  #Rule 7
    SAVE       0.0.0.0/0   0.0.0.0/0   all     -              -       -      !0                   #Rule 8

Let's take a look at each rule:

1. This straightforward rule simply marks all 'ping' requests passing through the firewall with mark value 1. Note that it does not mark pings that originate on the firewall itself.
2. Similarly, this rule marks 'ping' replies.
3. This rule marks 'ping' requests that originate on the firewall. This rule and the next one are part of the OUTPUT program.
4. Similarly, this rule marks 'ping' replies from the firewall itself.
5. Remember that even though 'ping' packets were marked in one of the first two rules, they are still passed on to rule 5 (note that packets marked by rules 3 and 4 are not processed by this rule since it is in a different program). That rule moves the connection mark to the packet mark, if the packet mark is still zero (note the '0' in the TEST column). Without the '0' in the TEST column, this rule would overwrite the marks assigned in the first two rules.
6. If the packet mark is non-zero (note the '!0' in the TEST column), then exit: the remaining rules will not be executed in this case. The packet mark will be non-zero if this is a 'ping' packet, or if the connection mark restored in rule 5 was non-zero.
7. The packet mark is still zero. This rule checks to see if this is a P2P packet and if it is, the packet mark is set to 4.
8. If the packet mark is non-zero (meaning that it was set to 4 in rule 7), then save the value (4) in the connection. The next time that a packet from this same connection comes through this program, rule 6 will be executed and the P2P check will be avoided.
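To make the walk-through above concrete, here is an added example (not from the Shorewall documentation) that interprets the eight rules with the semantics just described: rules whose SOURCE is $FW form the OUTPUT program and the rest the PREROUTING program, the TEST column gates RESTORE, CONTINUE and SAVE on the current packet mark, and CONTINUE leaves the subroutine. The default masks come from the "Mark and Mask Values" section (0xffff for MARK, 0xff for SAVE and RESTORE). Packets and connections are constructed dictionaries; the ipp2p match is modelled as a boolean flag on the packet, which is an assumption of this example.

```python
# Added example, not from the Shorewall docs: a tiny interpreter for the eight
# mangle rules above, showing how TEST, RESTORE, CONTINUE and SAVE act on the
# packet mark and the connection mark.
FW = "$FW"

# (rule number, ACTION, SOURCE, PROTO, DPORT, TEST) transcribed from the example.
RULES = [
    (1, "MARK(1)", "0.0.0.0/0", "icmp", "echo-request", None),
    (2, "MARK(1)", "0.0.0.0/0", "icmp", "echo-reply", None),
    (3, "MARK(1)", FW, "icmp", "echo-request", None),
    (4, "MARK(1)", FW, "icmp", "echo-reply", None),
    (5, "RESTORE", "0.0.0.0/0", "all", None, "0"),
    (6, "CONTINUE", "0.0.0.0/0", "all", None, "!0"),
    (7, "MARK(4)", "0.0.0.0/0", "ipp2p", "all", None),
    (8, "SAVE", "0.0.0.0/0", "all", None, "!0"),
]


def program_of(source):
    """Rules whose SOURCE is $FW go into the OUTPUT program, the rest into PREROUTING."""
    return "OUTPUT" if source == FW else "PREROUTING"


def rule_matches(rule, pkt, mark):
    """Match SOURCE, PROTO, DPORT and TEST against the packet and its current mark."""
    _, _, source, proto, dport, test = rule
    if source == FW and pkt["source"] != FW:
        return False
    if proto == "ipp2p":                    # ipp2p:all is a payload match; modelled as a flag
        return bool(pkt.get("p2p"))
    if proto != "all" and proto != pkt["proto"]:
        return False
    if dport is not None and dport != pkt.get("dport"):
        return False
    if test is not None:                    # '0' requires mark == 0, '!0' requires mark != 0
        want_zero = not test.startswith("!")
        return (mark == 0) == want_zero
    return True


def run(pkt, conn):
    """Run the program this packet belongs to.

    Returns (packet mark, list of rule numbers executed). conn is a dict
    holding the connection mark; SAVE updates it in place."""
    program = program_of(pkt["source"])
    mark, executed = 0, []
    for rule in RULES:
        number, action, source = rule[0], rule[1], rule[2]
        if program_of(source) != program or not rule_matches(rule, pkt, mark):
            continue
        executed.append(number)
        if action.startswith("MARK("):
            mark = (mark & ~0xFFFF) | int(action[5:-1])          # default mask 0xffff
        elif action == "RESTORE":
            mark = (mark & ~0xFF) | (conn["mark"] & 0xFF)        # default mask 0xff
        elif action == "SAVE":
            conn["mark"] = (conn["mark"] & ~0xFF) | (mark & 0xFF)
        elif action == "CONTINUE":
            break                                                # leave the subroutine
    return mark, executed


if __name__ == "__main__":
    conn = {"mark": 0}
    print(run({"source": "192.168.1.10", "proto": "icmp", "dport": "echo-request"}, {"mark": 0}))
    print(run({"source": "10.0.0.5", "proto": "tcp", "p2p": True}, conn), conn)
    print(run({"source": "10.0.0.5", "proto": "tcp"}, conn))          # later packet, same connection
    print(run({"source": FW, "proto": "icmp", "dport": "echo-request"}, {"mark": 0}))
```

A forwarded ping executes rules 1 and 6 only; the first packet of a P2P connection executes 5, 7 and 8 and leaves 4 in the connection mark; a later packet of that connection executes 5 and 6, so rule 7 is never reached, exactly as step 8 above describes.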
Examining the Marking Programs on a Running System

You can see the mangle (tcrules) entries in action using the shorewall show mangle command. The sample output from that command shown below has the following in /etc/shorewall/providers:

    #NAME   NUMBER   MARK    DUPLICATE   INTERFACE   GATEWAY           OPTIONS         COPY
    Blarg   1        0x100   main        eth3        206.124.146.254   track,balance   br0,eth1

Here is /etc/shorewall/mangle:

    #ACTION           SOURCE            DEST   PROTO   DPORT   SPORT   USER   TEST
    CLASSIFY(1:110)   192.168.0.0/22    eth3                                          #Our internal nets get priority
                                                                                      #over the server
    CLASSIFY(1:130)   206.124.146.177   eth3   tcp     -       873

And here is /etc/shorewall/tcdevices and /etc/shorewall/tcclasses:

    #INTERFACE   IN_BANDWIDTH   OUT_BANDWIDTH
    eth3         1.3mbit        384kbit

    #INTERFACE   MARK   RATE        CEIL        PRIORITY   OPTIONS
    eth3         10     full        full        1          tcp-ack,tos-minimize-delay
    eth3         20     9*full/10   9*full/10   2          default
    eth3         30     6*full/10   6*full/10   3

I've annotated the following output with comments beginning with "<<<<" and ending with ">>>>". This example uses HIGH_ROUTE_MARKS=Yes and TC_EXPERT=No in shorewall.conf.
    gateway:~ # shorewall show mangle
    Shorewall 3.3.2 Mangle Table at gateway - Mon Oct  2 15:07:32 PDT 2006

    Counters reset Mon Oct  2 07:49:52 PDT 2006

    <<<< The PREROUTING Program >>>>

    Chain PREROUTING (policy ACCEPT 409K packets, 122M bytes)
     pkts bytes target     prot opt in     out     source               destination
    <<<< Restore the provider mark from the connection, if any >>>>
     185K   77M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0/0xff00 CONNMARK restore mask 0xff00
    <<<< If there is no mark in the connection and the packet came in on eth3, then jump to the routemark chain.
         This rule is generated as a result of 'track' being specified in the providers file entry for eth3 >>>>
     8804 1396K routemark  all  --  eth3   *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0/0xff00
    <<<< If the packet came in on eth3, jump to the tcpre chain -- packets entering on a 'track'ed interface can have their mark set to zero there >>>>
     102K   52M tcpre      all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
    <<<< Otherwise, jump to the tcpre chain if there is no current provider mark -- if we had TC_EXPERT=Yes, this jump would have been unconditional >>>>
     215K   44M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0/0xff00
    <<<< End of PREROUTING program >>>>

    <<<< INPUT Program -- Shorewall generates the single rule here which turns off the provider mark in the packet after routing.
         The rule does that by logically ANDing the mark value with 0xff which will turn off all but the low-order 8 bits >>>>

    Chain INPUT (policy ACCEPT 98238 packets, 16M bytes)
     pkts bytes target     prot opt in     out     source               destination
    98234   16M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK and 0xff
    <<<< End of INPUT program >>>>

    <<<< FORWARD Program -- Shorewall generates the first rule here which turns off the provider mark in the packet after routing >>>>

    Chain FORWARD (policy ACCEPT 312K packets, 106M bytes)
     pkts bytes target     prot opt in     out     source               destination
     312K  106M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK and 0xff
    <<<< Jump unconditionally to the tcfor chain >>>>
     312K  106M tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    <<<< End of FORWARD program >>>>

    <<<< OUTPUT Program >>>>

    Chain OUTPUT (policy ACCEPT 1462K packets, 396M bytes)
     pkts bytes target     prot opt in     out     source               destination
    <<<< Restore the provider mark from the connection -- this rule was generated by Shorewall because of the 'track' option >>>>
     3339  615K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0/0xff00 CONNMARK restore mask 0xff00
    <<<< If there is no provider mark, then jump to the tcout chain -- if we had TC_EXPERT=Yes, this jump would have been unconditional >>>>
    92747   28M tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0/0xff00
    <<<< End of OUTPUT program >>>>

    <<<< POSTROUTING Program -- Unconditionally jump to the tcpost chain >>>>

    Chain POSTROUTING (policy ACCEPT 407K packets, 135M bytes)
     pkts bytes target     prot opt in     out     source               destination
     407K  135M tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    <<<< End of POSTROUTING program >>>>

    Chain routemark (1 references)
     pkts bytes target     prot opt in     out     source               destination
    <<<< Set connection 'track' mark for packets coming in on eth3 >>>>
     8804 1396K MARK       all  --  eth3   *       0.0.0.0/0            0.0.0.0/0           MARK or 0x100
    <<<< Save any mark added above in the connection mark >>>>
     8804 1396K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xff00 CONNMARK save mask 0xff00

    Chain tcfor (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain tcout (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain tcpost (1 references)
     pkts bytes target     prot opt in     out     source               destination
    <<<< The next two rules are the entries in the /etc/shorewall/mangle file >>>>
    65061   11M CLASSIFY   all  --  *      eth3    192.168.0.0/22       0.0.0.0/0           CLASSIFY set 1:110
     2224 2272K CLASSIFY   tcp  --  *      eth3    206.124.146.177      0.0.0.0/0           tcp spt:873 CLASSIFY set 1:130
    <<<< The following rules are generated by Shorewall and classify the traffic according to the marks in /etc/shorewall/tcclasses >>>>
        0     0 CLASSIFY   all  --  *      eth3    0.0.0.0/0            0.0.0.0/0           MARK match 0xa/0xff CLASSIFY set 1:110
        0     0 CLASSIFY   all  --  *      eth3    0.0.0.0/0            0.0.0.0/0           MARK match 0x14/0xff CLASSIFY set 1:120
        0     0 CLASSIFY   all  --  *      eth3    0.0.0.0/0            0.0.0.0/0           MARK match 0x1e/0xff CLASSIFY set 1:130

    Chain tcpre (2 references)
     pkts bytes target     prot opt in     out     source               destination
    gateway:~ #
Shorewall Requirements

Tom Eastep

2001-2006 Thomas M Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
Shorewall Requires:

- A Linux kernel that supports Netfilter (No, it won't work on BSD or Solaris). I've tested with 2.4.2 - 2.6.16. Check here for kernel configuration information.
- iptables 1.2 or later (but I recommend at least version 1.3.3)
- Iproute (ip and "tc" utilities). The iproute package is included with most distributions but may not be installed by default. The official download site is http://developer.osdl.org/dev/iproute2/download/. Note that the Busybox versions of the iproute2 utilities (ip and tc) do not support all of the features required for advanced Shorewall use.
- A Bourne shell or derivative such as bash or ash. This shell must have correct support for variable expansion formats ${variable%pattern}, ${variable%%pattern}, ${variable#pattern} and ${variable##pattern}. Your shell must produce a sensible result when a number n (128 <= n <= 255) is left shifted by 24 bits. You can check this at a shell prompt by:

      echo $((128 << 24))

  The result must be either 2147483648 or -2147483648.
- The firewall monitoring display is greatly improved if you have awk (gawk) installed.
- On the system where the Shorewall package itself is installed, you must have Perl installed (preferably Perl 5.8.10):
  - If you want to be able to use DNS names in your Shorewall6 configuration files, then Perl 5.10 is required together with the Perl Socket6 module.
  - Perl Cwd Module
  - Perl File::Basename Module
  - Perl File::Temp Module
  - Perl Getopt::Long Module
  - Perl Carp Module
  - Perl FindBin Module
  - Perl Scalar::Util Module
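The shell check above is easy to run by hand; the following added example (not part of the Shorewall documentation or package) automates it so that several candidate shells on a host can be probed for both requirements at once: the four parameter-expansion forms and the 24-bit left shift for n in 128..255. It assumes each shell is reachable at the path passed in and accepts a script via -c.

```python
# Added example (not from the Shorewall docs): probe a shell binary for the two
# requirements listed above, the ${var%pattern}-family expansions and a sane
# result for n << 24 with 128 <= n <= 255. Assumes the shell is at the given path.
import subprocess

# Each expansion is compared with the value POSIX requires for it.
EXPANSION_PROBE = r'''
v=eth0.100.200
[ "${v%.*}" = eth0.100 ] && [ "${v%%.*}" = eth0 ] &&
[ "${v#*.}" = 100.200 ] && [ "${v##*.}" = 200 ] && echo ok
'''


def run_in_shell(shell, script):
    """Run script under `shell -c` and return stripped stdout ('' if it cannot run)."""
    try:
        proc = subprocess.run([shell, "-c", script], capture_output=True,
                              text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout.strip()


def supports_expansions(shell="/bin/sh"):
    """True if all four ${variable%pattern}-style expansions behave correctly."""
    return run_in_shell(shell, EXPANSION_PROBE) == "ok"


def shift_is_sane(shell="/bin/sh", n=128):
    """True when `echo $((n << 24))` prints n*2^24 either unsigned or as a signed 32-bit value."""
    if not 128 <= n <= 255:
        raise ValueError("n must be in 128..255")
    printed = run_in_shell(shell, "echo $((%d << 24))" % n)
    unsigned = n << 24
    return printed in (str(unsigned), str(unsigned - (1 << 32)))


def shell_meets_requirements(shell="/bin/sh"):
    """Combined verdict for the shell Shorewall's generated script would run under."""
    return supports_expansions(shell) and all(shift_is_sane(shell, n) for n in (128, 200, 255))


if __name__ == "__main__":
    for sh in ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash"):
        print(sh, "ok" if shell_meets_requirements(sh) else "missing or inadequate")
```

For n=128 the two accepted outputs are exactly the 2147483648 and -2147483648 given above; the probe also checks two other values in the range so that a shell which happens to get the boundary case right but overflows elsewhere is still reported as inadequate.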
ICMP Echo-request (Ping)

Tom Eastep

2001-2005 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release.

Enabling ping will also enable ICMP-based traceroute. For UDP-based traceroute, see the port information page.
'Ping' Management

In Shorewall, ICMP echo-requests are treated just like any other connection request. In order to accept ping requests from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shorewall/rules of the form:

    #ACTION        SOURCE   DEST   PROTO   DPORT
    Ping(ACCEPT)   z1       z2

Ping from local zone to firewall

To permit ping from the local zone to the firewall:

    #ACTION        SOURCE   DEST   PROTO   DPORT
    Ping(ACCEPT)   loc      $FW

If you would like to accept ping by default even when the relevant policy is DROP or REJECT, copy /usr/share/shorewall/action.Drop or /usr/share/shorewall/action.Reject respectively to /etc/shorewall and simply add this line to the copy:

    Ping(ACCEPT)

With that rule in place, if you want to ignore ping from z1 to z2 then you need a rule of the form:

    #ACTION      SOURCE   DEST   PROTO   DPORT
    Ping(DROP)   z1       z2

Silently drop pings from the Internet

To drop ping from the Internet, you would need this rule in /etc/shorewall/rules:

    #ACTION      SOURCE   DEST   PROTO   DPORT
    Ping(DROP)   net      $FW

Note that the above rule may be used without changing the action files to prevent your log from being flooded by messages generated from remote pinging.
Shorewall Events

Tom Eastep

2013 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.5.19 and later and supersedes this article.
Overview

Shorewall events were introduced in Shorewall 4.5.19 and provide a high-level interface to the Netfilter recent match capability. An event is actually a list of (IP address, timestamp) pairs, and can be tested in a number of different ways:

- Has event E ever occurred for IP address A (is the IP address in the list)?
- Has event E occurred M or more times for IP address A?
- Has event E occurred in the last N seconds for IP address A (is there an entry for the address with a timestamp falling within the last N seconds)?
- Has event E occurred M or more times in the last N seconds for IP address A (are there M or more entries for the address with timestamps falling within the last N seconds)?

The event interface is implemented as three parameterized Shorewall Actions:

SetEvent
    This action initializes an event list for either the source or destination IP address in the current packet. The list will contain a single entry for the address that will have the current timestamp.
ResetEvent
    This action removes all entries for either the source or destination IP address from an event list.
IfEvent
    This action tests an event in one of the ways listed above, and performs an action based on the result.

Events are based on the Netfilter 'recent match' capability which is required for their use. The recent-match kernel component is xt_recent which has two options that are of interest to Shorewall users:

ip_list_tot
    The number of addresses remembered per event. Default is 100.
ip_pkt_list_tot
    The number of packets (event occurrences) remembered per address. Default is 20.

These may be changed when the xt_recent module is loaded or on the kernel bootloader command line.
Details

Because these are parameterized actions, optional parameters may be omitted. Trailing omitted parameters may be omitted entirely while embedded omitted parameters are represented by a hyphen ("-").

Each event is given a name. Event names:

- Must begin with a letter.
- May be composed of letters, digits, hyphens ('-') or underscores ('_').
- May be at most 29 characters in length.
SetEvent

SetEvent( event, [ action ], [ src-dst ], [ disposition ] )

event
    Name of the event.
action
    An action to perform after the event is initialized. May be any action that may appear in the ACTION column of shorewall-rules (5). If no action is to be performed, use COUNT.
src-dst
    Specifies whether the source IP address (src) or destination IP address (dst) is to be added to the event. The default is src.
disposition
    If the action involves logging, then this parameter specifies the disposition that will appear in the log entry prefix. If no disposition is given, the log prefix is determined normally. The default is ACCEPT.
ResetEvent

ResetEvent( event, [ action ], [ src-dst ], [ disposition ] )

event
    Name of the event.
action
    An action to perform after the event is reset. May be any action that may appear in the ACTION column of shorewall-rules (5). If no action is to be performed, use COUNT. The default is ACCEPT.
src-dst
    Specifies whether the source IP address (src) or destination IP address (dst) is to be removed from the event. The default is src.
disposition
    If the action involves logging, then this parameter specifies the disposition that will appear in the log entry prefix. If no disposition is given, the log prefix is determined normally.
IfEvent

IfEvent( event, [ action ], [ duration ], [ hitcount ], [ src-dst ], [ command[:option]... ], [ disposition ] )

event
    Name of the event.
action
    An action to perform if the test succeeds. May be any action that may appear in the ACTION column of shorewall-rules (5). The default is ACCEPT.
duration
    Number of seconds over which the event is to be tested. If not specified, the test is not constrained by time.
hitcount
    Specifies the minimum number of packets required for the test to succeed. If not specified, 1 packet is assumed.
src-dst
    Specifies whether the source IP address (src) or destination IP address (dst) is to be tested. The default is src.
command
    May be one of the following:

    check
        Simply test if the duration/hitcount test is satisfied. If so, the action is performed.
    reset
        Like check. If the test succeeds, the event will be reset before the action is taken. Requires the Mark in filter table capability in your kernel and iptables.
    update
        Like check. Regardless of whether the test succeeds, an entry with the current time and for the src-dst IP address will be added to the event.

    The default is check.

    option may be one of:

    reap
        Regardless of whether the test succeeds, entries for the src-dst IP address that are older than duration seconds will be deleted from the event.
    ttl
        Constrains the test to require that the packet TTL match the ttl in the original packet that created the entry.
disposition
    If the action involves logging, then this parameter specifies the disposition that will appear in the log entry prefix. If no disposition is given, the log prefix is determined normally.
'show event' and 'show events' Commands

The CLI programs (/sbin/shorewall, /sbin/shorewall-lite, etc.) support show event and show events commands. The show event command shows the contents of the events listed in the command while show events lists the contents of all events.

    root@gateway:~# shorewall show events
    Shorewall 4.5.19-Beta2 events at gateway - Sat Jul 13 07:17:59 PDT 2013

    SSH
       src=75.101.251.91 : 2225.808, 2225.592
       src=218.87.16.135 : 2078.490
    SSH_COUNTER
       src=65.182.111.112 : 5755.790
       src=113.162.155.243 : 4678.249
    sticky001
       src=172.20.1.146 : 5.733, 5.728, 5.623, 5.611, 5.606, 5.606, 5.589, 5.588, 5.565, 5.551, 5.543, 5.521, 5.377, 5.347, 5.347, 5.345, 5.258, 5.148, 5.048, 4.949
       src=172.20.1.151 : 41.805, 41.800
    sticky002
       src=172.20.1.213 : 98.122, 98.105, 98.105, 98.105, 98.088, 98.088, 98.088, 98.088, 98.058, 98.058, 80.885, 53.528, 53.526, 53.526, 53.510, 53.383, 53.194, 53.138, 53.072, 3.119
       src=172.20.1.146 : 4.914, 4.914, 4.898, 4.897, 4.897, 4.896, 4.896, 4.896, 4.882, 4.881, 4.875, 4.875, 4.875, 4.875, 4.875, 4.875, 4.875, 4.874, 4.874, 4.874
    root@gateway:~#

The SSH and SSH_COUNTER events are created using the following Automatic Blacklisting example. The sticky001 and sticky002 events are created by the SAME rule action. Each line represents one event. The list of numbers following the ':' represents the number of seconds ago that a matching packet triggered the event. The numbers are in chronological sequence, so in this event, there were 20 packets from 172.20.1.146 that arrived between 5.733 and 4.949 seconds ago:

    sticky001
       src=172.20.1.146 : 5.733, 5.728, 5.623, 5.611, 5.606, 5.606, 5.589, 5.588, 5.565, 5.551, 5.543, 5.521, 5.377, 5.347, 5.347, 5.345, 5.258, 5.148, 5.048, 4.949

Note that there may have been earlier packets that also matched, but the system where this example was captured used the default value of the ip_pkt_list_tot xt_recent option (20).
The output of these commands is produced by processing the contents of /proc/net/xt_recent/*. You can access those files directly to see the raw data. The raw times are the uptime in milliseconds. The %CURRENTTIME entry is created by the show event[s] commands to obtain the current uptime.
Examples
Automatic Blacklisting

This example is for ssh, but it can be adapted for any application. The name SSH has been changed to SSHLIMIT so as not to override the Shorewall macro of the same name.

/etc/shorewall/actions:

    #ACTION          OPTION   DESCRIPTION
    SSHLIMIT                  #Automatically blacklist hosts who exceed SSH connection limits
    SSH_BLACKLIST             #Helper for SSHLIMIT

/etc/shorewall/action.SSH_BLACKLIST:

    #
    # Shorewall version 4 - SSH_BLACKLIST Action
    #
    ?format 2
    ###############################################################################
    #TARGET                              SOURCE   DEST   PROTO   DPORT   SPORT
    #
    # Log the Reject
    #
    LOG:warn:REJECT
    #
    # And set the SSH_COUNTER event for the SOURCE IP address
    #
    SetEvent(SSH_COUNTER,REJECT,src)

/etc/shorewall/action.SSHLIMIT:

    #
    # Shorewall version 4 - SSHLIMIT Action
    #
    ?format 2
    ###############################################################################
    #TARGET                                           SOURCE   DEST   PROTO   DPORT   SPORT
    #
    # Silently reject the client if blacklisted
    #
    IfEvent(SSH_COUNTER,REJECT,300,1)
    #
    # Blacklist if 5 attempts in the last minute
    #
    IfEvent(SSH,SSH_BLACKLIST,60,5,src,check:reap)
    #
    # Log and reject if the client has tried to connect
    # in the last two seconds
    #
    IfEvent(SSH,REJECT:warn:,2,1,-,update,Added)
    #
    # Un-blacklist the client
    #
    ResetEvent(SSH_COUNTER,LOG:warn,-,Removed)
    #
    # Set the 'SSH' EVENT and accept the connection
    #
    SetEvent(SSH,ACCEPT,src)

/etc/shorewall/rules:

    #ACTION    SOURCE   DEST   PROTO   DPORT
    SSHLIMIT   net      $FW    tcp     22

The technique demonstrated in this example is not self-cleaning. The SSH_COUNTER event can become full with blacklisted addresses that never attempt to connect again. When that happens and a new entry is added via SetEvent, the least recently seen address in the table is deleted.
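The following added example is not Shorewall code: it models an xt_recent list with the SetEvent, ResetEvent and IfEvent semantics given in the Details section (including the reap option, the update command, ip_pkt_list_tot truncation and the least-recently-seen eviction described in the note above) and then runs a constructed sequence of connection attempts from one client through the SSHLIMIT action rule by rule. SetEvent is modelled exactly as the text states (the address ends up with a single current-time entry), the update command is modelled as appending a timestamp for an address already in the list, and all timestamps are plain numbers, so the scenario runs offline.

```python
# Added example, not Shorewall code: a model of an xt_recent list (a Shorewall
# "event") with the SetEvent / ResetEvent / IfEvent semantics described above,
# used to walk a constructed sequence of SSH attempts through the SSHLIMIT action.
from collections import OrderedDict


class Event:
    """One xt_recent list: per-address timestamps, oldest first; addresses LRU-ordered."""

    def __init__(self, name, ip_list_tot=100, ip_pkt_list_tot=20):
        self.name = name
        self.ip_list_tot = ip_list_tot          # addresses remembered per event
        self.ip_pkt_list_tot = ip_pkt_list_tot  # timestamps remembered per address
        self.addrs = OrderedDict()              # addr -> [timestamps]

    def set(self, addr, now):
        """SetEvent: the address now has a single entry carrying the current time."""
        self.addrs.pop(addr, None)
        if len(self.addrs) >= self.ip_list_tot:
            self.addrs.popitem(last=False)      # evict the least recently seen address
        self.addrs[addr] = [now]

    def reset(self, addr):
        """ResetEvent: forget every entry for the address."""
        self.addrs.pop(addr, None)

    def test(self, addr, now, duration=None, hitcount=1, command="check", reap=False):
        """IfEvent: True if >= hitcount entries fall within the last `duration` seconds.

        command is 'check', 'update' (also record this packet) or 'reset' (clear the
        address on success); reap first drops entries older than duration."""
        stamps = self.addrs.get(addr)
        if stamps is None:
            return False
        if reap and duration is not None:
            stamps[:] = [t for t in stamps if now - t <= duration]
        recent = stamps if duration is None else [t for t in stamps if now - t <= duration]
        hit = len(recent) >= hitcount
        if command == "update":                 # assumption: appends for known addresses
            stamps.append(now)
            del stamps[:-self.ip_pkt_list_tot]  # oldest occurrences fall off the list
            self.addrs.move_to_end(addr)
        elif command == "reset" and hit:
            self.reset(addr)
        return hit


def sshlimit(ssh, counter, addr, now):
    """Run the SSHLIMIT action's rules in order for one packet; return the outcome."""
    # IfEvent(SSH_COUNTER,REJECT,300,1): silently reject if blacklisted
    if counter.test(addr, now, duration=300, hitcount=1):
        return "REJECT"
    # IfEvent(SSH,SSH_BLACKLIST,60,5,src,check:reap): 5 hits in 60s -> SSH_BLACKLIST
    if ssh.test(addr, now, duration=60, hitcount=5, reap=True):
        counter.set(addr, now)                  # SetEvent(SSH_COUNTER,REJECT,src)
        return "REJECT:blacklisted"
    # IfEvent(SSH,REJECT:warn:,2,1,-,update,Added): a retry within 2s is rejected
    if ssh.test(addr, now, duration=2, hitcount=1, command="update"):
        return "REJECT:Added"
    counter.reset(addr)                         # ResetEvent(SSH_COUNTER,LOG:warn,-,Removed)
    ssh.set(addr, now)                          # SetEvent(SSH,ACCEPT,src)
    return "ACCEPT"


def simulate(attempt_times, addr="203.0.113.7"):
    """Constructed scenario: one client connecting at the given uptimes (seconds)."""
    ssh, counter = Event("SSH"), Event("SSH_COUNTER")
    return [sshlimit(ssh, counter, addr, t) for t in attempt_times]


if __name__ == "__main__":
    times = [0, 1, 1.5, 2, 2.5, 3, 4, 400]
    for t, verdict in zip(times, simulate(times)):
        print("t=%6.1f  %s" % (t, verdict))
```

In the scenario, the first attempt is accepted, four rapid retries are rejected with the "Added" log prefix while the update command accumulates timestamps, the sixth attempt trips the five-in-60-seconds test and is blacklisted, a further attempt is silently rejected, and an attempt 300 seconds later is accepted again, with the reap option having cleared the stale SSH entries.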
Generalized Automatic Blacklisting

The above two actions are generalized in the AutoBL and AutoBLL actions released in Shorewall 4.5.19. Only AutoBL is invoked directly from your rules file; AutoBL invokes AutoBLL internally.
AutoBL

AutoBL( event, [ interval ], [ hitcount ], [ successive ], [ blacklist-time ], [ disposition ], [ log_level ] )

event
    Name of the event. The blacklisting event itself will be event_BL (analogous to SSH_COUNTER above).
interval
    Interval, in seconds, over which hits are to be counted. Default is 60 seconds.
hitcount
    Number of matching packets that will trigger automatic blacklisting when they arrive in interval seconds. Default is 5.
successive
    If a matching packet arrives within this many seconds of the preceding one, it should be logged according to log_level and handled according to the disposition. If successive packets are not to be considered, enter 0. Default is 2 seconds.
blacklist-time
    Time, in seconds, that the source IP address is to be blacklisted. Default is 300 (5 minutes).
disposition
    The disposition of blacklisted packets. Default is DROP.
log_level
    Log level at which packets are to be logged. Default is info.

To duplicate the SSHLIMIT entry in /etc/shorewall/rules shown above:

    #ACTION                          SOURCE   DEST   PROTO   DPORT
    AutoBL(SSH,-,-,-,REJECT,warn)\
                                     net      $FW    tcp     22
Port Knocking

This example shows a different implementation of the one shown in the Port Knocking article. In this example:

- Attempting to connect to port 1600 enables SSH access.
- Access is enabled for 60 seconds.
- Attempting to connect to port 1601 disables SSH access (note that in the article linked above, attempting to connect to port 1599 also disables access. This is a port scan defence as explained in the article).

To implement that approach:

/etc/shorewall/actions:

    #ACTION   OPTION   DESCRIPTION
    Knock              #Port Knocking

/etc/shorewall/action.Knock:

    #
    # Shorewall version 4 - Port-Knocking Action
    #
    ?format 2
    ###############################################################################
    #ACTION                                    SOURCE   DEST   PROTO   DPORT
    IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
                                               -        -      tcp     22
    SetEvent(SSH,ACCEPT)                       -        -      tcp     1600
    ResetEvent(SSH,DROP:info)

/etc/shorewall/rules:

    #ACTION   SOURCE   DEST   PROTO   DPORT
    Knock     net      $FW    tcp     22,1599-1601
Stateful Port Knocking (knock with a sequence of ports)

Gerhard Wiesinger has contributed a Perl module that allows you to define port-knocking sequences. Download the module and copy it into your site_perl directory.

Using Gerhard's module, a port-knocking rule is defined via a '?PERL' statement. This example opens the SSH port from net->fw using the knock sequence 52245, 15623, 19845:

    ?BEGIN PERL
    use KnockEnhanced;
    KnockEnhanced 'net', '$FW', {name => 'SSH1', log_level => 3, proto => 'tcp', target => 'ssh', knocker => [52245,15623,19845]};
    ?END PERL

A few notes on the parameters:

- The first parameter is the rule SOURCE.
- The second parameter is the rule DEST.
- The third parameter is a Perl hash reference that defines the remaining parameters. Each parameter is specified via param => value.
  - proto is the protocol -- if not specified, the default is tcp.
  - seconds is the timeout between successive events -- default is 60 seconds.
  - original_dest is the rule ORIGDEST.
  - target is the port(s) that you are trying to open. May either be a single name or number, or it may be a list of names and/or numbers separated by commas and enclosed in square brackets ("[...]").
  - name is a name used as the base for event and chain names. If not supplied, the first target is used, in which case the first target must be a port name.
  - log_level specifies logging for the generated rules.
- Port names and numbers may be optionally followed by a colon (":") and a protocol name or number to override the specified protocol.

The module itself contains additional examples of its usage.
Shorewall and Ipsets

Tom Eastep

2005, 2008, 2010, 2015, 2017 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.4 and later. If you are running a version of Shorewall earlier than Shorewall 4.4.0 then please see the documentation appropriate for your version.
What are Ipsets?

Ipsets are an extension to Netfilter/iptables that are available in xtables-addons if they are not available in your current distribution. Instructions for installing xtables-addons may be found in the Dynamic Zones article. Note that xtables-addons might not be required with the 'ipset' package provided by your distribution. See also the section capabilities in the configuration file basics article and the Shorecap program.

Ipset allows you to create one or more named sets of addresses then use those sets to define Netfilter/iptables rules. Possible uses of ipsets include:

- Blacklists. Ipsets provide an efficient way to represent large sets of addresses and you can maintain the lists without the need to restart or even refresh your Shorewall configuration.
- Zone definition. Using the /etc/shorewall/hosts file, you can define a zone based on the (dynamic) contents of an ipset. Again, you can then add or delete addresses to the ipset without restarting Shorewall.

See the ipsets site (URL above) for additional information about ipsets.
Shorewall Support for Ipsets

Support for ipsets was introduced in Shorewall version 2.3.0. In most places where a host or network address may be used, you may also use the name of an ipset prefaced by "+". Example: "+Mirrors"

When using Shorewall, the names of ipsets are restricted as follows:

- They must begin with a letter (after the '+').
- They must be composed of letters, digits, dashes ("-") or underscores ("_").

To generate a negative match, prefix the "+" with "!" as in "!+Mirrors".

Example 1: Blacklist all hosts in an ipset named "blacklist"

/etc/shorewall/blrules

    #ACTION   SOURCE           DEST   PROTO   DPORT
    DROP      net:+blacklist

Example 2: Allow SSH from all hosts in an ipset named "sshok"

/etc/shorewall/rules

    #ACTION   SOURCE       DEST   PROTO   DPORT
    ACCEPT    net:+sshok   $FW    tcp     22

The name of the ipset can be optionally followed by a comma-separated list of flags enclosed in square brackets ([...]). Each flag is either src or dst and specifies whether it is the SOURCE address or port number or the DESTINATION address or port number that should be matched. The number of flags must be appropriate for the type of ipset. If no flags are given, Shorewall assumes that the set takes a single flag and will select the flag based on the context. For example, in the blacklist file and when the ipset appears in the SOURCE column of the rules file, src is assumed. If the ipset appears in the DEST column of the rules file, dst is assumed. Note that by using [dst] in the blacklist file, you can coerce the rule into matching the destination IP address rather than the source.

Beginning with Shorewall 4.4.14, multiple source or destination matches may be specified by placing multiple set names in '+[...]' (e.g., +[myset,myotherset]). When so enclosed, the set names need not be prefixed with a plus sign.

Shorewall can save/restore your ipset contents with certain restrictions:

- You must set SAVE_IPSETS=Yes in shorewall.conf (5).
- You must have at least one entry in the other configuration files that uses an ipset.
- You cannot use an ipset in shorewall-stoppedrules (5) (shorewall-routestopped (5)).
- The restore command cannot restore ipset contents saved by the save command unless the firewall is first stopped.

Beginning with Shorewall 4.6.4, you can save selective ipsets by setting SAVE_IPSETS to a comma-separated list of ipset names. You can also restrict the group of sets saved to ipv4 sets by setting SAVE_IPSETS=ipv4. With Shorewall 4.6.4, the SAVE_IPSETS option may specify a list of ipsets to be saved. When such a list is specified, only those ipsets together with the ipsets supporting dynamic zones are saved. Shorewall6 support for the SAVE_IPSETS option was also added in 4.6.4. When SAVE_IPSETS=Yes in shorewall6.conf(5), only ipv6 ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in shorewall.conf(5), then only ipv4 ipsets are saved. Both features require ipset version 5 or later.

Although Shorewall can save the definition of your ipsets and restore them when Shorewall starts, in most cases you must use the ipset utility to initially create and load your ipsets. The exception is that Shorewall will automatically create an empty iphash ipset to back each dynamic zone.
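As an added example (not Shorewall code), the following parser accepts the ipset notation described above as it appears in a SOURCE or DEST column: an optional zone prefix, an optional leading "!" for a negative match, "+name" with optional "[src,dst]" flags, and the Shorewall 4.4.14 multi-set form "+[a,b]". It enforces the naming rules from this section and fills in the default flag from the column the reference appears in. The 29-character limit, the zone-prefix handling and the error messages are assumptions of this example rather than something the page states.

```python
# Added example (not Shorewall code): parse the ipset references accepted in
# SOURCE/DEST columns as described above and apply the naming/flag rules.
import re

# A set name starts with a letter and contains letters, digits, '-' or '_';
# optional [flags] may follow. The leading '+' is optional inside '+[...]'.
ITEM_RE = re.compile(r"\+?([A-Za-z][A-Za-z0-9_-]*)(?:\[([^\]]*)\])?")
ZONE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*):(.+)$")   # assumption: zone prefix form


def parse_ipset_ref(text, column):
    """Parse one column value. Returns {'zone', 'negated', 'sets': [(name, flags)]}.

    column is 'SOURCE' or 'DEST' and supplies the default flag when none is given.
    Raises ValueError for anything that is not a well-formed ipset reference."""
    zone = None
    zm = ZONE_RE.match(text)
    if zm:
        zone, text = zm.groups()
    negated = text.startswith("!")
    body = text[1:] if negated else text
    if not body.startswith("+"):
        raise ValueError("not an ipset reference: %r" % text)
    default_flags = ["src" if column == "SOURCE" else "dst"]

    if body.startswith("+["):                   # multi-set form, Shorewall 4.4.14+
        if not body.endswith("]"):
            raise ValueError("unterminated '+[' in %r" % text)
        inner = body[2:-1]
        items = list(ITEM_RE.finditer(inner))
        # Every character except the separating commas must belong to some item.
        if not items or "".join(m.group(0) for m in items) != inner.replace(",", ""):
            raise ValueError("bad set list in %r" % text)
    else:
        m = ITEM_RE.fullmatch(body)
        if not m:
            raise ValueError("bad ipset name in %r" % text)
        items = [m]

    sets = []
    for m in items:
        name, flag_text = m.group(1), m.group(2)
        if len(name) > 29:                      # assumption: mirrors the event-name limit
            raise ValueError("ipset name too long: %r" % name)
        flags = flag_text.split(",") if flag_text else list(default_flags)
        if any(f not in ("src", "dst") for f in flags):
            raise ValueError("flags must be src or dst in %r" % text)
        sets.append((name, flags))
    return {"zone": zone, "negated": negated, "sets": sets}


if __name__ == "__main__":
    for col, value in (("SOURCE", "net:+blacklist"), ("DEST", "!+Mirrors"),
                       ("SOURCE", "+[myset,myotherset]"), ("SOURCE", "+hosts[src,dst]")):
        print(col, value, "->", parse_ipset_ref(value, col))
```

The two examples from this section parse as a source match on the blacklist set and a negated destination match on Mirrors; a name such as "+1bad", which breaks the begin-with-a-letter rule, is rejected.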
Shorewall6 and Shorewall-init Support for Ipsets

Ipset support in Shorewall6 was added in Shorewall 4.4.21. Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in shorewall6-conf(5). When set to Yes, the ipv6 ipsets will be saved. You can also save selective ipsets by setting SAVE_IPSETS to a comma-separated list of ipset names. Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in shorewall.conf(5) won't work correctly because it saves both IPv4 and IPv6 ipsets. To work around this issue, Shorewall-init is capable of restoring ipset contents during 'start' and saving them during 'stop'. To direct Shorewall-init to save/restore ipset contents, set the SAVE_IPSETS option in /etc/sysconfig/shorewall-init (/etc/default/shorewall-init on Debian and derivatives). The value of the option is a file name where the contents of the ipsets will be saved to and restored from. Shorewall-init will create any necessary directories during the first 'save' operation. If you configure Shorewall-init to save/restore ipsets, be sure to set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf. Conversely, if you configure SAVE_IPSETS in shorewall.conf(5) and/or shorewall6.conf(5), do not set SAVE_IPSETS in shorewall-init.
Shorewall Setup Guide (French version of the Shorewall Setup Guide)

Tom Eastep. Fabien Demassieux, initial French translation. Guy Marcenac, French adaptation for version 3.0. 2002-2006 Thomas M. Eastep, Fabien Demassieux, Guy Marcenac. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. A French translation of the license can be found in the section "Licence de Documentation Libre GNU". That paragraph is a French translation provided to aid understanding; only the original English text below sets the conditions of use of this documentation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

Translator's notes: The initial translation was done by Fabien Demassieux. I revised it to adapt it to Shorewall version 3. If you find errors or improvements to be made, you can contact me. This article applies to Shorewall 3.0 and later. If you are running an earlier version of Shorewall, refer to the documentation for your version.
Introduction

This guide is intended for users who are configuring Shorewall in an environment where a set of public IP addresses must be handled, as well as for those who want to know more about Shorewall than the guides for a single public IP address cover. Because the scope is so broad, this guide gives you general guidelines to follow and points you to other resources where necessary. Shorewall requires that the iproute/iproute2 package be installed (on the RedHat distribution, the package is called iproute). You can check that the package is installed by verifying that the ip program is present on your firewall. As root, you can use the which command to do so:

[root@gateway root]# which ip
/sbin/ip
[root@gateway root]#

I recommend that you first read the whole guide to become familiar with the concepts involved, then read it again and only then apply your configuration changes. The points where changes are required are marked. If you edit your configuration files on a Windows system, you must save them as Unix files if your editor supports that option; otherwise you must run them through dos2unix before trying to use them. Likewise, if you copy a configuration file from your Windows hard disk to a floppy, you must run dos2unix on the copy before using it with Shorewall. Windows version of dos2unix. Linux version of dos2unix.
Shorewall Concepts

Shorewall's configuration files are located in the /etc/shorewall directory; for simple setups you will only have to deal with a few of them, as described in this guide. Skeleton files are created during the Shorewall installation procedure.

Note to Debian users: if you install from the .deb, you will find that your /etc/shorewall directory is empty. This is intentional. The skeleton configuration files are on your system in /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory into /etc/shorewall, then modify the copies. Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf and /usr/share/doc/shorewall/default-config/modules into /etc/shorewall even if you do not modify those files.

As each file is introduced, I suggest you look at the one actually present on your system; each file contains detailed configuration instructions and default entries. Shorewall views the network where it runs as being made up of a set of zones. In this guide we will use the following zones:
- fw: the firewall itself.
- net: the public internet.
- loc: a private local network using private IP addresses.
- dmz: a demilitarized zone (DMZ) holding the publicly accessible servers.

Zones are defined in /etc/shorewall/zones. The /etc/shorewall/zones file shipped with the distribution is empty. You can create the standard set of zones described above by copying and pasting the following into the file:

#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

Note that Shorewall also recognizes the firewall system as its own zone; the example above follows the convention of naming the firewall zone fw.
The name of the firewall zone (fw in the example above) is stored in the shell variable $FW when /etc/shorewall/zones is processed. Apart from the name given to the firewall zone, Shorewall attaches no meaning to zone names. Zones are entirely what YOU make of them. This means you should not expect Shorewall to do anything special because "this is the internet zone" or because "this is the DMZ". Edit /etc/shorewall/zones and make the changes you need.

The rules about which traffic to allow or deny are expressed in terms of zones. You express the default policies between one zone and another in /etc/shorewall/policy. You define the exceptions to those default policies in /etc/shorewall/rules. Shorewall is built on the Netfilter kernel packet-filtering facility. Netfilter provides a connection-tracking function that allows stateful inspection of packets. That capability allows firewall rules to be defined in terms of connections rather than in terms of packets. With Shorewall, you:
- identify the source (client) zone;
- identify the destination (server) zone;
- if the policy from the client zone to the server zone is what you want for this client/server pair, you have nothing more to do;
- if the policy is not what you want, you must add a rule. That rule is expressed in terms of the client zone and the server zone.

Allowing connections of a certain type from zone A to the firewall and from the firewall to zone B does NOT mean that those connections are allowed from zone A to zone B (in other words, connections involving the firewall zone are not transitive). For each connection request that reaches the firewall, the request is first checked against /etc/shorewall/rules.
If no rule in that file matches the connection request, then the first policy in /etc/shorewall/policy that matches is applied. If a default action is defined for that policy in /etc/shorewall/actions or in /usr/share/shorewall/actions.std, that common action is executed before the action specified in /etc/shorewall/rules is applied. Before Shorewall 2.2.0, /etc/shorewall/policy had the following policies:

#SOURCE ZONE   DESTINATION ZONE   POLICY   LOG        LIMIT:BURST
#                                          LEVEL
fw             net                ACCEPT
net            all                DROP     info
all            all                REJECT   info

The policy file currently distributed is empty. You can copy and paste the entries above into it as a starting point, then adapt them to your own policies. The policies above will:
- ACCEPT all connection requests from your local network to the internet;
- DROP all connection attempts from the internet to the firewall or to your local network and log a message at the info level (a description of log levels is given here);
- REJECT all other connection requests and generate an info-level log message. When a request is rejected and the protocol is TCP, the firewall returns an RST packet. For all other protocols, when a request is rejected the firewall returns an ICMP port-unreachable packet.

Now edit your /etc/shorewall/policy and make whatever changes you wish.
Network Interfaces

In the rest of this guide we refer to the diagram below. Although it may not match your own network, it can be used to illustrate the important aspects of Shorewall configuration. In the diagram:
- The DMZ zone consists of the systems DMZ 1 and DMZ 2. A DMZ is used to isolate your internet-accessible servers from your local systems, so that if one of the DMZ servers is compromised, you still have a firewall between the compromised system and your local systems.
- The local zone consists of the systems Local 1, Local 2 and Local 3.
- All systems outside the firewall, including those of your ISP, are in the internet zone.

The simplest way to define zones is to associate the zone name (defined earlier in /etc/shorewall/zones) with a network interface. This is done in /etc/shorewall/interfaces. The firewall illustrated above has three network interfaces. When the internet connection goes through a cable or ADSL modem, the external interface will be the ethernet adapter connected to that modem (for example eth0). If, however, you connect with PPPoE (Point-to-Point Protocol over Ethernet) or with PPTP (Point-to-Point Tunneling Protocol), the external interface will be a ppp interface (for example ppp0). If you connect with a plain dial-up modem, your external interface will also be ppp0. If you connect using ISDN, your external interface will be ippp0. If your external interface is ppp0 or ippp0, set CLAMPMSS=yes in /etc/shorewall/shorewall.conf. Your local interface will be an ethernet adapter (eth0, eth1 or eth2) connected to a hub or switch. Your local computers will be connected to that same hub or switch (note: if you have only one local computer, you can connect it directly to the firewall with a crossover cable).
Your DMZ interface will also be an ethernet adapter (eth0, eth1 or eth2) connected to a hub or switch. Your DMZ computers will be connected to that same hub or switch (note: if you have only one computer in the DMZ, you can connect it directly to the firewall with a crossover cable). Do not connect the internal and external interfaces to the same hub or switch, except for testing. You can test with that kind of configuration if you specify the arp_filter option or the arp_ignore option in /etc/shorewall/interfaces for every interface connected to the shared hub/switch. Using such a configuration with a production firewall is very strongly discouraged. In what follows, we assume that:
- the external interface is eth0;
- the local interface is eth1;
- the DMZ interface is eth2.

Shorewall's default configuration defines the contents of no zone. To define the configuration shown above, /etc/shorewall/interfaces must contain:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      rfc1918
loc     eth1        detect
dmz     eth2        detect

Note that the $FW zone has no entry in /etc/shorewall/interfaces. Edit /etc/shorewall/interfaces. Define your firewall's network interfaces and associate each of them with a zone. If you have a zone that is connected through more than one interface, simply include one entry per interface and repeat the zone name as many times as necessary.

Multiple interfaces associated with one zone:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      rfc1918
loc     eth1        detect
loc     eth2        detect

You can define more complicated zones using /etc/shorewall/hosts, but in most cases this will not be necessary. You will find examples in Shorewall_and_Aliased_Interfaces.html and Multiple_Zones.html.
Addressing, Subnets and Routing

Normally, your ISP assigns you a set of public IP addresses. You will use one of those addresses to configure your firewall's external interface. You will then decide how to use the rest of your addresses. Before tackling that, some background is needed. If you are already familiar with IP addressing and routing, you can skip straight to the next section. The presentation that follows only scratches the surface of addressing and routing. If you want to learn more about IP addressing and routing, I recommend IP Fundamentals: What Everyone Needs to Know about Addressing & Routing, Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0 (link).
IP Addressing

IP version 4 (IPv4) addresses are 32 bits wide. The notation w.x.y.z refers to an address whose high-order octet has the value w, the next octet the value x, and so on. If we take the address 192.0.2.14 and express it in hexadecimal, we get C0.00.02.0E, and if we look at it as a 32-bit integer we have C000020E.
Subnets

You will still hear today the terms Class A network, Class B network and Class C network. Early in the life of IP, networks came in only three sizes (there were also Class D networks, but they were used differently):
- Class A: subnet mask 255.0.0.0, size = 2 ** 24
- Class B: subnet mask 255.255.0.0, size = 2 ** 16
- Class C: subnet mask 255.255.255.0, size = 256

A network's class was uniquely determined by the value of the high-order octet of its address, so by looking at an IP address you could immediately determine the netmask. The netmask is a number which, when ANDed with an address, isolates the address of the network to which that address belongs. The remainder of the address is the host number. For example, in the Class C address 192.0.2.14, the hexadecimal value of the network address is C00002 and the host number is 0E. As the internet grew, it became clear that such a coarse partitioning of the 32-bit address space was going to be very limiting (early on, large companies and universities had already been assigned their own Class A networks!). After a few false starts, the current technique of subnetting those networks into smaller subnetworks evolved. That technique is referred to as Classless InterDomain Routing (CIDR). Today, the systems you work with are probably CIDR-capable. Class-based networking is a thing of the past. A subnet (or subnetwork) is a contiguous set of IP addresses such that:
- the number of addresses in the set is a power of 2;
- the first address in the set is a multiple of the set size;
- the first address of the subnet is reserved and is referred to as the subnet address;
- the last address of the subnet is reserved as the subnet's broadcast address.

As you can see from this definition, in each subnet of size n there are (n - 2) usable addresses (addresses that can be assigned to a host). The first and last addresses of the subnet are used for the subnet address and the subnet broadcast address respectively. As a consequence, small subnets are more wasteful of IP addresses than larger ones. Since n is a power of two, we can easily compute the base-2 logarithm of n (log2). The size and base-2 logarithm for the most common subnet sizes are given in the following table:

Base 2 logarithms
    n     log2 n   (32 - log2 n)
    8        3          29
   16        4          28
   32        5          27
   64        6          26
  128        7          25
  256        8          24
  512        9          23
 1024       10          22
 2048       11          21
 4096       12          20
 8192       13          19
16384       14          18
32768       15          17
65536       16          16
You will notice that the table above also contains a column (32 - log2 n). That number is the Variable Length Subnet Mask (VLSM) for a subnet of size n. From the table above we can derive the following one, which is easier to use.

VLSM
Subnet size   VLSM   Subnet mask
8             /29    255.255.255.248
16            /28    255.255.255.240
32            /27    255.255.255.224
64            /26    255.255.255.192
128           /25    255.255.255.128
256           /24    255.255.255.0
512           /23    255.255.254.0
1024          /22    255.255.252.0
2048          /21    255.255.248.0
4096          /20    255.255.240.0
8192          /19    255.255.224.0
16384         /18    255.255.192.0
32768         /17    255.255.128.0
65536         /16    255.255.0.0
2 ** 24       /8     255.0.0.0
Note that the VLSM is written with a slash (/); you will often hear a network of size 64 called a "slash 26" and one of size 8 a "slash 29". The subnet mask is simply a 32-bit number whose first VLSM bits are set to 1 and whose remaining bits are 0. For example, for a subnet of size 64, the subnet mask begins with 26 one bits:

11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 = 255.255.255.192

The subnet mask has the following property: if you AND the subnet mask with an address in the subnet, the result is the subnet address. Just as important, if you AND the subnet mask with an address outside the subnet, the result is NOT the subnet address. As we will see later, this property of the subnet mask is very important for routing. For a subnet whose address is a.b.c.d and whose VLSM is /v, we write the subnet as a.b.c.d/v using CIDR notation. An example subnet:

Subnet:           10.10.10.0 - 10.10.10.127
Subnet size:      128
Subnet address:   10.10.10.0
Broadcast address: 10.10.10.127
CIDR notation:    10.10.10.0/25
There are two degenerate subnets that must be mentioned: the subnet with a single member and the subnet with 2 ** 32 members.

/32 and /0
Subnet size   VLSM length   Subnet mask       CIDR notation
1             32            255.255.255.255   a.b.c.d/32
2 ** 32       0             0.0.0.0           0.0.0.0/0
Thus, every address a.b.c.d can also be written a.b.c.d/32, and the set of all possible addresses is written 0.0.0.0/0. A Shorewall user has contributed a very useful graphical representation of this information. In what follows, we use the notation a.b.c.d/v to describe the IP configuration of a network interface (the ip utility uses the same syntax). In this notation the interface is configured with IP address a.b.c.d and the subnet mask corresponding to VLSM /v. Example: 192.0.2.65/29 means the interface is configured with IP address 192.0.2.65 and subnet mask 255.255.255.248. /sbin/shorewall provides an ipcalc command that automatically computes the information for a [sub]network.

Using the ipcalc command:

shorewall ipcalc 10.10.10.0/25
   CIDR=10.10.10.0/25
   NETMASK=255.255.255.128
   NETWORK=10.10.10.0
   BROADCAST=10.10.10.127

Using the ipcalc command with an address and a netmask:

shorewall ipcalc 10.10.10.0 255.255.255.128
   CIDR=10.10.10.0/25
   NETMASK=255.255.255.128
   NETWORK=10.10.10.0
   BROADCAST=10.10.10.127
Routing

One of the purposes of subnetting is that it forms the basis for routing. Below is the routing table on my firewall:

[root@gateway root]# netstat -nr
Kernel IP routing table
Destination      Gateway          Genmask          Flgs  MSS Win  irtt Iface
192.168.9.1      0.0.0.0          255.255.255.255  UH     40 0       0 texas
206.124.146.177  0.0.0.0          255.255.255.255  UH     40 0       0 eth1
206.124.146.180  0.0.0.0          255.255.255.255  UH     40 0       0 eth3
192.168.3.0      0.0.0.0          255.255.255.0    U      40 0       0 eth3
192.168.2.0      0.0.0.0          255.255.255.0    U      40 0       0 eth1
192.168.1.0      0.0.0.0          255.255.255.0    U      40 0       0 eth2
206.124.146.0    0.0.0.0          255.255.255.0    U      40 0       0 eth0
192.168.9.0      192.0.2.223      255.255.255.0    UG     40 0       0 texas
127.0.0.0        0.0.0.0          255.0.0.0        U      40 0       0 lo
0.0.0.0          206.124.146.254  0.0.0.0          UG     40 0       0 eth0
[root@gateway root]#

The texas interface is a GRE tunnel to a peer site in Dallas, Texas. The first three routes are host routes, since they indicate how to reach a single host. In the netstat output this is visible from the subnet mask (Genmask) 255.255.255.255, or from the H flag in the Flags column. The other routes are network routes, since they tell the kernel how to route packets to a subnet. The last route is the default route. The gateway given in that route is called the default gateway. When the kernel tries to send a packet to IP address A, it starts at the top of the routing table and:
- ANDs A with the subnet mask value of that table entry;
- compares the result with the Destination value of that entry;
- if the result and the Destination value are identical, then: if the Gateway column is non-zero, the packet is sent to that gateway through the interface named in the Iface column; otherwise, the packet is sent directly to A through the interface named in the Iface column;
- otherwise, the preceding steps are repeated on the next table entry.

Since the default route matches every IP address (A AND 0.0.0.0 = 0.0.0.0), packets that match none of the other routing table entries are sent to the default gateway, which is usually a router at your ISP. Let's take an example. Suppose you want to route a packet to 192.168.1.5. That address matches no host route in the table, but when we AND it with 255.255.255.0 the result is 192.168.1.0, which matches this table entry:

192.168.1.0      0.0.0.0          255.255.255.0    U      40 0       0 eth2

So, to route this packet to 192.168.1.5, it is sent directly out of interface eth2. One important point must be stressed: all packets are sent using the routing table, and reply packets are no exception. There seems to be a misconception that reply packets are like salmon and carry some kind of genetic code that lets them follow the same route the request packets took on the way in. That is not the case. Replies may take a completely different path from the one taken by the client's request packets; those routes are entirely independent.
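The subnet arithmetic behind the ipcalc command shown earlier (both the a.b.c.d/v and the address-plus-netmask forms) and the routing-table walk just described, as an added POSIX sh example; this is not Shorewall's own ipcalc code, and the routing table below is a constructed copy of the netstat output above with only the columns the lookup needs.

```sh
#!/bin/sh
# Subnet calculations and a first-match routing lookup in plain POSIX sh.
# Added example, not Shorewall code. Requires a shell with 64-bit arithmetic
# (dash and bash both qualify).

# Dotted quad a.b.c.d -> 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# VLSM length v -> netmask integer: the top v bits set, the rest clear.
vlsm_to_mask() {
    [ "$1" -eq 0 ] && { echo 0; return 0; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Dotted netmask -> VLSM length; fails when the one bits are not contiguous.
mask_to_vlsm() {
    m=$(ip_to_int "$1"); n=0
    while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
        n=$((n + 1))
    done
    [ $(( m & (4294967295 >> n) )) -eq 0 ] || return 1
    echo "$n"
}

# ipcalc a.b.c.d/v   or   ipcalc a.b.c.d netmask
ipcalc() {
    if [ $# -eq 2 ]; then
        addr=$1; v=$(mask_to_vlsm "$2") || return 1
    else
        addr=${1%/*}; v=${1#*/}
    fi
    [ "$v" -ge 0 ] && [ "$v" -le 32 ] || return 1
    mask=$(vlsm_to_mask "$v")
    a=$(ip_to_int "$addr")
    net=$(( a & mask ))                      # ANDing with the mask yields the subnet address
    bcast=$(( net | (~mask & 4294967295) ))  # all host bits set yields the broadcast address
    echo "CIDR=$(int_to_ip "$net")/$v"
    echo "NETMASK=$(int_to_ip "$mask")"
    echo "NETWORK=$(int_to_ip "$net")"
    echo "BROADCAST=$(int_to_ip "$bcast")"
}

# Constructed copy of the firewall routing table printed above:
# Destination Gateway Genmask Iface (the other netstat columns are dropped).
ROUTES='192.168.9.1 0.0.0.0 255.255.255.255 texas
206.124.146.177 0.0.0.0 255.255.255.255 eth1
206.124.146.180 0.0.0.0 255.255.255.255 eth3
192.168.3.0 0.0.0.0 255.255.255.0 eth3
192.168.2.0 0.0.0.0 255.255.255.0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 eth2
206.124.146.0 0.0.0.0 255.255.255.0 eth0
192.168.9.0 192.0.2.223 255.255.255.0 texas
127.0.0.0 0.0.0.0 255.0.0.0 lo
0.0.0.0 206.124.146.254 0.0.0.0 eth0'

# Walk the table top to bottom: AND the address with Genmask, compare with
# Destination and take the first match. Prints "<iface> direct" when the
# Gateway column is zero, otherwise "<iface> via <gateway>".
route_lookup() {
    a=$(ip_to_int "$1")
    while read -r dest gw mask iface; do
        [ -n "$dest" ] || continue
        if [ $(( a & $(ip_to_int "$mask") )) -eq "$(ip_to_int "$dest")" ]; then
            if [ "$gw" = 0.0.0.0 ]; then
                echo "$iface direct"
            else
                echo "$iface via $gw"
            fi
            return 0
        fi
    done <<EOF
$ROUTES
EOF
    echo "no route"
    return 1
}

ipcalc 10.10.10.0/25
ipcalc 10.10.10.0 255.255.255.128
route_lookup 192.168.1.5
```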
Address Resolution Protocol (ARP)

When packets are sent over ethernet, IP addresses are not used. Ethernet addressing is based on MAC (Media Access Control) addresses. Each ethernet card has its own unique MAC address, burned into a PROM when it is manufactured. You can obtain an ethernet card's MAC address with the ip utility:

[root@gateway root]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0
    inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0
[root@gateway root]#

As you can see, the MAC address is 6 octets (48 bits) long. The MAC address is usually printed on the card itself. Since IP uses IP addresses and ethernet uses MAC addresses, a mechanism is needed to translate an IP address into a MAC address. That is the job of the Address Resolution Protocol (ARP). Here is ARP in action:

[root@gateway root]# tcpdump -nei eth2 arp
tcpdump: listening on eth2
09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254
09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0

2 packets received by filter
0 packets dropped by kernel
[root@gateway root]#

In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants to know the MAC address of the device that has IP address 192.168.1.19. The system with that IP address replies that the MAC address of the device with IP address 192.168.1.19 is 0:6:25:aa:8a:f0. To avoid exchanging ARP information every time a packet has to be sent, the system keeps a cache of IP<->MAC mappings.
You can see the contents of the ARP cache on your system (including on Windows systems) with the arp command:

[root@gateway root]# arp -na
? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2

The question marks at the start of the lines result from the n option, which keeps the arp program from resolving DNS names for the IP addresses (the Windows arp command does not accept that option). Had I not used that option, the question marks would be replaced by the fully qualified domain names (FQDN) for each IP address. Note that the last entry in the cache is the one we just saw with tcpdump.
RFC 1918

IP addresses are allocated by IANA (Internet Assigned Numbers Authority), which delegates allocations on a geographic basis to the Regional Internet Registries (RIRs). For example, allocations for the United States and sub-Saharan Africa are delegated to ARIN (American Registry for Internet Numbers). The RIRs may in turn delegate to national registries. Most of us do not deal with these authorities but instead get our IP addresses from our ISP. In practice, one generally cannot afford as many public IP addresses as one has devices that need one. That is what leads us to use private IP addresses. RFC 1918 reserves several address ranges for that purpose:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Addresses reserved by RFC 1918 are sometimes called non-routable, because internet infrastructure routers will not forward packets whose destination address is an RFC 1918 address. That is understandable, since anyone may pick any of those addresses for private use. But the term non-routable is somewhat unfortunate, because it may lead to the mistaken conclusion that traffic destined for one of those addresses cannot be sent through a router. That is false: private routers, including your Shorewall firewall, can perfectly well forward traffic with RFC 1918 addresses. When choosing addresses from these ranges, keep the following in mind: as the IPv4 address space runs out, more and more organizations (including ISPs) are starting to use RFC 1918 addresses in their infrastructure.
You must not use IP addresses that are in use by your ISP or by another organization with which you want to establish a VPN link. It is therefore a good idea to check with your ISP whether they use (or plan to use) private addresses before deciding which addresses you will use. In this document, the real external IP addresses are in the range 192.0.2.x. Addresses in the 192.0.2.0/24 network are reserved by RFC 3330 for use as public IP addresses in printed examples and in test networks. These addresses must not be confused with 192.168.0.0/16 addresses which, as described above, are reserved by RFC 1918 for private use.
Setting up your Network

The choice of a configuration for your network depends first of all on how many public IP addresses you have and how many IP addresses you need. Whatever the number of addresses you have, your ISP can serve that set of addresses in one of two ways:
- Routed: traffic to each of your public addresses is routed through a single gateway address. This is usually done if your ISP assigns you a complete subnet (/29 or larger). In that case, you will assign that gateway address to your firewall/router's external interface.
- Non-routed: your ISP sends traffic to each of your addresses directly.

In the paragraphs that follow, we look at each of these cases separately. Before starting, there is one thing you must check: if you are using a Debian package, check your shorewall.conf file to make sure the following setting is correctly set. If it is not, make the necessary change:

IP_FORWARDING=On
Routed

Suppose your ISP has assigned you the subnet 192.0.2.64/28 routed through 192.0.2.65. You have IP addresses 192.0.2.64 - 192.0.2.79 and your firewall's external address is 192.0.2.65. Your ISP has also told you to use subnet mask 255.255.255.0 (so your /28 is a subset of the larger /24). With that many IP addresses, you can split your /28 network into two /29 subnets and configure your network as shown in the following diagram. In the example, the DMZ is in subnet 192.0.2.64/29 and the local network is in 192.0.2.72/29. The default gateway for hosts in the DMZ must be set to 192.0.2.66 and the default gateway for hosts on the local network must be set to 192.0.2.73. Note that this solution is rather wasteful of public addresses, since it uses 192.0.2.64 and 192.0.2.72 as subnet addresses, 192.0.2.71 and 192.0.2.79 as network broadcast addresses, and 192.0.2.66 and 192.0.2.73 as the internal addresses on the firewall/router. It nevertheless shows how subnetting can work. And if we had a /24 rather than a /28, using 6 of the 256 available IP addresses would be amply justified by the simplicity of the setup. The attentive reader may have noticed that the firewall/router's external interface is actually part of the DMZ subnet (192.0.2.64/29). One may wonder what happens when host DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65. The routing table on host DMZ 1 must look like this:

Kernel IP routing table
Destination     Gateway         Genmask          Flags MSS Window irtt Iface
192.0.2.64      0.0.0.0         255.255.255.248  U      40 0         0 eth0
0.0.0.0         192.0.2.66      0.0.0.0          UG     40 0         0 eth0

So when host DMZ 1 wants to communicate with 192.0.2.65, it will send an ARP request "who-has 192.0.2.65" even though no interface on the DMZ ethernet segment has that IP address.
Oddly enough, the firewall answers the request with the MAC address of its own DMZ interface! DMZ 1 can then send ethernet frames addressed to that MAC address and the frames are received correctly by the firewall/router.

The earlier warning that strongly advises against connecting several firewall/router interfaces to the same hub or switch is a direct consequence of this rather unexpected ARP behaviour of the Linux kernel. When an ARP request for one of the firewall/router's addresses is sent by another system connected to the same hub or switch, every firewall interface connected to it may answer! It then becomes a race to see which "it's here" reply reaches the requester first.
Non-routed

If you are in the situation above but your traffic is not routed by your ISP, you can configure your network exactly as described above, at the cost of one small extra contortion: simply specify the proxyarp option on all three firewall interfaces in /etc/shorewall/interfaces.

Most of us do not have the luxury of enough public IP addresses to configure our network as in the previous example (even when the configuration is routed). For the rest of this section, suppose our ISP has assigned us the IP address range 192.0.2.176-180, has told us to use the subnet mask 255.255.255.0, and that the default gateway is 192.0.2.254. Obviously, this set of addresses does not form a subnet and does not contain enough addresses for all the interfaces of our network. We can use four different techniques to work around this problem:

1. Source Network Address Translation (SNAT).
2. Destination Network Address Translation (DNAT), also called Port Forwarding.
3. Proxy ARP.
4. Network Address Translation (NAT), also referred to as one-to-one NAT.

Often a combination of these techniques is used. Each of them is detailed in the sections that follow.
SNAT

With SNAT, an internal segment of the local network is configured using RFC 1918 addresses. When a host A on that internal segment initiates a connection to a host B on the Internet, the firewall/router rewrites the IP headers of the request to use one of your public IP addresses as the source address. When B replies and the reply is received by the firewall, the firewall changes the destination address back to A's RFC 1918 address and forwards the reply to A.

Suppose you decide to use SNAT on your local zone. Suppose also that you use the public address 192.0.2.176 both as the firewall's external address and as the source address of Internet requests sent from that zone. The local zone has been assigned the subnet 192.168.201.0/29 (subnet mask 255.255.255.248). In that case, the systems in the local zone are configured with 192.168.201.1 as their default gateway (the IP address of the firewall's local interface).

SNAT is configured in Shorewall with the file /etc/shorewall/masq:

    #INTERFACE      SUBNET                  ADDRESS
    eth0            192.168.201.0/29        192.0.2.176

This example uses the usual technique of assigning the same public IP address to the firewall's external interface and to SNAT. If you wish to use a different IP address, you can either use your Linux distribution's network configuration tools to add that IP address, or set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf and Shorewall will add the address for you.
DNAT

When SNAT is used, it is impossible for hosts on the Internet to initiate a connection to one of the internal systems, since those systems have no public IP addresses. DNAT provides a way to allow selected connections from the Internet.

Suppose your daughter wants to host a web server on her system "Local 3". You could allow connections from the Internet to her server by adding the following entry to /etc/shorewall/rules:

    #ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
    #                                               PORT(S) PORT(S) DEST
    DNAT    net     loc:192.168.201.4       tcp     www

If one of your daughter's friends at address A wants to access your daughter's server, she can connect to http://192.0.2.176 (your firewall's external IP address). The firewall rewrites the destination IP address to 192.168.201.4 (your daughter's system) and forwards the request to it. When your daughter's server replies, the firewall rewrites the source address back to 192.0.2.176 and returns the reply to A.

This example uses the firewall's external IP address for DNAT. You can use another of your public IP addresses; to do so, put it in the ORIGINAL DEST column of the rule above. Shorewall will not, however, add that address to the firewall's external interface for you.

When you test DNAT rules like the one shown above, you must do so from a client OUTSIDE YOUR FIREWALL (from the net zone). You cannot test these rules from the inside! For some tips on troubleshooting DNAT, see FAQs 1a and 1b.
Proxy ARP

The principle of Proxy ARP is:

- A host H behind our firewall is given one of our public addresses A and the same subnet mask M as the firewall's external interface.
- The firewall answers ARP "who-has A" requests sent by hosts outside the firewall.
- When host H sends a "who-has" request for a host outside the firewall that belongs to the subnet defined by A and M, the firewall answers H with the MAC address of the firewall interface to which H is attached.

For a more complete description of how Proxy ARP works, refer to the Shorewall Proxy ARP documentation.

Suppose we decide to use Proxy ARP on the DMZ of our example network. Here we have assigned the IP addresses 192.0.2.177 to system DMZ 1 and 192.0.2.178 to system DMZ 2. Note that we have assigned an arbitrary RFC 1918 address and subnet mask to the DMZ interface of our firewall. That address and mask are not relevant; just make sure they do not conflict with any other subnet already defined.

Proxy ARP is configured in the file /etc/shorewall/proxyarp:

    #ADDRESS        INTERFACE       EXTERNAL        HAVE ROUTE      PERSISTENT
    192.0.2.177     eth2            eth0            No
    192.0.2.178     eth2            eth0            No

Since HAVE ROUTE is No, Shorewall adds host routes for 192.0.2.177 and 192.0.2.178 via eth2. The ethernet interfaces of DMZ 1 and DMZ 2 must be configured with the IP addresses given above, but they must have the same default gateway as the firewall itself (192.0.2.254 in our example). In other words, they must be configured exactly as if they were parallel to the firewall rather than behind it.

Do not add the address(es) handled by Proxy ARP (192.0.2.177 and 192.0.2.178 in the example above) to the firewall's external interface (eth0 in this example).

A word of warning is in order here.
In general, ISPs configure their routers with a fairly long ARP cache timeout. If you move a system from parallel to your firewall to behind the firewall's Proxy ARP, it may be HOURS before that system can communicate with the Internet. There are two things you can try:

(Thanks to Bradey Honsinger) A reading of TCP/IP Illustrated, Vol 1 by Richard Stevens reveals that a gratuitous ARP packet can cause your ISP's router to refresh its cache (section 4.7). A gratuitous ARP packet is simply a request from a host for the MAC address associated with its own IP address. Besides ensuring that the IP address is not duplicated, "if the host sending the gratuitous ARP has just changed its hardware address..., this packet causes any other host...that has an entry in its cache for the old hardware address to update its cache accordingly". Which is exactly, of course, what you want to happen when you move a host that was directly exposed on the Internet to behind your Shorewall firewall using Proxy ARP (or doing one-to-one NAT, for the same reason). Fortunately, recent versions of Redhat's iputils package include arping, whose "-U" option does just that:

    arping -U -I <net if> <newly proxied IP>
    arping -U -I eth0 66.58.99.83 # for example

Stevens goes on to mention that some systems do not respond correctly to gratuitous ARP, but a google search for "arping -U" seems to show that it works in most cases.

You can call your ISP and ask them to purge the stale entry from their ARP cache, but most will not or cannot do so.

You can check whether your ISP's ARP cache is stale using ping and tcpdump. Suppose you think the gateway router has a stale ARP entry for 192.0.2.177.
On the firewall, run tcpdump as follows:

    tcpdump -nei eth0 icmp

Now, from 192.0.2.177, ping your ISP's gateway (which we assume to be 192.0.2.254):

    ping 192.0.2.254

We can now look at the tcpdump output:

    13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
    13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 192.0.2.254 > 192.0.2.177 : icmp: echo reply

Note that the source MAC address in the echo request is different from the destination MAC address in the echo reply! In this case, 0:4:e2:20:20:33 was the MAC address of the firewall's eth0 interface while 0:c0:a8:50:b2:57 was the MAC address of DMZ 1's network card. In other words, the gateway's ARP cache still associates 192.0.2.177 with DMZ 1's network card rather than with the firewall's eth0 interface.
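As an added example (not part of the Shorewall documentation), the following Python script automates the comparison the text does by eye on "tcpdump -nei eth0 icmp" output: the source MAC of the echo request the firewall forwards must equal the destination MAC of the echo reply the gateway sends back, otherwise the ISP's cache is stale. The sample dump is the two lines above; the "healthy" dump is a constructed variant in which the cache has been refreshed.

```python
"""Detect a stale upstream ARP entry from 'tcpdump -nei eth0 icmp' output.

Added example, not part of the Shorewall documentation. SAMPLE_DUMP is the
capture shown in the text; HEALTHY_DUMP is constructed to show the refreshed
state (reply addressed to the firewall's eth0 MAC).
"""
import re
from dataclasses import dataclass

SAMPLE_DUMP = """
13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 192.0.2.254 > 192.0.2.177 : icmp: echo reply
"""
HEALTHY_DUMP = """
13:40:01.000001 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
13:40:01.048000 0:0:77:95:dd:19 0:4:e2:20:20:33 ip 98: 192.0.2.254 > 192.0.2.177: icmp: echo reply
"""

# tcpdump -e layout: timestamp src_mac dst_mac proto length: src_ip > dst_ip: icmp: echo request|reply
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-fA-F:]+)\s+(?P<dmac>[0-9a-fA-F:]+)\s+ip\s+\d+:\s+"
    r"(?P<sip>\d+(?:\.\d+){3})\s*>\s*(?P<dip>\d+(?:\.\d+){3})\s*:\s*icmp:\s*echo\s+(?P<kind>request|reply)"
)


@dataclass
class IcmpFrame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    kind: str  # "request" or "reply"


def normalize_mac(mac):
    """Zero-pad octets so tcpdump's '0:4:e2:20:20:33' compares equal to '00:04:e2:20:20:33'."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_tcpdump(text):
    """Extract the ICMP echo frames from tcpdump output; other lines are ignored."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append(IcmpFrame(normalize_mac(m["smac"]), normalize_mac(m["dmac"]),
                                    m["sip"], m["dip"], m["kind"]))
    return frames


def check_arp_cache(dump_text, proxied_ip, gateway_ip):
    """Compare the MAC the firewall used on eth0 with the MAC the gateway replied to."""
    frames = parse_tcpdump(dump_text)
    requests = [f for f in frames
                if f.kind == "request" and f.src_ip == proxied_ip and f.dst_ip == gateway_ip]
    replies = [f for f in frames
               if f.kind == "reply" and f.src_ip == gateway_ip and f.dst_ip == proxied_ip]
    if not requests:
        return {"verdict": "inconclusive", "reason": "no echo request seen leaving the firewall"}
    firewall_mac = requests[0].src_mac
    if not replies:
        # A reply addressed to the old NIC's MAC may never be switched to this port at all,
        # so silence is not proof that the cache is fresh.
        return {"verdict": "inconclusive", "firewall_mac": firewall_mac,
                "reason": "no echo reply seen; it may be going to another switch port"}
    reply_mac = replies[0].dst_mac
    verdict = "ok" if reply_mac == firewall_mac else "stale"
    return {"verdict": verdict, "firewall_mac": firewall_mac, "reply_mac": reply_mac}


if __name__ == "__main__":
    print(check_arp_cache(SAMPLE_DUMP, "192.0.2.177", "192.0.2.254"))
    print(check_arp_cache(HEALTHY_DUMP, "192.0.2.177", "192.0.2.254"))
```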
One-to-one NAT

With one-to-one NAT, you assign RFC 1918 addresses to your systems and then establish a one-to-one mapping between those addresses and public IP addresses. For outgoing connections, source address translation (SNAT) is performed; for incoming connections, destination address translation (DNAT) is performed.

Let us return to the earlier example of your daughter's web server running on system Local 3. Recall that in this configuration the local network uses SNAT and shares the firewall's external IP address (192.0.2.176) for outgoing connections. That is obtained with the following entry in /etc/shorewall/masq:

    #INTERFACE      SUBNET                  ADDRESS
    eth0            192.168.201.0/29        192.0.2.176

Now suppose you decide to give your daughter her own IP address (192.0.2.179) for all incoming and outgoing connections. You can do this by adding the following entry to /etc/shorewall/nat:

    #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
    192.0.2.179     eth0            192.168.201.4   No              No

With this entry active, your daughter has her own IP address and the other two local systems share the firewall's IP address.

Once the relationship between 192.0.2.179 and 192.168.201.4 is established with the nat entry above, using a DNAT rule for your daughter's web server is no longer appropriate; you should instead use a simple ACCEPT rule:

    #ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
    #                                               PORT(S) PORT(S) DEST
    ACCEPT  net     loc:192.168.201.4       tcp     www

A word of warning is in order here. In general, ISPs configure their routers with a fairly long ARP cache timeout. If you move a system from parallel to your firewall to behind the firewall, it may be HOURS before that system can communicate with the Internet. The gratuitous ARP (arping -U) and ping/tcpdump checks described in the Proxy ARP section above apply here as well.
Rules

Shorewall has a macro facility that includes macros for many standard applications. In this section we do not use macros, but define the rules directly.

With the policies defined earlier in this document, your local systems (Local 1-3) can access any server on the Internet, while the DMZ cannot access any other host, including the firewall. Apart from the NAT rules, which cause address translation and allow the translated connection requests to pass through the firewall, the way to allow requests through your firewall is to use ACCEPT rules.

Since the SOURCE PORT and ORIG. DEST. columns are not used in this section, they are not shown.

You will probably want to allow ping between your zones:

    #ACTION SOURCE  DEST    PROTO   DEST
    #                               PORT(S)
    ACCEPT  net     dmz     icmp    echo-request
    ACCEPT  net     loc     icmp    echo-request
    ACCEPT  dmz     loc     icmp    echo-request
    ACCEPT  loc     dmz     icmp    echo-request

Suppose you have mail and pop3 servers running on system DMZ 2, and a web server on system DMZ 1.
The rules you need are:

    #ACTION SOURCE          DEST                    PROTO   DEST            COMMENTS
    #                                                       PORT(S)
    ACCEPT  net             dmz:192.0.2.178         tcp     smtp            #Mail from Internet
    ACCEPT  net             dmz:192.0.2.178         tcp     pop3            #Pop3 from Internet
    ACCEPT  loc             dmz:192.0.2.178         tcp     smtp            #Mail from local Network
    ACCEPT  loc             dmz:192.0.2.178         tcp     pop3            #Pop3 from local Network
    ACCEPT  $FW             dmz:192.0.2.178         tcp     smtp            #Mail from the Firewall
    ACCEPT  dmz:192.0.2.178 net                     tcp     smtp            #Mail to the Internet
    ACCEPT  net             dmz:192.0.2.177         tcp     http            #WWW from Internet
    ACCEPT  net             dmz:192.0.2.177         tcp     https           #Secure WWW from Internet
    ACCEPT  loc             dmz:192.0.2.177         tcp     https           #Secure WWW from local Network

If you run a public DNS server on 192.0.2.177, you must add the following rules:

    #ACTION SOURCE          DEST                    PROTO   DEST            COMMENTS
    #                                                       PORT(S)
    ACCEPT  net             dmz:192.0.2.177         udp     domain          #UDP DNS from Internet
    ACCEPT  net             dmz:192.0.2.177         tcp     domain          #TCP DNS from Internet
    ACCEPT  loc             dmz:192.0.2.177         udp     domain          #UDP DNS from Local Network
    ACCEPT  loc             dmz:192.0.2.177         tcp     domain          #TCP DNS from Local Network
    ACCEPT  $FW             dmz:192.0.2.177         udp     domain          #UDP DNS from the Firewall
    ACCEPT  $FW             dmz:192.0.2.177         tcp     domain          #TCP DNS from the Firewall
    ACCEPT  dmz:192.0.2.177 net                     udp     domain          #UDP DNS to the Internet
    ACCEPT  dmz:192.0.2.177 net                     tcp     domain          #TCP DNS to the Internet

You will probably want to communicate from your local network with your firewall and the DMZ systems. I recommend SSH which, thanks to its scp utility, can also be used for software distribution and updates:

    #ACTION SOURCE  DEST    PROTO   DEST    COMMENTS
    #                               PORT(S)
    ACCEPT  loc     dmz     tcp     ssh     #SSH to the DMZ
    ACCEPT  net     $FW     tcp     ssh     #SSH to the Firewall
A Few Other Things

The preceding discussion reflects my personal preference for using Proxy ARP for my DMZ servers and SNAT/NAT for local systems. I prefer to use NAT only when a system that is part of an RFC 1918 subnet needs its own public IP address.

If you have not already done so, it would be a good idea to look through /etc/shorewall/shorewall.conf just to see whether anything else there might interest you. You may also want to look at the other configuration files you have not touched, to get an overview of Shorewall's other capabilities.

In case you have lost the thread, below is a final set of configuration files for our example network. Only the files from the initial configuration that were modified are shown.

/etc/shorewall/interfaces (the "options" are very site-dependent):

    #ZONE   INTERFACE       BROADCAST       OPTIONS
    net     eth0            detect          rfc1918,routefilter
    loc     eth1            detect
    dmz     eth2            detect

The configuration described here requires that your network be up before Shorewall can start. This leaves a small window during which you have no firewall protection. If you replace "detect" in the entries above with the actual broadcast addresses, you can start Shorewall before bringing up your network interfaces:
    #ZONE   INTERFACE       BROADCAST       OPTIONS
    net     eth0            192.0.2.255     rfc1918
    loc     eth1            192.168.201.7
    dmz     eth2            192.168.202.7

/etc/shorewall/masq - Local network

    #INTERFACE      SUBNET                  ADDRESS
    eth0            192.168.201.0/29        192.0.2.176

/etc/shorewall/proxyarp - DMZ

    #ADDRESS        INTERFACE       EXTERNAL        HAVE ROUTE
    192.0.2.177     eth2            eth0            No
    192.0.2.178     eth2            eth0            No

/etc/shorewall/nat - My daughter's system

    #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
    192.0.2.179     eth0            192.168.201.4   No              No

/etc/shorewall/rules

    #ACTION SOURCE          DEST                    PROTO   DEST            COMMENTS
    #                                                       PORT(S)
    ACCEPT  net             dmz                     icmp    echo-request
    ACCEPT  net             loc                     icmp    echo-request
    ACCEPT  dmz             loc                     icmp    echo-request
    ACCEPT  loc             dmz                     icmp    echo-request
    ACCEPT  net             loc:192.168.201.4       tcp     www             #Daughter's Server
    ACCEPT  net             dmz:192.0.2.178         tcp     smtp            #Mail from Internet
    ACCEPT  net             dmz:192.0.2.178         tcp     pop3            #Pop3 from Internet
    ACCEPT  loc             dmz:192.0.2.178         tcp     smtp            #Mail from local Network
    ACCEPT  loc             dmz:192.0.2.178         tcp     pop3            #Pop3 from local Network
    ACCEPT  $FW             dmz:192.0.2.178         tcp     smtp            #Mail from the Firewall
    ACCEPT  dmz:192.0.2.178 net                     tcp     smtp            #Mail to the Internet
    ACCEPT  net             dmz:192.0.2.177         tcp     http            #WWW from Internet
    ACCEPT  net             dmz:192.0.2.177         tcp     https           #Secure WWW from Internet
    ACCEPT  loc             dmz:192.0.2.177         tcp     https           #Secure WWW from local Network
    ACCEPT  net             dmz:192.0.2.177         udp     domain          #UDP DNS from Internet
    ACCEPT  net             dmz:192.0.2.177         tcp     domain          #TCP DNS from Internet
    ACCEPT  loc             dmz:192.0.2.177         udp     domain          #UDP DNS from Local Network
    ACCEPT  loc             dmz:192.0.2.177         tcp     domain          #TCP DNS from Local Network
    ACCEPT  $FW             dmz:192.0.2.177         udp     domain          #UDP DNS from the Firewall
    ACCEPT  $FW             dmz:192.0.2.177         tcp     domain          #TCP DNS from the Firewall
    ACCEPT  dmz:192.0.2.177 net                     udp     domain          #UDP DNS to the Internet
    ACCEPT  dmz:192.0.2.177 net                     tcp     domain          #TCP DNS to the Internet
    ACCEPT  loc             dmz                     tcp     ssh             #SSH to the DMZ
    ACCEPT  net             $FW                     tcp     ssh             #SSH to the Firewall
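As an added example (not part of Shorewall or of this guide), the following Python script checks the final configuration above for the consistency points made in the SNAT, DNAT, Proxy ARP and one-to-one NAT sections: proxied addresses must not double as the firewall's, the SNAT or a NAT address; loc: hosts in rules must be RFC 1918 addresses inside a masq SUBNET; dmz: hosts must have a proxyarp entry; the firewall's own addresses belong to $FW, not loc; a DNAT rule is redundant once a nat entry maps the host; and anything opened from net to $FW is listed for review. The file contents are embedded as strings copied from the page (rules abbreviated); the firewall's own addresses are those given in the text, and the "draft" rules are a constructed variant containing the mistakes the text warns about.

```python
"""Consistency checks over the example Shorewall configuration above.

Added example; it is not part of Shorewall or of this guide. Files are parsed
with Shorewall's layout: whitespace-separated columns, '#' comments,
'zone:address' in SOURCE/DEST and '$FW' for the firewall zone.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Addresses configured on the firewall itself (external, loc and dmz interfaces per the text).
FW_ADDRESSES = {"192.0.2.176", "192.168.201.1", "192.168.202.1"}

INTERFACES = """
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        192.0.2.255     rfc1918
loc     eth1        192.168.201.7
dmz     eth2        192.168.202.7
"""
MASQ = "eth0    192.168.201.0/29    192.0.2.176\n"
PROXYARP = "192.0.2.177  eth2  eth0  No\n192.0.2.178  eth2  eth0  No\n"
NAT = "192.0.2.179  eth0  192.168.201.4  No  No\n"
RULES = """
ACCEPT  net              loc:192.168.201.4  tcp  www
ACCEPT  net              dmz:192.0.2.178    tcp  smtp
ACCEPT  dmz:192.0.2.178  net                tcp  smtp
ACCEPT  net              dmz:192.0.2.177    tcp  http
ACCEPT  net              dmz:192.0.2.177    udp  domain
ACCEPT  loc              dmz                tcp  ssh
ACCEPT  net              $FW                tcp  ssh
"""
# Constructed draft (not from the page): the DNAT rule left in place after the nat
# entry was added, a firewall address written as a loc host, and hosts that match
# nothing in proxyarp or masq.
DRAFT_RULES = """
DNAT    net                loc:192.168.201.4  tcp  www
ACCEPT  loc:192.168.201.1  dmz:192.0.2.180    tcp  ssh
ACCEPT  net                loc:192.0.2.180    tcp  www
"""


def rows(text):
    """Split a Shorewall file into column lists, dropping comments and blank lines."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def split_zone(field):
    """'loc:192.168.201.4' -> ('loc', '192.168.201.4'); 'net' -> ('net', None)."""
    zone, _, addr = field.partition(":")
    return zone, (addr or None)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def lint(interfaces, masq, proxyarp, nat, rules):
    findings = []
    masq_nets = [ipaddress.ip_network(r[1]) for r in rows(masq)]   # SUBNET column
    masq_addrs = {r[2] for r in rows(masq) if len(r) > 2}           # ADDRESS column
    proxied = {r[0]: r[2] for r in rows(proxyarp)}                  # ADDRESS -> EXTERNAL
    nat_internal = {r[2]: r[0] for r in rows(nat)}                  # INTERNAL -> EXTERNAL
    net_if = next(r[1] for r in rows(interfaces) if r[0] == "net")

    # Proxied addresses belong to DMZ hosts: they must not also be the firewall's,
    # the SNAT or a one-to-one NAT address, and EXTERNAL must be the net interface.
    for addr, ext in proxied.items():
        if addr in FW_ADDRESSES or addr in masq_addrs or addr in nat_internal.values():
            findings.append(f"proxyarp: {addr} is also a firewall/SNAT/NAT address")
        if ext != net_if:
            findings.append(f"proxyarp: EXTERNAL {ext} is not the net interface {net_if}")

    for r in rows(rules):
        action, (szone, saddr), (dzone, daddr) = r[0], split_zone(r[1]), split_zone(r[2])
        for zone, addr in ((szone, saddr), (dzone, daddr)):
            if addr is None:
                continue
            if zone == "loc" and not is_rfc1918(addr):
                findings.append(f"rules: loc host {addr} is not an RFC 1918 address")
            elif zone == "loc" and not any(ipaddress.ip_address(addr) in n for n in masq_nets):
                findings.append(f"rules: loc host {addr} is outside every masq SUBNET")
            if zone == "dmz" and addr not in proxied:
                findings.append(f"rules: dmz host {addr} has no proxyarp entry")
            if addr in FW_ADDRESSES and zone != "$FW":
                findings.append(f"rules: {addr} belongs to the firewall; write $FW:{addr}, not {zone}:{addr}")
        # The nat entry already translates this host both ways, so DNAT is redundant.
        if action == "DNAT" and daddr in nat_internal:
            findings.append(f"rules: DNAT to {daddr} is redundant, nat maps it to {nat_internal[daddr]}; use ACCEPT")
        # Anything the Internet may open to the firewall itself deserves a second look.
        if action == "ACCEPT" and szone == "net" and dzone == "$FW":
            findings.append(f"rules: {r[3]}/{r[4]} open from net to the firewall itself; review")
    return findings


if __name__ == "__main__":
    for f in lint(INTERFACES, MASQ, PROXYARP, NAT, RULES):
        print("final config:", f)
    for f in lint(INTERFACES, MASQ, PROXYARP, NAT, DRAFT_RULES):
        print("draft rules: ", f)
```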
DNS

Given the RFC 1918 addresses and public addresses used in this configuration, the only logical way to proceed is to have separate internal and external DNS servers. You can combine both into a single BIND 9 server using views. If you are not interested in BIND 9 views, you can skip to the next section.

Suppose your domain is foobar.net. You want the two DMZ systems to be called www.foobar.net and mail.foobar.net, and you want the three local systems to be called winken.foobar.net, blinken.foobar.net and nod.foobar.net. You want the firewall to be known externally as firewall.foobar.net, its interface to the local network to be named gateway.foobar.net and its interface to the DMZ to be dmz.foobar.net. Let us put the DNS server on 192.0.2.177, which will also be known as ns1.foobar.net. The /etc/named.conf file should look like this:

    options {
        directory "/var/named";
        listen-on { 127.0.0.1 ; 192.0.2.177; };
        transfer-format many-answers;
        max-transfer-time-in 60;
        allow-transfer {
            // Servers allowed to request zone transfers
            <secondary NS IP>;
        };
    };

    logging {
        channel xfer-log {
            file "/var/log/named/bind-xfer.log";
            print-category yes;
            print-severity yes;
            print-time yes;
            severity info;
        };
        category xfer-in { xfer-log; };
        category xfer-out { xfer-log; };
        category notify { xfer-log; };
    };

    #
    # This is the view presented to our internal systems
    #
    view "internal" {
        #
        # These are the clients that see this view
        #
        match-clients { 192.168.201.0/29;
                        192.168.202.0/29;
                        127.0.0.0/8;
                        192.0.2.176/32;
                        192.0.2.178/32;
                        192.0.2.179/32;
                        192.0.2.180/32; };
        #
        # If this server can't complete the request, it should use
        # outside servers to do so
        #
        recursion yes;

        zone "." in {
            type hint;
            file "int/root.cache";
        };

        zone "foobar.net" in {
            type master;
            notify no;
            allow-update { none; };
            file "int/db.foobar";
        };

        zone "0.0.127.in-addr.arpa" in {
            type master;
            notify no;
            allow-update { none; };
            file "int/db.127.0.0";
        };

        zone "201.168.192.in-addr.arpa" in {
            type master;
            notify no;
            allow-update { none; };
            file "int/db.192.168.201";
        };

        zone "202.168.192.in-addr.arpa" in {
            type master;
            notify no;
            allow-update { none; };
            file "int/db.192.168.202";
        };

        zone "176.2.0.192.in-addr.arpa" in {
            type master;
            notify no;
            allow-update { none; };
            file "db.192.0.2.176";
        };

        zone "177.2.0.192.in-addr.arpa" in {
            type master;
            notify no;
            allow-update { none; };
            file "db.192.0.2.177";
        };

        zone "178.2.0.192.in-addr.arpa" in {
            type master;
            notify no;
            allow-update { none; };
            file "db.192.0.2.178";
        };

        zone "179.2.0.192.in-addr.arpa" in {
            type master;
            notify no;
            allow-update { none; };
            file "db.192.0.2.179";
        };
    };

    #
    # This is the view that we present to the outside world
    #
    view "external" {
        match-clients { any; };
        #
        # If we can't answer the query, we tell the client so
        #
        recursion no;

        zone "foobar.net" in {
            type master;
            notify yes;
            allow-update { none; };
            file "ext/db.foobar";
        };

        zone "176.2.0.192.in-addr.arpa" in {
            type master;
            notify yes;
            allow-update { none; };
            file "db.192.0.2.176";
        };

        zone "177.2.0.192.in-addr.arpa" in {
            type master;
            notify yes;
            allow-update { none; };
            file "db.192.0.2.177";
        };

        zone "178.2.0.192.in-addr.arpa" in {
            type master;
            notify yes;
            allow-update { none; };
            file "db.192.0.2.178";
        };

        zone "179.2.0.192.in-addr.arpa" in {
            type master;
            notify yes;
            allow-update { none; };
            file "db.192.0.2.179";
        };
    };

Here are the files in the /var/named directory (those not shown are generally part of your BIND distribution).
db.192.0.2.176 - Reverse zone for the firewall's external interface

    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32
    ; Filename: db.192.0.2.176
    ; ############################################################
    @       604800  IN      SOA     ns1.foobar.net. netadmin.foobar.net. (
                                    2001102303      ; serial
                                    10800           ; refresh (3 hour)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (7 days)
                                    86400 )         ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @       604800  IN      NS      ns1.foobar.net.
    @       604800  IN      NS      <name of secondary ns>.
    ;
    ; ############################################################
    ; Inverse Address Arpa Records (PTR's)
    ; ############################################################
    176.2.0.192.in-addr.arpa.       86400   IN      PTR     firewall.foobar.net.

db.192.0.2.177 - Reverse zone for the www server

    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32
    ; Filename: db.192.0.2.177
    ; ############################################################
    @       604800  IN      SOA     ns1.foobar.net. netadmin.foobar.net. (
                                    2001102303      ; serial
                                    10800           ; refresh (3 hour)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (7 days)
                                    86400 )         ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @       604800  IN      NS      ns1.foobar.net.
    @       604800  IN      NS      <name of secondary ns>.
    ;
    ; ############################################################
    ; Inverse Address Arpa Records (PTR's)
    ; ############################################################
    177.2.0.192.in-addr.arpa.       86400   IN      PTR     www.foobar.net.
db.192.0.2.178 - Reverse zone for the mail server

    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32
    ; Filename: db.192.0.2.178
    ; ############################################################
    @       604800  IN      SOA     ns1.foobar.net. netadmin.foobar.net. (
                                    2001102303      ; serial
                                    10800           ; refresh (3 hour)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (7 days)
                                    86400 )         ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @       604800  IN      NS      ns1.foobar.net.
    @       604800  IN      NS      <name of secondary ns>.
    ;
    ; ############################################################
    ; Inverse Address Arpa Records (PTR's)
    ; ############################################################
    178.2.0.192.in-addr.arpa.       86400   IN      PTR     mail.foobar.net.

db.192.0.2.179 - Reverse zone for your daughter's public web server

    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32
    ; Filename: db.192.0.2.179
    ; ############################################################
    @       604800  IN      SOA     ns1.foobar.net. netadmin.foobar.net. (
                                    2001102303      ; serial
                                    10800           ; refresh (3 hour)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (7 days)
                                    86400 )         ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @       604800  IN      NS      ns1.foobar.net.
    @       604800  IN      NS      <name of secondary ns>.
    ;
    ; ############################################################
    ; Inverse Address Arpa Records (PTR's)
    ; ############################################################
    179.2.0.192.in-addr.arpa.       86400   IN      PTR     nod.foobar.net.
int/db.127.0.0 - Reverse zone for localhost

    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8
    ; Filename: db.127.0.0
    ; ############################################################
    @       604800  IN      SOA     ns1.foobar.net. netadmin.foobar.net. (
                                    2001092901      ; serial
                                    10800           ; refresh (3 hour)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (7 days)
                                    86400 )         ; minimum (1 day)
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @       604800  IN      NS      ns1.foobar.net.
    ; ############################################################
    ; Inverse Address Arpa Records (PTR's)
    ; ############################################################
    1       86400   IN      PTR     localhost.foobar.net.

int/db.192.168.201 - Reverse zone for the local network. This is visible only to internal clients.

    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29
    ; Filename: db.192.168.201
    ; ############################################################
    @       604800  IN      SOA     ns1.foobar.net. netadmin.foobar.net. (
                                    2002032501      ; serial
                                    10800           ; refresh (3 hour)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (7 days)
                                    86400 )         ; minimum (1 day)
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @       604800  IN      NS      ns1.foobar.net.
    ; ############################################################
    ; Inverse Address Arpa Records (PTR's)
    ; ############################################################
    1       86400   IN      PTR     gateway.foobar.net.
    2       86400   IN      PTR     winken.foobar.net.
    3       86400   IN      PTR     blinken.foobar.net.
    4       86400   IN      PTR     nod.foobar.net.
int/db.192.168.202 - Reverse zone for the firewall's DMZ interface

    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29
    ; Filename: db.192.168.202
    ; ############################################################
    @       604800  IN      SOA     ns1.foobar.net. netadmin.foobar.net. (
                                    2002032501      ; serial
                                    10800           ; refresh (3 hour)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (7 days)
                                    86400 )         ; minimum (1 day)
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @       604800  IN      NS      ns1.foobar.net.
    ; ############################################################
    ; Inverse Address Arpa Records (PTR's)
    ; ############################################################
    1       86400   IN      PTR     dmz.foobar.net.

int/db.foobar - Forward zone for internal clients

    ;##############################################################
    ; Start of Authority for foobar.net.
    ; Filename: db.foobar
    ;##############################################################
    @       604800  IN      SOA     ns1.foobar.net. netadmin.foobar.net. (
                                    2002071501      ; serial
                                    10800           ; refresh (3 hour)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (7 days)
                                    86400 )         ; minimum (1 day)
    ;############################################################
    ; foobar.net Nameserver Records (NS)
    ;############################################################
    @       604800  IN      NS      ns1.foobar.net.
    ;############################################################
    ; Foobar.net Office Records (ADDRESS)
    ;############################################################
    localhost       86400   IN      A       127.0.0.1
    firewall        86400   IN      A       192.0.2.176
    www             86400   IN      A       192.0.2.177
    ns1             86400   IN      A       192.0.2.177
    mail            86400   IN      A       192.0.2.178
    gateway         86400   IN      A       192.168.201.1
    winken          86400   IN      A       192.168.201.2
    blinken         86400   IN      A       192.168.201.3
    nod             86400   IN      A       192.168.201.4
    dmz             86400   IN      A       192.168.202.1

ext/db.foobar - Forward zone for external clients

    ;##############################################################
    ; Start of Authority for foobar.net.
    ; Filename: db.foobar
    ;##############################################################
    @       86400   IN      SOA     ns1.foobar.net. netadmin.foobar.net. (
                                    2002052901      ; serial
                                    10800           ; refresh (3 hour)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (7 days)
                                    86400 )         ; minimum (1 day)
    ;############################################################
    ; Foobar.net Nameserver Records (NS)
    ;############################################################
    @       86400   IN      NS      ns1.foobar.net.
    @       86400   IN      NS      <secondary NS>.
    ;############################################################
    ; Foobar.net Foobar Wa Office Records (ADDRESS)
    ;############################################################
    localhost       86400   IN      A       127.0.0.1
    ;
    ; The firewall itself
    ;
    firewall        86400   IN      A       192.0.2.176
    ;
    ; The DMZ
    ;
    ns1             86400   IN      A       192.0.2.177
    www             86400   IN      A       192.0.2.177
    mail            86400   IN      A       192.0.2.178
    ;
    ; The Local Network
    ;
    nod             86400   IN      A       192.0.2.179
    ;############################################################
    ; Current Aliases for foobar.net (CNAME)
    ;############################################################
    ;############################################################
    ; foobar.net MX Records (MAIL EXCHANGER)
    ;############################################################
    foobar.net.     86400   IN      A       192.0.2.177
                    86400   IN      MX      0 mail.foobar.net.
                    86400   IN      MX      1 <backup MX>.
Some Points to Keep in Mind

You cannot test your firewall from inside your network. Sending requests to your firewall's external IP address does not mean that they will be associated with the external interface or with the net zone. Any traffic generated by the local network is associated with the local interface and is treated as traffic from the local network to the firewall (loc->fw).

IP addresses are properties of systems, not of interfaces. It is a mistake to believe that your firewall is able to forward packets simply because you can ping the IP address of every one of the firewall's interfaces from the local network. The only conclusion you can draw in that case is that the link between the local network and the firewall works and that you probably have the correct default gateway address configured on your system.

All IP addresses configured on the firewall are in the $FW (fw) zone. If 192.168.1.254 is the IP address of your internal interface, then you may write $FW:192.168.1.254 in a rule but you must not write loc:192.168.1.254. It is equally meaningless to add 192.168.1.254 to the loc zone with an entry in /etc/shorewall/hosts.

Reply packets do NOT automatically follow the reverse path of the original request. Every packet is routed according to the routing table of the host it is passing through at each step of its journey. This problem usually shows up when a Shorewall firewall is installed in parallel with an existing gateway and DNAT rules are used in Shorewall without changing the default gateway on the systems that receive the forwarded requests. The requests pass through the Shorewall firewall, where the destination IP address is rewritten, but the reply goes back through the old gateway, which does not modify the packet.

Shorewall itself has no notion of inside and outside. Those concepts depend on how Shorewall is configured.

Starting and Stopping Your Firewall

The installation procedure configures your system to start Shorewall at boot, but startup is disabled so that your system does not try to start Shorewall before the configuration is complete. Once you have finished configuring the firewall, you must edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes. Users of the .deb packages must edit /etc/default/shorewall and set startup=1.

The firewall is started with the shorewall start command and stopped with the shorewall stop command. While the firewall is stopped, routing is allowed to the hosts that have an entry in /etc/shorewall/routestopped. A running firewall can be restarted with the shorewall restart command. If you want to remove every trace of Shorewall from your Netfilter configuration, use shorewall clear.

Edit /etc/shorewall/routestopped to configure the hosts you want to be able to reach while the firewall is stopped.

If you are connected to your firewall from the Internet, do not run shorewall stop until you have added an entry to /etc/shorewall/routestopped for the IP address you are connecting from. Likewise, I advise against using shorewall restart; it is better to create an alternate configuration and test it with the shorewall try command.
shorewall-docs-xml-5.2.3/FTP.xml
Shorewall and FTP

Tom Eastep

Copyright 2003, 2004, 2005, 2006 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.0 and later. If you are running a version of Shorewall earlier than Shorewall 4.0.0 then please see the documentation for that release.
FTP Protocol

FTP transfers involve two TCP connections. The first, the control connection, goes from the FTP client to port 21 on the FTP server. This connection is used for logon and to send commands and responses between the endpoints. Data transfers (including the output of ls and dir commands) require a second, data connection. How the data connection is set up depends on the mode that the client is operating in:

- Passive Mode (often the default for web browsers) -- The client issues a PASV command. Upon receipt of this command, the server listens on a dynamically-allocated port, then sends a PASV reply to the client. The PASV reply gives the IP address and port number that the server is listening on. The client then opens a second connection to that IP address and port number.

- Active Mode (often the default for line-mode clients) -- The client listens on a dynamically-allocated port, then sends a PORT command to the server. The PORT command gives the IP address and port number that the client is listening on. The server then opens a connection to that IP address and port number; the source port for this connection is 20 (ftp-data in /etc/services).

You can see these commands in action using your Linux ftp command-line client in debugging mode. Note that my ftp client defaults to passive mode and that I can toggle between passive and active mode by issuing a passive command:

    [teastep@wookie Shorewall]$ ftp ftp1.shorewall.net
    Connected to lists.shorewall.net.
    220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(<*>)=-
    220-You are user number 1 of 50 allowed.
    220-Local time is now 10:21 and the load is 0.14. Server port: 21.
    220 You will be disconnected after 15 minutes of inactivity.
    500 Security extensions not implemented
    500 Security extensions not implemented
    KERBEROS_V4 rejected as an authentication type
    Name (ftp1.shorewall.net:teastep): ftp
    331-Welcome to ftp.shorewall.net
    331-
    331 Any password will work
    Password:
    230 Any password will work
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> debug
    Debugging on (debug=1).
    ftp> ls
    ---> PASV
    227 Entering Passive Mode (192,168,1,193,195,210)
    ---> LIST
    150 Accepted data connection
    drwxr-xr-x    5 0          0                4096 Nov  9  2002 archives
    drwxr-xr-x    2 0          0                4096 Feb 12  2002 etc
    drwxr-sr-x    6 0          50               4096 Feb 19 15:24 pub
    226-Options: -l
    226 3 matches total
    ftp> passive
    Passive mode off.
    ftp> ls
    ---> PORT 192,168,1,3,142,58
    200 PORT command successful
    ---> LIST
    150 Connecting to port 36410
    drwxr-xr-x    5 0          0                4096 Nov  9  2002 archives
    drwxr-xr-x    2 0          0                4096 Feb 12  2002 etc
    drwxr-sr-x    6 0          50               4096 Feb 19 15:24 pub
    226-Options: -l
    226 3 matches total
    ftp>

Things to notice:

- The commands that I issued (debug, ls, passive) are the ones typed at the ftp> prompt.
- Commands sent by the client to the server are preceded by --->.
- Command responses from the server over the control connection are numbered.
- FTP uses a comma as a separator between the bytes of the IP address.
- When sending a port number, FTP sends the MSB then the LSB and separates the two bytes by a comma. As shown in the PORT command, port 142,58 translates to 142*256+58 = 36410.
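The following is an added example and not code from the Shorewall documentation. It decodes the address/port tuples that PORT commands and PASV replies carry, which is precisely what the kernel's FTP connection-tracking helper has to do before it can open the hole for the data connection. It also flags a PORT/PASV line that arrives without its CR LF terminator, the situation behind the "partial PORT" kernel message discussed in the Rules section below. The function and variable names are this example's own; the sample lines are constructed from the session shown above.

```shell
#!/bin/sh
# Added example (not from the Shorewall docs): decode FTP PORT commands and PASV
# replies the way a connection-tracking helper must. Names here are invented.

# A two-character CR LF string; FTP terminates every control-channel line with it.
CRLF=$(printf '\r\n_')
CRLF=${CRLF%_}

# Turn "h1,h2,h3,h4,p1,p2" into "h1.h2.h3.h4 port" where port = p1*256 + p2.
# Prints nothing and returns 1 unless there are exactly six decimal fields in 0..255.
ftp_tuple_decode() {
    printf '%s\n' "$1" | awk -F, '
        NF != 6 { exit 1 }
        {
            for (i = 1; i <= 6; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            printf "%s.%s.%s.%s %d\n", $1, $2, $3, $4, $5 * 256 + $6
        }'
}

# Classify one control-channel line as the helper sees it. Output is one of:
#   "port <ip> <port>"   client PORT command (the server will connect here)
#   "pasv <ip> <port>"   server 227 reply (the client will connect here)
#   "partial"            PORT/PASV line missing its CR LF terminator; the helper
#                        cannot act on it (compare the "partial PORT" message)
#   "malformed"          PORT/PASV line whose tuple does not decode
#   "other"              any other command or reply
# Return status is 0 for "port", "pasv" and "other", 1 otherwise.
ftp_control_line() {
    line=$1
    terminated=0
    case "$line" in
        *"$CRLF") terminated=1; line=${line%"$CRLF"} ;;
    esac
    case "$line" in
        'PORT '*)      kind=port; tuple=${line#'PORT '} ;;
        227*'('*')'*)  kind=pasv; tuple=${line#*\(}; tuple=${tuple%%\)*} ;;
        *)             echo other; return 0 ;;
    esac
    [ "$terminated" -eq 1 ] || { echo partial; return 1; }
    decoded=$(ftp_tuple_decode "$tuple") || { echo malformed; return 1; }
    echo "$kind $decoded"
}

# Demonstration on constructed lines modelled on the session above.
for sample in \
    "PORT 192,168,1,3,142,58$CRLF" \
    "227 Entering Passive Mode (192,168,1,193,195,210)$CRLF" \
    "PORT 192,168,1,3,142,58" \
    "LIST$CRLF"
do
    ftp_control_line "$sample" || :
done
```

The PASV tuple from the session decodes to 192.168.1.193 port 195*256+210 = 50130, and the PORT tuple to 192.168.1.3 port 36410, matching the "Connecting to port 36410" reply. A line that the helper classifies as partial or malformed yields no data-connection expectation, which is why the related data connection is then dropped unless a rule admits it explicitly.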
Linux FTP connection-tracking

Given the normal loc->net policy of ACCEPT, passive mode access from local clients to remote servers will always work, but active mode requires the firewall to dynamically open a hole for the server's connection back to the client. Similarly, if you are running an FTP server in your local zone then active mode should always work, but passive mode requires the firewall to dynamically open a hole for the client's second connection to the server. This is the role of FTP connection-tracking support in the Linux kernel.

Where any form of NAT (SNAT, DNAT, Masquerading) on your firewall is involved, the PORT commands and PASV responses may also need to be modified by the firewall. This is the job of the FTP nat support kernel function.

Including FTP connection-tracking and NAT support normally means that the modules nf_conntrack_ftp and nf_nat_ftp need to be loaded. Shorewall automatically loads these helper modules from /lib/modules/<kernel-version>/kernel/net/netfilter/ and you can determine if they are loaded using the lsmod command. The <kernel-version> may be obtained by typing uname -r.

Note: If you are running kernel 2.6.19 or earlier, then the module names are ip_nat_ftp and ip_conntrack_ftp and they are normally loaded from /lib/modules/<kernel-version>/kernel/net/ipv4/netfilter/.

Because the ftp helper modules must read and modify commands being sent over the command channel, they won't work when the command channel is encrypted through use of TLS/SSL.
Example (Kernel 3.2.20)

    [root@lists etc]# lsmod
    Module                  Size  Used by    Not tainted
    iptable_filter          3072  1
    iptable_mangle          2816  0
    iptable_nat             7684  0
    iptable_raw             2048  0
    ip_tables              12232  4 iptable_raw,iptable_mangle,iptable_nat,iptable_filter
    ipt_addrtype            1920  0
    ipt_ah                  2048  0
    ipt_CLUSTERIP           8708  0
    ipt_ecn                 2304  0
    ipt_ECN                 3072  0
    ipt_iprange             1920  0
    ipt_LOG                 6528  0
    ipt_MASQUERADE          3456  0
    ipt_NETMAP              2048  0
    ipt_owner               2048  0
    ipt_recent              9496  0
    ipt_REDIRECT            2048  0
    ipt_REJECT              4608  0
    ipt_SAME                2432  0
    ipt_TCPMSS              4096  0
    ipt_tos                 1664  0
    ipt_TOS                 2304  0
    ipt_ttl                 1920  0
    ipt_TTL                 2432  0
    ipt_ULOG                8068  0
    nf_conntrack           59864  28 ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_state,xt_connmark,xt_conntrack,iptable_nat,nf_nat,nf_conntrack_ipv4
    nf_conntrack_amanda     5248  1 nf_nat_amanda
    nf_conntrack_ftp        9728  1 nf_nat_ftp
    nf_conntrack_h323      50396  1 nf_nat_h323
    nf_conntrack_ipv4      17932  2 iptable_nat
    nf_conntrack_irc        7064  1 nf_nat_irc
    nf_conntrack_netbios_ns 3072  0
    nf_conntrack_netlink   26240  0
    nf_conntrack_pptp       6912  1 nf_nat_pptp
    nf_conntrack_proto_gre  5632  1 nf_conntrack_pptp
    nf_conntrack_proto_sctp 8328  0
    nf_conntrack_sip        9748  1 nf_nat_sip
    nf_conntrack_tftp       5780  1 nf_nat_tftp
    nf_nat                 17964  14 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink,iptable_nat
    nf_nat_amanda           2432  0
    nf_nat_ftp              3584  0
    nf_nat_h323             7808  0
    nf_nat_irc              2816  0
    nf_nat_pptp             3840  0
    nf_nat_proto_gre        3204  1 nf_nat_pptp
    nf_nat_sip              4608  0
    nf_nat_snmp_basic      10372  0
    nf_nat_tftp             1920  0
    xt_CLASSIFY             1920  0
    xt_comment              1920  0
    xt_connmark             2432  0
    xt_conntrack            2944  0
    xt_dccp                 3588  0
    xt_hashlimit           10252  0
    xt_helper               2688  0
    xt_length               1920  0
    xt_limit                2688  0
    xt_mac                  1920  0
    xt_mark                 1920  0
    xt_MARK                 2304  0
    xt_multiport            3328  1
    xt_NFLOG                2176  0
    xt_NFQUEUE              2048  0
    xt_physdev              2704  2
    xt_pkttype              1920  0
    xt_policy               3840  0
    xt_state                2560  0
    xt_tcpmss               2304  0
    xt_tcpudp               3328  0
    [root@lists etc]#

If you want Shorewall to load these modules from an alternate directory, you need to set the MODULESDIR variable in /etc/shorewall/shorewall.conf to point to that directory.
FTP with Kernel 3.5 and Later

Because of the potential for attackers to subvert Netfilter helpers like the one for FTP, the Netfilter team are in the process of eliminating the automatic association of helpers to connections. In the 3.5 kernel, it is possible to disable this automatic association, and the team have announced that automatic association will eventually be eliminated. While it is certainly more secure to add explicit rules that create these associations, for Shorewall to require users to add those rules would present a gross inconvenience during a Shorewall upgrade.

To make Shorewall and kernel upgrades as smooth as possible, several new features were added in Shorewall 4.5.7:

- Shorewall automatically disables the kernel's automatic association of helpers to connections on kernel 3.5 and later.

- An automatic association of helpers with connections that performs the same function as in the pre-3.5 kernels has been added. This automatic association is controlled by the AUTOHELPERS shorewall.conf option, which is set to 'Yes' by default.

- A HELPER column has been added to /etc/shorewall/rules:

  In the NEW section: when the ACTION is ACCEPT, DNAT or REDIRECT, the specified helper is automatically associated with the connection. HELPER may be specified in action files, macros and in the rules file itself.

  In the RELATED section: the rule will only match related connections that have the named helper attached.

- The standard Macros for applications requiring a helper (FTP, IRC, etc.) have been modified to automatically specify the correct helper in the HELPER column.

- HELPER is now a valid action in /etc/shorewall/rules. This action requires that a helper be present in the HELPER column and causes the specified helper to be associated with connections matching the rule. No destination zone should be specified in HELPER rules. HELPER rules allow specification of a helper for connections that are ACCEPTed by the applicable policy.

  Example (loc->net policy is ACCEPT) - in /etc/shorewall/rules:

      #ACTION      SOURCE  DEST
      FTP(HELPER)  loc     -

  or equivalently

      #ACTION  SOURCE  DEST  PROTO  DPORT
      HELPER   loc     -     tcp    21     { helper=ftp }

- The set of enabled helpers (either by AUTOHELPERS=Yes or by the HELPER column) can be tailored using the new HELPERS option in shorewall.conf.

By making AUTOHELPERS=Yes the default, users can upgrade their systems to a 3.5+ kernel without disrupting the operation of their firewalls. Beyond such upgrades, we suggest setting AUTOHELPERS=No and following one of two strategies:

- Use the HELPER column in the rules file to enable helpers as needed (preferred); or
- Tailor the conntrack file to enable helpers on only those connections that are required.

With either of these approaches, the list of available helpers can be trimmed using the HELPERS option, and rules can be added to the RELATED section of the rules file to further restrict the effect of helpers.

The implementation of these new functions places conditional rules in the /etc/shorewall[6]/conntrack file. These rules are included conditionally based on the setting of AUTOHELPERS. Example:

    #ACTION        SOURCE  DESTINATION  PROTO  DPORT  SPORT  USER  SWITCH
    ?if $AUTOHELPERS && __CT_TARGET
    ?if __FTP_HELPER
    CT:helper:ftp  all     -            tcp    21
    ?endif
    ...
    ?endif

__FTP_HELPER evaluates to false if the HELPERS setting is non-empty and 'ftp' is not listed in that setting.

For example, if you only need FTP access from your 'loc' zone, then add this rule outside of the outer-most ?if....?endif shown above:

    #ACTION        SOURCE  DESTINATION  PROTO  DPORT  SPORT  USER  SWITCH
    ...
    CT:helper:ftp  loc     -            tcp    21

For an overview of Netfilter Helpers and Shorewall's support for dealing with them, see http://www.shorewall.net/Helpers.html. See https://home.regit.org/netfilter-en/secure-use-of-helpers/ for additional information.
FTP on Non-standard Ports

If you are running kernel 3.5 or later and Shorewall 4.5.7 or later, then please read the preceding section. You can add appropriate entries into shorewall-rules(5) or shorewall-conntrack(5) to associate the FTP helpers with a nonstandard port. Examples using port 12345:

/etc/shorewall/rules:

    #ACTION  SOURCE  DEST                PROTO  DPORT
    DNAT     net     loc:192.168.1.2:21  tcp    12345  { helper=ftp }

That entry will accept ftp connections on port 12345 from the net and forward them to host 192.168.1.2 and port 21 in the loc zone.

/etc/shorewall/conntrack:

    #ACTION        SOURCE  DESTINATION  PROTO  DPORT  SPORT  USER  SWITCH
    ...
    CT:helper:ftp  loc     -            tcp    12345

That rule automatically associates the ftp helper with TCP port 12345 from the 'loc' zone.

Otherwise, read on.

If you are running kernel 2.6.19 or earlier, replace nf_conntrack_ftp with ip_conntrack_ftp in the following instructions. Similarly, replace nf_nat_ftp with ip_nat_ftp.

The above discussion about commands and responses makes it clear that the FTP connection-tracking and NAT helpers must scan the traffic on the control connection looking for PASV and PORT commands as well as PASV responses. If you run an FTP server on a nonstandard port or you need to access such a server, you must therefore let the helpers know by specifying the port in /etc/shorewall/modules entries for the helpers. You should create /etc/shorewall/modules by copying /usr/share/shorewall/modules. You must have modularized FTP connection tracking support in order to use FTP on a non-standard port.

If you run an FTP server that listens on port 49, or you need to access a server on the Internet that listens on that port, then you would have:

    loadmodule nf_conntrack_ftp ports=21,49
    loadmodule nf_nat_ftp # NOTE: With kernels prior to 2.6.11, you must specify the ports on this line also

You MUST include port 21 in the ports list or you may have problems accessing regular FTP servers.

If there is a possibility that these modules might be loaded before Shorewall starts, then you should include the port list in /etc/modules.conf:

    options nf_conntrack_ftp ports=21,49
    options nf_nat_ftp

Once you have made these changes to /etc/shorewall/modules and/or /etc/modules.conf, you must either:

- Unload the modules and restart shorewall: rmmod nf_nat_ftp; rmmod nf_conntrack_ftp; shorewall restart
- Reboot
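The script below is an added example, not part of the Shorewall documentation, that audits the three kernel-side facts the preceding sections tell you to verify: whether both FTP helper modules are loaded, whether the kernel's automatic helper assignment is on or off (the net.netfilter.nf_conntrack_helper sysctl introduced in kernel 3.5 and present through the 5.x series), and whether the helper's port list still includes port 21. The function names are this example's own; the sysfs path for the module's ports parameter is assumed to follow the kernel's usual /sys/module/<name>/parameters/<param> layout. Inputs are passed as text so the functions can be exercised against the constructed samples; on a live firewall feed them the real command output as shown in the comments.

```shell
#!/bin/sh
# Added example (not from the Shorewall docs): audit the kernel-side prerequisites
# for FTP connection tracking. On a live host call the functions with
#   "$(lsmod)"
#   "$(cat /proc/sys/net/netfilter/nf_conntrack_helper)"      (kernels 3.5 - 5.x)
#   "$(cat /sys/module/nf_conntrack_ftp/parameters/ports)"    (assumed sysfs path)
# Function names are invented for this example.

# Constructed lsmod excerpt for the demonstration (not captured from a host).
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_ftp        9728  1 nf_nat_ftp
nf_nat_ftp              3584  0
nf_conntrack           59864  28 nf_nat_ftp,nf_conntrack_ftp'

# Print each FTP helper module that does not appear as a module name in the given
# lsmod text, one per line; print nothing and return 0 when both are loaded.
missing_ftp_helpers() {
    rc=0
    for mod in nf_conntrack_ftp nf_nat_ftp; do
        if ! printf '%s\n' "$1" | awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }'; then
            echo "$mod"
            rc=1
        fi
    done
    return $rc
}

# Interpret net.netfilter.nf_conntrack_helper:
#   1 = the kernel attaches helpers by destination port on its own (pre-3.5 behaviour)
#   0 = only connections matched by explicit CT rules get a helper, which is what
#       Shorewall 4.5.7+ sets on 3.5+ kernels and then compensates for via AUTOHELPERS
helper_assignment_mode() {
    case "$1" in
        0) echo explicit ;;
        1) echo automatic ;;
        *) echo unknown ;;
    esac
}

# Inspect the comma-separated port list the ftp helper was loaded with (its "ports="
# module parameter). Prints "ok" when 21 is present and "missing-21" otherwise,
# since leaving out the standard port breaks ordinary FTP.
ftp_helper_ports_ok() {
    printf '%s\n' "$1" | awk -F, '
        { for (i = 1; i <= NF; i++) if ($i + 0 == 21) ok = 1 }
        END { if (ok) print "ok"; else print "missing-21" }'
}

# Demonstration against the constructed inputs.
if missing=$(missing_ftp_helpers "$SAMPLE_LSMOD"); then
    echo "helper modules: loaded"
else
    echo "helper modules: missing $(printf '%s ' $missing)"
fi
echo "helper assignment: $(helper_assignment_mode 0)"
echo "ftp helper ports 21,49: $(ftp_helper_ports_ok 21,49)"
echo "ftp helper ports 49:    $(ftp_helper_ports_ok 49)"
```

Reading "explicit" from the sysctl on a 3.5+ kernel means that an FTP control connection gets the helper only if a CT rule (from AUTOHELPERS, the HELPER column or a HELPER action) matched it; "automatic" means every port-21 connection gets it regardless, which is the behaviour the Netfilter team is phasing out.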
Rules

If you run an FTP server behind your firewall and your server offers a method of specifying the external IP address of your firewall, DON'T USE THAT FEATURE OF YOUR SERVER. Using that option will defeat the purpose of the ftp helper modules and can result in a server that doesn't work.

If the policy from the source zone to the destination zone is ACCEPT and you don't need DNAT (see FAQ 30) then you need no rule. Otherwise, for FTP you need exactly one rule:

    #ACTION         SOURCE    DESTINATION    PROTO  DPORT  SPORT  ORIGDEST
    ACCEPT or DNAT  <source>  <destination>  tcp    21     -      <external IP addr> if ACTION = DNAT

You need an entry in the ORIGDEST column only if the ACTION is DNAT, you have multiple external IP addresses and you want a specific IP address to be forwarded to your server.

Note that you do NOT need a rule with 20 (ftp-data) in the DPORT column. If you post your rules on the mailing list and they show 20 in the DPORT column, we will know that you haven't read this article and will either ignore your post or tell you to RTFM.

Shorewall includes an FTP macro that simplifies creation of FTP rules. The macro source is in /usr/share/shorewall/macro.FTP. Using the macro is the preferred way to generate the rules described above. Here are a couple of examples.

Server running behind a Masquerading Gateway

Suppose that you run an FTP server on 192.168.1.5 in your local zone using the standard port (21). You need this rule:

    #ACTION    SOURCE  DESTINATION      PROTO  DPORT  SPORT  ORIGDEST
    FTP(DNAT)  net     loc:192.168.1.5

Allow your DMZ FTP access to the Internet

    #ACTION      SOURCE  DESTINATION  PROTO  DPORT  SPORT  ORIGDEST
    FTP(ACCEPT)  dmz     net

Note that the FTP connection tracking in the kernel cannot handle cases where a PORT command (or PASV reply) is broken across two packets or is missing the ending <cr>/<lf>. When such cases occur, you will see a console message similar to this one:

    Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1

or this one:

    21:37:40 insert-master kernel: [832161.057782] nf_ct_ftp: dropping packet IN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00 SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45 ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321 WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1

I see this problem occasionally with the FTP server in my DMZ. My solution is to add the following rule:

    #ACTION      SOURCE  DESTINATION  PROTO  DPORT  SPORT  ORIGDEST
    ACCEPT:info  dmz     net          tcp    -      20

The above rule accepts and logs all active mode connections from my DMZ to the net.
shorewall-docs-xml-5.2.3/Vserver.xml
Shorewall and Linux-vserver

Tom Eastep

Copyright 2010 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction

Formal support for Linux-vserver was added in Shorewall 4.4.11 Beta2. The centerpiece of that support is the vserver zone type. Vserver zones have the following characteristics:

- They are defined on the Linux-vserver host.
- The $FW zone is their implicit parent.
- Their contents must be defined using the shorewall-hosts(5) file.
- The ipsec option may not be specified.
- They may not appear in the ZONE column of the shorewall-interfaces(5) file.

Note that you don't need to run Vservers to use vserver zones; they may also be used to create a firewall sub-zone for each aliased interface.

If you use these zones, keep in mind that Linux-vserver implements a very weak form of network virtualization: from a networking point of view, vservers live on the host system. So if you are not careful, Vserver traffic to/from zone z will be controlled by the fw->z and z->fw rules and policies rather than by the vserver->z and z->vserver rules and policies.

- Outgoing connections from a vserver will not use the Vserver's address as the SOURCE IP address unless you configure the applications running in the Vserver properly. This is especially true for IPv6 applications. Such connections will appear to come from the $FW zone rather than the intended Vserver zone.

- While you can define the vservers to be associated with the network interface where their IP addresses are added at vserver startup time, Shorewall internally associates all vservers with the loopback interface (lo). Here's an example of how that association can show up:

      gateway:~# shorewall show zones
      Shorewall 4.4.11-Beta2 Zones at gateway - Fri Jul  2 12:26:30 PDT 2010

      fw (firewall)
      drct (ipv4)
         eth4:+drct_eth4
      loc (ipv4)
         eth4:0.0.0.0/0
      net (ipv4)
         eth1:0.0.0.0/0
      vpn (ipv4)
         tun+:0.0.0.0/0
      dmz (vserver)
         lo:70.90.191.124/31

      gateway:~#
Vserver Zones

This is a diagram of the network configuration here at Shorewall.net during the summer of 2010 (the diagram image is not reproduced here).

I created a zone for the vservers as follows:

/etc/shorewall/zones:

    #ZONE     TYPE      OPTIONS ...
    fw        firewall
    loc       ip        #Local Zone
    drct:loc  ipv4      #Direct internet access
    net       ipv4      #Internet
    vpn       ipv4      #OpenVPN clients
    dmz       vserver   #Vservers

/etc/shorewall/interfaces:

    ?FORMAT 2
    #ZONE  INTERFACE  OPTIONS
    net    eth1       routeback,dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp
    ...

/etc/shorewall/hosts:

    #ZONE  HOST(S)                  OPTIONS
    drct   eth4:dynamic
    dmz    eth1:70.90.191.124/31    routeback

While the IP addresses 70.90.191.124 and 70.90.191.125 are configured on eth1, the actual interface name is irrelevant so long as the interface is defined in shorewall-interfaces(5). Shorewall will consider all vserver zones to be associated with the loopback interface (lo). Note that the routeback option is required if the vservers are to be able to communicate with each other.

Once a vserver zone is defined, it can be used like any other zone type.

Here is the corresponding IPv6 configuration.

/etc/shorewall6/zones:

    #ZONE  TYPE      OPTIONS  IN_OPTIONS  OUT_OPTIONS
    fw     firewall
    net    ipv6
    loc    ipv6
    vpn    ipv6
    dmz    vserver

/etc/shorewall6/interfaces:

    ?FORMAT 2
    #ZONE  INTERFACE  OPTIONS
    net    sit1       tcpflags,forward=1,nosmurfs,routeback
    ...

/etc/shorewall6/hosts:

    #ZONE  HOST(S)                       OPTIONS
    dmz    sit1:[2001:470:e857:1::/64]

Note that I chose to place the Vservers on sit1 (the IPv6 net interface) rather than on eth1. Again, it really doesn't matter much.
Sharing an IPv6 /64 between Vservers and a LAN

I have both a /64 (2001:470:b:227::/64) and a /48 (2001:470:e857::/48) from Hurricane Electric. When I first set up my Vserver configuration, I assigned addresses from the /48 to the Vservers as shown above. Given that it is likely that when native IPv6 is available from my ISP I will only be able to afford a single /64, in February 2011 I decided to migrate my vservers to the /64. This was possible because of Proxy NDP support in Shorewall 4.4.16 and later. The new network diagram is as shown below (the diagram image is not reproduced here).

This change was accompanied by the following additions to /etc/shorewall6/proxyndp:

    #ADDRESS           INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
    2001:470:b:227::2  -          eth4      Yes        Yes
    2001:470:b:227::3  -          eth4      Yes        Yes

These two entries allow the firewall to respond to NDP requests for the two Vserver IPv6 addresses received on interface eth4.

As part of this change, the Lists vserver (OpenSuSE 10.3) was retired in favor of Mail (Debian Squeeze).
shorewall-docs-xml-5.2.3/two-interface.xml
Basic Two-Interface Firewall

Tom Eastep

Copyright 2002-2009, 2016-2017 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.4 and later. If you are running a version of Shorewall earlier than Shorewall 4.4.0 then please see the documentation for that release.
Introduction

Setting up a Linux system as a firewall for a small network is a fairly straight-forward task if you understand the basics and follow the documentation.

This guide doesn't attempt to acquaint you with all of the features of Shorewall. It rather focuses on what is required to configure Shorewall in its most common configuration:

- Linux system used as a firewall/router for a small local network.
- Single public IP address. If you have more than one public IP address, this is not the guide you want -- see the Shorewall Setup Guide instead.
- Internet connection through cable modem, DSL, ISDN, Frame Relay, dial-up ...

Here is a schematic of a typical installation:
Common two interface firewall configuration
If you edit your configuration files on a Windows system, you must save them as Unix files if your editor supports that option, or you must run them through dos2unix before trying to use them. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix against the copy before using it with Shorewall.

- Windows Version of dos2unix
- Linux Version of dos2unix
System Requirements

Shorewall requires that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the which command to check for this program:

    [root@gateway root]# which ip
    /sbin/ip
    [root@gateway root]#

I recommend that you first read through the guide to familiarize yourself with what's involved, then go back through it again making your configuration changes.
Conventions

Points at which configuration changes are recommended are flagged with an icon (not reproduced here). Configuration notes that are unique to Debian and its derivatives are marked with a Debian icon (not reproduced here).
PPTP/ADSL If you have an ADSL Modem and you use PPTP to communicate with a server in that modem, you must make the changes recommended here in addition to those detailed below. ADSL with PPTP is most commonly found in Europe, notably in Austria.
Shorewall Concepts

The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will only need to deal with a few of these as described in this guide. After you have installed Shorewall, locate the two-interfaces samples:

- If you installed using an RPM, the samples will be in the Samples/two-interfaces/ subdirectory of the Shorewall documentation directory. If you don't know where the Shorewall documentation directory is, you can find the samples using this command:

      ~# rpm -ql shorewall | fgrep two-interfaces
      /usr/share/doc/packages/shorewall/Samples/two-interfaces
      /usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
      /usr/share/doc/packages/shorewall/Samples/two-interfaces/snat
      /usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
      /usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
      /usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
      ~#

  When running Shorewall 5.0.14 or later:

      ~# rpm -ql shorewall | fgrep three-interfaces
      /usr/share/doc/packages/shorewall/Samples/three-interfaces
      /usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
      /usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
      /usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
      /usr/share/doc/packages/shorewall/Samples/three-interfaces/snat
      /usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
      ~#

- If you installed using the tarball, the samples are in the Samples/two-interfaces directory in the tarball.

- If you installed using a Shorewall 3.x .deb, the samples are in /usr/share/doc/shorewall/examples/two-interfaces. You must install the shorewall-doc package.

- If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall/examples/two-interfaces. You do not need the shorewall-doc package to have access to the samples.
Note to Debian and Ubuntu Users

If you install using the .deb, you will find that your /etc/shorewall directory is practically empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies.

As each file is introduced, I suggest that you look at the actual file on your system and that you look at the man page for that file. For example, to look at the man page for the /etc/shorewall/zones file, type man shorewall-zones at a shell prompt.

Note: Beginning with Shorewall 4.4.20.1, there are versions of the sample files that are annotated with the corresponding manpage contents. These files have names ending in '.annotated'. You might choose to look at those files instead.

Shorewall views the network where it is running as being composed of a set of zones. In the two-interface sample configuration, the following zone names are used:

    #ZONE  TYPE      OPTIONS  IN_OPTIONS  OUT_OPTIONS
    fw     firewall
    net    ipv4
    loc    ipv4

Zones are defined in the /etc/shorewall/zones file.

Note that Shorewall recognizes the firewall system as its own zone - when the /etc/shorewall/zones file is processed, the name of the firewall zone is stored in the shell variable $FW, which may be used to refer to the firewall zone throughout the Shorewall configuration.

Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.

- You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file.
- You define exceptions to those default policies in the /etc/shorewall/rules file.

For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied.
If there is a common action defined for the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std then that action is performed before the policy is applied. The purpose of the common action is two-fold:

- It silently drops or rejects harmless common traffic that would otherwise clutter up your log — broadcasts, for example.
- It ensures that traffic critical to correct operation is allowed through the firewall — ICMP fragmentation-needed, for example.

The /etc/shorewall/policy file included with the two-interface sample has the following policies:

    #SOURCE  DEST  POLICY  LOGLEVEL  LIMIT
    loc      net   ACCEPT
    net      all   DROP    info
    all      all   REJECT  info

In the two-interface sample, the line below is included but commented out. If you want your firewall system to have full access to servers on the Internet, uncomment that line.

    #SOURCE  DEST  POLICY  LOGLEVEL  LIMIT
    $FW      net   ACCEPT

The above policy will:

- Allow all connection requests from your local network to the Internet
- Drop (ignore) all connection requests from the Internet to your firewall or local network
- Optionally accept all connection requests from the firewall to the Internet (if you uncomment the additional policy)
- Reject all other connection requests.

The word info in the LOG LEVEL column for the DROP and REJECT policies indicates that packets dropped or rejected under those policies should be logged at that level.

It is important to note that Shorewall policies (and rules) refer to connections and not packet flow. With the policies defined in the /etc/shorewall/policy file shown above, connections are allowed from the loc zone to the net zone even though connections are not allowed from the loc zone to the firewall itself.

Some people want to consider their firewall to be part of their local network from a security perspective. If you want to do this, add these two policies:

    #SOURCE  DEST  POLICY  LOGLEVEL  LIMIT
    loc      $FW   ACCEPT
    $FW      loc   ACCEPT

At this point, edit your /etc/shorewall/policy and make any changes that you wish.
Network Interfaces
The firewall has two network interfaces. Where Internet connectivity is through a cable or DSL Modem, the External Interface will be the Ethernet adapter that is connected to that Modem (e.g., eth0) unless you connect via Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP), in which case the External Interface will be a ppp interface (e.g., ppp0). If you connect via a regular modem, your External Interface will also be ppp0. If you connect via ISDN, your external interface will be ippp0.
Be sure you know which interface is your external interface. Many hours have been spent floundering by users who have configured the wrong interface. If you are unsure, then as root type ip route ls at the command line. The device listed in the last (default) route should be your external interface.
Example:
root@lists:~# ip route ls
192.168.1.1 dev eth0 scope link
192.168.2.2 dev tun0 proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev br0 proto kernel scope link src 192.168.3.254
10.13.10.0/24 dev tun1 scope link
192.168.2.0/24 via 192.168.2.2 dev tun0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.254
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176
10.10.10.0/24 dev tun1 scope link
default via 206.124.146.254 dev eth0
root@lists:~#
In that example, eth0 is the external interface.
If your external interface is ppp0 or ippp0 then you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.
Your Internal Interface will be an Ethernet adapter (eth1 or eth0) and will be connected to a hub or switch. Your other computers will be connected to the same hub/switch (note: if you have only a single internal system, you can connect the firewall directly to the computer using a cross-over cable).
Do not connect the internal and external interface to the same hub or switch except for testing. You can test using this kind of configuration if you specify the arp_filter option or the arp_ignore option in /etc/shorewall/interfaces for all interfaces connected to the common hub/switch. Using such a setup with a production firewall is strongly recommended against.
Do not configure a default route on your internal interface. Your firewall should have exactly one default route via your ISP's Router.
The Shorewall two-interface sample configuration assumes that the external interface is eth0 and the internal interface is eth1. If your configuration is different, you will have to modify the sample /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interfaces. Some hints:
If your external interface is ppp0 or ippp0 or if you have a static IP address, you can remove dhcp from the option list.
If your internal interface is a bridge created using the brctl utility then you must add the routeback option to the option list.
Prior to Shorewall 5.1.9, you will also need to modify the snat and stopped rules file, replacing eth1 with the name of your internal interface.
IP Addresses
Before going further, we should say a few words about Internet Protocol (IP) addresses. Normally, your ISP will assign you a single Public IP address. This address may be assigned via the Dynamic Host Configuration Protocol (DHCP) or as part of establishing your connection when you dial in (standard modem) or establish your PPP connection. In rare cases, your ISP may assign you a static IP address; that means that you configure your firewall's external interface to use that address permanently. However your external address is assigned, it will be shared by all of your systems when you access the Internet. You will have to assign your own addresses in your internal network (the Internal Interface on your firewall plus your other computers). RFC 1918 reserves several Private IP address ranges for this purpose:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
You will want to assign your addresses from the same sub-network (subnet). For our purposes, we can consider a subnet to consist of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a Subnet Mask of 255.255.255.0. The address x.y.z.0 is reserved as the Subnet Address and x.y.z.255 is reserved as the Subnet Broadcast Address. In Shorewall, a subnet is described using Classless InterDomain Routing (CIDR) notation, which consists of the subnet address followed by /24. The 24 refers to the number of consecutive leading 1 bits from the left of the subnet mask.
Range: 10.10.10.0 - 10.10.10.255
Subnet Address: 10.10.10.0
Broadcast Address: 10.10.10.255
CIDR Notation: 10.10.10.0/24
It is conventional to assign the internal interface either the first usable address in the subnet (10.10.10.1 in the above example) or the last usable address (10.10.10.254). One of the purposes of subnetting is to allow all computers in the subnet to understand which other computers can be communicated with directly.
To communicate with systems outside of the subnetwork, systems send packets through a gateway (router). Your local computers (computer 1 and computer 2 in the above diagram) should be configured with their default gateway to be the IP address of the firewall's internal interface. The foregoing short discussion barely scratches the surface regarding subnetting and routing. If you are interested in learning more about IP addressing and routing, I highly recommend IP Fundamentals: What Everyone Needs to Know about Addressing & Routing, Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.
The remainder of this guide will assume that you have configured your network as shown here. The default gateway for computers 1 & 2 would be 10.10.10.254.
Your ISP might assign your external interface an RFC 1918 address. If that address is in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC 1918 subnet for your local network.
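The subnet arithmetic above and the caveat about an ISP-assigned RFC 1918 address can be checked with the following helper. It is an added example, not part of this guide; the addresses in it are constructed, and the external interface is given as address/prefix as your ISP assigned it.

```python
"""Added example (not from the Shorewall guide): describe a /24 the way the
text does (subnet, broadcast, mask, usable gateway addresses), detect an
overlap between the ISP-assigned external subnet and the internal subnets,
and propose a free RFC 1918 /24 if there is one.  Addresses are constructed."""
import ipaddress

# The three RFC 1918 private ranges listed above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe_subnet(cidr):
    """Subnet address, broadcast address, mask, and the two conventional
    choices for the firewall's internal address (first/last usable host)."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return {
        "subnet": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
    }


def external_collisions(external_iface, internal_subnets):
    """Internal subnets that overlap the external interface's own subnet.
    external_iface is 'address/prefix', e.g. what 'ip addr show eth0' reports."""
    ext_net = ipaddress.ip_interface(external_iface).network
    return [str(n) for n in map(ipaddress.ip_network, internal_subnets)
            if n.overlaps(ext_net)]


def pick_free_subnet(external_iface, internal_subnets, prefix=24):
    """First RFC 1918 subnet of the given length that overlaps neither the
    external subnet nor any internal subnet already in use, or None."""
    ext_net = ipaddress.ip_interface(external_iface).network
    used = [ipaddress.ip_network(n) for n in internal_subnets] + [ext_net]
    for block in RFC1918:
        for candidate in block.subnets(new_prefix=prefix):
            if not any(candidate.overlaps(u) for u in used):
                return str(candidate)
    return None


if __name__ == "__main__":
    print(describe_subnet("10.10.10.0/24"))
    # Constructed case: the ISP hands out 10.10.10.7/24, colliding with the LAN.
    clash = external_collisions("10.10.10.7/24", ["10.10.10.0/24"])
    print("collisions:", clash)
    if clash:
        print("use instead:", pick_free_subnet("10.10.10.7/24", ["10.10.10.0/24"]))
```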
IP Masquerading (SNAT)
The addresses reserved by RFC 1918 are sometimes referred to as non-routable because the Internet backbone routers don't forward packets which have an RFC-1918 destination address. When one of your local systems (let's assume computer 1 in the above diagram) sends a connection request to an Internet host, the firewall must perform Network Address Translation (NAT). The firewall rewrites the source address in the packet to be the address of the firewall's external interface; in other words, the firewall makes it appear to the destination Internet host as if the firewall itself is initiating the connection. This is necessary so that the destination host will be able to route return packets back to the firewall (remember that packets whose destination address is reserved by RFC 1918 can't be routed across the Internet so the remote host can't address its response to computer 1). When the firewall receives a return packet, it rewrites the destination address back to 10.10.10.1 and forwards the packet on to computer 1.
On Linux systems, the above process is often referred to as IP Masquerading but you will also see the term Source Network Address Translation (SNAT) used. Shorewall follows the convention used with Netfilter: Masquerade describes the case where you let your firewall system automatically detect the external interface address. SNAT refers to the case when you explicitly specify the source address that you want outbound packets from your local network to use.
In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file (/etc/shorewall/snat when running Shorewall 5.0.14 or later). You will normally use Masquerading if your external IP is dynamic and SNAT if the IP is static. If your external firewall interface is eth0, you do not need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq or /etc/shorewall/snat and change it to match your configuration.
If your external IP is static then, if you are running Shorewall 5.0.13 or earlier, you can enter your static IP in the third column in the /etc/shorewall/masq entry if you like, although your firewall will work fine if you leave that column empty (Masquerade). Entering your static IP in column 3 (SNAT) makes the processing of outgoing packets a little more efficient. When running Shorewall 5.0.14 or later, the rule in /etc/shorewall/snat must be changed from a MASQUERADE rule to an SNAT rule:
#ACTION           SOURCE   DEST   PROTO   PORT
SNAT(static-ip)   ...
If you are using the Debian package, please check your shorewall.conf file to ensure that the following is set correctly; if it is not, change it appropriately:
IP_FORWARDING=On
Logging
Shorewall does not maintain a log itself but rather relies on your system's logging configuration. The following commands rely on knowing where Netfilter messages are logged:
shorewall show log (Displays the last 20 netfilter log messages)
shorewall logwatch (Polls the log at a settable interval)
shorewall dump (Produces an extensive report for inclusion in Shorewall problem reports)
It is important that these commands work properly because when you encounter connection problems when Shorewall is running, the first thing that you should do is to look at the Netfilter log; with the help of Shorewall FAQ 17, you can usually resolve the problem quickly.
The Netfilter log location is distribution-dependent:
Debian and its derivatives log Netfilter messages to /var/log/kern.log.
Recent SuSE/OpenSuSE releases come preconfigured with syslog-ng and log netfilter messages to /var/log/firewall.
For other distributions, Netfilter messages are most commonly logged to /var/log/messages.
If you are running a distribution that logs netfilter messages to a log other than /var/log/messages, then modify the LOGFILE setting in /etc/shorewall/shorewall.conf to specify the name of your log. The LOGFILE setting does not control where the Netfilter log is maintained; it simply tells the /sbin/shorewall utility where to find the log.
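When the DROP and REJECT policies log at level info, the Netfilter log fills with kernel messages carrying Shorewall's prefix. The summariser below is an added example (not Shorewall's own tooling) that tallies those messages so the ports being probed and the noisiest sources stand out; it assumes the default LOGFORMAT of "Shorewall:%s:%s:" and uses constructed log lines in place of the LOGFILE named in shorewall.conf.

```python
"""Added example, not part of the Shorewall documentation: summarise the
Netfilter log messages emitted by Shorewall's DROP/REJECT policies.
Assumes the default LOGFORMAT="Shorewall:%s:%s:", i.e. a prefix of
Shorewall:<chain>:<disposition>: followed by the kernel's KEY=VALUE fields.
The sample lines are constructed; on a real firewall read the LOGFILE
named in shorewall.conf (/var/log/kern.log on Debian, /var/log/messages
on most others)."""
import re
from collections import Counter

# Constructed sample: four net->all drops (two SSH probes from one host, one
# SMB probe, one SIP probe), one loc->fw reject, and one unrelated kernel line.
SAMPLE_LOG = """\
Mar  5 10:15:01 fw kernel: Shorewall:net-all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=206.124.146.176 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  5 10:15:03 fw kernel: Shorewall:net-all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=206.124.146.176 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  5 10:15:09 fw kernel: Shorewall:net-all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=206.124.146.176 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2047 DF PROTO=TCP SPT=2219 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  5 10:15:30 fw kernel: Shorewall:net-all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=206.124.146.176 LEN=447 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=427
Mar  5 10:16:12 fw kernel: Shorewall:loc-fw:REJECT:IN=eth1 OUT= MAC=00:11:22:33:44:66:66:77:88:99:aa:cc:08:00 SRC=10.10.10.2 DST=10.10.10.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51234 DF PROTO=TCP SPT=50123 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  5 10:16:40 fw kernel: eth0: link up, 100Mbps, full-duplex
"""

# Shorewall prefix, then the Netfilter KEY=VALUE fields (flags such as DF and
# SYN carry no '=' and are skipped; OUT= legitimately has an empty value).
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return {'chain', 'disp', KEY: VALUE, ...} or None if the line carries
    no Shorewall log prefix (ordinary kernel messages share the same log)."""
    m = PREFIX.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disp": m.group("disp")}
    entry.update(FIELD.findall(m.group("rest")))
    return entry


def summarize(log_text):
    """Tally dispositions, (PROTO, DPT) pairs and source addresses."""
    stats = {"dispositions": Counter(), "ports": Counter(),
             "sources": Counter(), "ignored": 0}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            stats["ignored"] += 1
            continue
        stats["dispositions"][entry["disp"]] += 1
        stats["ports"][(entry.get("PROTO"), entry.get("DPT"))] += 1
        stats["sources"][entry.get("SRC")] += 1
    return stats


def report(stats, top=5):
    """Render the tallies as text, most frequent first."""
    lines = ["dispositions: " + ", ".join(
        f"{d}={n}" for d, n in stats["dispositions"].most_common())]
    lines.append("top ports:    " + ", ".join(
        f"{p}/{d}={n}" for (p, d), n in stats["ports"].most_common(top)))
    lines.append("top sources:  " + ", ".join(
        f"{s}={n}" for s, n in stats["sources"].most_common(top)))
    lines.append(f"non-Shorewall lines skipped: {stats['ignored']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

A loc-fw entry in this output is the signature of the point made under Policy: a local host talked to the firewall itself and fell through to the all/all REJECT policy because no rule accepted that port.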
Kernel Module Loading
Beginning in Shorewall 4.4.7, /etc/shorewall/shorewall.conf contains a LOAD_HELPERS_ONLY option which is set to Yes in the samples. This causes Shorewall to attempt to load the modules listed in /usr/share/shorewall/helpers. In addition, it sets sip_direct_media=0 when loading the nf_conntrack_sip module. That setting is somewhat less secure than sip_direct_media=1, but it generally makes VOIP through the firewall work much better.
The modules in /usr/share/shorewall/helpers are those that are not autoloaded. If your kernel does not support module autoloading and you want Shorewall to attempt to load all netfilter modules that it might require, then set LOAD_HELPERS_ONLY=No. That will cause Shorewall to try to load the modules listed in /usr/share/shorewall/modules. That file does not set sip_direct_media=0.
If you need to modify either /usr/share/shorewall/helpers or /usr/share/shorewall/modules then copy the file to /etc/shorewall and modify the copy. Modify the setting of LOAD_HELPERS_ONLY as necessary.
In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed, and the behavior is the same as if LOAD_HELPERS_ONLY=Yes was specified.
Port Forwarding (DNAT)
One of your goals may be to run one or more servers on your local computers. Because these computers have RFC-1918 addresses, it is not possible for clients on the Internet to connect directly to them. It is rather necessary for those clients to address their connection requests to the firewall, which rewrites the destination address to the address of your server and forwards the packet to that server. When your server responds, the firewall automatically performs SNAT to rewrite the source address in the response.
The above process is called Port Forwarding or Destination Network Address Translation (DNAT). You configure port forwarding using DNAT rules in the /etc/shorewall/rules file. For forwarding connections from the net zone to a server in the loc zone, the general form of a simple port forwarding rule in /etc/shorewall/rules is:
#ACTION   SOURCE   DEST                                            PROTO        DPORT
DNAT      net      loc:<server local ip address>[:<server port>]   <protocol>   <port>
If you want to forward traffic from the loc zone to a server in the loc zone, see Shorewall FAQ 2.
Be sure to add your rules after the line that reads SECTION NEW.
The server must have a static IP address. If you assign IP addresses to your local system using DHCP, you need to configure your DHCP server to always assign the same IP address to systems that are the target of a DNAT rule.
Shorewall has macros for many popular applications. Look at the output of shorewall show macros to see what is available in your release. Macros simplify creating DNAT rules by supplying the protocol and port(s) as shown in the following examples.
Web Server
You run a Web Server on computer 2 in the above diagram and you want to forward incoming TCP port 80 to that system:
#ACTION     SOURCE   DEST             PROTO   DPORT
Web(DNAT)   net      loc:10.10.10.2
FTP Server
You run an FTP Server on computer 1 so you want to forward incoming TCP port 21 to that system:
#ACTION     SOURCE   DEST             PROTO   DPORT
FTP(DNAT)   net      loc:10.10.10.1
For FTP, you will also need to have FTP connection tracking and NAT support in your kernel. For vendor-supplied kernels, this means that the ip_conntrack_ftp and ip_nat_ftp modules (nf_conntrack_ftp and nf_nat_ftp in later 2.6 kernels) must be loaded. Shorewall will automatically load these modules if they are available and located in the standard place under /lib/modules/<kernel version>/kernel/net/ipv4/netfilter. See the Shorewall FTP documentation for more information.
A couple of important points to keep in mind:
The Shorewall-provided macros assume that the service is using its standard port and will not work with a service listening on a non-standard port.
You must test the above rule from a client outside of your local network (i.e., don't test from a browser running on computers 1 or 2 or on the firewall). If you want to be able to access your web server and/or FTP server from inside your firewall using the IP address of your external interface, see Shorewall FAQ #2.
Many ISPs block incoming connection requests to port 80. If you have problems connecting to your web server, try the following rule and try connecting to port 5000.
#ACTION   SOURCE   DEST                PROTO   DPORT
DNAT      net      loc:10.10.10.2:80   tcp     5000
At this point, modify /etc/shorewall/rules to add any DNAT rules that you require.
When testing DNAT rules like those shown above, you must test from a client OUTSIDE YOUR FIREWALL (in the 'net' zone). You cannot test these rules from inside the firewall! For DNAT troubleshooting tips, see FAQs 1a and 1b.
For information about DNAT when there are multiple external IP addresses, see the Shorewall Aliased Interface documentation and the Shorewall Setup Guide.
Domain Name Server (DNS)
Normally, when you connect to your ISP, as part of getting an IP address your firewall's Domain Name Service (DNS) resolver will be automatically configured (e.g., the /etc/resolv.conf file will be written). Alternatively, your ISP may have given you the IP address of a pair of DNS name servers for you to manually configure as your primary and secondary name servers. Regardless of how DNS gets configured on your firewall, it is your responsibility to configure the resolver in your internal systems. You can take one of two approaches:
You can configure your internal systems to use your ISP's name servers. If your ISP gave you the addresses of their servers or if those addresses are available on their web site, you can configure your internal systems to use those addresses. If that information isn't available, look in /etc/resolv.conf on your firewall system; the name servers are given in "nameserver" records in that file.
You can configure a Caching Name Server on your firewall. Red Hat has an RPM for a caching name server (the RPM also requires the bind RPM) and for Bering users, there is dnscache.lrp. If you take this approach, you configure your internal systems to use the firewall itself as their primary (and only) name server. You use the internal IP address of the firewall (10.10.10.254 in the example above) for the name server address. To allow your local systems to talk to your caching name server, you must open port 53 (both UDP and TCP) from the local network to the firewall; you do that by adding the following rules in /etc/shorewall/rules.
#ACTION       SOURCE   DEST   PROTO   DPORT
DNS(ACCEPT)   loc      $FW
Other Connections
The two-interface sample includes the following rules:
#ACTION       SOURCE   DEST   PROTO   DPORT
DNS(ACCEPT)   $FW      net
This rule allows DNS access from your firewall and may be removed if you uncommented the line in /etc/shorewall/policy allowing all connections from the firewall to the Internet.
In the rule shown above, DNS(ACCEPT) is an example of a macro invocation. Shorewall includes a number of macros (command shorewall show macros) and you can add your own. You don't have to use defined macros when coding a rule in /etc/shorewall/rules; Shorewall will start slightly faster if you code your rules directly rather than using macros. The rule shown above could also have been coded as follows:
#ACTION   SOURCE   DEST   PROTO   DPORT
ACCEPT    $FW      net    udp     53
ACCEPT    $FW      net    tcp     53
In cases where Shorewall doesn't include a defined macro to meet your needs, you can either define the macro yourself or you can simply code the appropriate rules directly.
The sample also includes:
#ACTION       SOURCE   DEST   PROTO   DPORT
SSH(ACCEPT)   loc      $FW
That rule allows you to run an SSH server on your firewall and connect to that server from your local systems.
If you wish to enable other connections from your firewall to other systems, the general format using a macro is:
#ACTION           SOURCE   DEST                 PROTO   DPORT
<macro>(ACCEPT)   $FW      <destination zone>
The general format when not using defined macros is:
#ACTION   SOURCE   DEST                 PROTO        DPORT
ACCEPT    $FW      <destination zone>   <protocol>   <port>
Web Server on Firewall
You want to run a Web Server on your firewall system:
#ACTION       SOURCE   DEST   PROTO   DPORT
Web(ACCEPT)   net      $FW
Web(ACCEPT)   loc      $FW
Those two rules would of course be in addition to the rules listed above under You can configure a Caching Name Server on your firewall.
If you don't know what port and protocol a particular application uses, look here.
I don't recommend enabling telnet to/from the Internet because it uses clear text (even for login!).
If you want shell access to your firewall from the Internet, use SSH:
#ACTION       SOURCE   DEST   PROTO   DPORT
SSH(ACCEPT)   net      $FW
Bering users will want to add the following two rules to be compatible with Jacques's Shorewall configuration.
#ACTION   SOURCE   DEST   PROTO   DPORT
ACCEPT    loc      $FW    udp     53      #Allow DNS Cache to work
ACCEPT    loc      $FW    tcp     80      #Allow Weblet to work
Now edit your /etc/shorewall/rules file to add or delete other connections as required.
Some Things to Keep in Mind
You cannot test your firewall from the inside. Just because you send requests to your firewall external IP address does not mean that the request will be associated with the external interface or the net zone. Any traffic that you generate from the local network will be associated with your local interface and will be treated as loc->fw traffic.
IP addresses are properties of systems, not of interfaces. It is a mistake to believe that your firewall is able to forward packets just because you can ping the IP address of all of the firewall's interfaces from the local network. The only conclusion you can draw from such pinging success is that the link between the local system and the firewall works and that you probably have the local system's default gateway set correctly.
All IP addresses configured on firewall interfaces are in the $FW (fw) zone. If 192.168.1.254 is the IP address of your internal interface then you can write $FW:192.168.1.254 in a rule but you may not write loc:192.168.1.254. Similarly, it is nonsensical to add 192.168.1.254 to the loc zone using an entry in /etc/shorewall/hosts.
Reply packets do NOT automatically follow the reverse path of the one taken by the original request. All packets are routed according to the routing table of the host at each step of the way. This issue commonly comes up when people install a Shorewall firewall parallel to an existing gateway and try to use DNAT through Shorewall without changing the default gateway of the system receiving the forwarded requests. Requests come in through the Shorewall firewall where the destination IP address gets rewritten but replies go out unmodified through the old gateway.
Shorewall itself has no notion of inside or outside. These concepts are embodied in how Shorewall is configured.
Starting and Stopping Your Firewall
The installation procedure configures your system to start Shorewall at system boot but startup is disabled so that your system won't try to start Shorewall before configuration is complete. Once you have completed configuration of your firewall, you must edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes. Users of the .deb package must edit /etc/default/shorewall and set startup=1.
While you are editing shorewall.conf, it is a good idea to check the value of the SUBSYSLOCK option. You can find a description of this option by typing 'man shorewall.conf' at a shell prompt and searching for SUBSYSLOCK.
The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped (Shorewall 4.5.7 and earlier) or in /etc/shorewall/stoppedrules. A running firewall may be restarted using the shorewall reload command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear.
The two-interface sample assumes that you want to enable routing to/from eth1 (the local network) when Shorewall is stopped. If your local network isn't connected to eth1 or if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped accordingly.
If you are connected to your firewall from the Internet, do not issue a shorewall stop command unless you have either:
Used ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf; or
added an entry for the IP address that you are connected from to /etc/shorewall/routestopped.
Also, I don't recommend using shorewall reload; it is better to create an alternate configuration and test it using the shorewall try command.
The firewall will start after your network interfaces have been brought up.
This leaves a small window between the time that the network interfaces are working and when the firewall is controlling connections through those interfaces. If this is a concern, you can close that window by installing the Shorewall Init Package.
If it Doesn't Work Re-check each of the items flagged with a red arrow above. Check your log. Check the Troubleshooting Guide. Check the FAQ.
Disabling your existing Firewall
Before starting Shorewall for the first time, it's a good idea to stop your existing firewall.
On older Redhat/CentOS/Fedora:
service iptables stop
On recent Fedora systems that run systemd, the command is:
systemctl stop iptables.service
If you are running SuSE, use Yast or Yast2 to stop SuSEFirewall.
On other systems that use a classic SysV init system:
/etc/init.d/iptables stop
Once you have Shorewall running to your satisfaction, you should totally disable your existing firewall.
On older Redhat/CentOS/Fedora:
chkconfig --del iptables
On Debian systems:
update-rc.d iptables disable
On recent Fedora systems running systemd:
systemctl disable iptables.service
At this point, disable your existing firewall service.
Additional Recommended Reading
I highly recommend that you review the Common Configuration File Features page; it contains helpful tips about Shorewall features that make administering your firewall easier. Also, Operating Shorewall and Shorewall Lite contains a lot of useful operational hints.
Adding a Wireless Segment to your Two-Interface Firewall
Once you have the two-interface setup working, the next logical step is to add a Wireless Network. The first step involves adding an additional network card to your firewall, either a Wireless card or an Ethernet card that is connected to a Wireless Access Point.
When you add a network card, it won't necessarily be detected as the next highest Ethernet interface. For example, if you have two Ethernet cards in your system (eth0 and eth1) and you add a third card that uses the same driver as one of the other two, that third card won't necessarily be detected as eth2; it could rather be detected as eth0 or eth1! You can either live with that or you can shuffle the cards around in the slots until the new card is detected as eth2.
Update: Distributions are getting better about this. SuSE now associates a unique interface name with each MAC address. Other distributions have add-on packages to manage the relationship between MAC addresses and device names.
Your new network will look similar to what is shown in the following figure. The first thing to note is that the computers in your wireless network will be in a different subnet from those on your wired local LAN. In the above example, we have chosen to use the network 10.10.11.0/24. Computers 3 and 4 would be configured with a default gateway IP address of 10.10.11.254.
Second, we have chosen to include the wireless network as part of the local zone. Since Shorewall allows intra-zone traffic by default, traffic may flow freely between the local wired network and the wireless network.
There are only two changes that need to be made to the Shorewall configuration:
An entry needs to be added to /etc/shorewall/interfaces for the wireless network interface. If the wireless interface is wlan0, the entry might look like:
#ZONE   INTERFACE   OPTIONS
loc     wlan0       maclist
As shown in the above entry, I recommend using the maclist option for the wireless segment.
By adding entries for computers 3 and 4 in /etc/shorewall/maclist, you help ensure that your neighbors aren't getting a free ride on your Internet connection. Start by omitting that option; when you have everything working, then add the option and configure your /etc/shorewall/maclist file.
You may need to add an entry to the /etc/shorewall/masq file to masquerade traffic from the wireless network to the Internet. If your file looks like this:
#INTERFACE   SOURCE              ADDRESS   PROTO   DPORT   IPSEC   MARK
eth0         10.0.0.0/8,\
             169.254.0.0/16,\
             172.16.0.0/12,\
             192.168.0.0/16
or if you are running Shorewall 5.0.14 or later, then you do not need to change the contents. Otherwise, if your Internet interface is eth0 and your wireless interface is wlan0, the entry would be:
#INTERFACE   SOURCE          ADDRESS
eth0         10.10.11.0/24
One other thing to note. To get Microsoft networking working between the wireless and wired networks, you will need either a WINS server or a PDC. I personally use Samba configured as a WINS server running on my firewall. Running a WINS server on your firewall requires the rules listed in the Shorewall/Samba documentation.
Shorewall-perl Tom Eastep 2007 2009 2012 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Shorewall-perl - What is it?
Shorewall-perl was released as a companion product to Shorewall in Shorewall 4.0.0. Shorewall-perl contained a re-implementation of the Shorewall compiler written in Perl. The advantages of using Shorewall-perl over Shorewall-shell (the shell-based compiler included in earlier Shorewall 3.x releases) were:
The Shorewall-perl compiler was much faster.
The script generated by the compiler used iptables-restore to instantiate the Netfilter configuration. So it ran much faster than the script generated by the Shorewall-shell compiler and did not stop new connections during shorewall restart.
The Shorewall-perl compiler did more thorough checking of the configuration than the Shorewall-shell compiler did.
The error messages produced by the compiler were better, more consistent and always included the file name and line number where the error was detected.
Going forward, the Shorewall-perl compiler got all enhancements; the Shorewall-shell compiler only got those enhancements that were easy to retrofit.
Beginning with Shorewall 4.3.5, Shorewall-perl is an integral part of Shorewall and support for Shorewall-shell has been discontinued.
Shorewall-perl - The down side While there are significant advantages to using Shorewall-perl, there are also disadvantages.
Incompatibilities
There are a number of incompatibilities between the Shorewall-perl compiler and the earlier one.
The Perl-based compiler requires multiport match in your kernel and iptables.
BRIDGING=Yes is not supported. The kernel code necessary to support this option was removed in Linux kernel 2.6.20. Alternative bridge support is provided by Shorewall-perl.
DYNAMIC_ZONES=Yes is not supported in Shorewall-perl 4.2. Use an ipset to define your dynamic zones. In Shorewall 4.4, dynamic zone support based on ipsets was added to Shorewall.
The BROADCAST column in the interfaces file is essentially unused if your kernel/iptables has Address Type Match support. If that support is present and you enter anything in this column but '-' or 'detect', you will receive a warning.
The 'refresh' command is now similar to restart with the exceptions that:
The command fails if Shorewall is not running.
A directory name cannot be specified in the command.
The refresh command does not alter the Netfilter configuration except for the static blacklist (it also refreshes the mangle table, beginning with Shorewall 4.2.0).
With the shell-based compiler, extension scripts were copied into the compiled script and executed at run-time. In many cases, this approach doesn't work with Shorewall-perl because (almost) the entire rule set is built by the compiler. As a result, Shorewall-perl runs some extension scripts at compile-time rather than at run-time. Because the compiler is written in Perl, your extension scripts from earlier versions will no longer work. The following table summarizes when the various extension scripts are run:
Compile-time (must be written in Perl): initdone, maclog, per-chain scripts (including those associated with actions)
Run-time: clear, init, start, started, stop, stopped, tcclear
Eliminated: continue
Compile-time extension scripts are executed using the Perl 'eval `cat <file>`' mechanism.
Be sure that each script returns a 'true' value; otherwise, the Shorewall-perl compiler will assume that the script failed and will abort the compilation.
When a script is invoked, the $chainref scalar variable will usually hold a reference to a chain table entry.
$chainref->{name} contains the name of the chain
$chainref->{table} holds the table name
To add a rule to the chain:
add_rule $chainref, the-rule
where the-rule is a scalar argument holding the rule text. Do not include "-A chain-name".
Example:
add_rule $chainref, '-j ACCEPT';
To insert a rule into the chain:
insert_rule $chainref, rulenum, the-rule
The log_rule_limit function works like it does in the shell compiler with three exceptions:
You pass the chain reference rather than the name of the chain.
The commands are 'add' and 'insert' rather than '-A' and '-I'.
There is only a single "pass as-is to iptables" argument (so you must quote that part).
Example:
log_rule_limit 'info' ,
               $chainref ,
               $chainref->{name},
               'DROP' ,
               '' ,          # Limit
               '' ,          # Log tag
               'add' ,
               '-p tcp ';
Here is an example of an actual initdone script used with Shorewall 3.4:
run_iptables -t mangle -I PREROUTING -p esp -j MARK --set-mark 0x50
run_iptables -t filter -I INPUT -p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT
run_iptables -t filter -I OUTPUT -p udp --sport 1701 -j ACCEPT
Here is the corresponding script used with Shorewall-perl:
use Shorewall::Chains;
insert_rule $mangle_table->{PREROUTING}, 1, "-p esp -j MARK --set-mark 0x50";
insert_rule $filter_table->{INPUT}, 1, "-p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT";
insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
1;
The initdone script is unique because the $chainref variable is not set before the script is called. The above script illustrates how the $mangle_table, $filter_table, and $nat_table references can be used to add or insert rules in arbitrary chains.
- The /etc/shorewall/tos file now has zone-independent SOURCE and DEST columns as do all other files except the rules and policy files.

  The SOURCE column may be one of the following:

      [all:]<address>[,...]
      [all:]<interface>[:<address>[,...]]
      $FW[:<address>[,...]]

  The DEST column may be one of the following:

      [all:]<address>[,...]
      [all:]<interface>[:<address>[,...]]

  This is a permanent change. The old zone-based rules have never worked right and this is a good time to replace them. I've tried to make the new syntax cover the most common cases without requiring change to existing files. In particular, it will handle the tos file released with Shorewall 1.4 and earlier.

- Shorewall-perl insists that ipset names begin with a letter and be composed of alphanumeric characters and underscores (_). When used in a Shorewall configuration file, the name must be preceded by a plus sign (+) as with the shell-based compiler.

- From Shorewall-perl 4.0.0 through Shorewall 4.4.5, Shorewall was out of the ipset load/reload business with the exception of ipsets used for dynamic zones:
  With scripts generated by the Perl-based compiler, the Netfilter rule set is never cleared. That means that there is no opportunity for Shorewall to load/reload your ipsets since that cannot be done while there are any current rules using ipsets. So:

  - Your ipsets must be loaded before Shorewall starts. You are free to try to do that with the following code in /etc/shorewall/init (it works for me; your mileage may vary):

        if [ "$COMMAND" = start ]; then
            ipset -U :all: :all:
            ipset -U :all: :default:
            ipset -F
            ipset -X
            ipset -R < /etc/shorewall/ipsets
        fi

    The file /etc/shorewall/ipsets will normally be produced using the ipset -S command. I have this in my /etc/shorewall/stop file:

        if ipset -S > /etc/shorewall/ipsets.tmp; then
            mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
            mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
        fi

    The above extension scripts will work most of the time but will fail in a shorewall stop - shorewall start sequence if you use ipsets in your routestopped file (see below).

  - Your ipsets may not be reloaded until Shorewall is stopped or cleared.

  - If you specify ipsets in your routestopped file then Shorewall must be cleared in order to reload your ipsets.

  As a consequence, scripts generated by the Perl-based compiler will ignore /etc/shorewall/ipsets and will issue a warning if you set SAVE_IPSETS=Yes in shorewall.conf.
Beginning with Shorewall 4.4.6 (and 4.5.3), SAVE_IPSETS=Yes is once again supported. See shorewall.conf(5).
- Because the configuration files (with the exception of /etc/shorewall/params) are now processed by the Shorewall-perl compiler rather than by the shell, only the basic forms of shell expansion ($variable and ${variable}) are supported. The more exotic forms such as ${variable:=default} are not supported. Both variables defined in /etc/shorewall/params and environment variables (exported by the shell) can be used in configuration files.

- USE_ACTIONS=No is not supported. That option is intended to minimize Shorewall's footprint in embedded applications. As a consequence, Default Macros are not supported by Shorewall-perl.

- DELAYBLACKLISTLOAD=Yes is not supported. The entire rule set is atomically loaded with one execution of iptables-restore.

- MAPOLDACTIONS=Yes is not supported. People should have converted to using macros by now.

- The pre Shorewall-3.0 format of the zones file is not supported (IPSECFILE=ipsec); neither is the /etc/shorewall/ipsec file.

- BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. This combination doesn't work in previous versions of Shorewall so the Perl-based compiler simply rejects it.

- Shorewall-perl has a single rule generator that is used for all rule-oriented files. This implementation enforces consistency of syntax between files. With shorewall-shell, there is a special syntax in the SOURCE column of /etc/shorewall/masq to designate "all traffic entering the firewall on this interface except...". Example:

      #INTERFACE   SOURCE              ADDRESSES
      eth0         eth1!192.168.4.9    ...

  Shorewall-perl uses syntax that is consistent with the rest of Shorewall:

      #INTERFACE   SOURCE              ADDRESSES
      eth0         eth1:!192.168.4.9   ...

- The 'allowoutUPnP' built-in action is no longer supported. In kernel 2.6.14, the Netfilter team removed support for '-m owner --owner-cmd', which that action depended on.

- The PKTTYPE option is ignored by Shorewall-perl. Shorewall-perl will use Address Type match if it is available; otherwise, it will behave as if PKTTYPE=No had been specified.
- Shorewall-perl detects dead policy file entries that result when an entry is masked by an earlier, more general entry. Example:

      #SOURCE   DEST   POLICY   LOG LEVEL
      all       all    REJECT   info
      loc       net    ACCEPT

  Shorewall-shell silently accepts the above even though the loc->net policy is useless. Shorewall-perl generates a fatal compilation error.

- In the SOURCE column of the rules file, when an interface name is followed by a list of IP addresses, the behavior of Shorewall-perl differs from that of Shorewall-shell. Example:

      #ACTION   SOURCE                              DEST   PROTO   DEST
      #                                                            PORT(S)
      ACCEPT    loc:eth0:192.168.1.3,192.168.1.5    $FW    tcp     22

  With Shorewall-shell, this rule accepts SSH connections to the firewall from 192.168.1.3 through eth0 or from 192.168.1.5 through any interface. With Shorewall-perl, the rule accepts SSH connections through eth0 from 192.168.1.3 and through eth0 from 192.168.1.5. Shorewall-shell supports this syntax that gives the same result as Shorewall-perl:

      #ACTION   SOURCE                                   DEST   PROTO   DEST
      #                                                                 PORT(S)
      ACCEPT    loc:eth0:192.168.1.3,eth0:192.168.1.5    $FW    tcp     22

  Shorewall-perl does not support this alternative syntax.

- Shorewall-perl gives a warning if a zone name is entered in the DEST column of a nonat rule. Nonat rules include:
  - DNAT-
  - REDIRECT-
  - NONAT

  So rather than this:

      #ACTION   SOURCE   DEST                PROTO   DEST PORT(S)
      DNAT-     net      loc:192.168.1.3     tcp     21

  you instead want:

      #ACTION   SOURCE   DEST                PROTO   DEST PORT(S)
      DNAT-     net      192.168.1.3         tcp     21

- Supplying an interface name in the SOURCE column of /etc/shorewall/masq is deprecated as of Shorewall 4.4. Entering the name of an interface there will result in a compile-time warning:

      WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts

  To avoid this warning, replace interface names by the corresponding network(s) in CIDR format (e.g., 192.168.144.0/24).
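As an added example (not part of the Shorewall documentation or code base), the following POSIX shell/awk check reproduces the dead-policy detection described above: it reports any policy entry whose SOURCE and DEST are already covered by an earlier entry, the situation Shorewall-perl rejects at compile time. It assumes the SOURCE DEST POLICY column layout shown above and treats only the literal 'all' as the wildcard (zone lists and 'any' are not handled).

```shell
#!/bin/sh
# Added example, not Shorewall project code.
# check_dead_policies <policy-file>
#   Prints one line per masked (dead) entry and exits 1 if any were found,
#   exits 0 otherwise.  An entry is masked when an earlier entry has a
#   SOURCE that is 'all' or identical, and a DEST that is 'all' or identical.
check_dead_policies() {
    awk '
        # Drop comments; skip blank lines and lines without SOURCE DEST POLICY.
        { sub(/#.*/, ""); if (NF < 3) next }
        {
            src = $1; dst = $2; masked = 0
            for (i = 1; i <= n; i++) {
                if ((S[i] == "all" || S[i] == src) && (D[i] == "all" || D[i] == dst)) {
                    printf "dead policy at line %d: %s %s %s (masked by line %d: %s %s)\n", NR, src, dst, $3, L[i], S[i], D[i]
                    masked = 1; found = 1
                    break
                }
            }
            # Only live entries can mask later ones.
            if (!masked) { n++; S[n] = src; D[n] = dst; L[n] = NR }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}
```

Run it against a policy file before handing the configuration to the compiler; a non-zero exit means Shorewall-perl would refuse the same file.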
Dependence on Perl

Shorewall-perl is dependent on Perl, which has a large disk footprint. This makes Shorewall-perl less desirable in an embedded environment. The best way to work around this limitation is to install Shorewall-perl on an administrative system and employ Shorewall-lite on your embedded systems.

Shorewall-perl will run on Windows under Cygwin and on an Apple Macintosh running OS X. Install from a shell prompt using the install.sh script.
Installing Shorewall Version 4.0 or 4.2

Shorewall 4.2 contains six packages, four of which are also included in Shorewall 4.0:

- Shorewall-shell - the old shell-based compiler and related components.
- Shorewall-perl - the new Perl-based compiler.
- Shorewall-common - the part of Shorewall common to both compilers.
- Shorewall-lite - same as the 3.4 version of Shorewall Lite. Can run scripts generated by either Shorewall-perl or Shorewall-shell.
- Shorewall6 - the utilities for creating and operating an IPv6 firewall. Requires Shorewall-perl and Shorewall-common. Introduced in Shorewall 4.2.4.
- Shorewall6-lite - IPv6 equivalent of Shorewall Lite. Can run scripts generated by Shorewall-perl 4.2.4 and later.

If you upgrade to Shorewall Version 4.0 or 4.2, you must install Shorewall-shell and/or Shorewall-perl; in fact, if you are using the tarball for your installation, you must install Shorewall-shell and/or Shorewall-perl before you upgrade Shorewall. See the upgrade issues for details.
Compiler Selection (Shorewall 4.0-4.2)

If you only install one compiler, then that compiler will be used. If you install both compilers, then the compiler actually used for IPv4 depends on the SHOREWALL_COMPILER setting in shorewall.conf. The value of this new option can be either 'perl' or 'shell'.

If you add 'SHOREWALL_COMPILER=perl' to /etc/shorewall/shorewall.conf then by default, the new compiler will be used on the system. If you add it to shorewall.conf in a separate directory (such as a Shorewall-lite export directory) then the new compiler will only be used when you compile from that directory.

If you only install one compiler, it is suggested that you do not set SHOREWALL_COMPILER.

If both compilers are installed, you can select the compiler to use on the command line using the -C option:

- '-C shell' means use the shell compiler
- '-C perl' means use the perl compiler

The -C option overrides the setting in shorewall.conf. Example:

    shorewall restart -C perl

When the Shorewall-perl compiler has been selected, the params file is processed using the shell option which causes all variables set within the file to be exported automatically by the shell. The Shorewall-perl compiler uses the current environment variables to perform variable expansion within the other Shorewall configuration files.
The Shorewall Perl Modules

In Shorewall 4.4 and later, Shorewall's Perl modules are installed by default in /usr/share/shorewall/Shorewall and the names of the packages are of the form Shorewall::name. So by using this directive

    use lib '/usr/share/shorewall';

you can then load the modules via normal Perl use statements.
/usr/share/shorewall/compiler.pl

While the compiler is normally run indirectly using /sbin/shorewall, it can be run directly as well.

    compiler.pl [ option ... ] [ filename ]

If a filename is given, then the configuration will be compiled and the output placed in the named file. If filename is not given, then the configuration will simply be syntax checked.

Options are:

-v<verbosity>, --verbosity=<verbosity>
    The <verbosity> is a number between 0 and 2 and corresponds to the VERBOSITY setting in shorewall.conf. This setting controls the verbosity of the compiler itself. The VERBOSITY setting in the shorewall.conf file read by the compiler will determine the default verbosity for the compiled program.

-e, --export
    If given, the configuration will be compiled for export to another system.

-d <directory>, --directory=<directory>
    If this option is omitted, the configuration in /etc/shorewall is compiled/checked. Otherwise, the configuration in the named directory will be compiled/checked.

-t, --timestamp
    If given, each progress message issued by the compiler and by the compiled program will be timestamped.

--debug
    If given, when a warning or error message is issued, it is supplemented with a stack trace. Requires the Carp Perl module.

--refresh=<chainlist>
    If given, the compiled script's 'refresh' command will refresh the chains in the comma-separated <chainlist> rather than 'blacklst'.

--log=<logfile>
    If given, the compiler will log to this file provided that --log_verbosity is > -1.

--log_verbosity=-1|0|1|2
    If given, controls the verbosity of logging to the log specified by the --log parameter.

-f=4|6, --family=4|6
    Specifies whether an IPv4 or an IPv6 firewall is to be created.

--preview
    Added in Shorewall 4.4.6. If no filename is given, this option causes the generated iptables-restore input to be displayed on standard output.

-c, --confess
    Added in Shorewall 4.4.20. Causes error and warning messages to include a Perl stack trace.
    Useful for finding the place in the code where the message is generated.

-u, --update
    Added in Shorewall 4.4.21. Causes the .conf file to be updated (shorewall update command).

-a, --annotate
    Added in Shorewall 4.4.21. Causes the updated .conf file to be annotated with documentation. Ignored unless --update is also specified.

--convert
    Added in Shorewall 4.4.26. Causes the compiler to convert an existing blacklist file into an equivalent blrules file.

--config_path=path[:path]...
    Added in Shorewall 4.4.26. Search path for configuration files.

--shorewallrc=path
    Added in Shorewall 4.5.1. Specifies the location of the shorewallrc file.

Example (compiles the configuration in the current directory generating a script named 'firewall' and using VERBOSITY 2):

    /usr/share/shorewall/compiler.pl -v 2 -d . firewall

Prior to Shorewall 4.4.19, the Perl-based compiler did not process /etc/shorewall/params. To include definitions in that file, you would need to do something like the following:

    . /usr/share/shorewall/lib.base   # In case /etc/shorewall/params does INCLUDE
    set -a                            # Export all variables set in /etc/shorewall/params
    . /etc/shorewall/params
    set +a
    /usr/share/shorewall/compiler.pl ...
Shorewall::Compiler

To avoid a proliferation of parameters to Shorewall::Compiler::compile(), that function uses named parameters. Parameter names are:

script
    ('object' is also accepted but deprecated) Output script file. If omitted or '', the configuration is syntax checked.

directory
    Directory. If omitted or '', configuration files are located using CONFIG_PATH. Otherwise, the directory named by this parameter is searched first.

verbosity
    Verbosity; range -1 to 2.

timestamp
    0|1 -- timestamp messages.

debug
    0|1 -- include stack trace in warning/error messages.

export
    0|1 -- compile for export.

chains
    List of chains to be reloaded by 'refresh'.

log
    File to log compiler messages to.

log_verbosity
    Log verbosity; range -1 to 2.

family
    Address family: 4 or 6.

preview
    0 or 1. Added in Shorewall 4.4.6. A value of 1 causes the generated ruleset to be printed to standard output.

confess
    0 or 1. Added in Shorewall 4.4.20. A value of 1 causes error and warning messages to include a Perl stack trace. Useful for finding the place in the code where the message is generated.

update
    0 or 1. Added in Shorewall 4.4.21. A value of 1 causes the .conf file to be updated (shorewall update command).

config_path
    List of pathnames separated by ':' or ''. Added in Shorewall 4.4.26. The list of directories where the compiler is to search for input files.

shorewallrc
    Pathname of the global shorewallrc file. Added in Shorewall 4.5.1.

shorewallrc1
    Pathname of the export shorewallrc file. Added in Shorewall 4.5.8.

Those parameters that are supplied must have defined values. Defaults are:

    script:        '' ('check' command)
    directory:     ''
    verbosity:     1
    timestamp:     0
    debug:         0
    export:        0
    chains:        ''
    log:           ''
    log_verbosity: -1
    family:        4
    preview:       0
    confess:       0
    update:        0
    config_path:   Contents of /var/lib/shorewall/configpath or /var/lib/shorewall6/configpath depending on the setting of family.
    shorewallrc:   ''
Example:

    use lib '/usr/share/shorewall/';
    use Shorewall::Compiler;

    compiler( script        => '/root/firewall',
              log           => '/root/compile.log',
              log_verbosity => 2 );
Shorewall::Chains

    use lib '/usr/share/shorewall';
    use Shorewall::Chains;

    my $chainref1 = new_chain $table, $name1;

    add_rule $chainref1, $rule;

    insert_rule $chainref1, $ordinal, $rule;

    my $chainref2 = new_manual_chain $name3;

    my $chainref3 = ensure_manual_chain $name;

    log_rule_limit $level, $chainref3, $name, $disposition, $limit, $tag, $command, $predicates;

    my $chainref4 = $chain_table{$table}{$name};
    my $chainref5 = $nat_table->{$name};
    my $chainref6 = $mangle_table->{$name};
    my $chainref7 = $filter_table->{$name};

Shorewall::Chains is Shorewall-perl's interface to iptables/netfilter. It creates a chain table (%chain_table) which is populated as the various tables are processed. The table (actually a hash) is two-dimensional with the first dimension being the Netfilter table name (raw, mangle, nat and filter) and the second dimension being the chain name. Each entry is a hash reference; the hash defines the attributes of the chain. See the large comment at the beginning of the module (/usr/share/shorewall-perl/Shorewall/Chains.pm).

The module exports the chain table along with three hash references into the table:

$nat_table
    Reference to the 'nat' portion of the table ($chain_table{nat}). This is a hash whose key is the chain name. This variable is not set when an IPv6 firewall is being created.

$mangle_table
    Reference to the 'mangle' portion of the table ($chain_table{mangle}). This is a hash whose key is the chain name.

$filter_table
    Reference to the 'filter' portion of the table ($chain_table{filter}). This is a hash whose key is the chain name.

You can create a new chain in any of the tables using new_chain(). Arguments to the function are:

$table
    'nat', 'mangle', or 'filter'.

$name
    Name of the chain to create.

The function creates a hash at $chain_table{$table}{$name} and populates the hash with default values. A reference to the hash is returned.

Each chain table entry includes a list of rules to be added to the chain.
These rules are written to the iptables-restore input file when the resulting script is executed. To append a rule to that list, call add_rule(). Arguments are:

$chainref
    A reference to the chain table entry.

$rule
    The rule to add. Do not include the leading '-A ' in this argument -- it will be supplied by the function.

To insert a rule into that list, call insert_rule(). Arguments are:

$chainref
    A reference to the chain table entry.

$ordinal
    The position of the inserted rule in the list. A value of 1 inserts the rule at the head of the list, a value of 2 places the rule second in the list, and so on.

$rule
    The rule to add. Do not include the leading '-I' in this argument -- it will be supplied by the function.

To create a manual chain, use the new_manual_chain() function. The function accepts a single argument which is the name of the chain. The function returns a reference to the resulting chain table entry.

A companion function, ensure_manual_chain(), can be called when a manual chain of the desired name may have already been created. If a manual chain table entry with the passed name already exists, a reference to the chain table entry is returned. Otherwise, the function calls new_manual_chain() and returns the result.

To create a logging rule, call log_rule_limit(). Arguments are:

$level
    The log level. May be specified as a name or as a number.

$chainref
    Chain table reference for the chain to which the rule is to be added.

$name
    The chain name to be reported in the log message (see LOGFORMAT in shorewall.conf(5)).

$disposition
    The disposition to be reported in the log message (see LOGFORMAT in shorewall.conf(5)).

$limit
    Rate limiting match. If an empty string is passed, the LOGRATE/LOGBURST (shorewall.conf(5)) is used.

$tag
    Log tag.

$command
    If 'add', append the log rule to the chain. If 'insert', then insert the rule at the beginning of the chain.

$predicates
    Any additional matches that are to be applied to the rule.
Shorewall::Config

    use lib '/usr/share/shorewall';
    use Shorewall::Config;

    warning_message "This entry is bogus";

    fatal_error "You have made an error";

    progress_message  "This will only be seen if VERBOSITY >= 2";
    progress_message2 "This will only be seen if VERBOSITY >= 1";
    progress_message3 "This will be seen unless VERBOSITY < 0";

The shorewall() function may be optionally included:

    use lib '/usr/share/shorewall';
    use Shorewall::Config qw/shorewall/;

    shorewall $config_file_entry;

The Shorewall::Config module provides basic services to Shorewall-perl. By default, it exports the functions that produce progress messages and warning/error messages.

To issue a warning message, call warning_message(). The single argument describes the warning.

To raise a fatal error, call fatal_error(). Again, the single argument describes the error.

In both cases, the function will augment the warning/error with the current configuration file and line number, if any. fatal_error() raises an exception via either confess() or die(), depending on whether the debugging stack trace is enabled or not.

The three 'progress message' functions conditionally produce output depending on the current verbosity setting.

The shorewall() function is used by embedded Perl scripts to generate entries to be included in the current configuration file.
Shorewall Lite and Compiled Firewall Programs

Tom Eastep

2006-2010 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation appropriate for your version.
Overview Shorewall has the capability to compile a Shorewall configuration and produce a runnable firewall program script. The script is a complete program which can be placed on a system with Shorewall Lite installed and can serve as the firewall creation script for that system.
Shorewall Lite

Shorewall Lite is a companion product to Shorewall and is designed to allow you to maintain all Shorewall configuration information on a single system within your network.

1. You install the full Shorewall release on one system within your network. You need not configure Shorewall there and you may totally disable startup of Shorewall in your init scripts. For ease of reference, we call this system the 'administrative system'.

   The administrative system may be a GNU/Linux system, a Windows system running Cygwin or an Apple Macintosh running OS X. Install from a shell prompt using the install.sh script.

2. On each system where you wish to run a Shorewall-generated firewall, you install Shorewall Lite. For ease of reference, we will call these systems the 'firewall systems'. The firewall systems do NOT need to have the full Shorewall product installed but rather only the Shorewall Lite product.

   Shorewall and Shorewall Lite may be installed on the same system but that isn't encouraged.

3. On the administrative system you create a separate 'export directory' for each firewall system. You copy the contents of /usr/share/shorewall/configfiles into each export directory.

   Users of Debian and derivatives that install the package from their distribution will be disappointed to find that /usr/share/shorewall/configfiles does not exist on their systems. They will instead need to either:

   - Copy the files in /usr/share/doc/shorewall/default-config/ into each export directory. Copy /etc/shorewall/shorewall.conf into each export directory and remove /etc/shorewall from the CONFIG_PATH setting in the copied files.

   or

   - Download the Shorewall tarball corresponding to their package version. Untar and copy the files from the configfiles sub-directory in the untarred shorewall-... directory.
   After copying, you may need to change two settings in the copy of shorewall.conf:

   - Remove /etc/shorewall (/etc/shorewall6) from the setting of CONFIG_PATH
   - STARTUP_LOG=/var/log/shorewall-lite-init.log

   Older versions of Shorewall included copies of shorewall.conf with these settings already modified. This practice was discontinued in Shorewall 4.4.20.1.

   The /etc/shorewall/shorewall.conf file is used to determine the VERBOSITY setting which determines how much output the compiler generates. All other settings are taken from the shorewall.conf file in the remote system's export directory.

   If you want to be able to allow non-root users to manage remote firewall systems, then the files /etc/shorewall/params and /etc/shorewall/shorewall.conf must be readable by all users on the administrative system. Not all packages secure the files that way and you may have to change the file permissions yourself.

4. On each firewall system, if you are running Debian or one of its derivatives like Ubuntu then edit /etc/default/shorewall-lite and set startup=1.

5. On the administrative system, for each firewall system you do the following (this may be done by a non-root user who has root ssh access to the firewall system):

   a. Modify the files in the corresponding export directory appropriately (i.e., just as you would if you were configuring Shorewall on the firewall system itself). It's a good idea to include the IP address of the administrative system in the stoppedrules file.

      It is important to understand that with Shorewall Lite, the firewall's export directory on the administrative system acts as /etc/shorewall for that firewall. So when the Shorewall documentation gives instructions for placing entries in files in the firewall's /etc/shorewall, when using Shorewall Lite you make those changes in the firewall's export directory on the administrative system.
      The CONFIG_PATH variable is treated as follows:

      - The value of CONFIG_PATH in /etc/shorewall/shorewall.conf is ignored when compiling for export (the -e option is given) and when the load or reload command is being executed (see below).
      - The value of CONFIG_PATH in the shorewall.conf file in the export directory is used to search for configuration files during compilation of that configuration.
      - The value of CONFIG_PATH used when the script is run on the firewall system is "/etc/shorewall-lite:/usr/share/shorewall-lite".

   b. Load the compiled script onto the firewall:

          cd <export directory>
          /sbin/shorewall load firewall

      The load command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and starts Shorewall Lite on the remote system via ssh. Example (firewall's DNS name is 'gateway'):

          /sbin/shorewall load gateway

      Although scp and ssh are used by default, you can use other utilities by setting RSH_COMMAND and RCP_COMMAND in /etc/shorewall/shorewall.conf.

      The first time that you issue a load command, Shorewall will use ssh to run /usr/share/shorewall-lite/shorecap on the remote firewall to create a capabilities file in the firewall's administrative directory. See below.

   c. If you later need to change the firewall's configuration, change the appropriate files in the firewall's export directory then:

          cd <export directory>
          /sbin/shorewall reload firewall

      The reload command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and restarts Shorewall Lite on the remote system via ssh. The reload command also supports the '-c' option.

      I personally place a Makefile in each export directory as follows:
    # Shorewall Packet Filtering Firewall Export Directory Makefile - V3.3
    #
    # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
    #
    # (c) 2006 - Tom Eastep (teastep@shorewall.net)
    #
    # Shorewall documentation is available at http://www.shorewall.net
    #
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of Version 2 of the GNU General Public License
    # as published by the Free Software Foundation.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
    ################################################################################
    # Place this file in each export directory. Modify each copy to set HOST
    # to the name of the remote firewall corresponding to the directory.
    #
    # To make the 'firewall' script, type "make".
    #
    # Once the script is compiling correctly, you can install it by
    # typing "make install".
    #
    ################################################################################
    #                       V A R I A B L E S
    #
    # Files in the export directory on which the firewall script does not depend
    #
    IGNOREFILES =  firewall% Makefile% trace% %~
    #
    # Remote Firewall system
    #
    HOST = gateway
    #
    # Save some typing
    #
    LITEDIR = /var/lib/shorewall-lite
    #
    # Set this if the remote system has a non-standard modules directory
    #
    MODULESDIR=
    #
    # Default target is the firewall script
    #
    ################################################################################
    #                       T A R G E T S
    #
    all: firewall
    #
    # Only generate the capabilities file if it doesn't already exist
    #
    capabilities:
    	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
    	scp root@$(HOST):$(LITEDIR)/capabilities .
    #
    # Compile the firewall script. Using the 'wildcard' function causes "*" to be expanded so that
    # 'filter-out' will be presented with the list of files in this directory rather than "*"
    #
    firewall: $(filter-out $(IGNOREFILES) capabilities , $(wildcard *) ) capabilities
    	shorewall compile -e . firewall
    #
    # Only reload on demand.
    #
    install: firewall
    	scp firewall firewall.conf root@$(HOST):$(LITEDIR)
    	ssh root@$(HOST) "/sbin/shorewall-lite restart"
    #
    # Save running configuration
    #
    save:
    	ssh root@$(HOST) "/sbin/shorewall-lite save"
    #
    # Remove generated files
    #
    clean:
    	rm -f capabilities firewall firewall.conf reload
That way, after I've changed the configuration, I can simply type make or make install. The above Makefile is available at http://www.shorewall.net/pub/shorewall/contrib/Shorewall-lite/ I omit trace% because I often trace compiler execution while I'm debugging new versions of Shorewall.
There is a shorewall-lite.conf file installed as part of Shorewall Lite (/etc/shorewall-lite/shorewall-lite.conf). You can use that file on the firewall system to override some of the settings from the shorewall.conf file in the export directory. Settings that you can override are:
    VERBOSITY
    LOGFILE
    LOGFORMAT
    IPTABLES
    PATH
    SHOREWALL_SHELL
    SUBSYSLOCK
    RESTOREFILE
You will normally never touch /etc/shorewall-lite/shorewall-lite.conf unless you run Debian or one of its derivatives (see above). The /sbin/shorewall-lite program included with Shorewall Lite supports the same set of commands as the /sbin/shorewall program in a full Shorewall installation with the following exceptions:
    add
    compile
    delete
    refresh
    reload
    try
    safe-start
    safe-restart
    show actions
    show macros
On systems with only Shorewall Lite installed, I recommend that you create a symbolic link /sbin/shorewall and point it at /sbin/shorewall-lite. That way, you can use shorewall as the command regardless of which product is installed.
ln -sf shorewall-lite /sbin/shorewall
Module Loading As with a normal Shorewall configuration, the shorewall.conf file can specify LOAD_HELPERS_ONLY which determines if the modules file (LOAD_HELPERS_ONLY=No) or helpers file (LOAD_HELPERS_ONLY=Yes) is used. Normally, the file on the firewall system is used. If you want to specify modules at compile time on the Administrative System, then you must place a copy of the appropriate file (modules or helpers) in the firewall's configuration directory before compilation. In Shorewall 4.4.17, the EXPORTMODULES option was added to shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any modules or helpers file found on the CONFIG_PATH on the Administrative System during compilation will be used.
Converting a system from Shorewall to Shorewall Lite

Converting a firewall system that is currently running Shorewall to run Shorewall Lite instead is straightforward.

1. On the administrative system, create an export directory for the firewall system.

2. Copy the contents of /etc/shorewall/ from the firewall system to the export directory on the administrative system.

3. On the firewall system:

   a. Be sure that the IP address of the administrative system is included in the firewall's export directory stoppedrules file.

   b. shorewall stop

   c. We recommend that you uninstall Shorewall at this point.

   d. Install Shorewall Lite on the firewall system.

   e. If you are running Debian or one of its derivatives like Ubuntu then edit /etc/default/shorewall-lite and set startup=1.

4. On the administrative system:

   It's a good idea to include the IP address of the administrative system in the firewall system's stoppedrules file. Also, edit the shorewall.conf file in the firewall's export directory and change the CONFIG_PATH setting to remove /etc/shorewall. You can replace it with /usr/share/shorewall/configfiles if you like. Example:
Before editing:
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
After editing:
CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall
Changing CONFIG_PATH will ensure that subsequent compilations using the export directory will not include any files from /etc/shorewall other than shorewall.conf and params.
If you set variables in the params file, there are a couple of issues:
- The params file is not processed at run time if you set EXPORTPARAMS=No in shorewall.conf. For run-time setting of shell variables, use the init extension script.
- Beginning with Shorewall 4.4.17, the variables set in the params file are available in the firewall script when EXPORTPARAMS=No.
If the params file needs to set shell variables based on the configuration of the firewall system, you can use this trick:
EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")
The shorewall-lite call command allows you to call interactively any Shorewall function that you can call in an extension script.
After having made the above changes to the firewall's export directory, execute the following commands.
cd <export directory>
/sbin/shorewall load <firewall system>
Example (firewall's DNS name is 'gateway'):
/sbin/shorewall load gateway
The first time that you issue a load command, Shorewall will use ssh to run /usr/share/shorewall-lite/shorecap on the remote firewall to create a capabilities file in the firewall's administrative directory (see below). The load command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and starts Shorewall Lite on the remote system via ssh.
If you later need to change the firewall's configuration, change the appropriate files in the firewall's export directory, then:
cd <export directory>
/sbin/shorewall reload <firewall system>
The reload command compiles a firewall script from the configuration files in the current working directory (using shorewall compile -e), copies that file to the remote system via scp and restarts Shorewall Lite on the remote system via ssh.
If the kernel/iptables configuration on the firewall later changes and you need to create a new capabilities file, do the following on the firewall system:
/usr/share/shorewall-lite/shorecap > capabilities
scp capabilities <admin system>:<this system's config dir>
Or simply use the -c option the next time that you use the reload command (e.g., shorewall reload -c gateway).
Restrictions
While compiled Shorewall programs (as are used in Shorewall Lite) are useful in many cases, there are some important restrictions that you should be aware of before attempting to use them.
- All extension scripts used are copied into the program (with the exception of those executed at compile-time by the compiler). The ramification of this is that if you update an extension script, the compiled program will not use the updated script.
- The params file is only processed at compile time if you set EXPORTPARAMS=No in shorewall.conf. For run-time setting of shell variables, use the init extension script. Although the default setting is EXPORTPARAMS=Yes for compatibility, the recommended setting is EXPORTPARAMS=No. Beginning with Shorewall 4.4.17, the variables set in the params file are available in the firewall script when EXPORTPARAMS=No. If the params file needs to set shell variables based on the configuration of the firewall system, you can use this trick:
EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")
The shorewall-lite call command allows you to call interactively any Shorewall function that you can call in an extension script.
- You must install Shorewall Lite on the system where you want to run the script. You then install the compiled program in /usr/share/shorewall-lite/firewall and use the /sbin/shorewall-lite program included with Shorewall Lite to control the firewall just as if the full Shorewall distribution was installed.
The "shorewall compile" command A compiled script is produced using the compile command:
shorewall compile [ -e ] [ <directory name> ] [ <path name> ]
where
-e
    Indicates that the program is to be "exported" to another system. When this flag is set, neither the "detectnets" interface option nor DYNAMIC_ZONES=Yes in shorewall.conf are allowed. The created program may be run on a system that has only Shorewall Lite installed. When this flag is given, Shorewall does not probe the current system to determine the kernel/iptables features that it supports. It rather reads those capabilities from /etc/shorewall/capabilities. See below for details.
<directory name>
    Specifies a directory to be searched for configuration files before those directories listed in the CONFIG_PATH variable in shorewall.conf. When -e <directory-name> is included, only the SHOREWALL_SHELL and VERBOSITY settings from /etc/shorewall/shorewall.conf are used and these apply only to the compiler itself. The settings used by the compiled firewall script are determined by the contents of <directory name>/shorewall.conf.
<path name>
    Specifies the name of the script to be created. If not given, ${VARDIR}/firewall is assumed (by default, ${VARDIR} is /var/lib/shorewall/).
The /etc/shorewall/capabilities file and the shorecap program
As mentioned above, the /etc/shorewall/capabilities file specifies the kernel/iptables capabilities of the target system. Here is a sample file:
#
# Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008
#
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
MULTIPORT=Yes
XMULTIPORT=Yes
CONNTRACK_MATCH=Yes
POLICY_MATCH=Yes
PHYSDEV_MATCH=Yes
PHYSDEV_BRIDGE=Yes
LENGTH_MATCH=Yes
IPRANGE_MATCH=Yes
RECENT_MATCH=Yes
OWNER_MATCH=Yes
IPSET_MATCH=Yes
CONNMARK=Yes
XCONNMARK=Yes
CONNMARK_MATCH=Yes
XCONNMARK_MATCH=Yes
RAW_TABLE=Yes
IPP2P_MATCH=
CLASSIFY_TARGET=Yes
ENHANCED_REJECT=Yes
KLUDGEFREE=Yes
MARK=Yes
XMARK=Yes
MANGLE_FORWARD=Yes
COMMENTS=Yes
ADDRTYPE=Yes
TCPMSS_MATCH=Yes
HASHLIMIT_MATCH=Yes
NFQUEUE_TARGET=Yes
REALM_MATCH=Yes
CAPVERSION=40190
As you can see, the file contains a simple list of shell variable assignments — the variables correspond to the capabilities listed by the shorewall show capabilities command and they appear in the same order as the output of that command. To aid in creating this file, Shorewall Lite includes a shorecap program. The program is installed in the /usr/share/shorewall-lite/ directory and may be run as follows:
[ IPTABLES=<iptables binary> ] [ MODULESDIR=<kernel modules directory> ] /usr/share/shorewall-lite/shorecap > capabilities
The IPTABLES and MODULESDIR options have their usual Shorewall default values. The capabilities file may then be copied to a system with Shorewall installed and used when compiling firewall programs to run on the remote system. The capabilities file may also be created using /sbin/shorewall-lite:
shorewall-lite show -f capabilities > capabilities
Note that unlike the shorecap program, the show capabilities command shows the kernel's current capabilities; it does not attempt to load additional kernel modules.
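Because the compiler sources the capabilities file as shell, a file copied back from a firewall over scp deserves a quick check before it is used, and when the firewall's kernel or iptables changes it helps to see exactly which capabilities moved before deciding on a reload -c. The following is an added example, not part of the Shorewall Lite documentation; the capabilities files it builds are constructed for the demonstration and only mimic the format shown above.

```shell
#!/bin/sh
# Added example, not part of the Shorewall Lite documentation: sanity-check a
# capabilities file before the compiler sources it, and list what changed
# between the copy kept on the administrative system and a fresh one produced
# by shorecap on the firewall.  The files below are constructed for the demo.

# caps_is_clean FILE
#   The compiler reads the capabilities file as shell code, so a file fetched
#   from a remote box should contain nothing but comments, blank lines and
#   NAME=value assignments (Yes, No, empty, or digits as in CAPVERSION).
caps_is_clean() {
    ! grep -Eqv '^[[:space:]]*(#.*)?$|^[A-Z0-9_]+=(Yes|No|[0-9]*)$' "$1"
}

# caps_value FILE NAME - print the value assigned to NAME (empty if absent)
caps_value() {
    sed -n "s/^$2=//p" "$1"
}

# caps_diff OLD NEW
#   Print "NAME old -> new" for each capability whose value differs, showing
#   an empty value as '-'.  Exits 0 only when nothing changed, so it can decide
#   whether 'shorewall reload -c' is needed.
caps_diff() {
    changed=0
    for name in $(cat "$1" "$2" | sed -n 's/^\([A-Z0-9_]*\)=.*/\1/p' | sort -u); do
        a=$(caps_value "$1" "$name")
        b=$(caps_value "$2" "$name")
        if [ "$a" != "$b" ]; then
            echo "$name ${a:--} -> ${b:--}"
            changed=1
        fi
    done
    return $changed
}

# caps_demo_files - write constructed sample files under $TMPDIR, print the dir
caps_demo_files() {
    d=${TMPDIR:-/tmp}/caps-demo.$$
    mkdir -p "$d"
    cat > "$d/admin.caps" <<'EOF'
#
# Shorewall detected the following iptables/netfilter capabilities - (constructed sample)
#
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IPSET_MATCH=Yes
IPP2P_MATCH=
RECENT_MATCH=Yes
CAPVERSION=40190
EOF
    cat > "$d/fresh.caps" <<'EOF'
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IPSET_MATCH=
IPP2P_MATCH=
RECENT_MATCH=Yes
NFQUEUE_TARGET=Yes
CAPVERSION=40190
EOF
    # not an assignment: a file like this must never be sourced
    printf 'NAT_ENABLED=Yes\necho injected; rm -rf "$HOME"\n' > "$d/tampered.caps"
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(caps_demo_files)
    if caps_diff "$d/admin.caps" "$d/fresh.caps"; then
        echo "capabilities unchanged"
    else
        echo "capabilities changed: recompile with 'shorewall reload -c'"
    fi
    rm -rf "$d"
fi
```

caps_is_clean is deliberately strict: anything that is not a comment or a plain assignment fails it, which is the right default for a file that will be sourced by the compiler. caps_diff treats an absent capability and an empty one alike, matching how the compiler reads them.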
Running compiled programs directly Compiled firewall programs are complete shell programs that support the following command line forms:
<program> [ -q ] [ -v ] [ -n ] start
<program> [ -q ] [ -v ] [ -n ] stop
<program> [ -q ] [ -v ] [ -n ] clear
<program> [ -q ] [ -v ] [ -n ] refresh
<program> [ -q ] [ -v ] [ -n ] reset
<program> [ -q ] [ -v ] [ -n ] restart
<program> [ -q ] [ -v ] [ -n ] status
<program> [ -q ] [ -v ] [ -n ] version
The options have the same meanings as when they are passed to /sbin/shorewall itself. The default VERBOSITY level is the level specified in the shorewall.conf file used when the program was compiled.
Three-Interface Firewall
Tom Eastep
2002-2005 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0, then see the documentation for that release.
Introduction
Setting up a Linux system as a firewall for a small network is a fairly straightforward task if you understand the basics and follow the documentation. This guide does not attempt to acquaint you with all of the features of Shorewall. It rather focuses on what is required to configure Shorewall in one of its most common configurations:
- a Linux system used as a firewall/router for a small local network;
- a single external (public) IP address. If you have more than one public IP address, this guide is not for you; see the Shorewall Setup Guide instead;
- a DeMilitarized Zone (DMZ) connected to a separate Ethernet interface. The purpose of the DMZ is to isolate your local servers that are exposed to the Internet, so that if one of those servers is compromised there is still a firewall between the compromised server and your local systems;
- an Internet connection through a cable modem, DSL, ISDN, Frame Relay, dial-up line, ...
Here is a schematic of a typical installation:
schematic of a typical installation
System Requirements
Shorewall requires that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the which command to check for this program:
[root@gateway root]# which ip
/sbin/ip
[root@gateway root]#
Before You Start
I recommend that you first read through the whole guide to familiarize yourself with what is involved, then go back through it again making your configuration changes. If you edit your configuration files on a Windows system, you must save them as Unix files if your editor supports that option, or you must run them through dos2unix before using them. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix against the copy before using it with Shorewall. Windows version of dos2unix. Linux version of dos2unix.
Conventions
Points at which configuration changes are recommended are marked with . Configuration notes that are unique to the LEAF/Bering project are marked with .
PPTP/ADSL
If you have an ADSL modem and you use PPTP to communicate with a server in that modem, you must make the changes recommended here in addition to those described in the steps below. ADSL with PPTP is most commonly found in Europe, notably in Austria.
Shorewall Concepts
The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will only need to deal with a few of these as described in this guide.
Note to Debian Users
If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall-common/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies. Note that you must copy /usr/share/doc/shorewall-common/default-config/shorewall.conf and /usr/share/doc/shorewall-common/default-config/modules to /etc/shorewall even if you do not modify those files.
After you have installed Shorewall, you can find the sample configuration files in the following places:
- If you installed using an RPM, the samples will be in the Samples/three-interface subdirectory of the Shorewall documentation directory. If you don't know where the Shorewall documentation directory is, you can find the samples using this command:
~# rpm -ql shorewall | fgrep three-interfaces
/usr/share/doc/packages/shorewall/Samples/three-interfaces
/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/three-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/three-interfaces/routestopped
/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
~#
- If you installed Shorewall from the tarball, the samples are in the Samples/three-interface directory in the tarball.
- If you installed using a .deb, the samples are in /usr/share/doc/shorewall-common/examples/three-interface.
As each file is introduced, I suggest that you look through the actual file on your system -- each file contains detailed configuration instructions and default entries.
Shorewall views the network where it is running as being composed of a set of zones. In the three-interface sample configuration, the following zones are defined:
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
Shorewall zones are defined in the /etc/shorewall/zones file. Note that Shorewall recognizes the firewall system as its own zone. When the /etc/shorewall/zones file is processed, the name of the firewall zone (fw in the above example) is stored in the shell variable $FW, which may be used throughout the Shorewall configuration to refer to the firewall itself.
Rules about what traffic to allow and what traffic to deny are expressed in terms of zones. You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file. You define exceptions to those default policies in the /etc/shorewall/rules file. For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request, then the first policy in /etc/shorewall/policy that matches the request is applied. If there is a common action defined for the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std, then that action is executed before the policy is applied.
The /etc/shorewall/policy file included with the three-interface sample has the following policies:
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
In the three-interface sample, the line shown below is commented out. If you want your firewall system to have full access to servers on the Internet, uncomment that line.
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
$FW     net     ACCEPT
The above policies will:
- allow all connection requests from your local network to the Internet;
- drop (ignore) all connection requests from the Internet to your firewall or local network;
- optionally allow all connection requests from the firewall to the Internet (if you uncomment the additional policy);
- reject all other connection requests (Shorewall requires such a policy, which applies to all remaining requests).
It is important to note that Shorewall policies (and rules) refer to connections and not to packet flow. With the policy defined in the /etc/shorewall/policy file shown above, connections from the loc zone to the net zone are allowed, but connections from the loc zone to the firewall itself are not.
At this point, edit your /etc/shorewall/policy file and make any changes that you wish.
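Zones, policies and rules have to agree with one another, and because the first matching policy wins, a policy placed after the all/all catch-all is never reached. The following is an added example, not part of the guide: a small POSIX shell lint over a configuration directory that verifies that every zone named in policy and rules is defined in zones (or is the literal $FW or all) and that the policy file ends with the required all/all entry. The sample files it writes are constructed here and follow the three-interface layout shown above.

```shell
#!/bin/sh
# Added example, not from the Shorewall guide: a consistency check across the
# zones, policy and rules files of a configuration directory.  It catches two
# mistakes that follow from the text above: a policy or rule naming a zone that
# the zones file does not define, and a policy file whose last entry is not the
# required "all all" catch-all (policies are matched in order, so anything
# after the catch-all is never reached).  The sample configuration is
# constructed here in the three-interface layout.

# strip_comments FILE - print the non-blank, non-comment lines of FILE
strip_comments() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# zone_names DIR - print the zone names defined in DIR/zones (first column)
zone_names() {
    strip_comments "$1/zones" | awk '{print $1}'
}

# zone_defined DIR NAME - succeed if NAME is a defined zone, the literal $FW, or all
zone_defined() {
    case $2 in
        '$FW'|all) return 0 ;;
    esac
    zone_names "$1" | grep -qx -- "$2"
}

# zone_part SPEC - keep only the zone of a SOURCE/DEST column: dmz:10.10.11.2:80 -> dmz
zone_part() {
    printf '%s\n' "$1" | sed 's/:.*//'
}

# check_zone_refs DIR FILE SRC_COL DST_COL
#   Print "FILE: undefined zone NAME" for each SOURCE/DEST entry in DIR/FILE
#   that names an unknown zone; exit 0 only if every reference is known.
check_zone_refs() {
    dir=$1 file=$2
    strip_comments "$dir/$file" | awk -v s="$3" -v d="$4" '{print $s; print $d}' \
    | while read -r spec; do
        z=$(zone_part "$spec")
        case $z in ''|-) continue ;; esac
        zone_defined "$dir" "$z" || echo "$file: undefined zone $z"
    done | grep . && return 1
    return 0
}

# check_catchall_last DIR - succeed if the last entry in DIR/policy is "all all"
check_catchall_last() {
    strip_comments "$1/policy" | awk '{last = ($1 == "all" && $2 == "all")} END {exit !last}'
}

# lint_config DIR - run every check; exit 0 only if all pass
lint_config() {
    rc=0
    check_zone_refs "$1" policy 1 2 || rc=1
    check_zone_refs "$1" rules 2 3 || rc=1
    check_catchall_last "$1" || { echo "policy: last entry is not 'all all'"; rc=1; }
    return $rc
}

# lint_demo_dir - write the constructed sample configuration under $TMPDIR, print the dir
lint_demo_dir() {
    d=${TMPDIR:-/tmp}/sw-lint.$$
    mkdir -p "$d"
    cat > "$d/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
    cat > "$d/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    cat > "$d/rules" <<'EOF'
#ACTION     SOURCE  DEST            PROTO   DEST PORT(S)
Web/DNAT    net     dmz:10.10.11.2
Web/ACCEPT  loc     dmz:10.10.11.2
DNS/ACCEPT  loc     $FW
SSH/ACCEPT  loc     $FW
EOF
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(lint_demo_dir)
    lint_config "$d" && echo "zones/policy/rules are consistent"
    rm -rf "$d"
fi
```

Point lint_config at /etc/shorewall (or at an export directory) to run the same checks on a real configuration; it only reads the three files and never invokes Shorewall itself.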
Network Interfaces
DMZ
The firewall has three network interfaces. Where Internet connectivity is through a cable or DSL Modem, the External Interface will be the Ethernet adapter that is connected to that Modem (e.g., eth0) unless you connect via Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP), in which case the External Interface will be a ppp interface (e.g., ppp0). If you connect via a regular modem, your External Interface will also be ppp0. If you connect using ISDN, your External Interface will be ippp0.
If your external interface is ppp0 or ippp0, then you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.
Your Internal Interface will be an Ethernet adapter (eth0, eth1 or eth2) and will be connected to a hub or switch. Your other computers will be connected to the same hub/switch (note: if you have only a single internal system, you can connect the firewall directly to that computer using a cross-over cable).
Your DMZ Interface will also be an Ethernet adapter (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ computers will be connected to the same hub/switch (note: if you have only a single DMZ system, you can connect the firewall directly to that computer using a cross-over cable).
Do NOT connect the internal and external interfaces to the same hub or switch except for testing. You can test using this kind of configuration if you specify the arp_filter option in /etc/shorewall/interfaces for all interfaces connected to the common hub/switch. Using such a setup with a production firewall is strongly recommended against.
The Shorewall three-interface sample configuration assumes that the external interface is eth0, the internal interface is eth1 and the DMZ interface is eth2.
If your configuration is different, you will have to modify the sample /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interfaces. Some hints:
- If your external interface is ppp0 or ippp0, you can replace the detect in the second column with - (a minus sign in quotes).
- If your external interface is ppp0 or ippp0 or if you have a static IP address, you can remove dhcp from the option list.
IP Addresses
Before going further, we should say a few words about Internet Protocol (IP) addresses. Normally, your Internet Service Provider (ISP) will assign you a single IP address. This address may be assigned statically, via the Dynamic Host Configuration Protocol (DHCP), as part of establishing your dial-up connection (regular modem), or as part of establishing another type of PPP (PPPoA, PPPoE, etc.) connection. In the latter case your ISP may assign you a static IP address, which means that you configure your firewall's external interface to use that address permanently.
However your external address is assigned, it will be shared by all of your systems when they access the Internet. You will have to assign your own addresses for your internal network (the internal and DMZ interfaces on your firewall plus your other computers). RFC-1918 reserves several Private IP address ranges for this purpose:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Before starting Shorewall, you should look at the IP address of your external interface and, if it is in one of the above ranges, you should remove the norfc1918 option from the external interface's entry in /etc/shorewall/interfaces.
You will want to assign your local addresses from one sub-network (subnet) and your DMZ addresses from another subnet. For our purposes, we can consider a subnet to consist of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a Subnet Mask of 255.255.255.0. The address x.y.z.0 is reserved as the Subnet Address and x.y.z.255 is reserved as the Subnet Broadcast Address. In Shorewall, a subnet is described using Classless InterDomain Routing (CIDR) notation with the subnet address followed by /24.
The 24 refers to the number of consecutive leading 1 bits in the subnet mask.
Example sub-network
Range: 10.10.10.0 - 10.10.10.255
Subnet Address: 10.10.10.0
Broadcast Address: 10.10.10.255
CIDR Notation: 10.10.10.0/24
It is conventional to assign the internal interface either the first usable address in the subnet (10.10.10.1 in the above example) or the last usable address (10.10.10.254).
One of the purposes of subnetting is to allow all of the computers in the subnet to understand which other computers can be communicated with directly. To communicate with systems outside of the subnet, systems send packets through a gateway (router).
Your local computers (Local Computers 1 & 2 in the above diagram) should be configured with their default gateway set to the IP address of the firewall's internal interface, and your DMZ computers (DMZ Computers 1 & 2) should be configured with their default gateway set to the IP address of the firewall's DMZ interface.
The foregoing short discussion barely scratches the surface regarding subnetting and routing. If you are interested in learning more about IP addressing and routing, I highly recommend IP Fundamentals: What Everyone Needs to Know about Addressing & Routing, Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0 (link).
The remainder of this guide will assume that you have configured your network as shown here:
DMZ
The default gateway for the DMZ computers should be 10.10.11.254 and the default gateway for Local Computers 1 & 2 should be 10.10.10.254.
Your ISP might assign your external interface an RFC-1918 address. If that address is in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC-1918 subnet for your local network, and if it is in the 10.10.11.0/24 subnet then you will need to select a DIFFERENT RFC-1918 subnet for your DMZ.
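The following is an added example, not part of the guide: the subnet arithmetic just described (network address, broadcast address and netmask from CIDR notation) implemented in POSIX shell, together with the check the text asks you to perform on the external address before starting Shorewall: whether it falls in an RFC 1918 range, and whether it overlaps the loc or dmz subnet. The addresses used in the demonstration (203.0.113.5 as a public address, 10.10.10.0/24 and 10.10.11.0/24 as in the diagram) are assumptions.

```shell
#!/bin/sh
# Added example, not from the Shorewall guide: the subnet arithmetic described
# above done in POSIX shell, plus the check the guide asks for before keeping
# the norfc1918 option: is the external address private, and does it collide
# with the loc or dmz subnet?  Addresses used in the demo are assumptions.

# ip_to_int A.B.C.D - print the dotted quad as a 32-bit unsigned integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N - the inverse of ip_to_int
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask_of BITS - print the mask for a /BITS prefix as an integer
netmask_of() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_info A.B.C.D/N - print "network broadcast netmask" for the subnet
cidr_info() {
    mask=$(netmask_of "${1#*/}")
    net=$(( $(ip_to_int "${1%/*}") & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast") $(int_to_ip "$mask")"
}

# in_subnet A.B.C.D X.Y.Z.W/N - succeed if the address lies within the subnet
in_subnet() {
    mask=$(netmask_of "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# is_rfc1918 A.B.C.D - succeed if the address is in one of the RFC 1918 ranges
is_rfc1918() {
    for n in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        in_subnet "$1" "$n" && return 0
    done
    return 1
}

# check_external EXT_IP LOC_CIDR DMZ_CIDR
#   Report the two conditions the guide warns about; exit non-zero on either.
check_external() {
    rc=0
    if is_rfc1918 "$1"; then
        echo "external address $1 is RFC 1918: remove norfc1918 from the net interface entry"
        rc=1
    fi
    for n in "$2" "$3"; do
        if in_subnet "$1" "$n"; then
            echo "external address $1 lies in $n: pick a different RFC 1918 subnet for it"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    cidr_info 10.10.10.0/24
    check_external "${2:-203.0.113.5}" 10.10.10.0/24 10.10.11.0/24 && echo "external address is fine"
fi
```

Run it as demo <external address> once the external interface is up; a non-zero exit tells you either to drop norfc1918 from the net interface entry or to renumber the subnet it collides with before starting Shorewall.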
IP Masquerading (SNAT)
The addresses reserved by RFC-1918 are sometimes referred to as non-routable because Internet backbone routers do not forward packets that have an RFC-1918 destination address. When one of your local systems (let's assume Local Computer 1) sends a connection request to an Internet host, the firewall must perform Network Address Translation (NAT). The firewall rewrites the source address in the packet to be the address of the firewall's external interface; in other words, the firewall makes it look as if the firewall itself is initiating the connection. This is necessary so that the destination host will be able to route return packets back to the firewall (remember that packets whose destination address is reserved by RFC-1918 can't be routed across the Internet, so the remote host can't address its response to Local Computer 1). When the firewall receives the return packet, it rewrites the destination address back to 10.10.10.1 and forwards the packet on to Local Computer 1.
On Linux systems, the above process is known as IP Masquerading, but you will also see the term Source Network Address Translation (SNAT) used. Shorewall follows the convention used by Netfilter:
- Masquerade describes the case where you let your firewall system automatically detect the external interface address.
- SNAT refers to the case where you explicitly specify the source address that you want outbound packets from your local network to use.
In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file. You will normally use Masquerading if your external IP address is dynamic and SNAT if the external IP address is static.
If your firewall's external interface is eth0, your local interface is eth1 and your DMZ interface is eth2, you do not need to modify the sample file.
Otherwise, edit /etc/shorewall/masq to match your configuration.
If, despite all advice to the contrary, you are using this guide and want to use one-to-one NAT or Proxy ARP for your DMZ, remove the entry for eth2 from /etc/shorewall/masq.
If your external IP address is static, you can enter it in the third column of the /etc/shorewall/masq entry if you like, although your firewall will work fine if you leave that column empty. Entering your static IP address in the third column makes processing outgoing packets a little more efficient.
If you are using the Debian package, please check your shorewall.conf file to ensure that the following is set correctly; if it is not, change it appropriately:
IP_FORWARDING=On
Port Forwarding (DNAT)
One of your goals may be to run one or more servers on your DMZ computers. Because these computers have RFC-1918 addresses, it is not possible for clients on the Internet to connect directly to them. Instead, those clients address their connection requests to the firewall, which rewrites the destination address to the address of your server and forwards the packet to that server. When your server responds, the firewall automatically performs SNAT to rewrite the source address in the response.
The above process is called Port Forwarding or Destination Network Address Translation (DNAT). You configure port forwarding using DNAT rules in the /etc/shorewall/rules file.
The general form of a simple port forwarding rule in /etc/shorewall/rules is:
#ACTION SOURCE  DEST                                            PROTO       DEST PORT(S)
DNAT    net     dmz:<server local IP address>[:<server port>]   <protocol>  <port>
If you don't specify <server port>, it is assumed to be the same as <port>.
Example: you run a Web server on DMZ Computer 2 and you want to forward incoming TCP port 80 to that system:
#ACTION     SOURCE  DEST            PROTO   DEST PORT(S)
Web/DNAT    net     dmz:10.10.11.2
Web/ACCEPT  loc     dmz:10.10.11.2
The first entry forwards port 80 from the Internet. The second entry allows connections from the local network.
A couple of important points to keep in mind:
- When you connect to your server from your local systems, you must use the server's internal IP address (10.10.11.2).
- Many ISPs block incoming connection requests to port 80.
If you have problems connecting to your Web server, try the following rule and try connecting to port 5000 (e.g., connect to http://w.x.y.z:5000 where w.x.y.z is your external IP):
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
DNAT    net     dmz:10.10.11.2:80   tcp     5000
If you want to be able to access your server from the local network using your external address, then if you have a static external IP you can replace the loc->dmz rule above with:
#ACTION SOURCE  DEST            PROTO   DEST PORT(S)    SOURCE PORT(S)  ORIGINAL DEST
DNAT    loc     dmz:10.10.11.2  tcp     80              -               <external IP>
If you have a dynamic external IP then you must ensure that your external interface is up before starting Shorewall and you must take the following steps (assuming that your external interface is eth0):
- Include the following in /etc/shorewall/params:
ETH0_IP=$(find_interface_address eth0)
- Make your loc->dmz rule:
#ACTION SOURCE  DEST            PROTO   DEST PORT(S)    SOURCE PORT(S)  ORIGINAL DEST
DNAT    loc     dmz:10.10.11.2  tcp     80              -               $ETH0_IP
If you need to access the server from the DMZ using your external IP address, see FAQ 2a.
At this point, modify /etc/shorewall/rules to add any DNAT and ACCEPT rules that you require for your servers.
When testing DNAT rules like those shown above, you must test from a client OUTSIDE YOUR FIREWALL (in the net zone). You cannot test these rules from inside the firewall!
For tips on troubleshooting DNAT problems, see FAQs 1a and 1b.
Domain Name Server (DNS)
Normally, when you connect to your ISP, as part of getting an IP address your firewall's Domain Name Service (DNS) resolver will be automatically configured (e.g., the /etc/resolv.conf file will be written). Alternatively, your ISP may have given you the IP address of a pair of DNS name servers for you to manually configure as your primary and secondary name servers. It is your responsibility to configure the resolver in your internal systems. You can take one of two approaches:
- You can configure your internal systems to use your ISP's name servers. If your ISP gave you the addresses of their servers or if those addresses are available on their web site, you can configure your internal systems to use those addresses. If that information isn't available, look in /etc/resolv.conf on your firewall system -- the name servers are given in nameserver records in that file.
- You can configure a Caching Name Server on your firewall or in your DMZ. Red Hat has an RPM for a caching name server (the RPM also requires the bind RPM), and for Bering users there is dnscache.lrp. If you take this approach, you configure your internal systems to use the firewall itself as their primary (and only) name server. You use the internal IP address of the firewall (10.10.10.254 in the example above) for the name server address if you run the name server on your firewall. To allow your local systems to talk to your caching name server, you must open port 53 (both UDP and TCP) from the local network to the firewall; you do that by adding the following rules to /etc/shorewall/rules.
If you run the name server on the firewall:
#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
DNS/ACCEPT  loc     $FW
DNS/ACCEPT  dmz     $FW
If you run the name server on DMZ Computer 1:
#ACTION     SOURCE  DEST            PROTO   DEST PORT(S)
DNS/ACCEPT  loc     dmz:10.10.11.1
DNS/ACCEPT  $FW     dmz:10.10.11.1
In the rules shown above, DNS/ACCEPT is an example of a defined macro. Shorewall includes a number of defined macros and you can add your own. To see the list of macros included with your version of Shorewall, run the command ls /usr/share/shorewall/macro.*.
You don't have to use defined macros when coding a rule in /etc/shorewall/rules. The first example above (name server on the firewall) could also have been written:
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  loc     $FW     tcp     53
ACCEPT  loc     $FW     udp     53
ACCEPT  dmz     $FW     tcp     53
ACCEPT  dmz     $FW     udp     53
In cases where Shorewall doesn't include a defined macro to meet your needs, you can either define the macro yourself or you can simply code the appropriate rules directly. This page may help you if you don't know the protocol and port used.
Other Connections
The three-interface sample includes the following rules:
#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
DNS/ACCEPT  $FW     net
This rule allows DNS access from your firewall and may be removed if you uncommented the line in /etc/shorewall/policy allowing all connections from the firewall to the Internet.
The sample also includes:
#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
SSH/ACCEPT  loc     $FW
SSH/ACCEPT  loc     dmz
Those rules allow you to run an SSH server on your firewall and on each of your DMZ systems and to connect to those servers from your local systems.
If you wish to enable other connections from your firewall to other systems, the general format using a defined macro is:
#ACTION         SOURCE          DEST                PROTO   DEST PORT(S)
<macro>/ACCEPT  <source zone>   <destination zone>
The general format when not using a defined macro is:
#ACTION SOURCE          DEST                PROTO       DEST PORT(S)
ACCEPT  <source zone>   <destination zone>  <protocol>  <port>
Example: you want to run a publicly-available DNS server on your firewall.
Using a defined macro:
#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
DNS/ACCEPT  net     $FW
Not using a defined macro:
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  net     $FW     tcp     53
ACCEPT  net     $FW     udp     53
Those two rules would, of course, be in addition to the rules listed above under "If you run the name server on the firewall".
If you don't know what port and protocol a particular application uses, see here.
I don't recommend enabling telnet to/from the Internet because it uses clear text (even for login and password!). If you want shell access to your firewall from the Internet, use SSH:
#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
SSH/ACCEPT  net     $FW
Bering users will want to add the following two rules to be compatible with Jacques' Shorewall configuration.
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    loc      $FW    udp     53
ACCEPT    net      $FW    tcp     80
Entry 1 allows use of the caching DNS server. Entry 2 allows the weblet to work; note that it opens the weblet to the whole Internet, so narrow the SOURCE to the addresses that actually need it if you keep this rule. Now modify /etc/shorewall/rules to add or remove other connections as required.
Some Things to Keep in Mind
You cannot test your firewall from the inside. Just because you send requests to your firewall's external IP address does not mean that the requests will be associated with the external interface or with the net zone. Any traffic that you generate from the local network will be associated with your local interface and will be treated as loc->fw traffic.
IP addresses are properties of systems, not of interfaces. It is a mistake to believe that your firewall is able to forward packets just because you can ping the IP address of all of the firewall's interfaces from the local network. The only conclusion you can draw from such a successful ping is that the link between the local system and the firewall works and that you probably have the local system's default gateway set correctly.
All IP addresses configured on firewall interfaces are in the $FW (fw) zone. If 192.168.1.254 is the IP address of your internal interface, then you can write $FW:192.168.1.254 in a rule, but you may not write loc:192.168.1.254. It is likewise pointless to add 192.168.1.254 to the loc zone with an entry in /etc/shorewall/hosts.
Reply packets do NOT automatically follow the reverse of the path taken by the original request. All packets are routed according to the routing table of the host at each step of the way. This issue usually comes up when people install a Shorewall firewall in parallel with an existing gateway and try to use DNAT through Shorewall without changing the default gateway of the system that receives the forwarded requests. Requests come in through the Shorewall box, where the destination IP address is rewritten, but the replies go out unmodified through the old gateway.
Shorewall itself has no notion of inside or outside. Those concepts are embodied in how Shorewall is configured.
Starting and Stopping Your Firewall
The installation procedure configures your system to start Shorewall at system boot, but startup is left disabled so that your system won't try to start Shorewall before configuration is complete. Once you have completed configuration of your firewall, enable Shorewall startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes. Users of the .deb package must instead edit /etc/default/shorewall and set STARTUP=1.
The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is stopped, routing is enabled only to those hosts that have an entry in /etc/shorewall/routestopped. A running firewall may be restarted using the shorewall restart command. If you want to totally remove any trace of Shorewall from your Netfilter configuration, use shorewall clear.
The three-interface sample assumes that you want to enable routing to/from eth1 (your local network) and eth2 (DMZ) when Shorewall is stopped. If these two interfaces don't connect to your local network and DMZ, or if you want to enable a different set of hosts, modify /etc/shorewall/routestopped accordingly.
If you are connected to your firewall from the Internet, do not issue a shorewall stop command unless you have added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. Also, I don't recommend using shorewall restart; it is better to create an alternate configuration and test it using the shorewall try command.
Additional Recommended Reading
I highly recommend that you review the Common Configuration File Features page -- it contains helpful tips about Shorewall features that make administering your firewall easier.
shorewall-docs-xml-5.2.3/NetfilterOverview.xml
Netfilter Overview Tom Eastep 2003 2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Netfilter Overview
Netfilter consists of several tables, of which Filter, Nat and Mangle are the ones every configuration uses; Shorewall also uses the Raw and Rawpost tables. Each table has some of the built-in chains PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. Rules in the various tables are used as follows:
Filter: Packet filtering (rejecting, dropping or accepting packets).
Nat: Network Address Translation including DNAT, SNAT and Masquerading.
Mangle: General packet header modification such as setting the TOS value or marking packets for policy routing and traffic shaping.
Raw: Used primarily for creating exemptions from connection tracking with the NOTRACK target. Also used for stateless DNAT.
Rawpost: Used for stateless SNAT.
The following diagram shows how packets traverse the various built-in chains within Netfilter. Note that not all table/chain combinations are used. Local Process means a process running on the Shorewall system itself. A more elaborate version of this flow is available here, and this one contrasts the Netfilter flow with that of ipchains.
In the diagram, each chain is drawn as a box that gives the name of the built-in chain (for example INPUT) along with the names of the tables (Mangle and Filter) in which that chain exists, listed in the order in which the chains are traversed. Such a box indicates that packets go first through the INPUT chain of the Mangle table and then through the INPUT chain of the Filter table. When a chain is enclosed in parentheses, Shorewall does not use the named chain (INPUT) in that table (Mangle).
Keep in mind that chains in the Nat table are only traversed for the first packet of a new connection (including connections related to existing ones), while the chains in the other tables are traversed for every packet. The diagram should help you understand the output of shorewall dump. You may also wish to refer to this article that describes the flow of packets through a Shorewall-generated firewall.
Here are some excerpts from shorewall dump on a server with one interface (eth0):

    [root@tipper ~]# shorewall dump
    Shorewall 4.4.2.2 Dump at tipper - Fri Oct 16 07:38:16 PDT 2009
    Counters reset Thu Oct  8 00:38:06 PDT 2009

The first table shown is the Filter table.

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     6428 1417K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
     967K  629M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
       49  3896 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

The dynamic chain above is where dynamic blacklisting is done. The following rule indicates that all traffic destined for the firewall that comes into the firewall on eth0 is passed to a chain called eth0_in. That chain will be shown further down.

     785K   93M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
        0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 accounting all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
        0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
        0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy DROP 1 packets, 60 bytes)
     pkts bytes target     prot opt in     out     source               destination
     895K  181M fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
       49  3896 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
        0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Here is the eth0_in chain:

    Chain eth0_in (1 references)
     pkts bytes target     prot opt in     out     source               destination
       49  3896 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
        0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Next comes the Nat table:

    NAT Table

    Chain PREROUTING (policy ACCEPT 5593 packets, 1181K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 11579 packets, 771K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 11579 packets, 771K bytes)
     pkts bytes target     prot opt in     out     source               destination

Next, the Mangle table:

    Mangle Table

    Chain PREROUTING (policy ACCEPT 967K packets, 629M bytes)
     pkts bytes target     prot opt in     out     source               destination
     967K  629M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain INPUT (policy ACCEPT 967K packets, 629M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 895K packets, 181M bytes)
     pkts bytes target     prot opt in     out     source               destination
     895K  181M tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT 895K packets, 181M bytes)
     pkts bytes target     prot opt in     out     source               destination
     895K  181M tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain tcfor (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain tcout (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain tcpost (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain tcpre (1 references)
     pkts bytes target     prot opt in     out     source               destination

And finally, the Raw table:

    Raw Table

    Chain PREROUTING (policy ACCEPT 1004K packets, 658M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 926K packets, 186M bytes)
     pkts bytes target     prot opt in     out     source               destination
shorewall-docs-xml-5.2.3/Accounting.xml
Shorewall Traffic Accounting Tom Eastep 2003-2016 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 4.0 and later. If you are running a version of Shorewall earlier than Shorewall 4.0.0 then please see the documentation for that release.
Accounting Basics
Shorewall accounting rules are described in the file /etc/shorewall/accounting. By default, the accounting rules are placed in a chain called accounting and can thus be displayed using shorewall[-lite] show -x accounting. All traffic passing into, out of, or through the firewall traverses the accounting chain, including traffic that will later be rejected by interface options such as tcpflags and maclist. The columns in the accounting file are described in shorewall-accounting (5) and shorewall6-accounting (5). In all columns except ACTION and CHAIN, the values -, any and all are treated as wild-cards.
By default the accounting rules are evaluated in the Netfilter filter table (see the ACCOUNTING_TABLE setting under Sectioned Accounting Rules below). This is the same environment in which the rules file rules are evaluated: DNAT has already occurred on inbound packets and SNAT has not yet occurred on outbound packets, so accounting rules see the internal (un-translated) addresses of local hosts in both directions.
Accounting rules are not stateful -- each rule only handles traffic in one direction. For example, if eth0 is your Internet interface and you have a web server in your DMZ connected to eth1, then counting HTTP traffic in both directions requires two rules:
#ACTION   CHAIN   SOURCE   DEST   PROTO   DPORT   SPORT   USER   MARK   IPSEC
DONE      -       eth0     eth1   tcp     80
DONE      -       eth1     eth0   tcp     -       80
Associating a counter with a chain allows for nice reporting.
For example:
#ACTION     CHAIN   SOURCE   DEST   PROTO   DPORT   SPORT   USER   MARK   IPSEC
web:COUNT   -       eth0     eth1   tcp     80
web:COUNT   -       eth1     eth0   tcp     -       80
web:COUNT   -       eth0     eth1   tcp     443
web:COUNT   -       eth1     eth0   tcp     -       443
DONE        web
Now shorewall show web (or shorewall-lite show web for Shorewall Lite users) will give you a breakdown of your web traffic:

    [root@gateway shorewall]# shorewall show web
    Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
    Counters reset Wed Aug 20 09:48:00 PDT 2003

    Chain web (4 references)
     pkts bytes target     prot opt in     out     source               destination
       11  1335            tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:80
       18  1962            tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:80
        0     0            tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:443
        0     0            tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:443
       29  3297 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    [root@gateway shorewall]#

Here is a slightly different example:
#ACTION   CHAIN   SOURCE   DEST   PROTO   DPORT   SPORT   USER   MARK   IPSEC
web       -       eth0     eth1   tcp     80
web       -       eth1     eth0   tcp     -       80
web       -       eth0     eth1   tcp     443
web       -       eth1     eth0   tcp     -       443
COUNT     web     eth0     eth1
COUNT     web     eth1     eth0
Now shorewall show web (or shorewall-lite show web for Shorewall Lite users) simply gives you a breakdown by input and output:

    [root@gateway shorewall]# shorewall show accounting web
    Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
    Counters reset Wed Aug 20 10:24:33 PDT 2003

    Chain accounting (3 references)
     pkts bytes target     prot opt in     out     source               destination
     8767  727K web        tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:80
        0     0 web        tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    11506   13M web        tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:80
        0     0 web        tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:443

    Chain web (4 references)
     pkts bytes target     prot opt in     out     source               destination
     8767  727K            all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    11506   13M            all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    [root@gateway shorewall]#

Here's how the same example would be constructed on an HTTP server with only one interface (eth0). READ THE ABOVE CAREFULLY -- IT SAYS SERVER. If you want to account for web browsing, you have to reverse the rules below.
#ACTION   CHAIN   SOURCE   DEST   PROTO   DPORT   SPORT   USER   MARK   IPSEC
web       -       eth0     -      tcp     80
web       -       -        eth0   tcp     -       80
web       -       eth0     -      tcp     443
web       -       -        eth0   tcp     -       443
COUNT     web     eth0
COUNT     web     -        eth0
Note that with only one interface, only the SOURCE (for input rules) or the DEST (for output rules) is specified in each rule. Here's the output:

    [root@mail shorewall]# shorewall show accounting web
    Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003
    Counters reset Sat Oct 11 08:12:57 PDT 2003

    Chain accounting (3 references)
     pkts bytes target     prot opt in     out     source               destination
     8767  727K web        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    11506   13M web        tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:80
        0     0 web        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
        0     0 web        tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:443

    Chain web (4 references)
     pkts bytes target     prot opt in     out     source               destination
     8767  727K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    11506   13M            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    [root@mail shorewall]#

For an example of integrating Shorewall Accounting with MRTG, see http://www.nightbrawler.com/code/shorewall-stats/.
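The listings above (and the shorewall dump excerpts in the Netfilter Overview) are the plain `iptables -L -v -n` format, which is what you get when you want to feed accounting counters into a script rather than read them by eye. The following is an added example written for this article, not Shorewall code: it parses such a listing into per-rule records and sums bytes per (in, out) interface pair, which is exactly the "input versus output" breakdown the second example above produces. The text in SAMPLE is a constructed copy of the web chain shown above, and the function and class names are this example's own. It copes with the two things that trip up naive splitting: counting-only rules have an empty target column, and `-v` abbreviates large counters with K/M/G suffixes.

```python
"""Parse 'shorewall show <chain>' / 'iptables -L <chain> -v -n' output into
per-rule counters and aggregate bytes per traffic direction.

Added example for this article; not part of Shorewall. SAMPLE is a constructed
copy of the 'web' chain listing shown in the text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
Chain web (4 references)
 pkts bytes target     prot opt in     out     source               destination
   11  1335            tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:80
   18  1962            tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:80
    0     0            tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0            tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           tcp spt:443
   29  3297 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
[root@gateway shorewall]#
"""

_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
_OPTS = {"--", "-f", "!f"}      # the values iptables prints in the 'opt' column


def scale(token: str) -> int:
    """'727K' -> 727000.  iptables -v rounds big counters to a decimal suffix,
    so the value is approximate; use 'show -x' / 'iptables -x' for exact counts."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if m is None:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


@dataclass
class Rule:
    chain: str
    pkts: int
    nbytes: int
    target: Optional[str]       # None for a counting-only rule (no -j)
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    match: str                  # trailing match text, e.g. 'tcp dpt:80'


def parse_listing(text: str) -> List[Rule]:
    rules: List[Rule] = []
    chain: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        f = line.split()
        # Skip the preamble, the column header and prompt/banner lines
        # (a rule row has at least pkts bytes proto opt in out src dst).
        if chain is None or f[0] == "pkts" or len(f) < 8:
            continue
        # A counting-only rule has no target column, so the third field is
        # the protocol and the fourth is the 'opt' flags.
        if f[3] in _OPTS:
            target, rest = None, f[2:]
        else:
            target, rest = f[2], f[3:]
        proto, _opt, in_if, out_if, src, dst = rest[:6]
        rules.append(Rule(chain, scale(f[0]), scale(f[1]), target, proto,
                          in_if, out_if, src, dst, " ".join(rest[6:])))
    return rules


def bytes_by_direction(rules: List[Rule]) -> Dict[Tuple[str, str], int]:
    """Sum bytes per (in, out) interface pair over counting-only rules,
    ignoring jump/RETURN rows so nothing is counted twice."""
    totals: Dict[Tuple[str, str], int] = {}
    for r in rules:
        if r.target is None:
            key = (r.in_if, r.out_if)
            totals[key] = totals.get(key, 0) + r.nbytes
    return totals


if __name__ == "__main__":
    for (i, o), n in bytes_by_direction(parse_listing(SAMPLE)).items():
        print(f"{i} -> {o}: {n} bytes")
```

To use it on a live system, replace SAMPLE with the output of `shorewall show -x web` (the `-x` keeps counters exact, so `scale` never has to deal with suffixes). The same parser reads the shorewall dump chains shown earlier, since they are the same listing format.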
Accounting with Bridges
The structure of the accounting rules changes slightly when there are bridges defined in the Shorewall configuration. Because of the restrictions imposed by Netfilter in kernel 2.6.21 and later, output accounting rules must be segregated from forwarding and input rules. To accomplish this separation, Shorewall-perl creates two accounting chains:
accounting: for input and forwarded traffic.
accountout: for output traffic.
If the CHAIN column contains -, then:
If the SOURCE column in a rule includes the name of the firewall zone (e.g., $FW), then the default chain to insert the rule into is accountout only.
Otherwise, if the DEST in the rule is any or all or 0.0.0.0/0, then the rule is added to both accounting and accountout.
Otherwise, the rule is added to accounting only.
Sectioned Accounting Rules
Traditionally, the root of the Shorewall accounting rules has been the accounting chain. Having a single root chain has drawbacks:
Many rules are traversed needlessly (they could not possibly match traffic).
At any time, the Netfilter team could begin generating errors when loading those same rules (that has happened).
MAC addresses may not be used in the accounting rules.
The accounting chain cannot be optimized when OPTIMIZE_ACCOUNTING=Yes.
The rules may be defined in any order, so the rules compiler must post-process the ruleset to ensure that there are no loops and to alert the user to unreferenced chains.
Beginning with Shorewall 4.4.18, the accounting structure can be created with three root chains:
accountin: Rules that are valid in the INPUT chain (may not specify an output interface).
accountout: Rules that are valid in the OUTPUT chain (may not specify an input interface or a MAC address).
accounting: Other rules.
The new structure is enabled by sectioning the accounting file in a manner similar to the rules file. The sections are INPUT, OUTPUT and FORWARD and must appear in that order (although any of them may be omitted). The first non-commentary record in the accounting file must be a section header when sectioning is used.
Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added to shorewall.conf and shorewall6.conf. That setting determines the Netfilter table (filter or mangle) where the accounting rules are added. When ACCOUNTING_TABLE=mangle is specified, the available sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.
Section headers have the form shown in the sample below: ?SECTION section-name.
When sections are enabled:
You must jump to a user-defined accounting chain before you can add rules to that chain. This eliminates loops and unreferenced chains.
You may not specify an output interface in the PREROUTING and INPUT sections.
In the OUTPUT and POSTROUTING sections:
You may not specify an input interface.
You may not jump to a chain defined in the INPUT or PREROUTING sections that specifies an input interface.
You may not specify a MAC address.
You may not jump to a chain defined in the INPUT or PREROUTING section that specifies a MAC address.
The default value of the CHAIN column is:
accountin in the INPUT section
accountout in the OUTPUT section
accountfwd in the FORWARD section
accountpre in the PREROUTING section
accountpost in the POSTROUTING section
Traffic addressed to the firewall goes through the rules defined in the INPUT section. Traffic originating on the firewall goes through the rules defined in the OUTPUT section. Traffic being forwarded through the firewall goes through the rules in the FORWARD section.
Here is a sample sectioned file that uses Per-IP Accounting. In this example, the dmz net corresponds to a vserver zone, so it lives on the firewall itself.
#ACTION                     CHAIN   SOURCE   DEST     PROTO   DPORT   SPORT   USER   MARK   IPSEC
?SECTION INPUT
ACCOUNT(fw-net,$FW_NET)     -       COM_IF
ACCOUNT(dmz-net,$DMZ_NET)   -       COM_IF
?SECTION OUTPUT
ACCOUNT(fw-net,$FW_NET)     -       -        COM_IF
ACCOUNT(dmz-net,$DMZ_NET)   -       -        COM_IF
?SECTION FORWARD
ACCOUNT(loc-net,$INT_NET)   -       COM_IF   INT_IF
ACCOUNT(loc-net,$INT_NET)   -       INT_IF   COM_IF
Integrating Shorewall Accounting with Collectd Sergiusz Pawlowicz has written a nice article that shows how to integrate Shorewall Accounting with collectd to produce nice graphs of traffic activity. The article may be found at http://collectd.org/wiki/index.php/Plugin:IPTables.
Per-IP Accounting
Shorewall 4.4.17 added support for per-IP accounting using the ACCOUNT target (the target and the iptaccount tool both come from xtables-addons, which must be installed). Per-IP accounting is configured in shorewall-accounting (5) (it is currently not supported in IPv6). In the ACTION column, enter:
ACCOUNT(table,network)
where table is the name of an accounting table (you choose the name). All rules specifying the same table will have their per-IP counters accumulated in that table. network is an IPv4 network in CIDR notation. The network can be as large as a /8 (class A).
One nice feature of per-IP accounting is that the counters survive shorewall restart. This has a downside, however. If you change the network associated with an accounting table, then you must shorewall stop; shorewall start to have a successful restart (counters will be cleared).
Example: Suppose your WAN interface is eth0 and your LAN interface is eth1 with network 172.20.1.0/24. To account for all traffic between the WAN and LAN interfaces:
#ACTION                          CHAIN   SOURCE   DEST   PROTO   DPORT   SPORT   USER   MARK   IPSEC
ACCOUNT(net-loc,172.20.1.0/24)   -       eth0     eth1
ACCOUNT(net-loc,172.20.1.0/24)   -       eth1     eth0
This will create a net-loc table for counting packets and bytes for traffic between the two interfaces. The table is dumped using the iptaccount utility (part of xtables-addons):
iptaccount [-f] -l net-loc
Example:

    gateway:~# iptaccount -l net-loc
    libxt_ACCOUNT_cl userspace accounting tool v1.3
    Showing table: net-loc
    Run #0 - 3 items found
    IP: 172.20.1.105 SRC packets: 115 bytes: 131107 DST packets: 68 bytes: 20045
    IP: 172.20.1.131 SRC packets: 47 bytes: 12729 DST packets: 38 bytes: 25304
    IP: 172.20.1.145 SRC packets: 20747 bytes: 2779676 DST packets: 27050 bytes: 32286071
    Finished.
    gateway:~#

For each local IP address with non-zero counters, the packet and byte count for both incoming traffic (IP is DST) and outgoing traffic (IP is SRC) are listed. The -f option causes the table to be flushed (reset all counters to zero) after printing.
For a command synopsis: iptaccount --help
/sbin/shorewall also supports a show ipa command (this is from my own gateway just after I flushed the counters using iptaccount -f -l):

    gateway:~# shorewall show ipa
    Shorewall 4.4.18-Beta1 per-IP Accounting at gateway - Thu Feb 10 13:28:37 PST 2011

    Showing table: loc-net
    IP: 172.20.1.146 SRC packets: 9 bytes: 574 DST packets: 9 bytes: 770

    Showing table: dmz-net
    IP: 70.90.191.124 SRC packets: 243 bytes: 23726 DST packets: 248 bytes: 39036
    IP: 70.90.191.125 SRC packets: 73 bytes: 10640 DST packets: 73 bytes: 4846

    Showing table: fw-net
    IP: 70.90.191.121 SRC packets: 0 bytes: 0 DST packets: 4 bytes: 243
    IP: 70.90.191.122 SRC packets: 11 bytes: 1338 DST packets: 8 bytes: 5465
    IP: 70.90.191.123 SRC packets: 42 bytes: 4604 DST packets: 44 bytes: 10662
    gateway:~#
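The per-IP tables are most useful once you can ask questions like "which LAN host moved the most bytes" across all tables at once. The following is an added example written for this article, not Shorewall or xtables-addons code: it parses the `IP: ... SRC packets: ... DST packets: ...` lines that both `iptaccount -l` and `shorewall show ipa` print, keeps them grouped by table, and ranks hosts by total traffic. SAMPLE is a constructed copy of the show ipa output above; the function names are this example's own.

```python
"""Parse 'shorewall show ipa' / 'iptaccount -l <table>' output and rank hosts.

Added example for this article; not part of Shorewall or xtables-addons.
SAMPLE is a constructed copy of the 'shorewall show ipa' output shown above.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
Shorewall 4.4.18-Beta1 per-IP Accounting at gateway - Thu Feb 10 13:28:37 PST 2011

Showing table: loc-net
IP: 172.20.1.146 SRC packets: 9 bytes: 574 DST packets: 9 bytes: 770

Showing table: dmz-net
IP: 70.90.191.124 SRC packets: 243 bytes: 23726 DST packets: 248 bytes: 39036
IP: 70.90.191.125 SRC packets: 73 bytes: 10640 DST packets: 73 bytes: 4846
Finished.
"""

# One host line.  SRC = traffic where this host was the source (outbound),
# DST = traffic where it was the destination (inbound).
_LINE = re.compile(
    r"IP:\s+(?P<ip>\S+)\s+SRC packets:\s+(?P<sp>\d+)\s+bytes:\s+(?P<sb>\d+)"
    r"\s+DST packets:\s+(?P<dp>\d+)\s+bytes:\s+(?P<db>\d+)$"
)

Counters = Dict[str, int]               # src_pkts, src_bytes, dst_pkts, dst_bytes


def parse_ipa(text: str) -> Dict[str, Dict[str, Counters]]:
    """Return {table: {ip: counters}}.  Banner, 'Run #n', blank and
    'Finished.' lines are skipped; host lines before any table header too."""
    tables: Dict[str, Dict[str, Counters]] = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Showing table:"):
            table = line.split(":", 1)[1].strip()
            tables.setdefault(table, {})
            continue
        m = _LINE.match(line)
        if m is None or table is None:
            continue
        tables[table][m["ip"]] = {
            "src_pkts": int(m["sp"]), "src_bytes": int(m["sb"]),
            "dst_pkts": int(m["dp"]), "dst_bytes": int(m["db"]),
        }
    return tables


def table_totals(tables: Dict[str, Dict[str, Counters]]) -> Dict[str, int]:
    """Total bytes (both directions) per accounting table."""
    return {t: sum(c["src_bytes"] + c["dst_bytes"] for c in hosts.values())
            for t, hosts in tables.items()}


def top_talkers(tables: Dict[str, Dict[str, Counters]],
                n: int = 3) -> List[Tuple[str, str, int]]:
    """(table, ip, bytes in both directions), largest first."""
    rows = [(t, ip, c["src_bytes"] + c["dst_bytes"])
            for t, hosts in tables.items() for ip, c in hosts.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)[:n]


if __name__ == "__main__":
    parsed = parse_ipa(SAMPLE)
    for table, total in table_totals(parsed).items():
        print(f"{table}: {total} bytes")
    for table, ip, total in top_talkers(parsed):
        print(f"{table} {ip} {total}")
```

Because the ACCOUNT counters survive shorewall restart but not a stop/start, run this against `shorewall show ipa` (or `iptaccount -l` per table) before any maintenance that stops the firewall if you need the numbers.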
Accounting using nfacct
Beginning with the 3.3 kernels, Netfilter supports a form of accounting (nfacct) that is triggered by iptables rules but that survives purging and/or reloading the Netfilter ruleset. Shorewall support for this form of accounting was added in Shorewall 4.5.7. Use of this feature requires that the nfacct utility be installed. The nfacct utility can create, delete and display nfacct objects. These named objects consist of a packet and a byte counter. Packets matching those Netfilter rules that use the nfacct match cause the packet and byte count in the object named in the match to be incremented. To use nfacct with Shorewall, use the NFACCT target. See shorewall-accounting(5) for details. The shorewall show nfacct command is a thin wrapper around the nfacct list command.
Preserving Counters over Restart and Reboot
Beginning with Shorewall 4.6.5, it is possible to preserve all ip[6]tables packet and byte counters over restarts and reboots through use of the -C option. This option is available in several commands:
save: Causes the packet and byte counters to be saved along with the chains and rules.
restore: Causes the packet and byte counters (if saved) to be restored along with the chains and rules. If your iptables ruleset depends on variables that are detected at run-time, either in your params file or by Shorewall-generated code, restore will use the values that were detected when the ruleset was saved, which may be different from the current values.
start: With Shorewall and Shorewall6, the -C option only has an effect if the option that restores a previously-saved configuration is also specified. If a previously-saved configuration is restored, then the packet and byte counters (if saved) will be restored along with the chains and rules. The same caveat as for restore applies: run-time-detected variables take the values that were detected when the ruleset was saved, which may be different from the current values.
restart: If an existing compiled script is used (no recompilation required) and if that script generated the current running configuration, then the current Netfilter configuration is reloaded as is, so as to preserve the current packet and byte counters. Run-time-detected variables keep the values that were detected when the ruleset was previously started, which may be different from the current values.
If you wish to (approximately) preserve the counters over a possibly unexpected reboot, then:
Create a cron job that periodically executes shorewall save -C.
Specify the -C option, together with the option that restores the saved configuration, in the STARTOPTIONS variable in either /etc/default/shorewall (/etc/default/shorewall6, etc.) or /etc/sysconfig/shorewall (/etc/sysconfig/shorewall6, etc.), whichever is supported by your distribution. Note that not all distributions include these files, so you may have to create the one(s) you need.
shorewall-docs-xml-5.2.3/samba.xml
Samba/SMB Tom Eastep 2002-2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
If you wish to run Samba on your firewall and access shares between the firewall and local hosts, you need the following rules:
#ACTION       SOURCE   DEST   PROTO   DPORT   SPORT
SMB(ACCEPT)   $FW      loc
SMB(ACCEPT)   loc      $FW
To pass SMB/Samba traffic between zones Z1 and Z2:
#ACTION       SOURCE   DEST   PROTO   DPORT   SPORT
SMB(ACCEPT)   Z1       Z2
SMB(ACCEPT)   Z2       Z1
These rules are intended for zones you control; do not write them with net as the SOURCE, since SMB should not be reachable from the Internet. To make network browsing (Network Neighborhood) work properly between Z1 and Z2 requires a Windows Domain Controller and/or a WINS server. I have run Samba on my firewall to handle browsing between two zones connected to my firewall.
When debugging Samba/SMB problems, I recommend that you do the following:
Copy action.Drop and action.Reject from /usr/share/shorewall to /etc/shorewall.
Edit the copies and remove the SMB(DROP) and SMB(REJECT) lines.
shorewall restart
The above steps will cause SMB traffic that is dropped or rejected by policy to be logged rather than handled silently. If you are using Windows XP to test your setup, make sure you have a properly configured client firewall. You can just remove the copies and shorewall restart when you are finished debugging.
shorewall-docs-xml-5.2.3/NewRelease.xml
Shorewall Release Model Tom Eastep 2011 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Identification Shorewall releases are identified by three numbers separated by periods (e.g., 4.4.16). The first two digits (e.g., 4.4) specify the major release number. The third number (e.g., 16) is the minor release number.
Release Schedule Traditionally, major releases have occurred roughly every two years, but as Shorewall has matured, new enhancements are routinely released in minor releases. Minor releases occur every 4 to 6 weeks. If a defect is discovered in a minor release for which there is no easy workaround or which can affect a large number of users, a bug-fix or point release is made. New minor and point releases are announced on the Shorewall Announcements mailing list and on the Shorewall Users mailing list. Current release information is also available on the Shorewall Home Page.
Beta Releases and Release Candidates Beta releases have their three-number identification followed by "-BetaN" (e.g., 4.4.17-Beta3). Beta releases are made approximately weekly and are announced on the Shorewall Development mailing list and on the Shorewall Users mailing list. At the point where the new features in a release are frozen, the Beta releases give way to release candidates. These have the three-number identification followed by "-RCN" (e.g., 4.4.17-RC1). They are announced in the same way as the betas.
shorewall-docs-xml-5.2.3/FAQ.xml
Shorewall FAQs Shorewall Community Tom Eastep 2001-2016 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License . This article applies to Shorewall 4.4 and later. If you are running a version of Shorewall earlier than Shorewall 4.4.0 then please see the documentation for that release.
Installing Shorewall
Where do I find Step by Step Installation and Configuration Instructions? Answer: Check out the QuickStart Guides.
(FAQ 92) There are lots of Shorewall packages; which one(s) do I install? Answer: When first installing Shorewall 4.4.0 or later, you must install the shorewall package. If you want to configure an IPv6 firewall, you must also install shorewall6. Beginning with Shorewall 4.5, you must first install the shorewall-core package.
(FAQ 92a) Someone once told me to install shorewall-perl; anything to that? Answer: That was good advice in Shorewall 4.2 and earlier. In those releases, there were two packages that provided the basic firewalling functionality: shorewall-shell and shorewall-perl. Beginning with Shorewall 4.4.0, shorewall-shell is discontinued and shorewall-perl is renamed shorewall.
(FAQ 37) I just installed Shorewall on Debian and the /etc/shorewall directory is almost empty!!! Answer: Once you have installed the .deb package and before you attempt to configure Shorewall, please heed the advice of Lorenzo Martignoni, former Shorewall Debian Maintainer: For more information about Shorewall usage on Debian system please look at /usr/share/doc/shorewall-common/README.Debian provided by [the] shorewall-common Debian package. If you install using the .deb, you will find that your /etc/shorewall directory is almost empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall-common/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies.
(FAQ 37a) I just installed Shorewall on Debian and I can't find the sample configurations. Answer: Beginning with Shorewall 4.4, the samples are in the shorewall package and are installed in /usr/share/doc/shorewall/examples/.
(FAQ 14) I can't find the Shorewall 4.4 shorewall-common, shorewall-shell and shorewall-perl packages. Where are they? Answer: In Shorewall 4.4, the shorewall-shell package was discontinued. The shorewall-common and shorewall-perl packages were combined to form a single shorewall package. In Shorewall 4.5, the shorewall-core package was added and all of the other packages depend on shorewall-core.
Upgrading Shorewall
(FAQ 66) I'm trying to upgrade to Shorewall 4.x; which of these packages do I need to install? Answer: Please see the upgrade issues.
(FAQ 34) I am trying to upgrade to Shorewall 4.4 and I can't find the shorewall-common, shorewall-shell and shorewall-perl packages. Where are they? Answer: In Shorewall 4.4, the shorewall-shell package was discontinued. The shorewall-common and shorewall-perl packages were combined to form a single shorewall package. For further information, please see the upgrade issues.
(FAQ 34a) I am trying to upgrade to Shorewall 4.4 and I'm getting errors when I try to start Shorewall. Where can I find information about these issues? Answer: Please see the upgrade issues.
(FAQ 34b) I am trying to upgrade to Shorewall 4.4 and I'm seeing warning messages when I try to start Shorewall. Where can I find information about these issues? Answer: Please see the upgrade issues.
(FAQ 76) I just upgraded my system and now masquerading doesn't work? What happened? Answer: This happens to people who ignore our advice and allow the installer to replace their working /etc/shorewall/shorewall.conf with one that has default settings. Failure to forward traffic (such as during masqueraded net access from a local network) usually means that /etc/shorewall/shorewall.conf contains the default setting IP_FORWARDING=Keep; it should be IP_FORWARDING=On. Update: Beginning with Shorewall 4.4.21, there is a shorewall update command that does a smart merge of your existing shorewall.conf and the new one.
Port Forwarding (Port Redirection)
(FAQ 1) I want to forward UDP port 7777 to my personal PC with IP address 192.168.1.5. I've looked everywhere and can't find how to do it. Answer: The format of a port-forwarding rule from the net to a local system is as follows:

    #ACTION   SOURCE   DEST                                  PROTO      DPORT
    DNAT      net      loc:local-IP-address[:local-port]     protocol   port-number

So to forward UDP port 7777 to internal system 192.168.1.5, the rule is:

    #ACTION   SOURCE   DEST              PROTO   DPORT
    DNAT      net      loc:192.168.1.5   udp     7777

If you want to forward requests directed to a particular address (external-IP) on your firewall to an internal system:

    #ACTION   SOURCE   DEST                                  PROTO      DPORT         SPORT   ORIGDEST
    DNAT      net      loc:local-IP-address[:local-port]     protocol   port-number   -       external-IP

If you want to forward requests from a particular Internet address (address):

    #ACTION   SOURCE        DEST                                  PROTO      DPORT         SPORT   ORIGDEST
    DNAT      net:address   loc:local-IP-address[:local-port]     protocol   port-number   -

Finally, if you need to forward a range of ports, in the DPORT (DEST PORT) column specify the range as low-port:high-port. The above does not work for forwarding from the local network. If you want to do that, see FAQ 2.
(FAQ 1a) Okay -- I followed those instructions but it doesn't work. Answer: That is usually the result of one of five things:

1. You are trying to redirect a UDP port and there is already a conntrack table entry for the flow, created via an ACCEPT rule. Example:

    DNAT   loc:192.168.0.2   dmz:192.168.1.3   udp   53

   Assuming that you have installed the conntrack package, you can delete all such conntrack table entries using:

    conntrack -D -s 192.168.0.2 -p udp --dport 53

2. You are trying to test from inside your firewall (no, that won't work -- see ).
3. You have a more basic problem with your local system (the one that you are trying to forward to) such as an incorrect default gateway (it must be set to the IP address of your firewall's internal interface; if that isn't possible for some reason, see FAQ 1f).
4. Your ISP is blocking that particular port inbound or, for TCP, your ISP is dropping the outbound SYN,ACK response.
5. You are running Mandriva Linux prior to 10.0 final and have configured Internet Connection Sharing. In that case, the name of your local zone is 'masq' rather than 'loc' (change all instances of 'loc' to 'masq' in your rules). You may want to consider re-installing Shorewall in a configuration which matches the Shorewall documentation. See the two-interface QuickStart Guide for details.
(FAQ 1b) I'm still having problems with port forwarding. Answer: To further diagnose this problem:

1. As root, type shorewall reset (shorewall-lite reset, if you are running Shorewall Lite). This clears all Netfilter counters.
2. Try to connect to the redirected port from an external host.
3. As root, type shorewall show nat (shorewall-lite show nat, if you are running Shorewall Lite). Locate the appropriate DNAT rule. It will be in a chain called <source zone>_dnat (net_dnat in the above examples).
4. Is the packet count in the first column non-zero? If so, the connection request is reaching the firewall and is being redirected to the server. In this case, the problem is usually a missing or incorrect default gateway setting on the local system (the system you are trying to forward to -- its default gateway must be the IP address of the firewall's interface to that system unless you use the hack described in FAQ 1f).
5. If the packet count is zero, one of the following applies:
   - the connection request is not reaching your server (possibly it is being blocked by your ISP); or
   - you are trying to connect to a secondary IP address on your firewall and your rule is only redirecting the primary IP address (you need to specify the secondary IP address in the ORIGDEST column in your DNAT rule); or
   - your DNAT rule doesn't match the connection request in some other way. In that case, you may have to use a packet sniffer such as tcpdump or Wireshark to further diagnose the problem; or
   - the traffic is entering your firewall on a different interface (interfaces reversed in /etc/shorewall/interfaces?).
6. If the packet count is non-zero, check your log to see if the connection is being dropped or rejected. If it is, then you may have a zone definition problem such that the server is in a different zone than what is specified in the DEST column. At a root prompt, type "shorewall show zones" ("shorewall-lite show zones") then be sure that in the DEST column you have specified the first zone in the list that matches OUT=<dev> and DEST=<ip> from the REJECT/DROP log message.

If everything seems to be correct according to these tests but the connection doesn't work, it may be that your ISP is blocking SYN,ACK responses. This technique allows your ISP to detect when you are running a server (usually in violation of your service agreement) and to stop connections to that server from being established.
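As an added example (a script written for this FAQ, not part of Shorewall), the packet-counter check in steps 3 to 6 can be done by a small POSIX shell function. It reads the output of shorewall show nat (which is iptables -t nat -L -n -v output) on standard input, finds the DNAT rule for a given chain, protocol and destination port, and turns the counter into the next diagnostic step. The listing embedded in it is constructed sample output in the layout iptables prints; the chain and rule names match the examples in FAQ 1 and FAQ 1c.

```shell
#!/bin/sh
# Added example for FAQ 1b, not from the Shorewall FAQ itself.
# Reads `shorewall show nat` output (iptables -t nat -L -n -v) from stdin and
# reports the packet counter of the DNAT rule for CHAIN PROTO DPORT.

# dnat_pkts CHAIN PROTO DPORT   (listing on stdin)
# Prints the pkts column of the first matching DNAT rule, nothing if absent.
dnat_pkts() {
    awk -v chain="$1" -v proto="$2" -v dport="$3" '
        /^Chain /  { inchain = ($2 == chain); next }
        inchain && $3 == "DNAT" && $4 == proto && $0 ~ ("dpt:" dport "( |$)") {
            print $1; exit
        }'
}

# dnat_diagnosis CHAIN PROTO DPORT   (listing on stdin)
# Maps the counter to the next step FAQ 1b tells you to take.
dnat_diagnosis() {
    pkts=$(dnat_pkts "$@")
    case $pkts in
        "") printf '%s\n' "missing: no DNAT rule for $2 dport $3 in chain $1; check the rules file and the source zone name" ;;
        0)  printf '%s\n' "zero: the rule never matched; suspect ISP filtering, a wrong ORIGDEST, or traffic arriving on another interface" ;;
        *)  printf '%s\n' "forwarded: the rule matched $pkts packets; check the server's default gateway and the log for DROP/REJECT" ;;
    esac
}

# Constructed sample listing (not real output), in the layout iptables uses.
SAMPLE_NAT='Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:7777 to:192.168.1.5
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1022 to:192.168.1.3:22

Chain loc_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  *      *       0.0.0.0/0            130.151.100.69       tcp dpt:80 to:192.168.1.5'

# Stand-alone use on a real system, after `shorewall reset` and a test connection:
#   shorewall show nat | dnat_diagnosis net_dnat udp 7777
printf '%s\n' "$SAMPLE_NAT" | dnat_diagnosis net_dnat udp 7777
printf '%s\n' "$SAMPLE_NAT" | dnat_diagnosis net_dnat tcp 1022
```

The awk match anchors on the chain header, the DNAT target, the protocol column and the dpt: match, so a rule for port 80 is not confused with one for port 8080. If your rule carries an ORIGDEST, it shows up in the destination column (as in the loc_dnat sample), which is the column to compare against the address you actually connected to.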
(FAQ 1c) From the Internet, I want to connect to port 1022 on my firewall and have the firewall forward the connection to port 22 on local system 192.168.1.3. How do I do that? Answer: In /etc/shorewall/rules:

    #ACTION   SOURCE   DEST                 PROTO   DPORT
    DNAT      net      loc:192.168.1.3:22   tcp     1022
(FAQ 1d) I have a web server in my DMZ and I use port forwarding to make that server accessible from the Internet. That works fine but when my local users try to connect to the server using the Firewall's external IP address, it doesn't work. Answer: See FAQ 2b.
(FAQ 1e) In order to discourage brute force attacks I would like to redirect all connections on a non-standard port (4104) to port 22 on the router/firewall. I notice that setting up a REDIRECT rule causes the firewall to open both ports 4104 and 22 to connections from the net. Is it possible to only redirect 4104 to the localhost port 22 and have connection attempts to port 22 from the net dropped? On systems with the "Extended Conntrack Match" (NEW_CONNTRACK_MATCH) capability (see the output of shorewall show capabilities), port 22 is opened only to connections whose original destination port is 4104 and this FAQ does not apply. Answer courtesy of Ryan: Assume that the IP address of your local firewall interface is 192.168.1.1. If you configure SSHD to only listen on that address and add the following rule, then you will have access on port 4104 from the net and on port 22 from your LAN.

    #ACTION   SOURCE   DEST                PROTO   DPORT
    DNAT      net      fw:192.168.1.1:22   tcp     4104
(FAQ 1f) Why must the server that I port forward to have its default gateway set to my Shorewall system's IP address? Answer: Let's take an example. Suppose that:

- Your Shorewall firewall's external IP address is 206.124.146.176 (eth0) and its internal IP address is 192.168.1.1 (eth1).
- You have another gateway router with external IP address 130.252.100.109 and internal IP address 192.168.1.254.
- You have an FTP server behind both routers with IP address 192.168.1.4. The FTP server's default gateway is through the second router (192.168.1.254).
- You have this rule on the Shorewall system:

    #ACTION   SOURCE   DEST              PROTO   DPORT   SPORT   ORIGDEST
    DNAT      net      loc:192.168.1.4   tcp     21      -       206.124.146.176

- Internet host 16.105.221.4 issues the command ftp 206.124.146.176.

This results in the following sequence of events:

1. 16.105.221.4 sends a TCP SYN packet to 206.124.146.176 specifying destination port 21.
2. The Shorewall box rewrites the destination IP address to 192.168.1.4 and forwards the packet.
3. The FTP server receives the packet and accepts the connection, generating a SYN,ACK packet back to 16.105.221.4. Because the server's default gateway is through the second router, it sends the packet to that router.
4. At this point, one of two things can happen. Either the second router discards or rejects the packet; or, it rewrites the source IP address to 130.252.100.109 and forwards the packet back to 16.105.221.4.

Regardless of which happens, the connection is doomed. Clearly if the packet is rejected or dropped, the connection will not be successful. But even if the packet reaches 16.105.221.4, that host will reject it since its SOURCE IP address (130.252.100.109) doesn't match the DESTINATION IP ADDRESS (206.124.146.176) of the original SYN packet. The best way to work around this problem is to change the default gateway on the FTP server to the Shorewall system's internal IP address (192.168.1.1).

But if that isn't possible, you can work around the problem with the following ugly hack in /etc/shorewall/masq:

    #INTERFACE         SOURCE      ADDRESS       PROTO   PORT
    eth1:192.168.1.4   0.0.0.0/0   192.168.1.1   tcp     21

When running Shorewall 5.0.14 or later, the equivalent /etc/shorewall/snat file is:

    #ACTION             SOURCE      DEST               PROTO   PORT
    SNAT(192.168.1.1)   0.0.0.0/0   eth1:192.168.1.4   tcp     21

This rule has the undesirable side effect of making all FTP connections from the net appear to the FTP server as if they originated on the Shorewall system. But it will force the FTP server to reply back through the Shorewall system, which can then rewrite the SOURCE IP address in the responses properly.
(FAQ 1g) I would like to redirect port 80 on my public IP address (206.124.146.176) to port 993 on Internet host 66.249.93.111. Answer: This requires a vile hack similar to the one in FAQ 2. Assuming that your Internet zone is named net and connects on interface eth0:

In /etc/shorewall/rules:

    #ACTION   SOURCE   DEST                    PROTO   DPORT   SPORT   ORIGDEST
    ?SECTION ALL
    ?SECTION ESTABLISHED
    ?SECTION RELATED
    ?SECTION INVALID
    ?SECTION UNTRACKED
    ?SECTION NEW
    DNAT      net      net:66.249.93.111:993   tcp     80      -       206.124.146.176

In /etc/shorewall/interfaces, specify the routeback option on eth0:

    ?FORMAT 2
    #ZONE   INTERFACE   OPTIONS
    net     eth0        routeback

In /etc/shorewall/masq:

    #INTERFACE           SOURCE      ADDRESS           PROTO   PORT
    eth0:66.249.93.111   0.0.0.0/0   206.124.146.176   tcp     993

When running Shorewall 5.0.14 or later, the equivalent /etc/shorewall/snat file is:

    #ACTION                 SOURCE      DEST                 PROTO   PORT
    SNAT(206.124.146.176)   0.0.0.0/0   eth0:66.249.93.111   tcp     993

and in /etc/shorewall/shorewall.conf:

    IP_FORWARDING=On

Like the hack in FAQ 2, this one results in all forwarded connections looking to the server (66.249.93.111) as if they originated on your firewall (206.124.146.176).
(FAQ 1h) How do I set Shorewall to allow ssh on port 9022 from net? SSHD is listening on port 22. Answer: Use this rule.

    #ACTION    SOURCE   DEST   PROTO   DPORT
    REDIRECT   net      22     tcp     9022

Note that the above rule will also allow connections from the net on TCP port 22. If you don't want that, see FAQ 1e.
(FAQ 1j) Why doesn't this DNAT rule work? I added this rule but I'm still seeing the log message below.

    RULE: DNAT   scnet:172.19.41.2   dmz0:10.199.198.145   udp   2055

    LOG: Sep 21 12:55:37 fw001 kernel: [10357687.114928] Shorewall:scnet2fw:DROP:IN=eth2 OUT= MAC=00:26:33:dd:aa:05:00:24:f7:19:ce:44:08:00 SRC=172.19.41.2 DST=172.19.1.1 LEN=1492 TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472

Answer: There was already a conntrack entry for the failing connection before you added the rule. Install the conntrack utility program and use it to delete the entry for the flow shown in the log message (source, destination, protocol and both ports):

    conntrack -D -s 172.19.41.2 -d 172.19.1.1 -p udp --sport 6376 --dport 2055
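The fix in FAQ 1a and FAQ 1j is the same: delete the stale conntrack entry for exactly the flow named in the log message. As an added example (written for this FAQ, not part of Shorewall or conntrack-tools), the POSIX shell function below pulls the SRC, DST, PROTO, SPT and DPT fields out of a Shorewall log line and prints the matching conntrack -D command. It does not run the command; the sample log lines are constructed, the first from the FAQ 1j message and the second an ICMP entry with RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the Shorewall FAQ): derive the conntrack(8) delete
# command for the flow named in a Shorewall DROP/REJECT log line. The command
# is only printed; review it and run it as root yourself.

# logfield LINE KEY -> value of "KEY=value" in a Netfilter log line ("" if absent)
logfield() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# conntrack_cmd_from_log LINE -> prints the conntrack -D command; returns 1 if
# the line lacks the SRC/DST/PROTO fields a conntrack lookup needs.
conntrack_cmd_from_log() {
    src=$(logfield "$1" SRC)
    dst=$(logfield "$1" DST)
    proto=$(logfield "$1" PROTO | tr 'A-Z' 'a-z')
    spt=$(logfield "$1" SPT)
    dpt=$(logfield "$1" DPT)
    [ -n "$src" ] && [ -n "$dst" ] && [ -n "$proto" ] || return 1
    cmd="conntrack -D -s $src -d $dst -p $proto"
    # ICMP and other port-less protocols carry no SPT/DPT fields
    [ -n "$spt" ] && cmd="$cmd --sport $spt"
    [ -n "$dpt" ] && cmd="$cmd --dport $dpt"
    printf '%s\n' "$cmd"
}

# Constructed samples: the FAQ 1j message, and an ICMP echo request with
# documentation-range addresses (RFC 5737), which has no port fields.
UDP_LOG='Sep 21 12:55:37 fw001 kernel: [10357687.114928] Shorewall:scnet2fw:DROP:IN=eth2 OUT= MAC=00:26:33:dd:aa:05:00:24:f7:19:ce:44:08:00 SRC=172.19.41.2 DST=172.19.1.1 LEN=1492 TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472'
ICMP_LOG='Sep 21 12:56:01 fw001 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=4 PROTO=ICMP TYPE=8 CODE=0'

conntrack_cmd_from_log "$UDP_LOG"    # conntrack -D -s 172.19.41.2 -d 172.19.1.1 -p udp --sport 6376 --dport 2055
conntrack_cmd_from_log "$ICMP_LOG"   # conntrack -D -s 192.0.2.10 -d 198.51.100.1 -p icmp
```

Paste a line from your own log as the argument (quoted) to get the exact command for that flow. Deleting only the one entry, rather than flushing the whole table with conntrack -F, avoids breaking every other established connection through the firewall.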
(FAQ 30) I'm confused about when to use DNAT rules and when to use ACCEPT rules. Answer: It would be a good idea to review the QuickStart Guide appropriate for your setup; the guides cover this topic in a tutorial fashion. DNAT rules should be used for connections that need to go the opposite direction from SNAT/MASQUERADE. So if you masquerade or use SNAT from your local network to the Internet then you will need to use DNAT rules to allow connections from the Internet to your local network. If you use both 1:1 NAT and SNAT/MASQUERADE, those connections that are subject to 1:1 NAT should use ACCEPT rather than DNAT. Note, however, that DNAT can be used to override 1:1 NAT so as to redirect a connection to a different internal system or port than would be the case using 1:1 NAT. You also want to use DNAT rules when you intentionally want to rewrite the destination IP address or port number. In all other cases, you use ACCEPT unless you need to hijack connections as they go through your firewall and handle them on the firewall box itself; in that case, you use a REDIRECT rule. The preceding answer should not be interpreted to mean that DNAT can only be used in conjunction with SNAT. But in common configurations using private local addresses, that is the most common usage.
(FAQ 8) I have several external IP addresses and use /etc/shorewall/nat to associate them with systems in my DMZ. When I add a DNAT rule, say for ports 80 and 443, Shorewall redirects connections on those ports for all of my addresses. How can I restrict DNAT to only a single address? Answer: Specify the external address that you want to redirect in the ORIGDEST column. Example:

    #ACTION   SOURCE   DEST               PROTO   DPORT    SPORT   ORIGDEST
    DNAT      net      net:192.168.4.22   tcp     80,443   -       206.124.146.178
(FAQ 38) Where can I find more information about DNAT? Answer: Ian Allen has written a Paper about DNAT and Linux.
(FAQ 48) How do I Set up a Transparent HTTP Proxy with Shorewall? Answer: See Shorewall_Squid_Usage.html.
DNS and Port Forwarding/NAT
(FAQ 2) I port forward www requests to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse http://www.mydomain.com but internal clients can't. Answer: I have two objections to this setup. Having an Internet-accessible server in your local network is like raising foxes in the corner of your hen house. If the server is compromised, there's nothing between that server and your other internal systems. For the cost of another NIC and a cross-over cable, you can put your server in a DMZ such that it is isolated from your local systems - assuming that the Server can be located near the Firewall, of course :-) The accessibility problem is best solved using Split DNS (either use a separate DNS server for local clients or use Bind Version 9 views on your main name server) such that www.mydomain.com resolves to 130.151.100.69 externally and 192.168.1.5 internally. I use a separate DNS server (dnsmasq) here at shorewall.net. So the best and most secure way to solve this problem is to move your Internet-accessible server(s) to a separate LAN segment with its own interface to your firewall and follow FAQ 2b. That way, your local systems are still safe if your server gets hacked and you don't have to run a split DNS configuration (separate server or Bind 9 views). If physical limitations make it impractical to segregate your servers on a separate LAN, the next best solution is to use Split DNS. Before you complain "It's too hard to set up split DNS!", check here. If you really want to route traffic between two internal systems through your firewall, then proceed as described below. All traffic redirected through use of this technique will look to the server as if it originated on the firewall rather than on the original client! So the server's access logs will be useless for determining which local hosts are accessing the server.
Assuming that your external interface is eth0 and your internal interface is eth1 and that eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, then:

In /etc/shorewall/interfaces:

    ?FORMAT 2
    #ZONE   INTERFACE   OPTIONS
    loc     eth1        routeback

In /etc/shorewall/masq:

    #INTERFACE         SOURCE           ADDRESS         PROTO   PORT
    eth1:192.168.1.5   192.168.1.0/24   192.168.1.254   tcp     www

When running Shorewall 5.0.14 or later, the corresponding /etc/shorewall/snat file is:

    #ACTION               SOURCE           DEST               PROTO   PORT
    SNAT(192.168.1.254)   192.168.1.0/24   eth1:192.168.1.5   tcp     www

Note: The technique described here is known as hairpinning NAT and is described in section 6 of RFC 4787. In that RFC, it is required that the external IP address be used as the source:

    #INTERFACE         SOURCE           ADDRESS          PROTO   PORT
    eth1:192.168.1.5   192.168.1.0/24   130.151.100.69   tcp     www

Equivalent /etc/shorewall/snat:

    #ACTION                SOURCE           DEST               PROTO   PORT
    SNAT(130.151.100.69)   192.168.1.0/24   eth1:192.168.1.5   tcp     www

In /etc/shorewall/rules:

    #ACTION   SOURCE   DEST              PROTO   DPORT   SPORT   ORIGDEST
    ?SECTION ALL
    ?SECTION ESTABLISHED
    ?SECTION RELATED
    ?SECTION INVALID
    ?SECTION UNTRACKED
    ?SECTION NEW
    DNAT      loc      loc:192.168.1.5   tcp     www     -       130.151.100.69

That rule (and the second masq/snat entry above, the one using the external address) only works of course if you have a static external IP address. If you have a dynamic IP address then make your DNAT rule:

    #ACTION   SOURCE   DEST              PROTO   DPORT   SPORT   ORIGDEST
    ?SECTION ALL
    ?SECTION ESTABLISHED
    ?SECTION RELATED
    ?SECTION INVALID
    ?SECTION UNTRACKED
    ?SECTION NEW
    DNAT      loc      loc:192.168.1.5   tcp     www     -       &eth0

Using this technique, you will want to configure your DHCP/PPPoE/PPTP/… client to automatically reload Shorewall each time that you get a new IP address. If your local interface is a bridge, see FAQ 2e for additional configuration steps.
(FAQ 2a) I have a zone "Z" with an RFC1918 subnet and I use one-to-one NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot communicate with each other using their external (non-RFC1918) addresses so they can't access each other using their DNS names. If the ALL INTERFACES column in /etc/shorewall/nat is empty or contains Yes, you will also see log messages like the following when trying to access a host in Z from another host in Z using the destination host's public address:

    Oct 4 10:26:40 netgw kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.118.200 DST=192.168.118.210 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1342 DF PROTO=TCP SPT=1494 DPT=1491 WINDOW=17472 RES=0x00 ACK SYN URGP=0

Answer: This is another problem that is best solved using split DNS. It allows both external and internal clients to access a NATed host using the host's DNS name. Another good way to approach this problem is to switch from one-to-one NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and can be accessed externally and internally using the same address. If you don't like those solutions and prefer to route all Z->Z traffic through your firewall then:

- Set the routeback option on the interface to Z.
- Set the ALL INTERFACES column in the nat file to Yes.

Example: Zone: dmz, Interface: eth2, Subnet: 192.168.2.0/24, Address of server: 192.168.2.2

In /etc/shorewall/interfaces:

    ?FORMAT 2
    #ZONE   INTERFACE   OPTIONS
    dmz     eth2        routeback

In /etc/shorewall/masq:

    #INTERFACE         SOURCE
    eth2:192.168.2.2   192.168.2.0/24

When running Shorewall 5.0.14 or later, the equivalent /etc/shorewall/snat is:

    #ACTION      SOURCE           DEST
    MASQUERADE   192.168.2.0/24   eth2:192.168.2.2

In /etc/shorewall/nat, be sure that you have Yes in the ALL INTERFACES column.
(FAQ 2b) I have a web server in my DMZ and I use port forwarding to make that server accessible from the Internet as www.mydomain.com. That works fine but when my local users try to connect to www.mydomain.com, it doesn't work. Answer: Let's assume the following:

- External IP address is 206.124.146.176 on eth0 (www.mydomain.com).
- Server's IP address is 192.168.2.4.

You can enable access to the server from your local network using the firewall's external IP address by adding this rule:

    #ACTION   SOURCE   DEST              PROTO   DPORT   SPORT   ORIGDEST
    ?SECTION ALL
    ?SECTION ESTABLISHED
    ?SECTION RELATED
    ?SECTION INVALID
    ?SECTION UNTRACKED
    ?SECTION NEW
    DNAT      loc      dmz:192.168.2.4   tcp     80      -       206.124.146.176

If your external IP address is dynamic, then you must make your DNAT rule:

    #ACTION   SOURCE   DEST              PROTO   DPORT   SPORT   ORIGDEST
    ?SECTION ALL
    ?SECTION ESTABLISHED
    ?SECTION RELATED
    ?SECTION INVALID
    ?SECTION UNTRACKED
    ?SECTION NEW
    DNAT      loc      dmz:192.168.2.4   tcp     80      -       &eth0

With dynamic IP addresses, you probably don't want to use shorewall[-lite] save and shorewall[-lite] restore.
(FAQ 2c) I tried to apply the answer to FAQ 2 to my external interface and the net zone and it didn't work. Why? Answer: Did you set IP_FORWARDING=On in shorewall.conf?
(FAQ 2d) Does Shorewall support hairpinning NAT? Answer: Yes. In the case of simple masquerade/SNAT, see FAQ 2. For one-to-one (static), NAT, simply place 'Yes' in the ALL INTERFACES column of each entry in /etc/shorewall/nat.
(FAQ 2e) I have the situation in FAQ 2 but my local interface is a bridge and the solution in FAQ 2 doesn't work. Answer: Assume that the bridge is br0 and that eth2 is the bridge port that connects to the LAN containing 192.168.1.5. In addition to the steps in FAQ 2 (replacing eth1 with br0), you also need to:

1. Set the hairpin option on eth2:

    brctl hairpin br0 eth2 on

   On Debian and derivatives, you can place that command in /etc/network/interfaces as a post-up command:

    auto br0
    iface br0 inet static
        bridge_ports eth2
        bridge_fd 0
        bridge_maxwait 0
        address 192.168.1.1
        netmask 255.255.255.0
        post-up /sbin/brctl hairpin br0 eth2 on

2. Install ebtables if it is not already installed.
3. Be sure that all traffic going out of eth2 has the correct MAC address:

    ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source br0-MAC-address

   where br0-MAC-address is the MAC address of br0. Here's a working example of /etc/shorewall/start that executes the above command:

    if [ $(ebtables -t nat -L POSTROUTING | wc -l) -lt 4 ]; then
        ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source 0:19:21:d0:61:65
    fi
Blacklisting
(FAQ 63) I just blacklisted IP address 206.124.146.176 and I can still ping it. What did I do wrong? Answer: Nothing. Blacklisting an IP address blocks incoming traffic from that IP address. And if you set BLACKLISTNEWONLY=Yes in shorewall.conf, then only new connections from that address are disallowed; traffic from that address that is part of an established connection (such as ping replies) is allowed. Beginning with Shorewall 4.4.13, you can use the option in /etc/shorewall/interfaces to implement blacklisting by destination IP address. Beginning with Shorewall 4.4.26, you can use /etc/shorewall/blrules to implement arbitrary blacklist rules.
(FAQ 84) I put some IPs in the blacklist file in /etc/shorewall to block the IPs but I'm still getting reports from PSAD from those IPs saying they're port scanning. Shouldn't being on the blacklist drop all packets from those IPs? Answer: You probably forgot to specify the blacklist option for your external interface(s) in /etc/shorewall/interfaces.
Netmeeting/MSN
(FAQ 3) I want to use Netmeeting or MSN Instant Messenger with Shorewall. What do I do? Answer: There is an H.323 connection tracking/NAT module that helps with Netmeeting. Look here for a solution for MSN IM but be aware that there are significant security risks involved with this solution. Also check the Netfilter mailing list archives at http://www.netfilter.org.
Open Ports
(FAQ 100) With Shorewall started, the output of 'iptables -L' looks like my firewall is wide open! Answer: The problem here is that a bare iptables -L command produces totally useless output. Use shorewall show instead. The shorewall show command is a wrapper around iptables -L -n -v.
(FAQ 51) How do I Open Ports in Shorewall? Answer: No one who has installed Shorewall using one of the Quick Start Guides should have to ask this question. Regardless of which guide you used, all outbound communication is open by default. So you do not need to 'open ports' for output. For input: If you installed using the Standalone Guide, then please re-read this section. If you installed using the Two-interface Guide, then please re-read these sections: Port Forwarding (DNAT), and Other Connections If you installed using the Three-interface Guide, then please re-read these sections: Port Forwarding (DNAT) and Other Connections If you installed using the Shorewall Setup Guide then you had better read the guide again -- you clearly missed a lot. Also please see the Port Forwarding section of this FAQ.
(FAQ 4) I just used an online port scanner to check my firewall and it shows some ports as "closed" rather than "blocked". Why? Answer: The default Shorewall setup invokes the Drop action prior to enforcing a DROP policy and the default policy to all zones from the Internet is DROP. The Drop action is defined in /usr/share/shorewall/action.Drop which in turn invokes the Auth macro (defined in /usr/share/shorewall/macro.Auth) specifying the REJECT action (i.e., Auth(REJECT)). This is necessary to prevent outgoing connection problems to services that use the Auth mechanism for identifying requesting users. That is the only service which the default setup rejects. If you are seeing closed TCP ports other than 113 (auth) then either you have added rules to REJECT those ports or a router outside of your firewall is responding to connection requests on those ports. If you would prefer to 'stealth' port 113, then: If you are running Shorewall 4.4.20 or earlier, copy /usr/share/shorewall/action.Drop to /etc/shorewall/ and modify the invocation of Auth to Auth(DROP). If you are running Shorewall 4.4.21 or later, in shorewall.conf, set DROP_DEFAULT="Drop(-,DROP)". See the Action HOWTO to learn how that magic works.
(FAQ 4a) I just ran an nmap UDP scan of my firewall and it showed 100s of ports as open!!!! Answer: Take a deep breath and read the nmap manpage section about UDP scans. If nmap gets nothing back from your firewall then it reports the port as open. If you want to see which UDP ports are really open, temporarily change your net->all policy to REJECT, restart Shorewall and run the nmap UDP scan again.
(FAQ 4b) I have a port that I can't close no matter how I change my rules. I had a rule that allowed telnet from my local network to my firewall; I removed that rule and restarted Shorewall but my telnet session still works!!! Answer: Rules only govern the establishment of new connections. Once a connection is established through the firewall it will be usable until disconnected (tcp) or until it times out (other protocols). If you stop telnet and try to establish a new session your firewall will block that attempt.
(FAQ 4c) How do I use Shorewall with PortSentry? Answer: Here's a writeup describing a nice integration of Shorewall and PortSentry.
Connection Problems
Why are these packets being Dropped/Rejected? How do I decode Shorewall log messages? Please see FAQ 17.
(FAQ 5) I've installed Shorewall and now I can't ping through the firewall Answer: For a complete description of Shorewall ping management, see this page.
(FAQ 15) My local systems can't see out to the net. Answer: Every time I read systems can't see out to the net, I wonder where the poster bought computers with eyes and what those computers will see when things are working properly :-). That aside, the most common causes of this problem are:

1. The default gateway on each local system isn't set to the IP address of the local firewall interface. You can test this by:
   - At a root shell prompt, type 'shorewall clear'.
   - From a local system, attempt to ping the IP address of the Shorewall system's internet (external) interface.
   - If that doesn't work, then the default gateway on the system from which you pinged is not set correctly.
   - Be sure to 'shorewall start' after the test.
2. The entry for the local network in the /etc/shorewall/masq file is wrong or missing.
3. The DNS settings on the local systems are wrong or the user is running a DNS server on the firewall and hasn't enabled UDP and TCP port 53 from the local net to the firewall or from the firewall to the Internet.
4. Forwarding is not enabled (this is often the problem for Debian users). Enter this command:

    cat /proc/sys/net/ipv4/ip_forward

   If the value displayed is 0 (zero) then set IP_FORWARDING=On in /etc/shorewall/shorewall.conf and restart Shorewall.
(FAQ 29) FTP Doesn't Work Answer: See the Shorewall and FTP page.
(FAQ 33) From clients behind the firewall, connections to some sites fail. Connections to the same sites from the firewall itself work fine. What's wrong? Answer: Most likely, you need to set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.
(FAQ 35) I have two Ethernet interfaces to my local network which I have bridged. When Shorewall is started, I'm unable to pass traffic through the bridge. I have defined the bridge interface (br0) as the local interface in /etc/shorewall/interfaces; the bridged Ethernet interfaces are not defined to Shorewall. How do I tell Shorewall to allow traffic through the bridge? Answer: Add the option to br0 in /etc/shorewall/interfaces. For more information on this type of configuration, see the Shorewall Simple Bridge documentation.
(FAQ 64) I just upgraded my kernel to 2.6.20 (or later) and my bridge/firewall stopped working. What is wrong? Answer: In kernel 2.6.20, the Netfilter physdev match feature was changed such that it is no longer capable of matching the output device of non-bridged traffic. You will see messages such as the following in your log: Apr 20 15:03:50 wookie kernel: [14736.560947] physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore. This kernel change, while necessary, means that Shorewall zones may no longer be defined in terms of bridge ports. See the Shorewall-perl bridging documentation for information about how to configure bridge/firewalls. Following the instructions in the new bridging documentation will not prevent the above message from being issued.
(FAQ 85) Shorewall is rejecting connections from my local lan because it thinks they are coming from the 'net' zone. I'm seeing this in my log: Aug 31 16:51:24 fw22 kernel: Shorewall:net2fw:DROP:IN=eth5 OUT= MAC=00:0c:29:74:9c:0c:08:00:20:b2:5f:db:08:00 SRC=10.1.50.14 DST=10.1.50.7 LEN=57 TOS=0x00 PREC=0x00 TTL=255 ID=32302 DF PROTO=UDP SPT=53289 DPT=53 LEN=37 Answer: This occurs when the external interface and an internal interface are connected to the same switch or hub. See this article for details. The solution is to never connect more than one firewall interface to the same hub or switch (an obvious exception is that when you have a switch that supports VLAN tagging and the interfaces are associated with different VLANs).
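The log line in FAQ 85 has a recognisable signature: the packet was classified into a net2* chain (it arrived on the external interface) yet its source is an RFC 1918 address from your own LAN. As an added example (written for this FAQ, not part of Shorewall), the POSIX shell script below scans Shorewall log lines for that combination, which is a quick way to confirm the shared-switch problem described above, or to notice it again after a cabling change. The log lines it contains are constructed: the first is the FAQ 85 message, the others are a normal drop from a public address and a loc2fw entry that must not be reported.

```shell
#!/bin/sh
# Added example (not from the Shorewall FAQ): report log entries where a packet
# was attributed to the "net" zone (chain net2<zone>) although its source is an
# RFC 1918 address. That is the FAQ 85 symptom: LAN traffic reaching the
# external interface, typically because two firewall interfaces share a switch.

# is_rfc1918 ADDR -> exit 0 for 10/8, 172.16/12 and 192.168/16 addresses
is_rfc1918() {
    case $1 in
        10.*)      return 0 ;;
        192.168.*) return 0 ;;
        172.*)
            second=${1#172.}
            second=${second%%.*}
            if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then return 0; fi
            return 1 ;;
        *)         return 1 ;;
    esac
}

# misplaced_lan_sources   (Shorewall log lines on stdin)
# Prints "chain disposition iface src dst" for every net2* entry whose SRC is
# private; all other lines are skipped.
misplaced_lan_sources() {
    while IFS= read -r line; do
        case $line in *Shorewall:net2*) ;; *) continue ;; esac
        chain=$(printf '%s\n' "$line" | sed -n 's/.*Shorewall:\([^:]*\):\([^:]*\):.*/\1 \2/p')
        iface=$(printf '%s\n' "$line" | sed -n 's/.*IN=\([^ ]*\).*/\1/p')
        src=$(printf '%s\n' "$line" | sed -n 's/.* SRC=\([^ ]*\).*/\1/p')
        dst=$(printf '%s\n' "$line" | sed -n 's/.* DST=\([^ ]*\).*/\1/p')
        if is_rfc1918 "$src"; then
            printf '%s %s %s %s\n' "$chain" "$iface" "$src" "$dst"
        fi
    done
}

# Constructed sample log: the FAQ 85 line, a drop from a public (RFC 5737)
# address, and a loc2fw reject that is not a misplaced-interface symptom.
SAMPLE_LOG='Aug 31 16:51:24 fw22 kernel: Shorewall:net2fw:DROP:IN=eth5 OUT= MAC=00:0c:29:74:9c:0c:08:00:20:b2:5f:db:08:00 SRC=10.1.50.14 DST=10.1.50.7 LEN=57 TOS=0x00 PREC=0x00 TTL=255 ID=32302 DF PROTO=UDP SPT=53289 DPT=53 LEN=37
Aug 31 16:51:30 fw22 kernel: Shorewall:net2fw:DROP:IN=eth5 OUT= MAC=00:0c:29:74:9c:0c:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=10.1.50.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 31 16:51:41 fw22 kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:0c:29:74:9c:0d:00:24:f7:19:ce:44:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# On a real system feed the file your syslog writes Netfilter messages to (FAQ 6):
#   misplaced_lan_sources < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | misplaced_lan_sources    # net2fw DROP eth5 10.1.50.14 10.1.50.7
```

If the report is not empty, check the cabling and switch configuration before touching the rules: no rule change makes a firewall safe when its inside and outside share one broadcast domain. The check is deliberately conservative; it ignores the private address blocks used for carrier-grade NAT and link-local addressing, so an upstream that hands you a 100.64.0.0/10 address will not produce false reports.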
Logging
(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to spit out logs to /var/log/shorewall.log and it's not happening after I restart shorewall. LOGFILE=/var/log/shorewall.log <-- that should be the correct line, right? Answer: No, that is not correct. The LOGFILE setting tells Shorewall where to find the log; it does not determine where messages are written. See the next FAQ.
(FAQ 6) Where are the log messages written and how do I change the destination? Answer: NetFilter uses the kernel's equivalent of syslog (see man syslog) to log messages. It always uses the LOG_KERN (kern) facility (see man openlog) and you get to choose the log level (again, see man syslog) in your policies and rules. The destination for messages logged by syslog is controlled by /etc/syslog.conf (see man syslog.conf). When you have changed /etc/syslog.conf, be sure to restart syslogd (on a RedHat system, service syslog restart). It is also possible to set up Shorewall to log all of Netfilter's messages to a separate file.
(FAQ 6a) Are there any log parsers that work with Shorewall? Answer: Here are several links that may be helpful:

http://www.shorewall.net/pub/shorewall/parsefw/
http://aaron.marasco.com/linux.html
http://cert.uni-stuttgart.de/projects/fwlogwatch
http://www.logwatch.org

I personally use fwlogwatch. It emails me a report each day from my various systems, with each report summarizing the logged activity on the corresponding system; here's a sample:
fwlogwatch summary
Generated Tuesday March 02 08:14:37 PST 2010 by root.
362 (and 455 older than 86400 seconds) of 817 entries in the file "/var/log/ulog/syslogemu.log" are packet logs, 138 have unique characteristics.
First packet log entry: Mar 01 08:16:06, last: Mar 02 08:06:21.
All entries were logged by the same host: "gateway".
All entries have the same target: "-".
Only entries with a count of at least 5 are shown.

net-dmz DROP eth2 36 packets from 61.158.162.9 to 206.124.146.177
net-fw DROP eth0 21 packets from 89.163.162.13 to 76.104.233.98
net-fw DROP eth0 19 packets from 61.184.101.46 to 76.104.233.98
net-fw DROP eth0 12 packets from 81.157.214.103 to 76.104.233.98
net-fw DROP eth0 11 packets from 174.37.159.222 to 76.104.233.98
net-fw DROP eth0 10 packets from 221.195.73.86 to 76.104.233.98
net-dmz DROP eth2 9 packets from 202.199.158.6 to 206.124.146.177
net-fw DROP eth2 9 packets from 202.199.158.6 to 206.124.146.176
net-dmz DROP eth2 9 packets from 202.199.158.6 to 206.124.146.178
net-fw DROP eth0 6 packets from 221.192.199.35 to 76.104.233.98
net-fw DROP eth2 5 packets from 61.158.162.9 to 206.124.146.177
Fwlogwatch contains a built-in web server that allows monitoring recent activity in summary fashion.
(FAQ 6b) DROP messages on port 10619 are flooding the logs with their connect requests. Can I exclude these error messages for this port temporarily from logging in Shorewall? Answer: Temporarily add the following rule to /etc/shorewall/rules:

#ACTION SOURCE DEST PROTO DPORT
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
DROP net $FW udp 10619

Alternatively, if you do not set BLACKLIST_LOGLEVEL you can blacklist the port. In /etc/shorewall/blrules:

#ACTION SOURCE DEST PROTO DPORT
DROP net $FW udp 10619
(FAQ 6d) Why is the MAC address in Shorewall log messages so long? I thought MAC addresses were only 6 bytes in length. Answer: What is labeled as the MAC address in a Netfilter (Shorewall) log message is actually the Ethernet frame header. It contains:

the destination MAC address (6 bytes)
the source MAC address (6 bytes)
the Ethernet frame type (2 bytes)

Example:

MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00

Destination MAC address = 00:04:4c:dc:e2:28
Source MAC address = 00:b0:8e:cf:3c:4c
Ethernet Frame Type = 08:00 (IP Version 4)
(FAQ 16) Shorewall is writing log messages all over my console making it unusable! Answer: Just to be clear, it is not Shorewall that is writing all over your console. Shorewall issues a single log message during each start, restart, stop, etc. It is rather your logging daemon that is writing messages to your console. Shorewall itself has no control over where a particular class of messages is written. See the Shorewall logging documentation. The maximum log level to be sent to the console is available in /proc/sys/kernel/printk:

teastep@ursa:~$ cat /proc/sys/kernel/printk
6 6 1 7
teastep@ursa:~$

The first number determines the maximum log level (syslog priority) sent to the console. Messages with priority less than this number are sent to the console. On the system shown in the example above, priorities 0-5 are sent to the console. Since Shorewall defaults to using 'info' (6), the Shorewall-generated Netfilter rule set will generate log messages that will not appear on the console. The second number is the default log level for kernel printk() calls that do not specify a log level. The third number specifies the minimum console log level while the fourth gives the default console log level. If, on your system, the first number is 7 or greater, then the default Shorewall configuration will cause messages to be written to your console. The simplest solution is to add this to your /etc/sysctl.conf file:

kernel.printk = 4 4 1 7

then run:

sysctl -p /etc/sysctl.conf
(FAQ 16a) cat /proc/sys/kernel/printk returns '4 4 1 7' and still I get dmesg filled up. Answer: While we would argue that 'dmesg filled up' is not necessarily a problem, the only way to eliminate that is to set up Shorewall to log all of Netfilter's messages to a separate file.
(FAQ 16b) Why can't I see any Shorewall messages in /var/log/messages? Some people who ask this question report that the only Shorewall messages that they see in /var/log/messages are 'started', 'restarted' and 'stopped' messages. Answer: First of all, it is important to understand that Shorewall itself does not control where Netfilter log messages are written. The LOGFILE setting in shorewall.conf simply tells the /sbin/shorewall[-lite] program where to look for the log. Also, it is important to understand that a log level of "debug" will generally cause Netfilter messages to be written to fewer files in /var/log than a log level of "info". The log level does not control the number of log messages or the content of the messages. The actual log file where Netfilter messages are written is not standardized and will vary by distribution and distribution version. But anytime you see no logging, it's time to look outside the Shorewall configuration for the cause. As an example, recent SUSE releases use syslog-ng by default and write Shorewall messages to /var/log/firewall. Please see the Shorewall logging documentation for further information.
(FAQ 16c) Shorewall messages are flooding the output of 'dmesg'; how do I stop that? Answer: Switch to using ulogd.
(FAQ 16d) I set LOGFILE=/var/log/shorewall but log messages are still going to /var/log/messages. Answer: See the answer to FAQ 16b above.
(FAQ 17) Why are these packets being Dropped/Rejected? How do I decode Shorewall log messages? Answer: Logging of dropped/rejected packets occurs out of a number of chains (as indicated in the log message) in Shorewall:

zone2all, zone-all, all2zone, all-zone, all2all or all-all
You have a policy that specifies a log level and this packet is being logged under that policy. If you intend to ACCEPT this traffic then you need a rule to that effect. Packets logged out of these chains may have a source and/or destination that is not in any defined zone (see the output of shorewall[-lite] show zones). Remember that zone membership involves both a firewall interface and an IP address.

zone12zone2 or zone1-zone2
Either you have a policy for zone1 to zone2 that specifies a log level and this packet is being logged under that policy, or this packet matches a rule that includes a log level.

@zone12zone2 or @zone1-zone2
You have a policy for traffic from zone1 to zone2 that specifies TCP connection rate limiting (value in the LIMIT column). The logged packet exceeds that limit and was dropped. Note that these log messages themselves are severely rate-limited so that a SYN flood won't generate a secondary DoS because of excessive log messages. These log messages were added in Shorewall 2.2.0 Beta 7.

zone12zone2~, zone1-zone2~ or ~blacklistnn
These are the result of entries in the /etc/shorewall/blrules file.

interface_mac or interface_rec
The packet is being logged under the maclist interface option.

blacklist
The packet is being logged because the source IP is blacklisted in the /etc/shorewall/blacklist file.

INPUT or FORWARD
The packet has a source IP address that isn't in any of your defined zones (run shorewall[-lite] show zones and look at the printed zone definitions), or the chain is FORWARD and the destination IP isn't in any of your defined zones. If the chain is FORWARD and the IN and OUT interfaces are the same or they match the same wildcard entry in /etc/shorewall/interfaces, then you probably need the routeback option on that interface in /etc/shorewall/interfaces, you need the routeback option in the relevant entry in /etc/shorewall/hosts, or you've done something silly like define a default route out of an internal interface. With OPTIMIZE=1 in shorewall.conf, such packets may also be logged out of a <zone>2all chain or the all2all chain.

OUTPUT
The packet has a destination IP address that isn't in any of your defined zones (run shorewall[-lite] show zones and look at the printed zone definitions). With OPTIMIZE=1 in shorewall.conf, such packets may also be logged out of the fw2all chain or the all2all chain.

logflags
The packet is being logged because it failed the checks implemented by the tcpflags interface option.

sfilter
On systems running Shorewall 4.4.20 or later, either the packet matched the interface option or it is being routed out of the same interface on which it arrived and the interface does not have the or interface option.

Here is an example:

Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47

Let's look at the important parts of this message:

all2all:REJECT
This packet was REJECTed out of the all2all chain; that is, the packet was rejected under the all->all REJECT policy (all2all above).

IN=eth2
The packet entered the firewall via eth2. If you see IN= with no interface name, the packet originated on the firewall itself.

OUT=eth1
If accepted, the packet would be sent on eth1. If you see OUT= with no interface name, the packet would be processed by the firewall itself. When a DNAT rule is logged, there will never be an OUT= shown because the packet is being logged before it is routed. Also, DNAT logging will show the original destination IP address and destination port number. When a REDIRECT rule is logged, the message will also show the original destination IP address and port number.

SRC=192.168.2.2
The packet was sent by 192.168.2.2.

DST=192.168.1.3
The packet is destined for 192.168.1.3.

PROTO=UDP
UDP protocol.

DPT=53
The destination port is 53 (DNS).

In this case, 192.168.2.2 was in the dmz zone and 192.168.1.3 is in the loc zone. I was missing the rule:

ACCEPT dmz loc udp 53
(FAQ 21) I see these strange log entries occasionally; what are they?

Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00 SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]

192.0.2.3 is external on my firewall... 172.16.0.0/24 is my internal LAN. Answer: First of all, please note that the above is a very specific type of log message dealing with ICMP port unreachable packets (PROTO=ICMP TYPE=3 CODE=3). Do not read this answer and assume that all Shorewall log messages have something to do with ICMP (hint -- see FAQ 17). While most people associate the Internet Control Message Protocol (ICMP) with ping, ICMP is a key piece of IP. ICMP is used to report problems back to the sender of a packet; this is what is happening here. Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade), there are many broken implementations. That is what you are seeing with these messages. When Netfilter displays these messages, the part before the "[" describes the ICMP packet and the part between the "[" and "]" describes the packet for which the ICMP is a response. Here is my interpretation of what is happening -- to confirm this analysis, one would have to have packet sniffers placed at both ends of the connection. Host 172.16.1.10 behind NAT gateway 206.124.146.179 sent a UDP DNS query to 192.0.2.3 and your DNS server tried to send a response (the response information is in the brackets -- note source port 53 which marks this as a DNS reply). When the response was returned to 206.124.146.179, it rewrote the destination IP to 172.16.1.10 and forwarded the packet to 172.16.1.10, which no longer had a connection on UDP port 2857. This causes a port unreachable (type 3, code 3) to be generated back to 192.0.2.3.
As this packet is sent back through 206.124.146.179, that box correctly changes the source address in the packet to 206.124.146.179 but doesn't reset the DST IP in the original DNS response similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall has no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related to anything that was sent. The final result is that the packet gets logged and dropped in the all2all chain.
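To pull the decoding rules of FAQ 6d, 17 and 21 together, here is an added Python example (not part of Shorewall or of this FAQ) that parses a Shorewall log line, splits the MAC= field into the three Ethernet header parts, attaches a paraphrase of the FAQ 17 explanation for the logging chain, and, for ICMP error messages, separates the embedded original packet found between "[" and "]". The sample input is the three messages quoted in FAQ 17, 85 and 21 above; everything else (function names, the wording of the explanations) is this example's own.

```python
"""Decode Shorewall (Netfilter) log messages along the lines of FAQ 6d, 17 and 21."""
import re
from typing import Any, Dict, List, Tuple

# Sample input: the three messages quoted in FAQ 17, 85 and 21 of this document.
SAMPLE_LINES = [
    ("Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 "
     "SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF "
     "PROTO=UDP SPT=1803 DPT=53 LEN=47"),
    ("Aug 31 16:51:24 fw22 kernel: Shorewall:net2fw:DROP:IN=eth5 OUT= "
     "MAC=00:0c:29:74:9c:0c:08:00:20:b2:5f:db:08:00 SRC=10.1.50.14 DST=10.1.50.7 "
     "LEN=57 TOS=0x00 PREC=0x00 TTL=255 ID=32302 DF PROTO=UDP SPT=53289 DPT=53 LEN=37"),
    ("Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= "
     "MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00 SRC=206.124.146.179 DST=192.0.2.3 "
     "LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 "
     "[SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF "
     "PROTO=UDP SPT=53 DPT=2857 LEN=108 ]"),
]

# Shorewall's log prefix is "Shorewall:<chain>:<target>:" followed by Netfilter's fields.
_HEADER = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<target>[^:\s]+):(?P<rest>.*)$")


def _parse_fields(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split KEY=VALUE tokens into a dict; bare tokens (DF, SYN, ...) become flags.
    Netfilter prints LEN twice (IP total length, then UDP length): the first one wins."""
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in text.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields.setdefault(key, value)
        else:
            flags.append(tok)
    return fields, flags


def decode_mac(mac: str) -> Dict[str, str]:
    """FAQ 6d: MAC= carries the 14-byte Ethernet header, not a single 6-byte address."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets in MAC= field, got {len(octets)}")
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": ":".join(octets[12:14]),  # 08:00 is IPv4
    }


def explain_chain(chain: str) -> str:
    """Map the logging chain name to the FAQ 17 reason the packet was logged."""
    if chain.startswith("@"):
        return "connection rate limit (LIMIT column of the policy) exceeded"
    if chain.endswith("~") or chain.startswith("~blacklist"):
        return "matched an entry in /etc/shorewall/blrules"
    if chain == "blacklist":
        return "source IP is listed in /etc/shorewall/blacklist"
    if chain in ("INPUT", "FORWARD", "OUTPUT"):
        return "source or destination IP is in no defined zone (see 'shorewall show zones')"
    if chain == "logflags":
        return "failed the tcpflags interface option checks"
    if chain == "sfilter":
        return "sfilter interface option, or routed back out of the interface it arrived on"
    if chain.endswith(("_mac", "_rec")):
        return "logged under the maclist interface option"
    if chain.endswith("_dnat"):
        return "logged from the nat PREROUTING chain, before blacklisting applies (FAQ 52)"
    m = re.fullmatch(r"(\w+)(?:2|-)(\w+)", chain)
    if m:
        src, dst = m.groups()
        if "all" in (src, dst):
            return f"{src}->{dst} policy; one end may be in no defined zone"
        return f"{src}->{dst} policy, or a rule with a log level"
    return "unrecognised chain name"


def parse_log_line(line: str) -> Dict[str, Any]:
    """Parse one Shorewall log line. For ICMP errors (FAQ 21) the original packet that
    triggered the error sits between '[' and ']' and is returned under 'inner'."""
    m = _HEADER.search(line)
    if not m:
        raise ValueError("not a Shorewall log message")
    outer, _, inner = m.group("rest").partition("[")
    fields, flags = _parse_fields(outer)
    record: Dict[str, Any] = {
        "chain": m.group("chain"),
        "target": m.group("target"),
        "why": explain_chain(m.group("chain")),
        "fields": fields,
        "flags": flags,
        # Empty IN= means the packet originated on the firewall; empty OUT= means the
        # firewall itself would have processed it (FAQ 17).
        "ingress": fields.get("IN") or "firewall",
        "egress": fields.get("OUT") or "firewall",
    }
    if "MAC" in fields:
        record["ethernet"] = decode_mac(fields["MAC"])
    if inner:
        inner_fields, inner_flags = _parse_fields(inner.rstrip("] "))
        record["inner"] = {"fields": inner_fields, "flags": inner_flags}
    return record


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        rec = parse_log_line(sample)
        f = rec["fields"]
        print(f"{rec['chain']}:{rec['target']} {f['SRC']} -> {f['DST']} "
              f"({f['PROTO']}, in={rec['ingress']}, out={rec['egress']}): {rec['why']}")
        if "inner" in rec:
            print("  in response to:", rec["inner"]["fields"])
```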
(FAQ 52) When I blacklist an IP address with "shorewall[-lite] drop www.xxx.yyy.zzz", why does my log still show REDIRECT and DNAT entries from that address? I blacklisted the address 130.252.100.59 using shorewall drop 130.252.100.59 but I am still seeing these log messages:

Jan 30 15:38:34 server Shorewall:net_dnat:REDIRECT:IN=eth1 OUT= MAC=00:4f:4e:14:97:8e:00:01:5c:23:24:cc:08:00 SRC=130.252.100.59 DST=206.124.146.176 LEN=64 TOS=0x00 PREC=0x00 TTL=43 ID=42444 DF PROTO=TCP SPT=2215 DPT=139 WINDOW=53760 RES=0x00 SYN URGP=0

Answer: Please refer to the Shorewall Netfilter Documentation. Logging of REDIRECT and DNAT rules occurs in the nat table's PREROUTING chain where the original destination IP address is still available. Blacklisting occurs out of the filter table's INPUT and FORWARD chains which aren't traversed until later.
(FAQ 81) logdrop and logreject don't log. I love the ability to type 'shorewall logdrop ww.xx.yy.zz' and completely block a particular IP address. However, the log part doesn't happen. When I look in the logdrop chain, there is no LOG prefix. Answer: You haven't set a value for BLACKLIST_LOGLEVEL in shorewall.conf (5).
(FAQ 36) My log is filling up with these BANDWIDTH messages!

Dec 15 16:47:30 heath-desktop kernel: [17182740.184000] BANDWIDTH_IN:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:23:79:02:08:00 SRC=10.119.248.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=62081 PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 15 16:47:30 heath-desktop last message repeated 2 times
Dec 15 16:47:30 heath-desktop kernel: [17182740.188000] BANDWIDTH_IN:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:23:79:02:08:00 SRC=10.112.70.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=62082 PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 15 16:47:30 heath-desktop last message repeated 2 times

Answer: The Webmin 'bandwidth' module adds commands to /etc/shorewall/start that create rules to log every packet to/from/through the firewall. DON'T START THE BANDWIDTH SERVICE IN WEBMIN! To correct this situation once it occurs, edit /etc/shorewall/start and insert 'return 0' prior to the BANDWIDTH rules.
Routing
(FAQ 32) My firewall has two connections to the Internet from two different ISPs. How do I set this up in Shorewall? Answer: See this article about Shorewall and Multiple ISPs.
(FAQ 49) When I start Shorewall, my routing table gets blown away. Why does Shorewall do that? Answer: This is usually the consequence of a one-to-one NAT configuration blunder:

Specifying the primary IP address for an interface in the EXTERNAL column of /etc/shorewall/nat even though the documentation (and the comments in the file) warn you not to do that.
Specifying ADD_IP_ALIASES=Yes and RETAIN_ALIASES=No in /etc/shorewall/shorewall.conf.

This combination causes Shorewall to delete the primary IP address from the network interface specified in the INTERFACE column, which usually causes all routes out of that interface to be deleted. The solution is to not specify the primary IP address of an interface in the EXTERNAL column.
Starting and Stopping
(FAQ 94) After I start Shorewall, ps doesn't show any shorewall process running. What is the Shorewall daemon called? Answer: Shorewall is not a daemon. It is a configuration tool that configures your kernel based on the contents of /etc/shorewall/. Once the start command completes, Shorewall has done its job and there are no Shorewall processes remaining in the system.
(FAQ 7) When I stop Shorewall using "shorewall[-lite] stop", I can't connect to anything. Why doesn't that command work? Answer: The stop command places the firewall in a safe state; connections that are allowed are governed by the setting of ADMINISABSENTMINDED in shorewall.conf (5) and the contents of shorewall-stoppedrules (5). To totally open the firewall, use the clear command.
(FAQ 9) Why can't Shorewall detect my interfaces properly at startup? I just installed Shorewall and when I issue the start command, I see the following:

Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...

Why can't Shorewall detect my interfaces properly? Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local zone is defined as all hosts connected through eth1. You can set the routefilter option on an internal interface if you wish to guard against 'Martians' (a Martian is a packet with a source IP address that is not routed out of the interface on which the packet was received). If you do that, it is a good idea to also set the logmartians option.
(FAQ 22) I have some iptables commands that I want to run when Shorewall starts. Which file do I put them in? Answer: You can place these commands in one of the Shorewall Extension Scripts. Be sure that you look at the contents of the chain(s) that you will be modifying with your commands so that the commands will do what is intended. Many iptables commands published in HOWTOs and other instructional material use the -A command which adds the rules to the end of the chain. Most chains that Shorewall constructs end with an unconditional DROP, ACCEPT or REJECT rule and any rules that you add after that will be ignored. Check man iptables and look at the -I (--insert) command.
(FAQ 43) I just installed the Shorewall RPM and Shorewall doesn't start at boot time. Answer: When you install using the "rpm -U" command, Shorewall doesn't run your distribution's tool for configuring Shorewall startup. You will need to run that tool (insserv, chkconfig, run-level editor, …) to configure Shorewall to start in the default run-levels of your firewall system.
(FAQ 59) After I start Shorewall, there are lots of unused Netfilter modules loaded. How do I avoid that? Answer: Copy /usr/share/shorewall[-lite]/modules to /etc/shorewall/modules and modify the copy to include only the modules that you need. An alternative is to set LOAD_HELPERS_ONLY=Yes in shorewall.conf (5).
(FAQ 68) I have a VM under an OpenVZ system. I can't get rid of the following message: ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" failed. Answer: See the Shorewall OpenVZ article.
(FAQ 73) When I stop Shorewall, the firewall is wide open. Isn't that a security risk? It is important to understand that the scripts in /etc/init.d are generally provided by your distribution and not by the Shorewall developers. These scripts must meet the requirements of the distribution's packaging system which may conflict with the requirements of a tight firewall. So when you say "…when I stop Shorewall…" it is necessary to distinguish between the commands /sbin/shorewall stop and /etc/init.d/shorewall stop. /sbin/shorewall stop places the firewall in a safe state, the details of which depend on your /etc/shorewall/stoppedrules file (shorewall-stoppedrules(5)) and on the setting of ADMINISABSENTMINDED in /etc/shorewall/shorewall.conf (shorewall.conf(5)). /etc/init.d/shorewall stop may or may not do the same thing. In the case of Debian systems for example, that command actually executes /sbin/shorewall clear which opens the firewall completely. In other words, in the init script, stop reverses the effect of start. Beginning with Shorewall 4.4, when the Shorewall tarballs are installed on a Debian (or derivative) system, the /etc/init.d/shorewall file is the same as would be installed by the .deb. The behavior of /etc/init.d/shorewall stop is controlled by the setting of SAFESTOP in /etc/default/shorewall. When set to 0 (the default), the firewall is cleared; when set to 1, the firewall is placed in a safe state.
(FAQ 78) After restart and bootup of my Debian firewall, all traffic is blocked for hosts behind the firewall trying to connect out onto the net or through the VPN (although I can reach the internal firewall interface and obtain dumps etc). Once I issue 'shorewall clear' followed by 'shorewall start' it then works, despite the config not changing. Answer: Set IP_FORWARDING=On in /etc/shorewall/shorewall.conf.
(FAQ 86) My distribution (Ubuntu) uses NetworkManager to manage my interfaces. I want to specify the upnpclient option for my interfaces which requires them to be up and configured when Shorewall starts, but Shorewall is being started before NetworkManager. Answer: I faced a similar problem which I solved as follows: Don't start Shorewall at boot time (Debian and Ubuntu users may simply set startup=0 in /etc/default/shorewall) or disable it in systemd using systemctl disable shorewall.service. In /etc/network/ip-up.d, I added a shorewall script as follows:

#!/bin/sh
# Start Shorewall if it isn't already running
shorewall status > /dev/null 2>&1 || shorewall start

Be sure to give the script execute permission. Update: Beginning with Shorewall 4.4.10, there is a new Shorewall Init Package that is designed to handle this case.
(FAQ 90) Shorewall starts fine but after several minutes, it stops. Why is it doing that? Answer: Shorewall uses the presence of a chain named shorewall to indicate whether it is started or stopped. That chain is created during execution of a successful start, restart or restore command and is removed during stop and clear. If shorewall status indicates that Shorewall is stopped, then something has deleted that chain. Look at the output of shorewall status; if it looks like this:
gateway:~# shorewall status
Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:21:41 PDT 2010

Shorewall is stopped
State:Started (Tue Jul 20 16:01:49 PDT 2010)

gateway:~#
then it means that something outside of Shorewall has deleted the chain. This usually means that you were running another firewall package before you installed Shorewall and that other package has replaced Shorewall's Netfilter configuration with its own. You must remove (or at least disable) the other firewall package and restart Shorewall.
If, instead, the output looks like this:

gateway:~# shorewall status
Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:26:29 PDT 2010

Shorewall is stopped
State:Stopped (Wed Jul 21 13:26:26 PDT 2010)

gateway:~#
then a shorewall stop command has been executed (if the State shown in the output is Cleared, then a shorewall clear command was executed). Most likely, you have installed and configured the shorewall-init package and a required interface has gone down.
(FAQ 99) My /var/lib/shorewall-init.log shows that Shorewall is running at boot but after boot 'iptables -L' shows an empty configuration. Answer: This is caused by your failure to disable your distribution's default iptables configuration tool when you installed Shorewall. Look for a service called 'iptables' that is being started after Shorewall and disable it.
(FAQ 101) How can I speed up 'shorewall start' and 'shorewall restart' on my slow hardware? Answer: There are several steps that you can take:

If your kernel supports module autoloading (and distribution default kernels almost always do), then set LOAD_HELPERS_ONLY=Yes in shorewall.conf.

Set AUTOMAKE=Yes in shorewall.conf. This will avoid the compilation phase in cases where the configuration has not changed since the last time that the configuration was compiled.

Don't set optimization option 8. For example, if you currently set OPTIMIZE=31, then change that to OPTIMIZE=23. Optimization option 8 combines identical chains which can result in a smaller ruleset, but it slows down the compilation of large rulesets.

Rather than restart, use reload. With the default setting of RESTART=restart, restart performs stop then start, while reload avoids the stop part.

Use a capabilities file. Run:

shorewall show -f capabilities > /etc/shorewall/capabilities

Rerun that command each time you install a new kernel or a new version of Shorewall.
(FAQ 103) Shorewall fails to start at boot but will start immediately after Answer: This is usually associated with SELinux. Here is an example.
(FAQ 104) I see kernel messages in my log when I start or restart Shorewall or Shorewall6. Example:

Oct 1 13:04:39 deb kernel: [ 9570.619744] xt_addrtype: ipv6 does not support BROADCAST matching

Answer: These are harmless. Shorewall attempts to execute various commands to determine the capabilities of your system. If your system doesn't support a command, it will generally issue a kernel log message.
(FAQ 106) Shorewall is not starting at boot on Debian with systemd Answer: To enable start at boot, run systemctl enable shorewall.service
Multiple ISPs
(FAQ 57) I configured two ISPs in Shorewall but when I try to use the second one, it doesn't work. Answer: The Multi-ISP Documentation strongly recommends that you use the balance option on all providers even if you want to manually specify which ISP to use. If you don't do that so that your main routing table only has one default route, then you must disable route filtering. Do not specify the routefilter option on the other interface(s) in /etc/shorewall/interfaces and disable any IP Address Spoofing protection that your distribution supplies.
(FAQ 58) But if I specify 'balance' then won't Shorewall balance the traffic between the interfaces? I don't want that! Answer: Suppose that you want all traffic to go out through ISP1 (mark 1) unless you specify otherwise. Then simply add these two rules as the first marking rules in your /etc/shorewall/mangle (was tcrules) file:

#ACTION SOURCE DEST
MARK(1):P 0.0.0.0/0
MARK(1) $FW
<other MARK rules>

Now any traffic that isn't marked by one of your other MARK rules will have mark = 1 and will be sent via ISP1. That will work whether balance is specified or not!
Using DNS Names
(FAQ 79) Can I use DNS names in Shorewall configuration file entries in place of IP addresses? Answer: Yes, but we advise strongly against it.
Traffic Shaping
(FAQ 67) I just configured Shorewall's builtin traffic shaping and now Shorewall fails to start. The error I receive is as follows:

RTNETLINK answers: No such file or directory
We have an error talking to the kernel
ERROR: Command "tc filter add dev eth2 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 500kbit burst 10k drop flowid :1" Failed

Answer: This message indicates that your kernel doesn't have 'traffic policing' support. If your kernel is modularized, you may be able to resolve the problem by loading the act_police kernel module. Other kernel modules that you will need include:

cls_basic
cls_fw
cls_u32
sch_htb
sch_ingress
sch_sfq
(FAQ 97) I enabled Shorewall traffic shaping and now my upload rate is way below what I specified. Answer: This is likely due to TCP Segmentation Offload (TSO) and/or Generic Segmentation Offload (GSO) being enabled in the network adapter. To verify, install the ethtool package and use the -k command:

root@gateway:~# ethtool -k eth1
Offload parameters for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off
ntuple-filters: off
receive-hashing: off
root@gateway:~#

If that is the case, you can correct the problem by adjusting the minburst setting in /etc/shorewall/tcinterfaces (simple traffic shaping) or /etc/shorewall/tcdevices (complex traffic shaping). We suggest starting at 10-12kb and adjusting as necessary. Example (simple traffic shaping):

#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:10kb

Alternatively, you can turn off TSO and GSO using this command in /etc/shorewall/init:

ethtool -K ethN tso off gso off
(FAQ 97a) I enabled Shorewall traffic shaping and now my download rate is way below what I specified. Answer: This is likely due to Generic Receive Offload (GRO) being enabled in the network adapter. To verify, install the ethtool package and use the -k command:

root@gateway:/etc/shorewall# ethtool -k eth1
Offload parameters for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off
ntuple-filters: off
receive-hashing: off
root@gateway:/etc/shorewall#

To work around the issue, use this command:

ethtool -K ethN gro off

Beginning with Shorewall 4.4.25, another option is available in the form of a rate-estimated policing filter. Example from /etc/shorewall/tcdevices:

#INTERFACE IN_BANDWIDTH OUT_BANDWIDTH OPTIONS
1:COMB_IF ~20mbit:250ms:4sec ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0

To create a rate-estimated filter, precede the bandwidth with a tilde ("~"). The optional interval and decay_interval determine how often the rate is estimated and how many samples are retained for estimating. Please see http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt for details.
About Shorewall
(FAQ 10) What Distributions does Shorewall work with? Answer: Shorewall works with any GNU/Linux distribution that includes the proper prerequisites.
(FAQ 11) What Features does Shorewall have? Answer: See the Shorewall Feature List.
(FAQ 12) Is there a GUI? Answer: Yes! Shorewall support is available in Webmin. See http://www.webmin.com. But beware of the issue described in FAQ 36.
(FAQ 13) Why do you call it "Shorewall"? Answer: Shorewall is a concatenation of Shoreline (the city where I live) and Firewall. The full name of the product is actually Shoreline Firewall but Shorewall is much more commonly used.
(FAQ 23) Why do you use such ugly fonts on your web site? Answer: The Shorewall web site is almost font neutral (it doesn't explicitly specify fonts except on a few pages) so the fonts you see are largely the default fonts configured in your browser. If you don't like them then reconfigure your browser.
(FAQ 25) How do I tell which version of Shorewall or Shorewall Lite I am running? Answer: At the shell prompt, type: /sbin/shorewall[-lite] version -a
(FAQ 25a) It says 4.4.7.5; how do I know if it is Shorewall-shell or Shorewall-perl? Answer: It is Shorewall-perl. Shorewall-shell is discontinued in Shorewall 4.4.
(FAQ 31) Does Shorewall provide protection against....

IP Spoofing: Sending packets over the WAN interface using an internal LAN IP address as the source address? Answer: Yes.

Tear Drop: Sending packets that contain overlapping fragments? Answer: This is the responsibility of the IP stack, not the Netfilter-based firewall, since fragment reassembly occurs before the stateful packet filter ever touches each packet.

Smurf and Fraggle: Sending packets that use the WAN or LAN broadcast address as the source address? Answer: Shorewall filters these packets under the nosmurfs interface option in /etc/shorewall/interfaces.

Land Attack: Sending packets that use the same address as the source and destination address? Answer: Yes, if the routefilter interface option is selected.

DoS: SYN DoS, ICMP DoS, per-host DoS protection? Answer: Yes.
(FAQ 65) How do I accomplish failover with Shorewall? Answer: This article by Paul Gear should help you get started.
Alias IP Addresses/Virtual Interfaces
(FAQ 18) Is there any way to use aliased ip addresses with Shorewall, and maintain separate rule sets for different IPs? Answer: Yes. See Shorewall and Aliased Interfaces.
(FAQ 83) Is there no way to nest the firewall zone or create subzones? I've got a system with Linux-VServers; it's one interface (eth0) with multiple IPs. Answer: Beginning with Shorewall 4.4.11 Beta 2, you can create vserver zones that are nested within the firewall zone. Prior to 4.4.11 Beta 2, there is no way to create sub-zones of the firewall zone. But you can use shell variables to make vservers easier to deal with.
/etc/shorewall/params:
VS1=fw:192.168.2.12
VS2=fw:192.168.2.13
VS3=fw:192.168.2.14
/etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DPORT
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
ACCEPT  $VS1   net  tcp   25
DNAT    net    $VS1 tcp   25
etc...
Shorewall Lite
(FAQ 53) What is Shorewall Lite? Answer: Shorewall Lite is a companion product to Shorewall and is designed to allow you to maintain all Shorewall configuration information on a single system within your network. See the Compiled Firewall script documentation for details.
(FAQ 54) If I want to use Shorewall Lite, do I also need to install Shorewall on the same system? Answer: No. In fact, we recommend that you do NOT install Shorewall on systems where you wish to use Shorewall Lite. You must have Shorewall installed on at least one system within your network in order to use Shorewall Lite.
(FAQ 55) How do I decide which product to use - Shorewall or Shorewall Lite? Answer: If you plan to have only a single firewall system, then Shorewall is the logical choice. I also think that Shorewall is the appropriate choice for laptop systems that may need to have their firewall configuration changed while on the road. In the remaining cases, Shorewall Lite will work very well. At shorewall.net, the two laptop systems have the full Shorewall product installed as does my personal Linux desktop system. All other Linux systems that run a firewall use Shorewall Lite and have their configuration directories on my desktop system.
(FAQ 60) What are the compatibility restrictions between Shorewall and Shorewall Lite Answer: There are no compatibility constraints between Shorewall and Shorewall-lite.
VOIP
(FAQ 77) Shorewall is eating my Asterisk egress traffic! Somehow, my firewall config is causing a one-way audio problem in Asterisk. If a person calls into the PBX, they cannot hear me speaking, but I can hear them. If I plug the Asterisk server directly into the router, bypassing the firewall, the problem goes away. Answer: There are two things to try when VOIP problems are encountered. Both begin with executing two rmmod commands.
If your kernel version is 2.6.20 or earlier:
rmmod ip_nat_sip
rmmod ip_conntrack_sip
If your kernel version is 2.6.21 or later:
rmmod nf_nat_sip
rmmod nf_conntrack_sip
The first alternative seems to work for those running recent kernels (2.6.26 or later): Copy /usr/share/shorewall/modules to /etc/shorewall (/usr/share/shorewall/helpers if you have LOAD_HELPERS_ONLY in shorewall.conf). Edit the copy and change this line:
loadmodule nf_conntrack_sip
to
loadmodule nf_conntrack_sip sip_direct_media=0
shorewall restart
The second alternative is to not load the SIP helpers. If you are running kernel 2.6.20 or earlier, then change the DONT_LOAD specification in your shorewall.conf to:
DONT_LOAD=ip_nat_sip,ip_conntrack_sip
If you are running kernel 2.6.21 or later, then change the DONT_LOAD specification in your shorewall.conf to:
DONT_LOAD=nf_nat_sip,nf_conntrack_sip
IPv6
(FAQ 80) Does Shorewall support IPV6? Answer: Shorewall IPv6 support is currently available in Shorewall 4.2.4 and later.
(FAQ 80a) Why does Shorewall IPv6 Support Require Kernel 2.6.24 or later? Answer: Shorewall implements a stateful firewall, which requires that connection tracking be present in ip6tables and in the kernel. Linux kernels before 2.6.20 didn't support connection tracking for IPv6. So we could not even start to develop Shorewall IPv6 support until 2.6.20, and there were significant problems with the facility until at least kernel 2.6.23. When distributions began offering IPv6 connection tracking support, it was with kernel 2.6.25. So that is what we developed IPv6 support on and that's all that we initially tested on. Subsequently, we have tested Shorewall6 on Ubuntu Hardy with kernel 2.6.24. If you are running 2.6.20 or later, you can try to run Shorewall6 by hacking /usr/share/shorewall/prog.footer6 and changing the kernel version test to check for your kernel version rather than 2.6.24 (20624). But after that, you are on your own.
kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
if [ $kernel -lt 20624 ]; then
    error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
    status=2
else
Update: The above logic is found in /usr/share/shorewall/prog.footer in later Shorewall releases.
(FAQ 40) I have an interface that gets its IPv6 configuration from radvd. When I start Shorewall6, I immediately lose my default route. Why? Answer: You have configured forwarding on the interface, which disables autoconfiguration of the interface. To retain autoconfiguration on the interface when Shorewall6 starts, specify forwarding=0 in the OPTIONS column on the interface's entry in shorewall6-interfaces (5).
(FAQ 96) I am starting to use IPv6, but on my IPv4 FW, when restarting Shorewall, it puts in ip6tables rules. How do I disable that? Answer: This is a two-step process. Set DISABLE_IPV6=No in shorewall.conf (5) and restart Shorewall. Then execute these commands at a root shell prompt:
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
You will probably want to install Shorewall6 soon so that you have an IPv6 firewall as well as one for IPv4.
Wifidog
(FAQ 105) Can Shorewall work with Wifidog? Answer: Yes, with a couple of restrictions: Wifidog must be started after Shorewall. If Shorewall is restarted/reloaded, then wifidog must be restarted. FORWARD_CLEAR_MARK must be set to in shorewall.conf.
Miscellaneous
(FAQ 20) I have just set up a server. Do I have to change Shorewall to allow access to my server from the Internet? Answer: Yes. Consult the QuickStart guide that you used during your initial setup for information about how to set up rules for your server.
(FAQ 24) How can I allow connections to, let's say, the ssh port only from specific IP Addresses on the Internet? Answer: In the SOURCE column of the rule, follow net by a colon and a list of the host/subnet addresses as a comma-separated list: net:<ip1>,<ip2>,... Example:
ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22
(FAQ 26) When I try to use any of the SYN options in nmap on or behind the firewall, I get <quote>operation not permitted</quote>. How can I use nmap with Shorewall? Answer: Temporarily remove any rejNotSyn, dropNotSyn, dropInvalid, NotSyn(...) and Invalid(...) rules from /etc/shorewall/rules and restart Shorewall.
(FAQ 27) I'm compiling a new kernel for my firewall. What should I look out for? Answer: First take a look at the Shorewall kernel configuration page. You probably also want to be sure that you have selected the NAT of local connections (READ HELP) on the Netfilter Configuration menu. Otherwise, DNAT rules with your firewall as the source zone won't work with your new kernel.
(FAQ 28) How do I use Shorewall as a Bridging Firewall? Answer: Shorewall Bridging Firewall support is available — check here for details.
(FAQ 39) How do I block connections to a particular domain name? I tried this rule to block Google's Adsense that you'll find on everyone's site. Adsense is a Javascript that people add to their Web pages. So I entered the rule:
#ACTION SOURCE DEST                              PROTO
REJECT  fw     net:pagead2.googlesyndication.com all
However, this also sometimes restricts access to "google.com". Why is that? Using dig, I found these IPs for domain googlesyndication.com:
216.239.37.99
216.239.39.99
And this for google.com:
216.239.37.99
216.239.39.99
216.239.57.99
So my guess is that you are not actually blocking the domain, but rather the IP being called. So how in the world do you block an actual domain name? Answer: Packet filters like Netfilter base their decisions on the contents of the various protocol headers at the front of each packet. Stateful packet filters (of which Netfilter is an example) use a combination of header contents and state created when the packet filter processed earlier packets. Netfilter (and Shorewall's use of Netfilter) also consider the network interface(s) where each packet entered and/or where the packet will leave the firewall/router. When you specify a domain name in a Shorewall rule, the iptables program resolves that name to one or more IP addresses and the actual Netfilter rules that are created are expressed in terms of those IP addresses. So the rule that you entered was equivalent to:
#ACTION SOURCE DEST              PROTO
REJECT  $FW    net:216.239.37.99 all
REJECT  $FW    net:216.239.39.99 all
Given that name-based multiple hosting is a common practice (another example: lists.shorewall.net and www1.shorewall.net are both hosted on the same system with a single IP address), it is not possible to filter connections to a particular name by examination of protocol headers alone.
While some protocols such as FTP require the firewall to examine and possibly modify packet payload, parsing the payload of individual packets doesn't always work because the application-level data stream can be split across packets in arbitrary ways. This is one of the weaknesses of the 'string match' Netfilter extension available in later Linux kernel releases. The only sure way to filter on packet content is to proxy the connections in question -- in the case of HTTP, this means running something like Squid. Proxying allows the proxy process to assemble complete application-level messages which can then be accurately parsed and decisions can be made based on the result.
(FAQ 42) How can I tell which features my kernel and iptables support? Answer: Use the shorewall[-lite] show capabilities command at a root prompt.
gateway:~# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Extended Connection Tracking Match Support: Available
   Old Connection Tracking Match Syntax: Not available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Available
   Old IPP2P Match Syntax: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   Old Hashlimit Match: Not available
   NFQUEUE Target: Available
   Realm Match: Available
   Helper Match: Available
   Connlimit Match: Available
   Time Match: Available
   Goto Support: Available
   LOGMARK Target: Available
   IPMARK Target: Available
   LOG Target: Available
   Persistent SNAT: Available
gateway:~#
(FAQ 19) How do I open the firewall for all traffic to/from the LAN? Answer: Add these two policies:
#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
$FW     loc  ACCEPT
loc     $FW  ACCEPT
You should also delete any ACCEPT rules from $FW->loc and loc->$FW since those rules are redundant with the above policies.
(FAQ 88) Can I run Snort with Shorewall? Answer: Yes. In Network Intrusion Detection System (NIDS) mode, Snort is libpcap based (like tcpdump), so it doesn't interfere with Shorewall. We have had reports that users have also been successful in using Snort in inline mode with Shorewall, but no HOWTO exists at this time.
(FAQ 89) How do I connect to the web server in my aDSL modem from my local LAN? Answer: Here's what I did: My local network is 172.20.1.0/24, so I set the IP address in the modem to 172.20.1.2. The IP address of my firewall's interface to the LAN is 172.20.1.254. The logical name of the DSL interface is EXT_IF and my LAN interface is INT_IF. I added the following two configuration entries:
/etc/shorewall/masq:
#INTERFACE        SOURCE    ADDRESS
?COMMENT DSL Modem
EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
When running Shorewall 5.0.14 or later, the equivalent /etc/shorewall/snat is:
#ACTION            SOURCE    DEST              PROTO PORT
SNAT(172.20.1.254) 0.0.0.0/0 EXT_IF:172.20.1.2 tcp   www
/etc/shorewall/proxyarp:
#ADDRESS   INTERFACE EXTERNAL HAVEROUTE PERSISTENT
172.20.1.2 EXT_IF    INT_IF   no        yes
If you can't change the IP address of your modem and its current address isn't in your local network, then you need to change this slightly; assuming that the modem IP address is 192.168.1.1: Do not include an entry in /etc/shorewall/proxyarp. Add an IP address in 192.168.1.0/24 to your external interface using your configuration's network management tools. For Debian-based systems, that means adding this to the interface's stanza in /etc/network/interfaces:
post-up /sbin/ip addr add 192.168.1.254/24 dev external-interface
Your entry in /etc/shorewall/masq would then be:
#INTERFACE         SOURCE    ADDRESS
COMMENT DSL Modem
EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
When running Shorewall 5.0.14 or later, the equivalent /etc/shorewall/snat is:
#ACTION             SOURCE    DEST               PROTO PORT
SNAT(192.168.1.254) 0.0.0.0/0 EXT_IF:192.168.1.1 tcp   www
(FAQ 93) I'm not able to use Shorewall to manage a bridge. I get the following error: ERROR: BRIDGING=Yes is not supported by Shorewall 4.4.13.3. Answer: If you want to apply firewall rules to the traffic passing between bridge ports, see http://www.shorewall.net/bridge-Shorewall-perl.html. If you simply want to allow all traffic between ports, then see http://www.shorewall.net/SimpleBridge.html.
(FAQ 95) What is this $FW that I see in the configuration files and documentation? Answer: FW is a shell variable that expands to the name that you gave to the firewall zone in shorewall-zones(5). The default name for the firewall zone is fw:
#ZONE TYPE     OPTIONS
fw    firewall
So, using the default or sample configurations, writing $FW is the same as writing fw. If you give the firewall zone a different name, gate for example, then writing $FW would be the same as writing gate.
#ZONE TYPE     OPTIONS
gate  firewall
Why was that done? Answer: The firewall zone has special semantics, so having a way to refer to it in a configuration-independent way makes writing the documentation, examples, macros, etc. easier.
(FAQ 98) How do I Unsubscribe from the Mailing List? Answer: There are two ways: On the web: Go to https://lists.sourceforge.net/lists/listinfo/shorewall-users. At the bottom of the form is a section entitled "Shorewall-users Subscribers". At the bottom of that section find:
"To unsubscribe from Shorewall-users, get a password reminder, or change your subscription options enter your subscription email address:".
Enter your email address in the box provided and click on the "Unsubscribe or edit options" button. That will take you to a second form. At the top of the second form is a box to enter your password -- enter it there then click the Unsubscribe button in the center of the form. You will be unsubscribed. If you don't remember your password, click on the Remind button at the bottom of the form and your password will be emailed to you.
Via email using this link: mailto:shorewall-users-request@lists.sourceforge.net?subject=unsubscribe. You will receive a confirmation email shortly; follow the instructions in that email.
(FAQ 102) What is 'qt'? I see it in some of the older documentation. Answer: 'qt' stands for 'quiet'; qt() is a shell function that accepts a command with arguments as parameters. It redirects both standard out and standard error to /dev/null. It is defined in the Shorewall-core shell library lib.common.
shorewall-docs-xml-5.2.3/two-interface_ru.xml
Basic Two-Interface Firewall Tom Eastep 2002-2005 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0, then see the documentation for that release.
Introduction Setting up a Linux system as a firewall for a small network is a fairly straightforward task if you understand the basics and follow the documentation. This guide doesn't attempt to acquaint you with all of the features of Shorewall. It rather focuses on what is required to configure Shorewall in one of its most common configurations: a Linux system used as a firewall/router for a small local network; a single external (public) IP address (if you have more than one public IP address, this guide is not what you need; see the Shorewall Setup Guide instead); an Internet connection through a cable modem, DSL, ISDN, Frame Relay, dial-up line, ... Here is a diagram of a typical installation:
Typical two-interface firewall configuration
System Requirements Shorewall requires that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall. As root, you can use the which command to check for this program:
[root@gateway root]# which ip
/sbin/ip
[root@gateway root]#
Before You Start I recommend that you read the whole guide first to familiarize yourself with what's involved, and then go back through it again making your configuration changes. If you edit your configuration files on a Windows system, you must save them as Unix files if your editor supports that option, or you must run them through dos2unix before trying to use them. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix against the copy before using it with Shorewall. Windows version of dos2unix. Linux version of dos2unix.
Conventions Points at which configuration changes are recommended are flagged with . Configuration notes that are unique to the LEAF/Bering project are marked with .
PPTP/ADSL If you have an ADSL modem and you use PPTP to communicate with a server in that modem, you must make the changes recommended here in addition to those described in the steps below. ADSL with PPTP is most commonly found in Europe, notably in Austria.
Shorewall Concepts The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will only need to deal with a few of these, as described in this guide. Note to Debian Users If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on your system in the directory /usr/share/doc/shorewall-common/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies. Note that you must copy /usr/share/doc/shorewall-common/default-config/shorewall.conf and /usr/share/doc/shorewall-common/default-config/modules to /etc/shorewall even if you do not modify those files. After you have installed Shorewall, you can find the sample configuration files in the following locations: If you installed using an RPM, the samples will be in the Samples/two-interface subdirectory of the Shorewall documentation directory. If you don't know where the Shorewall documentation directory is, you can find the samples using this command:
~# rpm -ql shorewall | fgrep two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped
/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
~#
If you installed Shorewall from a tarball, the samples are in the Samples/two-interface directory in the tarball. If you installed using a .deb, the samples are in /usr/share/doc/shorewall-common/examples/two-interface.
As each file is introduced, I suggest that you look through the actual file on your system -- each file contains detailed configuration instructions and default entries. Shorewall views the network where it is running as being composed of a set of zones. In the two-interface sample configuration, the following zones are defined:
#ZONE TYPE     OPTIONS IN          OUT
#                      OPTIONS     OPTIONS
fw    firewall
net   ipv4
loc   ipv4
Shorewall zones are defined in /etc/shorewall/zones. Note that Shorewall recognizes the firewall system as its own zone. When /etc/shorewall/zones is processed, the name of the firewall zone (fw in the example above) is stored in the shell variable $FW, which may be used throughout the Shorewall configuration to refer to the firewall itself. Rules about what traffic to allow and what traffic to deny are expressed in terms of zones. You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file. You define exceptions to those default policies in the /etc/shorewall/rules file. For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request, then the first policy in /etc/shorewall/policy that matches the request is applied. If there is a common action defined for the policy in /etc/shorewall/actions or /usr/share/shorewall/actions.std, then that action is taken before . The /etc/shorewall/policy file included with the two-interface sample has the following policies:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc     net  ACCEPT
net     all  DROP   info
all     all  REJECT info
In the two-interface sample, the line shown below is commented out. If you want your firewall to have full access to servers on the Internet, uncomment that line.
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW     net  ACCEPT
The above policies will: allow all connection requests from your local network to the Internet; drop (ignore) all connection requests from the Internet to your firewall or local network; optionally accept all connection requests from the firewall to the Internet (if you uncommented the additional policy); reject all other connection requests (Shorewall requires such a policy, which applies to all remaining requests). It is important to note that Shorewall policies (and rules) refer to connections and not to packet flow. With the policy defined in the /etc/shorewall/policy file shown above, connections from the loc zone to the net zone are allowed, but connections from the loc zone to the firewall itself are not allowed. At this point, you may edit your /etc/shorewall/policy file and make any changes that you wish.
Network Interfaces The firewall has two network interfaces. Where Internet connectivity is through a cable or DSL Modem, the External Interface will be the ethernet adapter that is connected to that Modem (e.g. eth0) unless you connect via Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol (PPTP), in which case the External Interface will be a ppp interface (e.g. ppp0). If you connect via a regular modem, your External Interface will also be ppp0. If you connect using ISDN, your External Interface will be ippp0. If your external interface is ppp0 or ippp0, then you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf. Your Internal Interface will be an ethernet adapter (eth0 or eth1) and will be connected to a hub or switch. Your other computers will be connected to the same hub/switch (note: if you have only a single internal system, you can connect the firewall directly to that computer using a cross-over cable). Do NOT connect the internal and external interfaces to the same hub or switch except for testing. You can test using this kind of configuration if you specify the ARP_FILTER option in /etc/shorewall/interfaces for all interfaces connected to the common hub/switch. Using such a setup with a production firewall is strongly discouraged. The Shorewall two-interface sample configuration assumes that the external interface is eth0 and the internal interface is eth1. If your configuration differs, you will have to modify the sample /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interfaces. Some hints: If your external interface is ppp0 or ippp0, you can replace detect in the second column with "-" (a minus sign in quotes).
If your external interface is ppp0 or ippp0, or if you have a static IP address, you can remove dhcp from the option list. If your external interface is a bridge created with the brctl utility, then you must add the routeback option to the option list.
IP Addresses Before going further, we should say a few words about Internet Protocol (IP) addresses. Normally, your Internet Service Provider (ISP) will assign you a single IP address. This address can be assigned statically, via the Dynamic Host Configuration Protocol (DHCP), when you establish a dial-up connection (standard modem), or when you establish another kind of PPP (PPPoA, PPPoE, etc.) connection. In the latter case, your ISP may assign you a static IP address, meaning that you configure your firewall's external interface to use that address permanently. However your external address is assigned, it will be shared by all of your systems when they access the Internet. You will have to assign your own addresses in your internal network (the internal interface on your firewall plus your other computers). RFC-1918 reserves several Private IP address ranges for this purpose:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Before starting Shorewall, you should look at the IP address of your external interface, and if it is in one of the above ranges, you should remove the norfc1918 option from the external interface's entry in /etc/shorewall/interfaces. You will want to assign your addresses from the same subnet (subnetwork). For our purposes, we can consider a subnet to consist of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a Subnet Mask of 255.255.255.0. The address x.y.z.0 is reserved as the Subnet Address and x.y.z.255 is reserved as the Subnet Broadcast Address. In Shorewall, a subnet is described using Classless InterDomain Routing (CIDR) notation, with the subnet address followed by /24. The 24 refers to the number of consecutive leading 1 bits from the left of the subnet mask.
Range: 10.10.10.0 - 10.10.10.255
Subnet Address: 10.10.10.0
Broadcast Address: 10.10.10.255
CIDR Notation: 10.10.10.0/24
It is conventional to assign the internal interface either the first usable address in the subnet (10.10.10.1 in the above example) or the last usable address (10.10.10.254). One of the purposes of subnetting is to allow all computers in the subnet to understand which other computers they can communicate with directly. To communicate with systems outside the subnet, systems send packets through a gateway (router). Your local computers (computer 1 and computer 2 in the above diagram) should be configured with their default gateway set to the IP address of the firewall's internal interface. The foregoing short discussion barely scratches the surface regarding subnetting and routing. If you are interested in learning more about IP addressing and routing, I highly recommend IP Fundamentals: What Everyone Needs to Know about Addressing & Routing, Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0 (link). The remainder of this guide assumes that you have your network configured as shown here: The default gateway for computer 1 and computer 2 should be 10.10.10.254. Your ISP might assign your external interface an RFC-1918 address. If that address is in the 10.10.10.0/24 subnet, then you will need to select a DIFFERENT RFC-1918 subnet for your local network.
IP Masquerading (SNAT) The addresses reserved by RFC-1918 are sometimes referred to as non-routable because the Internet backbone routers don't forward packets which have an RFC-1918 destination address. When one of your local systems (let's assume computer 1) sends a connection request to an Internet host, the firewall must perform Network Address Translation (NAT). The firewall rewrites the source address in the packet to be the address of the firewall's external interface; in other words, the firewall makes it look as if the firewall itself is initiating the connection. This is necessary so that the destination host will be able to route the return packets back to the firewall through the routers (remember that packets whose destination address is reserved by RFC-1918 can't be routed across the Internet, so the remote host could not address its response to computer 1). When the firewall receives the return packet, it rewrites the destination address back to 10.10.10.1 and forwards the packet on to computer 1. On Linux systems, the above process is known as IP Masquerading, but you will also see the term Source Network Address Translation (SNAT) used. Shorewall follows the convention used with Netfilter: Masquerade describes the case where you let your firewall system automatically detect the external interface address. SNAT refers to the case where you explicitly specify the source address that you want outbound packets from your local network to use. In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file. You will normally use Masquerading if your external IP is dynamic and SNAT if the external IP is static. If your external firewall interface is eth0, you do not need to modify the file provided with the sample.
Otherwise, edit /etc/shorewall/masq and change the first column to the name of your external interface and the second column to the name of your internal interface. If your external IP is static, you can enter it in the third column of the /etc/shorewall/masq entry if you like, although your firewall will work fine if you leave that column empty. Entering your static IP in the third column makes processing outgoing packets a little more efficient. If you are using the Debian package, please check your shorewall.conf file to ensure that the following is set correctly; if it is not, change it appropriately:
IP_FORWARDING=On
Port Forwarding (DNAT)

One of your goals may be to run one or more servers on your local computers. Because those computers have RFC 1918 addresses, it is not possible for clients on the Internet to connect directly to them. Those clients must instead address their connection requests to the firewall, which rewrites the destination address to the address of your server and forwards the packet to that server. When your server responds, the firewall automatically performs SNAT to rewrite the source address in the response. The process described above is called Port Forwarding or Destination Network Address Translation (DNAT). You configure port forwarding using DNAT rules in the /etc/shorewall/rules file. The general form of a simple port forwarding rule in /etc/shorewall/rules is:

#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:<server local ip address>[:<server port>] <protocol> <port>

Shorewall has macros for many popular applications. Look in /usr/share/shorewall/macro.* to see which are available in your release. Macros simplify creating DNAT rules by supplying the protocol and port(s), as shown below.

Web server: You run a web server on computer 2 and you want to forward incoming TCP packets for port 80 to that system:

#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/DNAT net loc:192.168.1.5

FTP server: You run an FTP server on computer 1, so you want to forward incoming TCP packets for port 21 to that system:

#ACTION SOURCE DEST PROTO DEST PORT(S)
FTP/DNAT net loc:10.10.10.1

For FTP you will also need FTP connection tracking and NAT support in your kernel. For kernels supplied by distribution vendors, this means that the ip_conntrack_ftp and ip_nat_ftp modules must be loaded.
Shorewall will load these modules automatically if they are available and located in the standard place under /lib/modules/<kernel version>/kernel/net/ipv4/netfilter. A couple of important points to keep in mind:

You must test the above rules from a client outside your local network (i.e., do not test from a browser running on computer 1 or 2 or on the firewall). If you want to access your web server and/or FTP server from your firewall using the IP address of your external interface, see Shorewall FAQ #2.

Many ISPs block incoming connection requests to port 80. If you have problems connecting to your web server, try the following rule and attempt to connect to port 5000 (for example, connect to http://w.x.y.z:5000, where w.x.y.z is your external IP).

#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:10.10.10.2:80 tcp 5000

At this point, modify /etc/shorewall/rules to add any DNAT rules that you require. When testing DNAT rules like the ones above, you must test from a client OUTSIDE YOUR FIREWALL (in the net zone). You cannot test these rules from inside the firewall! For tips on troubleshooting DNAT, see FAQs 1a and 1b.
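The masq entries and DNAT rules discussed in the two sections above are a notation for Netfilter NAT rules. The following added shell example (it is not code from the guide or from Shorewall) prints the plain iptables commands that a masq line and a DNAT rule stand for, so the source rewrite in POSTROUTING and the destination rewrite in PREROUTING are visible side by side. The interface names eth0 (external) and eth1 (internal), the local network 10.10.10.0/24 and the static address 203.0.113.7 are assumptions; the functions only print commands and change nothing on the host.

```shell
#!/bin/sh
# Added example (not from the Shorewall guide): the netfilter rules that a
# Shorewall masq entry and a Shorewall DNAT rule stand for, written out as
# plain iptables commands so the address rewriting is visible.
#
# Assumptions (not from the guide): eth0 is the external interface, eth1 the
# internal one, the local network is 10.10.10.0/24 and 203.0.113.7 is a
# constructed static address. The functions only print the commands; nothing
# is applied to the running kernel.

# masq_to_iptables EXT_IF SOURCE_CIDR [STATIC_ADDRESS]
#   Mirrors an /etc/shorewall/masq line (INTERFACE SUBNET ADDRESS). Shorewall
#   resolves an interface name in the SUBNET column to its subnet; here the
#   subnet is given directly. With a static address the target is SNAT, without
#   one it is MASQUERADE, which reads the outgoing interface's address itself.
masq_to_iptables() {
  ext="$1"; src="$2"; addr="$3"
  if [ -n "$addr" ]; then
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
      "$src" "$ext" "$addr"
  else
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$src" "$ext"
  fi
}

# dnat_to_iptables EXT_IF INT_IF DEST PROTO PORT
#   Mirrors "DNAT net loc:<server>[:<server port>] <protocol> <port>".
#   Two rules are needed: the nat-table rewrite of the destination address,
#   and a filter-table rule that lets the rewritten connection be forwarded.
#   Replies need no rule of their own: conntrack reverses the translation.
dnat_to_iptables() {
  ext="$1"; int="$2"; dest="$3"; proto="$4"; port="$5"
  rest="${dest#*:}"                 # drop the zone name, e.g. "loc:"
  case "$rest" in
    *:*) server="${rest%%:*}"; sport="${rest#*:}" ;;   # explicit server port
    *)   server="$rest"; sport="$port" ;;              # same port as outside
  esac
  printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$ext" "$proto" "$port" "$server" "$sport"
  printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$ext" "$int" "$proto" "$server" "$sport"
}

# The guide's own cases, rendered:
masq_to_iptables eth0 10.10.10.0/24                    # dynamic external address
masq_to_iptables eth0 10.10.10.0/24 203.0.113.7        # static address (constructed)
dnat_to_iptables eth0 eth1 loc:10.10.10.2:80 tcp 5000  # port 5000 outside -> port 80 on computer 2
dnat_to_iptables eth0 eth1 loc:10.10.10.1 tcp 21       # FTP on computer 1, same port inside and out
```

Note the FORWARD rule matches on the already rewritten destination (10.10.10.2:80, not port 5000): the nat-table PREROUTING hook runs before the routing decision and before the filter-table FORWARD chain sees the packet, which is also why a DNAT rule cannot be exercised from a host behind the firewall, whose packets never traverse PREROUTING on the external interface.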
Domain Name Server (DNS)

Normally, when you connect to your ISP, your firewall's Domain Name Service (DNS) resolver is configured automatically as part of obtaining an IP address (for example, the /etc/resolv.conf file is written). Alternatively, your ISP may have given you the IP addresses of a pair of DNS servers for you to configure manually as your primary and secondary name servers. Regardless of how DNS is configured on your firewall, it is your responsibility to configure the resolver on your internal systems. You can take one of two approaches:

You can configure your internal systems to use your ISP's name servers. If your ISP gave you the addresses of those servers, or if the addresses are available on their web site, you can configure your internal systems to use those addresses. If that information is not available, look in /etc/resolv.conf on your firewall; the name servers are given in the nameserver records of that file.

You can configure a Caching Name Server on your firewall. Red Hat has an RPM for a caching name server (which also requires the bind RPM), and for Bering users there is dnscache.lrp. If you take this approach, you configure your internal systems to use the firewall itself as their primary (and only) name server. You use the internal IP address of the firewall (10.10.10.254 in the example above) as the name server address if you run the name server on your firewall. To allow your local systems to talk to your caching name server, you must open port 53 (both UDP and TCP) on the firewall to the internal network. You can do that by adding the following rule to the /etc/shorewall/rules file:

#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc $FW
Other Connections

The two-interface sample includes the following rule:

#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT $FW net

That rule allows DNS access from your firewall and may be removed if you uncommented the line in /etc/shorewall/policy allowing all connections from the firewall to the Internet. In the rule shown above, DNS/ACCEPT is an example of a macro invocation. Shorewall includes many macros (see /usr/share/shorewall/macro.*) and you can add your own. You do not have to use the predefined macros when writing rules in /etc/shorewall/rules; Shorewall will start slightly faster if you write your rules directly rather than using macros. The rule shown above could also be written as:

#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT $FW net udp 53
ACCEPT $FW net tcp 53

In cases where Shorewall does not have a predefined macro that meets your needs, you can either define your own macro or simply write the appropriate rules directly. This page may help you if you do not know the protocol and port that an application uses. The sample also includes:

#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT loc $FW

That rule allows you to run an SSH server on your firewall and to connect to it from your local systems.
If you want to allow other connections from your firewall to other systems, the general format using a macro is:

#ACTION SOURCE DEST PROTO DEST PORT(S)
<macro>/ACCEPT $FW <destination zone>

The general format when no predefined macro covers the action is:

#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT $FW <destination zone> <protocol> <port>

Web server on the firewall: You want to run a web server on your firewall:

#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/ACCEPT net $FW
Web/ACCEPT loc $FW

Those two rules would of course be in addition to the rules listed above under "You can configure a Caching Name Server on your firewall". If you do not know what port and protocol a particular application uses, see here. I do not recommend enabling telnet to/from the Internet because it uses clear text (even for the login name and password!). If you want shell access to your firewall from the Internet, use SSH:

#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT net $FW

Bering users will want to add the following two rules to be compatible with Jacques' Shorewall configuration:

#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc $FW udp 53 #Allow DNS Cache to work
ACCEPT loc $FW tcp 80 #Allow Weblet to work

Entry 1 allows the caching DNS to be used. Entry 2 allows the weblet to work. Now you can edit your /etc/shorewall/rules file, adding or removing other connections as required.
Some Things to Keep in Mind

You cannot test your firewall from the inside. Just because you send requests to your firewall's external IP address does not mean that the requests will be associated with the external interface or the net zone. Any traffic that you generate from the local network will be associated with your local interface and will be treated as loc->fw traffic.

IP addresses are properties of systems, not of interfaces. It is a mistake to believe that your firewall is able to forward packets just because you can ping the IP addresses of all of the firewall's interfaces from the local network. The only conclusion you can draw from such a successful ping is that there is a working link between the local system and the firewall and that you have probably configured the default gateway on the local system correctly.

All IP addresses configured on firewall interfaces belong to the $FW (fw) zone. If 192.168.1.254 is the IP address of your internal interface, then you can write $FW:192.168.1.254 in a rule, but you cannot write loc:192.168.1.254. It is also pointless to add 192.168.1.254 to the loc zone with an entry in /etc/shorewall/hosts.

Reply packets do NOT automatically follow the reverse of the route that the original request took. All packets are routed according to the routing table of each host along the way. This issue usually comes up when people install a Shorewall firewall in parallel with an existing gateway and try to use DNAT through Shorewall without changing the default gateway of the system receiving the forwarded requests. The requests pass through the Shorewall firewall, where the destination IP address is changed, but the replies leave unmodified through the old gateway.

Shorewall itself has no notion of inside or outside. Those concepts are embodied in how Shorewall is configured.
Starting and Stopping Your Firewall

The installation procedure configures your system to start Shorewall at system boot, but startup is disabled so that your system will not try to start Shorewall before configuration is complete. Once you have completed the configuration of your firewall, you can enable Shorewall startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes. Users of the .deb package must edit /etc/default/shorewall and set STARTUP=1. You must enable startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes.

The firewall is started using the shorewall start command and stopped using shorewall stop. When the firewall is stopped, routing is enabled to those hosts listed in /etc/shorewall/routestopped. A running firewall may be restarted using the shorewall restart command. If you want to completely remove the changes Shorewall made to your Netfilter configuration, use the shorewall clear command.

The two-interface sample assumes that you want to enable routing to/from eth1 (the local network) when Shorewall is stopped. If your local network is not connected to eth1, or if you do not wish to enable access to/from other hosts, change /etc/shorewall/routestopped accordingly. If you are connected to your firewall from the Internet, do not issue a shorewall stop command unless you have added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. Also, I do not recommend using shorewall restart; it is better to create an alternate configuration and test it using the shorewall try command.
Additional Recommended Reading

I highly recommend that you review the Common Configuration File Features page; it contains helpful tips about Shorewall features that make administering your firewall easier.
Adding a Wireless Segment to your Two-Interface Firewall

Once you have a working two-interface setup, the logical next step is to add a wireless network. The first step involves adding an additional network card to your firewall, either a wireless card or an Ethernet card that is connected to a Wireless Access Point. When you add a network card, it will not necessarily be detected as the next network interface in sequence. For example, if you have two Ethernet cards in your system (eth0 and eth1) and you add a third card that uses the same driver as one of the existing cards, the third card will not necessarily be detected as eth2; it may be detected as eth0 or eth1! You can either live with that, or you can move the cards between slots until the new card is detected as eth2. Your new network will look something like the following diagram.

First, note that the computers on your wireless network will be in a different subnet from those on your wired local network. In the example above we have chosen to use the network 10.10.11.0/24. Computers 3 and 4 must be configured with the default gateway IP address 10.10.11.254. Second, we have chosen to include the wireless network as part of the loc zone. Since Shorewall allows intra-zone traffic by default, traffic can flow freely between the wired and wireless local networks.

Only two changes to the Shorewall configuration are required:

You need to add an entry for the wireless network interface to /etc/shorewall/interfaces. If the wireless interface is wlan0, the entry might look like this:

#ZONE INTERFACE BROADCAST OPTIONS
loc wlan0 detect maclist

As shown above, I recommend using the maclist option for the wireless segment.
By adding entries for computers 3 and 4 to /etc/shorewall/maclist, you can be sure that your neighbors are not using your Internet connection. Start without this option, and once everything is working, add it and configure your /etc/shorewall/maclist file.

You need to add an entry to /etc/shorewall/masq to masquerade traffic from the wireless network to the Internet. If your Internet interface is eth0 and your wireless interface is wlan0, the entry would be:

#INTERFACE SUBNET ADDRESS
eth0 wlan0

One more note. For Microsoft networking to work between the wireless and wired networks, you need either a WINS server or a PDC. I personally use Samba configured as a WINS server, running on my firewall. Running a WINS server on your firewall requires the rules listed in the Shorewall/Samba documentation.
shorewall-docs-xml-5.2.3/XenMyWay-Routed.xml
Strong Firewall in a Routed Xen Dom0

Tom Eastep

2006, 2007 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 4.0 and later. If you are running a version of Shorewall earlier than Shorewall 4.0.0 then please see the documentation for that release.
Before Xen

Prior to adopting Xen, I had a home office crowded with 5 systems, three monitors, a scanner and a printer. The systems were:

Firewall
Public Server in a DMZ (mail)
Private Server (wookie)
My personal Linux Desktop (ursa)
My work system (docked laptop running Windows XP).

The result was a very crowded and noisy room.
After Xen

Xen has allowed me to reduce the noise and clutter considerably. I now have three systems with two monitors. I've also replaced the individual printer and scanner with a Multifunction FAX/Scanner/Printer. The systems now include:

Combination Firewall/Public Server/Private Server/Wireless Gateway using Xen (created by building out my Linux desktop system -- now replaced by a Hewlett-Packard Pavilion a1510y).
My work system.
My Linux desktop (wookie, which is actually the old public server box)

The Linux systems run either OpenSuSE 10.3 or Ubuntu "Gutsy Gibbon". Here is a high-level diagram of our network. As shown in this diagram, the Xen system has three physical network interfaces. These are:

eth0 -- connected to our DSL "Modem".
eth1 -- connected to the switch in my office.
eth2 -- connected to a Wireless Access Point (WAP) that interfaces to our wireless network.

There are three Xen domains.

Dom0 (DNS name gateway.shorewall.net) is used as our main firewall and wireless gateway as well as a local file server. It hosts Squid running as a transparent HTTP proxy and a DHCP server that manages IP address assignment for both the LAN and the Wireless network.
A DomU (Domain name lists, DNS name lists.shorewall.net) that is used as a public Web/FTP/Mail/DNS server.
A DomU (Domain name test, DNS name test.shorewall.net) that I use for Shorewall testing.

Shorewall runs in Dom0. As the developer of Shorewall, I have enough experience to be very comfortable with Linux networking and Shorewall/iptables. I arrived at this configuration after a fair amount of trial and error experimentation (see Xen and the art of Consolidation). If you are a Linux networking novice, I recommend that you do not attempt a configuration like this one for your first Shorewall installation. You are very likely to frustrate both yourself and the Shorewall support team.
Rather, I suggest that you start with something simple like a standalone installation in a DomU; once you are comfortable with that, you will be ready to try something more substantial. As Paul Gear says: Shorewall might make iptables easy, but it doesn't make understanding fundamental networking principles, traffic shaping, or multi-ISP routing any easier. The same goes for Xen networking.
Domain Configuration Below are the relevant configuration files for the two domains. I use a partition on my hard drives for the DomU storage device. There is not much documentation about how to configure Xen for routed operation. I've tried to mark the relevant parts with bold font. The files from /etc/xen/auto shown below correspond to my configuration under Xen 3.0. I'm now running Xen 3.1 which does not use configuration files for the domains but rather keeps the configuration in a database managed by xend. See below.
/boot/grub/menu.lst — here is the entry that boots Xen in Dom0.
title Kernel-2.6.18.8-0.1-xen
    root (hd0,5)
    kernel /boot/xen.gz
    module /boot/vmlinuz-2.6.18.8-0.1-xen root=/dev/sda6 vga=0x31a resume=/dev/sda5 splash=silent showopts
    module /boot/initrd-2.6.18.8-0.1-xen
/etc/modprobe.conf.local (This may need to go in /etc/modprobe.conf or /etc/modprobe.d/options on your system)
options netloop nloopbacks=0 #Stop netloop from creating 8 useless vifs
/etc/xen/auto/01-lists — configuration file for the lists domain. Placed in /etc/xen/auto/ so it is started automatically by Xen's xendomains service.
disk = [ 'phy:/dev/sda9,hda,w', 'phy:/dev/hda,hdb,r' ]
memory = 512
vcpus = 1
builder = 'linux'
name = 'server'
vif = [ 'mac=00:16:3e:b1:d7:90, ip=206.124.146.177, vifname=eth3' ]
localtime = 0
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
extra = ' TERM=xterm'
bootloader = '/usr/lib/xen/boot/domUloader.py'
bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'

Note that the vifname is set to 'eth3' for the virtual interface to this DomU. This will cause the Dom0 interface to the server to have a fixed name (eth3), which makes it a lot easier to deal with in Shorewall and elsewhere. Specifying an IP address (ip=206.124.146.177) causes the vif-route script to create a host route to that IP address on eth3.
gateway:~ # ip route ls dev eth3
206.124.146.177  scope link  src 206.124.146.176
gateway:~ #
Note that the source for the route is 206.124.146.176. That is the primary IP address of Dom0's eth0. Xen configures eth3 to have that same IP address.
/etc/xen/auto/02-test — configuration file for the test domain.
disk = [ 'phy:/dev/hdb4,hda,w', 'phy:/dev/hda,hdb,r' ]
memory = 512
vcpus = 1
builder = 'linux'
name = 'test'
vif = [ 'mac=00:16:3e:83:ad:28, ip=192.168.1.7, vifname=eth4' ]
localtime = 0
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
extra = ' TERM=xterm'
bootloader = '/usr/lib/xen/boot/domUloader.py'
bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
Excerpt from /etc/xen/xend-config.sxp:
…
# It is possible to use the network-bridge script in more complicated
# scenarios, such as having two outgoing interfaces, with two bridges, and
# two fake interfaces per guest domain. To do things like this, write
# yourself a wrapper script, and call network-bridge from it, as appropriate.
#
#(network-script network-bridge)
…
# If you are using only one bridge, the vif-bridge script will discover that,
# so there is no need to specify it explicitly.
#
#(vif-script vif-bridge)

## Use the following if network traffic is routed, as an alternative to the
# settings for bridged networking given above.
(network-script network-route)
(vif-script vif-route)

As of this writing, the vif-route script does not set up Proxy ARP correctly. So the domU can communicate with the dom0 but not with hosts beyond the dom0. If you configure Shorewall as described below, Shorewall will correct the Proxy ARP configuration so that it will work.
Instructions for editing entries in the Xen 3.1 xend database may be found at http://www.novell.com/documentation/vmserver/config_options/index.html?page=/documentation/vmserver/config_options/data/b8uh3zr.html. The following are excerpts from the XML representations of the two user domains (produced by "xm list -l …"). lists domain:
…
(features )
(on_xend_start start)
(on_xend_stop shutdown)
(start_time 1194710550.49)
…
(console_mfn 397179)
(device
    (vif
        (mac 00:16:3e:b1:d7:90)
        (script vif-route)
        (ip 206.124.146.177)
        (vifname eth3)
        (type netfront)
        (devid 0)
        (uuid 55676385-7b69-09fd-4027-751b692ead75)
    )
)
(device
    (vbd
…
test domain:
…
(console_mfn 418003)
(device
    (vif
        (uuid 64a1dd48-fa8b-7561-e90b-cd589cbeb7fa)
        (script vif-route)
        (ip 192.168.1.7)
        (mac 00:16:3e:83:ad:28)
        (vifname eth4)
        (devid 0)
        (type netfront)
        (backend 0)
    )
)
(device
    (vbd
…
With the three Xen domains up and running, the system looks as shown in the following diagram. The zones correspond to the Shorewall zones in the Dom0 configuration.

Readers who are paying attention will notice that eth4 has the same public IP address (206.124.146.176) as eth0 (and eth3), yet the test system connected to that interface has an RFC 1918 address (192.168.1.7). That configuration is established by Xen, which clones the primary IP address of eth0 on all of the routed virtual interfaces that it creates. test is configured with its default route via 192.168.1.254, which is the IP address of the firewall's br0. That works because of the way that the Linux network stack treats local IPv4 addresses; by default, it will respond to ARP "who-has" broadcasts for any local address and not just for the addresses on the interface that received the broadcast (but of course the MAC address returned in the "here-is" response is that of the interface that received the broadcast). So when test broadcasts "who-has 192.168.1.254", the firewall responds with "here-is 192.168.1.254 00:16:3e:83:ad:28" (00:16:3e:83:ad:28 is the MAC of virtual interface eth4).

Under some circumstances, UDP and/or TCP communication from a DomU won't work for no obvious reason. That happened with the lists domain in my setup. Looking at the IP traffic with tcpdump -nvvi eth1 in Dom0 showed that UDP packets from the lists DomU had incorrect checksums. That problem was corrected by arranging for the following command to be executed in the lists and test domains when the eth0 device was brought up:

ethtool -K eth0 tx off

Under OpenSuSE 10.2, I placed the following in /etc/sysconfig/network/ifcfg-eth-id-00:16:3e:b1:d7:90 (the config file for eth0):

ETHTOOL_OPTIONS='-K iface tx off'

Under other distributions, the technique will vary.
For example, under Debian or Ubuntu, you can just add a 'post-up' entry to /etc/network/interfaces as shown here:

iface eth0 inet static
    address 206.124.146.177
    netmask 255.255.255.0
    post-up ethtool -K eth0 tx off

Update. Under OpenSuSE 10.2, communication from a domU works okay without running ethtool but traffic shaping in dom0 doesn't work! So it's a good idea to run it just to be safe.
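The plumbing that the routed vifs need in Dom0 (a host route on the vif, and Dom0 answering ARP for the DomU's address on the outside interface, which the vif-route script gets wrong and the /etc/shorewall/proxyarp entries in the Dom0 configuration repair), as an added shell example. It is not code from this article or from Shorewall: it prints equivalent ip/sysctl commands rather than Shorewall's generated script, and it checks the "ip route ls dev eth3" output quoted earlier for the expected host route. The interface names and addresses are the article's (eth3/eth0 for lists, eth4/br0 for test); the sample route line is the one from the listing above.

```shell
#!/bin/sh
# Added example, not part of the Shorewall documentation: what a routed Xen
# DomU needs in Dom0 so that hosts beyond Dom0 can reach it, expressed as
# plain ip/sysctl commands equivalent to one /etc/shorewall/proxyarp entry
# (ADDRESS INTERFACE EXTERNAL HAVEROUTE). Nothing here touches the kernel;
# the commands are printed for review.

# proxyarp_commands ADDRESS INTERFACE EXTERNAL HAVEROUTE
proxyarp_commands() {
  addr="$1"; vif="$2"; ext="$3"; haveroute="$4"
  # Host route toward the DomU, unless Xen's vif-route already added it
  # (HAVEROUTE=yes in the article, since "ip=" in the vif line creates it).
  [ "$haveroute" = "yes" ] || printf 'ip route replace %s dev %s\n' "$addr" "$vif"
  # From the outside the DomU address lies in EXTERNAL's subnet, so Dom0 must
  # answer "who-has ADDRESS" there with its own MAC: enable proxy ARP on the
  # external interface and publish a proxy neighbour entry for the address.
  printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$ext"
  printf 'ip neigh add proxy %s dev %s\n' "$addr" "$ext"
  # Packets answered on EXTERNAL are then forwarded over the host route.
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# route_ok ADDRESS SRC ROUTE_OUTPUT
#   Checks "ip route ls dev VIF" output for the expected host route: the DomU
#   address as a link-scope route whose src is Dom0's primary address, which
#   Xen clones onto the vif.
route_ok() {
  addr="$1"; src="$2"; out="$3"
  printf '%s\n' "$out" | grep -q "^$addr  *scope link  *src $src\$"
}

# Sample taken from the article's "ip route ls dev eth3" listing.
ROUTE_OUTPUT='206.124.146.177 scope link src 206.124.146.176'

proxyarp_commands 206.124.146.177 eth3 eth0 yes   # lists DomU, public address
proxyarp_commands 192.168.1.7 eth4 br0 no         # test DomU, RFC 1918 address, route not yet present
route_ok 206.124.146.177 206.124.146.176 "$ROUTE_OUTPUT" && echo "host route to lists DomU present"
```

Proxy ARP is only needed on the external side: the DomU's own ARP for its gateway arrives on the vif, which already carries the gateway address, so the weak-host behaviour described above answers it without any proxy entry.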
Dom0 Shorewall Configuration

In Dom0, I run a conventional three-interface firewall with Proxy ARP DMZ -- it is very similar to the firewall described in the Shorewall Setup Guide with the exception that I've added a fourth interface for our wireless network. The firewall runs a routed OpenVPN server to provide road warrior access for our three laptops and a bridged OpenVPN server for the wireless network in our home. Here is the firewall's view of the network: The three laptops can be directly attached to the LAN as shown above or they can be attached wirelessly -- their IP addresses are the same in either case; when they are directly attached, the IP address is assigned by the DHCP server running in Dom0 and when they are attached wirelessly, the IP address is assigned by OpenVPN. The Shorewall configuration files are shown below. All routing and secondary IP addresses are handled in the OpenSuSE network configuration.
/etc/shorewall/shorewall.conf:

STARTUP_ENABLED=Yes
VERBOSITY=0
SHOREWALL_COMPILER=perl
LOGFILE=/var/log/firewall
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
LOG_MARTIANS=No
IPTABLES=
SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
IP_FORWARDING=Yes
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
MACLIST_TABLE=mangle
MACLIST_TTL=60
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=Yes
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=Yes
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=No
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP

/etc/shorewall/zones:

#ZONE   TYPE        OPTIONS     IN_OPTIONS  OUT_OPTIONS
fw      firewall    #The firewall itself.
net     ipv4        #Internet
loc     ipv4        #Local wired Zone
dmz     ipv4        #DMZ
vpn     ipv4        #Open VPN clients
wifi    ipv4        #Local Wireless Zone

/etc/shorewall/policy:

#SOURCE DEST    POLICY  LOGLEVEL    LIMIT
$FW     $FW     ACCEPT
$FW     net     ACCEPT
loc     net     ACCEPT
$FW     vpn     ACCEPT
vpn     net     ACCEPT
vpn     loc     ACCEPT
loc     vpn     ACCEPT
$FW     loc     ACCEPT
loc     $FW     ACCEPT
wifi    all     REJECT  $LOG
net     $FW     DROP    $LOG        1/sec:2
net     loc     DROP    $LOG        2/sec:4
net     dmz     DROP    $LOG        8/sec:30
net     vpn     DROP    $LOG
all     all     REJECT  $LOG

Note that the firewall<->local network interface is wide open so from a security point of view, the firewall system is part of the local zone.

/etc/shorewall/params (edited):

MIRRORS=<comma-separated list of Shorewall mirrors>
NTPSERVERS=<comma-separated list of NTP servers I sync with>
POPSERVERS=<comma-separated list of server IP addresses>
LOG=info
INT_IF=br0
DMZ_IF=eth3
EXT_IF=eth0
WIFI_IF=eth2
TEST_IF=eth4
OMAK=<IP address at our second home>

/etc/shorewall/init:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

/etc/shorewall/interfaces (don't specify the BROADCAST addresses if you are using Shorewall-perl):

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ${EXT_IF}   detect      dhcp,logmartians=1,blacklist
dmz     $DMZ_IF     detect      logmartians=1
loc     $INT_IF     detect      dhcp,logmartians=1,routeback,bridge
loc     $TEST_IF    detect      optional
loc     $TEST1_IF   detect      optional
wifi    $WIFI_IF    detect      dhcp,maclist,mss=1400
vpn     tun+        -

/etc/shorewall/nat:

#EXTERNAL           INTERFACE   INTERNAL        ALLINTS LOCAL
COMMENT One-to-one NAT
206.124.146.178     $EXT_IF:0   192.168.1.3     No      No
206.124.146.180     $EXT_IF:2   192.168.1.6     No      No

/etc/shorewall/masq (Note the cute trick here and in the following proxyarp file that allows me to access the DSL "Modem" using its default IP address (192.168.1.1)). The leading "+" is required to place the rule before the SNAT rules generated by entries in /etc/shorewall/nat above.

#INTERFACE              SOURCE          ADDRESS         PROTO   DPORT   IPSEC
COMMENT Handle DSL 'Modem'
+$EXT_IF:192.168.1.1    0.0.0.0/0       192.168.1.254
COMMENT Masquerade VPN clients and Wifi
$EXT_IF                 192.168.2.0/24
$EXT_IF                 192.168.3.0/24
$EXT_IF:192.168.98.1    192.168.99.1    192.168.1.99
$EXT_IF:192.168.99.1    192.168.98.1    192.168.1.98
COMMENT Masquerade Local Network
$EXT_IF                 192.168.1.0/24  206.124.146.179

/etc/shorewall/proxyarp:

#ADDRESS            INTERFACE   EXTERNAL    HAVEROUTE   PERSISTENT
192.168.1.1         $EXT_IF     $INT_IF     yes
206.124.146.177     $DMZ_IF     $EXT_IF     yes
192.168.1.7         $TEST_IF    $INT_IF     yes

/etc/shorewall/tunnels:

#TYPE               ZONE    GATEWAY         GATEWAY_ZONE
openvpnserver:udp   net     0.0.0.0/0       #Routed server for RoadWarrior access
openvpnserver:udp   wifi    192.168.3.0/24  #Home wireless network server

/etc/shorewall/actions:

#ACTION
Mirrors     # Accept traffic from Shorewall Mirrors

/etc/shorewall/action.Mirrors:

#TARGET     SOURCE      DEST    PROTO   DPORT   SPORT   ORIGDEST    RATE
ACCEPT      $MIRRORS

/etc/shorewall/rules:

SECTION NEW
################################################################################
#ACTION         SOURCE              DEST            PROTO   DPORT           SPORT   ORIGDEST        RATE    USER
################################################################################
REJECT:$LOG     loc                 net             tcp     25
REJECT:$LOG     loc                 net             udp     1025:1031
#
# Stop NETBIOS crap
#
REJECT          loc                 net             tcp     137,445
REJECT          loc                 net             udp     137:139
#
# Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
#
DROP            loc:!192.168.0.0/22 net
################################################################################
# Local Network to Firewall
#
REDIRECT-       loc                 3128            tcp     80              -       !192.168.1.1,192.168.0.7,206.124.146.177,155.98.64.80
################################################################################
# Road Warriors to Firewall
#
ACCEPT          vpn                 fw              tcp     ssh,time,631,8080
ACCEPT          vpn                 fw              udp     161,ntp,631
Ping(ACCEPT)    vpn                 fw
################################################################################
# Road Warriors to DMZ
#
ACCEPT          vpn                 dmz             udp     domain
ACCEPT          vpn                 dmz             tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
Ping(ACCEPT)    vpn                 dmz
################################################################################
# Local network to DMZ
#
ACCEPT          loc                 dmz             udp     domain
ACCEPT          loc                 dmz             tcp     ssh,smtps,www,ftp,imaps,domain,https -
ACCEPT          loc                 dmz             tcp     smtp
Trcrt(ACCEPT)   loc                 dmz
################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn      net                 fw              tcp
#dropNotSyn     net                 loc             tcp
dropNotSyn      net                 dmz             tcp
################################################################################
# Internet to DMZ
#
ACCEPT          net                 dmz             udp     domain
LOG:$LOG        net:64.126.128.0/18 dmz             tcp     smtp
ACCEPT          net                 dmz             tcp     smtps,www,ftp,imaps,domain,https -
ACCEPT          net                 dmz             tcp     smtp            -       206.124.146.177,206.124.146.178
ACCEPT          net                 dmz             udp     33434:33454
Mirrors         net                 dmz             tcp     rsync
Limit:$LOG:SSHA,3,60\
                net                 dmz             tcp     22
Trcrt(ACCEPT)   net                 dmz
################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP.
#
DNAT            net                 loc:192.168.1.4 tcp     1729
DNAT            net                 loc:192.168.1.4 gre
#
# Roadwarrior access to Ursa
#
ACCEPT          net:$OMAK           loc             tcp     22
Limit:$LOG:SSHA,3,60\
                net                 loc             tcp     22
#
# ICQ
#
ACCEPT          net                 loc:192.168.1.3 tcp     113,4000:4100
#
# Bittorrent
#
ACCEPT          net                 loc:192.168.1.3 tcp     6881:6889,6969
ACCEPT          net                 loc:192.168.1.3 udp     6881:6889,6969
#
# Real Audio
#
ACCEPT          net                 loc:192.168.1.3 udp     6970:7170
#
# Overnet
#
#ACCEPT         net                 loc:192.168.1.3 tcp     4662
#ACCEPT         net                 loc:192.168.1.3 udp     12112
#
# OpenVPN
#
ACCEPT          net                 loc:192.168.1.3 udp     1194
ACCEPT          net                 loc:192.168.1.6 udp     1194
# Skype
#
ACCEPT          net                 loc:192.168.1.6 tcp     1194
#
# Traceroute
#
Trcrt(ACCEPT)   net                 loc:192.168.1.3
#
# Silently Handle common probes
#
REJECT          net                 loc             tcp     www,ftp,https
DROP            net                 loc             icmp    8
################################################################################
# DMZ to Internet
#
ACCEPT          dmz                 net             udp     domain,ntp
ACCEPT          dmz                 net             tcp     echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT          dmz                 net:$POPSERVERS tcp     pop3
Ping(ACCEPT)    dmz                 net
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.
#
ACCEPT:$LOG     dmz                 net             tcp     1024:           20
################################################################################
# Local to DMZ
#
ACCEPT          loc                 dmz             udp     domain,xdmcp
ACCEPT          loc                 dmz             tcp     www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt(ACCEPT)   loc                 dmz
################################################################################
# DMZ to Local
#
ACCEPT          dmz                 loc:192.168.1.5 udp     123
ACCEPT          dmz                 loc:192.168.1.5 tcp     21
Ping(ACCEPT)    dmz                 loc
################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
# ACCEPT:$LOG dmz net tcp 1024: 20 ############################################################################################################################################################################### # Local to DMZ # ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 Trcrt(ACCEPT) loc dmz ############################################################################################################################################################################### # DMZ to Local # ACCEPT dmz loc:192.168.1.5 udp 123 ACCEPT dmz loc:192.168.1.5 tcp 21 Ping(ACCEPT) dmz loc ############################################################################################################################################################################### # DMZ to Firewall -- ntp & snmp, Silently reject Auth # ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 Trcrt(ACCEPT) loc dmz ############################################################################################################################################################################### # DMZ to Local # ACCEPT dmz loc:192.168.1.5 udp 123 ACCEPT dmz loc:192.168.1.5 tcp 21 Ping(ACCEPT) dmz loc ############################################################################################################################################################################### # DMZ to Firewall -- ntp & snmp, Silently reject Auth # ACCEPT dmz fw tcp 161,ssh ACCEPT dmz fw udp 161,ntp REJECT dmz fw tcp auth Ping(ACCEPT) dmz fw ############################################################################################################################################################################### # Internet to Firewall # REJECT net fw tcp www,ftp,https DROP net fw icmp 8 ACCEPT net fw udp 33434:33454 ACCEPT net:$OMAK fw udp ntp ACCEPT net fw tcp auth ACCEPT net:$OMAK fw tcp 22 
Limit:$LOG:SSHA,3,60\ net fw tcp 22 Trcrt(ACCEPT) net fw # # Bittorrent # ACCEPT net fw tcp 6881:6889,6969 ACCEPT net fw udp 6881:6889,6969 ############################################################################################################################################################################### # Firewall to DMZ # ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465 ACCEPT fw dmz udp domain REJECT fw dmz udp 137:139 Ping(ACCEPT) fw dmz ############################################################################################################################################################################## # Avoid logging Freenode.net probes # DROP net:82.96.96.3 all etc/shorewall/tcdevices #INTERFACE IN_BANDWITH OUT_BANDWIDTH $EXT_IF 1300kbit 384kbit /etc/shorewall/tcclasses#INTERFACE MARK RATE CEIL PRIORITY OPTIONS $EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay $EXT_IF 20 3*full/10 9*full/10 2 default $EXT_IF 30 2*full/10 6*full/10 3 /etc/shorewall/mangle#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority #over the server CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the #Shorewall Mirrors.
The tap0 device used by the bridged OpenVPN server is created and bridged to eth1 using a SUSE-specific SysV init script:
#!/bin/sh
#
#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.0
#
#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
#     (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
#
#     On most distributions, this file should be called /etc/init.d/shorewall.
#
#     Complete documentation is available at http://shorewall.net
#
#     This program is free software; you can redistribute it and/or modify
#     it under the terms of Version 2 of the GNU General Public License
#     as published by the Free Software Foundation.
#
#     This program is distributed in the hope that it will be useful,
#     but WITHOUT ANY WARRANTY; without even the implied warranty of
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#     GNU General Public License for more details.
#
#     You should have received a copy of the GNU General Public License
#     along with this program; if not, write to the Free Software
#     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#     If an error occurs while starting or restarting the firewall, the
#     firewall is automatically stopped.
#
#     Commands are:
#
#        bridge start                      Starts the bridge
#        bridge restart                    Restarts the bridge
#        bridge reload                     Restarts the bridge
#        bridge stop                       Stops the bridge
#        bridge status                     Displays bridge status
#
# chkconfig: 2345 4 99
# description: Packet filtering firewall
### BEGIN INIT INFO
# Provides:       bridge
# Required-Start: boot.udev
# Required-Stop:
# Default-Start:  2 3 5
# Default-Stop:   0 1 6
# Description:    starts and stops the bridge
### END INIT INFO
################################################################################
# Interfaces to be bridged -- may be listed by device name or by MAC
#
INTERFACES="eth1"
#
# Tap Devices
#
TAPS="tap0"
################################################################################
# Give Usage Information
################################################################################
usage() {
    echo "Usage: $0 start|stop|reload|restart|status"
    exit 1
}
#################################################################################
# Find the interface with the passed MAC address
#################################################################################
find_interface_by_mac() {
    local mac
    mac=$1
    local first
    local second
    local rest
    local dev

    # "ip link ls" prints "N: <dev>: <flags>" followed by an indented
    # "link/ether <mac> brd ..." line; remember the device, match the MAC.
    /sbin/ip link ls | while read first second rest; do
        case $first in
            *:)
                dev=$second
                ;;
            *)
                if [ "$second" = "$mac" ]; then
                    echo ${dev%:}
                    return
                fi
                ;;
        esac
    done
}
################################################################################
# Convert MAC addresses to interface names
################################################################################
get_interfaces() {
    local interfaces
    interfaces=
    local interface
    local mac

    for interface in $INTERFACES; do
        case $interface in
            *:*:*)
                # keep the MAC for the warning; $interface is overwritten by the lookup
                mac=$interface
                interface=$(find_interface_by_mac $mac)
                [ -n "$interface" ] || echo "WARNING: Can't find an interface with MAC address $mac"
                ;;
        esac

        interfaces="$interfaces $interface"
    done

    INTERFACES="$interfaces"
}
################################################################################
# Start the Bridge
################################################################################
do_start() {
    local interface

    get_interfaces

    for interface in $TAPS; do
        /usr/sbin/openvpn --mktun --dev $interface
    done

    /sbin/brctl addbr br0

    for interface in $INTERFACES $TAPS; do
        /sbin/ip link set $interface up
        /sbin/brctl addif br0 $interface
    done
}
################################################################################
# Stop the Bridge
################################################################################
do_stop() {
    local interface

    get_interfaces

    for interface in $INTERFACES $TAPS; do
        /sbin/brctl delif br0 $interface
        /sbin/ip link set $interface down
    done

    /sbin/ip link set br0 down
    /sbin/brctl delbr br0

    for interface in $TAPS; do
        /usr/sbin/openvpn --rmtun --dev $interface
    done
}
################################################################################
# E X E C U T I O N    B E G I N S   H E R E
################################################################################
command="$1"

case "$command" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    restart|reload)
        do_stop
        do_start
        ;;
    status)
        /sbin/brctl show
        ;;
    *)
        usage
        ;;
esac
Two-Interface Firewall
French version of Basic Two-Interface Firewall
Tom Eastep
Patrice Vetsel, initial French translation
Fabien Demassieux, French adaptation for version 2.0
Guy Marcenac, French adaptation for versions 3.0 and 4.0
2002-2007 Thomas M. Eastep, Patrice Vetsel, Fabien Demassieux, Guy Marcenac
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. The French original also gives this notice in French, for the reader's understanding only; the English text alone sets the terms of use for this documentation, and a French translation of the license itself is in the section GNU Free Documentation License.
Translator's notes: the original guide was translated by VETSEL Patrice, and the translation for Shorewall version 2 was done by Fabien Demassieux. I did the revision to adapt it to Shorewall version 3. If you find errors or improvements to make, you may contact me.
This article applies to Shorewall 4.0 and later. If you are running an older version of Shorewall, refer to the documentation for your version.
Do not attempt to install Shorewall on a remote system. You will almost certainly lock yourself out of that system.
Introduction
Setting up a Linux system as a firewall for a small network is a fairly simple task, provided you understand the basics and follow the documentation. This guide does not attempt to teach you all the ins and outs of Shorewall. It concentrates on what is needed to configure Shorewall in its most common use:
A Linux system used as a firewall/router for a small local network.
A single public IP address. If you have more than one public IP address, this is not the guide for you; see the Shorewall Setup Guide instead.
A connection through a cable modem, ADSL, ISDN, Frame Relay, dial-up modem, etc.
Here is a diagram of a typical installation:
Typical two-interface firewall configuration
If you edit your configuration files on a Windows system, you must save them as Unix files if your editor supports that option; otherwise you must convert them with dos2unix before trying to use them. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix on the copy before using it with Shorewall.
Windows Version of dos2unix
Linux Version of dos2unix
System Requirements
Shorewall requires that the iproute/iproute2 package be installed (on RedHat, the package is called iproute). You can check that the package is installed by verifying that the ip program is present on your firewall. As root, you can use the which command to do so:
[root@gateway root]# which ip
/sbin/ip
[root@gateway root]#
I recommend that you first read through the whole guide to familiarize yourself with the concepts involved, then go back through it and only then apply your configuration changes.
Conventions
Points where configuration changes are required are flagged with an icon. Configuration notes that are specific to LEAF/Bering are marked with an icon.
PPTP/ADSL
If you have an ADSL modem and use PPTP to communicate with a server through that modem, you must make the changes described here in addition to those described below. ADSL with PPTP is common in Europe, notably in Austria.
Shorewall Concepts
The configuration files for Shorewall are located in the directory /etc/shorewall; for simple setups, you will only need to deal with a few of them, as described in this guide.
Note to Debian and Ubuntu users: if you install from the .deb, you will find that your /etc/shorewall directory is empty. This is intentional. The skeleton configuration files are on your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory into /etc/shorewall, then modify the copies.
After installing Shorewall, you can locate the samples as follows:
If you installed using an RPM, the samples are in the Samples/two-interfaces/ subdirectory of the Shorewall documentation directory. If you don't know where the Shorewall documentation directory is, you can find the samples with this command:
~# rpm -ql shorewall-common | fgrep two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped
/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
~#
If you installed from the tarball, the samples are in the Samples/two-interfaces directory of the tarball.
If you installed using a Shorewall 3.x .deb, the samples are in /usr/share/doc/shorewall/examples/two-interface. You need to install the shorewall-doc package.
If you installed using a Shorewall 4.x .deb, the samples are in /usr/share/doc/shorewall-common/examples/two-interface. You do not need to install the shorewall-doc package to access the samples.
If you are installing Shorewall 3.4.0 or later, as each file is introduced I suggest that you look at the actual file on your system and read the manual page (man page) for that file. For example, type man shorewall-zones at a shell prompt to see the manual page for the /etc/shorewall/zones file.
If you are installing a version earlier than Shorewall 3.4.0, as each file is introduced I suggest that you look at the actual file on your system; each of these files contains detailed configuration instructions and default entries.
Shorewall views the network in which it runs as being composed of a set of zones. In the two-interface configuration, the following zone names are used:
#ZONE   TYPE       OPTIONS   IN          OUT
#                            OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc     ipv4
Shorewall zones are defined in the /etc/shorewall/zones file. Note that Shorewall recognizes the firewall system as its own zone. When /etc/shorewall/zones is processed, the name of the firewall zone is stored in the variable $FW, which can be used in all of the other Shorewall configuration files to refer to the firewall itself.
Rules about what traffic to allow and what traffic to deny are expressed in terms of zones. You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file. You define exceptions to those default policies in the /etc/shorewall/rules file.
For each connection request entering the firewall, the request is first checked against the contents of /etc/shorewall/rules. If no rule in that file matches the connection request, then the first policy in /etc/shorewall/policy that matches the request is applied. If there is a common action defined for that policy in /etc/shorewall/actions or in /usr/share/shorewall/actions.std, that common action is executed before the policy is applied. The purpose of the common action is twofold:
It silently drops (DROP) or rejects (REJECT) common harmless traffic that would otherwise clutter your log, broadcasts for example.
It ensures that traffic required for normal operation is allowed through the firewall, ICMP fragmentation-needed for example.
The /etc/shorewall/policy file included with the two-interface sample contains the following policies:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
In the two-interface sample, the following line is included but commented out. If you want your firewall to have full access to servers on the Internet, uncomment that line.
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
$FW       net    ACCEPT
These policies will:
Allow (ACCEPT) all connection requests from your local network to the Internet.
Drop (DROP) all connection requests from the Internet to your firewall or your local network.
Allow (ACCEPT) all connection requests from your firewall to the Internet (if you uncommented the additional policy).
Reject (REJECT) all other connection requests.
It is important to note that Shorewall policies (and rules) refer to connections and not to packet flows. With the policies defined in the /etc/shorewall/policy file shown above, connections are allowed from the loc zone to the net zone even though connections are not permitted from the loc zone to the firewall itself. At this point, edit your /etc/shorewall/policy file and make any changes you wish.
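The evaluation order just described (rules first, then the first matching policy, with "all" as a wildcard) is easy to get wrong when reading a policy file. The following POSIX sh script is an added example, not part of the Shorewall documentation or of Shorewall itself: it is a toy model of that lookup over small constructed rules and policy tables shaped like the two-interface sample, so you can predict the verdict for a given zone pair, protocol and port. It simplifies heavily (no common actions, no sections, exact port matches only); Shorewall's compiled chains do more.

```shell
#!/bin/sh
# Added example (not part of the Shorewall documentation): a toy model of how a
# new connection request is evaluated. The request is matched against the rules
# table first; if no rule matches, the first matching policy applies.
# Tables below are constructed to mirror the two-interface sample.

# Constructed policy table: SOURCE DEST POLICY, in file order
POLICIES='loc net ACCEPT
net all DROP
all all REJECT'

# Constructed rules table: ACTION SOURCE DEST PROTO DPORT ("-" means any)
RULES='ACCEPT loc fw tcp 22
DNAT net loc tcp 80
REJECT loc net tcp 25'

# zone_matches PATTERN ZONE: "all" matches every zone
zone_matches() {
    [ "$1" = all ] || [ "$1" = "$2" ]
}

# first_rule SRC DST PROTO PORT: print the action of the first matching rule (nothing if none)
first_rule() {
    printf '%s\n' "$RULES" | while read -r action src dst proto port; do
        [ -n "$action" ] || continue
        zone_matches "$src" "$1" || continue
        zone_matches "$dst" "$2" || continue
        [ "$proto" = - ] || [ "$proto" = "$3" ] || continue
        [ "$port" = - ] || [ "$port" = "$4" ] || continue
        printf '%s\n' "$action"
        break
    done
}

# first_policy SRC DST: print the first matching policy; file order decides, so
# "net all DROP" wins over "all all REJECT" for anything coming from net
first_policy() {
    printf '%s\n' "$POLICIES" | while read -r src dst policy; do
        [ -n "$src" ] || continue
        zone_matches "$src" "$1" || continue
        zone_matches "$dst" "$2" || continue
        printf '%s\n' "$policy"
        break
    done
}

# verdict SRC DST PROTO PORT: "rule:<ACTION>" if a rule matched, else "policy:<POLICY>"
verdict() {
    action=$(first_rule "$1" "$2" "$3" "$4")
    if [ -n "$action" ]; then
        printf 'rule:%s\n' "$action"
    else
        printf 'policy:%s\n' "$(first_policy "$1" "$2")"
    fi
}

# Sample use: a loc host opening ssh to the firewall hits the rule; an
# unlisted port to the firewall falls through to the all/all REJECT policy.
verdict loc fw tcp 22
verdict loc fw tcp 80
```

Note how `verdict loc fw tcp 80` ends in REJECT although `loc net` is ACCEPT: the policy file is matched in order and no line covers loc to fw before the all/all catch-all, which is exactly the point the text makes about loc-to-net and loc-to-firewall being separate decisions.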
Network Interfaces
The firewall has two network interfaces. Where the Internet connection is through a cable or ADSL modem, the External Interface will be the Ethernet adapter connected to that modem (e.g. eth0). However, if you connect via PPPoE (Point-to-Point Protocol over Ethernet) or PPTP (Point-to-Point Tunneling Protocol), the external interface will be a ppp interface (e.g. ppp0). If you connect via a regular dial-up modem, your external interface will also be ppp0. If you connect using ISDN, your external interface will be ippp0.
Be sure you know which of your interfaces is the external interface. Some users who configured the wrong interface have spent hours before understanding their mistake. If you are unsure, type the command ip route ls as root. The interface listed on the last line (default) should be your external interface. Example:
root@lists:~# ip route ls
192.168.1.1 dev eth0  scope link
192.168.2.2 dev tun0  proto kernel  scope link  src 192.168.2.1
192.168.3.0/24 dev br0  proto kernel  scope link  src 192.168.3.254
10.13.10.0/24 dev tun1  scope link
192.168.2.0/24 via 192.168.2.2 dev tun0
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.254
206.124.146.0/24 dev eth0  proto kernel  scope link  src 206.124.146.176
10.10.10.0/24 dev tun1  scope link
default via 206.124.146.254 dev eth0
root@lists:~#
In this example, the external interface is eth0.
If your external interface is ppp0 or ippp0, then you must set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.
Your Internal Interface (the interface to your local LAN) will be an Ethernet adapter (eth1 or eth0) and will be connected to a hub or switch. Your other computers will be connected to the same hub or switch (note: if you have only a single computer, you can connect the firewall to it directly using a crossover cable).
Do not connect the internal and external interfaces to the same hub or switch except for testing. You can test using this kind of configuration if you specify the arp_filter option or the arp_ignore option in /etc/shorewall/interfaces for all interfaces connected to the common hub/switch. Using such a setup with a production firewall is very strongly discouraged.
The sample configuration file for a two-interface firewall assumes that your external interface is eth0 and your internal interface is eth1. If your configuration is different, you will need to modify the /etc/shorewall/interfaces file accordingly. While you are there, you may want to look through the list of options that are specified for the interfaces. Some hints:
If your external interface is ppp0 or ippp0, you can replace the detect in the second column with a - (without the quotes).
If your external interface is ppp0 or ippp0, or if you have a static IP address, you can remove dhcp from the options list.
If your interface is a bridge created with the brctl utility, then you must add the routeback option to the options list.
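Reading the default route off `ip route ls` is the check the text recommends for identifying the external interface; the script below does that mechanically. It is an added example, not part of the Shorewall documentation or of Shorewall: `default_dev` takes routing-table lines on stdin and prints the device on the `default` line, and `clampmss_hint` applies the CLAMPMSS rule of thumb from the text to that name. The routing output embedded here is constructed from the example above.

```shell
#!/bin/sh
# Added example (not from the Shorewall documentation): identify the external
# interface from "ip route ls" output by taking the device of the default
# route, then print the shorewall.conf hint from the text for PPP-type links.
# ROUTES is constructed from the routing table shown in the text.

ROUTES='192.168.1.1 dev eth0  scope link
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.254
206.124.146.0/24 dev eth0  proto kernel  scope link  src 206.124.146.176
default via 206.124.146.254 dev eth0'

# default_dev: read routing-table lines on stdin; print the device named after
# "dev" on the "default" line. Returns 1 when there is no default route.
default_dev() {
    while read -r dest rest; do
        [ "$dest" = default ] || continue
        # walk the remaining tokens of the default route and take the one after "dev"
        set -- $rest
        while [ $# -gt 1 ]; do
            if [ "$1" = dev ]; then
                printf '%s\n' "$2"
                return 0
            fi
            shift
        done
    done
    return 1
}

# clampmss_hint IFACE: the text says PPP-type external interfaces need CLAMPMSS=yes
clampmss_hint() {
    case "$1" in
        ppp*|ippp*) echo "CLAMPMSS=yes" ;;
        *)          echo "leave CLAMPMSS unchanged" ;;
    esac
}

# external_interface: run the check over the constructed sample
external_interface() {
    printf '%s\n' "$ROUTES" | default_dev
}

# Sample use: on a live firewall you would pipe "ip route ls" into default_dev instead
ext=$(external_interface) && echo "external interface: $ext ($(clampmss_hint "$ext"))"
```

On a real system replace the constructed `ROUTES` with `/sbin/ip route ls | default_dev`; a host with no default route prints nothing and `default_dev` returns non-zero, which is itself worth knowing before you start the firewall.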
IP Addresses
Before going further, we should say a few words about IP addresses. Normally, your Internet Service Provider (ISP) will assign you a single IP address. That address may be assigned via DHCP (Dynamic Host Configuration Protocol), when you establish your connection (standard modem), or when you establish another type of PPP connection (PPPoA, PPPoE, etc.). In some cases your provider may assign you a static IP address; in that case you must configure your firewall's external interface to use that address permanently. However your external address is assigned, it will be shared by all of your systems when they access the Internet. You will have to assign your own addresses to the machines on your local network (your firewall's internal interface as well as the other computers). RFC 1918 reserves several ranges of IP addresses for use in private networks:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Before starting Shorewall, you should look at the IP address of your external interface and, if it is within one of the ranges above, you must remove the "norfc1918" option from the external interface's line in /etc/shorewall/interfaces. To determine the IP address of your external interface, as root type ip addr ls dev <interface> at a shell prompt, where <interface> is your external interface. The line beginning with inet gives your IP address.
Example:
root@lists:~# ip addr ls dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc htb qlen 1000
    link/ether 00:02:e3:08:48:4c brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet6 fe80::202:e3ff:fe08:484c/64 scope link
       valid_lft forever preferred_lft forever
root@lists:~#
In this example, the IP address of the external interface is 206.124.146.176.
You will want to assign your addresses from the same subnet. For our purposes, we can consider a subnet to be a range of addresses from x.y.z.0 to x.y.z.255. Such a subnet will have a subnet mask of 255.255.255.0. The address x.y.z.0 is reserved as the Subnet Address and x.y.z.255 is reserved as the broadcast address. In Shorewall, such a subnet is described using CIDR (Classless InterDomain Routing) notation, which consists of the subnet address followed by /24. The 24 indicates the number of consecutive leading 1 bits in the subnet mask. Example subnet:
Range: 10.10.10.0 - 10.10.10.255
Subnet Address: 10.10.10.0
Broadcast Address: 10.10.10.255
CIDR Notation: 10.10.10.0/24
It is conventional to assign the firewall's internal interface either the first usable address in the subnet (10.10.10.1 in the example above) or the last usable address (10.10.10.254). One of the purposes of subnetting is to allow all of the computers in the subnet to know which other computers they can communicate with directly. To communicate with systems outside of their own subnet, computers must send their packets through a gateway. Your local computers (computer 1 and computer 2 in the diagram) must be configured with their default gateway set to the IP address of the firewall's internal interface.
This brief presentation only scratches the surface of subnetting and routing. If you want to learn more about IP addressing and routing, I recommend IP Fundamentals: What Everyone Needs to Know about Addressing & Routing, Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0 (link).
In the remainder of this guide, we will assume that you have configured your network as shown below. The default gateway for Computer 1 and Computer 2 will be 10.10.10.254.
Your ISP may assign you an RFC 1918 address for your external interface. If that address is in the 10.10.10.0/24 subnet, then you will need a DIFFERENT RFC 1918 subnet for your local network.
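The subnet arithmetic above (network address, broadcast address, usable range, CIDR notation) and the "norfc1918" decision from the start of this section both reduce to a few mask operations. The POSIX sh below is an added example, not part of the Shorewall documentation or of Shorewall, that works them out with shell arithmetic: `subnet_info` reproduces the worked 10.10.10.0/24 example for any address and prefix length, and `is_rfc1918` tests an address against the three private ranges listed in the text so you can tell whether your external interface needs the option removed. It generalizes the text's /24-only description to any prefix length; the addresses used are the ones from the text.

```shell
#!/bin/sh
# Added example (not from the Shorewall documentation): subnet arithmetic and
# the RFC 1918 check from the text, in plain POSIX sh. Addresses are those used
# in the text; nothing here touches the system.

# ip2int A.B.C.D: dotted quad to a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N: 32-bit integer back to a dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix2mask N: prefix length to an integer mask (24 -> 0xffffff00)
prefix2mask() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (0xffffffff << (32 - $1)) & 0xffffffff )); fi
}

# subnet_info ADDR PREFIX: print "network broadcast first_usable last_usable cidr"
subnet_info() {
    addr=$(ip2int "$1")
    mask=$(prefix2mask "$2")
    net=$(( addr & mask ))
    bcast=$(( net | (~mask & 0xffffffff) ))
    echo "$(int2ip $net) $(int2ip $bcast) $(int2ip $((net + 1))) $(int2ip $((bcast - 1))) $(int2ip $net)/$2"
}

# in_block ADDR NETWORK PREFIX: true if ADDR lies inside NETWORK/PREFIX
in_block() {
    mask=$(prefix2mask "$3")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# is_rfc1918 ADDR: true if ADDR is in one of the three ranges the text lists
is_rfc1918() {
    in_block "$1" 10.0.0.0 8 || in_block "$1" 172.16.0.0 12 || in_block "$1" 192.168.0.0 16
}

# norfc1918_advice ADDR: what to do with the external interface's "norfc1918" option
norfc1918_advice() {
    if is_rfc1918 "$1"; then
        echo "remove norfc1918 (external address $1 is private)"
    else
        echo "keep norfc1918"
    fi
}

# Sample use: the text's local subnet and its external address
subnet_info 10.10.10.0 24
norfc1918_advice 206.124.146.176
```

`subnet_info 10.10.10.0 24` prints the network, broadcast, first and last usable address and CIDR form exactly as tabulated in the text; feeding it the external address from the `ip addr` example (206.124.146.176 with /24) shows that the firewall's external and internal subnets are distinct, which the last paragraph above says must be the case.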
IP Masquerading (SNAT)
The addresses reserved by RFC 1918 are sometimes referred to as non-routable because the Internet backbone routers do not forward packets whose destination address is an RFC 1918 address. When one of your local systems (say Computer 1 in the diagram above) sends a connection request to an Internet host, the firewall must perform Network Address Translation (NAT). The firewall rewrites the source address in the packet and replaces it with the address of the firewall's external interface; in other words, the firewall makes the destination host on the Internet believe that the firewall itself is initiating the connection. This is necessary so that the destination host is able to send return packets to the firewall (remember that packets whose destination address is an RFC 1918 address cannot be routed across the Internet, so the Internet host cannot address its response to Computer 1). When the firewall receives the response packet, it rewrites the destination address to 10.10.10.1 and forwards the packet on to Computer 1.
On Linux systems, this process is often called IP Masquerading, but you will also see the term Source Network Address Translation (SNAT). Shorewall follows the convention used with Netfilter:
Masquerade describes the case where you let your firewall detect the address of your external interface automatically.
SNAT describes the case where you explicitly specify the source address of packets leaving your local network.
In Shorewall, both Masquerading and SNAT are configured with entries in the /etc/shorewall/masq file. You will normally use Masquerading if your external IP address is dynamic, and SNAT if your external IP address is static.
If your firewall's external interface is eth0, you do not need to modify the file provided with the sample. Otherwise, edit /etc/shorewall/masq and change the first column to the name of your external interface and the second column to the name of your internal interface.
If your external IP address is static, you may enter it in the third column (SNAT) of /etc/shorewall/masq if you like, although your firewall will work fine if you leave that column empty. Entering your static IP address in the third column makes processing of outgoing packets a little more efficient.
If you are using a Debian package, check your shorewall.conf file to ensure that the following value is set correctly; if not, make the necessary change:
IP_FORWARDING=On
Port Forwarding (DNAT)

One of your goals may be to run one or more servers on your local computers. Because these computers have RFC 1918 addresses, it is not possible for clients on the Internet to connect directly to them. Instead, those clients must address their connection requests to the firewall, which rewrites the destination address to your server's address and then forwards the packet to it. When your server returns its response, the firewall automatically applies SNAT to rewrite the source address in the response. This process is called Port Forwarding or Destination Network Address Translation (DNAT). You configure port forwarding using DNAT rules in the file /etc/shorewall/rules. The general form of a simple port forwarding rule in /etc/shorewall/rules is:

#ACTION   SOURCE   DEST                                            PROTO        DEST PORT(S)
DNAT      net      loc:<server local ip address>[:<server port>]   <protocol>   <port>

Be sure to add your rules after the line containing SECTION NEW. The server must have a static IP address. If you use DHCP to assign addresses on your local systems, you must configure your DHCP server to always assign the same IP address to any host that is the target of a DNAT rule. Shorewall has macros for many applications. Look at the output of the command shorewall show macros for a list of the macros included in your version of Shorewall.

Macros simplify the creation of DNAT rules by supplying the protocol and port(s) of a standard service, as the following examples show:

Web Server: if you want to run a Web server on Computer 2 in the diagram above and forward TCP port 80 requests to that system:

#ACTION    SOURCE   DEST             PROTO   DEST PORT(S)
Web/DNAT   net      loc:10.10.10.2

FTP Server: if you run an FTP server on Computer 1 and want to redirect incoming TCP port 21 requests to that system:

#ACTION    SOURCE   DEST             PROTO   DEST PORT(S)
FTP/DNAT   net      loc:10.10.10.1

For FTP, you will also need FTP connection tracking and NAT support in your kernel. For distribution-supplied kernels, this means that the ip_conntrack_ftp and ip_nat_ftp modules (nf_conntrack_ftp and nf_nat_ftp in 2.6 kernels) must be available. Shorewall will load these modules automatically if they are available in their usual location, /lib/modules/<kernel version>/kernel/net/ipv4/netfilter. For more information, see the Shorewall FTP documentation.

Two important points to keep in mind:

You must test the above rules from a client outside your local network (i.e., do not test from a browser running on Computer 1 or Computer 2, nor on the firewall). If you want to be able to reach your web or FTP server from inside your firewall using the IP address of the external interface, see Shorewall FAQ #2.

Some Internet Service Providers (ISPs) block incoming connection requests on port 80. If you have trouble connecting to your web server, try the following rule and connect on port 5000 (i.e., connect to http://w.x.y.z:5000, where w.x.y.z is your external IP):

#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)
DNAT      net      loc:10.10.10.2:80   tcp     5000

Now edit /etc/shorewall/rules to add the DNAT rules you need. When you test DNAT rules such as those shown above, you must test from a client OUTSIDE YOUR FIREWALL (in the net zone). You cannot test these rules from the inside! For tips on troubleshooting DNAT, read FAQs 1a and 1b. If you need information on setting up DNAT rules for multiple external addresses, see the Shorewall Aliased Interface documentation and the Shorewall Setup Guide.
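A check of the rule-file points made above (DNAT rules under SECTION NEW, a target host inside the local network, no DNAT aimed at the firewall's own internal address, which belongs to the $FW zone rather than loc, and a protocol and port on every explicit rule), written here as an added example rather than code from the guide or from Shorewall; the 10.10.10.0/24 network and the firewall address 10.10.10.254 are taken from the guide's diagram, and the rules file is constructed for illustration.

```python
"""Lint the DNAT entries of a Shorewall-style /etc/shorewall/rules file.

Added example, not code from the guide or from Shorewall.  The local network
(10.10.10.0/24) and the firewall's internal address (10.10.10.254) come from
the guide's diagram; the rules file below is constructed for illustration.
"""
import ipaddress

LOC_NET = ipaddress.ip_network("10.10.10.0/24")
FW_INTERNAL = ipaddress.ip_address("10.10.10.254")

# Constructed sample rules file: one rule in the wrong section, three sound
# rules, and three rules with the mistakes the guide warns about.
SAMPLE_RULES = """\
#ACTION     SOURCE  DEST                PROTO  DEST PORT(S)
SECTION ESTABLISHED
SECTION RELATED
DNAT        net     loc:10.10.10.2:80   tcp    5000
SECTION NEW
Web/DNAT    net     loc:10.10.10.2
FTP/DNAT    net     loc:10.10.10.1
DNAT        net     loc:10.10.10.2:80   tcp    5000
DNAT        net     loc:10.10.10.254    tcp    22
DNAT        net     loc:192.168.1.10    tcp    25
DNAT        net     loc:10.10.10.3
"""


def parse_rules(text):
    """Yield (line_no, section, fields) for each rule line.

    section stays None until a SECTION line has been seen: a rules file
    with no SECTION lines at all is treated by Shorewall as entirely NEW.
    """
    section = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "SECTION":
            section = fields[1] if len(fields) > 1 else "?"
            continue
        yield line_no, section, fields


def check_dnat(text, loc_net=LOC_NET, fw_addr=FW_INTERNAL):
    """Return [(line_no, message), ...] for DNAT rules that break the guidance."""
    findings = []
    for line_no, section, fields in parse_rules(text):
        action = fields[0]
        is_macro = "/" in action                # e.g. Web/DNAT supplies proto/port
        if action.rsplit("/", 1)[-1] != "DNAT":
            continue
        if section is not None and section != "NEW":
            findings.append((line_no, "DNAT rule is not under SECTION NEW"))
        dest = fields[2] if len(fields) > 2 else ""
        zone, _, rest = dest.partition(":")
        host, _, _port = rest.partition(":")    # loc:<ip>[:<port>]
        if zone != "loc" or not host:
            findings.append((line_no, "DEST must be loc:<server ip>[:<port>]"))
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            findings.append((line_no, f"{host!r} is not an IP address"))
            continue
        if ip == fw_addr:
            # Addresses configured on the firewall belong to $FW, never to loc.
            findings.append((line_no, "target is the firewall; it is $FW, not loc"))
        elif ip not in loc_net:
            findings.append((line_no, f"{ip} is outside the local network {loc_net}"))
        if not is_macro and len(fields) < 5:
            findings.append((line_no, "explicit DNAT needs PROTO and DEST PORT(S)"))
    return findings


if __name__ == "__main__":
    for line_no, msg in check_dnat(SAMPLE_RULES):
        print(f"line {line_no}: {msg}")
```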
Domain Name Service (DNS)

Normally, when you connect to your Internet Service Provider (ISP), your firewall's Domain Name Service (DNS) resolver is configured automatically as part of obtaining your IP address (i.e., the /etc/resolv.conf file is updated). Sometimes your ISP instead gives you a pair of DNS server IP addresses so that you can configure your primary and secondary name servers manually. However DNS is configured on your firewall, it is your responsibility to configure the resolver on each of your internal systems. You can do this in one of two ways:

You can configure your internal systems to use your ISP's name servers. If your ISP gave you the addresses of its servers, or if those addresses are available on its website, you can use them to configure your internal systems. If that information is not available, look in /etc/resolv.conf on your firewall -- the name servers are given in the "nameserver" records in that file.

You can configure a caching name server on your firewall. Red Hat provides an RPM for a caching name server (that RPM also requires the bind RPM), and for Bering users there is the dnscache.lrp package. If you take this approach, you configure your internal systems to use the firewall itself as their only, primary name server, giving the firewall's internal IP address (10.10.10.254 in the example above) as the name server address. To allow your local systems to access your caching name server, you must open port 53 (both UDP and TCP) from the local network to the firewall; you do this by adding the following rules to /etc/shorewall/rules.
#ACTION      SOURCE   DEST   PROTO   DEST PORT(S)
DNS/ACCEPT   loc      $FW
Other Connections

The sample files included in the two-interface archive contain the following rules:

#ACTION      SOURCE   DEST   PROTO   DEST PORT(S)
DNS/ACCEPT   $FW      net

These rules allow DNS access from your firewall and may be removed if you uncommented the line in /etc/shorewall/policy that allows all connections from the firewall to the Internet. In the rule above, DNS/ACCEPT is an example of a macro invocation. Shorewall provides a number of predefined macros (see /usr/share/shorewall/macro.*). You can also add your own macros. You are not required to use macros; you can also add rules directly to /etc/shorewall/rules, and Shorewall starts slightly faster when you code your rules directly than when you use macros. The rule above could also have been written as:

#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    $FW      net    udp     53
ACCEPT    $FW      net    tcp     53

If Shorewall does not include a predefined macro that suits you, you can define a macro yourself or simply code the appropriate rules directly. The sample also includes the following rule:

#ACTION      SOURCE   DEST   PROTO   DEST PORT(S)
SSH/ACCEPT   loc      $FW

This rule allows an SSH server on your firewall to accept connections from your local network.
If you wish to allow other connections from your firewall to other systems, the general syntax using a macro is:

#ACTION          SOURCE   DEST                 PROTO   DEST PORT(S)
<macro>/ACCEPT   $FW      <destination zone>

The general syntax when not using a macro is:

#ACTION   SOURCE   DEST                 PROTO        DEST PORT(S)
ACCEPT    $FW      <destination zone>   <protocol>   <port>

Web Server on the Firewall: if you want to run a web server on your firewall and make it accessible from the local network and from the outside:

#ACTION      SOURCE   DEST   PROTO   DEST PORT(S)
Web/ACCEPT   net      $FW
Web/ACCEPT   loc      $FW

These two rules would of course be in addition to those listed above under "You can configure a caching name server on your firewall". If you don't know which port(s) and protocol(s) a particular application uses, you can look here. I do not recommend allowing telnet to/from the Internet, because it uses clear text (even for the login!). If you want shell access to your firewall, use SSH:

#ACTION      SOURCE   DEST   PROTO   DEST PORT(S)
SSH/ACCEPT   net      $FW

Bering users will want to add the following two rules to remain compatible with Jacques's Shorewall configuration:

#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    loc      $FW    udp     53             #Allow DNS Cache to work
ACCEPT    loc      $FW    tcp     80             #Allow Weblet to work

Now edit your /etc/shorewall/rules file to add, modify or delete other connections as required.
Logging

Shorewall does not produce a log file itself; it relies on your system's logging configuration. The following commands require a working logging setup, because they need to know which file netfilter writes its messages to:

shorewall show log (displays the last 20 messages logged by netfilter)
shorewall logwatch (monitors the log file at a configurable interval)
shorewall dump (produces a very detailed status report to include in your problem reports)

It is important that these commands work correctly. When you run into connection problems while Shorewall is running, the first thing you should do is look at the netfilter log, and with the help of Shorewall FAQ 17 you can usually resolve the problem quickly. Most of the time, Netfilter messages are logged to /var/log/messages. Some recent versions of SuSE/OpenSuSE are preconfigured to use syslog-ng and log netfilter messages to /var/log/firewall. If your distribution logs netfilter messages to a file other than /var/log/messages, change the LOGFILE setting in /etc/shorewall/shorewall.conf to name your log file. The LOGFILE setting does not control which file netfilter logs its messages to -- it simply tells /sbin/shorewall where to find the log file.
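Reading the netfilter log is the first troubleshooting step named above; the summariser below is an added example, not part of the guide or of Shorewall, and assumes the default LOGFORMAT "Shorewall:%s:%s:" (a "Shorewall:<chain>:<disposition>:" prefix before netfilter's KEY=VALUE fields) with chains named <source zone>2<destination zone>, e.g. net2fw. The log lines are constructed; a real run would read the file named by LOGFILE.

```python
"""Summarise Shorewall/netfilter log entries for connection troubleshooting.

Added example, not part of the guide or of Shorewall.  It assumes the default
LOGFORMAT "Shorewall:%s:%s:", so each message carries a
"Shorewall:<chain>:<disposition>:" prefix before netfilter's KEY=VALUE fields,
and that the chain is named <source zone>2<destination zone> (e.g. net2fw).
The log lines are constructed for illustration; in practice read the file
named by LOGFILE in shorewall.conf.
"""
import re
from collections import Counter

# Constructed sample of what `shorewall show log` would pull from LOGFILE.
SAMPLE_LOG = """\
Mar  4 10:15:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  4 10:15:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51235 DPT=23 SYN
Mar  4 10:15:09 fw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= SRC=10.10.10.2 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40000 DPT=80 SYN
Mar  4 10:15:10 fw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= SRC=10.10.10.2 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN
Mar  4 10:15:30 fw kernel: Shorewall:net2loc:DROP:IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.10.10.2 LEN=60 PROTO=UDP SPT=53 DPT=1234
Mar  4 10:16:00 fw sshd[812]: Accepted publickey for admin from 10.10.10.2 port 40100
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")


def parse_entry(line):
    """Return a dict for a Shorewall log line, or None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # KEY=VALUE tokens; bare flags such as SYN or DF carry no '=' and are skipped.
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    src_zone, sep, dst_zone = m.group("chain").partition("2")
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src_zone": src_zone if sep else None,
        "dst_zone": dst_zone if sep else None,
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),
    }


def summarise(text):
    """Count (chain, disposition, proto, dpt) tuples, most frequent first.

    This answers the first question: which zone pair and policy or rule
    refused the connection you were trying to make.
    """
    counts = Counter()
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            counts[(entry["chain"], entry["disposition"],
                    entry["proto"], entry["dpt"])] += 1
    return counts.most_common()


def refused_from_lan(text, loc_iface="eth1"):
    """Entries that arrived on the LAN interface and were not accepted.

    Traffic generated on the LAN is loc->fw traffic whatever address it was
    sent to, so loc2fw refusals of a port you opened only from net are the
    usual sign of a DNAT or net rule being tested from the inside.
    """
    return [e for e in map(parse_entry, text.splitlines())
            if e and e["in"] == loc_iface and e["disposition"] != "ACCEPT"]


if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOG):
        print(n, *key)
```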
Some Things to Keep in Mind

You cannot test your firewall from inside your network. Sending requests to your firewall's external IP address does not mean they will be associated with your external interface or with the net zone. Any traffic generated by the local network will be associated with the local interface and treated as traffic from the local network to the firewall (loc->fw).

IP addresses are properties of systems, not of interfaces. It is a mistake to believe that your firewall can forward packets simply because you can ping the IP address of every firewall interface from the local network. The only conclusion you can draw in that case is that the link between the local network and the firewall works and that you probably have the correct default gateway address on your system.

All IP addresses configured on the firewall are in the $FW (fw) zone. If 192.168.1.254 is the IP address of your internal interface, you may write $FW:192.168.1.254 in a rule, but you must not write loc:192.168.1.254. It is likewise nonsense to add 192.168.1.254 to the loc zone using an entry in /etc/shorewall/hosts.

Reply packets do NOT automatically follow the reverse of the path taken by the original request. All packets are routed according to the routing table of each host at each step of the path. This problem usually arises when a Shorewall firewall is installed in parallel with an existing gateway and an attempt is made to use DNAT rules in Shorewall without changing the default gateway on the systems that receive the forwarded requests. The requests pass through the Shorewall firewall, where the destination IP address is rewritten, but the reply goes back through the old gateway, which will not modify the packet.
Shorewall itself has no notion of inside and outside. Those concepts depend on how Shorewall is configured.
Starting and Stopping Your Firewall

The installation procedure configures your system to start Shorewall at boot, but startup is disabled so that your system does not attempt to start Shorewall before the configuration is complete. Once you have finished configuring the firewall, you must edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes. Users of .deb packages must edit /etc/default/shorewall and set startup=1. The firewall is started with the shorewall start command and stopped with shorewall stop. While the firewall is stopped, routing is enabled for the hosts that have an entry in /etc/shorewall/routestopped. A running firewall may be restarted with shorewall restart. If you want to remove every trace of Shorewall from your Netfilter configuration, use shorewall clear.

The two-interface sample files assume that you want to allow routing to and from eth1 (the local network) while Shorewall is stopped. If your local network is not connected to eth1, or if you want to allow access to or from other hosts, change /etc/shorewall/routestopped accordingly. If you are connected to your firewall from the Internet, do not issue a shorewall stop command until you have added an entry in /etc/shorewall/routestopped for the IP address from which you are connected. Likewise, I do not recommend using shorewall restart; it is better to create an alternate configuration and test it with the shorewall try command.
If It Doesn't Work

Go back and check each of the points marked with a red arrow. Check your logs. Check the Troubleshooting Guide. Check the FAQ.
Additional Recommended Reading

I highly recommend that you read the Configuration File Basics page -- it contains tips on Shorewall features that can make administering your Shorewall firewall easier.
Adding a Wireless Segment to Your Two-interface Firewall

Now that you have a working two-interface setup, the logical next step is to add a wireless network. The first thing to do is add a card to your firewall, either a wireless card or an Ethernet card connected to a wireless access point. When you add a network card to a machine, it may not be detected as the next interface in sequence. For example, if you have two cards in your system (eth0 and eth1) and you add a third that uses the same driver as one of the other two, the third card will not necessarily be detected as eth2. It may well be detected as eth0 or eth1! You can either live with that or swap the cards between slots until the new card comes up as eth2. Update: distributions are improving in this respect. SuSE now associates a unique interface name with each MAC address, and other distributions have additional packages for managing the mapping between MAC address and device name.

Your new network will look like the figure below. The first thing to notice is that the computers on your wireless network will be on a different subnet from your wired LAN. In the example, we have chosen to give it the network 10.10.11.0/24. Computer 3 and Computer 4 will be configured with a default gateway IP address of 10.10.11.254. Next, we have chosen to include the wireless network in the loc zone. Since Shorewall allows intra-zone traffic by default, traffic will flow freely between the wired local network and the wireless network. Only two changes need to be made to the Shorewall configuration: an entry must be added to /etc/shorewall/interfaces for the wireless network interface.
If the wireless interface is wlan0, the corresponding entry should look like this:

#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     wlan0       detect      maclist

As shown in the entry above, I recommend using the maclist option for the wireless segment. By adding entries for Computer 3 and Computer 4 to /etc/shorewall/maclist, you help ensure that your neighbours will not use your Internet connection. Start without that option; once everything works, add the option and configure your /etc/shorewall/maclist file. You must also add an entry to /etc/shorewall/masq to allow traffic from your wireless network to the Internet. If your Internet interface is eth0 and your wireless interface is wlan0, the entry will be:

#INTERFACE   SUBNET   ADDRESS
eth0         wlan0

One more thing. For Microsoft networking to work between the wired and wireless networks, you need a WINS server or a PDC. Personally, I use Samba configured as a WINS server on my firewall. Using a WINS server on the firewall requires configuring the rules listed in the Shorewall/Samba document.
KVM (Kernel-mode Virtual Machine) Tom Eastep 2008 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction Kernel-mode Virtual Machines (http://kvm.qumranet.com/) is a virtualization platform that leverages the virtualization capabilities available with current microprocessors from both Intel and AMD. For an overview of KVM, please see my 2008 Linuxfest Northwest presentation. I use KVM to implement a number of virtual machines running various Linux Distributions. The following diagram shows the entire network. My personal laptop (Ursa) hosts the virtual machines. As shown in the diagram, Ursa has routes to the Internet through both the Linksys WRT300N and through my Shorewall firewall. This allows me to test the Shorewall Multi-ISP feature. The Linux Bridges shown in the diagram are, of course, actually within their associated system (Firewall or Ursa) but I've pictured them separately.
Networking Configuration I use a network configuration where each VM has its own VNET and tap device, and the tap devices are all configured as ports on a Linux Bridge. For clarity, I've only shown four of the virtual machines available on the system. I run dnsmasq to act as a DHCP server and name server for the VMs. The bridge is configured using the script described in my Linuxfest presentation linked above. The script may be found at http://www.shorewall.net/pub/shorewall/contrib/kvm/kvm. With this configuration, and with only a single network interface on the laptop, this is just a simple two-interface masquerading setup where the local network interface is br0. As with all bridges, br0 must be configured with the option in shorewall-interfaces(5). For additional information about this setup, including the Shorewall configuration, see http://www.shorewall.net/MultiISP.html#Shared
Installing and Upgrading Shorewall (French version of Shorewall Installation and Upgrade) Tom Eastep; Guy Marcenac, French adaptation. 2001-2007 Thomas M. Eastep, Guy Marcenac. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. (The French edition precedes this notice with a French rendering of it as an aid to understanding; only the original English text sets the terms of use of this documentation.) Translator's notes: if you find errors or have improvements to suggest for this translation, you can contact me. This article applies to Shorewall 3.0 and later. If you are installing or upgrading to a version earlier than Shorewall 3.0.0, please refer to the documentation for that version. Before you start installing, I strongly encourage you to read and print a copy of the Shorewall QuickStart guide that describes the configuration closest to yours. Before any upgrade, be sure to review the upgrade issues. Shorewall RPMs are signed.
To avoid warnings such as the following:

warning: shorewall-3.2.1-1.noarch.rpm: V3 DSA signature: NOKEY, key ID 6c562ac4

download the Shorewall GPG key and then run this command:

rpm --import shorewall.gpg.key
Installing with an RPM

To install Shorewall with an RPM:

1. Make sure you have the right RPM package! The standard RPM from shorewall.net and its mirrors is known to work with SUSE, Power PPC, Trustix and TurboLinux. There is a package built by Simon Matter for RedHat/Fedora and another by Jack Coates for Mandriva. They are all available on the download page. If you try to install the wrong package, it probably won't work. If you are installing Shorewall 4.0.0 or later, you will need to install at least two packages: Shorewall-shell (the classic shell-based configuration compiler) and/or Shorewall-perl (the newer, faster compiler written in Perl), plus Shorewall-common. If this is the first time you are installing Shorewall, we strongly recommend installing Shorewall-perl.

2. Install the RPMs:

rpm -ivh <compiler rpm> ... <shorewall-common rpm>

Some users are in the habit of using rpm -U both to install and to upgrade their packages. If you use that command to install the Shorewall RPM, you will have to enable Shorewall startup at boot manually, using chkconfig, insserv or whatever utility you use to manage the init symlinks. Some SUSE users have encountered a problem where rpm reports a conflict with kernel version <= 2.2 even though a 2.4 kernel is installed. If this happens, just use rpm's --nodeps option:

rpm -ivh --nodeps <rpms>

Shorewall depends on the iproute package. Unfortunately, some distributions name that package iproute2, which makes the Shorewall installation fail with the following diagnostic:

error: failed dependencies:iproute is needed by shorewall-3.2.x-1

This problem should not occur if you use the right RPM package (see 1. above), but it can be worked around with rpm's --nodeps option:

rpm -ivh --nodeps <rpms>

Example:

rpm -ivh shorewall-perl-4.0.0-1.noarch.rpm shorewall-common-4.0.0-1.noarch.rpm

Simon Matter names his 'common' rpm 'shorewall' rather than 'shorewall-common'. So if you install his RPMs, the command to use is:

rpm -ivh shorewall-perl-4.0.0-1.noarch.rpm shorewall-4.0.0-1.noarch.rpm

3. Edit the configuration files to match your setup. YOU CANNOT SIMPLY INSTALL THE RPM AND ISSUE A shorewall start COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE YOUR FIREWALL WILL START. IF YOU ISSUE A start COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A shorewall clear COMMAND TO RESTORE NETWORK CONNECTIVITY.

4. Enable Shorewall startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED to Yes.

5. Start the firewall with shorewall start
Installing from the tarball

If you are installing Shorewall 4.0.0 or later, you will need to install at least two packages: Shorewall-shell (the classic shell-based configuration compiler) and/or Shorewall-perl (the newer, faster compiler written in Perl), plus Shorewall-common. If this is the first time you are installing Shorewall, we strongly recommend installing Shorewall-perl. To install Shorewall-perl and Shorewall-common from the tarball with the install script:

1. Unpack the tarballs:

tar -jxf shorewall-common-4.0.0.tar.bz2
tar -jxf shorewall-perl-4.0.0.tar.bz2

2. Change to the shorewall-perl directory (the version is encoded in the directory name, e.g. shorewall-perl-4.0.0).

3. Type: ./install.sh

4. Change to the shorewall-common directory (the version is encoded in the directory name, e.g. shorewall-common-4.0.0).

5. Type: ./install.sh

6. Edit the configuration files to match your setup.

7. Enable Shorewall startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes.

8. Start the firewall with shorewall start

If the install script was unable to configure Shorewall to start automatically at boot, see these instructions.
Installing with the .deb

After installing the .deb packages, and before you start configuring Shorewall, you should read this advice from Lorenzo Martignoni, the Debian Shorewall maintainer: for more information about using Shorewall on a Debian system, you should see the file /usr/share/doc/shorewall/README.Debian distributed with the Debian Shorewall package. The easiest way to install Shorewall on Debian is with apt-get:

apt-get install shorewall

To be certain of installing the latest version of Shorewall, you should modify your /etc/apt/preferences file:

Package: shorewall
Pin: release o=Debian,a=testing
Pin-Priority: 700

Package: shorewall-doc
Pin: release o=Debian,a=testing
Pin-Priority: 700

Then run:

# apt-get update
# apt-get install shorewall

Once you have finished configuring Shorewall, you can enable it to start at boot by setting startup=1 in /etc/default/shorewall.
General Observations on Shorewall Upgrades

Most upgrade problems are caused by one of the following: the user did not read and follow the migration considerations presented in the release notes (those notes are also reproduced in the Shorewall Upgrade Issues document); or the user mishandled /etc/shorewall/shorewall.conf during the upgrade. Shorewall is designed to let its default behaviour evolve over time. For that to be possible, the design assumes that you will not replace your shorewall.conf file during upgrades. It is therefore recommended that you modify /etc/shorewall/shorewall.conf after the first installation of Shorewall, so as to keep your package manager from overwriting it during later upgrades (even with the addition of STARTUP_ENABLED, such a modification is guaranteed, since you have to change that setting by hand). If you really feel compelled to have the latest comments and options in your shorewall.conf, you must proceed very carefully: you must determine which new options have been introduced and reset the value of each of those new options (e.g. OPTION=""); otherwise you will get behaviour different from what you expect.
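One way to carry out the careful procedure just described, as an added example that is not part of the guide or of Shorewall: compare the shorewall.conf you kept against the one the new version ships, list the options it introduces, and emit them with empty values so the legacy behaviour is retained. The two configuration files are constructed samples (the option names are real shorewall.conf settings, their values chosen for illustration); a real run would read /etc/shorewall/shorewall.conf and the copy your package manager leaves beside it, e.g. shorewall.conf.rpmnew.

```python
"""Compare the shorewall.conf you kept with the one a new version ships.

Added example, not part of the guide or of Shorewall.  It follows the advice
above: keep your own shorewall.conf, find out which options the new version
introduces, and reset each of them to an empty value (OPTION="") so that the
legacy behaviour is retained rather than the new default.  Both files are
constructed samples with illustrative values.
"""
import re

# An active assignment: NAME=value, optionally indented; comments never match.
OPTION_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)=(.*?)\s*$")

KEPT_CONF = """\
STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
IP_FORWARDING=On
#BLACKLISTNEWONLY=No
"""

NEW_CONF = """\
STARTUP_ENABLED=No
LOGFILE=/var/log/messages
IP_FORWARDING=Keep
BLACKLISTNEWONLY=Yes
FASTACCEPT=No
OPTIMIZE=0
"""


def parse_conf(text):
    """Return {OPTION: value} for every active (uncommented) assignment."""
    options = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def new_options(kept_text, new_text):
    """Options the new file has that the kept one lacks, with the shipped value.

    A commented-out option in the kept file counts as absent: it would take
    whatever default the new version assigns.
    """
    kept, new = parse_conf(kept_text), parse_conf(new_text)
    return {k: v for k, v in new.items() if k not in kept}


def changed_defaults(kept_text, new_text):
    """Options in both files whose shipped value now differs from yours.

    Worth a look alongside the release notes, not something to copy blindly.
    """
    kept, new = parse_conf(kept_text), parse_conf(new_text)
    return {k: (kept[k], new[k]) for k in kept if k in new and kept[k] != new[k]}


def reset_block(kept_text, new_text):
    """Lines to append to the kept shorewall.conf: each new option emptied,
    with its shipped default recorded on the preceding comment line."""
    lines = ["# Options introduced by the new version, reset per the upgrade notes"]
    for name, default in sorted(new_options(kept_text, new_text).items()):
        lines.append(f"# {name}: shipped default was {default or '(empty)'}")
        lines.append(f'{name}=""')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(reset_block(KEPT_CONF, NEW_CONF))
```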
Upgrading with an RPM

If the Shorewall RPM is already installed and you are upgrading to a new version:

1. Make sure you have the right RPM package! The standard RPM from shorewall.net and its mirrors is known to work with SUSE, Power PPC, Trustix and TurboLinux. There is a package built by Simon Matter for RedHat/Fedora and another by Jack Coates for Mandriva. If you try to install the wrong package, it probably won't work. Simon Matter names his 'common' rpm 'shorewall' rather than 'shorewall-common'. If you are upgrading from a 2.x or 3.x version to 4.x, you will find specific instructions in the upgrade issues.

2. Perform the upgrade:

rpm -Uvh <compiler rpm file> ... <shorewall-common rpm file>

Some SUSE users have encountered a problem where rpm reports a conflict with kernel version <= 2.2 even though a 2.4 kernel is installed. If this happens to you, just use rpm's --nodeps option:

rpm -Uvh --nodeps <shorewall-common rpm> <compiler rpm> ...

Shorewall depends on the iproute package. Unfortunately, some distributions name that package iproute2, which makes the upgrade fail with the following diagnostic:

error: failed dependencies:iproute is needed by shorewall-3.2.1-1

This can be worked around with rpm's --nodeps option:

rpm -Uvh --nodeps <shorewall rpm> <compiler-rpm> ...

3. Check for incompatibilities between your configuration and the new version of Shorewall, and correct them where necessary:

shorewall check

4. Restart the firewall:

shorewall restart
Upgrading with the tarball

If you are upgrading from a 2.x or 3.x version to 4.x, you will find specific instructions in the upgrade issues. If Shorewall is already installed and you are upgrading to a new version with the tarball:

1. Unpack the tarballs:

tar -jxf shorewall-common-4.0.0.tar.bz2
tar -jxf shorewall-perl-4.0.0.tar.bz2
tar -jxf shorewall-shell-4.0.0.tar.bz2 (if you use this compiler)

2. Change to the shorewall-perl directory (the version is encoded in the directory name, e.g. shorewall-perl-4.0.0).

3. Type: ./install.sh

4. Repeat the two steps above for the shorewall-shell directory if you use that compiler.

5. Change to the shorewall-common directory (the version is encoded in the directory name, e.g. shorewall-common-4.0.0).

6. Type: ./install.sh

7. Check for incompatibilities between your configuration and the new version of Shorewall, and correct them where necessary:

shorewall check

8. Start the firewall with shorewall start

If the install script was unable to configure Shorewall to start automatically at boot, see these instructions.
Upgrading with the .deb

When the installer asks whether you want to replace the configuration file /etc/shorewall/shorewall.conf with the new version, we strongly recommend that you decline. See above.
Upgrading with the .lrp

This is a contribution from Charles Steinkuehler, posted on the Leaf mailing list:
It's *VERY* simple... put in a new CD and reboot the system :-) Actually, I'm only half joking... that is exactly how I upgrade my production firewalls. The partial-backup feature I added to Dachstein lets you store the configuration data separately from the rest of the package. Once the configuration data is separated from the rest of the package, it becomes easy to upgrade the package while keeping your current configuration (in my case, I just insert a new CD and reboot). The general idea is to use a partial backup to save your configuration, replace the package, then restore your old configuration files. The step-by-step instructions below give one way to do this (they assume a conventional single-floppy LEAF system):

1. Make a backup copy of your firewall floppy ('NEW'). This is the floppy to which you will add the updated package(s).
2. Format a floppy to use as a temporary location for your configuration files ('XFER'). This floppy should have the same format as your firewall floppy (another backup copy of your firewall floppy would do nicely).
3. Make sure you have a working copy of your existing firewall ('OLD') in a safe place, and that you WILL NOT USE it DURING this process. That way, if anything goes wrong, you can simply reboot from the OLD floppy to get back to a working configuration.
4. Remove the current firewall floppy and replace it with the XFER floppy.
5. Use the lrcfg backup menu to make a partial backup of the package(s) you want to upgrade, making sure to save the files to the XFER floppy. In the backup menu:
t e <enter> p <enter> b <package1> <enter> b <package2> <enter> ...
6. Download and copy the package(s) you want to upgrade onto the NEW floppy.
7. Reboot your firewall using the NEW floppy... at this point in the process, the packages you are upgrading are running with their default configuration.
8. Mount the XFER floppy (mount -t msdos /dev/fd0u1680 /mnt)
9. Go to the root directory (cd /)
10. Manually extract the configuration data from each package you upgraded:
tar -xzvf /mnt/package1.lrp
tar -xzvf /mnt/package2.lrp
...
11. Unmount (umount /mnt) and remove the XFER floppy.
12. Using lrcfg, make a FULL backup of your upgraded packages.
13. Reboot and verify that the firewall works as expected. It may be necessary to adjust some configuration files so that they work properly with the new binaries.

The new <package>.local package file can be used to fine-tune exactly which files of the partial backup are included or excluded (see the Dachstein-CD README for details). If this file does not exist, the backup script assumes that all files in <package>.list that reside in /etc or in /var/lib/lrpkg are part of the configuration and uses them to create the partial backup. If Shorewall installs anything in /etc that is not a user-modified configuration file, an appropriate shorewall.local file should be created before making the partial backup [Editor's note: Shorewall places only user-modifiable files in /etc/]. It is of course possible to do all of this 'in place', without using several floppies, and even without making a partial backup (i.e. copy the current configuration files to /tmp, manually extract the new package on the running firewall, copy and merge the configuration data from /tmp and the backup... or whatever), but anyone capable of that kind of command-line gymnastics is probably already doing it without needing detailed instructions! :-)
For information on other LEAF/Bering upgrade tools, see this article by Alex Rhomberg.
Configuring Shorewall You will need to edit some or all of the configuration files to obtain the configuration you want. In most cases, the Shorewall QuickStart guides contain all the information you will need.
Uninstalling / Reverting to the previous version See Fallback and Uninstall.
Shorewall FAQ French version of the Shorewall FAQs Shorewall Community Tom Eastep Guy Marcenac (French adaptation) 2001-2006 Thomas M. Eastep Guy Marcenac Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. A French translation of the license is found in the section Licence de Documentation Libre GNU; only the original English text of the license fixes the terms of use of this documentation. Translator's notes: If you find errors or have improvements to make to this translation, you can contact me. This article applies to Shorewall 3.0 and later. If you are using an older version of Shorewall, refer to the documentation for your version.
Installing Shorewall
Where can I find step-by-step installation and configuration instructions? Answer: See the QuickStart guides.
(FAQ 37) I just installed Shorewall on Debian and the /etc/shorewall directory is empty!!! Answer: After installing the .deb package, and before starting to configure Shorewall, you should read this advice from Lorenzo Martignoni, the Debian maintainer of Shorewall: For more information on using Shorewall on a Debian system you should look at the file /usr/share/doc/shorewall/README.Debian distributed with the Debian Shorewall package. If you use the .deb to install, you will notice that your /etc/shorewall directory is empty. This is intentional. The skeleton configuration files are on your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory into /etc/shorewall, then modify the copies. Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf and /usr/share/doc/shorewall/default-config/modules into /etc/shorewall even if you do not modify those files.
(FAQ 44) I can't install or upgrade the RPM - I get the error message "error: failed dependencies:iproute is needed..." Answer: Read the Installation Instructions!
(FAQ 50) When I install or upgrade, I get multiple instances of the message "warning: user teastep does not exist - using root" Answer: You can safely ignore this message. It was due to a minor packaging error that has since been corrected. It does not affect the use of Shorewall in any way.
Port Forwarding (Port Redirection)
(FAQ 1) I want to forward UDP port 7777 to my personal PC at address 192.168.1.5. I've looked everywhere and can't find out how to do it. Answer: The first example in the rules file documentation shows you how to do port forwarding with Shorewall. The format of a port forwarding rule to a local system is as follows:
#ACTION SOURCE DEST PROTO DEST PORT
DNAT net loc:<local IP address>[:<local port>] <protocol> <port #>
So to forward UDP port 7777 to the internal system 192.168.1.5, the rule is:
#ACTION SOURCE DEST PROTO DEST PORT
DNAT net loc:192.168.1.5 udp 7777
If you want to forward to an internal system the requests sent to a given address (<external IP>) on your firewall:
#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> - <external IP>
Finally, if you need to forward a range of ports, specify the range as <first port>:<last port> in the DEST PORT column.
(FAQ 1a) Okay -- I followed all these instructions, but it still doesn't work. Answer: This usually happens when:
You are trying to test from inside your firewall (no, that won't work -- see FAQ 2).
You have a more basic configuration problem on your local system (the one you are trying to forward packets to), such as a wrong default gateway (it should be set to the IP address of your firewall's internal interface).
Your ISP blocks incoming traffic on that particular port.
You are using a version of Mandriva earlier than 10.0 final and have configured Internet connection sharing. If so, the name of your local zone is not 'loc' but 'masq' (in your rules, change all instances of 'loc' to 'masq'). You may want to consider reinstalling Shorewall with a configuration that conforms to the Shorewall documentation. See the two-interface firewall guide for details.
(FAQ 1b) I still have problems with port forwarding. Answer: To diagnose the problem further:
As root, type iptables -t nat -Z . This resets the Netfilter counters of the nat table to zero.
Try to connect to the forwarded port from an external host.
As root, type shorewall[-lite] show nat
Find the appropriate DNAT rule. It will be in a chain named <source zone>_dnat (net_dnat in the examples above).
Is the packet count in the first column greater than zero? If so, the connection request is reaching the firewall and is being forwarded to the server. In that case the problem is usually a missing or wrong default gateway on the local system (the one you are trying to forward packets to -- its default gateway should be the IP address of the firewall interface connected to that local system).
If the packet count is zero:
The connection request is not reaching your server (your ISP may be blocking that port).
You are trying to connect to a secondary IP address on your firewall and your rule only forwards the primary IP address (in your DNAT rule you must specify the secondary IP address in the ORIG. DEST. column).
For some other reason, your DNAT rule does not match the connection request. In this case, to diagnose further you may need to use a packet sniffer such as tcpdump or ethereal.
If the packet count is non-zero, check your log to see whether the connection is being dropped or rejected. If so, you may have a zone definition problem that places the server in a different zone from the one specified in the DEST column. At the root prompt, type "shorewall[-lite] show zones" and make sure that in the DEST column you have specified the first zone in the list that matches OUT=<dev> and DST=<ip> in the REJECT/DROP message in your log file.
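The counter check above is easy to get wrong by eye, so here is an added example (not Shorewall code) that reads the output of shorewall[-lite] show nat for a <zone>_dnat chain and applies the FAQ 1b decision. The sample chain output below is constructed for the example; the column layout it assumes is that of iptables -t nat -L -n -v, which is what shorewall show nat prints.

```python
"""Read per-rule packet counters of a Shorewall DNAT chain (FAQ 1b).

Added example, not part of Shorewall. Parses 'shorewall show nat' output
(iptables -t nat -L -n -v format, assumed) and reports whether the DNAT
rule for a given protocol/port has matched since 'iptables -t nat -Z'.
"""
from typing import Dict, List

# Constructed sample: one attempt reached the tcp 1022 rule, nothing has
# hit the udp 7777 rule, and loc_dnat carries a rule with an ORIGINAL DEST.
SAMPLE_SHOW_NAT = """\
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:7777 to:192.168.1.5
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1022 to:192.168.1.3:22

Chain loc_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            206.124.146.176      tcp dpt:80 to:192.168.2.4
"""


def parse_chain(output: str, chain: str) -> List[Dict[str, object]]:
    """Return the DNAT rules of `chain` with their packet counters."""
    rules: List[Dict[str, object]] = []
    in_chain = False
    for line in output.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        f = line.split()
        # columns: pkts bytes target prot opt in out source destination [match ...]
        if len(f) < 9 or f[2] != "DNAT":
            continue
        extra = f[9:]
        rules.append({
            "pkts": int(f[0]),
            "proto": f[3],
            "dest": f[8],  # the ORIGINAL DEST, or 0.0.0.0/0 if none was given
            "dpt": next((x[4:] for x in extra if x.startswith("dpt:")), ""),
            "to": next((x[3:] for x in extra if x.startswith("to:")), ""),
        })
    return rules


def diagnose(output: str, chain: str, proto: str, dpt: str) -> str:
    """Apply the FAQ 1b decision to the rule matching proto/dpt."""
    for r in parse_chain(output, chain):
        if r["proto"] == proto and r["dpt"] == dpt:
            if int(r["pkts"]) > 0:
                return ("matched: the request reached the firewall and was "
                        f"forwarded to {r['to']}; check the server's default gateway "
                        "and look for DROP/REJECT entries in the log")
            return ("no match: the request did not reach this rule (ISP block, "
                    "secondary address without ORIGINAL DEST, or non-matching rule)")
    return f"no DNAT rule for {proto} dpt {dpt} in chain {chain}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_SHOW_NAT, "net_dnat", "tcp", "1022"))
    print(diagnose(SAMPLE_SHOW_NAT, "net_dnat", "udp", "7777"))
```

On a real firewall, feed it the captured output of shorewall[-lite] show nat taken right after the connection attempt; the counters only mean something if they were zeroed with iptables -t nat -Z before the test.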
(FAQ 1c) I'd like connections from the Internet to port 1022 on my firewall to be forwarded to port 22 on my local system 192.168.1.3. How do I do that? Answer: In /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST PORT
DNAT net loc:192.168.1.3:22 tcp 1022
(FAQ 1d) I have a web server in my DMZ and I use port forwarding to make it accessible from the Internet. It works fine except when my local users try to connect to the server using the firewall's external IP address. Answer: Suppose that: The external IP address is 206.124.146.176 on eth0. The server's IP address is 192.168.2.4. You can enable access to the server from your local network using the firewall's external IP address by adding this rule:
#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT DEST
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176
If your external IP address is dynamic, you must do the following. In /etc/shorewall/params:
ETH0_IP=`find_interface_address eth0`
For users of 2.1.0 and later:
ETH0_IP=`find_first_interface_address eth0`
And your DNAT rule becomes:
#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP
(FAQ 1e) To discourage brute-force attacks, I'd like to redirect all Internet connections arriving on a non-standard port (4104) to port 22 on the firewall/router. I noticed that when I set up a REDIRECT rule on the firewall, it opens both port 4104 and port 22 to the Internet. Is it possible to redirect only port 4104 to port 22 on localhost and have all connection attempts from the Internet to port 22 ignored? Answer: Courtesy of Ryan: assuming the address of your firewall's local interface is 192.168.1.1, if you configure SSHD to listen only on that interface and add the following rule, port 4104 will be listening on the Internet and port 22 will be listening on your LAN.
#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net fw:192.168.1.1:22 tcp 4104
(FAQ 30) When should I use DNAT rules and when should I use ACCEPT rules? Answer: I suggest you go back to the QuickStart guide that matches your configuration. Those guides cover this topic from a tutorial standpoint. You should use DNAT rules for connections that need to go in the opposite direction from SNAT/Masquerade. So if you use SNAT or Masquerade from your local network to the Internet, you need DNAT rules to allow connections from the Internet to your local network. You also use DNAT rules when you want to rewrite the destination IP address or port number. If you need to intercept connections as they arrive at the firewall and handle them on the firewall itself, use a REDIRECT rule. In all other cases, use ACCEPT.
(FAQ 38) Where can I find more information on DNAT? Answer: Ian Allen wrote this article on DNAT and Linux.
(FAQ 48) How do I set up a transparent proxy with Shorewall? Answer: See Shorewall and Squid.
DNS and Port Forwarding/Network Address Translation (NAT)
(FAQ 2) I port forward all web requests sent to www.mondomaine.com (IP 130.151.100.69) to system 192.168.1.5 on my local network. External clients can reach http://www.mondomaine.com but internal clients cannot. Answer: I have two objections to this setup. Having a server on your local network that is accessible from the Internet is like raising wolves next to your chicken coop. If the server is compromised, there is nothing between it and your other local systems. For the price of an Ethernet adapter and a crossover cable, you can put your server in a DMZ so that it is isolated from your local systems -- assuming the server can be installed next to your firewall, of course :-) The best solution for reaching your server is to use Bind Version 9 views (or to run a separate DNS server for local clients) so that www.mondomaine.com resolves to 130.151.100.69 for external clients and to 192.168.1.5 for internal clients. That is what I do here at shorewall.net for my local systems that use one-to-one NAT. Suppose your external interface is eth0, your internal interface is eth1, and eth1 has address 192.168.1.254 on subnet 192.168.1.0/24: all traffic redirected by this hack will be seen by the server as coming from the firewall (192.168.1.254) instead of from the original client! So the server's access logs will be useless for determining which local hosts access the server. In /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect routeback
In /etc/shorewall/masq:
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth1:192.168.1.5 eth1 192.168.1.254 tcp www
In /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69
Of course, this rule only works if you have a static external IP address. If you have a dynamic address you must include this in /etc/shorewall/params:
ETH0_IP=`find_first_interface_address eth0`
and your DNAT rule becomes:
#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP
When using this technique, you will need to configure your DHCP/PPPoE client to restart shorewall each time it obtains a new IP address.
(FAQ 2a) I have a zone "Z" with an RFC 1918 subnet and I use one-to-one NAT to assign non-RFC1918 addresses to the hosts in zone "Z". Hosts in zone "Z" cannot communicate with each other using their external (non-RFC1918) addresses and so cannot communicate using their DNS names. If the ALL INTERFACES column in /etc/shorewall/nat is empty or contains Yes, you will also see messages like this one in your log each time you try to access a host in zone Z from another host in zone Z using its public address:
Oct 4 10:26:40 netgw kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.118.200 DST=192.168.118.210 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1342 DF PROTO=TCP SPT=1494 DPT=1491 WINDOW=17472 RES=0x00 ACK SYN URGP=0
Answer: This is another problem that is solved very well by using Bind Version 9 views. Internal and external clients can then reach the NATed hosts using their network names. Another good approach is to abandon one-to-one NAT in favor of Proxy ARP. That way, the machines in Z have non-RFC1918 addresses and can be reached from both inside and outside using the same address. If you don't like those solutions and would rather bluntly route all Z-to-Z traffic through your firewall: Enable the routeback option on the interface to Z. Put Yes in the ALL INTERFACES column of the nat file. Example: Zone: dmz Interface: eth2 Subnet: 192.168.2.0/24 Address: 192.168.2.254 In /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
dmz eth2 192.168.2.255 routeback
In /etc/shorewall/nat, make sure you have Yes in the ALL INTERFACES column.
In /etc/shorewall/masq:
#INTERFACE SUBNETS ADDRESS
eth2 eth2 192.168.2.254
As with the hack shown in FAQ 2 above, dmz-to-dmz traffic will appear to come from the firewall and not from the real source host.
(FAQ 2b) I have a web server in my DMZ and I use port forwarding to make it accessible on the Internet as www.mondomaine.com. It works fine except for my local users when they try to connect to www.mondomaine.com. Answer: Suppose that: The external IP address is 206.124.146.176 on eth0 (www.mondomaine.com). The server's IP address is 192.168.2.4. You can allow machines on the local network to reach your server using the firewall's external IP address. Just add this rule:
#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT DEST
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176
If your external IP address is dynamically assigned, you must do the following. In /etc/shorewall/params:
ETH0_IP=`find_first_interface_address eth0`
And your DNAT rule becomes:
#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP
With dynamic IP addresses, do not use shorewall[-lite] save or shorewall[-lite] restore.
(FAQ 2c) I tried to apply the answer to FAQ 2 to my external interface and the net zone. It doesn't work. Why? Answer: Have you set IP_FORWARDING=On in shorewall.conf?
Netmeeting/MSN
(FAQ 3) I want to use Netmeeting or MSN Instant Messenger with Shorewall. What do I do? Answer: There is an H.323 connection tracking module that helps a lot with Netmeeting. However, take into account this recent post from one of the Netfilter developers:
> I know PoM -ng is going to address this issue, but until it is ready,
> and all the extras are ported to it, is there any way to use the kernel
> patch for the H.323 connection tracking module with a 2.6 kernel?
> I'm running a 2.6.1 kernel and the 2.4 kernel is not installed on the system, which
> is why I can't consider going back to 2.4 ... and the module has not
> been ported to 2.6 yet, unfortunately.
> What options do I have apart from installing a gatekeeper application (which does
> not work on my network) or a proxy (which I'd rather avoid)?
I suggest everyone set up a proxy (gatekeeper): the module is really awful and doesn't deserve to exist. It was a very good tool for developing and debugging the newnat interface.
See here for a solution for MSN Instant Messenger. Be aware that this solution carries significant security risks. You can also check with the Netfilter mailing list at http://www.netfilter.org.
Open Ports
(FAQ 51) How do I open ports in Shorewall? Answer: No one who installed Shorewall using one of the QuickStart Guides should need to ask this question. Whichever guide you used, all outgoing communication is open by default, so you do not have to "open ports" outbound. Inbound: If you installed using the Standalone (one-interface) firewall guide, please reread this section. If you used the two-interface firewall guide to install, please reread these sections: Port Forwarding (DNAT) and Other Connections. If you used the three-interface firewall guide to install, please reread these sections: Port Forwarding (DNAT) and Other Connections. If you installed using the Shorewall Setup Guide, you had better read the guide again -- you really missed a lot. See also the Port Forwarding section of this FAQ.
(FAQ 4) I just used an online port scanner to check my firewall settings and some ports show as "closed" while others show as "blocked". Why? Answer: Shorewall's default configuration invokes the Drop action before applying a DROP policy, and the default policy from the Internet to all zones is DROP. The Drop action is defined in /usr/share/shorewall/action.Drop, which itself invokes the Auth macro (defined in /usr/share/shorewall/macro.Auth), which specifies the REJECT action (i.e., Auth/REJECT). This is necessary to avoid outgoing connection problems with services that use the Auth mechanism to identify users. It is the only service configured by default to REJECT packets. If you see TCP ports other than port 113 (auth) reported as closed, it is because you have added REJECT rules for those ports, or a router outside your firewall is responding to connection requests on that port.
(FAQ 4a) I just ran a UDP scan of my firewall with nmap and it finds hundreds of open ports!!!! Answer: Take a deep breath and read the section of the nmap man page on UDP scans. If nmap gets no response from your firewall, it reports the port as open. If you want to see which UDP ports are really open, temporarily change your net->all policy to REJECT, restart Shorewall and rerun the nmap UDP scan.
(FAQ 4b) Whatever I change in my rules, there is one port I can't close. I had a rule allowing telnet from my local network to my firewall. I removed it and restarted Shorewall, but my telnet session still works!!! Answer: Rules deal with establishing new connections. Once a connection has been established through the firewall, it remains usable until the TCP disconnect or, for other protocols, until the timeout. If you close your telnet session and try to establish a new one, your firewall will block the attempt.
(FAQ 4c) How do I use Shorewall with PortSentry? Answer: Here you will find a description of a good integration of Shorewall and PortSentry.
(FAQ 4d) How do I use Shorewall with Snort-Inline? Answer: See this contribution by Michael Cooke.
Connection Problems
(FAQ 5) I installed Shorewall and I can no longer "ping" through the firewall. Answer: For a complete description of how Shorewall handles ping, see this page.
(FAQ 15) My local systems can't see anything on the Internet. Answer: Every time I read my systems can't see anything on the Internet, I wonder where the author bought computers with eyes and what those computers see when everything is working properly. That aside, the usual causes of this kind of problem are:
The default gateway address on each local system is not set to the address of the firewall's local interface.
The entry for the local network in /etc/shorewall/masq is wrong or missing.
DNS is misconfigured on the local systems, or the user runs a DNS server on the firewall and has not allowed UDP and TCP port 53 from the firewall to the Internet.
Forwarding is not enabled (this is often the case for Debian users). Run this command:
cat /proc/sys/net/ipv4/ip_forward
If the value is 0 (zero), set IP_FORWARDING=On in /etc/shorewall/shorewall.conf and restart Shorewall.
(FAQ 29) FTP doesn't work. Answer: See the Shorewall and FTP page.
(FAQ 33) From my clients behind the firewall, connections to some sites fail. Connections to the same sites from the firewall itself work. What's wrong? Answer: Most likely, you need to set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.
(FAQ 35) I have two Ethernet interfaces to my local network that I have bridged. When Shorewall is started, I can't get traffic through the bridge. I defined the bridge interface (br0) as the local interface in /etc/shorewall/interfaces. The "bridged" Ethernet interfaces are not defined to Shorewall. How do I tell Shorewall to allow traffic through the bridge? Answer: Add the routeback option to the br0 interface in /etc/shorewall/interfaces. For more information on this type of configuration, see the documentation for a simple bridge with Shorewall.
Logging
(FAQ 6) Where are log messages recorded and how do I change their destination? Answer: NetFilter uses the kernel equivalent of syslog (see man syslog) to log messages. It always uses the LOG_KERN facility (see man openlog), and you choose the log level (see man syslog) in your policies and rules. The destination of messages logged by syslog is controlled by /etc/syslog.conf (see man syslog.conf). After modifying /etc/syslog.conf, be sure to restart syslogd (on a RedHat system, service syslog restart). By default, older versions of Shorewall rate-limited log messages through settings in /etc/shorewall/shorewall.conf -- if you want to log all messages, set these parameters as follows:
LOGLIMIT=""
LOGBURST=""
Shorewall can also be configured to write its log messages to a separate file.
(FAQ 6a) Are there any log parsers that work with Shorewall? Answer: Here are several links that may help:
http://www.shorewall.net/pub/shorewall/parsefw/
http://www.fireparse.com
http://cert.uni-stuttgart.de/projects/fwlogwatch
http://www.logwatch.org
http://gege.org/iptables
http://home.regit.org/ulogd-php.html
Personally, I use Logwatch. It emails me a daily report for each of my various systems. Each report summarizes the activity logged on the corresponding system.
(FAQ 6b) My logs are flooded with DROP messages for connection requests on port 10619. Can I temporarily exclude the Shorewall error messages for this port from the log? Answer: Temporarily add the following rule:
#ACTION SOURCE DEST PROTO DEST PORT(S)
DROP net fw udp 10619
Alternatively, if you do not set BLACKLIST_LOGLEVEL and you have specified the 'blacklist' option on your external interface in /etc/shorewall/interfaces, you can blacklist the port. In /etc/shorewall/blacklist:
#ADDRESS/SUBNET PROTOCOL PORT
- udp 10619
(FAQ 6d) Why is the MAC address in Shorewall log messages so long? I thought a MAC address was only 6 bytes. Answer: What is labeled as the MAC address in Shorewall log messages is actually the Ethernet frame header. It contains: the destination MAC address (6 bytes), the source MAC address (6 bytes), and the Ethernet frame type (2 bytes). Example:
MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
destination MAC address = 00:04:4c:dc:e2:28
source MAC address = 00:b0:8e:cf:3c:4c
Ethernet frame type = 08:00 (IP Version 4)
(FAQ 16) Shorewall writes its log messages directly to my console and makes it unusable! Answer: Find where klogd is started (it will be from one of the files in /etc/init.d -- sysklogd, klogd, ...). Modify that file, or the appropriate configuration file, so that klogd is started with -c <n>, where <n> is a log level less than or equal to 5; or see the dmesg man page (man dmesg). You must add a suitable dmesg command to your startup scripts or place it in /etc/shorewall/start. Under RedHat and Mandriva, the maximum log level sent to the console is specified by the LOGLEVEL variable in /etc/sysconfig/init. Set LOGLEVEL=5 to keep info-level messages off the console. Under Debian, you can set KLOGD=-c 5 in /etc/init.d/klogd to keep info-level messages (log level 6) off the console. Under SUSE, add -c 5 to KLOGD_PARAMS in /etc/sysconfig/syslog to keep info-level messages (log level 6) off the console.
(FAQ 17) Why are these packets dropped/rejected? How do I decode Shorewall log messages? Answer: With Shorewall, dropped/rejected packets may have been logged from a number of chains (as indicated in the message):
man1918 or logdrop: The destination address is listed in the file /usr/share/shorewall/rfc1918 with a logdrop target -- see /usr/share/shorewall/rfc1918.
rfc1918 or logdrop: The source or destination address is listed in the file /usr/share/shorewall/rfc1918 with a logdrop target -- see /usr/share/shorewall/rfc1918. If you see packets rejected by the rfc1918 chain and neither the source nor the destination IP address is reserved by RFC 1918, this is most often caused by an old rfc1918 file in /etc/shorewall (it happens most frequently on Debian or one of its derivatives). The rfc1918 file used to include both bogons and the three RFC 1918 reserved ranges, and it was installed in the /etc/shorewall directory. The file now contains only the three RFC 1918 address ranges and is installed in the /usr/share/shorewall directory. Remove the obsolete rfc1918 file from your /etc/shorewall directory.
all2<zone>, <zone>2all or all2all: You have a policy that specifies a log level and this packet was logged by that policy. If you want to ACCEPT this traffic, you need a rule to that effect.
<zone1>2<zone2>: Either you have a policy for traffic from <zone1> to <zone2> that specifies a log level and this packet was logged by that policy, or this packet matched a rule that includes a log level. Beginning with Shorewall 3.3.3, packets logged by these chains may have a source and/or destination that belongs to no defined zone (see the output of the command shorewall[-lite] show zones).
Remember that zone membership requires both a firewall interface and an IP address.
@<source>2<dest>: You have a policy for traffic from <source> to <dest> in which you specified a TCP connection rate limit (the values in the LIMIT:BURST column). The logged packet exceeded that limit and was dropped (DROP). Note that these log messages are themselves severely rate-limited so that a SYN flood does not cause a secondary denial of service (DOS) through an excessive number of log messages. These messages were introduced in Shorewall 2.2.0 Beta 7.
<interface>_mac: This packet was logged by the maclist interface option.
logpkt: This packet was logged by the logunclean interface option.
badpkt: This packet was logged by the dropunclean interface option as specified by the LOGUNCLEAN setting in the file /etc/shorewall/shorewall.conf.
blacklst: This packet was logged because its source IP address is listed in the blacklist /etc/shorewall/blacklist.
INPUT or FORWARD: This packet has a source IP address that is not defined in any of your zones (run shorewall[-lite] show zones and look at the zone definitions), or the chain is FORWARD and the destination IP address is in none of your defined zones. If the chain is FORWARD and the IN and OUT interfaces are the same, you probably need the routeback option on that interface in the file /etc/shorewall/interfaces, or you need the routeback option on the appropriate entry in the file /etc/shorewall/hosts. Beginning with 3.3.3, such packets may also be logged by the <zone>2all and all2all chains.
OUTPUT: This packet has a destination IP address that is not defined in any of your zones (run shorewall check and look at the zone definitions). Beginning with Shorewall 3.3.3, such packets may also be logged by the fw2all and all2all chains.
logflags: This packet was logged because it failed the checks implemented by the tcpflags interface option.
Example:
Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47
Let us look at the important parts of this message:
all2all:REJECT: This packet was rejected (REJECT) by the all2all chain -- that is, by the all->all REJECT policy (see all2all above).
IN=eth2: The packet entered the firewall through eth2. When you see IN= with no interface name, the packet originated on the firewall itself.
OUT=eth1: Had it been allowed, this packet would have been sent out through eth1. When you see OUT= with no interface name, the packet would have been processed by the firewall itself. When a DNAT rule is logged there is never an OUT=, because the packet is logged before it is routed. Also, DNAT logging shows the original destination IP address and destination port number.
SRC=192.168.2.2: This packet was sent by 192.168.2.2.
DST=192.168.1.3: This packet is destined for 192.168.1.3.
PROTO=UDP: The protocol is UDP.
DPT=53: The destination port is port 53 (DNS).
For more information about log messages, see http://logi.cc/linux/netfilter-log-format.php3. In this case, 192.168.2.2 was in the dmz zone and 192.168.1.3 was in the loc zone. I was missing the following rule:
ACCEPT dmz loc udp 53
(FAQ 21) I occasionally see these strange messages in my log. What are they?
Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00 SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
192.0.2.3 is external to my firewall... my local network is 172.16.0.0/24. Answer: Although most people associate ICMP (Internet Control Message Protocol) with ping, ICMP is a key part of IP. ICMP is used to inform the sender of a packet about problems that were encountered, and that is what is happening here. Unfortunately, many implementations do not work correctly once address translation is involved (including SNAT, DNAT and Masquerade), and that is what these messages show. When Netfilter logs these messages, the part before the "[" describes the ICMP packet, and the part between "[" and "]" describes the packet that the ICMP message is responding to. Here is my interpretation of what is going on -- to confirm the analysis, one would need a packet sniffer at each end of the connection. The host 172.16.1.10, behind the NAT gateway 206.124.146.179, sent a UDP DNS request to 192.0.2.3, and your DNS server tried to send a reply (the reply is described between the square brackets -- note the source port 53, which indicates a DNS reply). When the reply arrived at 206.124.146.179, that gateway rewrote the destination IP address to 172.16.1.10 and forwarded the packet to 172.16.1.10, which no longer had a UDP connection on port 2857. That caused an ICMP port unreachable message (type 3, code 3) to be generated back toward 192.0.2.3. The ICMP packet goes back out through 206.124.146.179, which correctly changes the source address of the packet to 206.124.146.179 but does not change the destination IP in the quoted original DNS reply in the same way.
When the ICMP packet reaches your firewall (192.0.2.3), the firewall has no record of having sent a DNS reply to 172.16.1.10, so the ICMP packet appears to be associated with nothing that was ever sent. The result is that the packet is logged and dropped (DROP) by the all2all chain. I have also seen cases in which the source IP of the ICMP packet itself is not rewritten to the external address of the remote NAT gateway. In that case your firewall logs and drops (DROP) the packet in the rfc1918 chain, because its source IP is reserved by RFC 1918.
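The following Python script is an added example for FAQ 17 and FAQ 21; it is not part of the Shorewall FAQ or of the Shorewall code base. It parses the Shorewall kernel log format shown above (including the bracketed inner packet that an ICMP error carries), maps the logging chain to the explanation FAQ 17 gives for it, and derives the missing ACCEPT rule for the FAQ 17 example. The two sample lines are constructed copies of the ones quoted in the FAQ, and the zone table (192.168.2.0/24 = dmz, 192.168.1.0/24 = loc) is an assumption taken from the FAQ 17 explanation; in practice the caller supplies it from shorewall show zones.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample lines in the format quoted in FAQ 17 and FAQ 21 (not captured from a live box).
SAMPLE_REJECT = ("Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 "
                 "SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF "
                 "PROTO=UDP SPT=1803 DPT=53 LEN=47")
SAMPLE_ICMP = ("Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= "
               "MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00 SRC=206.124.146.179 DST=192.0.2.3 "
               "LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 "
               "[SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF "
               "PROTO=UDP SPT=53 DPT=2857 LEN=108 ]")
# Assumed zone layout matching the FAQ 17 example (hypothetical; normally taken from 'show zones').
ZONES = {"192.168.2.0/24": "dmz", "192.168.1.0/24": "loc"}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


@dataclass
class LogEntry:
    chain: str                       # chain that logged the packet (all2all, rfc1918, ...)
    disposition: str                 # REJECT, DROP, ...
    fields: Dict[str, str]           # outer packet header fields
    inner: Optional[Dict[str, str]]  # packet quoted inside [...] of an ICMP error, if any


def _kv_fields(text: str) -> Dict[str, str]:
    """Split 'KEY=value' tokens into a dict; bare flags (DF, SYN) map to ''.
    Netfilter prints LEN twice (IP and transport length); the later one wins here."""
    fields: Dict[str, str] = {}
    for tok in text.split():
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields


def parse_log_line(line: str) -> Optional[LogEntry]:
    """Parse one Shorewall kernel log line; None if the line is not a Shorewall message."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rest, inner = m.group("rest"), None
    if "[" in rest and "]" in rest:          # ICMP error carrying the offending packet
        start, end = rest.index("["), rest.rindex("]")
        inner = _kv_fields(rest[start + 1:end])
        rest = rest[:start] + rest[end + 1:]
    return LogEntry(m.group("chain"), m.group("disp"), _kv_fields(rest), inner)


def explain_chain(chain: str) -> str:
    """Map the logging chain to the explanation FAQ 17 gives for it."""
    fixed = {
        "rfc1918": "source or destination is in the rfc1918 file with a logdrop target",
        "man1918": "destination is in the rfc1918 file with a logdrop target",
        "logdrop": "address is in the rfc1918 file with a logdrop target",
        "blacklst": "source IP is listed in /etc/shorewall/blacklist",
        "logpkt": "logged by the logunclean interface option",
        "badpkt": "logged by the dropunclean interface option",
        "logflags": "failed the tcpflags interface option checks",
        "INPUT": "source IP is in no defined zone",
        "FORWARD": "source or destination IP is in no defined zone (consider routeback if IN == OUT)",
        "OUTPUT": "destination IP is in no defined zone",
    }
    if chain in fixed:
        return fixed[chain]
    if chain.startswith("@"):
        return "exceeded the LIMIT:BURST of the %s policy" % chain[1:]
    if chain.endswith("_mac"):
        return "logged by the maclist option on interface %s" % chain[:-4]
    if chain.startswith("all2") or chain.endswith("2all"):
        return "logged by a policy with a log level; add an ACCEPT rule if the traffic is wanted"
    m = re.fullmatch(r"(\w+)2(\w+)", chain)
    if m:
        return "policy or rule with a log level for %s -> %s" % m.groups()
    return "unknown chain"


def zone_of(ip: str, zones: Dict[str, str] = ZONES) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((z for net, z in zones.items() if addr in ipaddress.ip_network(net)), None)


def suggest_accept_rule(entry: LogEntry, zones: Dict[str, str] = ZONES) -> Optional[str]:
    """The /etc/shorewall/rules line that would have allowed this packet, e.g.
    'ACCEPT dmz loc udp 53' for the FAQ 17 example. An empty IN= or OUT= means the
    firewall itself, as FAQ 17 explains. None when an address is in no known zone."""
    f = entry.fields
    src = "fw" if f.get("IN", "") == "" else zone_of(f["SRC"], zones)
    dst = "fw" if f.get("OUT", "") == "" else zone_of(f["DST"], zones)
    if src is None or dst is None:
        return None
    port = f.get("DPT")
    return "ACCEPT %s %s %s%s" % (src, dst, f.get("PROTO", "all").lower(), " " + port if port else "")


def icmp_error_summary(entry: LogEntry) -> Optional[str]:
    """For an ICMP error (FAQ 21), name the original packet the error refers to."""
    if entry.fields.get("PROTO") != "ICMP" or not entry.inner:
        return None
    f, i = entry.fields, entry.inner
    return "ICMP type %s code %s from %s about %s %s:%s -> %s:%s" % (
        f.get("TYPE"), f.get("CODE"), f.get("SRC"),
        i.get("PROTO"), i.get("SRC"), i.get("SPT"), i.get("DST"), i.get("DPT"))
```

Run it over a real log with `for line in open("/var/log/messages"): e = parse_log_line(line)` and print `explain_chain(e.chain)` and `suggest_accept_rule(e)` for each hit; a rule suggestion of None means the address is in no zone you told the script about, which is exactly the INPUT/FORWARD/OUTPUT case FAQ 17 describes.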
(FAQ 52) When I blacklist an IP address with "shorewall[-lite] drop www.xxx.yyy.zzz", why are there still REDIRECT and DNAT entries from that address in my log? I blacklisted the address 130.252.100.59 with the command shorewall drop 130.252.100.59 but I still see these messages in the log:
Jan 30 15:38:34 server Shorewall:net_dnat:REDIRECT:IN=eth1 OUT= MAC=00:4f:4e:14:97:8e:00:01:5c:23:24:cc:08:00 SRC=130.252.100.59 DST=206.124.146.176 LEN=64 TOS=0x00 PREC=0x00 TTL=43 ID=42444 DF PROTO=TCP SPT=2215 DPT=139 WINDOW=53760 RES=0x00 SYN URGP=0
Answer: Please refer to the Shorewall Netfilter Documentation. Logging of REDIRECT and DNAT rules happens in the PREROUTING chain of the nat table, where the address is still valid. Blacklisting happens in the INPUT and FORWARD chains of the filter table, which are traversed only later.
(FAQ 56) When I start or restart Shorewall, I see these messages in my log file. Is this serious?
modprobe: Can't locate module ipt_physdev modprobe: Can't locate module iptable_raw
Answer: No. This happens when Shorewall probes your system to determine which features it supports. The messages are harmless.
Routing
(FAQ 32) I have two internet connections through two different ISPs on my firewall. How do I set this up with Shorewall? Answer: See this article on Shorewall and routing.
(FAQ 49) When I start Shorewall, my routing table is destroyed. Why does Shorewall do that? Answer: This is generally the consequence of a blunder in the one-to-one NAT configuration: you specify the primary IP address of an interface in the EXTERNAL column of the file /etc/shorewall/nat, even though the documentation and the comments in the file warn you against such a configuration, and you specify ADD_IP_ALIASES=Yes and RETAIN_ALIASES=No in the file /etc/shorewall/shorewall.conf. That combination causes Shorewall to delete the primary address of the network interface specified in the INTERFACE column, which generally has the consequence of deleting all the outbound routes through that interface. The solution is to not specify the primary address of an interface in the EXTERNAL column.
Starting and Stopping Shorewall
(FAQ 7) When I stop Shorewall with the command "shorewall[-lite] stop", I can no longer connect to anything. Why doesn't this command work? Answer: The stop command is intended to put your firewall into a safe state where only the hosts listed in the file /etc/shorewall/routestopped are enabled. If you want to open your firewall completely, you need to use the shorewall clear command.
(FAQ 8) When I try to start Shorewall on RedHat, I get insmod error messages -- what's wrong? Answer: The output you get looks like this:
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
In general, this problem is fixed by the following command sequence:
service ipchains stop
chkconfig --delete ipchains
rmmod ipchains
Also, check the errata to make sure you are not hitting the problems related to the iptables version (v1.2.3) shipped with RH7.2.
(FAQ 8a) When I try to start Shorewall on RedHat, I get a message that refers me to FAQ #8. Answer: This is generally handled with the command sequence shown above in FAQ 8.
(FAQ 9) Why doesn't Shorewall detect my interfaces properly at startup? I just installed Shorewall and when I run the start command, here is what happens:
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
...
Why doesn't Shorewall detect my interfaces correctly? Answer: The output above is perfectly normal. The Net zone is defined as consisting of all hosts connected to eth0, and the Local zone is defined as consisting of all hosts connected to eth1. If you are using Shorewall 1.4.10 or later, you may consider setting the detectnet interface option for your local interface (eth1 in the example above). That forces Shorewall to restrict the local zone to only the networks routed through that interface.
(FAQ 22) I want to run certain iptables commands when Shorewall starts. Which file should I put them in? Answer: You can place these commands in one of the Shorewall Extension Scripts. Be sure to examine the contents of the chains your commands will modify, to make sure the commands will do what they are supposed to do. Many commands published in HOWTOs and other procedures use the -A command, which appends rules at the end of the chain. Most chains built by Shorewall end with an unconditional DROP, ACCEPT or REJECT rule, so any rule you append after it would never be reached. Consult man iptables and learn about the -I (--insert) command.
(FAQ 34) How do I speed up start/restart? Answer:
Using a lightweight shell such as ash can very significantly reduce the time needed to start/restart Shorewall. See the SHOREWALL_SHELL variable in the shorewall.conf file.
Use a fast terminal emulator -- in particular the KDE console scrolls much faster than the Gnome terminal. You can also use the '-q' option if you restart remotely or from a slow terminal (or redirect the output to a file, as in shorewall restart > /dev/null).
Upgrade your hardware. Many users have found that even a modest improvement in CPU and memory speed (for example, going from a P3 with SDRAM to a P4 with DDR) had very significant effects. CPUs with EM64T technology, from AMD as well as from Intel, show very acceptable restart performance even with a fairly complex rule set.
Shorewall also offers a fast start feature. To use it: with Shorewall in the started state, run shorewall save. This creates the script /var/lib/shorewall/restore. Use the -f option with the start command (for example, shorewall -f start). This forces Shorewall to look for the script /var/lib/shorewall/restore and run it if it exists. Running /var/lib/shorewall/restore takes much less time than running a full shorewall start. The /etc/init.d/shorewall script run at system boot uses the -f option. The /var/lib/shorewall/restore script can be run at any time to restore the firewall; it can be invoked directly, or indirectly using the shorewall restore command. If you modify your Shorewall configuration, you must run shorewall start (without -f) or shorewall restart before running shorewall save again.
The shorewall save command saves the configuration that was running at the time it was executed, not the one represented by the configuration files you have modified. Likewise, if you modify your Shorewall configuration and are satisfied with the result, you must run shorewall save, otherwise you will revert to the old configuration saved in /var/lib/shorewall/restore at the next system boot. Finally, the time during which new connections are blocked during a Shorewall restart can be reduced very substantially by upgrading to Shorewall 3.2 or later. Beginning with 3.2, shorewall [re]start proceeds in two steps: the current configuration is compiled to produce a shell program tailored to your configuration, and if the compilation completes without error, the compiled program is run to [re]start your firewall.
(FAQ 43) I just installed the Shorewall RPM and Shorewall doesn't start at system boot. Answer: When you install with the "rpm -U" command, Shorewall does not run your distribution's tools that configure Shorewall startup. You have to run that tool yourself (insserv, chkconfig, run-level editor, …) so that Shorewall starts at the run levels where you want to use it.
(FAQ 45) Why does "shorewall[-lite] start" fail when I try to set up SNAT/Masquerade? shorewall start produces the following output:
…
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy ACCEPT for loc0 to net using chain loc02net
Policy ACCEPT for loc1 to net using chain loc12net
Policy ACCEPT for wlan to net using chain wlan2net
Masqueraded Networks and Hosts:
iptables: Invalid argument
ERROR: Command "/sbin/iptables -t nat -A …" Failed
Answer: In 99.999% of cases, this error comes from a compatibility problem between the iptables and kernel versions. Your iptables must be compiled using a kernel source tree that is Netfilter-compatible with the kernel you are running on your system. If you recompile iptables with the default parameters and then install it, it is installed in /usr/local/sbin/iptables. As can be seen above, your IPTABLES variable is set to /sbin/iptables in your shorewall.conf file.
(FAQ 59) After Shorewall starts, many unused netfilter modules are loaded. How do I avoid that? Answer: Copy /usr/share/shorewall/modules (or /usr/share/shorewall/xmodules, as appropriate) to /etc/shorewall/modules and edit that copy so that it contains only the modules you need.
(FAQ 61) I just installed the new Debian kernel, and now "shorewall start" fails with the message "ipt_policy: matchsize 116 != 308". What's wrong? Answer: Your iptables version is incompatible with your kernel. Either recompile iptables using the headers of your new kernel, or, if you don't need "policy match" support (you don't use the 2.6 kernel's IPSEC implementation), rename /lib/iptables/libipt_policy.so.
(FAQ 43) Je viens d'installer le RPM Shorewall et Shorewall ne dmarre pas au lancement du systme (boot). Rponse: Quand vous installez avec la commande "rpm -U", Shorewall n'excute pas les outils de votre distribution qui configurent le dmarrage de Shorewall. Vous devrez excuter cet outils vous-mme (insserv, chkconfig, run-level editor, …) pour que Shorewall dmarre aux niveaux d'excutions (run-level) auxquels vous voulez l'utiliser.
(FAQ 45) Pourquoi est-ce que "shorewall[-lite] start" choue lorsque je tente de mettre en place SNAT/Masquerade? shorewall start produit la sortie suivante: … Processing /etc/shorewall/policy... Policy ACCEPT for fw to net using chain fw2net Policy ACCEPT for loc0 to net using chain loc02net Policy ACCEPT for loc1 to net using chain loc12net Policy ACCEPT for wlan to net using chain wlan2net Masqueraded Networks and Hosts: iptables: Invalid argument ERROR: Command "/sbin/iptables -t nat -A …" Failed Rponse: Dans 99.999% des cas, cette erreur provient d'un problme de comptabilit des versions d'iptables et du noyau. Votre iptables doit tre compil en utilisant un arbre de sources du noyau qui soit compatible au niveau Netfilter avec le noyau que vous excutez sur votre systme. Si vous recompilez iptables avec les paramtres par dfaut puis que vous l'installez, il sera install dans /usr/local/sbin/iptables. Comme on peut le voir ci-dessus, votre variable IPTABLES est configure /sbin/iptables dans votre fichier shorewall.conf.
(FAQ 59) Aprs le dmarrage de Shorewall, de nombreux modules netfilter inutiliss sont chargs. Comment viter cela ? Rponse: Copiez /usr/share/shorewall/modules (ou /usr/share/shorewall/xmodules suivant le cas) vers /etc/shorewall/modules et modifiez cette copie pour qu'elle ne contienne que les modules dont vous avez besoin.
(FAQ 61) Je viens juste d'installer le nouveau kernel Debian, et maintenant "shorewall start" choue avec le message "ipt_policy: matchsize 116 != 308". Qu'est-ce qui ne va pas? Rponse: Votre version d'iptables est incompatible avec votre kernel. recompilez iptables en utilisant les headers de votre nouveau kernel; ou bien si vous n'avez pas besoin du support de "policy match" (vous n'utilisez pas l'implmentation IPSEC du kernel 2.6) vous pouvez renommer /lib/iptables/libipt_policy.so.
Multiple ISPs
(FAQ 57) I configured two ISPs in Shorewall, but when I try to use the second one it doesn't work. Answer: The Multi-ISP documentation very strongly recommends that you use the balance option for all ISPs, even if you want to specify manually which ISP to use. If you don't, and your main routing table has only a single default route, you must disable route filtering: do not specify the routefilter option on the other interface in /etc/shorewall/interfaces, and disable any IP address spoofing protection your distribution may offer.
(FAQ 58) But if I specify 'balance', won't Shorewall balance the traffic between the interfaces? I don't want it to! Answer: Suppose you want all traffic to go through ISP1 (mark 1) until you specify otherwise. In that case, simply add these two rules as the first marking rules in your /etc/shorewall/tcrules file:
#MARK SOURCE DEST
1:P 0.0.0.0/0
1:P $FW
<other MARK rules>
Now all traffic that is not marked by one of your other marking rules has mark=1 and is sent through ISP1. This works whether or not the balance option is specified.
About Shorewall
(FAQ 10) What distributions does Shorewall run on? Answer: Shorewall runs on any GNU/Linux distribution that meets the Shorewall requirements given in this document.
(FAQ 11) What are Shorewall's features? Answer: See the list of Shorewall features.
(FAQ 12) Is there a graphical interface? Answer: Yes. Webmin provides Shorewall 3.x support beginning with its version 1.300. See http://www.webmin.com
(FAQ 13) Why did you name it "Shorewall"? Answer: Shorewall is the concatenation of Shoreline (the town where I live) and Firewall. In fact the product's full name is Shoreline Firewall, but Shorewall is more commonly used.
(FAQ 23) Why do you use such awful fonts on your website? Answer: The Shorewall website is almost entirely font-neutral (with the exception of a few pages, it specifies no font explicitly). The fonts you see are largely those configured by default in your browser. If you don't like them, reconfigure your browser.
(FAQ 25) How do I find out which version of Shorewall or Shorewall Lite I am using? Answer: At the system prompt, type: /sbin/shorewall[-lite] version
(FAQ 31) Does Shorewall provide protection against....
IP Spoofing: sending packets through the WAN interface with local-network IP addresses as the source address? Answer: Yes.
Tear Drop: sending packets containing overlapping fragments? Answer: This is the responsibility of the IP stack, not of a Netfilter-based firewall, because fragment reassembly is done before the packet filter sees each packet.
Smurf and Fraggle: sending packets that use the WAN or LAN broadcast address as the source address? Answer: Shorewall can be configured to do this with its blacklist feature. Beginning with version 2.0.0, Shorewall filters these packets with the nosmurfs interface option in the file /etc/shorewall/interfaces.
Land Attack: sending packets that use the same address as source and destination? Answer: Yes, when the routefilter interface option is selected.
DOS: Denial of Service (SYN DoS, ICMP DoS, per-host DOS protection)? Answer: Shorewall offers the ability to rate-limit SYN packets and ICMP packets. Netfilter as included in standard Linux kernels does not support per-remote-host rate limiting, except through an explicit rule that specifies the host's IP address. That form of limiting is supported by Shorewall.
(FAQ 36) Does Shorewall run on Linux kernel 2.6? Answer: Shorewall works with 2.6 kernels with the following two restrictions: in 2.6 kernels up to and including 2.6.16, Netfilter/iptables does not offer full IPSEC support -- there are patches for the kernel and for iptables, and you will find details on the Shorewall IPSEC-2.6 page. Also, 2.6 kernels do not support the logunclean and dropunclean options of the file /etc/shorewall/interfaces; support for those options was likewise removed from Shorewall in version 2.0.0.
RFC 1918
(FAQ 14) I am connected through a cable modem that has its own internal web server used for configuration and monitoring. But of course, if I enable RFC 1918 address blocking on my internet interface eth0, the modem's web server is blocked too. Is it possible to add a rule before the rfc1918 blocking rule so as to allow all traffic to and from 192.168.100.1, my modem's address, while still filtering the other rfc1918 addresses? Answer: Add the following to the file /etc/shorewall/rfc1918 (note: if you are using 2.0.0 or later, you may first have to copy the file /usr/share/shorewall/rfc1918 to /etc/shorewall/rfc1918). Be sure to add the entry ABOVE the entry for 192.168.0.0/16.
#SUBNET TARGET
192.168.100.1 RETURN
If you add a second IP address on your firewall's external interface that corresponds to the modem's address, you must add an entry for that address in the file /etc/shorewall/rfc1918. For example, if you configure the address 192.168.100.2 on your firewall, you need to add the following two entries to the file /etc/shorewall/rfc1918:
#SUBNET TARGET
192.168.100.1 RETURN
192.168.100.2 RETURN
(FAQ 14a) Although it hands out public IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my external interface, my DHCP client can no longer renew its lease. Answer: The solution is the same as in FAQ 14 above. Simply substitute the address of your ISP's DHCP server.
(FAQ 14b) I connect to the internet through PPPoE. When I try to connect to the web server built into my DSL modem, the connection is refused. In my log I can see the following:
Mar 1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Answer: The fact that the message is logged by the OUTPUT chain means that the destination address belongs to none of the defined zones (see FAQ 17). You must:
Add a zone for your modem in the file /etc/shorewall/zones:
#ZONE TYPE OPTIONS
modem ipv4
In the file /etc/shorewall/interfaces, associate that zone with the interface to which your modem is connected (eth0 in the example):
#ZONE INTERFACE BROADCAST OPTIONS
modem eth0 detect
Allow web traffic to the modem in the file /etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT fw modem tcp 80
ACCEPT loc modem tcp 80
Note that many of these cable/DSL modems have no default gateway, or their default gateway is set to an IP address different from the one you assigned to your external interface. In either case, you may have trouble browsing to your modem from your local network, even when all the routes are correctly set up on your firewall. To solve this problem, masquerade the traffic from the local network to the modem. /etc/shorewall/masq:
#INTERFACE SUBNET ADDRESS
eth0 eth1 # eth1 = interface to local network
For an example where the cable/ADSL modem is bridged, you can look at my configuration. In that case, I masquerade using the IP address of my local interface!
IP Alias Addresses/Virtual Interfaces
(FAQ 18) Is there a way to use IP alias addresses with Shorewall and maintain separate rule sets for the different IP addresses? Answer: Yes. See Shorewall and alias interfaces.
Shorewall Lite
(FAQ 53) What is Shorewall Lite? Answer: Shorewall Lite is a companion product to Shorewall. It is designed to let you maintain the information for all of your Shorewall configurations on a single system in your network. For more details, see the Compiled Firewall script documentation.
(FAQ 54) If I want to install Shorewall Lite, do I also have to install Shorewall on the same system? Answer: No. In fact, we recommend that you not install Shorewall on the systems where you want to use Shorewall Lite. You must have Shorewall installed on at least one system in your network to be able to use Shorewall Lite.
(FAQ 55) How do I decide which product to use - Shorewall or Shorewall Lite? Answer: If you plan to have a single firewall, Shorewall is the logical choice. I also think Shorewall is the most appropriate choice for a laptop, because you may have to change its configuration while traveling. In all other cases, Shorewall Lite will work very well. At shorewall.net, both laptops and my Linux desktop run the full version of Shorewall. All the other Linux systems that have a firewall use Shorewall Lite, and their configuration directories are on my desktop.
(FAQ 60) What compatibility restrictions exist between Shorewall and Shorewall Lite? Answer: See the table below (C = fully compatible with all features available, P1 = compatible but not all Shorewall features are available, P2 = compatible but not all Shorewall Lite features are available, I = incompatible).
                  Lite 3.2.0  Lite 3.2.1  Lite 3.2.2  Lite 3.2.3
Shorewall 3.2.0   C           C           P2          P2
Shorewall 3.2.1   C           C           C           P2
Shorewall 3.2.2   P1          P1          C           C
Shorewall 3.2.3   P1          P1          C           C
Miscellaneous
(FAQ 20) I just installed a server. Do I need to modify Shorewall to allow internet access to my server? Answer: Yes. Consult the QuickStart guide you used for your initial setup for the information needed to write the rules for your server.
(FAQ 24) How can I allow internet connections to the ssh port, for example, but only from certain specific IP addresses? Answer: In the SOURCE column of the rule, follow net with a colon and then a comma-separated list of host or subnet addresses: net:<ip1>,<ip2>,... Example:
ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22
(FAQ 26) When I try to use nmap with any of the SYN options from the firewall itself or from any host behind the firewall, I get an "operation not permitted" error. How do I use nmap with Shorewall? Answer: Temporarily remove the rejNotSyn, dropNotSyn and dropInvalid rules from the file /etc/shorewall/rules and restart Shorewall.
(FAQ 27) I am compiling a new kernel for my firewall. What should I pay attention to? Answer: Start by looking at the Shorewall kernel configuration page. You will probably want to make sure that you have selected NAT of local connections (READ HELP) in the Netfilter configuration menu. Without it, DNAT rules that have your firewall as the source zone will not work with your new kernel.
(FAQ 27a) I just compiled (or downloaded, or obtained by some other means) and installed a new kernel, and Shorewall no longer starts. I know my kernel options are correct. The last lines of the startup trace are:
+ run_iptables2 -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE
+ '[' 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0. 0/0 -j MASQUERADE' ']'
+ run_iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE
+ iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE
iptables: Invalid argument
+ '[' -z '' ']'
+ stop_firewall
+ set +x
Answer: Your kernel's headers are incompatible with those used to compile your iptables program. You must recompile iptables using your new kernel's source tree.
(FAQ 28) How do I use Shorewall as a bridging firewall? Answer: Shorewall support for bridging firewalls exists -- see here for details.
(FAQ 39) How do I block connections to a particular domain? I tried to block Google's Adsense. Adsense is a piece of Javascript that people add to their web pages. I added the following rule:
#ACTION SOURCE DEST PROTO
REJECT fw net:pagead2.googlesyndication.com all
However, this sometimes blocks access to "google.com". Why? With dig, I find the following IP addresses for the domain googlesyndication.com: 216.239.37.99 216.239.39.99, and these for google.com: 216.239.37.99 216.239.39.99 216.239.57.99. So I suppose it is not the domain that is blocked but rather its IP addresses. How do I really block a domain name? Answer: Packet filters base their decisions on the contents of the various protocol headers found at the beginning of each packet. Stateful packet filters (of which Netfilter is an example) use a combination of the header contents and the connection state created while processing earlier packets. Netfilter (and the use Shorewall makes of it) also takes into account the network interface on which each packet entered, or through which it will leave, the router/firewall. When you specify a domain name in a Shorewall rule, the iptables program resolves that name into one or more IP addresses, and the rules actually created are expressed in terms of those IP addresses. That is why the rule you entered is equivalent to:
#ACTION SOURCE DEST PROTO
REJECT fw net:216.239.37.99 all
REJECT fw net:216.239.39.99 all
Since name-based virtual hosting is common practice (for example, lists.shorewall.net and www1.shorewall.net are both hosted on the same system with a single IP address), it is not possible to filter connections to a particular name by examining only the protocol headers.
While some protocols such as FTP require the firewall to examine and possibly modify the packet payload, analyzing the payload of individual packets does not always work, because the application-level data stream can be split arbitrarily across packets. This is one of the weaknesses of the Netfilter 'string match' extension found in Patch-O-Matic-ng. The only reliable way to filter on packet content is to use a proxy for the connections concerned -- in the case of HTTP, an application such as Squid. A proxy reassembles complete application-level messages, which can then be analyzed precisely.
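The following Python snippet is an added example for FAQ 39, not code from the Shorewall FAQ or from the Shorewall project. It models what FAQ 39 describes: a rule naming a host is expanded by iptables into one rule per resolved address, so every other name that resolves to a shared address is affected too. The name-to-address table is constructed from the dig results quoted in the FAQ, plus a hypothetical pair of virtual hosts (lists.example.net and www1.example.net on a single TEST-NET address) standing in for the shared-address case the FAQ mentions.

```python
from typing import Dict, List, Set

# Constructed resolution table: the first two entries mirror the dig output quoted in FAQ 39;
# the example.net pair is hypothetical and stands in for two virtual hosts sharing one address.
RESOLVED: Dict[str, Set[str]] = {
    "pagead2.googlesyndication.com": {"216.239.37.99", "216.239.39.99"},
    "google.com": {"216.239.37.99", "216.239.39.99", "216.239.57.99"},
    "lists.example.net": {"192.0.2.80"},
    "www1.example.net": {"192.0.2.80"},
}


def expand_rule(action: str, source: str, zone: str, dest_name: str, proto: str,
                resolved: Dict[str, Set[str]] = RESOLVED) -> List[str]:
    """What iptables actually installs for 'ACTION SOURCE zone:name PROTO':
    one rule per address the name resolves to, exactly as FAQ 39 shows."""
    return ["%s %s %s:%s %s" % (action, source, zone, ip, proto)
            for ip in sorted(resolved[dest_name])]


def collateral_names(dest_name: str,
                     resolved: Dict[str, Set[str]] = RESOLVED) -> Dict[str, str]:
    """Other names hit by a rule on dest_name, because they share addresses with it.
    'always' when every address of the other name is shared (the virtual-host case),
    'sometimes' when only part of its address set is (the google.com case)."""
    blocked = resolved[dest_name]
    hit: Dict[str, str] = {}
    for name, ips in resolved.items():
        if name == dest_name:
            continue
        shared = ips & blocked
        if shared:
            hit[name] = "always" if shared == ips else "sometimes"
    return hit
```

Running `collateral_names("pagead2.googlesyndication.com")` reports google.com as hit "sometimes" (two of its three addresses are shared), which is the intermittent breakage the question describes; the only way to avoid it is the proxy approach the answer recommends.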
(FAQ 42) How do I find out which features are supported by my kernel and my version of iptables? Answer: As root, use the command shorewall[-lite] show capabilities.

gateway:~# shorewall show capabilities
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
   ROUTE Target: Available
   Extended MARK Target: Available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
gateway:~#
(FAQ 19) How do I open the firewall for all traffic to/from the LAN? Answer: Add these two policies:

#SOURCE DESTINATION POLICY LOG LIMIT:BURST
#                          LEVEL
$FW loc ACCEPT
loc $FW ACCEPT

You can also remove all ACCEPT rules for $FW->loc and loc->$FW, since those rules are now redundant with the two policies set above.
shorewall-docs-xml-5.2.3/traffic_shaping.xml
Complex Traffic Shaping/Control Tom Eastep Arne Bernin 2001-2013 Thomas M. Eastep 2005 Arne Bernin & Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. Traffic shaping is complex and the Shorewall community is not well equipped to answer traffic shaping questions. So if you are the type of person who needs "insert tab A into slot B" instructions for everything that you do, then please don't try to implement traffic shaping using Shorewall. You will just frustrate yourself and we won't be able to help you. Said another way, reading just Shorewall documentation is not going to give you enough background to use this material. At a minimum, you will need to refer to at least the following additional information: The LARTC HOWTO: http://www.lartc.org The HTB User's Guide: http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm HFSC Scheduling with Linux: http://linux-ip.net/articles/hfsc.en/ Some of the documents listed at http://www.netfilter.org/documentation/index.html#documentation-howto. The tutorial by Oskar Andreasson is particularly good. The output of man iptables
Introduction Beginning with Shorewall 4.4.6, Shorewall includes two separate implementations of traffic shaping. This document describes the original implementation which is complex and difficult to configure. A much simpler version is described in Simple Traffic Shaping/Control and is highly recommended unless you really need to delay certain traffic passing through your firewall. Shorewall has builtin support for traffic shaping and control. This support does not cover all options available (and especially all algorithms that can be used to queue traffic) in the Linux kernel but it should fit most needs. If you are using your own script for traffic control and you still want to use it in the future, you will find information on how to do this, later in this document. But for this to work, you will also need to enable traffic shaping in the kernel and Shorewall as covered by the next sections.
Linux traffic shaping and control This section gives a brief introduction to how controlling traffic with the Linux kernel works. Although this might be enough for configuring it in the Shorewall configuration files, we strongly recommend that you take a deeper look into the Linux Advanced Routing and Shaping HOWTO. At the time of writing, the current version is 1.0.0. Since kernel 2.2, Linux has had extensive support for controlling traffic. You can define different algorithms that are used to queue the traffic before it leaves an interface. The standard one is called pfifo_fast and is (as the name suggests) of the type First In, First Out. This means that it does not shape anything: if you have a connection that eats up all your bandwidth, this queuing algorithm will not stop it from doing so. For Shorewall traffic shaping we use three algorithms: HTB (Hierarchical Token Bucket), HFSC (Hierarchical Fair Service Curves) and SFQ (Stochastic Fairness Queuing). SFQ is easy to explain: it just tries to track your connections (TCP or UDP streams) and balances the traffic between them. This normally works well. HTB and HFSC allow you to define a set of classes, and you can put the traffic you want into these classes. You can define minimum and maximum bandwidth settings for those classes and order them hierarchically (the less prioritized classes only get bandwidth if the more important ones have what they need). Additionally, HFSC allows you to specify the maximum queuing delay that a packet may experience. Shorewall's builtin traffic shaping allows you to define these classes (and their bandwidth limits), and it uses SFQ inside these classes to make sure that different data streams are handled equally. If SFQ's default notion of a 'stream' doesn't work well for you, you can change it using the flow option described below. You can shape incoming traffic through use of an Intermediate Functional Block (IFB) device. See below.
But beware: using an IFB can result in queues building up both at your ISP's router and at your own. You shape and control outgoing traffic by assigning the traffic to classes. Each class is associated with exactly one network interface and has a number of attributes: PRIORITY - Used to give preference to one class over another when selecting a packet to send. The priority is a numeric value with 1 being the highest priority, 2 being the next highest, and so on. RATE - The minimum bandwidth this class should get when the traffic load rises. Classes with a higher priority (lower PRIORITY value) are served even if there are others that have a guaranteed bandwidth but have a lower priority (higher PRIORITY value). CEIL - The maximum bandwidth the class is allowed to use when the link is idle. MARK - Netfilter has a facility for marking packets. Packet marks have a numeric value which is limited in Shorewall to the values 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes in shorewall.conf (5) ). You assign packet marks to different types of traffic using entries in the /etc/shorewall/mangle file (Shorewall 4.6.0 or later) or /etc/shorewall/tcrules (prior to Shorewall 4.6.0). In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS, which specifies the width in bits of the traffic shaping mark field. The default is based on the setting of WIDE_TC_MARKS so as to provide upward compatibility. See the Packet Marking using /etc/shorewall/mangle article. One class for each interface must be designated as the default class. This is the class to which unmarked traffic (packets to which you have not assigned a mark value in /etc/shorewall/mangle) is assigned. Netfilter also supports a mark value on each connection. You can assign connection mark values in /etc/shorewall/mangle (/etc/shorewall/tcrules), you can copy the current packet's mark to the connection mark (SAVE), or you can copy the connection mark value to the current packet's mark (RESTORE).
For more information, see this article.
Linux Kernel Configuration You will need at least kernel 2.4.18 for this to work, please take a look at the following screenshot for what settings you need to enable. For builtin support, you need the HTB scheduler, the Ingress scheduler, the PRIO pseudoscheduler and SFQ queue. The other scheduler or queue algorithms are not needed. This screen shot shows how I configured QoS in a 2.6.16 Kernel: And here's my recommendation for a 2.6.21 kernel:
Enable TC support in Shorewall You need this support whether you use the builtin support or whether you provide your own tcstart script. To enable the builtin traffic shaping and control in Shorewall, you have to do the following: Set TC_ENABLED to "Internal" in /etc/shorewall/shorewall.conf. Setting TC_ENABLED=Yes causes Shorewall to look for an external tcstart file (See a later section for details). Setting CLEAR_TC parameter in /etc/shorewall/shorewall.conf to Yes will clear the traffic shaping configuration during Shorewall [re]start and Shorewall stop. This is normally what you want when using the builtin support (and also if you use your own tcstart script) The other steps that follow depend on whether you use your own script or the builtin solution. They will be explained in the following sections.
Using builtin traffic shaping/control Shorewall's builtin traffic shaping feature provides a thin layer on top of the ingress qdisc, HTB and SFQ. That translation layer allows you to: Define HTB and/or HFSC classes using Shorewall-style column-oriented configuration files. Integrate the reloading of your traffic shaping configuration with the reloading of your packet-filtering and marking configuration. Assign traffic to HTB or HFSC classes by TOS value. Assign outgoing TCP ACK packets to an HTB or HFSC class. Assign traffic to HTB and/or HFSC classes based on packet mark value or based on packet contents. Those few features are really all that builtin traffic shaping/control provides; consequently, you need to understand HTB and/or HFSC and Linux traffic shaping as well as Netfilter packet marking in order to use the facility. Again, please see the links at the top of this article. For defining bandwidths (for either devices or classes), please use kbit or kbps (for kilobytes per second) and make sure there is NO space between the number and the unit (it is 100kbit, not 100 kbit). mbit, mbps or a raw number (which means bytes per second) can also be used, but note that only integer numbers are supported (0.5 is not valid). To properly configure the settings for your devices you need to find out the real up- and downstream rates you have. This is especially the case if you are using a DSL connection or one of another type that does not have a guaranteed bandwidth. Don't trust the values your provider tells you for this; measuring the real download speed is especially important! There are several online tools that help you find out; search for "dsl speed test" on Google (for Germany you can use the Arcor speed check). Be sure to choose a test site located near you.
/etc/shorewall/tcdevices This file allows you to define the incoming and outgoing bandwidth for the devices on which you want traffic shaping to be enabled. That means that if you want to use traffic shaping for a device, you have to define it here. For additional information, see shorewall-tcdevices (5). Columns in the file are as follows: INTERFACE - Name of interface. Each interface may be listed only once in this file. You may NOT specify the name of an alias (e.g., eth0:0) here; see FAQ #18. You may NOT specify wildcards here; e.g., if you have multiple ppp interfaces, you need to put them all in here! Shorewall will determine if the device exists and will only configure the device if it does exist. If it doesn't exist or it is DOWN, the following warning is issued: WARNING: Device <device name> is not in the UP state -- traffic-shaping configuration skipped Shorewall assigns a sequential interface number to each interface (the first entry in /etc/shorewall/tcdevices is interface 1, the second is interface 2 and so on). You can also explicitly specify the interface number by prefixing the interface name with the number and a colon (":"). Example: 1:eth0. Device numbers are expressed in hexadecimal, so the device following 9 is A, not 10. IN-BANDWIDTH - The incoming bandwidth of that interface. Please note that when you use this column, you are not traffic shaping incoming traffic, as the traffic has already been received before you could do so. This column allows you to define the maximum traffic allowed for this interface in total; if the rate is exceeded, the excess packets are dropped. You want this mainly if you have a DSL or cable connection, to avoid queuing at your provider's side. If you don't want any traffic to be dropped, set this to a value faster than your interface's maximum rate, or to 0 (zero). To determine the optimum value for this setting, we recommend that you start by setting it significantly below your measured download bandwidth (20% or so).
While downloading, measure the ping response time from the firewall to the upstream router as you gradually increase the setting. The optimal setting is at the point beyond which the ping time increases sharply as you increase the setting. For fast lines, the actual download speed may be well below what you specify here. If you have this problem, then follow the bandwidth with a ":" and a burst size. The default burst is 10kb, but on my 50mbit line, I specify 200kb (50mbit:200kb). OUT-BANDWIDTH - Specify the outgoing bandwidth of that interface. This is the maximum speed your connection can handle. It is also the speed you can refer to as "full" when you define the tc classes. Outgoing traffic above this rate will be dropped. OPTIONS — A comma-separated list of options from the following list: classify If specified, classification of traffic into the various classes is done by CLASSIFY entries in /etc/shorewall/mangle (/etc/shorewall/tcrules) or by entries in /etc/shorewall/tcfilters. No MARK value will be associated with classes on this interface. hfsc Shorewall normally uses the Hierarchical Token Bucket (HTB) queuing discipline. When hfsc is specified, the Hierarchical Fair Service Curves (HFSC) discipline is used instead. linklayer Added in Shorewall 4.5.6. Type of link (ethernet, atm, adsl). When specified, causes scheduler packet size manipulation as described in tc-stab (8). When this option is given, the following options may also be given after it: mtu=mtu The device MTU; default 2048 (will be rounded up to a power of two) mpu=mpubytes Minimum packet size used in calculations. Smaller packets will be rounded up to this size tsize=tablesize Size table entries; default is 512 overhead=overheadbytes Number of overhead bytes per packet REDIRECTED INTERFACES — Entries are appropriate in this column only if the device in the INTERFACE column names an Intermediate Functional Block (IFB).
It lists the physical interfaces that will have their input shaped using classes defined on the IFB. Neither the IFB nor any of the interfaces listed in this column may have an IN-BANDWIDTH specified; you may specify zero (0) or a dash ("-") in the IN-BANDWIDTH column. IFB devices automatically get the classify option. <para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the interface for this. The device has an outgoing bandwidth of 500kbit and an incoming bandwidth of 6000kbit.</para> <programlisting>#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
ppp0 6000kbit 500kbit</programlisting> </example> </section> <section id="tcclasses"> <title>/etc/shorewall/tcclasses This file allows you to define the actual classes that are used to split the outgoing traffic. For additional information, see shorewall-tcclasses (5). INTERFACE - Name of interface. Users may also specify the interface number. Must match the name (or number) of an interface with an entry in /etc/shorewall/tcdevices. If the interface has the classify option in /etc/shorewall/tcdevices, then the interface name or number must be followed by a colon and a class number. Examples: eth0:1, 4:9. Class numbers must be unique for a given interface. Normally, all classes defined here are sub-classes of a root class that is implicitly defined from the entry in shorewall-tcdevices(5). You can establish a class hierarchy by specifying a parent class (e.g., interface:parent-class:class) -- the number of a class that you have previously defined. The sub-class may borrow unused bandwidth from its parent. Class numbers are expressed in hexadecimal, so the class following class 9 is A, not 10. MARK - The mark value, which is an integer in the range 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes or set TC_BITS=14 in shorewall.conf (5) ). You define these marks in the mangle or tcrules file, marking the traffic you want to go into the queuing classes defined here. You can use the same marks for different interfaces.
You must specify "-" in this column if the device specified in the INTERFACE column has the classify option in /etc/shorewall/tcdevices. In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS, which specifies the width in bits of the traffic shaping mark field. The default is based on the setting of WIDE_TC_MARKS so as to provide upward compatibility. RATE - The minimum bandwidth this class should get when the traffic load rises. Please note that classes with an equal or lesser PRIORITY value are served first, even if there are others that have a guaranteed bandwidth but a lower priority (higher PRIORITY value). If the sum of the RATEs for all classes assigned to an INTERFACE exceeds that interface's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit will not be honored. When using HFSC, this column may contain 1, 2 or 3 pieces of information separated by colons (":"). In addition to the minimum bandwidth, leaf classes may specify realtime criteria: DMAX (maximum delay in milliseconds) and optionally UMAX (the largest packet expected in the class). See below for details. CEIL - The maximum bandwidth this class is allowed to use when the link is idle. Useful if you have traffic which can get full speed when more important services (e.g., interactive ones like ssh) are not in use. You can use the value "full" here to set the maximum bandwidth to the defined output bandwidth of that interface. PRIORITY - You have to define a priority for the class. Packets in a class with a higher priority (= lesser value) are handled before less prioritized ones. You can also simply reuse the mark value here, if your mark values increase as priority decreases. OPTIONS - A comma-separated list of options including the following: default - this is the default class for that interface, where all traffic goes that is not classified otherwise. Defining default for exactly one class per interface is mandatory!
tos-<tosname> - this lets you define a filter for the given <tosname>, i.e. a value of the Type Of Service bits in the IP packet which causes the packet to go into this class. Please note that this filter overrides all mark settings, so if you define a tos filter for a class, all traffic having that TOS value will go into it regardless of the mark on the packet. You can use the following for this option: tos-minimize-delay (16) tos-maximize-throughput (8) tos-maximize-reliability (4) tos-minimize-cost (2) tos-normal-service (0) Each of these options is only valid for one class per interface. tcp-ack - if defined, causes a tc filter to be created that puts all TCP ACK packets on that interface that have a size of <= 64 bytes into this class. This is useful for speeding up downloads. Please note that the size of the ACK packets is limited to 64 bytes because some applications (P2P, for example) tend to make every packet an ACK packet, which would otherwise cause them all to land in here. We want only packets WITHOUT payload to match, hence the size limit. Bigger packets just take their normal way into the classes. This option is only valid for one class per interface. occurs=number - Typically used with an IPMARK entry in mangle or tcrules. Causes the rule to be replicated for a total of number rules. Each rule has a successive class number and mark value. When 'occurs' is used: The associated device may not have the 'classify' option. The class may not be the default class. The class may not have any 'tos=' options (including 'tcp-ack'). The class should not specify a MARK value. If one is specified, it will be ignored with a warning message. The 'RATE' and 'CEIL' parameters apply to each instance of the class. So the total RATE represented by an entry with 'occurs' will be the listed RATE multiplied by number. For additional information, see mangle (5) or tcrules (5). flow=keys - Shorewall attaches an SFQ queuing discipline to each leaf HTB and HFSC class.
SFQ ensures that each flow gets equal access to the interface. The default definition of a flow corresponds roughly to a Netfilter connection. So if one internal system is running BitTorrent, for example, it can have lots of 'flows' and can thus take up a larger share of the bandwidth than a system having only a single active connection. The flow classifier (module cls_flow) works around this by letting you define what a 'flow' is. The classifier must be used carefully or it can block off all traffic on an interface! The flow option can be specified for an HTB or HFSC leaf class (one that has no sub-classes). We recommend that you use the following: Shaping internet-bound traffic: flow=nfct-src Shaping traffic bound for your local net: flow=dst These will cause a 'flow' to consist of the traffic to/from each internal system. When more than one key is given, they must be enclosed in parentheses and separated by commas. To see a list of the possible flow keys, run this command:
tc filter add flow help
Those that begin with "nfct-" are Netfilter connection tracking fields. As shown above, we recommend flow=nfct-src; that means that we want to use the source IP address before SNAT as the key. Shorewall cannot determine ahead of time if the flow classifier is available in your kernel (especially if it was built into the kernel as opposed to being loaded as a module). Consequently, you should check ahead of time to ensure that both your kernel and 'tc' utility support the feature. You can test the 'tc' utility by typing (as root):
tc filter add flow help
If flow is supported, you will see: Usage: ... flow ... [mapping mode]: map key KEY [ OPS ] ... [hashing mode]: hash keys KEY-LIST ... ... If 'flow' is not supported, you will see: Unknown filter "flow", hence option "help" is unparsable If your kernel supports module autoloading, just type (as root):
modprobe cls_flow
If 'flow' is supported, no output is produced; otherwise, you will see: FATAL: Module cls_flow not found. If your kernel is not modularized or does not support module autoloading, look at your kernel configuration (either /proc/config.gz or the .config file in /lib/modules/<kernel-version>/build/). If 'flow' is supported, you will see: CONFIG_NET_CLS_FLOW=m or CONFIG_NET_CLS_FLOW=y. For modularized kernels, Shorewall will attempt to load /lib/modules/<kernel-version>/kernel/net/sched/cls_flow.ko by default.
pfifo - When specified for a leaf class, the pfifo queuing discipline is applied to the class rather than the sfq queuing discipline. limit=number - Added in Shorewall 4.4.3. When specified for a leaf class, specifies the maximum number of packets that may be queued within the class. The number must be > 2 and less than 128. If not specified, the value 127 is assumed. red=(redoption,...) - Added in Shorewall 4.5.6. When specified on a leaf class, causes the class to use the red queuing discipline rather than SFQ. See tc-red (8) for additional information. See shorewall-tcclasses (5) for a description of the allowable redoptions. fq_codel[=(codeloption,...)] - Added in Shorewall 4.5.12. When specified on a leaf class, causes the class to use the FQ CODEL (Fair-queuing Controlled-delay) queuing discipline rather than SFQ. See tc-fq_codel (8) for additional information. See shorewall-tcclasses (5) for a description of the allowable codeloptions.
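An added example, not Shorewall's compiler code: a small Python lint that applies the constraints stated in this section and the tcdevices section to a pair of configuration fragments (bandwidth units with no embedded space and no decimals, hex class numbers unique per interface, MARK "-" on classify devices and within the TC_BITS range otherwise, CEIL not below RATE, exactly one default class per interface, and the sum of top-level RATEs, multiplied by any occurs=, not exceeding OUT-BANDWIDTH). The two fragments are constructed input, and the column handling is a simplification: the REDIRECTED INTERFACES column is ignored and sub-classes (interface:parent:class) are left out of the RATE sum because they borrow from their parent.

```python
# Added example (not part of Shorewall): lint tcdevices/tcclasses fragments
# against the constraints this article states. Simplified column handling.
import re
from typing import Dict, List

# bit/s per suffix the article allows; a bare number means bytes per second
UNITS = {"": 8, "bit": 1, "kbit": 1000, "mbit": 1_000_000,
         "bps": 8, "kbps": 8000, "mbps": 8_000_000}
BW_RE = re.compile(r"^(\d+)(bit|kbit|mbit|bps|kbps|mbps)?$", re.IGNORECASE)

# Constructed fragments: ppp0 over-commits its RATEs; eth1 repeats a class
# number and has a CEIL below its RATE.
TCDEVICES = """\
#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH   OPTIONS
ppp0         6000kbit       500kbit
eth1         -              100mbit         classify
"""
TCCLASSES = """\
#INTERFACE   MARK   RATE      CEIL     PRIORITY   OPTIONS
ppp0         1      100kbit   full     1          tcp-ack,tos-minimize-delay
ppp0         2      300kbit   full     2          default
ppp0         3      200kbit   full     3
eth1:1       -      10mbit    50mbit   1          default
eth1:2       -      60mbit    20mbit   2
eth1:2       -      1mbit     full     3
"""


def parse_bandwidth(text: str) -> int:
    """'100kbit' -> 100000 bit/s. '100 kbit', '0.5mbit' and unknown units are
    rejected. Anything after a ':' (IN-BANDWIDTH burst, HFSC DMAX/UMAX) is
    dropped, since only the rate itself is checked here."""
    m = BW_RE.match(text.split(":")[0])
    if not m:
        raise ValueError(f"bad bandwidth {text!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "").lower()]


def is_valid_bandwidth(text: str) -> bool:
    try:
        parse_bandwidth(text)
        return True
    except ValueError:
        return False


def _rows(text: str) -> List[List[str]]:
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def lint(tcdevices: str, tcclasses: str, tc_bits: int = 8) -> List[str]:
    problems: List[str] = []
    devs: Dict[str, dict] = {}
    for row in _rows(tcdevices):
        opts = row[3].split(",") if len(row) > 3 else []
        devs[row[0].split(":")[-1]] = {             # accept an 'n:eth0' prefix
            "out": parse_bandwidth(row[2]), "classify": "classify" in opts,
            "rate_sum": 0, "defaults": 0, "classes": set()}
    max_mark = (1 << tc_bits) - 1
    for row in _rows(tcclasses):
        parts, mark, rate, ceil = row[0].split(":"), row[1], row[2], row[3]
        opts = row[5].split(",") if len(row) > 5 else []
        dev = devs.get(parts[0])
        if dev is None:
            problems.append(f"{row[0]}: interface {parts[0]} not in tcdevices")
            continue
        if len(parts) > 1:                          # explicit class number, in hex
            try:
                cls = int(parts[-1], 16)
            except ValueError:
                problems.append(f"{row[0]}: class number {parts[-1]} is not hex")
                continue
            if cls in dev["classes"]:
                problems.append(f"{row[0]}: duplicate class number {parts[-1]}")
            dev["classes"].add(cls)
        if dev["classify"] and mark != "-":
            problems.append(f"{row[0]}: MARK must be '-' on a classify device")
        elif not dev["classify"] and mark != "-" and not 1 <= int(mark) <= max_mark:
            problems.append(f"{row[0]}: MARK {mark} outside 1-{max_mark} (TC_BITS={tc_bits})")
        r = parse_bandwidth(rate)
        if ceil != "full" and parse_bandwidth(ceil) < r:
            problems.append(f"{row[0]}: CEIL {ceil} below RATE {rate}")
        if len(parts) < 3:                          # top-level class, not a sub-class
            occurs = next((int(o[7:]) for o in opts if o.startswith("occurs=")), 1)
            dev["rate_sum"] += r * occurs
        dev["defaults"] += "default" in opts
    for name, dev in devs.items():
        if dev["rate_sum"] > dev["out"]:
            problems.append(f"{name}: RATEs sum to more than OUT-BANDWIDTH; "
                            "the OUT-BANDWIDTH limit will not be honored")
        if dev["defaults"] != 1:
            problems.append(f"{name}: exactly one default class required, "
                            f"found {dev['defaults']}")
    return problems


if __name__ == "__main__":
    for problem in lint(TCDEVICES, TCCLASSES):
        print(problem)
```

Run it with a larger TC_BITS (lint(..., tc_bits=14)) to see the MARK range check widen to 1-16383, matching the WIDE_TC_MARKS=Yes / TC_BITS=14 setting described above.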
/etc/shorewall/mangle and /etc/shorewall/tcrules Unlike rules in the shorewall-rules(5) file, evaluation of rules in this file will continue after a match. So the final mark for each packet will be the one assigned by the LAST mangle (tcrules) entry that matches. Also unlike rules in the shorewall-rules(5) file, the mangle (tcrules) file is not stateful. So every packet that goes into, out of or through your firewall is subject to entries in the mangle (tcrules) file. Because mangle (tcrules) entries are not stateful, it is necessary to understand basic IP socket operation. Here is an edited excerpt from a post on the Shorewall Users list:
For the purposes of this discussion, the world is separated into clients and servers. Servers provide services to clients. When a server starts, it creates a socket and binds the socket to an address. For AF_INET (IPv4) and AF_INET6 (IPv6) sockets, that address is an ordered triple consisting of an IPv4 or IPv6 address, a protocol, and possibly a port number. Port numbers are only used when the protocol is TCP, UDP, SCTP or DCCP. The protocol and port number used by a server are typically well-known so that clients will be able to connect to it or send datagrams to it. So SSH servers bind to TCP port 22, SMTP servers bind to TCP port 25, etc. We will call this port the SERVER PORT. When a client wants to use the service provided by a server, it also creates a socket and, like the server's socket, the client's socket must be bound to an address. But in the case of the client, the socket is usually given an automatic address binding. For AF_INET and AF_INET6 sockets, the IP address is the IP address of the client system (loose generalization) and the port number is selected from a local port range. On Linux systems, the local port range can be seen by cat /proc/sys/net/ipv4/ip_local_port_range. So it is not possible in advance to determine what port the client will be using. Whatever it is, we'll call it the CLIENT PORT. Now:
Packets sent from the client to the server will have:
SOURCE PORT = CLIENT PORT DEST PORT = SERVER PORT
Packets sent from the server to the client will have:
SOURCE PORT = SERVER PORT DEST PORT = CLIENT PORT
Since the SERVER PORT is generally the only port known ahead of time, we must categorize traffic from the server to the client using the SOURCE PORT.
The fwmark classifier provides a convenient way to classify packets for traffic shaping. The /etc/shorewall/mangle (/etc/shorewall/tcrules) file is used for specifying these marks in a tabular fashion. For an in-depth look at the packet marking facility in Netfilter/Shorewall, please see this article. For marking forwarded traffic, you must either set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf or use the :F qualifier (see below). See shorewall-mangle(5) and shorewall-tcrules(5) for a description of the entries in these files. Note that the mangle file superseded the tcrules file in Shorewall 4.6.0. The following examples are for the mangle file. <para>All packets arriving on eth1 should be marked with 1. All packets arriving on eth2 and eth3 should be marked with 2. All packets originating on the firewall itself should be marked with 3.</para> <programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(1) eth1 0.0.0.0/0 all
MARK(2) eth2 0.0.0.0/0 all
MARK(2) eth3 0.0.0.0/0 all
MARK(3) $FW 0.0.0.0/0 all</programlisting> </example> <example id="Example2"> <title/> <para>All GRE (protocol 47) packets destined for 155.186.235.151 should be marked with 12.</para> <programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(12):T 0.0.0.0/0 155.186.235.151 47</programlisting> </example> <example id="Example3"> <title/> <para>All SSH request packets originating in 192.168.1.0/24 and destined for 155.186.235.151 should be marked with 22.</para> <programlisting>#ACTION SOURCE DEST PROTO DPORT
MARK(22):T 192.168.1.0/24 155.186.235.151 tcp 22</programlisting> </example> <example id="Example4"> <title/> <para>All SSH packets going out of the first device in /etc/shorewall/tcdevices should be assigned to the class with mark value 10 (class 1:110: with WIDE_TC_MARKS=No, the class number is built by prefixing '1' to the mark value). Both directions are needed because the mangle file is not stateful: the request is matched on DPORT 22 and the reply on SPORT 22.</para> <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22
CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting> </example> <example id="Example5"> <title/> <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to peer traffic with packet mark 4.</para> <para>This is a little more complex than otherwise expected. Since the ipp2p module is unable to determine that all packets in a connection are P2P packets, we mark the entire connection as P2P if any of the packets are determined to match. We assume packet/connection mark 0 to mean unclassified. Traffic originating on the firewall is not covered by this example.</para> <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting> <para>The last four rules can be translated as:</para> <blockquote> <para>"If a packet hasn't been classified (packet mark is 0), copy the connection mark to the packet mark. If the packet mark is now set, we're done. If the packet is P2P, set the packet mark to 4. If the packet mark has been set, save it to the connection mark."</para> </blockquote> </example> <example> <title/> <para>Mark all forwarded VOIP connections with connection mark 1 and ensure that all VOIP packets also receive that mark (assumes that nf_conntrack_sip is loaded).</para> <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CONNBYTES TOS HELPER
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
1 0.0.0.0/0 0.0.0.0/0 all - - - - - - sip
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting> </example> </section> <section id="ppp"> <title>ppp devices If you use ppp/pppoe/pppoa to connect to your Internet provider and you use traffic shaping, you need to re-apply the Shorewall traffic shaping configuration whenever the link comes up. The reason for this is that if the ppp connection gets restarted (and it usually does this at least daily), all tc filters/qdiscs related to that interface are deleted.
The easiest way to achieve this is to refresh Shorewall once the link is up. To do so, add a small executable script to /etc/ppp/ip-up.d:

#! /bin/sh
/sbin/shorewall refresh
Sharing a TC configuration between Shorewall and Shorewall6 Beginning with Shorewall 4.4.15, the traffic-shaping configuration in the tcdevices, tcclasses and tcfilters files can be shared between Shorewall and Shorewall6. Only one of the products can control the configuration, but the other can configure CLASSIFY rules in its own mangle or tcrules file that refer to the shared classes. To define the configuration in Shorewall and share it with Shorewall6: Set TC_ENABLED=Internal in shorewall.conf (5). Set TC_ENABLED=Shared in shorewall6.conf (5). Create symbolic links from /etc/shorewall6 to /etc/shorewall/tcdevices and /etc/shorewall/tcclasses:

ln -s ../shorewall/tcdevices /etc/shorewall6/tcdevices
ln -s ../shorewall/tcclasses /etc/shorewall6/tcclasses

If you need to define IPv6 tcfilter entries, do so in /etc/shorewall/tcfilters. That file now allows entries that apply to IPv6. Shorewall6 compilations then have access to the tcdevices and tcclasses files, although they will create no output from them. That access allows CLASSIFY rules in /etc/shorewall6/mangle to be validated against the TC configuration. In this configuration, it is Shorewall that controls the TC configuration (except for IPv6 mangle). You can reverse the settings in the files if you want to control the configuration using Shorewall6.
Per-IP Traffic Shaping Some network administrators feel that they have to divvy up their available bandwidth by IP address rather than by prioritizing the traffic based on the type of traffic. This gets really awkward when there are a large number of local IP addresses. This section describes the Shorewall facility for making this configuration less tedious (and a lot more efficient). Note that it requires that you install xtables-addons. So before you try this facility, we suggest that you first add the following OPTION to the leaf classes of each external interface in /etc/shorewall/tcclasses: flow=nfct-src If you shape traffic on your internal interface(s), then add this to their classes: flow=dst You may find that this simple change is all that is needed to control bandwidth hogs like BitTorrent. If it isn't, then proceed as described in this section. The facility has two components: An IPMARK MARKing command in /etc/shorewall/mangle (/etc/shorewall/tcrules). An occurs OPTION in /etc/shorewall/tcclasses. The facility is currently only available with IPv4. In a sense, the IPMARK target is more like an IPCLASSIFY target in that the mark value is later interpreted as a class ID. A packet mark is 32 bits wide; so is a class ID. The major class occupies the high-order 16 bits and the minor class occupies the low-order 16 bits. So the class ID 1:4ff (remember that class IDs are always in hex) is equivalent to a mark value of 0x104ff. Remember that Shorewall uses the interface number as the major number, where the first interface in tcdevices has major number 1, the second has major number 2, and so on. The IPMARK target assigns a mark to each matching packet based on either the source or destination IP address. By default, it assigns a mark value equal to the low-order 8 bits of the source address. The syntax is as follows:
IPMARK[([{src|dst}][,[mask1][,[mask2][,[shift]]]])]
Default values are:

src
mask1 = 0xFF
mask2 = 0x00
shift = 0

src and dst specify whether the mark is to be based on the source or destination address respectively. The selected address is first shifted right by shift, then logically ANDed (LAND) with mask1 and then logically ORed (LOR) with mask2. The shift argument is intended to be used primarily with IPv6 addresses.

Example:

IPMARK(src,0xff,0x10100)

Source IP address is 192.168.4.3 = 0xc0a80403

0xc0a80403 >> 0 = 0xc0a80403
0xc0a80403 LAND 0xFF = 0x03
0x03 LOR 0x10100 = 0x10103

So the mark value is 0x10103, which corresponds to class ID 1:103.

It is important to realize that, while class IDs are composed of a major and a minor value, the set of minor values must be unique. You must keep this in mind when deciding how to map IP addresses to class IDs. For example, suppose that your internal network is 192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs 1:1 through 1:6. But 1:1 is the class ID of the base HTB class on interface 1. So you might choose instead to use IPMARK(src,0xFF,0x10100), as shown in the example above, so as to avoid minor class 1.

The occurs option in /etc/shorewall/tcclasses causes the class definition to be replicated many times. The syntax is:
occurs=number
When occurs is used:

- The associated device may not have the classify option.
- The class may not be the default class.
- The class may not have any tos= options (including tcp-ack).
- The class should not specify a MARK value. Any MARK value given is ignored with a warning.
- The RATE and CEIL parameters apply to each instance of the class. So the total RATE represented by an entry with occurs will be the listed RATE multiplied by number.

Example:

/etc/shorewall/tcdevices:

#INTERFACE   IN_BANDWIDTH   OUT_BANDWIDTH
eth0         100mbit        100mbit

/etc/shorewall/tcclasses:

#DEVICE      MARK   RATE    CEIL      PRIORITY   OPTIONS
eth0:101     -      1kbit   230kbit   4          occurs=6

The above defines 6 classes with class IDs 0x101-0x106. Each class has a guaranteed rate of 1kbit/second and a ceiling of 230kbit.

/etc/shorewall/mangle or /etc/shorewall/tcrules:

#ACTION                       SOURCE           DEST
IPMARK(src,0xff,0x10100):F    192.168.1.0/29   eth0

This facility also alters the way in which Shorewall generates a class number when none is given. Prior to the implementation of this facility, the class number was constructed by concatenating the MARK value with either '1' or '10'. '10' was used when there were more than 10 devices defined in /etc/shorewall/tcdevices. With this facility, a new method is added; class numbers are assigned sequentially beginning with 2. The WIDE_TC_MARKS option in shorewall.conf selects which construction to use. WIDE_TC_MARKS=No (the default) produces pre-Shorewall 4.4 behavior. WIDE_TC_MARKS=Yes (TC_BITS >= 14 in Shorewall 4.4.26 and later) produces the new behavior.
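The mark arithmetic above is easy to get wrong for networks larger than a /29, where two hosts can share the same low-order byte and therefore the same minor class. The following Python is an added example, not code from the Shorewall project: it reproduces the IPMARK computation (shift, then mask1, then mask2), splits the mark into major:minor as tc reads it, and, for a whole network, reports the problems the text warns about (a minor of 1, duplicate minors, a major that is not the interface number, or a class that no occurs= entry created). The function names, the interface_number/first_minor/occurs parameters and the 10.0.0.0/23 test network are this example's own.

```python
"""IPMARK mark arithmetic and class-ID collision checks (added example).

Not Shorewall code. Follows the text: mark = ((address >> shift) & mask1) | mask2;
the high 16 bits of the mark are the HTB major (the interface number), the low
16 bits the minor; every host must land on a distinct minor; minor 1 is the base class.
"""
import ipaddress


def ipmark(addr, mask1=0xFF, mask2=0x00, shift=0):
    """Mark that IPMARK({src|dst},mask1,mask2,shift) assigns to one IPv4 address.
    The defaults are the ones listed in the text."""
    value = int(ipaddress.IPv4Address(addr))
    return ((value >> shift) & mask1) | mask2


def mark_to_classid(mark):
    """Read a 32-bit mark as a tc class ID, major:minor in hex."""
    return f"{mark >> 16:x}:{mark & 0xFFFF:x}"


def check_mapping(network, mask1=0xFF, mask2=0x00, shift=0,
                  interface_number=1, first_minor=None, occurs=None):
    """Map every host of `network` to its class and collect the problems the text warns about.

    Returns (mapping, problems): mapping is {host: 'major:minor'}; problems lists hosts
    whose major is not the interface number, whose minor is 1 (the base HTB class), whose
    minor another host already uses, or whose class lies outside the range an occurs=
    entry starting at first_minor would create (only checked when occurs is given).
    """
    mapping, owner_of_minor, problems = {}, {}, []
    for host in ipaddress.IPv4Network(network).hosts():
        host = str(host)
        mark = ipmark(host, mask1, mask2, shift)
        major, minor = mark >> 16, mark & 0xFFFF
        mapping[host] = mark_to_classid(mark)
        if major != interface_number:
            problems.append(f"{host}: major {major:x} is not interface number {interface_number:x}")
        if minor == 1:
            problems.append(f"{host}: minor 1 collides with the base HTB class {major:x}:1")
        if minor in owner_of_minor:
            problems.append(f"{host}: minor {minor:x} already used by {owner_of_minor[minor]}")
        else:
            owner_of_minor[minor] = host
        if occurs is not None and not first_minor <= minor < first_minor + occurs:
            problems.append(f"{host}: class {mapping[host]} is outside the occurs={occurs} range")
    return mapping, problems


if __name__ == "__main__":
    # The text's own example: 192.168.4.3 with IPMARK(src,0xff,0x10100) -> 1:103
    print(mark_to_classid(ipmark("192.168.4.3", 0xFF, 0x10100)))
    # The /29 example: mask2=0x10000 lands 192.168.1.1 on the base class 1:1 ...
    print(check_mapping("192.168.1.0/29", 0xFF, 0x10000)[1])
    # ... while mask2=0x10100 with eth0:101 occurs=6 is clean.
    print(check_mapping("192.168.1.0/29", 0xFF, 0x10100, first_minor=0x101, occurs=6)[1])
    # A /23 (constructed case) reuses every low byte twice, so minors collide.
    print(check_mapping("10.0.0.0/23", 0xFF, 0x10100)[1][:2])
```

Run the checker against the real mask values before committing a mangle entry; a non-empty problem list means some hosts would silently share a class or fall into the default class.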
Real life examples
A Shorewall User's Experience

Chuck Kollars has provided an excellent writeup about his traffic shaping experiences.
Configuration to replace Wondershaper

You are able to fully replace the wondershaper script by using the builtin traffic control. In this example it is assumed that the interface for your Internet connection is ppp0 (for DSL); if you use another connection type, you have to change it. You also need to change the settings in the tcdevices.wondershaper file to reflect your line speed. The relevant lines of the config files follow here. Please note that this is just a 1:1 replacement doing exactly what wondershaper should do. You are free to change it...
tcdevices file

#INTERFACE   IN_BANDWIDTH   OUT_BANDWIDTH
ppp0         5000kbit       500kbit
tcclasses file

#INTERFACE   MARK   RATE        CEIL        PRIORITY   OPTIONS
ppp0         1      5*full/10   full        1          tcp-ack,tos-minimize-delay
ppp0         2      3*full/10   9*full/10   2          default
ppp0         3      2*full/10   8*full/10   2
mangle file

#ACTION      SOURCE      DEST        PROTO   DPORT          SPORT   USER
MARK(1):F    0.0.0.0/0   0.0.0.0/0   icmp    echo-request
MARK(1):F    0.0.0.0/0   0.0.0.0/0   icmp    echo-reply
# mark traffic which should have a lower priority with a 3:
# mldonkey
MARK(3):F    0.0.0.0/0   0.0.0.0/0   udp     -              4666

Wondershaper allows you to define a set of hosts and/or ports you want to classify as low priority. To achieve this, you have to add these hosts to tcrules and set the mark to 3 (true if you use the example configuration files).
Setting hosts to low priority

Let's assume the following settings from your old wondershaper script (don't assume these example values are really useful, they are only used for demonstrating ;-):

# low priority OUTGOING traffic - you can leave this blank if you want
# low priority source netmasks
NOPRIOHOSTSRC="192.168.1.128/25 192.168.3.28"
# low priority destination netmasks
NOPRIOHOSTDST=60.0.0.0/24
# low priority source ports
NOPRIOPORTSRC="6662 6663"
# low priority destination ports
NOPRIOPORTDST="6662 6663"

This would result in the following additional settings to the mangle file:

#ACTION    SOURCE             DEST          PROTO   DPORT       SPORT       USER
MARK(3)    192.168.1.128/25   0.0.0.0/0     all
MARK(3)    192.168.3.28       0.0.0.0/0     all
MARK(3)    0.0.0.0/0          60.0.0.0/24   all
MARK(3)    0.0.0.0/0          0.0.0.0/0     udp     6662,6663
MARK(3)    0.0.0.0/0          0.0.0.0/0     udp     -           6662,6663
MARK(3)    0.0.0.0/0          0.0.0.0/0     tcp     6662,6663
MARK(3)    0.0.0.0/0          0.0.0.0/0     tcp     -           6662,6663
A simple setup

This is a simple setup for people sharing an Internet connection and using different computers for this. It basically just shapes between 2 hosts, which have the IP addresses 192.168.2.23 and 192.168.2.42.
tcdevices file

#INTERFACE   IN_BANDWIDTH   OUT_BANDWIDTH
ppp0         6000kbit       700kbit

We have 6mbit down and 700kbit upstream.
tcclasses file

#INTERFACE   MARK   RATE      CEIL      PRIORITY   OPTIONS
ppp0         1      10kbit    50kbit    1          tcp-ack,tos-minimize-delay
ppp0         2      300kbit   full      2
ppp0         3      300kbit   full      2
ppp0         4      90kbit    200kbit   3          default

We add a class for TCP ACK packets with the highest priority, so that downloads are fast. The following 2 classes share most of the bandwidth between the 2 hosts; if the connection is idle, they may use full speed. As the hosts should be treated equally, they have the same priority. The last class is for the remaining traffic.
mangle file

#ACTION      SOURCE         DEST        PROTO   DPORT          SPORT   USER
MARK(1):F    0.0.0.0/0      0.0.0.0/0   icmp    echo-request
MARK(1):F    0.0.0.0/0      0.0.0.0/0   icmp    echo-reply
MARK(2):F    192.168.2.23   0.0.0.0/0   all
MARK(3):F    192.168.2.42   0.0.0.0/0   all

Corresponding tcrules file:

#ACTION   SOURCE         DEST        PROTO   DPORT          SPORT   USER
1:F       0.0.0.0/0      0.0.0.0/0   icmp    echo-request
1:F       0.0.0.0/0      0.0.0.0/0   icmp    echo-reply
2:F       192.168.2.23   0.0.0.0/0   all
3:F       192.168.2.42   0.0.0.0/0   all

We mark ICMP pings and replies so they will go into the fast interactive class, and set a mark for each host.
A Warning to Xen Users

If you are running traffic shaping in your dom0 and traffic shaping doesn't seem to be limiting outgoing traffic properly, it may be due to "checksum offloading" in your domU(s). Check the output of "shorewall show tc". Here's an excerpt from the output of that command:

class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 1500 rate 76000bit ceil 230000bit burst 1537b/8 mpu 0b overhead 0b cburst 1614b/8 mpu 0b overhead 0b level 0
 Sent 559018700 bytes 75324 pkt (dropped 0, overlimits 0 requeues 0)
 rate 299288bit 3pps backlog 0b 0p requeues 0
 lended: 53963 borrowed: 21361 giants: 90174
 tokens: -26688 ctokens: -14783

There are two obvious problems in the above output:

- The rate (299288) is considerably larger than the ceiling (230000).
- There are a large number (90174) of giants reported.

This problem will be corrected by disabling "checksum offloading" in your domU(s) using the ethtool utility. See one of the Xen articles for instructions.
An HFSC Example

As mentioned at the top of this article, there is an excellent introduction to HFSC at http://linux-ip.net/articles/hfsc.en/. At the end of that article are 'tc' commands that implement the configuration in the article. Those tc commands correspond to the following Shorewall traffic shaping configuration.

/etc/shorewall/tcdevices:

#INTERFACE   IN_BANDWIDTH   OUT_BANDWIDTH   OPTIONS
eth0         -              1000kbit        hfsc

/etc/shorewall/tcclasses:

#INTERFACE   MARK   RATE                 CEIL   PRIORITY   OPTIONS
1:10         1      500kbit              full   1
1:20         2      500kbit              full   1
1:10:11      3      400kbit:53ms:1500b   full   2
1:10:12      4      100kbit:30ms:1500b   full   2

The following sub-section offers some notes about the article.
Where Did all of those Magic Numbers come from?

As you read the article, numbers seem to be introduced out of thin air. I'll try to shed some light on those. There is a very clear development of these numbers:

- 12ms to transfer a 1500b packet at 1000kbits/second.
- 100kbits per second with 1500b packets requires 8 packets per second.
- A packet from class 1:12 must be sent every 120ms.
- Total transmit delay can be no more than 132ms (120 + 12).

We then learn that the queuing latency can be reduced to 30ms if we use a two-part service curve whose first part is 400kbits/second. Where did those come from? The latency is calculated from the rate. If it takes 12ms to transmit a 1500 byte packet at 1000kbits/second, it takes 30ms to transmit a 1500b packet at 400kbits/second. For the slope of the first part of the service curve, in theory we can pick any number between 100 (the rate of class 1:12) and 500 (the rate of the parent class), with higher numbers providing lower latency.

The final curious number is the latency for class 1:11 - 52.5ms. It is a consequence of everything that has gone before. To achieve 400kbits/second with 1500-byte packets, 33.33 packets per second are required. So a packet from class 1:11 must be sent every 30 ms. As the article says, "...the maximum transmission delay of this class increases from 30ms to a total of 52.5 ms.". So we are looking for an additional 22.5 ms. Assume that both class 1:11 and 1:12 transmit for 30 ms at 400kbits/second. That is a total of 800kbits/second for 30ms. So Class 1:11 is punished for the excess. How long is the punishment? The two classes sent 24,000 bits in 30ms; they are only allowed 0.030 * 500,000 = 15,000. So they are 9,000 bits over their quota. The amount of time required to transmit 9,000 bits at 400,000 bits/second is 22.5ms.
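The derivation above carried through in code, as an added example that is not part of the article or of Shorewall. It generalizes the arithmetic to any packet size, link rate, class rate and first-slope (m1) rate, keeps the results as exact fractions of a millisecond, and enforces the one constraint the text states (m1 must lie between the class rate and the parent rate). The function names and the argument layout are this example's own.

```python
"""HFSC latency numbers from the text, computed exactly (added example).

Not Shorewall code. Rates are bits per second, packet sizes bytes; every
result is a Fraction in milliseconds, so 22.5 ms comes out as exactly 45/2.
"""
from fractions import Fraction


def transmit_ms(packet_bytes, rate_bps):
    """Time to send one packet of `packet_bytes` at `rate_bps`, in ms.

    The same formula gives the spacing between packets of a class that is
    guaranteed `rate_bps`: at 100 kbit/s a 1500-byte packet may leave every 120 ms.
    """
    return Fraction(packet_bytes * 8 * 1000, rate_bps)


def class_latency(packet_bytes, link_bps, class_bps, m1_bps, parent_bps):
    """The numbers the text develops for one leaf class.

    link_transmit_ms:   time to put one packet on the wire (12 ms at 1000 kbit/s)
    packet_interval_ms: one packet interval at the class rate (120 ms for class 1:12)
    worst_delay_ms:     interval plus wire time (132 ms)
    d_ms:               latency bought by the first part of a two-part service
                        curve, i.e. the transmit time at m1 (30 ms at 400 kbit/s)
    m1 must lie between the class rate and the parent rate, as the text says.
    """
    if not class_bps <= m1_bps <= parent_bps:
        raise ValueError("m1 must be between the class rate and the parent rate")
    wire = transmit_ms(packet_bytes, link_bps)
    interval = transmit_ms(packet_bytes, class_bps)
    return {
        "link_transmit_ms": wire,
        "packet_interval_ms": interval,
        "worst_delay_ms": interval + wire,
        "d_ms": transmit_ms(packet_bytes, m1_bps),
    }


def excess_penalty_ms(burst_ms, burst_rates_bps, parent_bps, penalized_bps):
    """How long a class is held back after siblings burst above the parent's rate.

    Two classes at 400 kbit/s for 30 ms send 24,000 bits; a 500 kbit/s parent
    allows 15,000 in that time; working off the 9,000-bit excess at 400 kbit/s
    takes 22.5 ms.
    """
    sent_bits = Fraction(sum(burst_rates_bps) * burst_ms, 1000)
    allowed_bits = Fraction(parent_bps * burst_ms, 1000)
    excess = max(sent_bits - allowed_bits, 0)
    return excess * 1000 / penalized_bps


def class_11_total_latency_ms():
    """Class 1:11 from the article: 30 ms from its own service curve plus the
    22.5 ms penalty for bursting together with class 1:12 -> 52.5 ms."""
    own = class_latency(1500, 1_000_000, 400_000, 400_000, 500_000)["d_ms"]
    return own + excess_penalty_ms(30, [400_000, 400_000], 500_000, 400_000)


if __name__ == "__main__":
    print(class_latency(1500, 1_000_000, 100_000, 400_000, 500_000))
    print(float(class_11_total_latency_ms()), "ms")
```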
Intermediate Functional Block (IFB) Devices

The principle behind an IFB is fairly simple: it looks like a network interface, although it is never given an IPv4 configuration. Because it is a network interface, queuing disciplines can be associated with an IFB. The magic of an IFB comes in the fact that a filter may be defined on a real network interface such that each packet that arrives on that interface is queued for the IFB! In that way, the IFB provides a means for shaping input traffic.

To use an IFB, you must have IFB support in your kernel (configuration option CONFIG_IFB). Assuming that you have a modular kernel, the name of the IFB module is 'ifb' and it may be loaded using the command modprobe ifb (if you have modprobe installed) or insmod /path/to/module/ifb. By default, two IFB devices (ifb0 and ifb1) are created. You can control that using the numifbs option (e.g., modprobe ifb numifbs=1). To create a single IFB when Shorewall starts, place the following two commands in /etc/shorewall/init:

modprobe ifb numifbs=1
ip link set ifb0 up

Entries in /etc/shorewall/mangle or /etc/shorewall/tcrules have no effect on shaping traffic through an IFB. To allow classification of such traffic, the /etc/shorewall/tcfilters file has been added. Entries in that file create u32 classification rules.
/etc/shorewall/tcfilters

While this file was created to allow shaping of traffic through an IFB, the file may be used for general traffic classification as well. The file is similar to shorewall-mangle(5) with the following key exceptions:

- The first match determines the classification, whereas in the mangle file, the last match determines the classification.
- ipsets are not supported.
- DNS names are not supported.
- Address ranges and lists are not supported.
- Exclusion is not supported.
- Filters are applied to packets as they appear on the wire. So incoming packets will not have DNAT applied yet (the destination IP address will be the external address) and outgoing packets will have had SNAT applied.

The last point warrants elaboration. When looking at traffic being shaped by an IFB, there are two cases to consider:

Requests — packets being sent from remote clients to local servers. These packets may undergo subsequent DNAT, either as a result of entries in /etc/shorewall/nat or as a result of DNAT or REDIRECT rules.

Example:

/etc/shorewall/rules:

#ACTION   SOURCE   DEST              PROTO   DPORT   SPORT   ORIGDEST
DNAT      net      dmz:192.168.4.5   tcp     80      -       206.124.146.177

Requests redirected by this rule will have destination IP address 206.124.146.177 and destination port 80.

Responses — packets being sent from remote servers to local clients. These packets may undergo subsequent DNAT as a result of entries in /etc/shorewall/nat or in /etc/shorewall/masq. The packet's destination IP address will be the external address specified in the entry.

Example:

/etc/shorewall/masq:

#INTERFACE   SOURCE           ADDRESS
eth0         192.168.1.0/24   206.124.146.179

When running Shorewall 5.0.14 or later, the equivalent /etc/shorewall/snat would be:

#ACTION                  SOURCE           DEST   ...
SNAT(206.124.146.179)    192.168.1.0/24   eth0

HTTP response packets corresponding to requests that fall under that rule will have destination IP address 206.124.146.179 and source port 80.
Beginning with Shorewall 4.4.15, both IPv4 and IPv6 rules can be defined in this file. See shorewall-tcfilters (5) for details.

Columns in the file are as follows. As in all Shorewall configuration files, a hyphen ("-") may be used to indicate that no value is supplied in the column.

CLASS
    The interface name or number followed by a colon (":") and the class number.

SOURCE
    SOURCE IP address (host or network). DNS names are not allowed.

DEST
    DESTINATION IP address (host or network). DNS names are not allowed.

PROTO
    Protocol name or number.

DPORT
    Comma-separated list of destination port names or numbers. May only be specified if the protocol is TCP, UDP, SCTP or ICMP. Port ranges are supported except for ICMP.

SPORT
    Comma-separated list of source port names or numbers. May only be specified if the protocol is TCP, UDP or SCTP. Port ranges are supported.

TOS
    Specifies the value of the TOS field. The value can be any of the following:

    hex-number
    hex-number/hex-number

    The hex-numbers must be exactly two digits (e.g., 0x04).

LENGTH
    Must be a power of 2 between 32 and 8192 inclusive. Packets with a total length that is strictly less than the specified value will match the rule.

Example:

I've used this configuration on my own firewall. The IFB portion is more for test purposes rather than to serve any well-reasoned QOS strategy.
/etc/shorewall/init:

qt modprobe ifb numifbs=1
qt ip link set dev ifb0 up

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST
-       ifb0

/etc/shorewall/tcdevices:

#INTERFACE   IN_BANDWIDTH   OUT_BANDWIDTH   OPTIONS    REDIRECT
1:eth0       -              384kbit         classify
2:ifb0       -              1300kbit        -          eth0

/etc/shorewall/tcclasses:

#INTERFACE   MARK   RATE        CEIL        PRIORITY   OPTIONS
1:110        -      5*full/10   full        1          tcp-ack,tos-minimize-delay
1:120        -      2*full/10   6*full/10   2          default
1:130        -      2*full/10   6*full/10   3
2:110        -      5*full/10   full        1          tcp-ack,tos-minimize-delay
2:120        -      2*full/10   6*full/10   2          default
2:130        -      2*full/10   6*full/10   3

/etc/shorewall/tcfilters:

#INTERFACE:   SOURCE            DEST              PROTO   DPORT                     SPORT
#
# OUTGOING TRAFFIC
#
1:130         206.124.146.178   -                 tcp     -                         49441,49442   #BITTORRENT on wookie
1:110         206.124.146.178                                                                     #wookie
1:110         206.124.146.179                                                                     #SNAT of internal systems
1:110         206.124.146.180                                                                     #Work Laptop
1:110         -                 -                 icmp    echo-request,echo-reply
1:110         -                 -                 icmp    echo-reply
1:130         206.124.146.177   -                 tcp     -                         873,25        #Bulk Traffic
#
# INCOMING TRAFFIC
#
2:110         -                 206.124.146.178                                                   #Wookie
2:110         -                 206.124.146.179                                                   #SNAT Responses
2:110         -                 206.124.146.180                                                   #Work Laptop
2:130         -                 206.124.146.177   tcp     25                                      #Incoming Email.

You can examine the installed filters with the shorewall show filters command. What follows shows the output for eth0 with the filters shown above. The annotations introduced by "<=========" and the "=====" banner lines are comments explaining the rules; they are not part of the command's output.

gateway:~ # shorewall-lite show filters
Shorewall Lite 4.1.6 Classifiers at gateway - Fri Mar 21 08:06:47 PDT 2008

Device eth1:

Device eth2:

Device eth0:

filter parent 1: protocol ip pref 10 u32
filter parent 1: protocol ip pref 10 u32 fh 3: ht divisor 1                                      <========= Start of table 3. Parses TCP header
filter parent 1: protocol ip pref 10 u32 fh 3::800 order 2048 key ht 3 bkt 0 flowid 1:130  (rule hit 102 success 0)
  match 03690000/ffff0000 at nexthdr+0 (success 0 )                                              <========= SOURCE PORT 873 goes to class 1:130
filter parent 1: protocol ip pref 10 u32 fh 2: ht divisor 1                                      <========= Start of table 2. Parses ICMP header
filter parent 1: protocol ip pref 10 u32 fh 2::800 order 2048 key ht 2 bkt 0 flowid 1:110  (rule hit 0 success 0)
  match 08000000/ff000000 at nexthdr+0 (success 0 )                                              <========= ICMP Type 8 goes to class 1:110
filter parent 1: protocol ip pref 10 u32 fh 2::801 order 2049 key ht 2 bkt 0 flowid 1:110  (rule hit 0 success 0)
  match 00000000/ff000000 at nexthdr+0 (success 0 )                                              <========= ICMP Type 0 goes to class 1:110
filter parent 1: protocol ip pref 10 u32 fh 1: ht divisor 1                                      <========= Start of table 1. Parses TCP header
filter parent 1: protocol ip pref 10 u32 fh 1::800 order 2048 key ht 1 bkt 0 flowid 1:130  (rule hit 0 success 0)
  match c1210000/ffff0000 at nexthdr+0 (success 0 )                                              <========= SOURCE PORT 49441 goes to class 1:130
filter parent 1: protocol ip pref 10 u32 fh 1::801 order 2049 key ht 1 bkt 0 flowid 1:130  (rule hit 0 success 0)
  match c1220000/ffff0000 at nexthdr+0 (success 0 )                                              <========= SOURCE PORT 49442 goes to class 1:130
filter parent 1: protocol ip pref 10 u32 fh 800: ht divisor 1                                    <========= Start of Table 800. Packets start here!
=============== The following 2 rules are generated by the class definition in /etc/shorewall/tcclasses ==================
filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:110  (rule hit 2204 success 138)
  match 00060000/00ff0000 at 8 (success 396 )                                                    <========= TCP
  match 05000000/0f00ffc0 at 0 (success 250 )                                                    <========= Header length 20 and Packet Length < 64
  match 00100000/00ff0000 at 32 (success 138 )                                                   <========= ACK
filter parent 1: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:110  (rule hit 2066 success 0)
  match 00100000/00100000 at 0 (success 0 )                                                      <========= Minimize-delay goes to class 1:110
=============== Jump to Table 1 if the matches are met ==================
filter parent 1: protocol ip pref 10 u32 fh 800::802 order 2050 key ht 800 bkt 0 link 1:  (rule hit 2066 success 0)
  match ce7c92b2/ffffffff at 12 (success 1039 )                                                  <========= SOURCE 206.124.146.178
  match 00060000/00ff0000 at 8 (success 0 )                                                      <========= PROTO TCP
    offset 0f00>>6 at 0  eat
filter parent 1: protocol ip pref 10 u32 fh 800::803 order 2051 key ht 800 bkt 0 flowid 1:110  (rule hit 2066 success 1039)
  match ce7c92b2/ffffffff at 12 (success 1039 )                                                  <========= SOURCE 206.124.146.178 goes to class 1:110
filter parent 1: protocol ip pref 10 u32 fh 800::804 order 2052 key ht 800 bkt 0 flowid 1:110  (rule hit 1027 success 132)
  match ce7c92b3/ffffffff at 12 (success 132 )                                                   <========= SOURCE 206.124.146.179 goes to class 1:110
filter parent 1: protocol ip pref 10 u32 fh 800::805 order 2053 key ht 800 bkt 0 flowid 1:110  (rule hit 895 success 603)
  match ce7c92b4/ffffffff at 12 (success 603 )                                                   <========= SOURCE 206.124.146.180 goes to class 1:110
=============== Jump to Table 2 if the matches are met ==================
filter parent 1: protocol ip pref 10 u32 fh 800::806 order 2054 key ht 800 bkt 0 link 2:  (rule hit 292 success 0)
  match 00010000/00ff0000 at 8 (success 0 )                                                      <========= PROTO ICMP
    offset 0f00>>6 at 0  eat
=============== Jump to Table 3 if the matches are met ==================
filter parent 1: protocol ip pref 10 u32 fh 800::807 order 2055 key ht 800 bkt 0 link 3:  (rule hit 292 success 0)
  match ce7c92b1/ffffffff at 12 (success 265 )                                                   <========= SOURCE 206.124.146.177
  match 00060000/00ff0000 at 8 (success 102 )                                                    <========= PROTO TCP
    offset 0f00>>6 at 0  eat
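Reading a u32 dump like the one above means translating each "match VALUE/MASK at OFFSET" back into a header field by hand. The Python below is an added example, not part of Shorewall: it parses the "filter ... u32 fh ..." and "match" lines that tc prints and names the IPv4 and transport fields each rule tests, so the installed classifiers can be compared with what /etc/shorewall/tcfilters was meant to say. SAMPLE is constructed from a handful of lines of the output above. The decoder assumes IPv4 with a 20-byte header for absolute offsets (the tcp-ack rule itself checks the header length) and that a "nexthdr+N" offset inside a hash table refers to the transport protocol matched by the "link" rule that jumps into that table; the function names are this example's own.

```python
"""Decode the u32 classifier dump printed by 'shorewall show filters' (added example).

Not Shorewall code. Assumes IPv4 with a 20-byte header for absolute offsets and
that 'nexthdr+N' in a hash table means the transport header of the protocol the
'link' rule into that table matched.
"""
import ipaddress
import re

IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
FILTER_RE = re.compile(r"^filter parent \S+ protocol ip pref \d+ u32 fh (\S+)"
                       r"(?: .*?(?:flowid (\S+)|link (\S+)))?")
MATCH_RE = re.compile(r"^\s*match ([0-9a-f]{8})/([0-9a-f]{8}) at (nexthdr\+)?(\d+)")

# Constructed from lines of the 'shorewall-lite show filters' output above.
SAMPLE = """\
filter parent 1: protocol ip pref 10 u32 fh 3: ht divisor 1
filter parent 1: protocol ip pref 10 u32 fh 3::800 order 2048 key ht 3 bkt 0 flowid 1:130  (rule hit 102 success 0)
  match 03690000/ffff0000 at nexthdr+0 (success 0 )
filter parent 1: protocol ip pref 10 u32 fh 2::800 order 2048 key ht 2 bkt 0 flowid 1:110  (rule hit 0 success 0)
  match 08000000/ff000000 at nexthdr+0 (success 0 )
filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:110  (rule hit 2204 success 138)
  match 00060000/00ff0000 at 8 (success 396 )
  match 05000000/0f00ffc0 at 0 (success 250 )
  match 00100000/00ff0000 at 32 (success 138 )
filter parent 1: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:110  (rule hit 2066 success 0)
  match 00100000/00100000 at 0 (success 0 )
filter parent 1: protocol ip pref 10 u32 fh 800::806 order 2054 key ht 800 bkt 0 link 2:  (rule hit 292 success 0)
  match 00010000/00ff0000 at 8 (success 0 )
    offset 0f00>>6 at 0  eat
filter parent 1: protocol ip pref 10 u32 fh 800::807 order 2055 key ht 800 bkt 0 link 3:  (rule hit 292 success 0)
  match ce7c92b1/ffffffff at 12 (success 265 )
  match 00060000/00ff0000 at 8 (success 102 )
    offset 0f00>>6 at 0  eat
"""


def decode_ip_match(value, mask, offset):
    """Name the IPv4 header field tested by a match at an absolute offset."""
    def byte(n):                                   # n-th byte (0..3) of the masked 32-bit word
        return ((value & mask) >> (8 * (3 - n))) & 0xFF

    def byte_mask(n):
        return (mask >> (8 * (3 - n))) & 0xFF

    if offset == 12 and mask == 0xFFFFFFFF:
        return f"source {ipaddress.IPv4Address(value)}"
    if offset == 16 and mask == 0xFFFFFFFF:
        return f"dest {ipaddress.IPv4Address(value)}"
    if offset == 8 and byte_mask(1):               # header byte 9 is the protocol
        return f"proto {IP_PROTO.get(byte(1), byte(1))}"
    if offset == 0:
        parts = []
        if byte_mask(0) & 0x0F:                    # low nibble of byte 0 is the IHL (in 32-bit words)
            parts.append(f"header length {4 * (byte(0) & 0x0F)}")
        if byte_mask(1):                           # byte 1 is the TOS byte; 0x10 is minimize-delay
            parts.append(f"tos bits {byte(1):#04x}" + (" (minimize-delay)" if byte(1) & 0x10 else ""))
        tl_mask = mask & 0xFFFF                    # bytes 2-3 are the total length
        if tl_mask and (value & tl_mask) == 0:     # high bits zero => length below lowest mask bit
            parts.append(f"total length < {tl_mask & -tl_mask}")
        if parts:
            return ", ".join(parts)
    if offset == 32 and byte_mask(1):              # with a 20-byte IP header, byte 33 is TCP flags
        return "tcp flags " + "|".join(n for b, n in TCP_FLAGS.items() if byte(1) & b)
    return f"raw {value:08x}/{mask:08x} at {offset}"


def decode_transport_match(value, mask, offset, proto):
    """Name the transport field tested by a match at nexthdr+offset."""
    if proto == "icmp" and offset == 0 and mask >> 24 == 0xFF:
        return f"icmp type {value >> 24}"
    if proto in ("tcp", "udp") and offset == 0 and mask == 0xFFFF0000:
        return f"{proto} sport {value >> 16}"
    if proto in ("tcp", "udp") and offset == 0 and mask == 0x0000FFFF:
        return f"{proto} dport {value & 0xFFFF}"
    return f"raw {value:08x}/{mask:08x} at nexthdr+{offset}"


def parse_filters(text):
    """Return one dict per u32 rule: table, handle, target and decoded matches."""
    rules = []
    for line in text.splitlines():
        m = FILTER_RE.match(line.strip())
        if m:
            handle, flowid, link = m.groups()
            if "::" in handle:                     # 'fh 3: ht divisor 1' only announces a table
                target = f"class {flowid}" if flowid else f"table {link.rstrip(':')}"
                rules.append({"table": handle.split("::")[0], "handle": handle,
                              "target": target, "raw": [], "matches": []})
            continue
        m = MATCH_RE.match(line)
        if m and rules:
            value, mask, nexthdr, offset = m.groups()
            rules[-1]["raw"].append((int(value, 16), int(mask, 16), int(offset), bool(nexthdr)))
    # A 'link N:' rule that also matches the protocol byte tells us what table N parses.
    table_proto = {}
    for rule in rules:
        if rule["target"].startswith("table "):
            for value, mask, offset, nexthdr in rule["raw"]:
                if not nexthdr and offset == 8 and (mask >> 16) & 0xFF:
                    table_proto[rule["target"][6:]] = IP_PROTO.get((value >> 16) & 0xFF)
    for rule in rules:
        proto = table_proto.get(rule["table"])
        rule["matches"] = [decode_transport_match(v, mk, off, proto) if nh else decode_ip_match(v, mk, off)
                           for v, mk, off, nh in rule["raw"]]
    return rules


def summarize(text):
    """One line per rule, e.g. '800::807: source 206.124.146.177, proto tcp -> table 3'."""
    return [f"{r['handle']}: {', '.join(r['matches'])} -> {r['target']}" for r in parse_filters(text)]
```

Because the link rules appear after the tables they jump into, the parser makes two passes: it first collects every rule, then uses the "link N:" rules to learn which protocol each table parses before decoding the "nexthdr+" matches.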
Understanding the output of 'shorewall show tc'

The shorewall show tc (shorewall-lite show tc) command displays information about the current state of traffic shaping. For each device, it executes the following commands:

echo Device $device:
tc -s -d qdisc show dev $device
echo
tc -s -d class show dev $device
echo

So, the traffic-shaping output is generated entirely by the tc utility. Here's the output for eth0. The configuration is the one shown in the preceding section (the output was obtained almost 24 hours later than the shorewall show filters output shown above). The "=====" banner lines and "<====" annotations are comments, not part of the output.

Device eth0:

============== The primary queuing discipline is HTB (Hierarchical Token Bucket) ====================
qdisc htb 1: r2q 10 default 120 direct_packets_stat 9 ver 3.17
 Sent 2133336743 bytes 4484781 pkt (dropped 198, overlimits 4911403 requeues 21)    <=========== Note the overlimits and dropped counts
 rate 0bit 0pps backlog 0b 8p requeues 21
============== The ingress filter. If you specify IN-BANDWIDTH, you can see the 'dropped' count here.
============== In this case, the packets are being sent to the IFB for shaping
qdisc ingress ffff: ----------------
 Sent 4069015112 bytes 4997252 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
============== Each of the leaf HTB classes has an SFQ qdisc to ensure that each flow gets its turn ============
qdisc sfq 110: parent 1:110 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 613372519 bytes 2870225 pkt (dropped 0, overlimits 0 requeues 6)
 rate 0bit 0pps backlog 0b 0p requeues 6
qdisc sfq 120: parent 1:120 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 18434920 bytes 60961 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 130: parent 1:130 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 1501528722 bytes 1553586 pkt (dropped 198, overlimits 0 requeues 15)
 rate 0bit 0pps backlog 11706b 8p requeues 15

============== Class 1:110 -- the high-priority class ===========
============== Note the rate and ceiling calculated from 'full'
class htb 1:110 parent 1:1 leaf 110: prio 1 quantum 4800 rate 192000bit ceil 384000bit burst 1695b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 0
 Sent 613372519 bytes 2870225 pkt (dropped 0, overlimits 0 requeues 0)
 rate 195672bit 28pps backlog 0b 0p requeues 0    <=========== Note the current rate of traffic. There is no queuing (no packet backlog)
 lended: 2758458 borrowed: 111773 giants:
 tokens: 46263 ctokens: 35157

============== The root class ============
class htb 1:1 root rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 7
 Sent 2133276316 bytes 4484785 pkt (dropped 0, overlimits 0 requeues 0)    <==== Total output traffic since last 'restart'
 rate 363240bit 45pps backlog 0b 0p requeues 0
 lended: 1081936 borrowed: 0 giants: 0
 tokens: -52226 ctokens: -52226

============== Bulk Class (outgoing rsync, email and bittorrent) ============
class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 1900 rate 76000bit ceil 230000bit burst 1637b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
 Sent 1501528722 bytes 1553586 pkt (dropped 198, overlimits 0 requeues 0)
 rate 162528bit 14pps backlog 0b 8p requeues 0    <======== Queuing is occurring (8 packet backlog). The rate is still below the ceiling.
 lended: 587134 borrowed: 966459 giants: 0        <======== During peak activity, the rate tops out at around 231000 (just above ceiling).
 tokens: -30919 ctokens: -97657

============== Default class (mostly serving web pages) ===============
class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 230000bit burst 1637b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
 Sent 18434920 bytes 60961 pkt (dropped 0, overlimits 0 requeues 0)
 rate 2240bit 2pps backlog 0b 0p requeues 0
 lended: 57257 borrowed: 3704 giants: 0
 tokens: 156045 ctokens: 54178
Using your own tc script
Replacing builtin tcstart file

If you prefer your own tcstart file, just install it in /etc/shorewall/tcstart. In your tcstart script, when you want to run the tc utility, use the run_tc function supplied by Shorewall if you want tc errors to stop the firewall.

- Set TC_ENABLED=Yes and CLEAR_TC=Yes.
- Supply an /etc/shorewall/tcstart script to configure your traffic shaping rules.
- Optionally supply an /etc/shorewall/tcclear script to stop traffic shaping. That is usually unnecessary.
- If your tcstart script uses the fwmark classifier, you can mark packets using entries in /etc/shorewall/mangle or /etc/shorewall/tcrules.
Traffic control outside Shorewall

To start traffic shaping when you bring up your network interfaces, you will have to arrange for your traffic shaping configuration script to be run at that time. How you do that is distribution dependent and will not be covered here. You then should:

- Set TC_ENABLED=No and CLEAR_TC=No.
- If your script uses the fwmark classifier, you can mark packets using entries in /etc/shorewall/mangle or /etc/shorewall/tcrules.
Testing Tools At least one Shorewall user has found this tool helpful: http://e2epi.internet2.edu/network-performance-toolkit.html
OpenVPN Tunnels and Bridges

Simon Matter
Tom Eastep

2003, 2004, 2005, 2006 Simon Matter, Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the G
NU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

This article applies to Shorewall 3.0 and later and to OpenVPN 2.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release.

OpenVPN is a robust and highly configurable VPN (Virtual Private Network) daemon which can be used to securely link two or more private networks using an encrypted tunnel over the Internet. OpenVPN is an Open Source project and is licensed under the GPL. OpenVPN can be downloaded from http://openvpn.net/.

Unless there are interoperability issues (the remote systems do not support OpenVPN), OpenVPN is my choice any time that I need a VPN. It is widely supported -- I run it on both Linux and Windows. It requires no kernel patching. It is very easy to configure. It just works!
Preliminary Reading I recommend reading the VPN Basics article if you plan to implement any type of VPN.
Bridging two Masqueraded Networks

Suppose that we have the following situation:

We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy file and OpenVPN. While it was possible to use the Shorewall start and stop script to start and stop OpenVPN, I decided to use the init script of OpenVPN to start and stop it.

On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called vpn and declare it in /etc/shorewall/zones on both systems as follows.
/etc/shorewall/zones — Systems A & B

#ZONE   TYPE   OPTIONS   IN_OPTIONS   OUT_OPTIONS
vpn     ipv4
On system A, the 10.0.0.0/8 will comprise the vpn zone.
In /etc/shorewall/interfaces on system A:

#ZONE   INTERFACE   OPTIONS
vpn     tun0
In /etc/shorewall/tunnels on system A, we need the following:
#TYPE     ZONE   GATEWAY       GATEWAY_ZONE
openvpn   net    134.28.54.2
This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN traffic on the default port 1194/udp will be accepted to/from the remote gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:
/etc/shorewall/tunnels with port 7777:

#TYPE          ZONE   GATEWAY       GATEWAY_ZONE
openvpn:7777   net    134.28.54.2
Similarly, if you want to use TCP for your tunnel rather than UDP (the default), then you can define /etc/shorewall/tunnels like this:
/etc/shorewall/tunnels using TCP:

#TYPE         ZONE   GATEWAY       GATEWAY_ZONE
openvpn:tcp   net    134.28.54.2
Finally, if you want to use TCP and port 7777:
/etc/shorewall/tunnels using TCP port 7777:

#TYPE              ZONE   GATEWAY       GATEWAY_ZONE
openvpn:tcp:7777   net    134.28.54.2
This is the OpenVPN config on system A:
dev tun
local 206.162.148.9
remote 134.28.54.2
ifconfig 192.168.99.1 192.168.99.2
route 10.0.0.0 255.0.0.0 192.168.99.2
tls-server
dh dh1024.pem
ca ca.crt
cert my-a.crt
key my-a.key
comp-lzo
verb 5
Similarly, on system B the 192.168.1.0/24 subnet will comprise the vpn zone.
In /etc/shorewall/interfaces on system B:

#ZONE   INTERFACE   BROADCAST   OPTIONS
vpn     tun0
In /etc/shorewall/tunnels on system B, we have:
#TYPE     ZONE   GATEWAY         GATEWAY_ZONE
openvpn   net    206.191.148.9
And in the OpenVPN config on system B:
dev tun
local 134.28.54.2
remote 206.162.148.9
ifconfig 192.168.99.2 192.168.99.1
route 192.168.1.0 255.255.255.0 192.168.99.1
tls-client
ca ca.crt
cert my-b.crt
key my-b.key
comp-lzo
verb 5
You will need to allow traffic between the vpn zone and the loc zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file:
/etc/shorewall/policy on systems A & B

#SOURCE   DEST   POLICY   LOG LEVEL
loc       vpn    ACCEPT
vpn       loc    ACCEPT
On both systems, restart Shorewall and start OpenVPN. The systems in the two masqueraded subnetworks can now talk to each other.
Roadwarrior

OpenVPN 2.0 provides excellent support for roadwarriors. Consider the setup in the following diagram:

On the gateway system (System A), we need a zone to represent the remote clients — we'll call that zone road.
/etc/shorewall/zones — System A:

#ZONE   TYPE   OPTIONS   IN_OPTIONS   OUT_OPTIONS
road    ipv4
On system A, the remote clients will comprise the road zone.
In /etc/shorewall/interfaces on system A:

#ZONE   INTERFACE   OPTIONS
road    tun+
In /etc/shorewall/tunnels on system A, we need the following:
#TYPE          ZONE   GATEWAY     GATEWAY_ZONE
openvpn:1194   net    0.0.0.0/0
If you are running Shorewall 2.4.3 or later, you might prefer the following in /etc/shorewall/tunnels on system A. Specifying the tunnel type as openvpnserver has the advantage that the VPN connection will still work if the client is behind a gateway/firewall that uses NAT.
#TYPE                ZONE   GATEWAY     GATEWAY_ZONE
openvpnserver:1194   net    0.0.0.0/0
We want the remote systems to have access to the local LAN — we do that with an entry in /etc/shorewall/policy (assume that the local LAN comprises the zone loc).
#SOURCE   DESTINATION   POLICY
road      loc           ACCEPT
The OpenVPN configuration file on system A is something like the following:
dev tun
server 192.168.2.0 255.255.255.0
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/SystemA.pem
key /etc/certs/SystemA_key.pem
port 1194
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
push "route 192.168.1.0 255.255.255.0"
verb 3
Configuration on the remote clients follows a similar line. We define a zone to represent the remote LAN:
/etc/shorewall/zones — System B:

#ZONE   TYPE   OPTIONS   IN        OUT
#                        OPTIONS   OPTIONS
home    ipv4
On system A, the hosts accessible through the tunnel will comprise the home zone.
In /etc/shorewall/interfaces on system B:

#ZONE   INTERFACE   BROADCAST   OPTIONS
home    tun0
In /etc/shorewall/tunnels on system B, we need the following:
#TYPE          ZONE   GATEWAY         GATEWAY_ZONE
openvpn:1194   net    206.162.148.9
Again, if you are running Shorewall 2.4.3 or later, in /etc/shorewall/tunnels on system B you might prefer:
#TYPE                ZONE   GATEWAY         GATEWAY_ZONE
openvpnclient:1194   net    206.162.148.9
We want the remote client to have access to the local LAN — we do that with an entry in /etc/shorewall/policy.
#SOURCE   DESTINATION   POLICY
$FW       home          ACCEPT
The OpenVPN configuration on the remote clients is along the following line:
dev tun
remote 206.162.148.9
up /etc/openvpn/home.up
tls-client
pull
ca /etc/certs/cacert.pem
cert /etc/certs/SystemB.pem
key /etc/certs/SystemB_key.pem
port 1194
user nobody
group nogroup
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3
If you want multiple remote clients to be able to communicate openly with each other, then you must either:
  include the client-to-client directive in the server's OpenVPN configuration; or
  specify the routeback option on the tun+ device in /etc/shorewall/interfaces.
Roadwarrior with Duplicate Network Issue
The information in this section was contributed by Nicola Moretti. If your local LAN uses a popular RFC 1918 network like 192.168.1.0/24, there will be times when your roadwarriors need to access your LAN from a remote location that uses that same network. This may be accomplished by configuring a second server on your firewall that uses a different port and by using NETMAP in your Shorewall configuration. The server configuration in the above diagram is modified as shown here:
dev tun
server 192.168.3.0 255.255.255.0
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/SystemA.pem
key /etc/certs/SystemA_key.pem
port 1195
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
push "route 172.20.1.0 255.255.255.0"
verb 3
In /etc/shorewall/netmap, put these entries:
#TYPE   NET1             INTERFACE   NET2
SNAT    192.168.1.0/24   tun1        172.20.1.0/24
DNAT    172.20.1.0/24    tun1        192.168.1.0/24
The roadwarrior can now connect to port 1195 and access the lan on the right as 172.20.1.0/24.
Roadwarrior with IPv6
While OpenVPN supports tunneling of IPv6 packets, the version of the code that I run under OS X on my Macbook Pro does not support that option. Nevertheless, I am able to take IPv6 on the road with me by creating a 6to4 tunnel through the OpenVPN IPv4 tunnel. In this configuration, the IPv4 address pair (172.20.0.10, 172.20.0.11) is used for the OpenVPN tunnel and (2001:470:e857:2::1, 2001:470:e857:2::2) is used for the 6to4 tunnel. Here are my config files:
Server (conventional routed server config):
dev tun
local 70.90.191.121
server 172.20.0.0 255.255.255.128
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem
port 1194
comp-lzo
user nobody
group nogroup
keepalive 15 45
ping-timer-rem
persist-tun
persist-key
client-config-dir /etc/openvpn/clients
ccd-exclusive
client-to-client
push "route 172.20.1.0 255.255.255.0"
verb 3
In the CCD file for the Macbook Pro:
ifconfig-push 172.20.0.11 172.20.0.10
From /etc/network/interfaces (very standard 6to4 tunnel configuration):
auto mac
iface mac inet6 v4tunnel
    address 2001:470:e857:2::1
    netmask 64
    endpoint 172.20.0.11
    local 172.20.1.254
Note that while the remote endpoint (172.20.0.11) is also the remote endpoint of the OpenVPN tunnel, the local endpoint (172.20.1.254) of the 6to4 tunnel is not the local endpoint of the OpenVPN tunnel (that's 172.20.0.10). 172.20.1.254 is the IPv4 address of the Shorewall firewall's LAN interface.
The following excerpts from the Shorewall configuration show the parts of that configuration that are relevant to these two tunnels. This is not a complete configuration.
/etc/shorewall/zones:
#ZONE      TYPE
fw         firewall
loc        ip         #Local Zone
drct:loc   ipv4       #Direct internet access
net        ipv4       #Internet
vpn        ipv4       #OpenVPN clients
/etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     INT_IF      detect      dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
net     COM_IF      detect      dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
vpn     TUN_IF+     detect      physical=tun+,routeback
-       sit1        -           ignore
-       mac         -           ignore
-       EXT_IF      -           ignore
-       lo          -           ignore
/etc/shorewall/tunnels:
#TYPE               ZONE   GATEWAY   GATEWAY_ZONE
openvpnserver:udp   net
6to4                net
6to4                vpn
Similarly, here are excerpts from the Shorewall6 configuration.
/etc/shorewall6/zones:
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv6
loc     ipv6
rest    ipv6
/etc/shorewall6/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     sit1        detect      tcpflags,forward=1,nosmurfs,routeback
loc     eth4        detect      tcpflags,forward=1
loc     mac         detect      tcpflags,forward=1
rest    eth+
Note that in the IPv6 firewall configuration, the remote Macbook Pro is considered to be part of the local zone (loc).
Client (conventional routed client config):
client
dev tun
proto udp
remote gateway.shorewall.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert mac.crt
key mac.key
ns-cert-type server
comp-lzo
verb 3
up /Users/teastep/bin/up
down /Users/teastep/bin/down
/Users/teastep/bin/up:
#!/bin/bash
LOCAL_IP=172.20.0.11
LOCAL_IPV6=2001:470:e857:2::2
REMOTE_IP=172.20.1.254
REMOTE_IPV6=2001:470:e857:2::1
TUNNEL_IF=gif0
if [ $(ifconfig gif0 | wc -l ) -eq 1 ]; then
    #
    # Tunnel interface is not configured yet
    #
    /sbin/ifconfig $TUNNEL_IF tunnel $LOCAL_IP $REMOTE_IP
    /sbin/ifconfig $TUNNEL_IF inet6 $LOCAL_IPV6 $REMOTE_IPV6 prefixlen 128
else
    /sbin/ifconfig $TUNNEL_IF up
fi
/sbin/route -n add -inet6 default $REMOTE_IPV6 > /dev/null 2>&1
/Users/teastep/bin/down:
#!/bin/bash
TUNNEL_IF=gif0
/sbin/ifconfig $TUNNEL_IF down
/sbin/route -n delete -inet6 default > /dev/null 2>&1
Bridged Roadwarrior
If you want to use a bridged OpenVPN configuration rather than a routed configuration, then follow any of the available HOWTOs to set up the bridged configuration. Then:
  In your current Shorewall two-interface configuration, replace references to your internal interface with the name of the bridge; and
  Set the routeback option in the bridge's entry in /etc/shorewall/interfaces; and
  Add this entry to /etc/shorewall/tunnels:
#TYPE                ZONE   GATEWAY     GATEWAY_ZONE
openvpnserver:1194   net    0.0.0.0/0
This will make the roadwarrior part of your local zone.
Bridging Two Networks
Occasionally, the need arises to have a single LAN span two different geographical locations. OpenVPN allows that to be done easily. Consider the following case: part of the 192.168.1.0/24 network is in one location and part in another. The two LANs can be bridged with OpenVPN as described in this section. This example uses a fixed shared key for encryption.
OpenVPN configuration on the left-hand firewall:
remote 130.252.100.109
dev tap0
secret /etc/openvpn/bridgekey
OpenVPN configuration on the right-hand firewall:
remote 206.124.146.176
dev tap0
secret /etc/openvpn/bridgekey
The bridges can be created by manually making the tap device tap0 and bridging it with the local ethernet interface. Assuming that the local interface on both sides is eth1, the following stanzas in /etc/network/interfaces (Debian and derivatives) will create the bridged interfaces. The stanzas below were written before bridges could be defined in /etc/network/interfaces. For current usage, see bridge-utils-interfaces (5).
/etc/network/interfaces on the left-hand firewall:
iface br0 inet static
    pre-up /usr/sbin/openvpn --mktun --dev tap0
    pre-up /usr/sbin/brctl addbr br0
    address 192.168.1.254
    network 192.168.1.0
    broadcast 192.168.1.255
    netmask 255.255.255.0
    post-up /sbin/ip link set tap0 up
    post-up /usr/sbin/brctl addif br0 tap0
    post-up /sbin/ip link set eth1 up
    post-up /usr/sbin/brctl addif br0 eth1
    post-down /usr/sbin/brctl delbr br0
    post-down /usr/sbin/openvpn --rmtun --dev tap0
    post-down /sbin/ip link set eth1 down
/etc/network/interfaces on the right-hand firewall:
iface br0 inet static
    pre-up /usr/sbin/openvpn --mktun --dev tap0
    pre-up /usr/sbin/brctl addbr br0
    address 192.168.1.253
    network 192.168.1.0
    broadcast 192.168.1.255
    netmask 255.255.255.0
    post-up /sbin/ip link set tap0 up
    post-up /usr/sbin/brctl addif br0 tap0
    post-up /sbin/ip link set eth1 up
    post-up /usr/sbin/brctl addif br0 eth1
    post-down /usr/sbin/brctl delbr br0
    post-down /usr/sbin/openvpn --rmtun --dev tap0
    post-down /sbin/ip link set eth1 down
The Shorewall configuration is just a Simple Bridge.
shorewall-docs-xml-5.2.3/IPv6Support.xml
Shorewall IPv6 Support
Tom Eastep
2008, 2009, 2016, 2017 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
This article applies to Shorewall 4.3 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
Overview Beginning with Shorewall 4.2.4, support for firewalling IPv6 is included as part of Shorewall.
Prerequisites
In order to use Shorewall with IPv6, your firewall must meet the following prerequisites:
  Kernel 2.6.24 or later.
  Iptables 1.4.0 or later (1.4.1.1 is strongly recommended).
  If you wish to include DNS names in your IPv6 configuration files, you must have Perl 5.10 and must install the Perl Socket6 library.
Packages
Shorewall IPv6 support introduced two new packages:
  Shorewall6. This package provides /sbin/shorewall6, which is the IPv6 equivalent of /sbin/shorewall. /sbin/shorewall only handles IPv4 while /sbin/shorewall6 handles only IPv6. Shorewall6 depends on Shorewall. The Shorewall6 configuration is stored in /etc/shorewall6.
  Shorewall6 Lite. This package is to IPv6 what Shorewall Lite is to IPv4. The package stores its configuration in /etc/shorewall6-lite. As with Shorewall Lite, Shorewall6 Lite usually requires no configuration changes on the firewall system.
IPv4/IPv6 Interaction
IP connections are either IPv4 or IPv6; there is no such thing as a mixed IPv4/6 connection. IPv4 connections are controlled by Shorewall (or Shorewall-lite); IPv6 connections are controlled by Shorewall6 (or Shorewall6-lite). Starting and stopping the firewall for one address family has no effect on the other address family. As a consequence, there is very little interaction between Shorewall and Shorewall6.
DISABLE_IPV6 An obvious area where the configuration of Shorewall affects Shorewall6 is the DISABLE_IPV6 setting in /etc/shorewall/shorewall.conf. When configuring Shorewall6, you will want to set DISABLE_IPV6=No and restart Shorewall or Shorewall-lite.
TC_ENABLED
Another area where their configurations overlap is in traffic shaping; the tcdevices and tcclasses files do exactly the same thing in both Shorewall and Shorewall6. Consequently, you will have TC_ENABLED=Internal in Shorewall or in Shorewall6 and TC_ENABLED=No in the other product. Also, you will want CLEAR_TC=No in the configuration with TC_ENABLED=No. Regardless of which product has TC_ENABLED=Internal:
  IPv4 packet marking is controlled by /etc/shorewall/mangle (Shorewall 4.6.0 and later) or by /etc/shorewall/tcrules.
  IPv6 packet marking is controlled by /etc/shorewall6/mangle (Shorewall 4.6.0 and later) or by /etc/shorewall6/tcrules.
KEEP_RT_TABLES
Multi-ISP users will need to be aware of this one. When there are entries in the providers file, Shorewall normally installs a modified /etc/iproute2/rt_tables during shorewall start and shorewall restart and restores a default file during shorewall stop. Setting KEEP_RT_TABLES=Yes in shorewall.conf(5) stops Shorewall (Shorewall lite) from modifying /etc/iproute2/rt_tables. Shorewall6 is also capable of modifying /etc/iproute2/rt_tables in a similar way. Our recommendation to Multi-ISP users is to:
  Select the same names for similar providers.
  Set KEEP_RT_TABLES=No in shorewall.conf(5) and set KEEP_RT_TABLES=Yes in shorewall6.conf(5).
These settings allow Shorewall to control the contents of /etc/iproute2/rt_tables.
6TO4
If you are using a 6to4 tunnel for your IPv6 connectivity, you need an entry in /etc/shorewall/tunnels.
#TYPE   ZONE   GATEWAY   GATEWAY_ZONE
6to4    net
Shorewall6 Differences from Shorewall
Configuring and operating Shorewall6 is very similar to configuring Shorewall, with some notable exceptions:
Default Zone Type
The default zone type in Shorewall6 is ipv6. It is suggested that you specify ipv6 in the TYPE column of /etc/shorewall6/zones and a type of ipv4 in /etc/shorewall/zones; that way, if you run the wrong utility on a configuration, you will get an instant error.
Interface Options
The following interface options are available in /etc/shorewall6/interfaces:
  blacklist
      Same as in Shorewall.
  bridge
      Same as in Shorewall.
  dhcp
      Interface is assigned by IPv6 DHCP or the firewall hosts an IPv6 DHCP server on the interface.
  maclist
      Same as in Shorewall.
  nosmurfs
      Checks the source IP address of packets arriving on the interface and drops packets whose SOURCE address is:
        An IPv6 multicast address.
        The subnet-router anycast address for any of the global unicast addresses assigned to the interface.
        An RFC 2526 anycast address for any of the global unicast addresses assigned to the interface.
  optional
      Same as in Shorewall.
  routeback
      Same as in Shorewall.
  sourceroute[={0|1}]
      Same as in Shorewall.
  tcpflags
      Same as in Shorewall.
  mss=mss
      Same as in Shorewall.
  forward[={0|1}]
      Override the setting of IP_FORWARDING in shorewall6.conf with respect to how the system behaves on this interface. If 1, behave as a router; if 0, behave as a host.
Host Options
The following host options are available in /etc/shorewall6/hosts:
  blacklist
      Same as in Shorewall.
  maclist
      Same as in Shorewall.
  routeback
      Same as in Shorewall.
  tcpflags
      Same as in Shorewall.
Specifying Addresses
Shorewall follows the usual convention of distinguishing IPv6 addresses by enclosing them in square brackets ("[" and "]"). Anywhere that an address or address list follows a colon (":"), the address or list may be enclosed in square brackets to improve readability.
Example (/etc/shorewall6/rules):
#ACTION   SOURCE   DEST                        PROTO   DPORT
?SECTION NEW
ACCEPT    net      $FW:[2002:ce7c:92b4::3]     tcp     22
When the colon is preceded by an interface name, the brackets are required. This is true even when the address is a MAC address in Shorewall format.
Example (/etc/shorewall6/rules):
#ACTION   SOURCE                          DEST   PROTO   DPORT
?SECTION NEW
ACCEPT    net:wlan0:[2002:ce7c:92b4::3]   $FW    tcp     22
Prior to Shorewall 4.5.4, angled brackets ("<" and ">") were used. While these are still accepted, their use is deprecated in favor of square brackets.
Example (/etc/shorewall6/rules):
#ACTION   SOURCE                          DEST   PROTO   DPORT
SECTION NEW
ACCEPT    net:wlan0:<2002:ce7c:92b4::3>   $FW    tcp     22
Prior to Shorewall 4.5.9, network addresses were required to be enclosed in either angle brackets or square brackets (e.g. [2001:470:b:787::/64]). Beginning with Shorewall 4.5.9, the more common representation that places the VLSM outside the brackets is accepted and preferred (e.g., [2001:470:b:787::]/64). Beginning with Shorewall 4.5.14, the rules compiler translates "<" and ">" to "[" and "]" respectively before parsing, so square brackets may appear in error messages even when angled brackets were used.
Stopped State
When Shorewall6 or Shorewall6 Lite is in the stopped state, the following traffic is still allowed:
  Traffic with a multicast destination IP address (ff00::/8).
  Traffic with a link local source address (fe80::/10).
  Traffic with a link local destination address.
Multi-ISP
The Linux IPv6 stack does not support balancing (multi-hop) routes. The and options in shorewall6-providers(5) and USE_DEFAULT_RT=Yes in shorewall6.conf(5) are supported, but at most one provider can have the option and at most one provider can have the option.
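The bracket rules for address columns and the nosmurfs source-address test described above, reimplemented in Python as an added example (this is not Shorewall's own Perl code). The interface prefixes and column values are constructed, and the RFC 2526 check assumes /64 prefixes with EUI-64 style interface identifiers.

```python
"""Added example, not Shorewall's own code: Python versions of two of the
Shorewall6 address rules described above.  normalize_address() applies
the bracket syntax for rule columns ('<' and '>' rewritten to '[' and
']', VLSM inside or outside the brackets, optional interface name before
the address).  is_smurf_source() is the nosmurfs source-address test.
The /64 EUI-64 assumption for RFC 2526 and all sample values are
assumptions made for this example."""
import ipaddress
import re

# zone[:interface]:[address][/vlsm]  -- the interface name, if present, is
# the token between the zone and the opening bracket.
_COLUMN = re.compile(
    r"^(?P<zone>[^:\[\]]+):(?:(?P<iface>[^:\[\]]+):)?"
    r"\[(?P<addr>[^\]]+)\](?:/(?P<vlsm>\d+))?$"
)


def normalize_address(column):
    """Parse a SOURCE/DEST column such as 'net:wlan0:<2002:ce7c:92b4::3>'.
    Returns (zone, interface or None, IPv6Address or IPv6Network)."""
    # Since Shorewall 4.5.14 angle brackets are rewritten to square
    # brackets before parsing; do the same so both spellings are accepted.
    text = column.replace("<", "[").replace(">", "]")
    m = _COLUMN.match(text)
    if not m:
        raise ValueError(f"cannot parse address column: {column!r}")
    addr, vlsm = m.group("addr"), m.group("vlsm")
    if "/" in addr:                       # pre-4.5.9 style: [addr/vlsm]
        if vlsm is not None:
            raise ValueError(f"VLSM given twice in {column!r}")
        addr, vlsm = addr.split("/", 1)
    if vlsm is None:
        value = ipaddress.IPv6Address(addr)
    else:
        value = ipaddress.IPv6Network(f"{addr}/{vlsm}", strict=False)
    return m.group("zone"), m.group("iface"), value


# RFC 2526 reserves the highest 128 EUI-64 interface identifiers of a
# subnet (fdff:ffff:ffff:ff80 .. fdff:ffff:ffff:ffff) as anycast addresses.
_RFC2526_LOW = 0xFDFFFFFFFFFFFF80
_IID_MASK = (1 << 64) - 1


def is_smurf_source(src, interface_prefixes):
    """True if nosmurfs would drop a packet with source address `src`
    arriving on an interface that owns the given global unicast prefixes."""
    addr = ipaddress.IPv6Address(src)
    if addr.is_multicast:                          # ff00::/8
        return True
    for prefix in interface_prefixes:
        net = ipaddress.IPv6Network(prefix, strict=False)
        if net.prefixlen != 64 or addr not in net:
            continue
        if addr == net.network_address:            # subnet-router anycast
            return True
        if (int(addr) & _IID_MASK) >= _RFC2526_LOW:  # RFC 2526 anycast
            return True
    return False
```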
/sbin/shorewall6 and /sbin/shorewall6-lite Commands
Several commands supported by /sbin/shorewall and /sbin/shorewall-lite are not supported by /sbin/shorewall6 and /sbin/shorewall6-lite:
  hits
  ipcalc
  iprange
Macros
The Shorewall6 package depends on Shorewall for application macros. Only certain address-family specific macros such as macro.AllowICMPs are included in Shorewall6. As a consequence, /usr/share/shorewall/ is included in the default Shorewall6 CONFIG_PATH.
Installing IPv6 Support
You will need at least the following packages:
  Shorewall 4.3.5 or later.
  Shorewall6 4.3.5 or later.
You may also wish to install Shorewall6-lite 4.3.5 or later on your remote firewalls to allow for central IPv6 firewall administration.
Shared Shorewall/Shorewall6 Configuration Files Normally, the configuration files for Shorewall are kept in /etc/shorewall/ and those for Shorewall6 are kept in /etc/shorewall6/. It is possible, however, to share almost all of those files as shown in this article.
More information about IPv6
I strongly suggest that you read the Linux IPv6 HOWTO. The 6to4 Tunnels page also includes instructions for setting up your first IPv6 environment. In addition to the Linux IPv6 HOWTO, I have found the following two books to be useful:
  IPv6 Essentials, Silvia Hagen, 2002, O'Reilly Media, Inc, ISBN 0-596-00125-8. O'Reilly published a second edition of this book in 2006.
  IPv6 Theory, Protocol, and Practice, Second Edition, Pete Loshin, 2004, Morgan-Kaufmann Publishers, ISBN 1-55860-820-9.
shorewall-docs-xml-5.2.3/Internals.xml
Shorewall Internals
Tom Eastep
2012 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction This document provides an overview of Shorewall internals. It is intended to ease the task of approaching the Shorewall code base by providing a roadmap of what you will find there.
History
Shorewall was originally written entirely in Bourne Shell. The chief advantage of this approach was that virtually any platform supports the shell, including small embedded environments. The initial release was in early 2001. This version ran iptables, ip, etc. immediately after processing the corresponding configuration entry. If an error was encountered, the firewall was stopped. For this reason, the routestopped file had to be very simple and foolproof. In Shorewall 3.2.0 (July 2006), the implementation was changed to use the current compile-then-execute architecture. This was accomplished by modifying the existing code rather than writing a compiler/generator from scratch. The resulting code was fragile and hard to maintain. 3.2.0 also marked the introduction of Shorewall-lite. By 2007, the compiler had become unmaintainable and needed to be rewritten. I made the decision to write the compiler in Perl and released it as a separate Shorewall-perl package in Shorewall 4.0.0 (July 2007). The shell-based compiler was packaged in a Shorewall-shell package. An option (SHOREWALL_COMPILER) in shorewall.conf specified which compiler to use. The Perl-based compiler was significantly faster, and the compiled script also ran much faster thanks to its use of iptables-restore. Shorewall6 was introduced in Shorewall 4.2.4 (December 2008). Support for the old Shell-based compiler was eliminated in Shorewall 4.4.0 (July 2009). Shorewall 4.5.0 (February 2012) marked the introduction of the current architecture and packaging.
Architecture
The components of the Shorewall product suite fall into five broad categories:
  Build/Install subsystem
  Command Line Interface (CLI)
  Run-time Libraries
  Compiler
  Configuration files (including actions and macros)
Build/Install Subsystem The Shorewall Build/Install subsystem packages the products for release and installs them on an end-user's or a packager's system. It is diagrammed in the following graphic. The build environment components are not released and are discussed in the Shorewall Build Article. The end-user/packager environment consists of the configure and configure.pl programs in Shorewall-core and an install.sh program in each product.
CLI
The CLI is written entirely in Bourne Shell so as to allow it to run on small embedded systems within the -lite products. The CLI programs themselves are very small; they set global variables and then call into the CLI libraries. Here's an example (/sbin/shorewall):
PRODUCT=shorewall
#
# This is modified by the installer when ${SHAREDIR} != /usr/share
#
. /usr/share/shorewall/shorewallrc
g_program=$PRODUCT
g_libexec="$LIBEXECDIR"
g_sharedir="$SHAREDIR"/shorewall
g_sbindir="$SBINDIR"
g_perllib="$PERLLIBDIR"
g_confdir="$CONFDIR"/shorewall
g_readrc=1
. $g_sharedir/lib.cli
shorewall_cli $@
As you can see, it sets the PRODUCT variable, loads the shorewallrc file, sets the global variables (all of which have names beginning with "g_"), loads lib.cli, and calls shorewall_cli passing its own arguments. There are two CLI libraries: lib.cli in Shorewall Core and lib.cli-std in Shorewall. The lib.cli library is always loaded by the CLI programs; lib.cli-std is also loaded when the product is 'shorewall' or 'shorewall6'. lib.cli-std overloads some functions in lib.cli and also provides logic for the additional commands supported by the full products. The CLI libraries load two additional Shell libraries from Shorewall-core: lib.base and lib.common (actually, lib.base loads lib.common). These libraries are separate from lib.cli for both historical and practical reasons. lib.base (aka functions) can be loaded by application programs, although this was more common in the early years of Shorewall. In addition to being loaded by the CLIs, lib.common is also copied into the generated script by the compilers.
Run-time Libraries
There are two libraries that are copied into the generated script by the compiler: lib.common from Shorewall-core and lib.core from Shorewall. The "outer block" of the generated script comes from the Shorewall file prog.footer.
Compiler
With the exception of the getparams Shell program, the compiler is written in Perl. The compiler main program is compiler.pl from the Shorewall package; its run-line arguments are described in the Shorewall Perl Article. It is invoked by the compiler function in lib.cli-std. The compiler is modularized as follows:
  Accounting.pm (Shorewall::Accounting). Processes the accounting file.
  Chains.pm (Shorewall::Chains). This is the module that provides an interface to iptables/Netfilter for the other modules. The optimizer is included in this module.
  Config.pm (Shorewall::Config). This is a multi-purpose module that supplies several related services:
    Error and Progress message production.
    Pre-processor. Supplies all configuration file handling including variable expansion, ?IF...?ELSE...?ENDIF processing, INCLUDE directives and embedded Shell and Perl.
    Output script file creation with functions to write into the script. The latter functions are no-ops when the check command is being executed.
    Capability Detection.
    Miscellaneous utility functions.
  Compiler.pm (Shorewall::Compiler). The compiler() function in this module contains the top level of the compiler.
  IPAddrs.pm (Shorewall::IPAddrs). IP Address validation and manipulation (both IPv4 and IPv6). Also interfaces to NSS for protocol/service name resolution.
  Misc.pm (Shorewall::Misc). Provides services that don't fit well into the other modules.
  Nat.pm (Shorewall::Nat). Handles all nat table rules. Processes the masq, nat and netmap files.
  Proc.pm (Shorewall::Proc). Handles manipulation of /proc/sys/.
  Providers.pm (Shorewall::Providers). Handles policy routing; processes the providers file.
  Proxyarp.pm (Shorewall::Proxyarp). Processes the proxyarp file.
  Raw.pm (Shorewall::Raw). Handles the raw table; processes the conntrack (formerly notrack) file.
  Rules.pm (Shorewall::Rules). Contains the logic for processing the policy and rules files, including macros and actions.
  Tc.pm (Shorewall::Tc). Handles traffic shaping.
  Tunnels.pm (Shorewall::Tunnels). Processes the tunnels file.
  Zones.pm (Shorewall::Zones). Processes the zones, interfaces and hosts files. Provides the interface to zones and interfaces to the other modules.
Because the params file can contain arbitrary shell code, it must be processed by a shell. The body of getparams is as follows:
# Parameters:
#
#   $1 = Path name of params file
#   $2 = $CONFIG_PATH
#   $3 = Address family (4 or 6)
#
if [ "$3" = 6 ]; then
    PRODUCT=shorewall6
else
    PRODUCT=shorewall
fi
#
# This is modified by the installer when ${SHAREDIR} != /usr/share
#
. /usr/share/shorewall/shorewallrc
g_program="$PRODUCT"
g_libexec="$LIBEXECDIR"
g_sharedir="$SHAREDIR"/shorewall
g_sbindir="$SBINDIR"
g_perllib="$PERLLIBDIR"
g_confdir="$CONFDIR/$PRODUCT"
g_readrc=1
. $g_sharedir/lib.cli
CONFIG_PATH="$2"
set -a
. $1 >&2 # Avoid spurious output on STDOUT
set +a
export -p
The program establishes the environment of the Shorewall or Shorewall6 CLI program, since that is the environment in which the params file has traditionally been processed. It then sets the -a option so that all newly-created variables will be exported and invokes the params file. Because the STDOUT file is a pipe back to the compiler, no spurious output must be sent to that file; so getparams redirects the output of the params file to STDERR. After the script has executed, an export -p command is executed to send the contents of the environ array back to the compiler. Regrettably, the various shells (and even different versions of the same shell) produce quite different output from export -p. The Perl function Shorewall::Config::getparams() detects which species of shell was being used and stores the variable settings into the %params hash. Variables that are also in %ENV are only stored in %params if their value in the output from the getparams script is different from that in %ENV.
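The compiler-side half of that exchange, as an added Python example (not Shorewall's own Shorewall::Config::getparams()): detect which export -p dialect the shell produced, parse the variable settings, and keep only those that differ from the compiler's own environment. The bash (declare -x NAME="value") and POSIX (export NAME='value') line formats are real; the sample outputs and the baseline environment are constructed.

```python
"""Added example, not Shorewall's own code: parse `export -p` output from
getparams into the equivalent of the %params hash.  Handles bash's
`declare -x NAME="value"` lines and the `export NAME='value'` lines
printed by dash/ash.  One variable per line is assumed; the sample
outputs and COMPILER_ENV below are constructed."""
import re
import shlex

# bash: declare -x NAME="value"  (double quotes, backslash escapes inside)
_BASH_LINE = re.compile(r'^declare -x ([A-Za-z_]\w*)(?:="(.*)")?$')
# dash/ash: export NAME='value'  (single quotes, '\'' for an embedded quote)
_POSIX_LINE = re.compile(r"^export ([A-Za-z_]\w*)(?:=(.*))?$")


def detect_shell(output):
    """Return 'bash' or 'posix' depending on the `export -p` dialect seen."""
    return "bash" if output.lstrip().startswith("declare -x") else "posix"


def parse_export_p(output, env):
    """Build the %params equivalent from `export -p` output.  A variable
    that is also in `env` (the compiler's %ENV) is kept only when its
    value differs, as the text above describes.  Names that are exported
    but unset (no '=') are skipped."""
    dialect = detect_shell(output)
    params = {}
    for raw in output.splitlines():
        if dialect == "bash":
            m = _BASH_LINE.match(raw)
            if not m or m.group(2) is None:
                continue
            name = m.group(1)
            value = re.sub(r'\\(["\\$`])', r"\1", m.group(2))  # undo bash escaping
        else:
            m = _POSIX_LINE.match(raw)
            if not m or m.group(2) is None:
                continue
            name = m.group(1)
            value = "".join(shlex.split(m.group(2)))            # undo POSIX quoting
        if name in env and env[name] == value:
            continue
        params[name] = value
    return params


# Constructed samples of what `export -p` prints after sourcing a params
# file that sets NET_IF, MOTD and OWNER.
BASH_OUTPUT = (
    'declare -x HOME="/root"\n'
    'declare -x NET_IF="eth0"\n'
    'declare -x MOTD="say \\"hi\\""\n'
    'declare -x UNSET_VAR\n'
)
POSIX_OUTPUT = (
    "export HOME='/root'\n"
    "export NET_IF='eth0'\n"
    "export OWNER='it'\\''s'\n"
)
COMPILER_ENV = {"HOME": "/root", "NET_IF": "eth1"}   # constructed %ENV


if __name__ == "__main__":
    print(parse_export_p(BASH_OUTPUT, COMPILER_ENV))
    print(parse_export_p(POSIX_OUTPUT, COMPILER_ENV))
```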
Configuration Files
The configuration files are all well-documented. About the only thing worth noting is that some macros and actions are duplicated in the Shorewall and Shorewall6 packages. Because the Shorewall6 default CONFIG_PATH looks in ${SHAREDIR}/shorewall6 before looking in ${SHAREDIR}/shorewall, this allows Shorewall6 to implement IPv6-specific handling where required.
The Generated Script The generated script is completely self-contained so as to avoid version dependencies between the Shorewall version used to create the script and the version of Shorewall-common installed on the remote firewall. The operation of the generated script is illustrated in this diagram. The Netfilter ruleset is sometimes dependent on the environment when the script runs. Dynamic IP addresses and gateways, for example, must be detected when the script runs. As a consequence, it is the generated script and not the compiler that creates the input for iptables-restore. While that input could be passed to iptables-restore in a pipe, it is written to ${VARDIR}/.iptables_restore-input so that it is available for post-mortem analysis in the event that iptables-restore fails. For the other utilities (ip, tc, ipset, etc), the script runs them passing their input on the run-line.
Compiler Internals
Because the compiler is the most complex part of the Shorewall product suite, I've chosen to document it first. Before diving into the details of the individual modules, let's take a look at a few general things.
Modularization
While the compiler is modularized and uses encapsulation, it is not object-oriented. This is due to the fact that much of the compiler was written by manually translating the earlier Shell code. Module data is not completely encapsulated. Heavily used tables, most notably the Chain Table (%chain_table) in Shorewall::Chains, are exported for read access. Updates to module data are always encapsulated.
Module Initialization
While currently unused and untested, the Compiler modules are designed to be able to be loaded into a parent Perl program and the compiler executed repeatedly without unloading the modules. To accommodate that usage scenario, variable data is not initialized at declaration time or in an INIT block, but is rather initialized in an initialize function. Because all of these functions have the same name ("initialize"), they are not exported but are rather called using a fully-qualified name (e.g., "Shorewall::Config::initialize"). Most of the initialization functions accept arguments. The most common argument is the address family (4 or 6), depending on whether an IPv4 or IPv6 firewall is being compiled. Each of the modules that are address-family dependent has its own $family private (my) variable.
Module Dependence Here is the module dependency tree. To simplify the diagram, direct dependencies are not shown where there is also a transitive dependency.
Config Module As mentioned above, the Config module offers several related services. Each will be described in a separate sub-section.
Pre-processor
Unlike preprocessors like cpp, the Shorewall pre-processor does its work each time that a higher-level module asks for the next line of input. The major exported functions in the pre-processor are:
  open_file( $ )
      The single argument names the file to be opened and is usually a simple filename such as shorewall.conf. open_file calls find_file, which traverses the CONFIG_PATH looking for a file with the requested name. If the file is found and has non-zero size, it is opened, module-global variables are set as follows, and the fully-qualified name of the file is returned by the function.
        $currentfile: handle for the open file.
        $currentfilename (exported): the fully-qualified name of the file.
        $currentlinenumber: set to zero.
      If the file is not found or if it has zero size, false ('') is returned.
  push_open( $ )
      Sometimes, the higher-level modules need to suspend processing of the current file and open another file. An obvious example is when the Rules module encounters a macro invocation and needs to process the corresponding macro file. The push_open function is called in these cases. push_open pushes $currentfile, $currentfilename, $currentlinenumber and $ifstack onto @includestack, copies @includestack into a local array, pushes a reference to the local array onto @openstack, and empties @includestack. As its final step, push_open calls open_file.
  pop_open()
      The pop_open function must be called after the file opened by push_open is processed. This is true even in the case where push_open returned false. pop_open pops @openstack and restores $currentfile, $currentfilename, $currentlinenumber, $ifstack and @includestack.
  close_file()
      close_file is called to close the current file. Higher-level modules should only call close_file to close the current file prior to end-of-file.
  first_entry( $ )
      This function is called to specify what happens when the first non-commentary and non-blank line is read from the open file.
      The argument may be either a scalar or a function reference. If the argument is a scalar then it is treated as a progress message that should be issued if the VERBOSITY setting is >= 1. If the argument is a function reference, the function (usually a closure) is called. first_entry may be called after a successful call to open_file. If it is not called, then the pre-processor takes no action when the first non-blank non-commentary line is found. first_entry returns no significant value.
  read_a_line( $ )
      This function delivers the next logical input line to the caller. The single argument is defined by the following constants:
use constant {
    PLAIN_READ          => 0,   # No read_a_line options
    EMBEDDED_ENABLED    => 1,   # Look for embedded Shell and Perl
    EXPAND_VARIABLES    => 2,   # Expand Shell variables
    STRIP_COMMENTS      => 4,   # Remove comments
    SUPPRESS_WHITESPACE => 8,   # Ignore blank lines
    CHECK_GUNK          => 16,  # Look for unprintable characters
    CONFIG_CONTINUATION => 32,  # Suppress leading whitespace if
                                # continued line ends in ',' or ':'
    DO_INCLUDE          => 64,  # Look for INCLUDE <filename>
    NORMAL_READ         => -1   # All options
};
      The actual argument may be a bit-wise OR of any of these constants. The function does not return the logical line; that line is rather stored in the module-global variable $currentline (exported). The function simply returns true if a line was read or false if end-of-file was reached. read_a_line automatically calls close_file at EOF.
  split_line1
      Most of the callers of read_a_line want to treat each line as whitespace-separated columns. The split_line and split_line1 functions return an array containing the contents of those columns. The arguments to split_line1 are:
        A => column-number pair for each of the columns in the file. These are used to process lines that use the alternate input methods and also serve to define the number of columns in the file's records.
        A hash reference defining => number-of-columns pairs.
    For example, "{ COMMENT => 0, FORMAT => 2 }" allows COMMENT lines with an unlimited number of space-separated tokens and allows FORMAT lines with exactly two columns. The hash reference must be the last argument passed.

    If there are fewer space-separated tokens on the line than specified in the arguments, then "-" is returned for the omitted trailing columns.

split_line

    split_line simply returns split_line1( @_, {} ).
Error and Progress Message Production

There are several exported functions dealing with error and warning messages:

fatal_error

    The argument(s) to this function describe the error. The generated error message is "ERROR: @_" followed by the name of the file and the line number where the error occurred. The message is written to the STARTUP_LOG, if any. The function does not return but rather passes the message to die or to confess, depending on whether the "-T" option was specified.

warning_message

    The warning_message function is very similar to fatal_error but avoids calling die or confess. It also prefixes the argument(s) with "WARNING: " rather than "ERROR: ". The message is written to Standard Out and to the STARTUP_LOG, if any.

progress_message, progress_message2, progress_message3 and progress_message_nocompress

    These procedures conditionally write their argument(s) to Standard Out and to the STARTUP_LOG (if any), depending on the settings of VERBOSITY and LOG_VERBOSITY respectively.

        progress_message only writes messages when the verbosity is 2. This function also preserves leading whitespace while removing superfluous embedded whitespace from the messages.

        progress_message2 writes messages when the verbosity is >= 1.

        progress_message3 writes messages when the verbosity is >= 0.

        progress_message_nocompress is like progress_message except that it does not preserve leading whitespace, nor does it eliminate superfluous embedded whitespace from the messages.
Script File Handling

The functions involved in script file creation are:

create_temp_script( $$ )

    This function creates and opens a temporary file in the directory where the final script is to be placed; this function is not called when the check command is being processed. The first argument is the fully-qualified name of the output script; the second (boolean) argument determines if the compilation is for export. The function returns no meaningful value but sets module-global variables as follows:

        $script     Handle of the open script file.
        $dir        The directory in which the script was created.
        $tempfile   The name of the temporary file.
        $file       The fully-qualified name of the script file.

finalize_script( $ )

    This function closes the temporary file and renames it to the
Issues when Upgrading to Shorewall 4.4 (Upgrading from Debian Lenny to Squeeze)

Tom Eastep

2009, 2010 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction

Debian Lenny includes Shorewall version 4.0.15 while Squeeze includes Shorewall 4.4. Because there are significant differences between the two product versions, some users may experience upgrade issues. This article outlines those issues and offers advice for dealing with them. Although this article is targeted specifically at Lenny -> Squeeze upgrades, it should be useful to any Shorewall-shell user upgrading to Shorewall 4.4.x. Footnotes are used to flag areas where non-Debian users may experience different results.
Packaging Differences

The first key difference between Shorewall 4.0 and Shorewall 4.4 is in the packaging. (Most distributions use a similar packaging structure. Note, however, that the 'shorewall' package in Simon Matter's RPMs for RedHat/Fedora/CentOS is like the Lenny shorewall-common package.)

In Lenny, there are six Shorewall packages:

    shorewall-common — Contains the basic components needed to create an IPv4 firewall.

    shorewall-shell — The legacy Shorewall configuration compiler written in Bourne shell.

    shorewall — A transitional package that depends on shorewall-common and shorewall-shell. Installing this package installs both shorewall-common and shorewall-shell.

    shorewall-perl — A re-implementation of the Shorewall configuration compiler in Perl. This compiler has many advantages over the shell-based compiler:

        The compiler is much faster.
        The compiler does a much better job of validating the configuration, thus avoiding run-time errors.
        The compiler produces better and more consistent diagnostic messages.
        The compiler produces a script that runs much faster and that does not reject/drop connections during start/restart.

    shorewall-lite — A small package that can run scripts generated by shorewall-shell or shorewall-perl. Allows centralized firewall administration.

    shorewall-doc — Documentation.

In Squeeze, there are six slightly different packages:

    shorewall — Contains everything needed to create an IPv4 firewall. It combines the former shorewall-common and shorewall-perl packages.

    shorewall6 — Depends on shorewall. Adds those components needed to create an IPv6 firewall.

    shorewall-lite — Same as in Lenny; only runs IPv4 firewall scripts.

    shorewall6-lite — Similar to shorewall-lite, except that it only runs IPv6 firewall scripts.

    shorewall-init — Allows the firewall to be closed before interfaces are brought up and also allows the firewall to react to interfaces coming up and going down.

    shorewall-doc — Documentation.
Do not purge the old packages (shorewall-common, shorewall-shell and shorewall-perl) until after the new shorewall package has been installed.

The key change in Squeeze that may produce upgrade issues is that Squeeze does not include the shell-based configuration compiler. As a consequence, unless you are already using Shorewall-perl on Lenny, an upgrade from Lenny to Squeeze will mean that you will be switching from the old shell-based compiler to the new Perl-based compiler. (Note that Perl is a required package on Debian. If you are running an embedded distribution which does not include Perl and it is not feasible to install Perl on your firewall, then you should consider installing Shorewall on another system in your network (perhaps a Windows system running Cygwin or an Apple Macintosh running OS X) and installing Shorewall-lite on your firewall.) While the two compilers are highly compatible, there are some differences. Those differences are detailed in the following sections.
Issues Most Likely to Cause Problems or Concerns
shorewall.conf

As always, when upgrading from one major release of Shorewall to another, the installer will prompt you about replacing your existing shorewall.conf with the updated one from the package. Shorewall is designed with the assumption that users will never replace shorewall.conf, and retaining your existing file will always produce upward-compatible behavior. That having been said, there are a few settings that you may have in your shorewall.conf that will cause compilation warning or error messages after the upgrade.

BLACKLISTNEWONLY

    If you have BLACKLISTNEWONLY=No together with FASTACCEPT=Yes, you will receive this error:

        ERROR: BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes

    To eliminate the error, reverse the setting of one of the options. This combination never worked correctly in earlier versions -- to duplicate the earlier behavior, you will want to set BLACKLISTNEWONLY=Yes.

BRIDGING

    If you have set this option to Yes, you will receive the following error:

        ERROR: BRIDGING=Yes is not supported by Shorewall 4.4.x

    You should not be receiving this error if you are upgrading from Lenny, since BRIDGING=Yes did not work in that release either. (If you are upgrading from a release using a kernel earlier than 2.6.20, then BRIDGING=Yes did work correctly with Shorewall-shell.) If you have a bridge configuration where you want to control connections through the bridge, you will want to visit http://www.shorewall.net/bridge-Shorewall-perl.html (kernel 2.6.20 or later is required).

DELAYBLACKLISTLOAD

    If you have set this option to Yes, you will receive the following warning:

        WARNING: DELAYBLACKLIST=Yes is not supported by Shorewall 4.4.x

    To eliminate the warning, set DELAYBLACKLISTLOAD=No or remove the setting altogether.

DYNAMIC_ZONES

    If you have set this option to Yes, you will receive the following warning:

        WARNING: DYNAMIC_ZONES=Yes is not supported by Shorewall 4.4.x

    To eliminate the warning, set DYNAMIC_ZONES=No or remove the setting altogether. See this article to learn how to set up Dynamic Zones under Shorewall 4.4.

FW

    If a setting for FW appears in your shorewall.conf file, you will receive this warning:

        WARNING: Unknown configuration option (FW) ignored.

    Remove the setting from the file and modify your /etc/shorewall/zones file as described below.

IPSECFILE

    If you have specified IPSECFILE=ipsec or IPSECFILE=, or if you do not have a setting for IPSECFILE, then you will receive the following error:

        ERROR: IPSECFILE=ipsec is not supported by Shorewall 4.4.x

    To eliminate the error, you will need to:

        Set IPSECFILE=zones
        Modify your /etc/shorewall/zones file as described below.

PKTTYPE

    The PKTTYPE option is ignored by Shorewall-perl. Shorewall-perl will use Address Type match if it is available; otherwise, it will behave as if PKTTYPE=No had been specified.

RFC1918_LOG_LEVEL

    If you have specified any setting for this option, you will receive the following warning:

        WARNING: RFC1918_LOG_LEVEL=value ignored. The 'norfc1918' interface/host option is no longer supported.

    To eliminate the warning, set RFC1918_LOG_LEVEL= or simply remove the setting altogether.

RFC1918_STRICT

    If you have set this option to Yes, you will receive the following warning:

        WARNING: RFC1918_STRICT=Yes is not supported by Shorewall 4.4.x

    To eliminate the warning, set RFC1918_STRICT=No or remove the setting altogether.

SAVE_IPSETS

    Shorewall 4.4.0-4.4.5 will issue a warning if you set SAVE_IPSETS=Yes in shorewall.conf:

        WARNING SAVE_IPSETS=Yes is not supported by Shorewall 4.4.x

    To eliminate this message, you will need to set SAVE_IPSETS=No or remove the setting altogether. See below for additional information regarding ipsets in Shorewall 4.4.

SHOREWALL_COMPILER

    If you have specified SHOREWALL_COMPILER=shell, you will receive the following warning message:

        WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell support has been removed in this release

    To eliminate the warning, set SHOREWALL_COMPILER=perl or simply remove the setting altogether.

USE_ACTIONS

    If you have set this option to No, you will receive the following warning:

        WARNING: USE_ACTIONS=No is not supported by Shorewall 4.4.x

    To eliminate the warning, set USE_ACTIONS=Yes or remove the setting altogether.
/etc/shorewall/zones

If the column headings in your /etc/shorewall/zones file look like this:

    #ZONE   DISPLAY   COMMENTS
    net     Net       The big bad net
    loc     Local     The local LAN

then you are using the original zones file format that has been deprecated since Shorewall 3.0. You will need to convert to the new file format, which has the following headings:

    #ZONE   TYPE   OPTIONS   IN          OUT
    #                        OPTIONS     OPTIONS

You will need to add an entry for your firewall zone. The default name for the firewall zone is 'fw' but it may have been overridden in your old configuration using the FW option in shorewall.conf.

    #ZONE   TYPE       OPTIONS   IN          OUT
    #                            OPTIONS     OPTIONS
    fw      firewall

The remainder of your zones will have type 'ipv4' unless they are mentioned in your /etc/shorewall/ipsec file (see below).

    #ZONE   TYPE       OPTIONS   IN          OUT
    #                            OPTIONS     OPTIONS
    fw      firewall
    net     ipv4                                     # The big bad net
    loc     ipv4                                     # The local LAN
/etc/shorewall/ipsec

This file is no longer used -- its specifications are now included in /etc/shorewall/zones. Take this example:

    #ZONE    IPSEC   OPTIONS   IN          OUT
    #        ONLY              OPTIONS     OPTIONS
    ipsec1   Yes
    ipsec2   No

This would translate to the following entries in /etc/shorewall/zones:

    #ZONE    TYPE     OPTIONS   IN          OUT
    #                           OPTIONS     OPTIONS
    ipsec1   ipsec4
    ipsec2   ipv4

Any OPTIONS, IN OPTIONS and OUT OPTIONS should simply be copied from /etc/shorewall/ipsec to /etc/shorewall/zones.
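The zones and ipsec conversions described in the two sections above, carried out by a small script. This is an added example and not part of Shorewall; the sample file contents are constructed from the snippets in this article (the 'mode=tunnel' option on ipsec2 is an added value so that option copying is exercised), and the `fw` parameter stands for the FW setting from the old shorewall.conf.

```python
"""Convert a pre-3.0 /etc/shorewall/zones file (ZONE DISPLAY COMMENTS) plus the
old /etc/shorewall/ipsec file into the zones format expected by Shorewall 4.4.

Added example; not part of Shorewall.  The inputs below are constructed from the
snippets in the article ('mode=tunnel' on ipsec2 is an added value)."""

OLD_ZONES = """\
#ZONE   DISPLAY   COMMENTS
net     Net       The big bad net
loc     Local     The local LAN
ipsec1  Vpn1      First tunnel
ipsec2  Vpn2      Second tunnel
"""

OLD_IPSEC = """\
#ZONE   IPSEC   OPTIONS       IN          OUT
#       ONLY                  OPTIONS     OPTIONS
ipsec1  Yes
ipsec2  No      mode=tunnel
"""


def entries(text):
    """Yield the whitespace-split columns of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split()


def convert_zones(old_zones, old_ipsec="", fw="fw"):
    """Return 4.4-format rows as (zone, type, options, in_options, out_options, comment).

    `fw` is the firewall zone name: the FW setting from the old shorewall.conf,
    or the default 'fw' when none was set."""
    ipsec = {}
    for cols in entries(old_ipsec):
        cols = (cols + ["-"] * 5)[:5]            # '-' for omitted trailing columns
        zone, only, opts, inopts, outopts = cols
        ipsec[zone] = (only.lower() == "yes", opts, inopts, outopts)

    rows = [(fw, "firewall", "-", "-", "-", "")]  # firewall zone entry comes first
    for cols in entries(old_zones):
        zone = cols[0]
        comment = " ".join(cols[2:])              # DISPLAY column (cols[1]) is dropped
        if zone in ipsec:
            only, opts, inopts, outopts = ipsec[zone]
            ztype = "ipsec4" if only else "ipv4"  # IPSEC ONLY=Yes -> ipsec4 zone
        else:
            ztype, opts, inopts, outopts = "ipv4", "-", "-", "-"
        rows.append((zone, ztype, opts, inopts, outopts, comment))
    return rows


def render_zones(rows):
    """Format rows as a zones file, omitting trailing '-' columns as Shorewall allows."""
    out = ["#ZONE\tTYPE\tOPTIONS\tIN OPTIONS\tOUT OPTIONS"]
    for zone, ztype, *cols, comment in rows:
        while cols and cols[-1] == "-":
            cols.pop()
        line = "\t".join([zone, ztype] + cols)
        if comment:
            line += "\t# " + comment
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_zones(convert_zones(OLD_ZONES, OLD_IPSEC)))
```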
/etc/shorewall/interfaces

The BROADCAST column is essentially unused in Squeeze. If it contains anything except 'detect' or '-', then you will receive this warning (users whose kernel and/or iptables do not include Address Type Match support can continue to list broadcast addresses in this column; no warning will be issued):

    WARNING: Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available

To eliminate the warning, replace the contents of the BROADCAST column with '-' or 'detect'.

The 'norfc1918' option has been removed. If you specify the option, you will receive the following warning:

    WARNING: Support for the norfc1918 interface option has been removed from Shorewall

To eliminate the warning, simply remove the 'norfc1918' option from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes as a replacement (see shorewall.conf (5)).
/etc/shorewall/hosts

The 'norfc1918' option has been removed. If you specify the option, you will receive the following warning:

    WARNING: The 'norfc1918' option is no longer supported

To eliminate the warning, simply remove the 'norfc1918' option from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes as a replacement (see shorewall.conf (5)).
/etc/shorewall/policy

Shorewall 4.4 detects dead policy file entries that result when an entry is masked by an earlier, more general entry. Example:

    #SOURCE   DEST   POLICY   LOG
    #                         LEVEL
    all       all    REJECT   info
    loc       net    ACCEPT

Shorewall-shell silently accepted the above even though the loc->net policy is useless. Shorewall-perl generates a fatal compilation error:

    ERROR: Policy "loc net ACCEPT" duplicates earlier policy "all all REJECT"
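The masking check described above, as a stand-alone lint that can be run over a policy file before upgrading. This is an added example, not Shorewall's own code: it treats 'all' as covering every zone and otherwise compares zone names literally, and the policy texts are constructed (the first reproduces the article's example).

```python
"""Flag /etc/shorewall/policy entries that Shorewall 4.4 rejects as duplicates:
an entry whose SOURCE and DEST are both covered by an earlier entry ('all'
covers every zone) can never be reached.

Added example; not part of Shorewall.  The policy texts are constructed; the
first reproduces the example from this article."""

BAD_POLICY = """\
#SOURCE   DEST   POLICY   LOG
#                         LEVEL
all       all    REJECT   info
loc       net    ACCEPT
"""

GOOD_POLICY = """\
#SOURCE   DEST   POLICY   LOG
#                         LEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
"""


def policy_entries(text):
    """Yield (source, dest, policy) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            cols = (line.split() + ["-"] * 3)[:3]   # '-' for omitted trailing columns
            yield tuple(cols)


def covers(earlier, later):
    """True if `earlier` (source, dest) matches every connection `later` matches."""
    (s1, d1), (s2, d2) = earlier, later
    return s1 in ("all", s2) and d1 in ("all", d2)


def find_masked_policies(text):
    """Return a list of (masked_entry, masking_entry) strings, in file order."""
    seen = []      # (source, dest, "source dest policy") of entries already read
    masked = []
    for src, dst, pol in policy_entries(text):
        entry = f"{src} {dst} {pol}"
        for esrc, edst, earlier in seen:
            if covers((esrc, edst), (src, dst)):
                masked.append((entry, earlier))   # report the first masking entry
                break
        seen.append((src, dst, entry))
    return masked


def check_policy(text):
    """Return Shorewall-style ERROR lines for every masked entry ('' if none)."""
    return "\n".join(
        f'ERROR: Policy "{m}" duplicates earlier policy "{e}"'
        for m, e in find_masked_policies(text))


if __name__ == "__main__":
    print(check_policy(BAD_POLICY) or "no masked policies")
    print(check_policy(GOOD_POLICY) or "no masked policies")
```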
/etc/shorewall/masq

There is a long tradition of specifying an interface name in the SOURCE column of this file. Masquerading/SNAT occurs in the Netfilter POSTROUTING chain, where an incoming interface may not be specified in iptables rules. Consequently, while processing the shorewall start and shorewall restart commands, the generated script must examine the firewall's main routing table to determine those networks that are routed out of the interface; the script then adds a MASQUERADE/SNAT rule for connections from each of those networks. This additional processing requires the named interface to be up and configured when Shorewall starts or restarts. Users often complain that Shorewall fails to start at boot time because a VPN interface that is named as a masq SOURCE isn't up and configured during boot. To emphasize this restriction, if an interface is named in the SOURCE column of one or more entries, a single warning is issued as follows:

    WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts

To suppress this warning, replace the interface name with the list of networks that are routed out of the interface.

Example. Existing entry:

    #INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/
    #                                                                GROUP
    eth0         eth1

Current routing configuration:

    gateway:~# ip route ls dev eth1
    172.20.1.0/24  proto kernel  scope link  src 172.20.1.254
    224.0.0.0/4  scope link
    gateway:~#

Replacement entry:

    #INTERFACE   SOURCE          ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/
    #                                                                       GROUP
    eth0         172.20.1.0/24

Note that no entry is included for 224.0.0.0/4 since that is the multicast IP range and there should never be any packets with a SOURCE IP address in that network.
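The replacement step above, automated: the script reads `ip route ls dev <interface>` output and produces the SOURCE network list, dropping the multicast range for the reason the article gives. This is an added example and not part of Shorewall; the route output is constructed from the article's example plus one added 'via' route (10.8.0.0/16) so that networks reached through a gateway on the interface are covered too.

```python
"""Derive the SOURCE networks for an /etc/shorewall/masq entry from
`ip route ls dev <interface>` output, replacing an interface name as the
article recommends.  Multicast destinations (224.0.0.0/4) are dropped because
no packet can legitimately carry a source address in that range.

Added example; not part of Shorewall.  ROUTE_OUTPUT is constructed from the
article's example plus one added 'via' route."""
import ipaddress

ROUTE_OUTPUT = """\
172.20.1.0/24  proto kernel  scope link  src 172.20.1.254
10.8.0.0/16 via 172.20.1.1
224.0.0.0/4  scope link
"""


def routed_networks(ip_route_output):
    """Return the unicast networks routed out of the interface, as strings.

    Each line of `ip route ls dev X` starts with the destination prefix.
    'default' is skipped because 0.0.0.0/0 is not a candidate SOURCE network,
    and multicast prefixes are skipped for the reason given above."""
    nets = []
    for raw in ip_route_output.splitlines():
        if not raw.strip():
            continue
        prefix = raw.split()[0]
        if prefix == "default":
            continue
        net = ipaddress.ip_network(prefix, strict=False)  # bare host -> /32
        if net.is_multicast:
            continue
        nets.append(str(net))
    return nets


def masq_entry(interface, ip_route_output):
    """Return the replacement masq line: INTERFACE, then the comma-separated SOURCE list."""
    nets = routed_networks(ip_route_output)
    return f"{interface}\t{','.join(nets)}"


if __name__ == "__main__":
    print("#INTERFACE\tSOURCE")
    print(masq_entry("eth0", ROUTE_OUTPUT))
```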
/etc/shorewall/rules

If you include a destination zone in a 'nonat' rule, Shorewall issues the following warning:

    WARNING: Destination zone (zonename) ignored.

Nonat rules include:

    DNAT-
    REDIRECT-
    NONAT

To eliminate the warning, remove the DEST zone.

Example. Before:

    #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
    #                                 PORT(S)   PORT(S)   DEST       LIMIT   GROUP
    NONAT     loc      net    tcp     80

After:

    #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
    #                                 PORT(S)   PORT(S)   DEST       LIMIT   GROUP
    NONAT     loc      -      tcp     80

Shorewall 4.4 versions prior to 4.4.19 do not support ICMP type lists in the DEST PORT(S) column; only a single ICMP type may be listed. If you have a shell variable with a list of ICMP types that you use in a rule, you can work around this limitation as follows. Replace this rule:

    #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
    #                                 PORT(S)   PORT(S)   DEST       LIMIT   GROUP
    ACCEPT    z1       z2     icmp    $ITYPES

with an embedded shell loop whose output (one rule per ICMP type) is fed back to the compiler:

    #ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
    #                                 PORT(S)   PORT(S)   DEST       LIMIT   GROUP
    BEGIN SHELL
    for type in $ITYPES; do
        echo ACCEPT z1 z2 icmp $type
    done
    END SHELL
/etc/shorewall/routestopped

The 'critical' option is no longer needed and hence is no longer supported. If you have critical hosts defined, you will receive this warning:

    WARNING: The 'critical' option is no longer supported (or needed)

To suppress the warning, simply remove the option.

Shorewall 4.4 also treats the routestopped file differently from earlier releases. Previously, the routestopped file was parsed during shorewall stop processing, so that changes made to the file while Shorewall was running would be applied at the next stop. This is no longer the case -- the routestopped file is processed during compilation just like the rest of the configuration files, so that when shorewall stop is issued, the firewall will pass traffic based on the contents of the routestopped file at the last start or restart. If you change the routestopped file and now want to stop the firewall, you can run this sequence of commands:

    shorewall compile
    shorewall stop
/etc/shorewall/tos

The /etc/shorewall/tos file now has zone-independent SOURCE and DEST columns, as do all other files except the rules and policy files. The SOURCE column may be one of the following:

    [all:]<address>[,...]
    [all:]<interface>[:<address>[,...]]
    $FW[:<address>[,...]]

The DEST column may be one of the following:

    [all:]<address>[,...]
    [all:]<interface>[:<address>[,...]]

This is a permanent change. The old zone-based rules have never worked right and this is a good time to replace them. We have tried to make the new syntax cover the most common cases without requiring change to existing files. In particular, it will handle the tos file released with Shorewall 1.4 and earlier.
Extension Scripts

With the shell-based compiler, all extension scripts were copied into the compiled script and executed at run-time. In some cases, this approach doesn't work with Shorewall-perl because (almost) the entire rule set is built by the compiler. As a result, Shorewall-perl runs some extension scripts at compile-time rather than at run-time. Because the compiler is written in Perl, these extension scripts from earlier versions will no longer work. The following table summarizes when the various extension scripts are run:

    Compile-time (must be written in Perl)                 Run-time   Eliminated
    initdone                                               clear      continue
    maclog                                                 init
    Per-chain (including those associated with actions)    start
                                                           started
                                                           stop
                                                           stopped
                                                           tcclear

Compile-time extension scripts are executed using the Perl 'eval `cat <file>`' mechanism. Be sure that each script returns a 'true' value; otherwise, the Shorewall-perl compiler will assume that the script failed and will abort the compilation.

When a script is invoked, the $chainref scalar variable will usually hold a reference to a chain table entry.

    $chainref->{name} contains the name of the chain
    $chainref->{table} holds the table name

To add a rule to the chain:

    add_rule $chainref, the-rule

where the-rule is a scalar argument holding the rule text. Do not include "-A chain-name". Example:

    add_rule $chainref, '-j ACCEPT';

To insert a rule into the chain:

    insert_rule $chainref, rulenum, the-rule

The log_rule_limit function works like it does in the shell compiler with three exceptions:

    You pass the chain reference rather than the name of the chain.
    The commands are 'add' and 'insert' rather than '-A' and '-I'.
    There is only a single "pass as-is to iptables" argument (so you must quote that part).

Example:

    log_rule_limit 'info',
                   $chainref,
                   $chainref->{name},
                   'DROP',
                   '',        # Limit
                   '',        # Log tag
                   'add',
                   '-p tcp ';

Here is an example of an actual initdone script used with Shorewall 3.4:

    run_iptables -t mangle -I PREROUTING -p esp -j MARK --set-mark 0x50
    run_iptables -t filter -I INPUT -p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT
    run_iptables -t filter -I OUTPUT -p udp --sport 1701 -j ACCEPT

Here is the corresponding script used with Shorewall 4.4:

    use Shorewall::Chains;

    insert_rule $mangle_table->{PREROUTING}, 1, "-p esp -j MARK --set-mark 0x50";
    insert_rule $filter_table->{INPUT}, 1, "-p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT";
    insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";

    1;

The initdone script is unique because the $chainref variable is not set before the script is called. The above script illustrates how the $mangle_table, $filter_table, and $nat_table references can be used to add or insert rules in arbitrary chains.
Ipsets

Shorewall 4.4 insists that ipset names begin with a letter and be composed of alphanumeric characters, underscores (_) and dashes (-). When used in a Shorewall configuration file, the name must be preceded by a plus sign (+), as with the shell-based compiler.

Shorewall 4.4.6 re-introduced SAVE_IPSETS=Yes with slightly different semantics:

    The contents of the ipsets are saved during processing of the stop command in addition to during processing of the save command.

    The contents of the ipsets are restored during processing of the start command in addition to during processing of the restore command.

    When restore is run while Shorewall is not in the stopped state (such as when it is run to recover from a failed start, restart or refresh), ipsets are not restored.

    Specifying an ipset in shorewall-routestopped (5) is prohibited when SAVE_IPSETS=Yes.
Simple Traffic Shaping

If you find that output bandwidth is extremely limited, it is likely due to TCP Segmentation Offload (TSO) and/or Generic Segmentation Offload (GSO) being enabled in the network adapter. To verify that, install the ethtool package and use the -k command:

    root@gateway:~# ethtool -k eth1
    Offload parameters for eth1:
    rx-checksumming: on
    tx-checksumming: on
    scatter-gather: on
    tcp-segmentation-offload: on
    udp-fragmentation-offload: off
    generic-segmentation-offload: on
    generic-receive-offload: off
    large-receive-offload: off
    ntuple-filters: off
    receive-hashing: off
    root@gateway:~#

If that is the case, you can correct the problem by adjusting the minburst setting in /etc/shorewall/tcinterfaces. We suggest starting at 10-12kb and adjusting as necessary. Example:

    #INTERFACE   TYPE       IN-BANDWIDTH    OUT-BANDWIDTH
    eth0         External   50mbit:200kb    5.0mbit:100kb:200ms:100mbit:10kb

Alternatively, you can turn off TSO and GSO using this command in /etc/shorewall/init:

    ethtool -k ethN tso off gso off
Additional Sources of Information

The following articles provide additional information:

    Shorewall Perl Incompatibilities
    Upgrade Issues
7///gԨQԨQrJbccot6?WVvOnčA##E>gׇ "\(&&ZށJט1ty3.^s3<x]z/0Ip!P 0tbpnݚ~P7oNllٶܻwz|:ut֍_N:Lڵ {  $PX|rã?VӦWs'fH""7t(IIVR|Utuh-*rLBL!1N'1qu^8*I(n #2$ `ȴwBRCjj|||̶9s&|r_~u:ZhoF׮]9u۷gϞ=r,OnԬAT߯"֘+/~6PɍÆIEd{7$h%i=Hj\bOOq:qDB IpooO=_e[3 !N?h,%*6??eP;G"%9͞=ٳg[||~8|0={tЁ;w?;Ii(,P=sոL"Ӡ֐Ц56wС4i_ an=G!DIIy0XqAQO__xpq)Ip/WWhg#8u*Pwl-v}C0.+#8=ԨQ}ϳw^:w̖-[xꩧ g̯PoT'G^Ejw9~=wX}lAOĂVBM\\VϝSQQJ팼Ԩ$/U|%9\qq7=Prm= JU0`"t_>UTƍܸqRLʕ+}v^}U֭[G=y g /hX\kn5׬)Tr/RU+"~[Btp!( cR\./jLjlB$8c|?SSSU9::t-[~`ƌ QsQz=?#k׮f͚,]oaЊU~pQ~PZedѣW+qs{oo%!DY& !;y7~ӓtm3DAY`Lt֍6mڐx+VP IIxxx9B!ϏG* a7*%KPNNv Dt>}xIg*Դ!**@TTz?ezI6Q#9W*[.$Di# !Sx,{X~ t(eTmdz%7*UҡRia<=;L!NpdԬY#Fh"^_gZgzh*U"#9Q*%%%NDDz0 瞙Bj5l}Dqzs _@)D!>}ޛ?f$''Ь'e H۶Ӯ][XQ44nϬY姂BX˘ +YҮ];-[fZ%==I&_0tP>#4Es?tՎ;wcxST/kQqFϟow/?&&&2dիW_~Y7ni&*UT>K=zPK"~Kv^'""0먨(?G֭xh /@RLB EaÆddd߸v&?`-c0[eN}͔ ZK̞~4P ?#kb`ƍ 2%K ʖ0[.3f̰hA s1 2'|2W&6l`РAOQt,o.`֭իW3c ^{5><)w {/ٓ;vOcUff׮ޝIyQbRSS9iJIXXiD۷<iڴ)ѴiSV3gJ2(sݎBBwgdKnlذ|oiӎۛ*9ViȏٳKrC,prrܹs*UVO? @l%׭[@=L۾S 1&>gʕf]zٳg[o^3ntGѡCts󧦦̞=Y~)ӧO7[m{Çӭ[7~wqvM lvR??"$!ʱ7oJ`z.^Hzzzxxx닿iD?^^^E$Dt̟,\8~^0%7֮]KR5kXfs̥<*F'7$Yi4|}}9}4z{P$$$sϡRXbi{dd$i5,om۶W_qq)o>Oy!˲ǘ<ϏaÆxe~s[\ 44޽{i֬k֬e˖8rݺuٳoߞݻwVNQ ;!$##K.eKb_Ǚh1%0Keyr!$8Ds̟δlɍ s1i)..Nָl gg ?InN>MXXXۗ?kך}]P]myȑ#ٵk5k%K0k,jܶk.z-L+7]p!> _Os<ߺu+z20~tR ]taȐ!)-WW^>|;vжmb;T{q\};)ׯ;!,.gDD))y+G&Mt%|BIp ٓδ\57;2S8-ҡC\572g"Ea06lg֭3~oooz=7Vll,i6dfϞM}kδߒm+㏌=/{ 6**aD,\HV†RRRL#0u1޽1:TחSRť@QDTgϞ20&76nX~Z`GGyÔXb䆆 0oRInac=ŒxWyWMۍopMիW7nƍcԩv9o]iԨQ)(( &ЬY3_*hA[n{يN>8Orr2ݻw?hKڵywyW~:ӧO[L9n+עEJnu:|z u9XW8z=aaaDDDp9É"###cjԨA@@iqD{BASSyْ3ju٘<ȣ<$%%'+prOn4Vhڴ)ZK.hjX"B/jݎk׮mvxa8p E/|uVϟmVeٲe,[,߸,VT* .VZ̘1k׮7T_s("-^Tǫu:|M#56k1D(ʺt.\k0<oolKY * !IprS,\8}3%7sRRhٲeeZJgFӺ}hԨc\م'/g㈏(%%;MnG #44T߿?5jԠO>lذcO<9sH:cUZ-SHʕ23!BQ r\v-cj5^^^JVRv!Di& Q.wЧO7n ({vJ׮]Krm"#\E|?Srej֬^^hfrri)ɍƒغukpaO;wlӆ jܩV S/kNZ3gP {aqF*'%Q%%%X5N'1&3ݻ1...%%|BH9w435[r4h޼Z=[5j5ii^'"BWR"dihWoLBhY @V8t'MWI18:2x0NyS6mHgYMqh440 In111zRQQQfԭ[ה03WeQoί(NʹsY`*}.rr 1. 
4t:'+:Nzzԩ?q#Jr#~rCKݺXcInQD@VR4om:T  pҒ JphTZ-,PhQ:ryӔu2n߾1oZjjժ%|"/ă#\=w x{Crue$8DܘF޽lprѣG/\]rނ{ ڵ7iҪ69_^ GG u;|}}QTV+(.*NɉޓF)t\ ^ŋI75ϏF2`߇?~ Ԑd'#> һw/mҧJZ#iiJ:5*Uqc?VZARa?Ԍ 5Z:uX@a+...4lؐK.C\R43CF/eddpҥ,we`DP> Kq LI$ Qz=k(?o77ڴi˽{wIMMfz[bW\f-9fHI1P:P16=]@@}Ipa{*G#LIwHBBBBJbѤIt:] _()okҥx򜙩$};!JȑjE$Q <xJcǎՖ5em֏i:99(UێQ^eܘ\l ʕ]0`(.Eq%BBNpN[5ԩˠAqrr9+'7]ۓwGGInQ6BCCJ+ܠ+ɍ"HII6ܹs޽1:δR/K _(f͂o' eTG^Rڞ:w>rfj+=e}moZUAJTT4]}x;GV:ICI!!0cXl޼NQ\BعsM{MOOIC%jՒ͸T"me\7w%39 qqqzˆ0"###cjԨA@@iqDj@Uw0iԩw_ؾvteXo#%lLs'UkJtt4c\sԒ(US Z}){!))oo *Dq2&81 eb]CK;Qd˳t.\kpN3 DEEea|}ڵBQ$!D)# !J? +Q}Nxmn߶x]Z4;7Sg!RSS9iJI:舏VVZ1 !$8(%HKKU8UP;G"Dڬ:u?xwQ&sr6Mpܼy3WCsEL6XQFhlanBےD:uʕ+E N:OLL uԱwHB~*zM,oΝKmBK\$..|(A!#.΢<2n"3#ê8VܹWؑkff&'N_gʕ\|NG˖-ׯgfÆ 8qw?;v,O=TJn|wlܸӧO3>d_|Aff&m2~k7w'XA Q*<3ܹ&Mappѣ;wf߾}G4>*%|9DG5׬̏?re۶\4*r% 3mVy|}}6_'NPJ6mJ@@xyyV#40 ݻwwNNNt:RSS`0jt$''{bə3ghѢb>reTIy Х |~~J`ndenڇ{С9 6ҡ9FYc^] Cd$Ԯ & ǞU^0mb/4Sp0'Ng?ҩ=43gE  $"D)##8Օs|jIU*AAAgI2&7Ǜ MT *Y@8<G -mSX'nAR7lÇ.Ɵ~7ڣFo*S*ƍZֶ1w}~ӏ?*qLnX# cVe/.D9HBBŅnݺep(7..4='Ox<ڵR۹s'+رcm (ʂmˋ`0=( A>xmXפ%m,}mX<Ϟ Ř%Kzuxp+hkmsחmq?Ŕ ۶sY֏5}[cNQB-1,e$5}{oI|" !J!Y*V:B؆JCՒxW֮w8B6m͕O?XY³U|SywOyVe=ic[eՍƍ┅?e ܸ7oq@U"YZ=0Ҙl޽%$!D)$ST@FpQj7䟃zԆ0GYshУ|5٣Lس֭SV =ݠ 22`gNhN^%u(.70ޒkKb:qBŒ\oQx7!JJ`vH ! 
K3}:)׮!ʣm :1ϔG~ 1~n˯E^> b+(vKTDO=e9ceJBV;!*$&B<2ԛ7sO!Dزyu@$8(edjiڴ)p{#Dj2wS V=y2*ggz--[ɓ'ɴQT*T\e\K+IpQ YEE;:BXG=y2\ >RpԎ'&ra&NC=zbҥ?~ba|RR ݺuV8==憛Ǐvڿ5;w븜_Pi6^ 8*~Y\P֭[ӧWfƌݛ<|BICR:--8;F#De\*VFpQO>e˖{ҥK={`ުU+.\P`{s77"#+KO^RSS 6%8>SOc|Bd!J u^J51uس - l䄣/*wwW&1Kb(HZ<{6ϛGFRRm4h!Cr郫W~<ȁ c޽ݻJ*ѦM:uO<>S/FxPTX´=22,6K[k۶m|W?~|*۷?^x"wߑ?~<;vȷe~scξ}pqqݻ7zf͚fZZ»JBg̑ԢQ> ;v…0kVɜ,իWM%iӦh4"##IKKBX*399s l8M~3 ֬I݅JnTIjvNܹ߹cque 8ׯs<9wc߾}899裏ҹsg:vH۶mqvv:ޢHMMo߾矬]>fݜnj9]vQf|[d fL~񘋱gϞ}Ϸ}A˒i.+1g֭4*8jҥ t!C =# ?؞#`j'Bn߆GHx;U 7={,0ZEx1ܩܛIz:B؇^^^?p7on(PRR%Xa lZsbYszԉyHyA>PV-oM gϚpttGSNtؑRc06lg֭3~oooz=7Vll,[غnބ~}} ':Æ)K Jr_RڀΝe`ptG?OQ-i% n 8~I7!D)%+a?RCaHK5 }kl5x9}4qqqlݺմ*KFFwߥk׮Ѯ];f̘App0 6gʔ)||gy>ް}vÔ)S [6hZ]j [6L2Ű}vC|||Η4øq UT1TR0n8CZZ ?318::5ja?qiii-Z>TVDbeϷzZLa9s-ZKzXR%EJ2z=ǎ)}T>#),=aC]^z.e+W}iiJ*Ճ^sFO`\0籖Q#%RFqܺvBC~e :RL hBYXFjpQ  !* ! ϩ^=|z>7atޝݻȑ#GL cǎqIN<ɲeP4oޜ'x;ұcGYLes孢|gJrU:q|9Mp2\ѷ^<֪6K][ylmBŜ_T6(#]%:A5/?9oC$8(Eqiy1!DruuA$''s8Ua77Ιõ[!{S(<̟?s-8 x'qvv&44+W2`ԩ?6le!JVD%cT9RֿB-Z9JeJЫWءC?Tοtȑ_ƎpeUm?XeWx|2S$ P2l [oYw/U}E%t;w͕UQlaeJɓʴ9yeg%*")2*D)1h 6mڔm8chݺ0a˗/cGJ[QNGӹsu8׶n%]d9q℩ǡCr-=O5jЧO!-:t 88zp_aԃCfQ9=z#GCxx8_|1۶msSO׶ZjlwW8p ?,[)sSsg6= 'Ou}Ǡj)--[[n?dΝlڴ~#FШQ#G)uslb;d5zbãqH#F\\Æ cذamܹ9Krr2??`ѣGN£[naED"~J*(!b8ٿ?VZv$.?dĉ})SԩSygs='N$...޽;;3 oZϺ1cܰI:u꫹3j޼y9=QQQ_dgg,.&Lȑ#yo^ȑ#9r^{ rTkޝtN(ZjqW0ydVXꫯԩYYY,X~.իӣGx;o)"~r*4TC]{-1]h+v#^:f6#))˗h"-Z?Opp0g}vN >}c]Hes8!b3Wc6G"r?^d> 4ApqϟORRseҥ,[e˖/D$Gо}]k>})S?p5~af̘_;øqHOOxlawEQЁMO<QHH={d֬Y:t(gFA͛yw9r$7I&9w}v߂1%8DWkז\zIl޼:|8p ~=СCL<И_x&LPoر#[l)ۿo>A=Vu)f͚puRc}UܰaD'$,QA{HN'ݺuo93 <իuVMM7D||< 4`ذaL:7} "GTC$(!b/]wŪUs͛^ۼٟ_ͻҥK )ٳiݺ5W]uU~Fo-cǸ+p8k>/(={695Y\ɯ.dڶm{G_@7|8Qڙ:GTT#,,@LNԩw}7YYYZs2w\͛Ν;裏rzg)ZzG B"jѢN[V&_4hPC#?|wEN8i$ƏOP玟\̙ShSNqW(ja翞Og̘sU-ͅ^Yj'm[6>8'NU[;1UrȂر#;vddggvڜIII駟駟Pv휢m۶捈HP {ٸq# CfHNNСC9_ƛ5kGΝp8r_n=͛7?GUvv67psaƌ 4ȧE_ؾky睜mM6eÆ $&&l۰aCco^@T[72NnDGuԩS#pЮ];ڵk?O#%%//ZjѧO^ &lE$)!炂4DEjՊ׳v2IpӇ~3gzdذa?Yf|!6lӰI&C=DppO4-'{O:uEQ?|vŜ8q"OÇ3arѳgϜ޼p:q֭[dLZp:UkZ.ɣFQFD&z1z{.uOڴiC6mظqcNcΜ9ܹ//0CzM~۷/;v<=Bݼy5س'0JwFGv l Rq9E9vʢElJD\ƏO???^syri& իu`̘19=ɓq:^/ 
u{QFԯ_7޾}{˜^EzJpvqƱu֜{eڴiѯ_?|M4hg`w8:|۶ >U*Hؽ{!Tz[#99/pDB5itޝ-ZHլY/<߁ÇHJJg…,\gy9眓3O>~3Z!!dd@FHIKTQECTD굱vZ# !5jHу$TLL ^z)^z)Ge9 e˖d,Yĉ cǎ9EKCm Z5];Ҿ}[C)̡C(!'!E=8D*V3Ym}v]ʚH2f 8ǏpœK.e,_^z ڷo#11Zj|"I p%86lؠE ጎݳҶkWڶoow8"Z*^x!^x!'OdѢE̙3sxbV\ʕ+yWp8mۖ~Hbb 44R9WzzGvڥr>)" ;;[CTD@LL }vMs)3*ljo"vRo`Ϟ=ܹvݻ9tPN;);mD'i޵+v; %$$=zУGƍGFF9C%* `9aCDDʏ"dԨQ9,#|Z[AJ'kWtnw8"]v4n +Vʕ0wY̓a4ԯofѬ;EHH;x0E?>3%8DTvv0ElTvZ#_PHIntN^GR s1wCVYs@RYv킏>2 @ݺ;֭A,++LGbcc^:"%L IDAT%XCJ.Mºt)p? |U7СԪYS ? f5|^.71w.}fڵOڶ5Cv ^RCDDGmڴa_^ ]oX{ҋ/t>}: ||>^ ԪYn<߼9ǜ9fv2 @LLnD3fO)uJpUhTu82k޼!H)77[t\oe]}|gHK;QLΡC `/ҫ,""#ͤ"""Y&f|ӳÕؼ,UBϞG߾&QIGJ۶Je^eiHk7 EKׯ4 @Dt[kW +≉;)%8DDD|԰aC"##III$""Jz0tY[t:=,`ݺdGb"vE/""">r8jՊ˗vZziLԁk1 _d+fM0Wv-ZګDFT GDDTCDDij΂!CaJ1 SOEYZzq`,8v;@"""Š:"""ީQ.,WNJofy93#g-$ADH1zp[HDDDKL \rYؘ??hetY&M`HH-ZڧIH1(!""R:p,XXX&O h.hib# ;AfͨR ۷oĉD:H /4 @j*Zx1ZeW^ڴ-Zگ)|*"~",&N'-Z`͚5lذs9DDD*p,&1wIx,ZkךeӦU z^ʓfQc30j? rP*_o _Cp}w eE=8D䬳΢aÆԭ[ Pn]&L@vvvǦkH9QCDD~U@^fy!0J]5<̓͛ƍML-MyRZE}[%\̙3KT"""""ޠAoCիIHH}{SB 7qp6 @-y۷'P|:FNßUZ̮Ӿ}{VY#Z%7DDDDDJ>_`,YYreny`hHJJ.aZ9""T ሔ`5 hos,Jn 8lmk¿ /N8Emw~r"K՟EK l.(ڷMiٲ {;"effew~G @kw"r֘G2Jp`\P58$/M+HԃCmBDDDSC$5BDhm5S 4!_ Jp\Jpl2 pdiTdT$C1XB9iY?>NfY8kĞdAEDDD)!h˜?=PuIHck`k,'oK%""blذԸt%7DDDRRC$hX"w؟ĞvcS]-{$m)J0Buuka~4"0U4.)F"eEEFA:0%Jn_}qDEm*F%|Z˿oYa-_7Z"%TbDɶ\=*ڴicw8蓏shѼ>aaU8ylH=8FP`ڹ8mz]">ow"8kI lˇ)[l'-[4 ,ለ.{pL%7q۾~gO_my@rsY.RL`b:JRZfKnf$qqqvc,^uN?Fq8Riʪ_ nz$8Knc[GțW$G݁&ߍV#Y?β;۳`Z6#((;bz% XagP"""o?qڸo_wJ+ rA&JpnWF/ھ-T:Xcjb]*VDD$ ~Ts{|a5J-"WX>tKpz&M˖v/^FP7ӋU ZΘY:= ܍0VDo`f83}/̰)@|=WDDį?IqOj';b,D^=L\#DpnNbmx rL/0=A/̼3`dE/"""$/-nq{<"){v "R>$7`zY܂|a&(i8H @k,Lb&`8𣵿5y|zc=,z),"RQ5nZb*DJ$pTO-tӍZ[ܶa -Tgw@~۷d͚8O/222gnvbib1\&ZW0ӿHR1>6L6Îb Kpl5s0ofu1u:m">S ѧiPĺu+Y%8qO056&6cw×n?8ؘ?*1@DU޽ϣmۊQ+V,,aePh~m=sO+٦a."""!kpTV""""""C @UkӈT2Jpz(!"""""bQC$PBDDDDD?(!PC$PiX7:m;(!4+D 8CR+h mkD"""RF T""% 8 |F2^I'I9][DDDʕ"J=8D4U/`O^⭶ 𜨘f+hdӝ!*m!xG=& b]cNl K@cr_iwm޼N޴qrJF @ DTHYܶMzcz{|+`.X^5Ok[h뀛8o k`ww6c1ɏV3 8_QCyi$U0!""R(!4LEDʂ{"`1z)q1 &Z^*m0_GZ۾q̗K[8}Lϐ;nm\=L\qײ{R''o^'_^˹(0Sᤵ4 =<%a Jd;.yi & d d%Ipx*WE$ԴVr0mǀYEu/|{R^ 
H W)-}1:bq6LG=uͥƋߋyJF @VL*)) s/Yϟo7s;}PL4S@W Q@4.( ZFӢm")\Hf4&"*e~1/c ]\#5p.3KJil;05>kpb\f˺޶ Sף6޼N޴qM{7gQ!""RI8n""~$SЖ0bdm kR93fΜ|M(lb97 4d]# "[ś,ՙ={ESж<*d!~MUMo͛눈҂XtP~jBlKMMŠ^U|Jp2O{yl/{ KJL`0j;Jl̯0Ly93Ʌ&8Ō?Γ󬵧1qMyܞ`mFQ]cPDDD&))p/pTvGVBC+oew(E|g9OLg<&"Ss*f(GGx_$0Jΰ[ۻ1Ip|cmwRRRVݡ_~DΎ;Mtzl",ү0^ =Sb1'fpLa!a3sEI4 Lbp?z<%wvoeG'1/(]Q)y^(K|MDʖkfJ_ͺsg N`m!>T v,f;N%{Anj1v&z8T\%TP!!)a3ܶT߅;q=;!bygG(踂\I \I\Uqd`֧7q Om!rr4a׋HQì୷LݤIp=л7>lz}gY֙Cf&|a?4ۆ 3.ιWdddcvƌDϞJn8̔+L`]05bf@fTo`fm_ayr!0Gֶ0<]= Sں޽pQC$VQx#0$CIr/&|{,B3G0=ҵc#05Acx)SGob i=3ӓE"+h֢>Ly*=zNDf+WŽwCfȃ&8v4mۙU+qpf̊Wǚ5п?kWso=ԩsBAll:{;H%w М/[ܞ?Ru1S!>O0UoK"Z ^݉)PQamket }WL3$Mq)b̿`UüphI>mJD4h AVph} {@:w(6-FI=ES @iXDa>R"=ֺm{O3&L1$ ;W xSGD }{©Sn=bG60u2Y̬+E<7?6K&p饥sn\ tpb>pozxo. 3K6"fhY!g~Y 3 &Q1z/μRT@WD3Sw)G뗲I3#)־qO`fXfmgyXdz::aN;c ܃٘^$j^$Mc $݋7j`zd$`fꅩ })g~][n1KA y%9T!b@D*cqO [=0=fݝVO GfzASL`b*`_L.0_g[{L}ԛ1ɋj)G{ghL݋kf8=Lļb d.aZq}+N6U=80[csVCDD,*"AiygX 1]c\jv0‡a~-߹Ga,x 2S?#dkڽssݎbJLU{-'U B᳢80ݛo{IY+ImafgqwSnjΝ7hؚ^!Rf#bW: c]r ^\a=ùYakxi Ϸ_P+1鷺Z_In,r۟d?Zn ZPφ!##o?-M-cÖip]|5u*4kv[5xz7|U0p T!!а!x#y9Z.8V__3cJf͔J{؋0_$,1cƜO,cf[/sA;/­uv(mApDJ}31ɉ]s oA? j(f΄c`z8~vfpEpY?[0 G֛ۿ7)⾞\bfQ=76>}r|%\vYz.ѺW4&">s}1)*@ӂXre/~:loccʔiӈ >hٲɍfbgß;dDf"#x Sw;nm0o1Lwwz.4'3u?_^vc<V@ K0Ŕ|aIq^ڷ7bf qqO'LƍW\ޛ6]u-o{jwm&fZSO${[@ݺ&a2vlz7(JoL͑%KLFLG &0<݋zzp 9L Ձ]0B䆫F͛7-Vrc_v7#mq7Z,뱈/M)(ԁ5{绡 2;%} ic H =PqHlޛ ]`w8###mokIKˠy&LɍwCʮݴjGHy~Nk. 00u h3SW끽eO#ċ+ɱ #"""ŢG~?+zkI _BVv&ISVsp@vG!Ra$>؁еS"۟wq@r⣕Yjj:M679s1Z7󑪣1R  [\IjOf-@3ˊg )h*"""~A 7AѣG o>6 %7D6 \0 =3v:3 pɍɯL4Z4#ȗ2ܨI\"("0E{?z^ ) dbn$L$_DDDVJp>¨ʊ+Te$<  B!G{vԫǙ?CZQe]Yliэ,ٰ` Ǘ5}zvch@эg_|Ktt4i+j \A! 
Ws9Af(th]P 2Yp*ӧ2IKKcfCL-QlHD̥K//?/;òefP#Gsgؼn ~;5>6ntSڵ~8+α*$EI<̜i^c!<ʞHMM#550J,, v!4} Ÿ#-DI)g݁=Jsqc%7JPV`f9v%"Rf̀⋡ukyuw3ehv6igmڀIz{.['uA*x1Xt%9wRM0f͂2MEG6l5k6ҨQC)m$>ݻ{7]DDD0ZDD*6k0S' y9 & B?(Xazv[9=,ج,Ûo®]Pz+T}~Z0~ruOZL wmW"2iDG{>ھL۷Cݺppǻ֯j^;)!p\sH(3/L;  `Krizv\Ӧ0m\vYn >С>kb>x1SOdxσm;o}0d|u]'aZsl>m)z`$ozLbƁ ܓxO.s׬SS߾72IDDוW^<=nf/"Ҝ096$̤t?k?` ?7Cr"F 3Me |MBخ䆈(2xa !#?$?Ǝ5I@ J*5)!""E+n 7ASCDDJKKg6kXJ"""TdTDDIKK'yPrCDDD*%8DDDԱcٻwOǤIn(!"""Yr s.;кu .Wm]EW"""R(!"yBUN8aM4N`f|8IIG #!tNrȥصk7˗d̘1L#W_7 BBr6ɍnawHQCj@:Ё&4avSeavcR+(YH -+rp84dtZp JIl6-h3ۃ7m$Z֒Iݷ-~`ٲݽٙdkSr~)'N#"2&xymP:iH]-)JpTpըF75;]25lNgI<` `lO=HJo]A4QD<"Z09Q<Ua\ϒ$-dV)o9p˭5;z+Hd(*zU:Pp{^υ z eJ'iI飏6P6w>sܯJPbr6oٖUSRpHIض(}{.O"2SGWZ)R*tiTɔS9nFKq+r̼o媂|+^bU.jtY|DR:pXLxOSzdࣽVXzTJ*<5A)8r~*ٳ>;cDa3)\IQW.R;eW@VJ) 8TY .$EpiTH(>Ob~nmvaQ)1ǤxUp\jm,̫`a^l(ad3:'0wt'"|sx5K*3d2]N@ds蔙Jbb,UU5Tg[Jk"4,^hRJ)?ҀCCC9̂8ky|;0Zd䄌x&eq|8Ңz,/hze*VVq<&Ds^Sl4ȻQ k9>\veDEE]Nz&3#bM;(nzUp;p*p 8 nRJ)рC^IL2>\Ȍ- ؒEnyLpyd&e1(1%DbXGey,d`*Ҽyp#`nJ)RJ\nQÐw=}|cWV?SU8IfL?QfC, MpKU6;늫YWRr+I!%n_"ՉYT_egy#@jsoE̍ǿ3ވ;ʿR%0um*ڒ^y(:q.Fg5۽ 7>EVsC)RJJ5Ǔxx9Q:W(#J.ίŻCMz++b1badJ1 K=n'%HKb6ɾRk6VȰV'Nc^,g|+&/9O?4 X~!eť Н{wky+i$`60 < \SJ) 8L֒Pn$\Lݲx!8ȋagHHg! N}|c >0_[wpSQk*~/w~bCdaXz'cqijW$%yĘM!H3#S,NatJ IQfnXu^ؾ"Gk f/qؑX/6nBuu%{ ؓNJ{7`q\ RJ)J0L[ar^%._5qM/ơ\mqTE#0 ϽOjw@Xb,5L *X[ W_'FF־cI+6v,娬31m2)С5hFTT 7!ee/c-+_!9fH)RJ0ml:ϮN`=Z:ֶ6:C]PqTɣobZH]ŀsB%PrRL?+R;zǧ|^+cǦ԰k3=e/TUu%լ.bmIJ[7huFPWؙ9sev}I5g,˦RYnsd#auRz?w"SWs,J)R@0xp?.]{2V0qaZ 3[ >Vn1>cМE%wu;aIJb֎"cP^VȡI\k6%V *yoO2F$[È =$4=}\k6Ŏ"S{&rǀt.u?i anN.~nIRJ)A4hĉ]FmݚEV+6N^^1;/" >v Qiw,؍Ӗc_e)&mu}94^`\cJ+/9U|wÒ,H0%YxrsnDL<1,=S8y^Jj GH ,u`u)R*i"drxO.k\-:#U`зY|qdg6NM`6}{֑HO>).ٹl]=Oy,/t{Ӊ1?5 K J` LFVs@EoRJ)?Ҁá7 ?W84o_~ "" @ _M?njpe c1ـ쮉Ryu._fyttܮZ,˂ 7րhʤD*? 
R3٪rtsd5PRJ)TXҀm_Up/999]^a9s`߾lf:Qھ~ӋM[|=%|3oL'ku IDATlgSo.[9W6yY\qhR.!zC ψIςr}^܂ p:p";RJ) DZW?ܘ3g/#.Պ*N;m2C a߾l^}:'_QBٔuq ( >Nv9Gwu7OaYQXΛYe|p"vTZEUQXŪ*VU,ܰMǹ8s2V̮(l)yX Qn)1 xY1k\YJ) apt6Q1iÍ矟Atxv 55de0y__8>@~ G:Cw)^2ʭ6\ wDXI`H#"0_]ުjʬv V*vJk(ىA\$FI 6DgK(jvkk)Z)]kt_6/yq: X\,:]zB'=(K;Pd֥R!_~ 87]R2͜|r1|ݾ9v4өf`6ԩclKeN;.xe,GQʶ XrcI^KOG1jaxH3,z$Dl"lf' V+VKY_AnB Op|\8]B]Y \1_J3Ӏπ!9^2 K)Xll,6l0 NXwdkvѕSYYܹs X [fa2x2d!0k,:tHp{YsTAfcQ^܄A'ɲ :ˑ,-.O9ׇZ~YP| |xYᡔRJ)aptΨvtؑJy(.dZII1-Eg7خ+7j̄44>(nu$xqD`ux oU+z.@8YgK)RG=[F:WndSe)Ҵtc:Ñ:V1!V.E~NDF> WRJ)n{e69;&ˏ}e/scqq Zn[irкp#-2fu4U^L+w3C Kcj941T!!3XkpQgjP^g?cEFEF 3p|i흗J)B6s:c^cݍ.**ز%mQX]Ǝóz 7BBho701jѥq7::VAǮBVT X,JiR ɀaaۙ?>-g϶o3wX`С3IK n$p𨜴cU>#n+݈׉P? TH$( tVҀ4PJ)\ea̴$##]iaǎlܸ;QSSMTT4Vk 3V[J9;eꆭn}Hׁ뭻8g+k ,8Qfƹǰ7'4QqHڢ#jU8[\D#WIt `pJ)屐 8nDPSS#Lb̰%77͛7qZ8<:t[999|eRR)`a٬QÍp׀8K˱?PjPshq+.[ݱYQ::V y8`.0™RJy,d ;0v ]<@eeVm!&&(\QQJEE`gӦ ӵoz 7Up#TϹ9Q^t /*8B{$qJ\9RJ.H%QJGԪp0؉lz;w4? 8Rc!pt^؁/fE_NJJ%%E|<S8(.jc/G#CÍг8yLx9N?5$)cEG9F?F6ܝy8C1Rxq8d[O* ?pJ)屠8:/+ԩWd2QScnELLr*?%mmkYlsmpQBM.p-+H@|GӀC)<G``*^J~rss2P22:cKQQ!6IN%==kFr+ O^0^Vʼl))oK2sfE; g+J2tD }!tEC+ mpJ)屠 8|na׮,r%)):wJ=0{ x$SZSQYy! <8dW34* ]pJ)屠 8A b6&ҪF\|`2ab cb?3k/ 61w\b8M |&-F$;nRC[kF&S7UʎlQYqT# ApJ)屠 8""8ocɾ} |TV}\>+op#d LG"W;p >| x=q ڲb($v[Q^CvdQ􈋤g\"SlD %,VDrX)'&+<\GGԪ`hB= $YTр4PJ)_QF{}/E\:+kJ#6)+XF8iKzқ^殤_SAXk5SZk 56)QDG؈0ANjQ1XUNaHVֳ i;5=HQ xNcdQ!BӀC)<t@Җxy4ђƳgT]j_'[]sx Y3I&(H]JTU G%OQRH5ՔQF)PCC %+w9 yУkT:Rwx CӀC)<R<{hDiLim\IT1=v=\N њ=# =#?J 5jmVFspJ)1 8}߀mE 7πc)Mjk~jBhqȶƕPqK+kN.dՑj= 8OJyHs|  ۷n,*iHA 9 & <#jq*GO#͑H$=zpJ)1 8jJ6`Br |iv7;٢bk% !ƕڠ-#jǡS0,.C#Yq7Zkhp(4P![E5X Z-+OhZ36yݵG?֨BOp+0y2 5`iRӀCxrmss@?Bd zL8bXEۜ#jH?WaZ>_W"Ϲx j+4? 8Rcp(<`1:Ǻcꦽр4PJ)SEy;hvsRciw7> ]dX@F=:-C*G!Aۧ@6? 
/pdr\By7d;R "ϥ> o6w#RJ*߮ @twFRzr NuF^ܮ}M w?K u\/|O <6 +]CcАC7i^p!5&!F!a6WF<$k+R*~]$d)ȋÑwaQ] w9|lFVq"/J{$$lYgi?c7DA4m_u|lizY>Ϥ'=1{9 珢Ȇ滜W d_R OZ#jSc4f$^yc!Ȣ =8O{p(|?Eu  ?nƱmݎ?;̓ȿ| uo8 OHu+T\puV+c㳳ᙳ7/>FAKhz&dbB/nIߚfCʼnZ+pSgcHhLR 9oE&}}[ocț3/ +{YRJ)_1i0z2/ uK>ڞҜԽ{kGVP4HJ+pQy *d _nאsn[#CBۑMSMJ˯iz9֐CW\Pd)tDm(@ˑě|RJLq _c[Vp8{\܎lO)AmDYpy̘6<+g T"2r+' qkd$.q|~O9NOkc(9Uc1ݛNsaFVYȖV-rP:T{ @+D#Gd$T~Y) Yɘ^U@ƛccQJ)2{pplA^4y,?x4zSBhn@#'4Qd0q&ؑȻ:6ysi(ېU776Fe]p1]%@g-< }\*-)w#Han`9(?#J XG^ 5Ƶ Bct8Y]Unj=8Rc 8Qi>F[l)Z_FЋ=q(x=ޙ0oKUߚ=JKt8C_@Ut8?"}T`+Gx;{͍5? 8RcߢT yYQ93nF^wH96`?2BvEpDm]m+_ X q(+ˑdϡo4(R+8l51;.K #w\C)+n@YueFmP# Y Q:N@WpPJ)iBOt-\4UA(9xj؋CGA|g35)V^9 cAB#eϐ);OO4? 8RcpeE=Jpp!N,d 9TD^h{EzB6 dHqgӀH`iRӀCm ZޒrvoK HWsh}DhliWc׀j"$pˑQ⑆㑆?AHos 4? 8RcppPF랏fw pCWuc]f3CCj5b$a/"8}>2<؂& 8O*t cM_GZ[ڒ7n]im0@k{ݜ 9<Q{$#ޏ5; p+3Ҍd#RJyL~At]`^3`.ȪPbLCj -GßH`8{ycl;p9b̄LzH4VҀ4PJ)i xukVm8MDt_VP9;0 y7!mi|1#hȡGzB4 2YnYE8iRӀC߀h]#QWgE_4nLhFƫ~c 2YCȁR YX4/޷ M@E5CӀC)< N!M0dx c`M 9-ǯNB? C&CC6v(xx>4FӀC) Fnd{WhȡT+E6} IӀC)< >/y>}盹7dTlX,o*4ՐC)h͈ڮH =FQ~H_W"AP<0cV=:6 IDATjp(4P\yy C 439's\ 9*+k#j:>\'Yq5#G 'g 8O*8U#/~@ޅȖT Xomr 9;ĺp̆Èk\dBsrbmI} ȔENSt\uFzp(4P8C߁J xs˛<y0"- L6)Rֲi*+<~W#[T>s>fZ/]U{l73x+_|x@*ep;zW+ ok` 8(˝r((<QckyRǭ}Ki(^Kkoq1c1$R~ >k<]_k;ߵzp%Н u!4r|rN"\]R%궧8o;{yB~&nvMuஜŬ;Ћ׳,n12 [~׋1R~ .[ぬV^ߌHt>=uߗZXďJir8ÍJV(4?T*v|\8nD}ԍu =:d['>w8ecS |9?,_it9J)L<~CѺ^/& úI7b4=sώ#<;CoVmȸ˿~ dDF.t|8 @~8LI9KY/aIu%\ [~4pl=0rl[xsd̷?bJOy* p#rXN~ I!=}[ZPY4l327&"Mh9hG7LDVrFVn4 7\}y{* v|LuOȊMy`Dm^s` ٭xVUWIwvbH"1Q'ANᶍ}uyͲO4z>6'90Bc\  1`J)4P"?Htr ~p o7cC 2h(ԅ0p(`o*HNu|]Zl5[F݈+g1NnU֕w;Yɨ#=z4^ͰaÈ _~*eSqxY5.ǠA7nז3yg{$/3l\n•RJ"LZ׭V xೊXwڿEer@nju B\hixRJOF:C1HZsW"J\}l{ٵ5rFbԨQ 6̙37_uW^y%5\QQ?L=nMk2ظ]O5U*TЀC-$:!? 
no1 x>ĆkB55U2z^FpgO3EeI=HiWxǷ#/YrvZNˀ-6{p(TxЀCp#0  yJߗ>[ L/'UG!;τYѡ Mې,c c|fL`yairZfdC£RW6 .Vp󯐵wՀC)ƒv(Pxq|YT䵊W426v,Nl{W8ّ7/x>Rb`9O ^l=9'7];5N~s~7Qd?rw|\jYU K M,-UaLQ˄dw>=}9y])TӀCR `~ sfRhATpUZ$r/SBR*hCp k 3ׁ|]TIu|4;LJ,*ȍfy~uxJmTXYu2S[Y_Kps^/.n{8r@x6[6xN8M6Y4֕oez24?6|RJ< 8v"1 dp aݞޥT}:WLVR7rV)VNazX6pR_N}ޒ4jt|9Ս6%7t5<>R)T0k_|a 5~+M0#F _)(Æ4p uZ^udL{G6?p_V|?T6&o-}#+g4PJ), 8q#H[Ѥ;}1($E!M[L #TM, f8W]Mౘkɤ~*RaIe!x9yD gmO1#+mTK0J>oַLJqB<cDkIs#RYp#*2ɺO)"Rqn@* o\fCPMd7W;xJ)ÜZz+ qmik`؈(G^jm*KT,E|ž ^R)T ҀCSTx`5pRpxD6.T@R| qpxh {qg6[ÍK4 NPK+UJ)t;pphn8{g[DUs2YV\Lσ ـ24 5*V3/aBKcP &w{^~vW\;;dvtMrUJ)J0RlMlwA LSMVpFuL`O2!۱-~D:[^E6).vqunĮ]R*lh|YV?79f)~K56twyRʔRJ |90vn D=4ЀmzSRépbV:qTR!!-)n^pC)”7 M4qXq0儌cۦbFCpo6\QVJ01-q?vy3RрCy&d;T4q~"4@]gCVn/^s|oi2jy2R*HuNO㾛.]泤Ǎ.G)4P põ |miV vt<L>pRgc/p&v(T){~!f7 ]RJ)i{εj$Z!>h-|`C;Y%RaWLBw~mt9J);N* 7@bK1V<3+%ϵƽ ikom B}wםkX_QJ) tLjȻ&74ReDQ#o؀]rr+hz 9 RziSx1"VZ4RDWp񵍺gt 7CS FuDGE<;m ՛lf%)\ g籭89W<ǁb^ Fޡ'ScKt] nS"1oIz5t֑5aGq>m GߚÆ bExZ Rrds9Z }f#DSR%׀ÌaM6 YQϢRmQ?&6R_֡fHt 854u8khi.G/rSC)T-*~YA205lR$`a˅#wԦ|d6x Qm2 v8'G@vS?rW_/ɢ5vYpa)_ s|m+G>/җC)wo E%-_9 ś$mS:%< p(tFs#8(r_.Y| V"C !w#| t2:S._ۑ*x]UTs%Lk?J̹ .E)TҀGb-sp&: w6!w*{hܸPu+N p I̊]la1BdY ;]Ẃ kT!ʫ^p|cjg"aRJ)R!B/Kѷgʱg0naFӬW^͎;HLD#BffSL f@t` ]ֿ0pwQUߓdB , ( KmZjѪjq_g+ wmպ-Z\EPdM!N8wa$Ly=O;̽gn&sw/@/#82Ǭ! 3CDDDD꾹 ;O?QGS>EqQ1Y=9c |ί "_Āp\5T+nz=@Z9`p}%"KnFCw[%"՟X{]""q 8"$ 7"%5-eˢݥ˰%@]ӽ;VҪFF/ zcsBRn 7]ptLc! 
̈JD:R`0 S; cFTcFRDDSQ!@FF(yF'=zndVd5?`† R1V۷gdkbfC\ڄ{Gp\4;"mkr0593 u L`8H#pgGzgflQу3?=ߎe첓;6')./)G-x@z9Z5FԐg98p[| L&7b.qS=̿-_ys`\p 3r%?C12ZǗy@$Z¸̟""FpiiL|L1m4yHK3|x6<;pYĪ 7Vcˍ!CmK=IDZYu u[LLGI3 Oہ~ /8Xg)̈.kLԕZ 'XSvm-7ӮtOT~ "aеk7&NOrr&?$''2ѣ+<vK1ܞ|r& 7"Q> .q1{}ڝ)%zĊwM` ^"#L_AxB~] PlČw w1O\mq8PaO1>S`p cnǜ#8DDSeddrQcIK9\NII L| NInBVk]F}C׏SٛB+UW瓴M яm 1Aʇ9UTߦǒ0܈0j,̝U25^Lb~.ÌečwO`~Go]+؏)lȭV_nc `:630~l{߆tLOK繷?70#45?0ptb={dѤ夓~;m۶1`@\|rV}ĄpAm}=KMp#k|DF"dQek(AF, r܂'؆D_\3@D3*j>*梻3dn"\ /cB협޿/a.gb`dgS1}1 A=Qtt0js:&q`1&;˄ڟ0#DÌH DDP"c gܸ8}ƍ?~$ 6-[g_|NJJw,}bٟ]OIFe|7fn;٣+UeƚhwGd=]E>-#ʹ"""aN(++qFQQfHOOd1?櫯֑%OA5{T eM 7HjN Q^|*.+%)Iļ[w1 ꔈp.p7֫XDDD]qtBCNcMΝ;xw=N;tV~ ;=lJ6mJh]- IDATJJJbNӓ=:;n})xL:%])Q@iW 8:Zmd׮r=zeq晧`ժOUǖ wҘl~QUU5l۶n1j/pģ[1! 9H'v%"""A)脊J|iȪUkط[ Dڄ GsCزhwCZ6Lq܃ 9>/ptBl \x9gg.TV)QD:1n kQ둈H@ 8:!?SYYEj."wXKwȱȡHHv544b'44ԑFJJ  ^ޏR_DDDDDP)=$t[ ]r.J}C.>q-p PxS  ݘ£p`:{4zצ t Kq%HQ!""ZxStY+3 c lwjlO=KC- 0e3ٍn"l`^Q 8DDeʀGY8'{ݻQS^ݾEXuU5 XCDDZa x {d]u$S^E]DDDDb9D^NjHWVpil޼1b0YY@jv^H<2.JO 7w裧Fc-cӯ_/""""qBGsv7xFiM%tg;JD]Ƭtyi1LnZ/VHG 90hC?d]Ymř|Ǎ4*8#**J)v7zp K DWiM=nH|N >4""""""4SrQ^]MQr>yPᆈ?,y'IMR~3Uᆈ?R8G26G+JȁunS!""""""y^v7TCDDDDDDD{ 8DDDDDDD$)CDDDDDDD{ 8DDDDDDD$uf}ugp$ZAoF՚'""""""C݁ಖEB 9x3p X`  &&>iS))I,_!veluHDDDDD:Wl?R15^C'ky EU 4Y_s<p5p'qlPDeeerihhhvWBRYYͧn>dԩ<Õ,i9mL EkY~ڦ `ȋ0E3c{H(m"a&b}f:mo_Z0Ac]2d!kk۝TW_މHgy@u8)LOZ_0SVNnX P,ڔ[de~Bi^ 7F1#Gnyr'֝ݛȫ&Cw\i$"""""T 8V| \qh Y?6xo} x Ob~F`B}}Y>ﱖekqp3ffp%)))vZ﯍vRPaÆ1}tv;_~%K.%agt`7GKg-}kp9VL)Nz8p0Ҳ}18YYp ==1r} 7ŋJna-3<κuXt)=[Lɑt` 8X` f%Q` L1S=.js#&X)30۴K1w\S`vpgq# 7FOvvh0d{Q[5\C߾}YnK,1Fi_ݸ5EDDDDD*p+p7G&pW[Z`&0ݫԶ MN M[p0Aod3fn̝;-vBVSSϰaK=ҷ׃=Ev;y'`1|掖149j%Wk jI0+&,f&%%B^xa1#Gz;5֖7֯_o)-櫫{joH|H}fcp/bĈ~q6--[o>ndg4U=Iᆈ"H?̣ jj6#7j=oee|5{'C0 7i) ̚uIp"""""Ҿp#ʘ5 7-ZHNN?i)e|n~;fMZnHT(iccʘOszOyyU\MKg\ve7z}{oOnJHLLfذhw%$.Ɔ}NH:^aJ[=7k3cʘ՞p]P4'UU^wK5klܸ 72SV̆+n&NŠA}ݍ}&JJYߧOցeUfյgDDDD$ p vu{uxmY[Q`i֘CIW-elMvq^ fĄ*HhH >3] [=z:AnnK*ɟ^]f=`!>Kz=:H`W"n¡MMM PTTAQQE{F˫o:}{?S!FJa# $%-;wE;Q ejF6FS""""HX pz 4Y v}849w_YOnN q{ ˀ-Njy 
t,fO0xWc^kBn%ƌ^41YIMM>־lFEEuuTUUҥK7RRRҥ+Pݛ^zaFxÍn%1:w<[|Ö-_Ggijj)S2bxI8krEDDD$ 8h\wưax(/+!#3]ݫCirE#`x=R(>j1@pp08j G$Zq:Á2 Z-ByN7 u5ݟ#1#?ļm =^:nN&Mυ3?MIq m(?)'pczmnak2L!x!Ps%Lr<0Z`- L88Q0Ao%GyhFbb?6$rr k["M;޽cco޼Wn%lTfZcwPx+tBnn|O\.v <((.*&{ځpc STDbȑKfZ @a>֮ABjJ1=xBTnJ߾//e%;qf|\JJ.6=1i|ᇬ]) p/."íhP\X 7o` 2MQ 0h263r$'G.\rt;\.8:ܵ>}SPQY;q og2ctVX59$''EijrWIOΏ|5r L'nHP!"؝"nO#cS:zTECmUwi?u4J۷璒DAE)fT!@pcٴ0HOYO` *_ 8DP9n.0*|.7ݑ\`9jƁpcʕY I[0wKu xnѳ 7+s 8DT3k5oGR װ 7KLSf&XzG=x[uvpQ\t}N^t!"$'R/K[J.u0|̜jýl2V\IϞG ;0py bFn[^ 7D$Hpe6{'poFg'RWJjk ӻ/ȑ# 7Jn}[O U 8DD¦CDD+ܸ}<3GzJHH`Ϟ|V|Jޅ: 8p‰?2/ /,d|B^}W!"1NHTCDDH*s01@QQ1K駟ŀINNf䤡={x9 ӧo A#8DD:$ȍ8qډgc 2RS-DrssaC()1lkjjHII&!Zx!{٣ yuhm69HDiH4CDK*Od㙑p 1Nbb8Ue: ̙g@SSiimwe""""FptRIL}3O 7v+W.gҤq8p85BIii{8Q;̞ۢ]Mj(8""aKvDD%'2 ~BD ɒ%oPZZHII%%{)-݇ÑHqq1KJmmMD >~""""Fpt2pc8iImr 7n8ӗ%))%'gdD;pCDFpMH'm[SCRR2~xlɉHBB"v;=[[hjn(xCD$l*2*"҉ x7 EUmqwYζuUe 7DDDD:-;u}QQ LHiZy,)cL06]mRR\G+pHRL b.?bDbDZ*xwݕ6Q!""")t,buʹ7w  ݫWVSx ;ʨ0@ <t \`9>mz@] ",!>_[FS|׻癘z#,Lql` @z=/]0w]-80_0h\0aiX_b»`1w8k}(j)h gm OZJp ھ aꎼFEF1Sr'HLP!Ѹ/W1?yAڄR&ky#`i כg?)h LLȑ~V8})*""&)BmB~):{v58S0am+/,ÄCiubn{Os?@B雈H[)5 8DD¦ϡDDDDDDD$)CDDDDDDD{ 8DDDDDDD$)d-K[.RϋĊz;" EDD$F)J|Z#q]گXfJ{;`_ @083@+l_imhmCDڇ xg݃>n[5b>7bWojC (F?NjO~a=~'w>oOzϊHR!"Y`}3?m}o[vd}y IDATH3wB/k]wX}]WuW6'w;; \T??1k4朷D:pxYID qL r_k@"ukl>y}iy0}8=.ǡK0{07  pp'&h++ρWML;G 05n>L {`FCl1 Q1h뵾 \f{ K0X˗u"uWbx }~1 2&@x,osi64 M8y³DrEdfea"}fK1A05i~S~Bm3a0yCQe@~Wu@ m(h;&`Hc L 0ywO dLP3=LWfJ>=I"P`n~\} 3cQxwUmps.KD<ZGOuNA-1r1LFha}xç?n  օrLpׄ3&_U> to|;Ͼ廯ӘQ6}Jޘ! 
&2=H_.^Liq`jϡŜ IA}LڴAR!"6MQsp.ZE_ N<Ծw]~ ~܋gF[knj8zG;s!&x3Zs<+tl\'ƗHOBh{| O[}>35e5f*H[δ{K׺Q臈th 8D}X{ۘ kl[1cjS:l3=0d44w1 Z-w`9qw wssc u)N633fԆjc)-K1uXi9 3u)!ǟδQ6Ex#Q!"y̧a HN9cjO Su:_W&93d斱!кuv  ҁk7cί3zy߾\EDDDEpD[81V8Qf`"fj[~p 0(Ą6Xi sa_,ZZw%Э} ߈PU Ō" U5XwcFuT`!#0?a_DDDDZ͵m6ͺ#7N=Ҡg: 4`F_Àmk6k;o18ʀLk6Yͼ~[u#w^Wc{+oN,8+RL򁾘~f;&H_ @D$T?#󧺈H""񤿵tXK{wYˁ^ZЙ;m.3e\L` j >cj0 3j$ngqL-Sc<G{[>2ϫ̔|`/f vCD$ڜxFak wk.?X˽x.]V?Zfkb4w.Ą/ck}8rϲWBGX__qli1""4Zpo+u3bS—)S[qc)`)1-W>si2 MultiPPTP Tom Eastep Shoreline Firewall 671353298 671351309 AQAAAGwAAAA9AAAAiAAAAL4DAADrAgAAAAAAAAAAAABzbQAApVQAACBFTUYAAAEAWEwAAFcBAAAEA AAAAAAAAAAAAAAAAAAAAAUAAAAEAABAAQAA8AAAAAAAAAAAAAAAAAAAAADiBACAqQMARgAAACwAAA AgAAAARU1GKwFAAQAcAAAAEAAAAAEQwNsBAAAAYAAAAGAAAABGAAAApAAAAJgAAABFTUYrMEACABA AAAAEAAAAAACAPx9ABAAMAAAAAAAAAB5AAQAMAAAAAAAAAB1AAAAUAAAACAAAAAIAAAB+AwAAHUAA ABQAAAAIAAAAAgAAAJsDAAAIQAADNAAAACgAAAABEMDbAwAAAAAAAAC4Ti5DVBzQQ7hOLkNbVslDu E4uQ1Qc0EMAAYEAFEAAgBAAAAAEAAAAAAAA/0YAAAAgAQAAFAEAAEVNRisIQAECPAAAADAAAAABEM DbAAAAAE4AAAAAAAAAt2WtPgIAAAACAAAAAgAAAAIAAAABEMDbAAAAAAAAAP8IQAADxAAAALgAAAA BEMDbEwAAAAAAAAA9apFCW1bJQyn0iUNbVslDCjfEQmnKu0MKN8RCW1bJQ7hOLkNbVslDHzUIQ07i 1kMfNQhDW1bJQ7hOLkNbVslDUmhUQ07i1kNSaFRDW1bJQ7hOLkNbVslDuE4uQ2nKu0O4Ti5DW1bJQ +uBekNpyrtD64F6Q1tWyUO4Ti5DW1bJQ7hOLkNUHNBDuE4uQ1tWyUO4Ti5DVBzQQwABAAEBAAEBAA EBAAEAAQEAAQEAFUAAABAAAAAEAAAAAQAAACEAAAAIAAAAYgAAAAwAAAABAAAAJAAAACQAAAAAAIA 9AAAAAAAAAAAAAIA9AAAAAAAAAAACAAAAXwAAADgAAAABAAAAOAAAAAAAAAA4AAAAAAAAAAAAAQAF AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlAAAADAAAAAEAAAAlAAAADAAAAAUAAIBaAAAAiAAAAEcAA AB2AQAAFgEAAK8BAAAHAAAAEwAAAAIAAAADAAAAAwAAAAMAAAACAAAAAwAAAAMAAACMBCsZPxErGS IGehciBisZ5QorGYQI3RqECCsZ5QorGUcN3RpHDSsZ5QorGeUKehflCisZqQ96F6kPKxnlCisZ5Qo EGuUKKxnlCgQaJQAAAAwAAAAHAACAJQAAAAwAAAAAAACAJAAAACQAAAAAAIBBAAAAAAAAAAAAAIBB AAAAAAAAAAACAAAAKAAAAAwAAAABAAAARgAAAFQAAABIAAAARU1GKwhAAAM0AAAAKAAAAAEQwNsDA AAAAAAAAK53OENPFClErnc4Q1KxJUSudzhDTxQpRAABgQAUQACAEAAAAAQAAAAAAAD/RgAAACABAA 
AUAQAARU1GKwhAAQI8AAAAMAAAAAEQwNsAAAAATgAAAAAAAAC3Za0+AgAAAAIAAAACAAAAAgAAAAE QwNsAAAAAAAAA/whAAAPEAAAAuAAAAAEQwNsTAAAAAAAAACm8pUJSsSVEpAiPQ1KxJUT2iNhCWese RPaI2EJSsSVErnc4Q1KxJUQUXhJDTHcsRBReEkNSsSVErnc4Q1KxJURHkV5DTHcsREeRXkNSsSVEr nc4Q1KxJUSudzhDWeseRK53OENSsSVEcVWCQ1nrHkRxVYJDUrElRK53OENSsSVErnc4Q08UKUSudz hDUrElRK53OENPFClEAAEAAQEAAQEAAQEAAQABAQABAQAVQAAAEAAAAAQAAAABAAAAJAAAACQAAAA AAIA9AAAAAAAAAAAAAIA9AAAAAAAAAAACAAAAXwAAADgAAAABAAAAOAAAAAAAAAA4AAAAAAAAAAAA AQAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlAAAADAAAAAEAAAAlAAAADAAAAAUAAIBaAAAAiAAAA FEAAAB6AgAAIAEAALMCAAAHAAAAEwAAAAIAAAADAAAAAwAAAAMAAAACAAAAAwAAAAMAAAAuBW0p4h FtKcUGuyfFBm0piAttKSYJHismCW0piAttKeoNHivqDW0piAttKYgLuyeIC20pSxC7J0sQbSmIC20 piAtGKogLbSmIC0YqJQAAAAwAAAAHAACAJQAAAAwAAAAAAACAJAAAACQAAAAAAIBBAAAAAAAAAAAA AIBBAAAAAAAAAAACAAAAKAAAAAwAAAABAAAARgAAAPQBAADoAQAARU1GKwhAAAPUAQAAyAEAAAEQw NsxAAAAAAAAAH9LskOJSuBDy6+4QyE090PBO8dDRoD/QzLJ0kPz0vJDavjTQzaG8UPWGNVDAAfwQ1 on1kNxWe5Dz3XgQyO3/kMwge9Db2n7Q6XB90N/+OZDOpr4Q/rf5ENyW/lD8qPiQzYD+kOPSuBDwjM ARH2Q40NAdgNE6vDbQ39JBESWQ89DwWkERP5TzUMUegRENFbLQxR6BERcVslDFHoERJk+vEMWzQFE c6GxQzYA/UNzobFDI/77Q3KhsUMa/fpDM+KxQzkD+kMoYrJD6p7zQ5N4m0P0EuVDbyyTQ4SF2UPE2 Z9DS1bYQ4AmoUPgNddDt6WiQ1wn1kNGU6RD59jLQ5P1k0OGzbxDR0OXQxGNtEM4tKtDfLSzQ73MrU NE87JDxQiwQ4BLskMnYrJDMuerQzgcr0M3YqVDy7u2Q7m7o0MgacNDNHujQ7hYxUOPWqNDglbHQ49 ao0NaVslDjlqjQx1u1kOLtKhDQgvhQ4FOr0NDC+FDlFCwQ0ML4UOdUbFDg8rgQ35LskONSuBDAAMD AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDgwAAABRAAIAQAAAAB AAAAP////8kAAAAJAAAAAAAgD0AAAAAAAAAAAAAgD0AAAAAAAAAAAIAAAAlAAAADAAAAAAAAIATAA AADAAAAAEAAAA7AAAACAAAAFUAAADgAAAAAAAAAAAAAAD//////////zEAAABKFgocFhfnHugY8R9 aGlsegBoxHqQaAR7FGswdDxzXH/Edbh/5HuAcFB+cHCwfVRxBHwocDSBzHN4gfxsTIekZGyGrGR8h axkfISsZHyGIF3QgNRagHzUWgB81FmAfPRZBH00WdB5wE6McZhIxG/wTCxslFOcaVRTFGosUfBl/E poX6RKSFncVdxa6FV8WAhZKFk0WfRXkFa0U2BZ4FG4YcBSsGGwU6xhsFCsZbBTOGhcVIhzqFSIcCx YiHCsWGhxKFgocPAAAAAgAAAA+AAAAGAAAAEYBAAAmAQAAEgIAAAACAAATAAAADAAAAAEAAAAlAAA 
ADAAAAAAAAIAkAAAAJAAAAAAAgEEAAAAAAAAAAAAAgEEAAAAAAAAAAAIAAABGAAAAXAAAAFAAAABF TUYrCEABAjwAAAAwAAAAARDA2wAAAABOAAAAAAAAAEoMgj8CAAAAAgAAAAIAAAACAAAAARDA2wAAA AAAAAD/FUAAABAAAAAEAAAAAQAAACQAAAAkAAAAAACAPQAAAAAAAAAAAACAPQAAAAAAAAAAAgAAAF 8AAAA4AAAAAQAAADgAAAAAAAAAOAAAAAAAAAAAAAEAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJQA AAAwAAAABAAAAJQAAAAwAAAAFAACAVQAAAOAAAABFAQAAJAEAABQCAAABAgAAMQAAAEoWChwWF+ce 6BjxH1oaWx6AGjEepBoBHsUazB0PHNcf8R1uH/ke4BwUH5wcLB9VHEEfChwNIHMc3iB/GxMh6RkbI asZHyFrGR8hKxkfIYgXdCA1FqAfNRaAHzUWYB89FkEfTRZ0HnAToxxmEjEb/BMLGyUU5xpVFMUaix R8GX8SmhfpEpIWdxV3FroVXxYCFkoWTRZ9FeQVrRTYFngUbhhwFKwYbBTrGGwUKxlsFM4aFxUiHOo VIhwLFiIcKxYaHEoWChwlAAAADAAAAAcAAIAlAAAADAAAAAAAAIAkAAAAJAAAAAAAgEEAAAAAAAAA AAAAgEEAAAAAAAAAAAIAAAAoAAAADAAAAAEAAABGAAAA6AAAANwAAABFTUYrKkAAACQAAAAYAAAAM zPLQgAAAAAAAAAA Jb/YQo9ao0OL7JlDCEACBjAAAAAkAAAAARDA26uqKj4AAAAAAAAAAAAAAAAFAAAAQQBSAEkAQQBMA AAANkACgIQAAAB4AAAAAAAA/wEAAAABAAAACAAAAEkAbgB0AGUAcgBuAGUAdAAAqDc/zcxsP6uCQz /NzGw/VT1bP83MbD8AGGc/zcxsP6vSfj/NzGw/AISGP83MbD9VYZI/zcxsP6s+nj/NzGw/AACAPwA AAAAAAAAAAACAPwAAAAAAAAAAEgAAAAwAAAABAAAAGAAAAAwAAAAAAAAAFgAAAAwAAAAYAAAAUgAA AHABAAABAAAA7v///wAAAAAAAAAAAAAAAJABAAAAAAAABwAEAEEAcgBpAGEAbAAAAAAATQBvAG4Ab wB0AHkAcABlADoAQQByAGkAYQBsACAAUgBlAGcAdQBsAGEAcgA6AFYAZQAAAG0yDwAAAAgAAAAcAg AAYPb//ywAAACgAwAA+AMAABwCAAAcAgAAAgAAAMDs//+ft+BwAMQAAAEAAAAAAAAAAQAAAADkAQB AAAAA/////xwAAAAYAAAABwAAAAgAAADk2xIAkK9tMl+I03AKAAAAEgAAAIQ6bzIAnm0ynNwSAAAA AACQFvV3SDlvMk4W9Xc4DrMAahb1dzhmbzI4X28yxNwSAIWH03CMOm8ywDlvMoKzbTIzAAAAAQAAA AIAAAAAAAAAIJptMgCebTJIm20yCgAAAACebTJIm20yAAAAABAAAADgjHMyzAAAAAAAAADQAAAACA AAANgAAACIOm8yZHYACAAAAAAlAAAADAAAAAEAAABUAAAAfAAAAJABAACHAQAAxwEAAJsBAAABAAA AAADIQQCAu0GQAQAAmAEAAAgAAABMAAAAAAAAAAAAAAAAAAAA//////////9cAAAASQBuAHQAZQBy AG4AZQB0AAUAAAAJAAAABQAAAAkAAAAGAAAACQAAAAkAAAAAAAAAJQAAAAwAAAANAACARgAAAHQAA ABoAAAARU1GKytAAAAMAAAAAAAAAAhAAANIAAAAPAAAAAEQwNsFAAAAAAAAAK6rHkQSA99DrpsmRC MUzkOumyZEva20Q66rHkSsnMVDrqseRBID30MAAQEBgQAAABRAAIAQAAAABAAAAE9i0P8kAAAAJAA 
[Embedded Visio diagram (EMF preview and shape data omitted). Recoverable labels: Internet; Firewall; Remote Network 1 192.168.1.0/24; Remote Network 2 192.168.2.0/24; Remote Network 3 192.168.3.0/24; Local Network 192.168.10.0/24; Multiple Remote PPTP Networks]
GŖ*>7\2*q~oۓaÞvMɣaVd3ޖW|m{U[c pn{ZJ {Ņ&8(go`H7=؄Nzmq6$Z^ MHIkw: $'Y7m[²+q~Mr9k#&2iI̴M?tH#Fq4-F2Ft]'.nߑt@Z=Sk\L$!@ rnb5IPNQ5m)VΓgW HOŏ-_NNΰ!K`MjiM> GDݟMN_s~uP/č2H[c,%u ƸF#{\xVT 鵝1wWehK$}ꈝۚ-~.mjIzz`<Ԧ?m@z':F@ZʞeV.r\jҟ9oX?|k(lsa<&$v%~f\ՑjPiVy^;_lZ(PK@kjZCrFV%QZ܋GWJz3 y><{bn 7jPX:_*^1cUj,?heǟ{L5z;ZR7M5[p,Z_)E9qjˮLЦy`^|cZ_X"t984`vl AIۂ]jԾ~Xs%LonDl}TI}-ɠs p [5h8cC=Ac,YZGaE:VnIjK`à? [>pPqrjo6Z>iҾ^Hı7wCIxI"sGe^qsz 1Ҙ#E)Mjhm~giK NXy9;ҡ"&5$BCׯN%`N MB4sW s H3&54!6@"hRS.Ф(m}嫃 J@v% 2@97M Mj@`oqd3BY}: n4wgֱ&5٠IMI UƢJYV'ϒM&54+ݾ50Ig>#ѮI Mj&53n_8x0(Zo4IM\QN ̼8my !`M&54ɞ1I 9~sc)qFSGT00<4*hRCbAxФIE&5DԐMj-4!4-hRC3>A(I ADI 4)hRC1RM4&44I A0,f}ٳ1I MjMj4/&54IMI 9~3A2|1I MjMjffФ&5sR`hRCpUĶ&54ɞCI 9~X|A{ Ւd4I24}(hRCԔ4Ф@҄"hRk!I UiA ͝Ѥ DMj Mjmt}tho-jevcMCbi= ~s<]3ܱJ`fKv6  !ɀIf7Ƈ6&4!!<+6{LLڶ 6nͲ\2* 6*mG(eF141E`*_]S5 JenK<~@(0$.jeE7coiih;.e1vy6G~TX'?6~.C6y(LnƘJʻD{?+ehRkFA|GZ2,K>=~љ-I骂I_ZyЧ#-x3jFlN+2U m[T2_UovYn3)qԶHp4LLڳI-rb"ԗa2HBY=Wjl9>v7,[<.3 SaQ +{8KLP_%VSV~V%$SO:'f IDATdtQpK,D]0+vXx$̶mD֛-!4 jߝGT"2E3ldv17 -rH͙hRk!sE!I*rףF@e>{A7/~᷈Kj$ zf|_yގI& % tT sѴX]t4Fymc5[p,2TcMjLb|fݹ@xY`yQ| Ǥj>Fk7#NCIOinC}f|4eTS L4!zʐ  &))CygnA hRCQhR@ m45-Lbm\:A?cG֭7aQg!nޟkrh=\+x<:sCrԪh,i~1&6Rw~ڗps.[՜3ߢ݉{2ʺfLv!YcƸ'mc1vp5sl/D-ZqL@_Lkۃ*GL- t!ӢQm_xNm{X,\̃Ri[⷇Ν8 Ta-[lcm%^Ū*egc*D9vWG;;G',lcx}L>uZUkO=b HknPBLƙu|?^lc3'4钸T\Jwu\{~m<>_`]Zg3_U oWgme:C:{i9vMGìIL p@EB1.4z%7J?>$^Sk^D2j7AMFSO:'dt*)0Z{ĔcCw6=>6!9:`Vw $1KN_U7P]L2u1LmVqYۨsF['j Lڋv|H&ߥ;{^nu;F?%'1 N`Ի JۀGIޓ&5HS]\ZǔT"r9p(K]Dg(+~']PGO޷npX/j=U,U*Sm kί"4e1'eNvE%}&~1EAq&%'ŒQFi pP #|=9@gsN]ƿFcEICҺF;'4c.F;#Iy$"dGo{*~۳i?Ȥ^0g^|pR^_'?OZ=*n]ӌ6j̻Bamޅf[ -39~)޿fC_֦Igz }Y} ۥ:ژΜGT" 6s,{ը}|7*5aU&/!Ҫw')榚Ӫx؎ L1<2:&5&A/>l=Kat)hRkZqH#gAh}:\A5@Ѥ DMj MjHc!="|^BԴu|IQ5,iggHRP$T<3Iܴ*d>/j m[?ff7?yzņ"Yֻ~Jhmk$1h7C0+g}6D.b&*$Դ X9Em0k ?TV)sQM_޹a/o̰uk,=u%"A45|Q`T>/FYTC-(!$DLev3Wu>{bCNf\8`oۻPOEgNO1!+:A5Vo0IKi9ȅgE|P By7Ծ7ϢhǧeffSy>;DݬA@s&ݢ]"D7U-H[懒mjA()-]5%UHKC)ܨ5BaTNM/uq?p4{4gQ q#rSN["ͶF7n#B;n2v:_cB9!˵!HwZn~3//lz=#/ZXQ'#6 g>/Z[u4gQ qNڼmù~+iK4͐3פ4MR?zgaB$iI i&y)? 
fR"M=w 4!(4I AԐ 'B h-45h4ڸ!MjԺ4'4yf7aQg!nޟkr8T )BgՉF)g~4Ľ, q-  k8/&Cgz$r_LH <.1uc\R\GƄSlb x(&Jͯu}IL/R< r%_Qu4xTEʷs*<$%fNjZO/[ I *xt0|RmIeФA2s`4Rmʟ^]lke%c&~T:w@3pSia:'I=I G{8{+-L,`LcT'^LmI"lt QaԶ$бHJ'c&tMPS3s}@R`))&U# cAuz$Ǚ/x rLlS^JL;L6ďǑ1Sͯ}R#kwzZnOM_W8WTU"TZ N=e~ƃ8Is|qMjLTc (zl,.$9р)[⛅FjH-컵w'koLXOPI4Mz#7-㥧0&4Dc/xGV!9Mjnyf Fr|ӺHmQ5*fmE|P6 9EC}fC玭ܰ'|=fmA qy:ZJD6AC\FK qhRCZ T&g(f>MdRO@94<O(ܻй7f.Z2˄ؔՇ) :h{˿߳r^]2N˟p\:/bFaYP(xԚK˼?/Il8|Ogf^!D>o<%Mj'M?ڸ[wb/%/審)/D-ZqLhSF嫳~y-~>vou)'k_ny+_g2OJ$-W+C+#֛'o?zhRj.5 㗱 AWy2Oxȱ4&muTWo8Itmߘ BfYP Dɧnс~?bǚ7ܸXTGb,¼@XWU[WV"9τI:@R{Qaρ_jsϧ}֣x{jetUPWtϗ&ɭcP)?9%z$hgGl/&/~$U\NʽR]cń>{N}~,Wo 4;wyV~V˾1ДtnSۏ =kF݆ϭq/=}]oA07&HI sS F:LjgW HOm┌ǾT|7`+y=mf:bq*{_?ϝ|6G{^Fɥμ_ P^ZlaRvcfIlNںv+ąmKXv%O_'1\fËI"ia]kF?I~@M˴wS>;'Ro}_I Iv;5D5 f(,'9]wf@TZzZT̤|/%)cޠY—_Z籪!ytjᦄL;Sm֥Ӷ?euv*lif˥56fl%58lsEU+쬭W-F-v_f65iZZckfG֔{ϩ\|[3wa=kySA**G| q=d%=c,3kj/ !@45S[U:?lKT2JK{~J"ME &G5!4lRcq^\:OY$m v)QEc9V͈PXA[w*WSwCkx_@k JMbQTXp;~hm $v d,Honxt}L.1%|cClՠK8yӨ{BhNgՀ J3Ѥ3Oui䒎 |e$Y*MCł&5DXoWư--- 1à f27 >&5A%ʇhRCQhRkZP%c;8ؐHn@jYi9Gu^ӡMɶ='tժK:ύ_Iu5Ľ&؜NL1^e/?K{Qfk[h\ Yd[yytOQ/:)=gaΉC&#]J&b'><2dFfTIAV  AzL||G7'6fz۟'fѶdf*9ڤC^VĞfTOݓ>і^.vID右x9 M$چ6A0+2}QdgbJJⱉ;֛-!m z(.PhS8ڤK+k+e, .H%_O 7'&aN%1KNQI]W[#;ApUG̞!~6bEF\oVT[H?RlIg"hDw!>87Jť5Xw].3g({9KjFqB -A07֍Vd%e3˷]4A^[]ТZ;4#"H,j~POxm lw{uzmTcg-GޅTMy`}kHWɎA5A~uc7~:zF0~T5Y|8di 8u~gd"ODg ZgiЪe|!-۱=.9YX/t򛛗bov1%?=n.`7&i(IMAZ!H#AZ$co A҃Mj JѤ Фԓ1?,wH(eb|y:ϟf) :h{{m?[ByU:pIJ^,,1YF5e lKˮZ]'ze7i[3.#"_?{(S6/<[OCg2jX`n7}/[ȨbӹDGQ/v¸) ֟'FNybZ x} ^S~޺?0s@嫼S'^{<`XKM+%W}*oˬS|zƙOЇi> `N~p~ת!6bA×ڋ69 AbPÜ5oaC#8U潫 F'chbB]&ɭce8{ѶEAY %ۢVR6bsJ^AIɋt#L mnφVS D.ުiLr`XyÙUzZ[Y{axW IDATY#^d=[xK~ӝz㽴={Τϗ% nvY{|lBrt,`l.kp/ڶDh;uH50~͐b A67r2D#|ޝ 4w=7\]60K]wf@Ԅ]_؉q+?Ue=޺_RZ?EͿC빡#FF*bC X3i kί2{1Y!Y>h"'n3&=e <1[uyiWPY1m_S'U|S  Xz :0cЭ g?YɱG,o'Tͧ?k$Ogh.c-):,5u~#im`;3ýi>;n2v:_cBV6X*[ ;hp[}lwLm`0UvBrmXѼd yߓ/yB/mck,7Ie-BWmAÀk?]onxt}L.cK0تAqڽ5SBQ9SyMj" -i&5!]+| -i@0#> ʝѤ DMj Mj H d|KKugu̍/.f@m?=l<7[^ yٿ{:/ :qHZ_UWw>i1;#C_V|γ?_R %煁.ζ.ckx tsv^3 >~3~ҒMjΏa}:/ u._ykN@aΉC,YI̜BqI/[׆ 
{f,ٓDGD3~嫼m_{1@% e۸^UCkRcl8W_j?PWE̯1ըjtJm6z3=OA3Uu'\=횸}FMhʂ'yp[OjvΞҖ;f5gw?>mdm8GMB7ױ*X,!] vWnӡl~_ =5\(8pN9SP+^-96!.9yQBH"mI\hJn*w~|HxGIC# dOlI{~Sy{zZzouQ~+93Yb}?T}":)oJÉnS̈-#0Qc7nND?-&2nb5nnLp]w!:&M[O]TeeSFL nv&lP5IjUK&qBLZk_r[_ P I 8b^1v8P A<nC@%@~@"u[s6~տ鳸tT+dOB!ЙL#c4ߥw#vܖ]o L{b[Շ+ڊ:sr$OR[6Im!T0zľwl.g #"3sA_#r_+m$)A.+ U' 9^HwVmdz~Xg:pb||L8e)DT0'x&efb;TUVZfR}Vڀʄˋ㽂";}B #vF1&n&"n﮽{W}kY:1"DŁ{ jiCIjHŒq'\%8Ԅ)ȓt5xOێːY7iv":Q Y$FQgt ~&N!a>oA4OrxazN(쁝x ! {_YIjrEwr_W-۳i^g=+C`OR>4J[qꞺS)ˬA#woY7+CcoWU[=!%Ғ ŐwZ3V! @+hE>P_v;ʂ$5J$5"$@$Ge /]F{QX!Ck\+B+~ͦUsֽ>g!eopvξ=4hųS'HއM,MLV%}5i=|(c7u[ Gf1o[MQ>VTSikPK|1El/tSҬ21CGGn 5/AA+܎MC֚Dp/\7W7RS>V]"8PVuYirQ2MᾔGyʮ޾sO{lb tu,p4.}݌a 5px|kB~JF?R]9\))/9~<=r3Xr] >J>mp_fq7/_+L 5\x-;^ھIj^A_9zx[*qQ޲O8Os͚4QC_#] 5`<u\Ue2>GQxZ|wlan&V󖪻' ZYfuP߀oEN~Y+?\n#4+,4m#XD&~G"WI[SlJ$5y-QuS~W>3n?̷EUWu5p2%22E_I}&:)vl(u}[8  ]?u{WSpޘaW7ܧQ"Io"z;@I&GDN5e62MT))h{e_غ1h#[ 1׿+)C~G}F-I}v~B$bpu}}ʹ0P6Ir/ ƃ0ǯrՖQNRSȦp_*B`a Z 3qrn[9a7 Ûu#(ght^e[=枲=0\; )fDduwɾx0;$u85ՙƲ B'Ӣkt4xV$i_ Z_/-N}(Di?N7Cu<6@@%@~@"uݙʙVްUD4WK]rU-LIZ 1Veq ;֏W-;z{HI50m6i{漣ۛlҴu}囶h;ӹn)oG>F*z&P>U-RQ_'cbN.Y2|8d͖Ėa=ѷ!ܫիFrRe G, 5iYYaXG6N`*[ 6{WPAa}.MYҮy ]Ay;Dͦi2 3G>OںtxϖE W^I{"_!j?r-{'Գ;Fƺ2 'N3yB!Ot!cb5vNyB8:iaPc5s8 C %gGJY0ɮ)onE&N͒Uפ&STN{L]s (i{HUښʬw7TPh:lLa֦:FY6MOSa^!a[_ Rss+'q,Cܫ%2y%MǦ9D-/#,z-c_>闯}{]gsrJL\Ni״8XU&}ʧ2EN克P(,pZ|]$zw޽>wݵr_(4< ܲ}.KgՎ%7-;̴rXy_?F98}/\-MtH)Ӫ0#t3n7w Xr;9҃p#OJW:@DMv +g ~D/7OۗZ8O/7)-L̋'7}0ǘj/J4S!)rj|üԦ8X!mM GQ7߂ȉ!!K Uʲxݾ3e!!Gؘu$q7&oW[2Iڣ$<.1 1<"Q *IѠGDt;.rI)&WIMLSf1_^J\!mM]ێB xo8rpV;z\l[)$jz˥WS;A X[m'%+0Y_ҤE97|!20m9zr"hS4 0m ~@C2>*WCMRHU&ZsݽqI5M47ڛV.XQկ)46aVǒ,՜uw 4EH{ @w ǚP# P+$5-HRHRJ ^%h oba=lfg٩vV}Tugw^@s|V*J8}蛀zNYHDeN;K {wLc0 _䝼c{ahOI `ؘ㧯Xh,P7Uc6_x<`_UZ*LF bLܞM6y^sUWN!ƥ8)Vy^fVrrAߚٽo9}sڨTڷ!6nDaʥ3ǦرJ9ϋRUrs;\\shUVJ yi~"QGQlRG릜EofuRHRX] [vZpϫ.Ƽ&4RH~0 oW|NbRHR3a7|%Cz_vM`BAHR]"I /PkL I  IIjP?hE=S,#=7*cOs,Q,QW:~ť¤I.Y*{5MIFgo|l{TT|4-3, Һ<F[Wu.P??lGkbȾ1na ="[~@ůd[tSN~MM^ap!iV-Yx4}AC1Y[(KD+cJfegDtCD,,M6xA ZЂ)YAV:ͺs"qxMʼQ!-* {Ѥ(@?ZwYX !X"c"2KTad۲1 o֬Yc-ha$0;HR+~co%^Ui6qA!#b(HΰO2o<ۘ'_U`UG 
4I:?QeBSyKR=j&WV>2y.vŹT|ձls'>S[9QPr{/Oט8P?!I s| h'\'aU@@T|F~|!cԺ})rЂEe +;CZ]txz[p-*[ /^,WuS.1reHbu|P@!IMxxԮ qN4.HR'j >xݵ]!(?(qFe;ȫ|ٺyBaUKBYOc))[^V O0|݅ч;G8 I71+%>MBa7CDR.*WըqPX7Yj=T +{kͺuWɔ˶iugв8DO2=B(Nʠ䲠d~3k{k!TʸӒbc}/Wѕ<97g ,ukY2V3_俧U~nCٚUzqR}YVL8nG>Ȉ5wkmSm:«--z̿hTEg&儝լ%͘X;~vl:٣o8=^|d1a[D^hPTpqy$ڮ[3sNy %>JOˌ/ճЭrM/Sa^!a[_ ""S w^Vw;kz% gqPmb}vvwC]}dd"#g/o|LwExnOx ͋|Y S{͍g.h3ˆ#;uݖI5#O\ؾˀ&:jWuޜiwh<+~y Sr: ٻG, ERb3Yn]Zp{+#rq*>Tܔ9i]mMo30N_Fj2fc.#|j{\V~Q 04Κ} )|q/=f$S=/ _"KԽ1 )%٤N~J}UTkf6#'z/JK7jt38ϫ|t3P'QK)Tx}ܖL32{m\Vl)©1豨A#ړL+!kpV[$9Ʊ7fGhŤ Q3P.\}ۆ߇D2LԤe)q묣}$B>:]v{T3k[Y[Jp \G9*o̼8ʩ43܁L;ua%/Yamq^Z_I:5<.{^'%KRN-O_}pXtQ?WC P񡺝mgͶԱ)tK(t98>>T\l>#5CUtt,VGK۵AnPHD<&+jqtG1!+@BV|$?hYE@=QIjX/PP;S`ngTܹן'V/bu |-hA ZyKNJYhm/iiڰi }6>!> Ტ粆MhA ZR[l;ikŗ&_,yQPPzWnA$.IDAT~)E9p|0T|@T|@=Z$K,XeY2?T|m֦}GV&cYeeQ!Vu T|T|@mWnIEԤ}Br֤?1ZP_*>h#W@[ON~YMml0kZ63(-Mpr64lP0 cmkcܰ!54iͱD"F8N[8òWuj\mvPvv&˲+ڄee2ἑ}/ɲ3laYV9>+ʨ[nVF^^*>s7W/e2 82E(GD<D`lbjۮ,Ea mu261UKWWpy's|>[S$=|Ŝ<1nLΫ4~ogsݙ{$<@GGG @_BDrOeߏ/GꋜD+>΋ —+H*֦ e8}' %B?Aso=Is۟s__[o,?</#oOs_pԱWru=G>O7֗|E|Ʈ>;܇$%XC+PNΗ+aE cre&_ij] JVo qdʉAuo ~D'ˋ^ͭ>ԯ/.ȝ#է_K/ '9yع3>s{w{з e oT],iR-b&C}fOp>[?YEXX`[aH,CAZY,c)mJF/S?ԢMk[%>*@=|wCxAS|r z>f;qr%~O'~iWr`ݛ}]l=|J7[>n<-Q-.sz٤5~޿ҧnM8Nt͖?t;tɲxJ}h_9a/[o=ks|JߢoN?QqEyM`zC/aQߺ~[<[?{d)&c{6s 6=fMsvg}eB j'}k^zw~;ߺ{9e߻o>X]_㗖-PnHOw͜9yi՚Iީ>}CwO?p掜=}tzԙgbٷ]sٷ[q;o2Hp~:}͇^HOo֟p+x͇Rίo_xk?8Utmk-қ."rz}N?(ʹtzKq^ސӛ7.>RuAߛ/_'ntU 62V%+}k<[QrמY,ډ>I^Ů{}d!$ qO<\Q+rr*[' JQ{Ж$w2)Eĉ{ou]ɳYE,B;UAzm8}랒@꾧Jg::̻zfuzgr.}b䛋ֳow:=u_K<k 9OuO]}-~z.F/kޣOh۷jӭ[;ܪOppJI[!jzpzO_!WS1 ![1z˫CiKjp_&ى,x֭%t,x/<}IT.E훷w?}kWϜ={꿸uB/ɭօw|깗nmҀ'vܹ];_eHC9~Ͻ o:=~/]dyxNs>q8qbO89%:Zw9u8:9 {<9y⧯<7=>󎳫'nNέnmyg3<_9.=|Wj)ؐ֡}y[*ً_N7_}ґ`Mأ?(_FpC S0.>V!-6`b;v! r7y( ۿ[z(S:w'r:RtS'߼yOn~w9q4o:wwO<9:%wn8u3'OK7|ͫxk;K׹ޢˆNo)bNIj.P>]L)i3%uzXa.PН'NOIO+ Eom|z*og@H䛴EޑSdt!8;Enko])9s\ʊYc_y {s[j7.B-'4][xuoH,ΞRǝ\cO>[go40~߀ehNw4T=;uST7,\8OJ|Sp.,'mR;'Վ`Cc2q'.>fGOεWҹ)9s$9S; _ \dv=[^| W1OE디R?s*2-yx!8Ibإw6SꝷvǤpz@,dXqh "ksSw^:xt\ZuQ!~o'n):m$\NO8]RI;Nm`c&!S%H/ȝ(tȍpE,%P5? 
S肍|`CǦMtDdqu?DG<"0 ~ף(D0-vvNG/L#=` F QXԶ_~|OQ8t` 00qs ` V @Zч` 00qs ` V @Zч` 00qs ` V ts9^؄q߄g5 R^_LܓO0z .SwXMC Lz:G*GOp^,.oi9*5$ow?Oжi / :Y^D_0&}/iwA_x>Mu W9GWg~~nvn|0k?8-J5u}?O/o~Ϳ/w@\^y_pw_'eJ ֹO>Iz?n@NsGOW޼N ѩ m(5:[6,,?xĉw0 :vOVMB?G^?+e_xυ8.vtѕvC4L_iл|Zh 7*y}Z(~?kxkO? EKngϞ[7o.ny%:a] ]{Wt鵀ެ$TmO:M:m".;vN>: }[ɣ#oܢ`dFћ' YP81w( B0zZu5ԁSD)v]|ZsrQ?FߍBc]__H>+uвH{i?ʏn >gǟQ"3.fV^r't~ߒueRGt ˡefuGOw0eum8q_}tdD:6 $rWJW>˟Jtsymqɇ~!CU}]{g([EВ^+; )߂Ȓ?ߦ{Lu. ro:ԩ~)Sv'y5T98ܿ F71|Q**^tV_N覾^|D-_sZ"euH:8]eT9d&i$gZV6s H F&H\'4gyEr:N.$nwOn_ߙrב\|қ| Nz18۬~ny .`'^A@Z|#]H` 0`Os)[|mmmo,}gH8,j#*cNg s#.#@2!|6*UԾdD``j0 LwG x` s x` 00 s` ~+04p>((``pt߱AT06`[]<|J5=9``\?#xP?W} DK].Cya-k ףt;fo":0А$oеunĕ%I6$T553C.B4ųD7{]``R tv%e۲ ^jɱ1{blqO7{n```R YzK_'z ʼn[ q2] ',dtcJD,Q(m怔ؘXfsLh 2@?]s35d9hYxڳ{F'1mi"k,rF>u'1x$ qvE+ dD;йBY*}hIj),kq;vb,WTnh+-g%K/}ȊDG0" hyH]:AL>E#IުL3&n +?bө08# RIŌ*T0:d $:|}APx5%)"H:i?cei&TfƪyLN2n^dis7j9\g fqlj^5~Ah=s1s$v`ZnDk3Ȁ$r+J,XvBLK Ĭ¶^raĴZK.o-'Ip d B *` ̝Tޞ|7sSܯuSz=+<+_BϷ$v~u.l6 _*2΅6ι` @^Hs ` pp` $~` 06s. |#` uN)0Mh0 0:g}(~q ` l8=ݭ]CzB`WpݲWz 0Ff:7 =` tWz 0Ff:7 =` tWz 0Ff.u00X0ᏌC[>҃yF=(19&1h`X gG:0c:c& ŗ`$ƺWʕup<fKv ',}DHP 9L.RDde 6UrxHx9bEf X3LY⛭v?$l\fOܗֵۘ"]H/c $gn(89DЋ,z͠+ib2z7]Ǒີ3R(#]H.!nnw+ h@gK\j ƮCf/WuuP_XO c4妣G }~"P;9gUr" FٍUqn@sc-nߞf難$X5b1f|;"|vsA&9 IDAT0LQ=<ɕ\xlH8s= 2ծ9]$+ ;L{\V 83 ^@T ^Eueo_ D==)IG_*)-YD0a`{_ˏ]>z4z?<>7%0!nU{{H~T.έ+_-gW~|.`` j$s4ڨumޘO|a?ͯsRh't1⿉4;,^KIN"2E}@Sh Gd`*:7"3Jr͚QC;E{ͨ, RIь0I|>GWp9 =[#j]-Pd1 gsAr8l$dIR٭3[rvP@. 
mwi]7Q6q$Qʀ9HBHa$,̖ٙXHR[r<;Zg2\֓*SB^ ʹ4cK 1>-{%йJ='1_6%#r`r$)$f.#/~ݔt/jewyc'K^Md)Vj[HuIvAnuTq,IpA-lɭ_ 8n[2ȭe!Խ9TmrIHOd-;xMm).Zu>cв1 K#ZFf׸:SJ&VW7ikcN &$O3=`-cnԲ]kŬ[`nܬ'{ZmдQ L uJz9ԪZ,[gs2E:WT˘4-fw:{Bb8G 1PRkr"/N&u\,a.nd*GҍҭܼMOM=1XC|6_ #=Ȓ[xLu׵6e:2d82;kc759nL.Y$-_쁆iG?jwkw;unL2VV-]ADqUL4<)31 /`ařnS<}`,-nI͈h?qm>b,[UXhM_e_ CFRLJG]"nIRj3W"NZ85{ٌ;B}`n3]+_?4qϖ&F.S夵j t!8Z E(*ֵJګsn2Hi ,Q=R:l%S>k0 LBS7o2fx_xv; ,(AH 5FRhQcgU 3Vgqk%'3<nNf]-V{uu`<cڥZդnZZ +wqD&\\#uٓ"npB$N&-3V`m֙Λɜ֢ e.fnXK=$$1 /xvU{A-]-.Nkr'.u3rR)_K8侮QWԞO)}*-Rx-`&eq.,i#fc0!Y"$fdMXM T)4"2Y(Ǯ1^<[&U0`L3d:Kt Hʅ Ndt`N_ Ѵ<;nGzˠƤKe:5=Z"T: q_Z5ݹ9ܥ_i 1$!D I3PG9NI"ⴖn@6Mt=B]Ƅp^_x,e\5OE\GtS˩ƺa'%$E"ɍD+t)nBB_Hoj .Έ'gw9kNr>9(!s9N3(ǏLxؖij'QGqn.}&surFˆFzBBS\N72222K}+>5cn/LBݰ@]¼< $@\Y_^й˝cG9Jm96&S566&7=xdaJjt'Z1v2KhnE-s0̻10 MK]7!$t.7阬l^帅Pvih[&r{.эEEʩ H\{}\.\Ky΅DWOa`B[,Ms"ԮѺ5T61kt&Jܺ;OIWa>ڒUHTظU9lfNȝ)}\kQTmS1oa* 㡧csh{E'1uqZBɍoŢlؾdl M7!5I`-ҡl%ҩ-NkP 5]{<]ebɭҡ+:E2TQ(p 5%0Ѐyڠu!6)o~W5xsCh``沾Ϻ }>7k 00<PsuчhW 7Hh ͚"">Ͳ'%Mܳr Rߌnmv{I;~]UyzJ[1p\)&TT:tE`ZNFmز)w˴ qz:7.mh)6ȥo1;!A)׏ʗLq``Z+ bdVK.'ȿR]=5rgQK7Be]:[Y*MT$]QcIu >G )°1aUCr^%ʵpĀ;F K:exC9Uz]O<nd9nX "mJ,b!U"!7n|:I"tn;j^1hKt ,m9nkQ'v{@lpM%&'s|#),N^IB޶l,%]^,Rmbojwk [K2ʹitu]nܤlʥ?9ft,ﮛ6$dkStǺew7|չ aswy@]\XdnqnSCq\-mpb>-eBP#i2">,so0;*k)A%/@Lmޥˏ]ի;;;;v|{ȟ_~Oe?WF//6S0` L)L``+ud! C)G` 2й2?h` y3=` ΕA+` ̛ܼ`[.E^V'J~tR@Xhj(훖NGH9}WԆs(hA 49s =x)}K<=#}Iӛ`*4s;'Uh p~mR+}695/ju"v/H ,ohM @J2yb+oˉ%wú,,i0Kdk Zr)Ɂ IuJg8\\/|}'{.PYX_naի3g;a\ck&rN'u_q~ @VcJˬAbԑ~6^"Q$rbvYM\͕i=sf]Zs];u]\l1.exw3I><_Ke^uK^bmtzV6/W[5aڰ9gYHvk8I\p6P䝇lIg#XKzƍH{FY4\ׇC%l|X6܆Ou+?:BnDLWw[#fKH>)6Z _ O)9@0מ[=sQ h[E ȇ>? 
:1sFe"'NKLa}#0"ڷZt^/%'b``έF_qrWk-g6țmesK~"SlBX4k9;5%=+\zhl9jٺ26~bVjug^$+1 3sDB8ZK``1йuz)d*,ֹ1nG/K&10Jbn(Q ̛փK[Tw2mHI:Jp`op2"eƭ"Z-9{=ƽr9{JkiR^n91s.` s- w@$*f=hl=e\7)"4X ;йXB١$G.zVw^7݈2j}Ԉu!5u%uz+cs^K7ps>qB^` T2܊"wtV>΁OۅO__JvkHrA޴ ?.!2m r70Z2pp߸~G^ }٥G.]{.k^ k!fdQh@uΥ-ȽKJWzUteΕ/]za\1;` йuk}Ɯ`(L8A@-\-B#`@1sC9MO۸"5\½3RØ:}3[ɱ^]%?,uK-B8` й4bo9ټ-\kEڵN$%ǹrx$ט870e:_/<zKY<'b rzd<"eZcRB[{ |؈Zj-HdUio7fArt,sA```: `??ܲ0B,Ֆ0Ԡ67k\d000ws4YC%u*d\<̩? l2n}iM,9f2H-g06Vc]7t ^BvkZjL ILºeZc-Hkg0`:,)%Nvs, 07fr\VfsK[ d-9.@0ljGq74[kl])n9Ӂl؜+3g:7G9gumr,8kLҋ; ` tnrWPwV;}7Ȍ(dzT 0й% #1T:oyŞӵdje%9;5%AZ$ҵq5&: 2[ ^I˃4ԕD ))Sʱ[ &uI(0@ڃd9VCZ%Wl$B uIR{\Zι 00q8 K0 EO0tnA /.AqqTsa2F tn9^uHKQ3oxH GZ˃ZPn[ +e$rZ[`J&5JLeZc-H 0s, ɱ=A'nt[zZY p47BVdqu 0@ms)xw2q e ub:N& v`Fts-  q>~p%wtgK;q"$J wN\"sZ$WǗr|RO]- tn5u׋ h5M"w$6TbZ0[sZ F:%ݭgeEZܘIu6E@f:d#^,▛aZuYIu#7ky,xΞ1U3˰y:NX*bc\9%d MfOćeϠ.Xv/\L i'Si,JVٰ^NT6\Hnw26 9{.\ٹ"/W{ e:WC䘾a^{K,Z|D%v׹ IDATἒ.uD3>1ex"xn йơiIN`Ltx̸(h;2p Aa0-*(RQ.s$Ksdc-57&9]dԍiaYsqRGKH ng^ijD9Koc;FAHuV;y0 0uV=>BP8 <:yBf D2_g\R ǘ10O]HnGm$Her*n~ᓦ+$N&+BJFnFwʬ,vZr,}Kmf_]xBrQ9$+4˟/*jIӗ/oRL`Ϊ A~`O4؋Y%xҧ@#y􍸵cVVWˌ=+_{6 E##XOMA5:uhu1 e8]Ę r[g)Gҹ]62mX7e_:RЍSNxs2$_Hէ,rPp! 
йvv*yYNFB/=.jEU/n+Jҹ`]*ˬuh8&-~k.TZjsWEPRr&niȊr7͎j+nߟ.0Xs"/YSl@ףrwSb:iqrrv7[k`x1{ڢ}@a8qH qL'R<ǹWz7.:^̮cc@OǥDC8> Q88X `#G>bNg-<:澒]k#S0|K]pJ]ƺc?*legeӾD`` 9,$L~}lQb]ׯHA0 @V>9v̄ 005s!= r`@)O 'k=8'ArlA[WuXSH]]`400GpbhKDN$-6>T6S_Q0q\uSS!ǹ7M*̔[مWnPI\Em}&9"W*^">AnxP#Kpc\Zι 00GnY^2&*p$<"4H6byMV[w0DgafO)'qB*cJ_dd0ª(ǹKnkōi.x\ϙ\E9`` n\PQXhp'A HDʽ5'c} wcZι 0Ќjor+l%-РƤ[ZV:V >n` ̋bxKt97}&3ij R:k *zfo #d-RW>DQZ#"\shsAۻ"E2]l00PV[MhC]k땽$qcmm% b x\cL #\c0S&IYZ#X2o:\#(kC``~ ɀV)y]㐨 8й8W2M@#':9g岿SL*ݡ4AHׯFc:^/=r.[W庅h` d:Vҳ]9;%ztBwIz&Y{jPrJIJu2knE'A 6 s hIDN$-6>T6C䎓97a=5o(ž/5IR{v.\vkw-nLktsj"7;` d9Gʜ&WvnꊨsBS쵺P:!ܘ1s.` 4c96s+lKI>gZRriu=]c0F4We]"d йh:]" }!uEA&\uQ5oVrGǘĆ` t[.os Z+e2WsZak+N"q[qUW:y/xjؓs-0k%.o,ܰ kZ,x2]c-<-~X38ǹhO$-5e( hġe@~ֶH2k:%WtTiIst ` pdnl\;^l[{  @֭H8NU@kD] +S:/khސe3έ]p]ʈքʵX$UL |nITdUe78zM?\"gv.)xH#ܱ&`P$X{8{(9k+"``v @CFzS fFZ9HRr*F:nn믳Vu>)ݷ3ZH_qI5TcɥF0|n-Cȉ%Ƨ^D.fosֲ tON]nܑVt q1[n_75|(v0,9"giQZYEU+f-p>rB'͍s1k9f9ᖅY[7 ]D08Ix$Dh @tnAe*.j}hę:5<.ɥ?ק+wq1KfY/s#>fÔc+{ddZ`` `?}LC'C<ǹS/exoƬսsCWނ1]cXiJ& K@%5S9XF18op#%5κLdM}eMt`%: G %5 &3я֮?`` >gTzŽR~=EtK4ӡLWP!X[sKkuv IcSuzm3 ` prIIDHކ I݌ʢ͉Hib!lN I'ʁ6fRQ%l80 `?YZ+"0iW k* n ZWs rk؍i.xU#sȕ>QsW_9h0* O1]c.f-\XonYtҤ^)]D @vA܂ Zz˴ux>1ԺI5Ox, d-яandzfGxhJ[bCG0֘Vn f*轑iAjcعk1]V2)ud.k#ktPRsrthgߜH0HAR[]!럃mqj7  Ќ#` tnHk@|mεaoSMi ֑3ɲ*OOL %?h 0h  йpZtqdJJ+{Xsˁfi): bb@2<4& ƤoIv]I=6XWҚ(HZm|ZW~:=\ E(ǹ M*[مWnPI\E ` ̔#r|1\uHWc[EDž9'TRt"a``3,̆[k%عa-B04й:'벻Lw.rL`Ir+9 >%瑭0 wΛrS` ϭRB*M|5L-6$M`\c4d\PuX O-`Qp`` @.5'N's \ ԑ)83Nar70e:MjNNMMsT+v[FZB"ZV3V]^ 0AܢAh` 5й-~׸20B @B4  { @KC`rGg}Sc Qޣh %OWQ.{0T}z~BY1[ %Z9[onv12>lV`)ndU܆)%usٕƺ@X,E1ILqN쮳+!I t" $ U†eHZm|ډԝäf*xŗ9djVܚ0&.r+J*;R``R @+!CAq9G(ӭnLטY9v0&tearKyKݦFD%1di˅Z0s$ 0`-85YXuRN,k`U-xZ!X>QC2PlDn rz`ғWH}KlO ,2܊CC㱔_G\W]rt>fT]cp + SXc-bZCZ֯!C.0 @VZDV:Ԛ"c' QmZ X'pr9]Ik< />ʪ9e $Hb&FvN:W†s1x K]yIõ/hureCnTZnMqcZ C%r2H D~M|W'8.9Gl7kŬ ;s- SB)4`7G 0*-(9.W䤺O'PZ9Gh[.3\9=ƒ1b[b#1j+7}щHz1GH5KJ& %LrZ΍?|E: EDBbkiVk!M +a#D@#X```Cu h Ps:]k6:Z`` @;vAOf3T ֑3ɺ2MtWfF)w*F$b:ɱk ` KrHO4wq+Н4NNKWFy٘X),Ed)L&8R 
@ɨ$rrtlS[#hT|VT&0&tn1@z%+`ZcLG)Ę0<,&܀.l,ĔPrYn51Qמ*a``F ລ#r ,5nM_7(l`tp IDATmjݍajC0"00 x%Pn)elR-Z6;R/m-.#tn1輼&Eg h]cp8} ^rF1; F"HrG o=`[n4 FoEIj7 CK<.N膵Fԑ8늬Z?,` Liooogg]ˏ]>zZ./=rs^슂Ғr qsbg:߿VuۻDtWE[vn\ҕn?;ouc0:0(Ks@3J3`` @>B67Qֹj1 I3s'Y[Ct7+1 hڐ Ljx'ǮqC p` 0- =0{EYX=STD:$ͭNsCc+@JJ<@1#P]0005ňТHZm|ZmY`l]Ѥ R )GŅgYrZ71D\E900 sȕGհR܈hHGW9x2Սs1k9, [=G!4oi9ݰ}ĴHx$D  -H5YXussMzƖmҟu"C4}(q;P E`X^n200 [ S6ҡ!RQ^=8)zrDZɤv #S@[ks(00.9Ya-9u:45's[2ZP1. IH. \SL7k̅m: c` 0й=rnG{ $pkw ` tnL'w|A+9g8UE\~ Sߥ1Ƴ=+[KT++fgsέZr;p}Jԡ#Sc[.Grq'[|iqHe#eRbSH 6 )Wtnv|f\lHj[Jƭ=DL( x9 6b׋dΕd--TAR5&4 qܤ |nqOZsE*()_Rũ܌ ɩK].;`` G/n}p-+SkG٧D8kٓ:4ǃwRKL<(G]U;$\tD]YZvυ ̝p¸B&NI$K[e̸C1mvYˮpvgccݘļ[8Brΰy1[/eBh߯$*֌6^p|߬Vw"Γ[gC-rDepʒ^\du'|7|!:a,>|9HJez ;o:-Tfhs+*ׂJà\Kz= []%WZl@Xg]5Sَߺ,|9v,[,e18OmD'eYƴg4D AhF00VkG2rZ0 }}\}cX܅5 йyR:46RdtO㌅DD06܇ }OrthjJ{J*Jď g0@c[Ql9vv;/>S0vpDS` Gv!FڏkQnlv tPnw"]aMamQ0 @ ,idn@4q2esnbv=*`9x\"`8HppHܠUbq(45>pX!f;~-yt+)Epj1' BR``j @#^mseOn)*A.i.qg^*)pd``tpr9,uC /:A <n` s!sT:t2Z&$xrN0 6ti$0 @Mu1 rn=h 1\]dg`` f:1W+s \׌"P @ކby}(?` 29$wM>ɽr}Ͻm9i.8_00{s!ԋULLVD wsHIeJgB` Lr("+;@m2[DbCAGh:&bgI֘Xl"IL]kFw=mw1i-48X\<1s.5FOD1nY`df'mZ50йH qA 09|N6ɳs7V#z?VG] q) 0[9ҟi/qB0cߟ[rYI4*rk!1[0cE=)0n\nn?OY` 5c:Wj "0Z2[nۚQBw0s||5!+5ҡaXS;A ` 2Π$z֫I< ``z `?71"0\w\"` L`;ern )@17jO.Su_sdBm^!_R3<K\p,@ @VV8]9{YiVWmv48nL;` nu%9ytb]֘n&7s|f?*85VVҿ'BMzꑲs\]b&WC]bs-.x~n1h5I6L'5&L$ݖc}iq$NEBn"Zdٓtq.x sȕgėǫ|3=]c(ڦ{BS[.טKZ9v049ᖅY.x$*+VfPݥVbJQ,]"`\n8?%E{Nȥ{*G/0Z2[kYZy5o9]HDvmwLBy.9fI\]tw]l00PCYR+x.sa&K2^\f!uP&@v0` ~nETJ 齺W?홋1-R1Bed׭6[\ MdԌ[``8J0׿qcgtP: f ",{ ?܌q1los[KJWzUteΕ/]za\1vԙv3J?Y% @G eGD'z չ]|& u`uE9sI>SG,w䚤I=qv=#i"č {8,3o悳NMe:ȱ^G_9${|JZKL47fBE<s1h-̢V`d~ FrG'[cb\x&1urj<7(Q7>(RWbKAƒZ8 X'5Q]Jw%} 8PԌD@_j BX@_.qF( E P pw lHfB`" :0pճ5[Uݧο><u~UgmIJ 0B 0U o?2WRP2m֭j~dTa}@qhO(#t^i,b!:̹5X;@x4 0.!O:4>VP%G9w۳q!so(ioLυR°)(-""!͢jX⠍x kJP// ٩G~&)-?`^w bV"O)ԩ>} s7>! 2Jlۢe ٖ:ɁY9l&*2t͗!0s.`Vc;߇r[õmҀKy)GS.y5E6D&8PUɵK'_r#\=0uGs.D6Y˜-<|L CJ2J4[B ! 
L``hRJa IDAT0Whf%[dЮ#򼱚pDyIxBC9ׄG'j&](lwT vW.u$=YUCާ osBO9s(ךv8] >XIY89lvF$|mibۮiɕ=bZ1~Lٯ9mÁkf%p6"ʭg+W=n2\j>DgLvU>2K>x.NJő*(bG|d>~gU :ZRb̷bgB`iAƝ٧:ZAO'}/_!O}؃ܓSLx}n=C"@y 0λ7+ %P*c"SqgWWe*}I[5}. 5j!x֭O^=~n8-Id3onF9#haݕVf^`-Cm n oh-?+.bBcVk}! ;"[7gYb[0\Ov'ma?UzVX (@6]K8tTd-z&_U'O+ 0n3oTuVvwhsn|gHC%>Xy\*o 1zcH^bVBD'wꕞ>"1O12  %IE,g10[f9X7a<4fT۷yy xB O9w?vc! IO%`Iʷ:A&nDw Hm/ r\&5TBene[L' s7JqR(\mY $V-j [956_3@憝k-L3p)Sr`2&Sp }ϤgLY8Ͻt~}N۴M g; :n */ʪVP,%7&y [z{rɃdL/o\@(}и+̤UI$ae9'$Az^ [(q#skh p!̹ mV-վLR_;ERW އT~Ќt~$G"F$( =p{j>Dom#? PR6{۹RbVrR,ӺB؊37@k0nhx|ȕ\_)&T%$II s @"Q߼=\?^k]?DɶĎ 8Ͻm1ha-y,y+{K=[n-{FsKRVԆX !k`UulJ[sKgKpy;NJՅ11B$D<dX#f>; 0.}gxyFvhv PvJH@8 sVTo݃A)Sq⮯szcf? +mX)ׯs .Cs qΌ4x+VDm@s}Ɍ2H2nvڊYMFr=yKHr%Ya=+uӘL}#/TRXNʱ@$O]V;mk hVq:_*py(T.k9LڿZEnga(# p-%r-w;ꪴuRKRl [AC''y.pζ:stwɎ|ـr,/ju!%2 p]̹I{kg?^3#r  W' 0[ޙg:<^dMMy|jy #s{t^t^(sYw~C9E3#I>~eqZ[gXgYsVQ8Cy0ڶ3}?BIL t1T^ # x}_Cm䍢ipg4_FHRbJ4=7V0n[zd/$uRW8sij֦-mgYk۝ݗK@ RED^O;5W _uvTq 8s.r8cǕՅW;ss) 1[Jf9`C9egLsK} SWM1YTY^{oćsI΃c\(I?*O;6tVq+ZZ; !-w=4nhJ[&*9&'.A6%IvJɕ3JpO -{N2 kmP oLs,!sSW_ 7w/>wT3aggiՅ+ERKsrmItzP\sx>}ԡ|PEE p̹`>./$yIneXetUt,@H9vC}CKl[Weㆉ@ }e[ޯX%2vthjr{o,aX/O4HGK"#>Nʱ@W':3jvXvJa8TDyU{}!LxC*WYUX:;\[C;jg0w.">[f9`?:q,PVfɀ!fX , AF\#/1 6f%ճ|` id∏.(|xBg#g&VfkɞeDJB% `繷mK ^WI#2 x}EHH2cyS#^FH-[J +gqMcڊqKpzD$#HN  p!̹f]R6Sk=-UTá"T@*OagUBj zŒQ%@x2r&_W;Ӻs鐊B=%os+v@8~Ad=LUYFК]`- '[u۰.'=8j,_FF5BD8j|]N3`w?3 tɸlkepLVv$R{o,>QG`)8<S:R1Bg#mC3j+n{;5m*xK.rBO[fTUYlIKC%:ZnG]\$4vzR>J:˹; pff/6i[N5uyyvjWEyX<6mV#'G 9ދN-ZbgF-4ڪrk y.?WoSfi%D|TrL <`>5%p{ۦ3ǤV[nGܤcj W+Y||PĴư"]klexc2,[>q m 0U;X”(PC39)}Z[- e+ELU,v@TsڎGOP5@%֝UG0uh<+h[YJ;Up xl̹,-#<> ?bKǾ.{7/XZ>MJPj LxB̹`tj՘liuz5[2f9`s.pέ?$/Ki')V*ZGvx/).ђ Sc 0sYZv.?9t۪?*W%VX av5N̈x坪>ɾ_~dvrq @78Ʋt^NbQRYt H;COi۰6Jj xx̹`o~}[ F>QR _[ٽ*T!o,B`syw ,sϲB"I <*ܣº{H,*]賰o.ۯM؏lKO`:NΌy2IOgRr BOCVC޷Gif{+;g/%ڛ!8݉eN Wff,: udVe/mM,=3 %T\CUfU~HJK!/  p̹NI׳{f{6Ǩ^rX_yL˶!\JUQDN; p-̹`0l%sj=w_-%f5lΥbzI7  p-̹G g9?YC % @H9wŸ7rgg)4RÌIbDA`oy,O|!ϸ~ɭ'[IlwKlTl I0炍~oO|[cqaѪ=_f-[:Z%`.J9wэC.Qx4` =$Ux@v 
Me;΀sU1?))rR@Me~\<F(:D<=Cp>u&22sN='FD.<&NvI{CT1^оm}y%oq*%fi' KQ{.rH[טyOڼxTJ{)Cȡіi%ygIf % ` 0n4&"˴Km9N+3\bgC~IB!u)ZxzcGRne-!܌!'~Bo5V-{ws',K\;YBcK,V$\p^ R80qJKkpJ$~ɇS* 0sw_|Z5Gy/g\Ҳ wg = QX翄Ͻ2>٧:XO'}/_!gd•mMy a'۟趋A]()4.Vs[g>K+k'xfƱ<K!smr|IܹRd,%Tt"o~)Yy '${3`oI7_oe" x}=])!sn>Xm]N'!i)zB3#^Wu%%.2DїcCvd~װ@p*&ߥ܉VI_ʨ]U}'dswH^g(\nU)e-!snƐT:c;c{IW͚,"W[BcK,V2̹n) {#)D9鿬V7 $uGK Sc.D9w,z,lo>y=jTW=$uq 8C?6cJ̾x[5,=*!4O@` so& H: U_INV||-n7Β4ٗsJIDATVy?dJ],-3Һ7zB sϷ'(8Ʉ+b^{Z_CyAi'J }(㙓`΍cM&@O979!@`8d s㙓8q sξ'Ͼx>T @8d s㙓`΍cM&@O979!@`8d s㙓`΍cM&@O979!@`8d s㙓`΍cM&@O`Ϸ|NB$J-| F ac KI8\ `]~ ):s8\ `]~ ):s8\ L|ר_C'*!`Νvk.oT.w?Z?[,,'[QW~_^+f]1ڳ|%NE ORk:ei\0@0̹П*̶2Q (ЪW=g9L+-z%-دK9wݽLyf䟥lyVvRNfm:GnVׁW{DswjAX2=˘,V5TǻNeڽZ,L[>J \ԥ>8\e7`/ʕ WiH3iq>[ZwBIok\\ufȤCs7w4?U.m5itM ǀQ7їi֦/ms@_Sar[Տ`=&./!'hF/>ɚl>Ifj5 g p}¸ I..j+  sJh&v:ȼg(}k^._:%qX_S{QakoWVYM='_ճ 9I:dcT.xڇ 5[מ|繇UOTb/ʎqV]\F]Ig}<蜄+ 2mz^<(YY;˟sy:Uʻ5ۼ[$Th)Üf[vվnU</C׏˒ۜwd_d@F}U|'?-9ο Y@OMӟ}?k^A&1> ޿x޲&CYI pj̹So @`%J, >އ>n p:2تQOO:p@"GTsB@@lCbyrNG@[f1Ny ce`@&  '4侜 TwoNets1 teastep Hewlett Packard Company 671351309 671351309 AQAAAIwAAAAAAAAAAAAAAHwAAAChAAAAAAAAAAAAAAAcDAAAvQ4AACBFTUYAAAEAHO8AAAMAAAABA AAADwAAAGwAAAAAAAAAAAUAAAAEAABAAQAA8AAAAAAAAAAAAAAAAAAAAADiBACAqQMAVgBJAFMASQ BPAAAARAByAGEAdwBpAG4AZwAAAAAAAABMAAAAfO4AAAAAAAAAAAAAfAAAAKEAAAAAAAAAAAAAAH0 AAACiAAAAIADMAAAAAAAAAAAAAACAPwAAAAAAAAAAAACAPwAAAAAAAAAA////AAAAAABkAAAAKAAA AIwAAADw7QAAKAAAAH0AAACiAAAAAQAYAAAAAADw7QAAAAAAAAAAAAAAAAAAAAAAAP/////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////wD///////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////8A////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////AP/////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////wD//////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
/////////////////////////////8A////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////AP////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////wD//////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////8A//////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// //////////////////AP///////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////wD////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////8A//////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////AP//////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////wD///////////////////// //////////////////////////////////////////////////////////9gYGCfn5/////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////8A/////////////////////////////////////////////////////////// /////////////////////YGBgn5+f//////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////AP/////////////////// ////////////////////////////////////////////////////////////2BgYJ+fn///////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////wD///////////////////////////////////////////////////////// //////////////////////9gYGCfn5////////8AAAD///8AAAD///8AAAD///8AAAD///8AAAD// /8AAAD////f39// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////8A///////////////////////////////// ///////////////////////////////////////////////YGBgn5+f////WFhY////QEBA////QE BA////QEBA////QEBA////QEBA////QEBA/////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////AP////////////////////////////////////////////////////////////////////// /////////2BgYJ+fn//////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////wD/////////////////////////////// ////////////////////////////////////////////////9gYGCfn5///////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////8A///////////////////////////////////////////////////////////////////// ///////////YGBgn5+f////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////AP///////////////////////////// //////////////////////////////////////////////////2BgYJ+fn/////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////wD/////////////////////////////////////////////////////////////////// ////////////9gYGCfn5///////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////8A//////////////////////////// ////////////////////////////////////////////////////YGBgn5+f///////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////AP///////////////////////////////////////////////////////////////// 
//////////////2BgYJ+fn/////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////wD///////////////////////////////////////// //////////////////////////////////////9gYGCfn5/////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////8A// ///////////////////////////////////////////////////////////////////////////// /YGBgn5+f//////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////AP/////////////////////////////////////// ////////////////////////////////////////2BgYJ+fn///////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////wD 
///////////////////////////////////////////////////////////////////////////// //9gYGCfn5/////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////8A////////////////////////////////////// //////////////////////////////////////////YGBgn5+f/////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// AP/////////////////////////////////////////////////////////////////////////// ////2BgYJ+fn///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////wD//////////////////////////////////// ///////////////////////////////////////////9gYGCfn5////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// /8A////////////////////////////////////////////////////////////////////////// //////YGBgn5+f/////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////AP///////////////////////////////////////////////// //////////////////////////////2BgYJ+fn/////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////wD////////// /////////////////////////////////////////////////////////////////////9gYGCfn5 ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////8A//////////////////////////////////////////////// ////////////////////////////////YGBgn5+f///////////////////////////////////// ///////////////////n5+fn5+f////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////AP//////// ///////////////////////////////////////////////////////////////////////2BgYJ+ fn////////////////////////////////////////////////////////39/f39/f/////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////wD////////////////////////////////////////////// /////////////////////////////////9gYGCfn5//////////////////////////////////// ////////////////////9/f39/f3///////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////8A/////// /////////////////////////////////////////////////////////////////////////YGBg n5+f////////////////////////////////////////////////////////f39/f39////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////AP//////////////////////////////////////////// ///////////////////////////////////2BgYJ+fn////////////////////////////////// //////////////////////39/f39/f/////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////wD///// ///////////////////////////Hx8d/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f38wM DBQUFB/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39AQEBAQEB/f39/f3 9/f39/f39/f39/f39/f39/f39/f39/f39/f39/f3+Xl5f//////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////8A////////////////////////////z8/PBAQEAAAAPT09QUFBQUFBQUFBQU FBQUFBQUFBQUFBQUFBQUFBGBgYKSkpQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF BQUFBQUFBISEhISEhQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBLS0teHh4//// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////AP////////////////// /////////3h4eDAwMGhoaEZGRnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2diwsLEpKSnZ2dnZ2d nZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2djs7Ozs7O3Z2dnZ2dnZ2dnZ2dnZ2dn Z2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dmdnZyAgIP///////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////wD///////////////////////////9ISEhgYGCPj48vLy9qampqampqamp PT08bGxsbGxsbGxsbGxsbGxsKCgoREREbGxsbGxsbGxsWFhYbGxsHBwcbGxsHBwcbGxsHBwcbGxsR EREbGxsbGxsNDQ0NDQ0bGxsbGxsbGxsbGxsbGxsbGxs7OztqampqampqampqampqampqamoQEBDv7 
+//////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////8A///////////////// ///////////YGBgUFBQeHh4MjIyXl5eXl5eXl5eLy8vIyMjRkZGRkZGRkZGRkZGRkZGRkZGRkZGRk ZGRkZGRkZGEhISRkZGEhISCQkJEBAQRkZGEhISRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZ GNTU1GBgYXl5eXl5eXl5eXl5eXl5eW1tbCAgI//////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////AP///////////////////////////5eXlxAQEDAwMD8/P1FRUVFRUVFR USgoKCgoKFFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUQoKCkdHR1FRUVFRU VFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUT09PRQUFFFRUVFRUVFRUVFRUVFRUTo6OkBAQP ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////wD/////////////// ////////////////9QUFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoKCjf39/////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////8A///////////////////////////////////////////////////// ///f39/f39/////////////////////////////////////////////////////ICAg39/f////// 
//////////////////////////////////////////v7+/QEBA/////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////AP///////////// //////////////////////////////////////////39/f39/f/////////////////////////// /////////////////////////yAgIN/f3//////////////////////////////////////////// ////7+/v0BAQP//////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////// /////////wD///////////////////////////////////////////////////////9/f39/f3/// /////////////////////////////////////////////////8gICDf39//////////////////// ////////////////////////////+/v79AQED//////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////8A/////////////////////////// /////////////////////////////f39/f39///////////////////////////////////////// ////////////ICAg39/f////////////////////////////////////////////////v7+/QEBA/ ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////AP///////////////////////////////////////////////////////39/f39/f/ 
///////////////////////////////////////////////////yAgIN/f3////////////////// //////////////////////////////7+/v0BAQP////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////wD///////////////////////// ///////////////////////////////f39/f39/////////////////////////////////////// /////////////+/v7/////////////////////////////////////////////////////39/fHx8 f//////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////8A/////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////AP/////////////////////// ////////////////////////////////////////////////////////////////0BAQP///wAAAP ///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///39/f////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
//////////////wD///////////////////////////////////////////////////////////// //////////////////////////////9AQED///9AQED///9AQED///9AQED///9AQED///9AQED// /9AQED///9AQED/////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////8A////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////AP/////////////////////////////////////////////////////////// /////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////wD/////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// //8A///////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////AP///////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////wD/////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////8A//////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
[Embedded binary image data from the documentation archive (Visio EMF previews, a gzipped Dia file and a PNG), not reproduced here. Recoverable information: a Visio network diagram with the labels Network, Internet, 192.168.1.1, 206.162.148.9, 134.28.54.2, 192.168.1.0/24, A and B; the archive members images/Network2012a.dia, images/veth1.png and images/dmz2.vdx (Visio drawing titled "dmz1", author teastep).]
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////wD///////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////8A/////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////AP/////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////wD///////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////// //////////////////////////////8A///////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////AP///// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////wD/////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////8A//// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////AP///////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////wD// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////8A//////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////AP ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////wD////////////////////////////////////// /////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////8A////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////AP/////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////wD//////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////8A////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////AP////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////wD//////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////8A///////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////AP////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////wD////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////8A//////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////AP//////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////wD////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////8A/////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////AP//////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////wD///////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////8A/////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////AP////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////wD//////////////////////////////////////////////////////////////////// 
///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////8A///////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////AP////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////wD///////////////+Gj48wQEAwQE AwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEA wQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEAwQEBB UFDv7+/////////////////////////////////////////////////39/dDUEMwQDAwQDAwQDAwQ DAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQD AwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDAwQDA wQDAwQDAwQDAwQDAwQDAwQDAwQDCip6L///////////////////////////////////////////// 
//////////8A////////////////MEBAAI+PAL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/A L+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL +/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/AL+/DDAwv7+//////////////////////////////// /////////////////39/fCRgJAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8A AL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AA L8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAL8AAHgAVGBU////// //////////////////////////////////////////////////AP///////////////zBAQAC/vwD //wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD/ /wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD// xBAQL+/v////////////////////////////////////////////////9/f3wwgDAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP/////////////////////////////////////////// ////////////wD///////////////8wQEAAv78A//8A//8A//8A//8A//8A//8A//8A//8A//8A// 8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8 A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8QQEC/v7////////////////////////////// ///////////////////f398MIAwA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/ wAA/wAA/wAA/wAA /wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/ wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAnwBUYFT/////////////////// ////////////////////////////////////8A////////////////MEBAAL+/AP//AP//AM/PAP/ /AH9/AP//AH9/AP//AH9/AP//AH9/AP//AH9/AP//AO/vAP//AP//AP//AP//AP//AP//AP//AOfn AP//AEBAAP//AEBAAP//AEBAAP//AEBAAP//AEBAAP//ALe3AP//AP//AP//AP//EEBAv7+////// ///////////////////////////////////////////39/fDCAMAP8AAP8AAP8AAP8AAP8AAIcAAP 8AAEAAAP8AAEAAAP8AAEAAAP8AAEAAAP8AAEAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8 AAP8AAP8AAP8AAP8AAP8AAEAAAP8AAEAAAP8AAEAAAP8AAEAAAP8AAEAAAP8AAEAAAP8AAP8AAP8A 
AP8AAP8AAP8AAJ8AVGBU////////////////////////////////////////////////////////A P///////////////zBAQAC/vwD//wD//wD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//w AAAAD//wD//wD//wD//wD//wD//wD//wD//wD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD //wAAAAD//wD//wD//wD//wD//xBAQL+/v/////////////////////////////////////////// /////9/f3wwgDAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/A AAgAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AADfAAD/AAAAAAD/AAAAAA D/AAAAAAD/AAAAAAD/AAAAAAD/AACfAAD/AAD/AAD/AAD/AAD/AACfAFRgVP///////////////// //////////////////////////////////////wD///////////////8wQEAAv78A//8A//8A5+cA //8Av78A//8Av78A//8Av78A//8Av78A//8Av78A//8A9/cA//8A//8A//8A//8A//8A//8A//8A/ /8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8QQEC/v7//// /////////////////////////////////////////////f398MIAwA/wAA/wAA/wAA/wAA/wAA/wA A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA /wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/ wAA/wAA/wAA/wAAnwBUYFT/////////////////////////////////////////////////////// 8A////////////////MEBAAL+/AP//AP//AP//AEBAAP//AEBAAP//AEBAAP//AEBAAP//AEBAAP/ /AEBAAP//AP//AP//AP//AP//AP//AP//AP//AP//AAAAAP//AAAAAP//AAAAAP//AAAAAP//AAAA AP//AAAAAP//AP//AP//AP//AP//EEBAv7+////////////////////////////////////////// ///////39/fDCAMAP8AAP8AAP8AAP8AAP8AAP8AAEAAAP8AAEAAAP8AAEAAAP8AAEAAAP8AAEAAAP 8AAEAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAHAAAP8AAEAAAP8AAEA AAP8AAEAAAP8AAEAAAP8AAEAAAP8AAEAAAP8AAP8AAP8AAP8AAP8AAJ8AVGBU//////////////// ////////////////////////////////////////AP///////////////zBAQAC/vwD//wD//wAAA AD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wBAQAD//wD//wD//wD//wD//wD//wD//w BAQAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wAAAAD//wD//wD//wD//xBAQL+/v// //////////////////////////////////////////////9/f3wwgDAD/AAD/AAD/AAD/AAD/AAAg AAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AADfAAD/AAD/AAD/AAD/AAD/AAD/AAD/A 
AD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAD/AA D/AAD/AAD/AAD/AACfAFRgVP///////////////////////////////////////////////////// //wD///////////////8wQEAAv78A//8A//8A//8Av78A//8Av78A//8Av78A//8Av78A//8Av78A //8Av78A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A/ /8A//8A//8A//8A//8A//8A//8A//8QQEC/v7//////////////////////////////////////// /////////f398MIAwA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA /wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAnwBUYFT////////////// /////////////////////////////////////////8A////////////////MEBAAL+/AP//AP//AP //AP//AP//AP//AEBAAP//AEBAAP//AEBAAP//AP//AP//AP//AP//AP//AP//AP//AP//AP//AP/ /AP//AP//AP//AP//AAAAAP//AAAAAP//AAAAAP//AP//AP//AP//AP//AP//AP//AP//EEBAv7+/ ////////////////////////////////////////////////39/fDCAMAP8AAP8AAP8AAP8AAP8AA P8AAP8AAP8AAP8AAAAAAP8AAAAAAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP 8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAJ8AAP8AAAAAAP8AAAAAAP8AAH8AAP8AAP8AAP8AAP8 AAP8AAP8AAP8AAP8AAJ8AVGBU//////////////////////////////////////////////////// ////AP///////////////zBAQAC/vwD//wD//wD//wD//wD//wC/vwD//wAAAAD//wAAAAD//wD// wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wAAAAD//wAAAAD//w C/vwD//wD//wD//wD//wD//wD//wD//xBAQL+/v////////////////////////////////////// //////////9/f3wwgDAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAgAAD/AAAAAAD/AAAAAAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AAAAAD/AAAAAAD/ AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AACfAFRgVP/////////////////////////// ////////////////////////////wD///////////////8wQEAAv78A//8A//8A//8A//8A//8A// 8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8 A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8QQEC/v7////////////// ///////////////////////////////////f398MIAwA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/ 
wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA A/wAAnwBUYFT///////////////////////////////////////////////////////8A//////// ////////MEBAAL+/AP//AP//AP//AP//AP//AAAAAAAAAAAAAAAAAAAAAAAAAP//AP//AP//AP//A P//AP//AP//AP//AP//AP//AP//AP//AP//AP//AP//AAAAAAAAAAAAAAAAAAAAAAAAAP//AP//AP //AP//AP//AP//AP//EEBAv7+/////////////////////////////////////////////////39/ fDCAMAP8AAP8AAP8AAP8AAP8AAP8AAAAAf39/AAAAAAAAf39/f39/f39/f39/AAAAAP8AAP8AAP8A AP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAf39/AAAAf39/f39/f 39/f39/f39/AP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAJ8AVGBU////////////////////////// //////////////////////////////AP///////////////zBAQAC/vwD//wD//wD//wD//wD//wA AAAAAAAAAAAAAAAAAAAAAAAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD/ /wD//wAAAAAAAAAAAAAAAAAAAAAAAAD//wD//wD//wD//wD//wD//wD//xBAQL+/v//////////// ////////////////////////////////////9/f3wwgDAD/AAD/AAD/AAD/AAD/AAD/AH9/f39/f/ Ly8vLy8n9/f39/f39/fwAAAH9/fwD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AH9/f39/f/Ly8n9/fwAAAH9/f39/f39/fwD/AAD/AAD/AAD/AAD/AAD/AAD/ AAD/AACfAFRgVP///////////////////////////////////////////////////////wD////// /////////8wQEAAv78A//8A//8A//8A//8A//8AAAAAAAAAAAAAAAAAAAAAAAAA//8A//8A//8A// 8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8A//8AAAAAAAAAAAAAAAAAAAAAAAAA//8A//8 A//8A//8A//8A//8A//8QQEC/v7/////////////////////////////////////////////////f 398MIAwA/wAA/wAA/wAA/wAA/wAA/wAAAAB/f38AAAAAAAA/Pz9vb29/f38AAAAAAAAA/wAA/wAA/ wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAB/f38AAAB3d3cwMD AAAAAAAAB/f38A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAnwBUYFT//////////////////////// ///////////////////////////////8A////////////////MEBAAL+/AP//AP//AP//AP//AP// AAAAAAAAAAAAAAAAAAAAAAAAAP//AP//AP//AP//AP//AP//AP//AP//AP//AP//AP//AP//AP//A P//AP//AAAAAAAAAAAAAAAAAAAAAAAAAP//AP//AP//AP//AP//AP//AP//EEBAv7+/////////// 
///////////////////////////////v7+/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGBgg///////////// ///////////////////////////AP//////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////wD///////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////8A/////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////AA4AAAAUA AAAAAAAABAAAAAUAAAA 2002-08-11T06:46:41 2003-12-23T08:44:21 2002-08-11T11:11:58 2002-08-11T06:46:41 11 39 1 0 0 0 0 0 1 0 0 0 0 
1 1 1 0.25 0.25 0.25 0.25 1 1 1 0 0.01 0 1 0 2 0 0 0 2 0 1 0 1 0 1 0 0 0 0 0 0 0 0 0 1 0 0.5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 32 0 0 8 8 0 0 0 0 1 0.5 0.5 0 0 0 0 1 2 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0.125 0.125 0.25 0.25 0.375 0.375 0.125 0.125 0.66666666666667 0.66666666666667 0 0 0 0 0 0 0 0 1 0 0.16666666666667 0 0 0 0 0 0 0 0 0 -1.2 0 0 1 0 1 1 1 0 0.01 0 0 0 2 0 0 0 2 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0.5 0 0 0 0 0 -1.2 0 0 0 0 1 1 1 0 0.01 0 0 0 2 0 0 0 2 0 1 0 0 0 1 0 0 0 0 0 1 1 1 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 1 0 0.5 0 0 1 1 1 0 0 4 23 0 2 0 0 0 2 0 1 0 0 0 1 0 0 0 0 0 0.055555555555556 0.055555555555556 0 0 2 0 0.5 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0 0 0 0 0 0 0 0 0 0 0 4 0 0 1 0 0.125 0 0 0 0 0 0 1 1 1 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 1 0 0.5 0 0 0.0033333333333333 0 1 0 2 0 0 0 2 0 1 0 1 0 1 0 0 0 0 0 0 0 0 0 1 0 0.11111111111111 0 0 0 0 0 0 1 0 0 0 0.01 0 1 0 2 0 0 0 2 0 1 0 0 0 0.0033333333333333 0 1 0 2 0 0 0 2 0 0 1 0 0 0 0 1 0 1 0 0 0 0 0 0 0 1 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 1 2 0.5 0 0 1 0 0 0 0.01 1 1 0 2 0 0 0 2 0 0 0 1 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 1 0 0.5 0 0 1 0 0 0 1 0 0.13888888888889 0 0 0 0 0 0 0 0 0 -1.2 0 0 1 0 0 0 1 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 0 0 0.5 0 0 0 0 0 -1.2 0 0 0 0 1 0 0 0 1 0 0.13888888888889 0 0 0 0 0 0 0 0 1 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 0 0 0.5 0 0 1 0 0 0 1 0 0.13888888888889 0 0 0 0 0 0 0 0 0 -1.2 0 0 1 0 0 0 1 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 1 0 0.5 0 0 2 0 0 0 1 0 0.13888888888889 0 0 0 0 0 0 0 0 0 -1.2 0 0 1 0 0 0 1 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 0 0 0.5 0 0 2 0 0 0 1 0 0.13888888888889 0 0 0 0 0 0 0 0 0 
-1.2 0 0 1 0 0 0 1 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 0 0 0.5 0 0 0 0 0 -1.2 0 0 0 0 2 0 0 0 1 0 0.13888888888889 0 0 0 0 0 0 1 1 1 0 0.0033333333333333 0 1 0 2 0 0 0 2 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 1 2 0.5 0 0 0 0 0 0 1 0 0.11111111111111 0 0 0 0 0 0 1 1 1 0 0.0033333333333333 0 1 0 2 0 0 0 2 0 0.055555555555556 0.055555555555556 0.055555555555556 0.055555555555556 1 0 0.5 0 0 0 0 0 0 1 0 0.11111111111111 0 0 0 0 0 0 0 0 0 -1.2 0 0 1 0 1 1 1 1 0.01 0 1 0 2 0 0 0 2 0 0 1 1 0 1 0 0 0 0 0 0 0 0 0 1 0 0.16666666666667 0 0 0 0 0 0 2 0 0 2 Visio Network Solutions
http://officupdate.com/visio/
0 0
85 110 0.125 -0.125 1 10 0 3 0 0 0 1 1 0 0 0 0 0 0 16 16 0 0 8 4 0 0 0 0 Network 255 0 1 1 0 0 1 1 Network 0 Connector 255 0 1 1 0 0 1 1 Connector 0 56 95.5 44 25 22 12.5 0 0 0 0 2 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 44 0 44 25 0 25 0 0 58 56 34 28 17 14 0 0 0 0 3 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 34 0 34 28 0 28 0 0 17 56 28 28 14 14 0 0 0 0 5 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 28 0 28 28 0 28 0 0 9.473828125 53.196994991653 4.0901502504174 6.3939899833055 2.0450751252087 3.1969949916528 0 0 0 0 0 0 0 0 0 0 4.6457058059729 3.1969949916528 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 2.0450751252087 6.3939899833055 0 0 0 1 2.0450751252087 3.1969949916528 4.0515625 6.34375 2.02578125 3.171875 0 0 0 0 0 0 4.0515625 6.34375 0 0 0 0 0 0 2.02578125 -2.4695644360972 10.681966146833 2.4444444444444 5.3409830734167 1.2222222222222 0 23.473828125 53.196994991653 4.0901502504174 6.3939899833055 2.0450751252087 3.1969949916528 0 0 0 0 0 0 0 0 0 0 4.6457058059729 3.1969949916528 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 2.0450751252087 6.3939899833055 0 0 0 1 2.0450751252087 3.1969949916528 4.0515625 6.34375 2.02578125 3.171875 0 0 0 0 0 0 4.0515625 6.34375 0 0 0 0 0 0 2.02578125 -2.4695644360972 10.681966146833 2.4444444444444 5.3409830734167 1.2222222222222 0 16.746545526631 64.454545454545 10.455284552846 1.0909090909091 5.2276422764228 0.54545454545455 0 0 0 0 0 0 0 0 0 0 11.010840108401 0.54545454545455 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 5.2276422764228 -2.4444444444444 5.2276422764228 0.54545454545455 7 2 1 Reposition Equipment Label 11.010840108401 0.54545454545455 5.2276422764228 0.54545454545455 9 2 1 Reposition Text 5.2276422764228 1.0909090909091 0 0 0 1 10.455284552846 0.54545454545455 0 0 0 1 0 0.54545454545455 0 0 0 1 5.2276422764228 0.54545454545455 10.455284552846 1.0909090909091 5.2276422764228 0.54545454545455 0 0 
0 0 0 0 10.455284552846 1.0909090909091 0 0 0 0 0 0 5.2276422764228 -2.4444444444444 7.6584201398889 2.4444444444444 3.8292100699444 1.2222222222222 0 0 0 0 0 0 0 10.455284552846 0 10.455284552846 1.0909090909091 0 1.0909090909091 0 0 48.792229143066 51.101450892857 5.7390625 2.0828125 2.86953125 1.04140625 0 0 0 0 0 0 0 0 0 0 6.2946180555556 1.04140625 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 2.86953125 1.04140625 5.7390625 2.0828125 2.86953125 1.04140625 0 0 0 0 0 0 5.7390625 2.0828125 0 0 0 0 0 0 2.86953125 -2.4444444444444 9.3863932301667 2.4444444444444 4.6931966150833 1.2222222222222 0 66.273325892857 51.04140625 5.7390625 2.0828125 2.86953125 1.04140625 0 0 0 0 0 0 0 0 0 0 6.2946180555555 1.04140625 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 2.86953125 1.04140625 5.7390625 2.0828125 2.86953125 1.04140625 0 0 0 0 0 0 5.7390625 2.0828125 0 0 0 0 0 0 2.86953125 -2.4444444444444 9.3863932301667 2.4444444444444 4.6931966150833 1.2222222222222 0 57.188504464286 64.4234375 11.0515625 1.153125 5.52578125 0.5765625 0 0 0 0 0 0 0 0 0 0 11.607118055556 0.5765625 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0.5765625 0 0 0 1 11.0515625 0.5765625 0 0 0 1 5.52578125 1.153125 0 0 0 1 5.52578125 0.5765625 11.0515625 1.153125 5.52578125 0.5765625 0 0 0 0 0 0 11.0515625 1.153125 0 0 0 0 0 0 5.52578125 -2.4444444444444 7.6584201398889 2.4444444444444 3.8292100699444 1.2222222222222 0 50.227476178676 58.275311727045 2.87049407122 12.29625154591 1.43524703561 6.1481257729549 0 0 0 0 48.792229143066 52.12718595409 51.662723214286 64.4234375 1 0 0 0 0 0 0 0 0 1 0 0 2 2 0 2 2 2 0 1 -2.512147933894E-15 7.5833728085649 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 4 0 0 0 0 0 0 1 0 0 0 0 0 0 12.29625154591 2.87049407122 12.29625154591 64.493805803572 58.245289405617 3.5590401785716 
-12.356296188767 1.7795200892858 -6.1781480943834 0 0 0 0 62.714285714286 64.4234375 66.273325892857 52.067141311233 1 0 0 0 0 0 0 0 0 1 0 0 2 2 0 2 2 2 0 1 3.5590401785716 -4.3986280050976 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 5 0 0 0 0 0 0 1 0 0 0 0 0 3.5590401785716 0 3.5590401785716 -12.356296188767 27.123272763316 70 -20.753454473369 -10 -10.376727236684 -5 0 0 0 0 37.5 75 16.746545526631 65 1 0 0 0 0 0 0 0 0 1 0 0 2 2 0 1 2 2 0 1 -15.376727236684 -3.9720546451956E-15 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 -20.753454473369 0 -20.753454473369 -10 49.094252232143 70 16.188504464286 -10 8.0942522321429 -5 0 0 0 0 41 75 57.188504464286 65 1 0 0 0 0 0 0 0 0 1 0 0 2 2 0 1 2 2 0 1 13.094252232143 0 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 16.188504464286 0 16.188504464286 -10 39.407965750209 89.31796875 3.778125 1.3640625 1.8890625 0.68203125 0 0 0 0 0 0 0 0 0 0 4.3336805555556 0.68203124999999 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1.8890625 0 0 0 0 1 3.778125 0.68203125 0 0 0 1 1.8890625 0.68203125 3.778125 1.3640625 1.8890625 0.68203125 0 0 0 0 0 0 3.778125 1.3640625 0 0 0 0 0 0 1.8890625 -2.4444444444444 8.5834418412778 2.4444444444444 4.2917209206389 1.2222222222222 0 39.407965750209 84.310160703144 2 8.6515535937115 1 4.3257767968557 0 0 0 0 39.407965750209 79.984383906289 39.407965750209 88.6359375 1 0 0 0 0 0 0 0 0 1 0 0 2 2 0 2 2 2 0 1 1 4.3257767968557 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 8.6515535937115 22.724007964027 60.424267718925 2 -8.06055547124 1 -4.03027773562 0 0 0 0 21.974187803054 64.454545454545 23.473828125 56.393989983306 1 0 0 0 0 0 0 0 0 1 0 0 2 2 0 2 2 2 0 1 1.7498201609729 -3.2804575746471 1.1111111111111 2.4444444444444 0.55555555555556 
1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0.25017983902712 0 1.7498201609729 0 1.7498201609729 -8.06055547124 10.496365687604 60.424267718926 -2.0450751252087 -8.0605554712399 -1.0225375626043 -4.03027773562 0 0 0 0 11.518903250209 64.454545454545 9.473828125 56.393989983306 1 0 0 0 0 0 0 0 0 1 0 0 2 2 0 2 2 2 0 1 -2.0450751252087 -3.0077401730156 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 -2.0450751252087 0 -2.0450751252087 -8.0605554712399 46.297028250209 89.31796875 10 2.5 5 1.25 0 0 0 0 41.297028250209 89.31796875 51.297028250209 89.31796875 0 0 0 0 0 0 5 -1.2222222222222 10 2.4444444444444 5 1.2222222222222 0 0 0 0 0 0 1.25 6.25 2.5 5.3125 0.75 10 1.25 3.75 0 4.6875 1.75 0 1.25 70.94765625 102.209375 10.1046875 7.58125 5.05234375 3.790625 0 0 0 0 0 0 0 0 0 0 10.660243055556 3.790625 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 0 0 0 0 0 1 5.05234375 3.790625 10.1046875 7.58125 5.05234375 3.790625 0 0 0 0 0 0 10.1046875 7.58125 0 0 0 0 0 0 5.05234375 -2.4444444444444 4.0142144107222 2.4444444444444 2.0071072053611 1.2222222222222 0 56.802236583542 88.916666666667 10.566666666667 2.1666666666667 5.2833333333333 1.0833333333333 0 0 0 0 0 0 0 0 0 0 11.122222222222 1.0833333333333 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 5.2833333333333 1.0833333333333 10.5203125 2.121875 5.26015625 1.0609375 0 0 0 0 0 0 10.5203125 2.121875 0 0 0 0 0 0 5.26015625 -2.4668402777778 7.9665798621111 2.4444444444444 3.9832899310556 1.2222222222222 0 62.654764125104 94.209375 10.624498418403 2.5 5.3122492092017 1.25 0.9147175961819 0 0 0 59.414215750209 90 65.8953125 98.41875 0 0 0 0 0 0 5.3122492092017 -1.2222222222222 10.624498418403 2.4444444444444 5.3122492092017 1.2222222222222 0 0 0 0 0 0 1.25 6.5622492092017 2.5 5.6247492092017 0.75 10.624498418403 1.25 4.0622492092017 0 4.9997492092017 1.75 0 1.25 11.055555555556 68.61994949495 12.111111111111 4.760101010101 
6.0555555555556 2.3800505050505 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 12.111111111111 0 12.111111111111 4.760101010101 0 4.760101010101 0 0 DMZ ZONE 67.785714285714 68.5 16 3 8 1.5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 16 0 16 3 0 3 0 0 LOCAL ZONE 46.055555555556 105 20.111111111111 3.2146464646465 10.055555555556 1.6073232323232 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 20.111111111111 0 20.111111111111 3.2146464646465 0 3.2146464646465 0 0 NET ZONE 49.015873015873 46.81746031746 11.968253968254 1.7777777777778 5.9841269841271 0.88888888888889 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 11.968253968254 0 11.968253968254 1.7777777777778 0 1.7777777777778 0 0 Local Computer1 10.10.10.1 66.428571428571 46.81746031746 11.142857142857 1.7777777777778 5.5714285714286 0.88888888888889 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 11.142857142857 0 11.142857142857 1.7777777777778 0 1.7777777777778 0 0 Local Computer 2 10.10.10.2 9.5714285714286 46.928571428571 11 2 5.5 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 11 0 11 2 0 2 0 0 DMZ Computer 1 10.10.11.1 23.392857142857 46.785714285714 12.5 2 6.25 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 12.5 0 12.5 2 0 2 0 0 DMZ Computer 2 10.10.11.2 57 85.75 14 3.5 7 1.75 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14 0 14 3.5 0 3.5 0 0 ISP’s Router 70.5 102.5 9 2.5 4.5 1.25 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 9 0 9 2.5 0 2.5 0 0 Internet 22.5 66.75 11 2.5 5.5 1.25 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 11 0 11 2.5 0 2.5 0 0 Hub/Switch 50.5 66.25 11 2.5 5.5 1.25 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 11 0 11 2.5 0 2.5 0 0 Hub/Switch 39.5 72 14 2 7 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0.16666666666667 0 0 0 0 0 0 0 0 0 0 0 0 14 0 14 2 0 2 0 0 Firewall/Router 46.428571428571 81.571428571429 16 2 8 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 16 0 16 2 0 2 0 0 External Interface 50.285714285714 77.710004340278 16 0.27715153769842 8 0.13857576884921 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 16 0 16 0.27715153769842 0 0.27715153769842 0 0 Local Interface 10.10.10.254 28.535714285714 77.857142857143 12.5 2 6.25 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 12.5 0 12.5 2 0 2 0 0 DMZ Interface 
10.10.11.254 39.40078125 77.68125 11.1984375 7.3625 5.59921875 3.68125 0 0 0 0 0 0 0 0 0 0 11.753993055556 3.68125 1.1111111111111 2.4444444444444 0.55555555555556 1.2222222222222 0 5.59921875 3.68125 11.1984375 7.3625 5.59921875 3.68125 0 0 0 0 0 0 11.1984375 7.3625 0 0 0 0 0 0 5.59921875 -2.4444444444444 10.064019098222 2.4444444444444 5.0320095491111 1.2222222222222 0 1 1 0 1 1 11 39 1 0 0.33 10 0 10 1 10 2 10 3 10 4 10 5 10 6
[shorewall-docs-xml-5.2.3/images/network4.vdx: embedded Visio drawing, binary image data not recoverable.]
/AAD/AAAAAP///wAAAAAA/wAAAAD/AAD/AAD/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/A AAAAAAA/wAA/wAAAP///////////////wD///////////////////////8AAAAA/wAA/wAA/wAA/w AA/wAA/wAA/wAA/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAAAAAAAAAAAAAAAAA AAAAAAAAAAAAA/wAA/wAA/wAA/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAA/wAA /wAA/wAA/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/ wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAA/wAAAAD///8AAAAAAP8AAAAA/wAA/wAA/w AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wA A/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAAAP8AAP8AAAD///////////////8A//// ////////////////////AAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8AAP8AAP8AAP8AAAAAwM DAwMDAAP8AAAAAAAAAAAAAAAAAAAAAAAAAAP8AAP8AAP8AAP8AAP8AAAAAwMDAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAwMDAwMDAAP8AAAAAAP8AAAAAAAAAAAAA AAAAAP8AAAAA////AAAAAAD/AAAAAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP 8AAAAAAAD/AAD/AAAA////////////////AP///////////////////////wAAAAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AAD/AAD/AAD/AAAAAAAAAAAAAAAA AAAAAAAAAMDAwAAAAAAAAAD/AAD/AAD/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/A AD/AAD/AAD/AAD/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AA D/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/AAAAAP///wAAAAAA/wAAAAD/AAD/AAD /AAD/AAD/AAD/AAD/AAAAAP9YWP9YWP9YWP9YWP9YWP9YWAAAAAAAAAD/AAD/AAD/AAD/AAD/AAAA AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAAA/wAA/wAAAP///////////////wD// /////////////////////8AAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w AAAAAA/wAA/wAA/wAA/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAA/wAA/wAA/wA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAADAwMDAwMDAwMDA 
wMAAAAAAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAA/wAA/wAAAAD///8AAAAAAP8AAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAD/gID/gID/gID/gI D/bGz/WFj/OzsAAAAAAAAA/wAA/wAA/wAAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA A/wAAAAAAAP8AAP8AAAD///////////////8A////////////////////////AAAAAP8AAP8AAP8A AP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAP8AAP8AAP8AAP8AAAAAp6en/7a2/7a2/6+vwMDAAAAAAP8AAP8AAP 8AAP8AAP8AAP8AAP8AAP8AAAAA/7a2/7a2/7a2/6enAAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8 AAP8AAP8AAAAAp6en/6+v/6+v/6+vy8vLAAAAAP8AAP8AAP8AAAAA////AAAAAAD/AAAAAP8AAP8A AP8AAP8AAP8AAP8AAP8AAP8AAAAA/6en/5OT/4CA/2xs/1hY/zs7AAAAAAAAAP8AAP8AAAAAAAAAA P8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAD/AAD/AAAA////////////////AP ///////////////////////wAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD /AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD//wAAAAAAAAAAAAAAAAAAAAAAAAD/AAD/AAD/AAD/ AAAAAKenp//MzP/Fxf+vr8DAwAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAP/MzP/MzP+2t v+npwAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAKenp//MzP/Fxf+vr76+vgAAAA AAAAD/AAD/AAAAAP///wAAAAAA/wAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///wAAAAAAAAAAAAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/ AAD/AAAAAAAA/wAA/wAAAP///////////////wD///////////////////////8AAAAA/wAA/wAA/ wAA/wAA/wAA/wAA /wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA/wAA/wAA/wAA/wAAAAD+/v7/iooAAAAAAAAA/wAA/ wAA/wAA/wAA/wAA/wAA/wAA/wAAAACnp6f/2tr/xcX/r6/AwMAAAAAAAAAA/wAA/wAA/wAA/wAA/w AA/wAA/wAAAACsrKysrKysrKysrKwAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAC np6f/2tr/xcX/r6+srKwAAAAAAAAA/wAA/wAAAAD///8AAAAAAP8AAAAA/wAA/wAA/wAA/wAA/wAA /wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA/wAAAAAAAAAA/wAAAAD///////////////////8AAAAA/ wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAAAP8AAP8AAAD///////////////8A////////////// //////////AAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8 AAP8AAP8AAP8AAAAAAAAAAAAAAAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA P8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8AAP8AAA AA////AAAAAAD/AAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAAAA/// /AAAAAAAAAAAAAAAAAAAAAAAA////AAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAD/ AAD/AAAA////////////////AP///////////////////////wAAAAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAAAAAAAAAAAAAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD /AAD/AAD/AAD/AAAAAAAAAAAAAAAAAAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ AAAAAAAAAAAAAAAAAAAAAAAAAAD/AAD/AAD/AAAAAP///wAAAAAA/wAA/wAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAA/wAAAP///////////////wD//////////// ///////////8AAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA /wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAAAAAA/wAA/wAA/ wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA/wAA/w AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wA AAAD///8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD///////8A AAAAAAAAAP8AAP8AAP8AAAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AA P8AAP8AAAD///////////////8A////////////////////////AAAAAP8AAP8AAP8AAP8AAP8AAP 8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8 AAP8AAP8AAP8AAAAAAP8AAAAAAP8AAAAAAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8A AP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AA P8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAAAA////AAAAAAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAAA////AAAAAAAAAAAAAAD/AAD/AAAAAAAAAAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAA////////////////AP////////// /////////////wAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/A 
AD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/ AAAAAP///wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAAAAAA/ wAAAAAA/wAA/wAAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w AA/wAA/wAAAP///////////////wD///////////////////////8AAAAAAAAA/wAAAAAA/wAAAAA A/wAAAAAA/wAAAAAA/wAA/wAA/wAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA /wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/ wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w AA/wAA/wAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAAAAD///8AAAAAAP8AAP8AAP8AAP8AAP8AAP8 AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8AAAAAAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8A AP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD///////////////8A///////// ///////////////AAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAP8AAP8AAAAAAP 8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAAAAAAAAP8A AP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AA P8AAAAA////AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAAAAAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD /AAD/AAD/AAAA////////////////AP///////////////////////wAAAAD/AAD/AAD/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AAAAAObm5ubm 5ubm5ubm5gAAAObm5ubm5ubm5ubm5ubm5gAAAAD/AAD/AAD/AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AA AAAAD/AAD/AAD/AAD/AAD/AAD/AAAAAP///wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA A/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA /wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAP///////////////wD////////////////////// 
/8AAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA/wAA/wAA/w AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/wA A/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAAAAD///8AA AAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP 8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD ///////////////8A////////////////////////AAAAAP8AAP8AAAAAAP8AAAAAAP8AAAAAAP8A AP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AA P8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxtrbAAAAAP8AAP8AAP8AAP8 AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAAAA////AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ AAD/AAD/AAD/AAAAAAAAAAAAAAAAAAD/AAAAAAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAA////////////////AP//////////////////// ///wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/AAD/AAD/AAAAAAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/ AAD/AAD/AAAAAMba2wAAAAAAAAAAAAAAAMba2wAAAAAAAAAAAAAAAMba2wAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAMba25qamgAAAAD/AAD/AAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAAAAP///w AAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAP///////////////wAAAP///// //////wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA AP///////////////wD///////////////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDAwMDAwMDAwMDAwMDAwMD AwMDAwMDAwMCSkpLAwMDAwMDAwMDAwMBtbW3AwMDAwMDAwMDAwMDAwMAAAACampqampoAAAAA/wAA /wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAAAAD///8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AA P8AAP8AAAD///////////////////////////////////////8AAAAAAP8AAP8AAP8AAP8AAP8AAP 
8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD///////////////8A/////////////////// /////AAAAAP8AAP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8AAP8AAP8AAP8AAP8A AP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AA P8AAP8AAP8AAAAAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM DAwMDAwMDAwMDAwMDAAAAAmpqampqaAAAAAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAAAA/// /AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAAA//////////////////////////// ////////////////AAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AAA////////////////AP///////////////////////wAAAAD/AAD/AAD/AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJqampqamgAAAAD/A AD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAAAAP///wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w AAAP///////////////////////////////////////////////////////////wAAAAAA/wAA/wA A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAP///////////////wD///////////////// //////8AAAAA/wAA/wAA/wAA/wAAAAD/YmL/YmL/YmL/YmL/YmL/WFgAAAAAAAAA/wAA/wAA/wAA/ wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w AA/wAA/wAA/wAA/wAA/wAAAADm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5uYAAADm5ubm5ubm5ub m5ubm5ubm5ubm5ubm5ubm5ubm5uaampoAAAAA/wAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAAAAD/ //8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD///////////////8AAAD///8AAAD///8AA AD///8AAAD///////////////8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP 8AAAD///////////////8A////////////////////////AAAAAP8AAP8AAP8AAP8AAAAAAAAA/4m J/4mJ/4CA/2xs/1hY/zs7AAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8A AP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP8AAP8AAAAAAP8AA P8AAP8AAP8AAP8AAP8AAAAA////AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAA////////// 
//AAAA////AAAA////AAAA////AAAA////AAAA////////////AAAAAAD/AAD/AAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAAA////////////////AP///////////////////////wAAAAD/ AAD/AAD/AAD/AAD/AAAAAP+xsf+dnf+AgP9sbP9YWP87OwAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAAAAP///wAAAAAA/wAA /wAA/wAA/wAA/wAA/wAA/wAA/wAAAP/////////////////////////////////////////////// ////////////wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAP//////// ///////wD///////////////////////8AAAAA/wAA/wAA/wAA/wAA/wAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA /wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/ wAA/wAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/w AA/wAA/wAA/wAA/wAA/wAAAAD///8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD//////// ///////////////////////////////////////////////8AAAAAAP8AAP8AAP8AAP8AAP8AAP8A AP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD///////////////8A////////////////////////AAAAA P8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP 8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8 AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8A AP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAAAA////AAAAAAD/A AD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAAA////////////////////////////////////// //////AAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAA/////// /////////AP///////////////////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAP///wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA /wAAAP///////////////////////////////////wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/ wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAP///////////////wD/////////////////////////// ///////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////8AAAD////////////////////// /////////////////////////////////8AAAD///////////////////////////////8AAAAAAP 8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD///////////8AAAAAAAD///////////8 AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD///// //////////8A///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////AAAA////AA AA////AAAA////////////////////////////////////////////////////AAAA////AAAA/// /AAAA////AAAAAAAA////////////////////////////////////////AAAA////AAAA////AAAA ////////////////////////////////AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAA////////////////AP///////////////////////// ///////////////////////////////////////////////////////////////////////////// /////////////////////////////////wAAAP///wAAAP///wAAAP/////////////////////// ////////////////////////////wAAAP///wAAAP///wAAAP///wAAAP//////////////////// ///////////////wAAAP///wAAAP///wAAAAAAAP///////////////////////////////wAAAAA A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAA/wAA /wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAP/// ////////////wD/////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////8AAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///////////////////////////8AAAD///8AAAD/ 
//8AAAD///8AAAAAAAD///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAD///////////////8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AA P8AAP8AAAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP 8AAP8AAP8AAP8AAP8AAAD///////////////8A/////////////////////////////////////// /////////////////////////////////////////////////////////////////////////AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA///////////// ///////AAAA////AAAA////AAAA////AAAA////AAAA////////////////AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////////////AAAAAAD/AAD/AAD/AAD /AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAAAAAAAAAAAAAD/AAD/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAA////////////////A P//////////////////////////////////////////////////////////////////////////// ///////////////////////////////////wAAAMDAwMDAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAMD AwMDAwAAAAAAAAAAAAAAAAAAAAP///////////////////////////////////wAAAP////////// /////wAAAAAAAAAAAAAAAAAAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAAAAAAAA AAAAJqamgAAAP///////wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAAAAAA/wAAAA AA/wAAAAAAAAAAAAAAAAAAAAAA/wAAAAAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA A/wAA/wAA/wAA/wAA/wAAAP///////////////wD///////////////////////////////////// //////////////////////////////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ADAwMDAwMDAwMDAwMDAwMAAtgDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMAAAACampoAAAD/////// ////////////////////8AAADm5uYAAAD///////////////////////////8AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACampoAAAD///////8AAAAAAP8AAP8AAP8A AP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAAAAAP8AAAAAAAAAAAAAAAAAAAAAAP8AAAAAAP8AAAAAA P8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD/////////////// 8A/////////////////////////////////////////////////////////////////////////// /AAAA////////////////////////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAmpqaAAAA////////////////////////////AAAA5ubmzc3NAAAA/ ///////////////////////AAAA5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5u bm5ubmmpqaAAAA////////AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAAAAD/AAA AAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ AAD/AAD/AAD/AAD/AAD/AAAA////////////////AP/////////////////////////////////// ////////////////////////////////////////wAAAP//////////////////////////////// ///////wAAAObm5ubm5ubm5ubm5ubm5ubm5gAAAObm5ubm5ubm5ubm5ubm5ubm5ubm5gAAAP///// //////////////////////wAAAObm5s3Nzc3NzQAAAP///////////////////////wAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP///////wAAAAAA/wAA/wAA/ wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAAAAAA/wAAAAAAAAAAAAAA/wAAAAAA/wAAAA AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAP///////////// //wD///////////////////////////////////////////////////////////////////////// //8AAAD///////////////////////////////////////////8AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAD///////////////////////////////8AAADm5ubNzc3Nzc 3Nzc0AAAD///////////////////////////////////////////8AAAD//////////////////// ///////////////////////8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8A AAAAAAAAAAAAAAAAAAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AA P8AAP8AAP8AAP8AAP8AAP8AAAD///////////////8A////////////////////////////////// //////////////////////////////////////////AAAA/////////////////////////////// /////////////////////////////////////AAAA//////////////////////////////////// ////////////////////////AAAA5ubmzc3Nzc3Nzc3Nzc3NAAAA///////////////////////// ///////////////AAAA////////////////////////////////////////////AAAAAAD/AAD/AA D/AAD/AAD/AAD/AAAAAAAAAAAAAAAAAAAAAAAAzs7O1dXV3d3d5eXl4ODg2NjYAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAA//////////// ////AP/////////////////////////////////////////////////////////////////////// 
////wAAAP///////////////////////////////////////////////////////////////////w AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAObm5s3Nzc3 Nzc3Nzc3NzQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP////////////////// /////////////////////////wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAAAKenp66urre3t76+vsbGx ubm5ubm5ubm5ubm 5ubm5ubm5ubm5snJycDAwLm5ubGxsampqQAAAAAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/ wAA/wAA/wAAAP///////////////wD///////////////////////8AAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAD///8AAAD///8AAAD///8AAAD///8AAAD///8AAAD///8AAAD///8AAAD///8A AAD///8AAAAAAAAAAAAAAADNzc3Nzc3Nzc0AAAAAAAD///8AAAD///8AAAD///8AAAD///8AAAD// /8AAAD///8AAAD///////////////////////////////////8AAAAAAP8AAP8AAP8AAP8AAP8AAP 8AAACampqampq3t7e+vr7GxsYA/wDV1dUA/wAA/wAA/wDY2NgA/wDJycnAwMC5ubmxsbGampoAAAC ampoAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD///////////////8A//////// ////////////////AAAAAMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AAAAAMz/A Mz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AAAA////////////////////// //////////////////////////////////////////////////AAAAAAAAAAAAAAAAzc3Nzc3NAAA A////AAAA////AAAA////AAAA////AAAA////AAAA////AAAA////AAAA//////////////////// ////////////AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAAAAAAAAAAAt7e3vr6+xsbGAP8AAAAAAP8AA P8AAP8AAP8AAP8AAAAAwMDAubm5sbGxqampAAAAZmZmAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AA D/AAD/AAD/AAAA////////////////AP///////////////////////wAAAADM/wDM/wDM/wAAAAD M/wAAAADM/wAAAADM/wAAAADM/wAAAAAAAAAAAADM/wAAAADM/wAAAADM/wAAAADM/wDM/wDM/wDM /wDM/wDM/wDM/wAAAP/////////////////////////////////////////////////////////// ////////////////wAAAObm5gAAAAAAAM3NzQAAAP//////////////////////////////////// ///////////////////////////////////////////////////wAAAAAA/wAA/wAA/wAA/wAA/wA A/wAAAAAAAAAAAAAAAAAAAAAAAObm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5gAAAAAAAAAAAAAAAAAA AJqamgAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAP///////////////wD////// 
/////////////////8AAAAAzP8AzP8AzP8AzP8AAAAAzP8AAAAAzP8AAAAAzP8AAAAAzP8AAAAAzP 8AAAAAzP8AAAAAzP8AAAAAzP8AAAAAzP8AzP8AzP8AzP8AzP8AzP8AAAD//////////////////// ///////////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADm5uYAAAAAAAAA AAD////////////////////////////////////////////////////////////////////////// /////////////8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAADm5ubm5ubm5ubm5ubm5ubm5ubm5u bm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5uYAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8 AAP8AAP8AAP8AAAD///////////////8A////////////////////////AAAAAMz/AMz/AMz/AMz/ AMz/AMz/AMz/AAAAAMz/AAAAAMz/AAAAAAAAAAAAAMz/AAAAAMz/AAAAAMz/AMz/AMz/AMz/AMz/A Mz/AMz/AMz/AMz/AAAA////////////////////////////////////AAAA////////////////// //////////////////////AAAAAAAA5ubmAAAAAAAA/////////////////////////////////// /////////////////////////////////////////////////////AAAAAAD/AAD/AAD/AAD/AAD/ AAD/AAD/AAD/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAAA////////////////AP//// ///////////////////wAAAADM/wDM/wDM/wDM/wDM/wDM/wAAAADM/wAAAADM/wAAAADM/wAAAAD M/wAAAADM/wAAAADM/wDM/wDM/wDM/wDM/wDM/wDM/wDM/wDM/wDM/wAAAP////////////////// /////////////////wAAAP///////////////////////////////////////wAAAP///wAAAAAAA AAAAP//////////////////////////////////////////////////////////////////////// ///////////////wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wA A/wAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA /wAA/wAA/wAA/wAAAP///////////////wD///////////////////////8AAAAAzP8AzP8AzP8Az P8AzP8AzP8AzP8AzP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAzP8AzP8AzP8AzP8AzP8AzP8AzP 8AzP8AzP8AzP8AzP8AAAD///////////////////////////////////8AAAD//////////////// ///////////////////////8AAAD///////////////////////////////////////////////// //////////////////////////////////////////////////////8AAAAAAP8AAP8AAP8AAP8AA P8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP 
8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAD///////////////8A/// /////////////////////AAAAAMz/AMz/AMz/AMz/AMz/AMz/AMz/AAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AMz/AAAA///////////////// ///////////////////AAAA////////////////////////////////////////AAAA////////// //AAAA////AAAA////AAAA////AAAA////AAAA////AAAA////AAAA////AAAA/////////////// /////////////////AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/ AAD/AAAAAAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/AAD/A AD/AAD/AAD/AAD/ AAAA////////////////AP///////////////////////wAAAADM/wDM/wDM/wDM/wDM/wDM/wDM/ wAAAMDAwIeHh52dncDAwMDAwKmpqZKSksDAwAAAAAAAAADM/wDM/wDM/wDM/wDM/wDM/wDM/wDM/w DM/wAAAP///////////////////////////////////wAAAP///////////////////////////// //////////wAAAP///////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP// /wAAAP///////////////////////////////////wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/ wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAAAAAA/wAAAAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAP///////////////wD//////////////// ///////8AAAAAzP8AzP8AzP8AzP8AzP8AzP8AzP8AAADAwMCHh4ednZ3AwMDAwMCpqamSkpLAwMAA AACampoAAAAAzP8AzP8AzP8AzP8AzP8AzP8AzP8AzP8AAAD////////////////////////////// /////8AAAD///////////////////////////////////////8AAAD/////////////////////// ///////////////////////////////////////////////////////////////////////////// ///8AAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAAAAAAAA AAAAAAAAAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AAP8AA P8AAAD///////////////8A////////////////////////AAAAAMz/AMz/AMz/AMz/AMz/AMz/AM z/AAAAwMDAh4eHnZ2dwMDAwMDAwMDAwMDAwMDAAAAAmpqampqaAAAAAMz/AMz/AMz/AMz/AMz/AMz /AMz/AAAA////////////////////////////////////AAAA//////////////////////////// ////////////AAAA////////AAAA////AAAA////AAAA////AAAA////AAAA////AAAA////AAAA/ ///AAAA////////////////////////////////////AAAAAAD/AAD/AAD/AAD/AAD/AAD/AAD/AA 
.055555555555555550.055555555555555550.055555555555555550.05555555555555555000.500400010.1388888888888889000000000000-11033000-1.2001000-10000100.055555555555555550.055555555555555550.055555555555555550.05555555555555555100.5002300010.1388888888888889000000000000-11033000-1.2001000-10000100.055555555555555550.055555555555555550.055555555555555550.05555555555555555000.5002300010.1388888888888889000000000000-11033000-1.2001000-10000100.055555555555555550.055555555555555550.055555555555555550.05555555555555555000.5002300010.1388888888888889000000000000-11033000-1.2000000-1000.00333333333333333301020002011100.055555555555555550.055555555555555550.055555555555555550.05555555555555555120.500400010.11111111111111000000000000-110330.003333333333333301020002011100.055555555555555550.055555555555555550.055555555555555550.05555555555555555100.500400010.1111111111111111000000000000-11033000-1.2001000-1000.010102000200110100000000011111400010.1666666666666667000000000000-110330.010102000201010100000000011110400010.1111111111111111000000000000-11033000-1.2001000-1000.010102000201010100000000011111400010.1666666666666667000000000000-110331815101000000000111100.0033333333333333010200020141510100000000011110400010.1111111111111111000000000000-11033000-1.2001000-100151101000000000111100.0033333333333333310200120315101000000000111100.0101020002001101000000000100100.027777777777777780.027777777777777780.027777777777777780.02777777777777778100.500400010.1111111111111111000000000000-11033000-1.2001000-1000.0016666666666666670102000201518101000000000111102014101000000000111100.00333333333333330002000201#8a8aff3101000000000111102000121033Visio Network Solutions
http://officupdate.com/visio/
000