shorewall_code/Shorewall/manpages/shorewall-conntrack.xml

513 lines
19 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-conntrack</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>conntrack</refname>
<refpurpose>shorewall conntrack file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/conntrack</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The original intent of the <emphasis role="bold">notrack</emphasis>
file was to exempt certain traffic from Netfilter connection tracking.
Traffic matching entries in the file were not to be tracked.</para>
<para>The role of the file was expanded in Shorewall 4.4.27 to include all
rules that can be added in the Netfilter <emphasis
role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
<emphasis role="bold">conntrack</emphasis>.</para>
<para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
and FORMAT 3, FORMAT 1 being the default. The three differ as
follows:</para>
<itemizedlist>
<listitem>
<para>in FORMAT 2 and 3, there is an additional leading ACTION
column.</para>
</listitem>
<listitem>
<para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
ACTION column allows a SUFFIX that determines the chain(s) that the
generated rule will be added to.</para>
</listitem>
</itemizedlist>
<para>When an entry in the following form is encountered, the format of
the following entries are assumed to be of the specified
<replaceable>format</replaceable>.</para>
<simplelist>
<member><emphasis role="bold">FORMAT</emphasis>
<replaceable>format</replaceable></member>
</simplelist>
<para>where <replaceable>format</replaceable> is either <emphasis
role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
role="bold">3</emphasis>.</para>
<para>Format 3 was introduced in Shorewall 4.5.10.</para>
<para>Comments may be attached to Netfilter rules generated from entries
in this file through the use of COMMENT lines. These lines begin with the
word COMMENT; the remainder of the line is treated as a comment which is
attached to subsequent rules until another COMMENT line is found or until
the end of the file is reached. To stop adding comments to rules, use a
line with only the word COMMENT.</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION</emphasis> - {<emphasis
role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:notrack</emphasis>}[:<replaceable>chain-designator</replaceable>]</term>
<listitem>
<para>This column is only present when FORMAT = 2. Values other than
NOTRACK or DROP require <firstterm>CT Target </firstterm>support in
your iptables and kernel.</para>
<itemizedlist>
<listitem>
<para><option>NOTRACK</option> or
<option>CT:notrack</option></para>
<para>Disables connection tracking for this packet.</para>
</listitem>
<listitem>
<para><option>DROP</option></para>
<para>Added in Shorewall 4.5.10. Silently discard the
packet.</para>
</listitem>
<listitem>
<para><option>helper</option>:<replaceable>name</replaceable></para>
<para>Attach the helper identified by the
<replaceable>name</replaceable> to this connection. This is more
flexible than loading the conntrack helper with preset
ports.</para>
<para>At this writing, the available helpers are:</para>
<variablelist>
<varlistentry>
<term>amanda</term>
<listitem>
<para>Requires that the amanda netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ftp</term>
<listitem>
<para>Requires that the FTP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>irc</term>
<listitem>
<para>Requires that the IRC netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>netbios-ns</term>
<listitem>
<para>Requires that the netbios_ns (sic) helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RAS and Q.931</term>
<listitem>
<para>These require that the H323 netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pptp</term>
<listitem>
<para>Requires that the pptp netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term/>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry>
<term>sane</term>
<listitem>
<para>Requires that the SANE netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>sip</term>
<listitem>
<para>Requires that the SIP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>snmp</term>
<listitem>
<para>Requires that the SNMP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>tftp</term>
<listitem>
<para>Requires that the TFTP netfilter helper is
present.</para>
</listitem>
</varlistentry>
</variablelist>
<para>May be followed by an option list of
<replaceable>arg</replaceable>=<replaceable>val</replaceable>
pairs in parentheses:</para>
<itemizedlist>
<listitem>
<para><option>ctevents</option>=<replaceable>event</replaceable>[,...]</para>
<para>Only generate the specified conntrack events for this
connection. Possible event types are: <emphasis
role="bold">new</emphasis>, <emphasis
role="bold">related</emphasis>, <emphasis
role="bold">destroy</emphasis>, <emphasis
role="bold">reply</emphasis>, <emphasis
role="bold">assured</emphasis>, <emphasis
role="bold">protoinfo</emphasis>, <emphasis
role="bold">helper</emphasis>, <emphasis
role="bold">mark</emphasis> (this is connection mark, not
packet mark), <emphasis role="bold">natseqinfo</emphasis>,
and <emphasis role="bold">secmark</emphasis>. If more than
one <emphasis>event</emphasis> is listed, the
<replaceable>event</replaceable> list must be enclosed in
parentheses (e.g., ctevents=(new,related)).</para>
</listitem>
<listitem>
<para><option>expevents</option><option>=new</option></para>
<para>Only generate a <emphasis role="bold">new</emphasis>
expectation events for this connection.</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<para>When FORMAT = 1, this column is not present and the rule is
processed as if NOTRACK had been entered in this column.</para>
<para>Beginning with Shoreall 4.5.10, when FORMAT = 3, this column
can end with a colon followed by a
<replaceable>chain-designator</replaceable>. The
<replaceable>chain-designator</replaceable> can be one of the
following:</para>
<variablelist>
<varlistentry>
<term>P</term>
<listitem>
<para>The rule is added to the raw table PREROUTING chain.
This is the default if no
<replaceable>chain-designator</replaceable> is present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>O</term>
<listitem>
<para>The rule is added to the raw table OUTPUT chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PO or OP</term>
<listitem>
<para>The rule is added to the raw table PREROUTING and OUTPUT
chains.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE (formats 1 and 2)
{<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>
<listitem>
<para>where <replaceable>zone</replaceable> is the name of a zone,
<replaceable>interface</replaceable> is an interface to that zone,
and <replaceable>address-list</replaceable> is a comma-separated
list of addresses (may contain exclusion - see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)).</para>
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
used as the <replaceable>zone</replaceable> name to mean
<firstterm>all zones</firstterm>.</para>
<para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
used as the <replaceable>zone</replaceable> name to mean all
<firstterm>off-firewall zone</firstterm>s.</para>
<note>
<para>In 4.5.10, handling of <option>all</option> was changed.
<option>all</option> now causes the generated netfilter rule to be
appended to the raw table PREROUTING and OUTPUT chains directly.
<option>all-</option> rules are added directly to PREROUTING.
<option>all</option> and <option>all-</option> rules are processed
after the more specific rules that specify an individual
zone.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE (formats 3)
{-|[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>}</term>
<listitem>
<para>Where <replaceable>interface</replaceable> is an interface to
that zone, and <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)).</para>
<para>COMMENT is only allowed in format 1; the remainder of the line
is treated as a comment that will be associated with the generated
rule(s).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DEST
[<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
<listitem>
<para>where <replaceable>interface</replaceable> is the name of a
network interface and <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
(5)). If an interface is given:</para>
<itemizedlist>
<listitem>
<para>It must be up and configured with an IPv4 address when
Shorewall is started or restarted.</para>
</listitem>
<listitem>
<para>All routes out of the interface must be configured when
Shorewall is started or restarted.</para>
</listitem>
<listitem>
<para>Default routes out of the interface will result in a
warning message and will be ignored.</para>
</listitem>
</itemizedlist>
<para>These restrictions are because Netfilter doesn't support
NOTRACK rules that specify a destination interface (these rules are
applied before packets are routed and hence the destination
interface is unknown). Shorewall uses the routes out of the
interface to replace the interface with an address list
corresponding to the networks routed out of the named
interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PROTO
<replaceable>protocol-name-or-number</replaceable></term>
<listitem>
<para>A protocol name from <filename>/etc/protocols</filename> or a
protocol number.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DEST PORT(S) (dport) - port-number/service-name-list</term>
<listitem>
<para>A comma-separated list of port numbers and/or service names
from <filename>/etc/services</filename>. May also include port
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
<listitem>
<para>A comma-separated list of port numbers and/or service names
from <filename>/etc/services</filename>. May also include port
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>USER/GROUP (user)
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
<listitem>
<para>May only be specified if the SOURCE
<replaceable>zone</replaceable> is $FW. Specifies the effective user
id and or group id of the process sending the traffic.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable></emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.10 and allows enabling and disabling
the rule without requiring <command>shorewall
restart</command>.</para>
<para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0. <replaceable>switch-name</replaceable> must
begin with a letter and be composed of letters, decimal digits,
underscores or hyphens. Switch names must be 30 characters or less
in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall
restart</command>.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>Example 1:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
<para>Example 2 (Shorewall 4.5.10 or later):</para>
<para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
DROP all-:1.2.3.4 -
DROP all 1.2.3.4</programlisting>
<para>or<programlisting>FORMAT 3
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
# PORT(S) PORT(S)
DROP:P 1.2.3.4 -
DROP:PO - 1.2.3.4
</programlisting></para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/notrack</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>