Use 4.2 syntax for parameterized Macros.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9693 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-03-15 20:46:56 +00:00
parent 6892bfbf5d
commit 00b7025467
15 changed files with 131 additions and 141 deletions

View File

@ -345,15 +345,15 @@ all all REJECT info</programlisting>
# #
# Accept DNS connections from the firewall to the network # Accept DNS connections from the firewall to the network
# #
DNS/ACCEPT $FW net DNS(ACCEPT) $FW net
# #
# Accept SSH connections from the local network for administration # Accept SSH connections from the local network for administration
# #
SSH/ACCEPT loc $FW SSH(ACCEPT) loc $FW
# #
# Allow Ping everywhere # Allow Ping everywhere
# #
Ping/ACCEPT all all Ping(ACCEPT) all all
# #
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -850,7 +850,7 @@ to debug/develop the newnat interface.</programlisting></para>
invokes the <emphasis role="bold">Auth</emphasis> macro (defined in invokes the <emphasis role="bold">Auth</emphasis> macro (defined in
<filename>/usr/share/shorewall/macro.Auth</filename>) specifying the <filename>/usr/share/shorewall/macro.Auth</filename>) specifying the
<emphasis role="bold">REJECT</emphasis> action (i.e., <emphasis <emphasis role="bold">REJECT</emphasis> action (i.e., <emphasis
role="bold">Auth/REJECT</emphasis>). This is necessary to prevent role="bold">Auth(REJECT)</emphasis>). This is necessary to prevent
outgoing connection problems to services that use the outgoing connection problems to services that use the
<quote>Auth</quote> mechanism for identifying requesting users. That is <quote>Auth</quote> mechanism for identifying requesting users. That is
the only service which the default setup rejects.</para> the only service which the default setup rejects.</para>

View File

@ -405,13 +405,13 @@ DNAT ACTION =
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION # PORT(S) PORT(S) DESTINATION
FTP/DNAT net loc:192.168.1.5</programlisting> FTP(DNAT) net loc:192.168.1.5</programlisting>
</example><example id="Example4"> </example><example id="Example4">
<title>Allow your DMZ FTP access to the Internet</title> <title>Allow your DMZ FTP access to the Internet</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION # PORT(S) PORT(S) DESTINATION
FTP/ACCEPT dmz net</programlisting> FTP(ACCEPT) dmz net</programlisting>
</example></para> </example></para>
<para>Note that the FTP connection tracking in the kernel cannot handle <para>Note that the FTP connection tracking in the kernel cannot handle

View File

@ -804,15 +804,15 @@ all all REJECT info
# PORT(S) PORT(S) # PORT(S) PORT(S)
SECTION ESTABLISHED SECTION ESTABLISHED
# Prevent IPSEC bypass by hosts behind a NAT gateway # Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP/REJECT net $FW L2TP/(REJECT) net $FW
REJECT $FW net udp - 1701 REJECT $FW net udp - 1701
# l2tp over the IPsec VPN # l2tp over the IPsec VPN
ACCEPT vpn $FW udp 1701 ACCEPT vpn $FW udp 1701
# webserver that can only be accessed internally # webserver that can only be accessed internally
HTTP/ACCEPT loc $FW HTTP(ACCEPT) loc $FW
HTTP/ACCEPT l2tp $FW HTTP(ACCEPT) l2tp $FW
HTTPS/ACCEPT loc $FW HTTPS(ACCEPT) loc $FW
HTTPS/ACCEPT l2tp $FW HTTPS(ACCEPT) l2tp $FW
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>

View File

@ -114,7 +114,7 @@ PARAM - - tcp 135,139,445
<para>When invoking a parameterized macro, you follow the name of the <para>When invoking a parameterized macro, you follow the name of the
macro with the action that you want to substitute for PARAM enclosed in macro with the action that you want to substitute for PARAM enclosed in
parentheses. </para> parentheses.</para>
<para>Example:</para> <para>Example:</para>
@ -160,7 +160,7 @@ PARAM - loc tcp 25</programlisting>
<para>/etc/shorewall/rules (Shorewall 4.0):</para> <para>/etc/shorewall/rules (Shorewall 4.0):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SMTP/DNAT:info net 192.168.1.5</programlisting> SMTP(DNAT):info net 192.168.1.5</programlisting>
<para>/etc/shorewall/rules (Shorewall 4.2.0 and later):</para> <para>/etc/shorewall/rules (Shorewall 4.2.0 and later):</para>
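Review bot: the example still labelled `/etc/shorewall/rules (Shorewall 4.0):` now shows `SMTP(DNAT):info net 192.168.1.5`, which is the 4.2 parenthesized spelling, immediately before the paragraph that introduces the `Shorewall 4.2.0 and later` variant. If the 4.0 example is kept as a contrast it should keep the 4.0 spelling `SMTP/DNAT:info net 192.168.1.5`; if not, drop it and relabel the paragraph plainly as `/etc/shorewall/rules`, as the next two hunks in this file do.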
@ -182,12 +182,7 @@ DNAT:info net loc:192.168.1.5 tcp 25</programlisting>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
PARAM - 192.168.1.5 tcp 25</programlisting> PARAM - 192.168.1.5 tcp 25</programlisting>
<para>/etc/shorewall/rules (Shorewall 4.0)</para> <para>/etc/shorewall/rules</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SMTP/DNAT:info net loc</programlisting>
<para>/etc/shorewall/rules (Shorewall 4.2.0 and later)</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SMTP(DNAT):info net loc</programlisting> SMTP(DNAT):info net loc</programlisting>
@ -222,12 +217,7 @@ PARAM DEST SOURCE udp 1024: 137
PARAM DEST SOURCE tcp 135,139,445 PARAM DEST SOURCE tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>/etc/shorewall/rules (Shorewall 4.0):</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SMBBI/ACCEPT loc fw</programlisting>
<para>/etc/shorewall/rules (Shorewall 4.2.0 and later):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SMBBI(ACCEPT) loc fw</programlisting> SMBBI(ACCEPT) loc fw</programlisting>

View File

@ -436,9 +436,9 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
exception that I've added a fourth interface for our wireless network. exception that I've added a fourth interface for our wireless network.
The firewall runs a routed <ulink url="OPENVPN.html">OpenVPN The firewall runs a routed <ulink url="OPENVPN.html">OpenVPN
server</ulink> to provide road warrior access for our three laptops and a server</ulink> to provide road warrior access for our three laptops and
bridged OpenVPN server for the wireless network in our home. Here is the a bridged OpenVPN server for the wireless network in our home. Here is
firewall's view of the network:</para> the firewall's view of the network:</para>
<graphic align="center" fileref="images/network4a.png" /> <graphic align="center" fileref="images/network4a.png" />
@ -692,20 +692,20 @@ REDIRECT- loc 3128 tcp
# #
ACCEPT vpn fw tcp ssh,time,631,8080 ACCEPT vpn fw tcp ssh,time,631,8080
ACCEPT vpn fw udp 161,ntp,631 ACCEPT vpn fw udp 161,ntp,631
Ping/ACCEPT vpn fw Ping(ACCEPT) vpn fw
############################################################################################################################################################################### ###############################################################################################################################################################################
# Road Warriors to DMZ # Road Warriors to DMZ
# #
ACCEPT vpn dmz udp domain ACCEPT vpn dmz udp domain
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 - ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
Ping/ACCEPT vpn dmz Ping(ACCEPT) vpn dmz
############################################################################################################################################################################### ###############################################################################################################################################################################
# Local network to DMZ # Local network to DMZ
# #
ACCEPT loc dmz udp domain ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https - ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
ACCEPT loc dmz tcp smtp ACCEPT loc dmz tcp smtp
Trcrt/ACCEPT loc dmz Trcrt(ACCEPT) loc dmz
############################################################################################################################################################################### ###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets # Internet to ALL -- drop NewNotSyn packets
# #
@ -723,7 +723,7 @@ ACCEPT net dmz udp
Mirrors net dmz tcp rsync Mirrors net dmz tcp rsync
Limit:$LOG:SSHA,3,60\ Limit:$LOG:SSHA,3,60\
net dmz tcp 22 net dmz tcp 22
Trcrt/ACCEPT net dmz Trcrt(ACCEPT) net dmz
############################################################################################################################################################################## ##############################################################################################################################################################################
# #
# Net to Local # Net to Local
@ -768,7 +768,7 @@ ACCEPT net loc:192.168.1.6 tcp
# #
# Traceroute # Traceroute
# #
Trcrt/ACCEPT net loc:192.168.1.3 Trcrt(ACCEPT) net loc:192.168.1.3
# #
# Silently Handle common probes # Silently Handle common probes
# #
@ -780,7 +780,7 @@ DROP net loc icmp
ACCEPT dmz net udp domain,ntp ACCEPT dmz net udp domain,ntp
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080 ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT dmz net:$POPSERVERS tcp pop3 ACCEPT dmz net:$POPSERVERS tcp pop3
Ping/ACCEPT dmz net Ping(ACCEPT) dmz net
# #
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking # Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases # code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
@ -792,13 +792,13 @@ ACCEPT:$LOG dmz net tcp
# #
ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt/ACCEPT loc dmz Trcrt(ACCEPT) loc dmz
############################################################################################################################################################################### ###############################################################################################################################################################################
# DMZ to Local # DMZ to Local
# #
ACCEPT dmz loc:192.168.1.5 udp 123 ACCEPT dmz loc:192.168.1.5 udp 123
ACCEPT dmz loc:192.168.1.5 tcp 21 ACCEPT dmz loc:192.168.1.5 tcp 21
Ping/ACCEPT dmz loc Ping(ACCEPT) dmz loc
############################################################################################################################################################################### ###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth # DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
@ -815,7 +815,7 @@ ACCEPT net loc:192.168.1.6 tcp
# #
# Traceroute # Traceroute
# #
Trcrt/ACCEPT net loc:192.168.1.3 Trcrt(ACCEPT) net loc:192.168.1.3
# #
# Silently Handle common probes # Silently Handle common probes
# #
@ -827,7 +827,7 @@ DROP net loc icmp
ACCEPT dmz net udp domain,ntp ACCEPT dmz net udp domain,ntp
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080 ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT dmz net:$POPSERVERS tcp pop3 ACCEPT dmz net:$POPSERVERS tcp pop3
Ping/ACCEPT dmz net Ping(ACCEPT) dmz net
# #
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking # Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases # code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
@ -839,26 +839,26 @@ ACCEPT:$LOG dmz net tcp
# #
ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt/ACCEPT loc dmz Trcrt(ACCEPT) loc dmz
############################################################################################################################################################################### ###############################################################################################################################################################################
# DMZ to Local # DMZ to Local
# #
ACCEPT dmz loc:192.168.1.5 udp 123 ACCEPT dmz loc:192.168.1.5 udp 123
ACCEPT dmz loc:192.168.1.5 tcp 21 ACCEPT dmz loc:192.168.1.5 tcp 21
Ping/ACCEPT dmz loc Ping(ACCEPT) dmz loc
############################################################################################################################################################################### ###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth # DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
# #
ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt/ACCEPT loc dmz Trcrt(ACCEPT) loc dmz
############################################################################################################################################################################### ###############################################################################################################################################################################
# DMZ to Local # DMZ to Local
# #
ACCEPT dmz loc:192.168.1.5 udp 123 ACCEPT dmz loc:192.168.1.5 udp 123
ACCEPT dmz loc:192.168.1.5 tcp 21 ACCEPT dmz loc:192.168.1.5 tcp 21
Ping/ACCEPT dmz loc Ping(ACCEPT) dmz loc
############################################################################################################################################################################### ###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth # DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
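Review bot: the context in this hunk shows the `Local network to DMZ` / `DMZ to Local` / `DMZ to Firewall -- ntp & snmp, Silently reject Auth` block three times in a row (the `Trcrt(ACCEPT) loc dmz` ... `Ping(ACCEPT) dmz loc` sequence repeats verbatim), and the same `Traceroute` and `DMZ to Local` sections also appear in the earlier `@ -768` and `@ -792` hunks of this file. That looks like an accidental paste duplication in the sample rules file rather than intended content; since this commit touches every copy, it would be a good moment to collapse them to one.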
@ -866,7 +866,7 @@ Ping/ACCEPT dmz loc
ACCEPT dmz fw tcp 161,ssh ACCEPT dmz fw tcp 161,ssh
ACCEPT dmz fw udp 161,ntp ACCEPT dmz fw udp 161,ntp
REJECT dmz fw tcp auth REJECT dmz fw tcp auth
Ping/ACCEPT dmz fw Ping(ACCEPT) dmz fw
############################################################################################################################################################################### ###############################################################################################################################################################################
# Internet to Firewall # Internet to Firewall
# #
@ -878,7 +878,7 @@ ACCEPT net fw tcp
ACCEPT net:$OMAK fw tcp 22 ACCEPT net:$OMAK fw tcp 22
Limit:$LOG:SSHA,3,60\ Limit:$LOG:SSHA,3,60\
net fw tcp 22 net fw tcp 22
Trcrt/ACCEPT net fw Trcrt(ACCEPT) net fw
# #
# Bittorrent # Bittorrent
# #
@ -890,7 +890,7 @@ ACCEPT net fw udp
ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465 ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465
ACCEPT fw dmz udp domain ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139 REJECT fw dmz udp 137:139
Ping/ACCEPT fw dmz Ping(ACCEPT) fw dmz
############################################################################################################################################################################## ##############################################################################################################################################################################
# Avoid logging Freenode.net probes # Avoid logging Freenode.net probes
# #

View File

@ -686,27 +686,27 @@ ACCEPT loc fw tcp
ACCEPT loc fw udp 161,ntp,631 ACCEPT loc fw udp 161,ntp,631
ACCEPT loc:192.168.1.5 fw udp 111 ACCEPT loc:192.168.1.5 fw udp 111
DROP loc fw tcp 3185 #SUSE Meta pppd DROP loc fw tcp 3185 #SUSE Meta pppd
Ping/ACCEPT loc fw Ping(ACCEPT) loc fw
REDIRECT loc 3128 tcp 80 - !206.124.146.177 REDIRECT loc 3128 tcp 80 - !206.124.146.177
############################################################################################################################################################################### ###############################################################################################################################################################################
# Road Warriors to Firewall # Road Warriors to Firewall
# #
ACCEPT vpn fw tcp ssh,time,631,8080 ACCEPT vpn fw tcp ssh,time,631,8080
ACCEPT vpn fw udp 161,ntp,631 ACCEPT vpn fw udp 161,ntp,631
Ping/ACCEPT vpn fw Ping(ACCEPT) vpn fw
############################################################################################################################################################################### ###############################################################################################################################################################################
# Road Warriors to DMZ # Road Warriors to DMZ
# #
ACCEPT vpn dmz udp domain ACCEPT vpn dmz udp domain
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 - ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
Ping/ACCEPT vpn dmz Ping(ACCEPT) vpn dmz
############################################################################################################################################################################### ###############################################################################################################################################################################
# Local network to DMZ # Local network to DMZ
# #
ACCEPT loc dmz udp domain ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https - ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
ACCEPT loc dmz tcp smtp ACCEPT loc dmz tcp smtp
Trcrt/ACCEPT loc dmz Trcrt(ACCEPT) loc dmz
############################################################################################################################################################################### ###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets # Internet to ALL -- drop NewNotSyn packets
# #
@ -723,7 +723,7 @@ ACCEPT net dmz udp
Mirrors net dmz tcp rsync Mirrors net dmz tcp rsync
Limit:$LOG:SSHA,3,60\ Limit:$LOG:SSHA,3,60\
net dmz tcp 22 net dmz tcp 22
Trcrt/ACCEPT net dmz Trcrt(ACCEPT) net dmz
############################################################################################################################################################################## ##############################################################################################################################################################################
# #
# Net to Local # Net to Local
@ -755,7 +755,7 @@ ACCEPT net loc:192.168.1.6 tcp
# #
# Traceroute # Traceroute
# #
Trcrt/ACCEPT net loc:192.168.1.3 Trcrt(ACCEPT) net loc:192.168.1.3
# #
# Silently Handle common probes # Silently Handle common probes
# #
@ -767,7 +767,7 @@ DROP net loc icmp
ACCEPT dmz net udp domain,ntp ACCEPT dmz net udp domain,ntp
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080 ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT dmz net:$POPSERVERS tcp pop3 ACCEPT dmz net:$POPSERVERS tcp pop3
Ping/ACCEPT dmz net Ping(ACCEPT) dmz net
# #
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking # Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases # code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
@ -779,13 +779,13 @@ ACCEPT:$LOG dmz net tcp
# #
ACCEPT loc dmz udp domain,xdmcp ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt/ACCEPT loc dmz Trcrt(ACCEPT) loc dmz
############################################################################################################################################################################### ###############################################################################################################################################################################
# DMZ to Local # DMZ to Local
# #
ACCEPT dmz loc:192.168.1.5 udp 123 ACCEPT dmz loc:192.168.1.5 udp 123
ACCEPT dmz loc:192.168.1.5 tcp 21 ACCEPT dmz loc:192.168.1.5 tcp 21
Ping/ACCEPT dmz loc Ping(ACCEPT) dmz loc
############################################################################################################################################################################### ###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth # DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
@ -793,7 +793,7 @@ Ping/ACCEPT dmz loc
ACCEPT dmz fw tcp 161,ssh ACCEPT dmz fw tcp 161,ssh
ACCEPT dmz fw udp 161 ACCEPT dmz fw udp 161
REJECT dmz fw tcp auth REJECT dmz fw tcp auth
Ping/ACCEPT dmz fw Ping(ACCEPT) dmz fw
############################################################################################################################################################################### ###############################################################################################################################################################################
# Internet to Firewall # Internet to Firewall
# #
@ -805,14 +805,14 @@ ACCEPT net fw tcp
ACCEPT net:$OMAK fw tcp 22 ACCEPT net:$OMAK fw tcp 22
Limit:$LOG:SSHA,3,60\ Limit:$LOG:SSHA,3,60\
net fw tcp 22 net fw tcp 22
Trcrt/ACCEPT net fw Trcrt(ACCEPT) net fw
############################################################################################################################################################################### ###############################################################################################################################################################################
# Firewall to DMZ # Firewall to DMZ
# #
ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465 ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465
ACCEPT fw dmz udp domain ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139 REJECT fw dmz udp 137:139
Ping/ACCEPT fw dmz Ping(ACCEPT) fw dmz
############################################################################################################################################################################## ##############################################################################################################################################################################
# Avoid logging Freenode.net probes # Avoid logging Freenode.net probes
# #

View File

@ -720,7 +720,7 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.2
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
POP/ACCEPT loc net:pop.gmail.com</programlisting> POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<para>If your firewall rules include DNS names then:</para> <para>If your firewall rules include DNS names then:</para>

View File

@ -56,7 +56,7 @@
<filename>/etc/shorewall/rules</filename> of the form:</para> <filename>/etc/shorewall/rules</filename> of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/ACCEPT z1 z2</programlisting> Ping(ACCEPT) z1 z2</programlisting>
<example id="Example1"> <example id="Example1">
<title>Ping from local zone to firewall</title> <title>Ping from local zone to firewall</title>
@ -64,7 +64,7 @@ Ping/ACCEPT z1 z2</programlisting>
<para>To permit ping from the local zone to the firewall:</para> <para>To permit ping from the local zone to the firewall:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/ACCEPT loc $FW</programlisting> Ping(ACCEPT) loc $FW</programlisting>
</example> </example>
<para>If you would like to accept <quote>ping</quote> by default even when <para>If you would like to accept <quote>ping</quote> by default even when
@ -74,13 +74,13 @@ Ping/ACCEPT loc $FW</programlisting>
<filename class="directory">/etc/shorewall</filename> and simply add this <filename class="directory">/etc/shorewall</filename> and simply add this
line to the copy:</para> line to the copy:</para>
<programlisting>Ping/ACCEPT</programlisting> <programlisting>Ping(ACCEPT)</programlisting>
<para>With that rule in place, if you want to ignore <quote>ping</quote> <para>With that rule in place, if you want to ignore <quote>ping</quote>
from z1 to z2 then you need a rule of the form:</para> from z1 to z2 then you need a rule of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/DROP z1 z2</programlisting> Ping(DROP) z1 z2</programlisting>
<example id="Example2"> <example id="Example2">
<title>Silently drop pings from the Internet</title> <title>Silently drop pings from the Internet</title>
@ -89,7 +89,7 @@ Ping/DROP z1 z2</programlisting>
<filename>/etc/shorewall/rules</filename>:</para> <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/DROP net $FW</programlisting> Ping(DROP) net $FW</programlisting>
</example> </example>
<para>Note that the above rule may be used without changing the action <para>Note that the above rule may be used without changing the action

View File

@ -62,7 +62,7 @@
role="bold">net</emphasis> zone:</para> role="bold">net</emphasis> zone:</para>
<programlisting>#ACTION SOURCE DESTINATION <programlisting>#ACTION SOURCE DESTINATION
DNS/ACCEPT dmz net</programlisting> DNS(ACCEPT) dmz net</programlisting>
</note> </note>
<note> <note>
@ -75,12 +75,12 @@ DNS/ACCEPT dmz net</programlisting>
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para> at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
FTP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> FTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
<para>You would code your rule as follows:</para> <para>You would code your rule as follows:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
FTP/DNAT net dmz:192.168.1.4 </programlisting> FTP(DNAT) net dmz:192.168.1.4 </programlisting>
</note> </note>
</section> </section>
@ -94,7 +94,7 @@ FTP/DNAT net dmz:192.168.1.4 </programlisting>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Auth/ACCEPT <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> Auth(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="BT"> <section id="BT">
@ -111,14 +111,14 @@ Auth/ACCEPT <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
BitTorrent/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> BitTorrent(ACCEPT)<emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="DNS"> <section id="DNS">
<title>DNS</title> <title>DNS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNS/ACCEPT <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting> DNS(ACCEPT) <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>
<para>Note that if you are setting up a DNS server that supports recursive <para>Note that if you are setting up a DNS server that supports recursive
resolution, the server is the &lt;<emphasis>destination</emphasis>&gt; for resolution, the server is the &lt;<emphasis>destination</emphasis>&gt; for
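Review bot: `BitTorrent(ACCEPT)<emphasis>&lt;source&gt;</emphasis>` dropped the space that `BitTorrent/ACCEPT <emphasis>` had between the action and the source column, so the rendered example reads `BitTorrent(ACCEPT)<source>` and no longer lines up with the `#ACTION SOURCE DESTINATION` header; restore the separating whitespace as in the `DNS(ACCEPT) <emphasis>` entry in this same hunk.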
@ -129,8 +129,8 @@ DNS/ACCEPT <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&
local clients then you would need:</para> local clients then you would need:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNS/ACCEPT all dmz DNS(ACCEPT) all dmz
DNS/ACCEPT dmz net </programlisting> DNS(ACCEPT) dmz net </programlisting>
<note> <note>
<para>Recursive Resolution means that if the server itself can't resolve <para>Recursive Resolution means that if the server itself can't resolve
@ -175,7 +175,7 @@ DNS/ACCEPT dmz net </programlisting>
<para><filename>/etc/shorewall/rules:</filename></para> <para><filename>/etc/shorewall/rules:</filename></para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Edonkey/DNAT net loc:192.168.1.4 Edonkey(DNAT) net loc:192.168.1.4
#if you wish to enable the Emule webserver, add this rule too. #if you wish to enable the Emule webserver, add this rule too.
DNAT net loc:192.168.1.4 tcp 4711</programlisting> DNAT net loc:192.168.1.4 tcp 4711</programlisting>
</section> </section>
@ -184,7 +184,7 @@ DNAT net loc:192.168.1.4 tcp 4711</programlisting>
<title>FTP</title> <title>FTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
FTP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> FTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
<para>Look <ulink url="FTP.html">here</ulink> for much more <para>Look <ulink url="FTP.html">here</ulink> for much more
information.</para> information.</para>
@ -213,14 +213,14 @@ FTP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt
<para>Your loc-&gt;net policy is ACCEPT</para> <para>Your loc-&gt;net policy is ACCEPT</para>
</listitem> </listitem>
</orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) </orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Gnutella/DNAT net loc:192.168.1.4</programlisting></para> Gnutella(DNAT) net loc:192.168.1.4</programlisting></para>
</section> </section>
<section id="ICQ"> <section id="ICQ">
<title>ICQ/AIM</title> <title>ICQ/AIM</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ICQ/ACCEPT <emphasis>&lt;source&gt;</emphasis> net</programlisting> ICQ(ACCEPT) <emphasis>&lt;source&gt;</emphasis> net</programlisting>
</section> </section>
<section id="IMAP"> <section id="IMAP">
@ -237,8 +237,8 @@ ICQ/ACCEPT <emphasis>&lt;source&gt;</emphasis> net</programlisting>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
IMAP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> # Unsecure IMAP IMAP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> # Unsecure IMAP
IMAPS/ACCEPT &lt;source&gt; &lt;destination&gt; # IMAP over SSL.</programlisting> IMAPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # IMAP over SSL.</programlisting>
</section> </section>
<section id="IPSEC"> <section id="IPSEC">
@ -264,8 +264,8 @@ ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</e
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
LDAP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> <emphasis> #Insecure LDAP</emphasis> LDAP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> <emphasis> #Insecure LDAP</emphasis>
LDAPS/ACCEPT <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis></emphasis><emphasis></emphasis> # LDAP over SSL</programlisting> LDAPS(ACCEPT) <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis></emphasis><emphasis></emphasis> # LDAP over SSL</programlisting>
</section> </section>
<section id="MySQL"> <section id="MySQL">
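Review bot: while the LDAPS line is being rewritten anyway, the nested `<emphasis><emphasis>…</emphasis></emphasis>` followed by an empty `<emphasis></emphasis>` should be flattened to the single `<emphasis>` wrapping used on the LDAP line directly above. It is well-formed DocBook but carries no meaning and makes the two lines render inconsistently.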
@ -285,7 +285,7 @@ LDAPS/ACCEPT <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
MySQL/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> <emphasis> </emphasis></programlisting> MySQL(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> <emphasis> </emphasis></programlisting>
</section> </section>
<section id="NFS"> <section id="NFS">
@ -303,14 +303,14 @@ ACCEPT <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt; <emphasis
<title>NTP (Network Time Protocol)</title> <title>NTP (Network Time Protocol)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
NTP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> NTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="PCA"> <section id="PCA">
<title><trademark>PCAnywhere</trademark></title> <title><trademark>PCAnywhere</trademark></title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
PCA/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> PCA(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="POP3"> <section id="POP3">
@ -326,8 +326,8 @@ PCA/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
POP3/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> # Secure POP3(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> # Secure
POP3S/ACCEPT &lt;source&gt; &lt;destination&gt; #Unsecure Pop3</programlisting> POP3S(ACCEPT) &lt;source&gt; &lt;destination&gt; #Unsecure Pop3</programlisting>
</section> </section>
<section id="PPTP"> <section id="PPTP">
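Review bot: the comments on the two POP3 lines are swapped. `POP3(ACCEPT) … # Secure` and `POP3S(ACCEPT) … #Unsecure Pop3` label the cleartext service as secure and the SSL one as insecure; the POP3 macro is plain POP3 on TCP 110 and POP3S is POP3 over SSL on TCP 995. Since the hunk already touches both lines, correct the labels to match the IMAP/IMAPS pair above (`# Unsecure POP3` / `# POP3 over SSL`).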
@ -345,14 +345,14 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
<title>rdate</title> <title>rdate</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Rdate/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> Rdate(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="rsync"> <section id="rsync">
<title>rsync</title> <title>rsync</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Rsync/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> Rsync(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="Siproxd"> <section id="Siproxd">
@ -373,7 +373,7 @@ ACCEPT <emphasis> net fw udp 7070:7089</emp
<title>SSH/SFTP</title> <title>SSH/SFTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SSH/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting> SSH(ACCEPT)<emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>
</section> </section>
<section id="SMB"> <section id="SMB">
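Review bot: same column-spacing problem as the BitTorrent line: `SSH(ACCEPT)<emphasis>&lt;source&gt;</emphasis>` renders without any whitespace between the macro and `<source>`, so the copied rule has a malformed ACTION column. Keep the space that separated `SSH/ACCEPT` from `<source>` in the old text.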
@ -381,8 +381,8 @@ SSH/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
Sharing)</title> Sharing)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SMB/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis> SMB(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis> &lt;destination&gt;</emphasis>
SMB/ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis></programlisting> SMB(ACCEPT) <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis></programlisting>
<para>Also, see <ulink url="samba.htm">this page</ulink>.</para> <para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
</section> </section>
@ -395,15 +395,15 @@ SMB/ACCEPT <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SMTP/ACCEPT<emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Insecure SMTP SMTP(ACCEPT)<emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Insecure SMTP
SMTPS/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #SMTP over SSL (TLS)</programlisting> SMTPS(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #SMTP over SSL (TLS)</programlisting>
</section> </section>
<section id="SNMP"> <section id="SNMP">
<title>SNMP</title> <title>SNMP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SNMP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> SNMP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="SVN"> <section id="SVN">
@ -419,7 +419,7 @@ SNMP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&g
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SVN/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> SVN(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="Telnet"> <section id="Telnet">
@ -431,7 +431,7 @@ SVN/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Telnet/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> Telnet(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="TFTP"> <section id="TFTP">
@ -455,7 +455,7 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
<title>Traceroute</title> <title>Traceroute</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Trcrt/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Good for 10 hops</programlisting> Trcrt(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Good for 10 hops</programlisting>
<para>UDP traceroute uses ports 33434 through 33434+&lt;max number of <para>UDP traceroute uses ports 33434 through 33434+&lt;max number of
hops&gt;-1. Note that for the firewall to respond with a TTL expired ICMP hops&gt;-1. Note that for the firewall to respond with a TTL expired ICMP
@ -474,8 +474,8 @@ ACCEPT fw ...</programlisting>
<title>Usenet (NNTP)</title> <title>Usenet (NNTP)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
NNTP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> NNTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis>
NNTPS/ACCEPT &lt;source&gt; &lt;destination&gt; # secure NNTP</programlisting> NNTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; # secure NNTP</programlisting>
<para>TCP Port 119</para> <para>TCP Port 119</para>
</section> </section>
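Review bot: `<para>TCP Port 119</para>` only describes the first of the two rules in this hunk. The NNTPS line (`# secure NNTP`) uses TCP 563, so the sentence should mention both ports or be moved next to the NNTP line, as is done for the other secure/insecure pairs on the page.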
@ -494,13 +494,13 @@ NNTPS/ACCEPT &lt;source&gt; &lt;destination&gt; # secure NNTP</programlisti
9.</para> 9.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
VNC/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> VNC(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis>
</programlisting> </programlisting>
<para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para> <para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
VNCL/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting> VNCL(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section id="Vonage"> <section id="Vonage">
@ -520,15 +520,15 @@ VNCL/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&g
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
HTTP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Insecure HTTP HTTP(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Insecure HTTP
HTTPS/ACCEPT &lt;source&gt; &lt;destination&gt; #Secure HTTP</programlisting> HTTPS(ACCEPT) &lt;source&gt; &lt;destination&gt; #Secure HTTP</programlisting>
</section> </section>
<section id="Webmin"> <section id="Webmin">
<title>Webmin</title> <title>Webmin</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Webmin/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>Webmin Webmin(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>Webmin
use TCP port 10000.</para> use TCP port 10000.</para>
</section> </section>
@ -536,7 +536,7 @@ Webmin/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination
<title>Whois</title> <title>Whois</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Whois/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting></para> Whois(ACCEPT) <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting></para>
</section> </section>
<section id="X"> <section id="X">
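Review bot: grammar in the Webmin paragraph: "Webmin use TCP port 10000" should read "Webmin uses TCP port 10000". The hunk rewrites that line, so fix it in the same change.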

View File

@ -35,9 +35,9 @@
</articleinfo> </articleinfo>
<caution> <caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and <para><emphasis role="bold">This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that 4.3.5 then please see the documentation for that
release.</emphasis></para> release.</emphasis></para>
</caution> </caution>
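Review bot: the version statement is internally inconsistent: the first sentence now says the article applies to "Shorewall 4.3 and later" while the second refers readers on versions "earlier than Shorewall 4.3.5" to older documentation. Pick one threshold and use it in both sentences. Also check it against the commit message, which describes the `macro(ACTION)` form as 4.2 syntax; if that is the release that introduced it, 4.3 is not the right floor for this page.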
@ -46,15 +46,15 @@
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S) # PORT(S)
SMB/ACCEPT $FW loc SMB(ACCEPT) $FW loc
SMB/ACCEPT loc $FW</programlisting> SMB(ACCEPT) loc $FW</programlisting>
<para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para> <para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S) # PORT(S)
SMB/ACCEPT Z1 Z2 SMB(ACCEPT) Z1 Z2
SMB/ACCEPT Z2 Z1</programlisting> SMB(ACCEPT) Z2 Z1</programlisting>
<para>To make network browsing (<quote>Network Neighborhood</quote>) work <para>To make network browsing (<quote>Network Neighborhood</quote>) work
properly between Z1 and Z2 <emphasis role="bold">requires a Windows Domain properly between Z1 and Z2 <emphasis role="bold">requires a Windows Domain
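Review bot: the unchanged context line "To pass traffic SMB/Samba traffic between zones Z1 and Z2" repeats "traffic"; drop the first occurrence ("To pass SMB/Samba traffic between zones Z1 and Z2"). The hunk already touches the two rule lines immediately after it.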
@ -74,8 +74,8 @@ SMB/ACCEPT Z2 Z1</programlisting>
<listitem> <listitem>
<para>Edit the copies and remove the <emphasis <para>Edit the copies and remove the <emphasis
role="bold">SMB/DROP</emphasis> and <emphasis role="bold">SMB(DROP)</emphasis> and <emphasis
role="bold">SMB/REJECT</emphasis> lines.</para> role="bold">SMB(REJECT)</emphasis> lines.</para>
</listitem> </listitem>
<listitem> <listitem>

View File

@ -507,7 +507,7 @@ root@lists:~# </programlisting>
in <filename>/etc/shorewall/rules</filename> is:</para> in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
&lt;<emphasis>macro</emphasis>&gt;/ACCEPT net $FW</programlisting> &lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting>
<important> <important>
<para>Be sure to add your rules after the line that reads <emphasis <para>Be sure to add your rules after the line that reads <emphasis
@ -519,8 +519,8 @@ root@lists:~# </programlisting>
system:</title> system:</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web/ACCEPT net $FW Web(ACCEPT) net $FW
IMAP/ACCEPT net $FW</programlisting> IMAP(ACCEPT)net $FW</programlisting>
</example> </example>
<para>You may also choose to code your rules directly without using the <para>You may also choose to code your rules directly without using the
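Review bot: `IMAP(ACCEPT)net $FW` is not a valid rules-file line. Unlike the `<emphasis>`-wrapped placeholders elsewhere, this is literal text inside `<programlisting>`, and with no whitespace after `IMAP(ACCEPT)` the compiler sees `IMAP(ACCEPT)net` as the ACTION column and `$FW` as the SOURCE. Align it with the `Web(ACCEPT) net $FW` line directly above.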
@ -549,7 +549,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
firewall from the Internet, use <acronym>SSH</acronym>:</para> firewall from the Internet, use <acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SSH/ACCEPT net $FW </programlisting> SSH(ACCEPT) net $FW </programlisting>
</important> </important>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

View File

@ -739,8 +739,8 @@ DNAT net dmz:<emphasis>&lt;server local IP address&gt;</emphasis>[:<e
incoming TCP port 80 to that system</title> incoming TCP port 80 to that system</title>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/DNAT net dmz:10.10.11.2 Web(DNAT) net dmz:10.10.11.2
Web/ACCEPT loc dmz:10.10.11.2</programlisting><itemizedlist> Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
<listitem> <listitem>
<para>Entry 1 forwards port 80 from the Internet.</para> <para>Entry 1 forwards port 80 from the Internet.</para>
</listitem> </listitem>
@ -857,13 +857,13 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
</listitem> </listitem>
</itemizedlist> If you run the name server on the firewall: </itemizedlist> If you run the name server on the firewall:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc $FW DNS(ACCEPT) loc $FW
DNS/ACCEPT dmz $FW </programlisting> Run name server on DMZ DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc dmz:10.10.11.1 DNS(ACCEPT) loc dmz:10.10.11.1
DNS/ACCEPT $FW dmz:10.10.11.1 </programlisting></para> DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
<para>In the rules shown above, <quote>DNS/ACCEPT</quote> is an example of <para>In the rules shown above, <quote>DNS</quote>(ACCEPT)is an example of
a <emphasis>defined macro</emphasis>. Shorewall includes a number of a <emphasis>defined macro</emphasis>. Shorewall includes a number of
defined macros and <ulink url="Macros.html">you can add your own</ulink>. defined macros and <ulink url="Macros.html">you can add your own</ulink>.
To see the list of macros included with your version of Shorewall, run the To see the list of macros included with your version of Shorewall, run the
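Review bot: the closing `</quote>` moved to the wrong place: `<quote>DNS</quote>(ACCEPT)is an example of` renders as “DNS”(ACCEPT)is, with the macro argument outside the quotes and no space before "is". It should read `<quote>DNS(ACCEPT)</quote> is an example of`, so the whole invocation is quoted, matching what the rules above actually contain.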
@ -892,20 +892,20 @@ ACCEPT dmz $FW udp 53 </programlist
<para>The three-interface sample includes the following rule: <para>The three-interface sample includes the following rule:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT $FW net </programlisting>That rule allow DNS access DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access
from your firewall and may be removed if you commented out the line in from your firewall and may be removed if you commented out the line in
<filename>/etc/shorewall/policy</filename> allowing all connections from <filename>/etc/shorewall/policy</filename> allowing all connections from
the firewall to the Internet.</para> the firewall to the Internet.</para>
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT loc $FW SSH(ACCEPT) loc $FW
SSH/ACCEPT loc dmz </programlisting>Those rules allow you to run SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run
an SSH server on your firewall and in each of your DMZ systems and to an SSH server on your firewall and in each of your DMZ systems and to
connect to those servers from your local systems.</para> connect to those servers from your local systems.</para>
<para>If you wish to enable other connections between your systems, the <para>If you wish to enable other connections between your systems, the
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
&lt;<emphasis>macro</emphasis>&gt;/ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt;</emphasis></programlisting></para> &lt;<emphasis>macro</emphasis>&gt;(ACCEPT) <emphasis>&lt;source zone&gt; &lt;destination zone&gt;</emphasis></programlisting></para>
<para>The general format when not using a defined action <para>The general format when not using a defined action
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
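Review bot: minor grammar in the sentence following the first listing in this hunk: "That rule allow DNS access from your firewall" should be "That rule allows DNS access from your firewall". The line is already being rewritten for the macro syntax.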
@ -918,7 +918,7 @@ ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt; &lt;protocol&g
<para>Using defined macros:</para> <para>Using defined macros:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT net $FW</programlisting> DNS(ACCEPT) net $FW</programlisting>
<para>Not using defined macros:</para> <para>Not using defined macros:</para>
@ -937,7 +937,7 @@ ACCEPT net $FW udp 53 </programlisting>
<para>I don't recommend enabling telnet to/from the Internet because it <para>I don't recommend enabling telnet to/from the Internet because it
uses clear text (even for login!). If you want shell access to your uses clear text (even for login!). If you want shell access to your
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT net $FW</programlisting></para> SSH(ACCEPT) net $FW</programlisting></para>
</important> </important>
<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering <para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering
@ -1086,7 +1086,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<para>While you are editing <filename>shorewall.conf</filename>, it is a <para>While you are editing <filename>shorewall.conf</filename>, it is a
good idea to check the value of the SUBSYSLOCK option. You can find a good idea to check the value of the SUBSYSLOCK option. You can find a
description of this option by typing 'man shorewall.conf' at a shell description of this option by typing 'man shorewall.conf' at a shell
prompt and searching for SUBSYSLOCK </para> prompt and searching for SUBSYSLOCK</para>
<para>The firewall is started using the <command>shorewall start</command> <para>The firewall is started using the <command>shorewall start</command>
command and stopped using <command>shorewall stop</command>. When the command and stopped using <command>shorewall stop</command>. When the

View File

@ -336,7 +336,7 @@ ACCEPT dmz loc udp 53</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
Ping/ACCEPT <emphasis>&lt;source zone&gt;</emphasis> <emphasis>&lt;destination zone&gt;</emphasis></programlisting> Ping(ACCEPT)<emphasis>&lt;source zone&gt;</emphasis> <emphasis>&lt;destination zone&gt;</emphasis></programlisting>
<para>The ramifications of this can be subtle. For example, if you <para>The ramifications of this can be subtle. For example, if you
have the following in <filename><ulink have the following in <filename><ulink
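Review bot: `Ping(ACCEPT)<emphasis>&lt;source zone&gt;</emphasis>` loses the whitespace between the ACTION and SOURCE columns when rendered, the same defect as the BitTorrent and SSH lines in the ports document. Restore the space that `Ping/ACCEPT <source zone>` had.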
@ -358,7 +358,7 @@ Ping/ACCEPT <emphasis>&lt;source zone&gt;</emphasis> <emphasis>&lt;destination z
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
Ping/DROP net all</programlisting> Ping(DROP)net all</programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
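Review bot: `Ping(DROP)net all` is literal text in a `<programlisting>` and will not parse as a rule: without whitespace the ACTION column becomes `Ping(DROP)net` and `all` is taken as the SOURCE, leaving DEST empty. Write it as `Ping(DROP) net all` so the three columns line up under the `#ACTION SOURCE DEST` header.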

View File

@ -701,14 +701,14 @@ DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<e
linkend="Diagram">the above diagram</link> and you want to forward linkend="Diagram">the above diagram</link> and you want to forward
incoming <acronym>TCP</acronym> port 80 to that system: incoming <acronym>TCP</acronym> port 80 to that system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/DNAT net loc:10.10.10.2</programlisting></para> Web(DNAT) net loc:10.10.10.2</programlisting></para>
</example> <example id="Example2" label="2"> </example> <example id="Example2" label="2">
<title>FTP Server</title> <title>FTP Server</title>
<para>You run an <acronym>FTP</acronym> Server on <link <para>You run an <acronym>FTP</acronym> Server on <link
linkend="Diagram">computer 1</link> so you want to forward incoming linkend="Diagram">computer 1</link> so you want to forward incoming
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
FTP/DNAT net loc:10.10.10.1</programlisting> For FTP(DNAT) net loc:10.10.10.1</programlisting> For
<acronym>FTP</acronym>, you will also need to have <acronym>FTP</acronym>, you will also need to have
<acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym> <acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
support in your kernel. For vendor-supplied kernels, this means that support in your kernel. For vendor-supplied kernels, this means that
@ -808,7 +808,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
in <filename in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>. class="directory">/etc/shorewall/</filename><filename>rules</filename>.
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc $FW</programlisting></para> DNS(ACCEPT)loc $FW</programlisting></para>
</listitem> </listitem>
</itemizedlist></para> </itemizedlist></para>
</section> </section>
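Review bot: `DNS(ACCEPT)loc $FW` has the same missing column separator as the other literal listings in this commit; the compiler will read `DNS(ACCEPT)loc` as the ACTION. It should be `DNS(ACCEPT) loc $FW`, consistent with the `DNS(ACCEPT) $FW net` line a few hunks later in the same file.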
@ -818,13 +818,13 @@ DNS/ACCEPT loc $FW</programlisting></para>
<para>The two-interface sample includes the following rules: <para>The two-interface sample includes the following rules:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT $FW net</programlisting>This rule allows DNS(ACCEPT) $FW net</programlisting>This rule allows
<acronym>DNS</acronym> access from your firewall and may be removed if you <acronym>DNS</acronym> access from your firewall and may be removed if you
uncommented the line in <filename uncommented the line in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
allowing all connections from the firewall to the Internet.</para> allowing all connections from the firewall to the Internet.</para>
<para>In the rule shown above, <quote>DNS/ACCEPT</quote> is an example of <para>In the rule shown above, <quote>DNS</quote>(ACCEPT)is an example of
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
macros (see <filename>/usr/share/shorewall/macro.*</filename>) and <ulink macros (see <filename>/usr/share/shorewall/macro.*</filename>) and <ulink
url="Macros.html">you can add your own</ulink>.</para> url="Macros.html">you can add your own</ulink>.</para>
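Review bot: second instance of the misplaced `</quote>`: `<quote>DNS</quote>(ACCEPT)is an example of a <emphasis>macro invocation</emphasis>` should be `<quote>DNS(ACCEPT)</quote> is an example of …`, quoting the full invocation and restoring the space before "is". Same fix as in the three-interface document.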
@ -841,13 +841,13 @@ ACCEPT $FW net tcp 53</programlisting></para>
code the appropriate rules directly.</para> code the appropriate rules directly.</para>
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT loc $FW </programlisting>That rule allows you to run an SSH(ACCEPT) loc $FW </programlisting>That rule allows you to run an
<acronym>SSH</acronym> server on your firewall and connect to that server <acronym>SSH</acronym> server on your firewall and connect to that server
from your local systems.</para> from your local systems.</para>
<para>If you wish to enable other connections from your firewall to other <para>If you wish to enable other connections from your firewall to other
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
&lt;macro&gt;/ACCEPT $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The &lt;macro&gt;(ACCEPT) $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example
id="Example3"> id="Example3">
@ -855,8 +855,8 @@ ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;por
<para>You want to run a Web Server on your firewall system: <para>You want to run a Web Server on your firewall system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/ACCEPT net $FW Web(ACCEPT) net $FW
Web/ACCEPT loc $FW </programlisting>Those two rules would of Web(ACCEPT) loc $FW </programlisting>Those two rules would of
course be in addition to the rules listed above under <quote><link course be in addition to the rules listed above under <quote><link
linkend="cachingdns">You can configure a Caching Name Server on your linkend="cachingdns">You can configure a Caching Name Server on your
firewall</link></quote>.</para> firewall</link></quote>.</para>
@ -868,7 +868,7 @@ Web/ACCEPT loc $FW </programlisting>Those two rules would of
<acronym>SSH</acronym>:</para> <acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT net $FW</programlisting> SSH(ACCEPT) net $FW</programlisting>
</important> <inlinegraphic fileref="images/leaflogo.gif" </important> <inlinegraphic fileref="images/leaflogo.gif"
format="GIF" />Bering users will want to add the following two rules to be format="GIF" />Bering users will want to add the following two rules to be
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)