mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 00:34:04 +01:00
Use 4.2 syntax for parameterized Macros.
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9693 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 6892bfbf5d
commit 00b7025467
@ -345,15 +345,15 @@ all all REJECT info</programlisting>
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT $FW net
DNS(ACCEPT) $FW net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
SSH(ACCEPT) loc $FW
#
# Allow Ping everywhere
#
Ping/ACCEPT all all
Ping(ACCEPT) all all

#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -850,7 +850,7 @@ to debug/develop the newnat interface.</programlisting></para>
invokes the <emphasis role="bold">Auth</emphasis> macro (defined in
<filename>/usr/share/shorewall/macro.Auth</filename>) specifying the
<emphasis role="bold">REJECT</emphasis> action (i.e., <emphasis
role="bold">Auth/REJECT</emphasis>). This is necessary to prevent
role="bold">Auth(REJECT)</emphasis>). This is necessary to prevent
outgoing connection problems to services that use the
<quote>Auth</quote> mechanism for identifying requesting users. That is
the only service which the default setup rejects.</para>
@ -405,13 +405,13 @@ DNAT ACTION =

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION
FTP/DNAT net loc:192.168.1.5</programlisting>
FTP(DNAT) net loc:192.168.1.5</programlisting>
</example><example id="Example4">
<title>Allow your DMZ FTP access to the Internet</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DESTINATION
FTP/ACCEPT dmz net</programlisting>
FTP(ACCEPT) dmz net</programlisting>
</example></para>

<para>Note that the FTP connection tracking in the kernel cannot handle
@ -804,15 +804,15 @@ all all REJECT info
# PORT(S) PORT(S)
SECTION ESTABLISHED
# Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP/REJECT net $FW
L2TP/(REJECT) net $FW
REJECT $FW net udp - 1701
# l2tp over the IPsec VPN
ACCEPT vpn $FW udp 1701
# webserver that can only be accessed internally
HTTP/ACCEPT loc $FW
HTTP/ACCEPT l2tp $FW
HTTPS/ACCEPT loc $FW
HTTPS/ACCEPT l2tp $FW
HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) l2tp $FW
HTTPS(ACCEPT) loc $FW
HTTPS(ACCEPT) l2tp $FW
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
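Review bot: the replacement line `L2TP/(REJECT) net $FW` keeps the old slash in front of the parenthesis, so it matches neither the 4.0 form `L2TP/REJECT` it replaces nor the 4.2 form `L2TP(REJECT)` that every other listing in this commit is converted to. It should read `L2TP(REJECT) net $FW`; as written, a reader who copies the example into /etc/shorewall/rules gets a spelling the documentation describes nowhere.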
@ -114,7 +114,7 @@ PARAM - - tcp 135,139,445

<para>When invoking a parameterized macro, you follow the name of the
macro with the action that you want to substitute for PARAM enclosed in
parentheses. </para>
parentheses.</para>

<para>Example:</para>
@ -160,7 +160,7 @@ PARAM - loc tcp 25</programlisting>
<para>/etc/shorewall/rules (Shorewall 4.0):</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SMTP/DNAT:info net 192.168.1.5</programlisting>
SMTP(DNAT):info net 192.168.1.5</programlisting>

<para>/etc/shorewall/rules (Shorewall 4.2.0 and later):</para>
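Review bot: the listing under `<para>/etc/shorewall/rules (Shorewall 4.0):</para>` is converted to the 4.2 `SMTP(DNAT):info` syntax, but the 4.0 label is left in place and the following `<para>/etc/shorewall/rules (Shorewall 4.2.0 and later):</para>` paragraph still introduces a second example, so the document now shows the same syntax twice under two different version labels. The hunks at -182 and -222 handle the same situation by deleting the 4.0 paragraph and listing and shortening the remaining label to `<para>/etc/shorewall/rules</para>`; this hunk should do the same.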
@ -182,12 +182,7 @@ DNAT:info net loc:192.168.1.5 tcp 25</programlisting>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
PARAM - 192.168.1.5 tcp 25</programlisting>

<para>/etc/shorewall/rules (Shorewall 4.0)</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SMTP/DNAT:info net loc</programlisting>

<para>/etc/shorewall/rules (Shorewall 4.2.0 and later)</para>
<para>/etc/shorewall/rules</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SMTP(DNAT):info net loc</programlisting>
@ -222,12 +217,7 @@ PARAM DEST SOURCE udp 1024: 137
PARAM DEST SOURCE tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>

<para>/etc/shorewall/rules (Shorewall 4.0):</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SMBBI/ACCEPT loc fw</programlisting>

<para>/etc/shorewall/rules (Shorewall 4.2.0 and later):</para>
<para>/etc/shorewall/rules:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SMBBI(ACCEPT) loc fw</programlisting>
@ -436,9 +436,9 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
exception that I've added a fourth interface for our wireless network.
The firewall runs a routed <ulink url="OPENVPN.html">OpenVPN
server</ulink> to provide road warrior access for our three laptops and a
bridged OpenVPN server for the wireless network in our home. Here is the
firewall's view of the network:</para>
server</ulink> to provide road warrior access for our three laptops and
a bridged OpenVPN server for the wireless network in our home. Here is
the firewall's view of the network:</para>

<graphic align="center" fileref="images/network4a.png" />
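Review bot: this hunk only re-wraps three lines of the paragraph ("and a / bridged ..." becomes "and / a bridged ..."); no word changes. It has nothing to do with the parameterized-macro syntax named in the commit message and is presumably an editor re-flow; splitting it into its own commit or dropping it would keep this diff reviewable as a pure syntax change.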
@ -692,20 +692,20 @@ REDIRECT- loc 3128 tcp
#
ACCEPT vpn fw tcp ssh,time,631,8080
ACCEPT vpn fw udp 161,ntp,631
Ping/ACCEPT vpn fw
Ping(ACCEPT) vpn fw
###############################################################################################################################################################################
# Road Warriors to DMZ
#
ACCEPT vpn dmz udp domain
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
Ping/ACCEPT vpn dmz
Ping(ACCEPT) vpn dmz
###############################################################################################################################################################################
# Local network to DMZ
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
ACCEPT loc dmz tcp smtp
Trcrt/ACCEPT loc dmz
Trcrt(ACCEPT) loc dmz
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
@ -723,7 +723,7 @@ ACCEPT net dmz udp
Mirrors net dmz tcp rsync
Limit:$LOG:SSHA,3,60\
net dmz tcp 22
Trcrt/ACCEPT net dmz
Trcrt(ACCEPT) net dmz
##############################################################################################################################################################################
#
# Net to Local
@ -768,7 +768,7 @@ ACCEPT net loc:192.168.1.6 tcp
#
# Traceroute
#
Trcrt/ACCEPT net loc:192.168.1.3
Trcrt(ACCEPT) net loc:192.168.1.3
#
# Silently Handle common probes
#
@ -780,7 +780,7 @@ DROP net loc icmp
ACCEPT dmz net udp domain,ntp
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT dmz net:$POPSERVERS tcp pop3
Ping/ACCEPT dmz net
Ping(ACCEPT) dmz net
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
@ -792,13 +792,13 @@ ACCEPT:$LOG dmz net tcp
#
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt/ACCEPT loc dmz
Trcrt(ACCEPT) loc dmz
###############################################################################################################################################################################
# DMZ to Local
#
ACCEPT dmz loc:192.168.1.5 udp 123
ACCEPT dmz loc:192.168.1.5 tcp 21
Ping/ACCEPT dmz loc
Ping(ACCEPT) dmz loc

###############################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
@ -815,7 +815,7 @@ ACCEPT net loc:192.168.1.6 tcp
#
# Traceroute
#
Trcrt/ACCEPT net loc:192.168.1.3
Trcrt(ACCEPT) net loc:192.168.1.3
#
# Silently Handle common probes
#
@ -827,7 +827,7 @@ DROP net loc icmp
ACCEPT dmz net udp domain,ntp
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT dmz net:$POPSERVERS tcp pop3
Ping/ACCEPT dmz net
Ping(ACCEPT) dmz net
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
@ -839,26 +839,26 @@ ACCEPT:$LOG dmz net tcp
#
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt/ACCEPT loc dmz
Trcrt(ACCEPT) loc dmz
###############################################################################################################################################################################
# DMZ to Local
#
ACCEPT dmz loc:192.168.1.5 udp 123
ACCEPT dmz loc:192.168.1.5 tcp 21
Ping/ACCEPT dmz loc
Ping(ACCEPT) dmz loc

###############################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt/ACCEPT loc dmz
Trcrt(ACCEPT) loc dmz
###############################################################################################################################################################################
# DMZ to Local
#
ACCEPT dmz loc:192.168.1.5 udp 123
ACCEPT dmz loc:192.168.1.5 tcp 21
Ping/ACCEPT dmz loc
Ping(ACCEPT) dmz loc

###############################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
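Review bot: this 26-line hunk shows that the listing repeats itself: directly under the first `# DMZ to Firewall -- ntp & snmp, Silently reject Auth` heading the file again carries the `ACCEPT loc dmz ...`, `Trcrt/ACCEPT loc dmz`, `# DMZ to Local` and `Ping/ACCEPT dmz loc` block, and the same block already appears in the hunk at -792. That looks like a pre-existing copy-and-paste duplicate in the example rules file; the commit converts both copies faithfully, but since these lines are being touched anyway it would be worth removing the repeated block so the `# DMZ to Firewall` heading is followed by the `dmz fw` rules it announces.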
@ -866,7 +866,7 @@ Ping/ACCEPT dmz loc
ACCEPT dmz fw tcp 161,ssh
ACCEPT dmz fw udp 161,ntp
REJECT dmz fw tcp auth
Ping/ACCEPT dmz fw
Ping(ACCEPT) dmz fw
###############################################################################################################################################################################
# Internet to Firewall
#
@ -878,7 +878,7 @@ ACCEPT net fw tcp
ACCEPT net:$OMAK fw tcp 22
Limit:$LOG:SSHA,3,60\
net fw tcp 22
Trcrt/ACCEPT net fw
Trcrt(ACCEPT) net fw
#
# Bittorrent
#
@ -890,7 +890,7 @@ ACCEPT net fw udp
ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
Ping/ACCEPT fw dmz
Ping(ACCEPT) fw dmz
##############################################################################################################################################################################
# Avoid logging Freenode.net probes
#
@ -686,27 +686,27 @@ ACCEPT loc fw tcp
ACCEPT loc fw udp 161,ntp,631
ACCEPT loc:192.168.1.5 fw udp 111
DROP loc fw tcp 3185 #SUSE Meta pppd
Ping/ACCEPT loc fw
Ping(ACCEPT) loc fw
REDIRECT loc 3128 tcp 80 - !206.124.146.177
###############################################################################################################################################################################
# Road Warriors to Firewall
#
ACCEPT vpn fw tcp ssh,time,631,8080
ACCEPT vpn fw udp 161,ntp,631
Ping/ACCEPT vpn fw
Ping(ACCEPT) vpn fw
###############################################################################################################################################################################
# Road Warriors to DMZ
#
ACCEPT vpn dmz udp domain
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
Ping/ACCEPT vpn dmz
Ping(ACCEPT) vpn dmz
###############################################################################################################################################################################
# Local network to DMZ
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
ACCEPT loc dmz tcp smtp
Trcrt/ACCEPT loc dmz
Trcrt(ACCEPT) loc dmz
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
@ -723,7 +723,7 @@ ACCEPT net dmz udp
Mirrors net dmz tcp rsync
Limit:$LOG:SSHA,3,60\
net dmz tcp 22
Trcrt/ACCEPT net dmz
Trcrt(ACCEPT) net dmz
##############################################################################################################################################################################
#
# Net to Local
@ -755,7 +755,7 @@ ACCEPT net loc:192.168.1.6 tcp
#
# Traceroute
#
Trcrt/ACCEPT net loc:192.168.1.3
Trcrt(ACCEPT) net loc:192.168.1.3
#
# Silently Handle common probes
#
@ -767,7 +767,7 @@ DROP net loc icmp
ACCEPT dmz net udp domain,ntp
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT dmz net:$POPSERVERS tcp pop3
Ping/ACCEPT dmz net
Ping(ACCEPT) dmz net
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
@ -779,13 +779,13 @@ ACCEPT:$LOG dmz net tcp
#
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
Trcrt/ACCEPT loc dmz
Trcrt(ACCEPT) loc dmz
###############################################################################################################################################################################
# DMZ to Local
#
ACCEPT dmz loc:192.168.1.5 udp 123
ACCEPT dmz loc:192.168.1.5 tcp 21
Ping/ACCEPT dmz loc
Ping(ACCEPT) dmz loc

###############################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
@ -793,7 +793,7 @@ Ping/ACCEPT dmz loc
ACCEPT dmz fw tcp 161,ssh
ACCEPT dmz fw udp 161
REJECT dmz fw tcp auth
Ping/ACCEPT dmz fw
Ping(ACCEPT) dmz fw
###############################################################################################################################################################################
# Internet to Firewall
#
@ -805,14 +805,14 @@ ACCEPT net fw tcp
ACCEPT net:$OMAK fw tcp 22
Limit:$LOG:SSHA,3,60\
net fw tcp 22
Trcrt/ACCEPT net fw
Trcrt(ACCEPT) net fw
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,https,993,465
ACCEPT fw dmz udp domain
REJECT fw dmz udp 137:139
Ping/ACCEPT fw dmz
Ping(ACCEPT) fw dmz
##############################################################################################################################################################################
# Avoid logging Freenode.net probes
#
@ -720,7 +720,7 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.2

<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
POP/ACCEPT loc net:pop.gmail.com</programlisting>
POP(ACCEPT) loc net:pop.gmail.com</programlisting>

<para>If your firewall rules include DNS names then:</para>
@ -56,7 +56,7 @@
<filename>/etc/shorewall/rules</filename> of the form:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/ACCEPT z1 z2</programlisting>
Ping(ACCEPT) z1 z2</programlisting>

<example id="Example1">
<title>Ping from local zone to firewall</title>
@ -64,7 +64,7 @@ Ping/ACCEPT z1 z2</programlisting>
<para>To permit ping from the local zone to the firewall:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/ACCEPT loc $FW</programlisting>
Ping(ACCEPT) loc $FW</programlisting>
</example>

<para>If you would like to accept <quote>ping</quote> by default even when
@ -74,13 +74,13 @@ Ping/ACCEPT loc $FW</programlisting>
<filename class="directory">/etc/shorewall</filename> and simply add this
line to the copy:</para>

<programlisting>Ping/ACCEPT</programlisting>
<programlisting>Ping(ACCEPT)</programlisting>

<para>With that rule in place, if you want to ignore <quote>ping</quote>
from z1 to z2 then you need a rule of the form:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/DROP z1 z2</programlisting>
Ping(DROP) z1 z2</programlisting>

<example id="Example2">
<title>Silently drop pings from the Internet</title>
@ -89,7 +89,7 @@ Ping/DROP z1 z2</programlisting>
<filename>/etc/shorewall/rules</filename>:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/DROP net $FW</programlisting>
Ping(DROP) net $FW</programlisting>
</example>

<para>Note that the above rule may be used without changing the action
@ -62,7 +62,7 @@
role="bold">net</emphasis> zone:</para>

<programlisting>#ACTION SOURCE DESTINATION
DNS/ACCEPT dmz net</programlisting>
DNS(ACCEPT) dmz net</programlisting>
</note>

<note>
@ -75,12 +75,12 @@ DNS/ACCEPT dmz net</programlisting>
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
FTP/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
FTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>

<para>You would code your rule as follows:</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
FTP/DNAT net dmz:192.168.1.4 </programlisting>
FTP(DNAT) net dmz:192.168.1.4 </programlisting>
</note>
</section>
@ -94,7 +94,7 @@ FTP/DNAT net dmz:192.168.1.4 </programlisting>
</caution>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Auth/ACCEPT <emphasis> <source></emphasis> <emphasis><destination></emphasis></programlisting>
Auth(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination></emphasis></programlisting>
</section>

<section id="BT">
@ -111,14 +111,14 @@ Auth/ACCEPT <emphasis> <source></emphasis> <emphasis><destination&
</caution>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
BitTorrent/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
BitTorrent(ACCEPT)<emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
</section>

<section id="DNS">
<title>DNS</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNS/ACCEPT <emphasis> <source></emphasis> <emphasis><destination></emphasis> </programlisting>
DNS(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination></emphasis> </programlisting>

<para>Note that if you are setting up a DNS server that supports recursive
resolution, the server is the <<emphasis>destination</emphasis>> for
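Review bot: `BitTorrent(ACCEPT)<emphasis><source></emphasis>` drops the space that `BitTorrent/ACCEPT <emphasis>` had between the ACTION and SOURCE columns, so the rendered listing reads `BitTorrent(ACCEPT)<source> <destination>` as a single token. Put the space back, as in the DNS listing in the same hunk, so the example stays a valid whitespace-separated rules line.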
@ -129,8 +129,8 @@ DNS/ACCEPT <emphasis> <source></emphasis> <emphasis><destination&
local clients then you would need:</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNS/ACCEPT all dmz
DNS/ACCEPT dmz net </programlisting>
DNS(ACCEPT) all dmz
DNS(ACCEPT) dmz net </programlisting>

<note>
<para>Recursive Resolution means that if the server itself can't resolve
@ -175,7 +175,7 @@ DNS/ACCEPT dmz net </programlisting>
<para><filename>/etc/shorewall/rules:</filename></para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Edonkey/DNAT net loc:192.168.1.4
Edonkey(DNAT) net loc:192.168.1.4
#if you wish to enable the Emule webserver, add this rule too.
DNAT net loc:192.168.1.4 tcp 4711</programlisting>
</section>
@ -184,7 +184,7 @@ DNAT net loc:192.168.1.4 tcp 4711</programlisting>
<title>FTP</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
FTP/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
FTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>

<para>Look <ulink url="FTP.html">here</ulink> for much more
information.</para>
@ -213,14 +213,14 @@ FTP/ACCEPT <emphasis><source></emphasis> <emphasis><destination>
<para>Your loc->net policy is ACCEPT</para>
</listitem>
</orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Gnutella/DNAT net loc:192.168.1.4</programlisting></para>
Gnutella(DNAT) net loc:192.168.1.4</programlisting></para>
</section>

<section id="ICQ">
<title>ICQ/AIM</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ICQ/ACCEPT <emphasis><source></emphasis> net</programlisting>
ICQ(ACCEPT) <emphasis><source></emphasis> net</programlisting>
</section>

<section id="IMAP">
@ -237,8 +237,8 @@ ICQ/ACCEPT <emphasis><source></emphasis> net</programlisting>
</caution>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
IMAP/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> # Unsecure IMAP
IMAPS/ACCEPT <source> <destination> # IMAP over SSL.</programlisting>
IMAP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> # Unsecure IMAP
IMAPS(ACCEPT) <source> <destination> # IMAP over SSL.</programlisting>
</section>

<section id="IPSEC">
@ -264,8 +264,8 @@ ACCEPT <emphasis><destination></emphasis> <emphasis><source></e
</caution>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
LDAP/ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> <emphasis> #Insecure LDAP</emphasis>
LDAPS/ACCEPT <emphasis><emphasis><source></emphasis> <emphasis> <destination></emphasis></emphasis><emphasis></emphasis> # LDAP over SSL</programlisting>
LDAP(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis> <emphasis> #Insecure LDAP</emphasis>
LDAPS(ACCEPT) <emphasis><emphasis><source></emphasis> <emphasis> <destination></emphasis></emphasis><emphasis></emphasis> # LDAP over SSL</programlisting>
</section>

<section id="MySQL">
@ -285,7 +285,7 @@ LDAPS/ACCEPT <emphasis><emphasis><source></emphasis> <emphasis> &
</caution>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
MySQL/ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> <emphasis> </emphasis></programlisting>
MySQL(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis> <emphasis> </emphasis></programlisting>
</section>

<section id="NFS">
@ -303,14 +303,14 @@ ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis
<title>NTP (Network Time Protocol)</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
NTP/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
NTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
</section>

<section id="PCA">
<title><trademark>PCAnywhere</trademark></title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
PCA/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
PCA(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
</section>

<section id="POP3">
@ -326,8 +326,8 @@ PCA/ACCEPT <emphasis><source></emphasis> <emphasis><destination>
</caution>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
POP3/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> # Secure
POP3S/ACCEPT <source> <destination> #Unsecure Pop3</programlisting>
POP3(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> # Secure
POP3S(ACCEPT) <source> <destination> #Unsecure Pop3</programlisting>
</section>

<section id="PPTP">
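Review bot: the trailing comments on these two lines are swapped, in the old text and still in the new: plain `POP3(ACCEPT)` is marked `# Secure` while `POP3S(ACCEPT)`, the POP3-over-SSL macro, is marked `#Unsecure Pop3`. Since both lines are being rewritten, exchange the comments so POP3 reads `#Unsecure Pop3` and POP3S reads `# Secure`, consistent with the IMAP/IMAPS, SMTP/SMTPS and HTTP/HTTPS listings elsewhere in this commit.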
@ -345,14 +345,14 @@ ACCEPT <emphasis><source></emphasis> <emphasis><destination></e
<title>rdate</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Rdate/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
Rdate(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
</section>

<section id="rsync">
<title>rsync</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Rsync/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
Rsync(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
</section>

<section id="Siproxd">
@ -373,7 +373,7 @@ ACCEPT <emphasis> net fw udp 7070:7089</emp
<title>SSH/SFTP</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SSH/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting>
SSH(ACCEPT)<emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting>
</section>

<section id="SMB">
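Review bot: `SSH(ACCEPT)<emphasis><source></emphasis>` loses the space that `SSH/ACCEPT <emphasis>` had after the action, so the rendered example becomes `SSH(ACCEPT)<source> <destination>` with ACTION and SOURCE fused. Restore the space so the listing matches the other macro examples in this commit.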
@ -381,8 +381,8 @@ SSH/ACCEPT <emphasis><source></emphasis> <emphasis><destination></e
Sharing)</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SMB/ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis>
SMB/ACCEPT <emphasis><destination></emphasis> <emphasis><source></emphasis></programlisting>
SMB(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis>
SMB(ACCEPT) <emphasis><destination></emphasis> <emphasis><source></emphasis></programlisting>

<para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
</section>
@ -395,15 +395,15 @@ SMB/ACCEPT <emphasis><destination></emphasis> <emphasis><source>
</caution>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SMTP/ACCEPT<emphasis> <source></emphasis> <emphasis><destination></emphasis> #Insecure SMTP
SMTPS/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> #SMTP over SSL (TLS)</programlisting>
SMTP(ACCEPT)<emphasis> <source></emphasis> <emphasis><destination></emphasis> #Insecure SMTP
SMTPS(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #SMTP over SSL (TLS)</programlisting>
</section>

<section id="SNMP">
<title>SNMP</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SNMP/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
SNMP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
</section>

<section id="SVN">
@ -419,7 +419,7 @@ SNMP/ACCEPT <emphasis><source></emphasis> <emphasis><destination&g
</caution>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SVN/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
SVN(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
</section>

<section id="Telnet">
@ -431,7 +431,7 @@ SVN/ACCEPT <emphasis><source></emphasis> <emphasis><destination>
</caution>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Telnet/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
Telnet(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
</section>

<section id="TFTP">
@ -455,7 +455,7 @@ ACCEPT <emphasis><source></emphasis> <emphasis><destination></e
<title>Traceroute</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Trcrt/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> #Good for 10 hops</programlisting>
Trcrt(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #Good for 10 hops</programlisting>

<para>UDP traceroute uses ports 33434 through 33434+<max number of
hops>-1. Note that for the firewall to respond with a TTL expired ICMP
@ -474,8 +474,8 @@ ACCEPT fw ...</programlisting>
<title>Usenet (NNTP)</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
NNTP/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis>
NNTPS/ACCEPT <source> <destination> # secure NNTP</programlisting>
NNTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis>
NNTPS(ACCEPT) <source> <destination> # secure NNTP</programlisting>

<para>TCP Port 119</para>
</section>
@ -494,13 +494,13 @@ NNTPS/ACCEPT <source> <destination> # secure NNTP</programlisti
9.</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
VNC/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis>
VNC(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis>
</programlisting>

<para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
VNCL/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
VNCL(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
</section>

<section id="Vonage">
@ -520,15 +520,15 @@ VNCL/ACCEPT <emphasis><source></emphasis> <emphasis><destination&g
</caution>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
HTTP/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> #Insecure HTTP
HTTPS/ACCEPT <source> <destination> #Secure HTTP</programlisting>
HTTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #Insecure HTTP
HTTPS(ACCEPT) <source> <destination> #Secure HTTP</programlisting>
</section>

<section id="Webmin">
<title>Webmin</title>

<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Webmin/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting>Webmin
Webmin(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting>Webmin
use TCP port 10000.</para>
</section>

@ -536,7 +536,7 @@ Webmin/ACCEPT <emphasis><source></emphasis> <emphasis><destination
<title>Whois</title>

<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Whois/ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting></para>
Whois(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting></para>
</section>

<section id="X">

@ -35,9 +35,9 @@
</articleinfo>

<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
4.3.5 then please see the documentation for that
release.</emphasis></para>
</caution>

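Review bot: the two version numbers in this caution disagree. The first sentence now says the article applies to Shorewall 4.3 and later, while the second sends readers on versions earlier than 4.3.5 to older documentation, so 4.3.0 through 4.3.4 fall under both sentences. Use one cut-off in both places, for example `applies to Shorewall 4.3.5 and` together with `earlier than Shorewall 4.3.5`. The commit message describes this as the 4.2 syntax for parameterized macros, so it is also worth confirming that 4.3 rather than 4.2 is the intended floor before this lands.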
@ -46,15 +46,15 @@

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S)
SMB/ACCEPT $FW loc
SMB/ACCEPT loc $FW</programlisting>
SMB(ACCEPT) $FW loc
SMB(ACCEPT) loc $FW</programlisting>

<para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE
# PORT(S)
SMB/ACCEPT Z1 Z2
SMB/ACCEPT Z2 Z1</programlisting>
SMB(ACCEPT) Z1 Z2
SMB(ACCEPT) Z2 Z1</programlisting>

<para>To make network browsing (<quote>Network Neighborhood</quote>) work
properly between Z1 and Z2 <emphasis role="bold">requires a Windows Domain
@ -74,8 +74,8 @@ SMB/ACCEPT Z2 Z1</programlisting>

<listitem>
<para>Edit the copies and remove the <emphasis
role="bold">SMB/DROP</emphasis> and <emphasis
role="bold">SMB/REJECT</emphasis> lines.</para>
role="bold">SMB(DROP)</emphasis> and <emphasis
role="bold">SMB(REJECT)</emphasis> lines.</para>
</listitem>

<listitem>

@ -507,7 +507,7 @@ root@lists:~# </programlisting>
in <filename>/etc/shorewall/rules</filename> is:</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<<emphasis>macro</emphasis>>/ACCEPT net $FW</programlisting>
<<emphasis>macro</emphasis>>(ACCEPT) net $FW</programlisting>

<important>
<para>Be sure to add your rules after the line that reads <emphasis
@ -519,8 +519,8 @@ root@lists:~# </programlisting>
system:</title>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web/ACCEPT net $FW
IMAP/ACCEPT net $FW</programlisting>
Web(ACCEPT) net $FW
IMAP(ACCEPT)net $FW</programlisting>
</example>

<para>You may also choose to code your rules directly without using the
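Review bot: `IMAP(ACCEPT)net $FW</programlisting>` lost the whitespace between the ACTION and SOURCE columns. The Shorewall rules file is whitespace-delimited, so a reader who copies this example gets a single ACTION token `IMAP(ACCEPT)net` with `$FW` as the SOURCE and no DEST. Restore the separator so the line matches the `Web(ACCEPT) net $FW` line just above it.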
@ -549,7 +549,7 @@ ACCEPT net $FW tcp 143</programlisting></para>
firewall from the Internet, use <acronym>SSH</acronym>:</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SSH/ACCEPT net $FW </programlisting>
SSH(ACCEPT) net $FW </programlisting>
</important>

<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

@ -739,8 +739,8 @@ DNAT net dmz:<emphasis><server local IP address></emphasis>[:<e
incoming TCP port 80 to that system</title>

<para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/DNAT net dmz:10.10.11.2
Web/ACCEPT loc dmz:10.10.11.2</programlisting><itemizedlist>
Web(DNAT) net dmz:10.10.11.2
Web(ACCEPT) loc dmz:10.10.11.2</programlisting><itemizedlist>
<listitem>
<para>Entry 1 forwards port 80 from the Internet.</para>
</listitem>
@ -857,13 +857,13 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
</listitem>
</itemizedlist> If you run the name server on the firewall:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc $FW
DNS/ACCEPT dmz $FW </programlisting> Run name server on DMZ
DNS(ACCEPT) loc $FW
DNS(ACCEPT) dmz $FW </programlisting> Run name server on DMZ
computer 1: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc dmz:10.10.11.1
DNS/ACCEPT $FW dmz:10.10.11.1 </programlisting></para>
DNS(ACCEPT) loc dmz:10.10.11.1
DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>

<para>In the rules shown above, <quote>DNS/ACCEPT</quote> is an example of
<para>In the rules shown above, <quote>DNS</quote>(ACCEPT)is an example of
a <emphasis>defined macro</emphasis>. Shorewall includes a number of
defined macros and <ulink url="Macros.html">you can add your own</ulink>.
To see the list of macros included with your version of Shorewall, run the
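Review bot: the rewritten sentence `<quote>DNS</quote>(ACCEPT)is an example of` puts the closing `</quote>` inside the macro invocation and drops the space before `is`, so it renders as "DNS"(ACCEPT)is. The quoted term is the whole invocation; it should read `<quote>DNS(ACCEPT)</quote> is an example of`.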
@ -892,20 +892,20 @@ ACCEPT dmz $FW udp 53 </programlist

<para>The three-interface sample includes the following rule:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT $FW net </programlisting>That rule allow DNS access
DNS(ACCEPT) $FW net </programlisting>That rule allow DNS access
from your firewall and may be removed if you commented out the line in
<filename>/etc/shorewall/policy</filename> allowing all connections from
the firewall to the Internet.</para>

<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz </programlisting>Those rules allow you to run
SSH(ACCEPT) loc $FW
SSH(ACCEPT) loc dmz </programlisting>Those rules allow you to run
an SSH server on your firewall and in each of your DMZ systems and to
connect to those servers from your local systems.</para>

<para>If you wish to enable other connections between your systems, the
general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<<emphasis>macro</emphasis>>/ACCEPT <emphasis><source zone> <destination zone></emphasis></programlisting></para>
<<emphasis>macro</emphasis>>(ACCEPT) <emphasis><source zone> <destination zone></emphasis></programlisting></para>

<para>The general format when not using a defined action
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
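Review bot: minor, but since the line is being rewritten anyway, `That rule allow DNS access` should read `That rule allows DNS access`.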
@ -918,7 +918,7 @@ ACCEPT <emphasis><source zone> <destination zone> <protocol&g
<para>Using defined macros:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT net $FW</programlisting>
DNS(ACCEPT) net $FW</programlisting>

<para>Not using defined macros:</para>

@ -937,7 +937,7 @@ ACCEPT net $FW udp 53 </programlisting>
<para>I don't recommend enabling telnet to/from the Internet because it
uses clear text (even for login!). If you want shell access to your
firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT net $FW</programlisting></para>
SSH(ACCEPT) net $FW</programlisting></para>
</important>

<para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering
@ -1086,7 +1086,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<para>While you are editing <filename>shorewall.conf</filename>, it is a
good idea to check the value of the SUBSYSLOCK option. You can find a
description of this option by typing 'man shorewall.conf' at a shell
prompt and searching for SUBSYSLOCK </para>
prompt and searching for SUBSYSLOCK</para>

<para>The firewall is started using the <command>shorewall start</command>
command and stopped using <command>shorewall stop</command>. When the

@ -336,7 +336,7 @@ ACCEPT dmz loc udp 53</programlisting>

<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
Ping/ACCEPT <emphasis><source zone></emphasis> <emphasis><destination zone></emphasis></programlisting>
Ping(ACCEPT)<emphasis><source zone></emphasis> <emphasis><destination zone></emphasis></programlisting>

<para>The ramifications of this can be subtle. For example, if you
have the following in <filename><ulink
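Review bot: `Ping(ACCEPT)<emphasis><source zone></emphasis>` drops the space between the ACTION column and the source zone that the replaced `Ping/ACCEPT <emphasis>` line had; a reader filling in the template ends up with `Ping(ACCEPT)<source zone>` as one token. Add the separator back so the line reads `Ping(ACCEPT) <emphasis><source zone></emphasis> ...` like the other macro examples in this commit.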
@ -358,7 +358,7 @@ Ping/ACCEPT <emphasis><source zone></emphasis> <emphasis><destination z

<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
Ping/DROP net all</programlisting>
Ping(DROP)net all</programlisting>
</listitem>
</itemizedlist>
</section>

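Review bot: `Ping(DROP)net all</programlisting>` is missing the whitespace separator between `Ping(DROP)` and `net`, so the rule as shown is one ACTION token followed by a single `all` column instead of ACTION, SOURCE, DEST. It should be `Ping(DROP) net all`.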
@ -701,14 +701,14 @@ DNAT net loc:<emphasis><server local ip address></emphasis>[:<e
linkend="Diagram">the above diagram</link> and you want to forward
incoming <acronym>TCP</acronym> port 80 to that system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/DNAT net loc:10.10.10.2</programlisting></para>
Web(DNAT) net loc:10.10.10.2</programlisting></para>
</example> <example id="Example2" label="2">
<title>FTP Server</title>

<para>You run an <acronym>FTP</acronym> Server on <link
linkend="Diagram">computer 1</link> so you want to forward incoming
<acronym>TCP</acronym> port 21 to that system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
FTP/DNAT net loc:10.10.10.1</programlisting> For
FTP(DNAT) net loc:10.10.10.1</programlisting> For
<acronym>FTP</acronym>, you will also need to have
<acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
support in your kernel. For vendor-supplied kernels, this means that
@ -808,7 +808,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc $FW</programlisting></para>
DNS(ACCEPT)loc $FW</programlisting></para>
</listitem>
</itemizedlist></para>
</section>
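Review bot: `DNS(ACCEPT)loc $FW</programlisting>` needs a space between `DNS(ACCEPT)` and `loc`; without it the SOURCE column is absorbed into the ACTION token and the rule no longer says what the surrounding text describes. It should be `DNS(ACCEPT) loc $FW`, matching the corresponding lines elsewhere in this commit.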
@ -818,13 +818,13 @@ DNS/ACCEPT loc $FW</programlisting></para>

<para>The two-interface sample includes the following rules:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT $FW net</programlisting>This rule allows
DNS(ACCEPT) $FW net</programlisting>This rule allows
<acronym>DNS</acronym> access from your firewall and may be removed if you
uncommented the line in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
allowing all connections from the firewall to the Internet.</para>

<para>In the rule shown above, <quote>DNS/ACCEPT</quote> is an example of
<para>In the rule shown above, <quote>DNS</quote>(ACCEPT)is an example of
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
macros (see <filename>/usr/share/shorewall/macro.*</filename>) and <ulink
url="Macros.html">you can add your own</ulink>.</para>
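Review bot: `<quote>DNS</quote>(ACCEPT)is an example of` closes the quote in the middle of the invocation and loses the space before `is`, rendering as "DNS"(ACCEPT)is. Quote the whole invocation: `<quote>DNS(ACCEPT)</quote> is an example of`.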
@ -841,13 +841,13 @@ ACCEPT $FW net tcp 53</programlisting></para>
code the appropriate rules directly.</para>

<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT loc $FW </programlisting>That rule allows you to run an
SSH(ACCEPT) loc $FW </programlisting>That rule allows you to run an
<acronym>SSH</acronym> server on your firewall and connect to that server
from your local systems.</para>

<para>If you wish to enable other connections from your firewall to other
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<macro>/ACCEPT $FW <emphasis><destination zone></emphasis></programlisting>The
<macro>(ACCEPT) $FW <emphasis><destination zone></emphasis></programlisting>The
general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT $FW <emphasis><destination zone> <protocol> <port></emphasis></programlisting><example
id="Example3">
@ -855,8 +855,8 @@ ACCEPT $FW <emphasis><destination zone> <protocol> <por

<para>You want to run a Web Server on your firewall system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/ACCEPT net $FW
Web/ACCEPT loc $FW </programlisting>Those two rules would of
Web(ACCEPT) net $FW
Web(ACCEPT) loc $FW </programlisting>Those two rules would of
course be in addition to the rules listed above under <quote><link
linkend="cachingdns">You can configure a Caching Name Server on your
firewall</link></quote>.</para>
@ -868,7 +868,7 @@ Web/ACCEPT loc $FW </programlisting>Those two rules would of
<acronym>SSH</acronym>:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT net $FW</programlisting>
SSH(ACCEPT) net $FW</programlisting>
</important> <inlinegraphic fileref="images/leaflogo.gif"
format="GIF" />Bering users will want to add the following two rules to be
compatible with Jacques's Shorewall configuration.<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)