Final cleanup of PORT(S) column headings

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-02-19 12:31:53 -08:00
parent 665381f194
commit 016acfb9de
16 changed files with 47 additions and 57 deletions


@ -493,7 +493,6 @@ all all REJECT info</programlisting></para>
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
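Review bot: after this removal the listing has no column header row in view: `?SECTION NEW` is followed directly by `#` and `# Accept DNS connections from the firewall to the network`. Only the continuation line `# PORT PORT(S) DEST LIMIT GROUP` is deleted here, while every other rules listing in this commit collapses the two-line heading into a single `#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER` line. Either the single-line header belongs in this hunk as well, or the primary header row sits outside the shown context and should be checked to make sure it no longer reads `DEST SOURCE ORIGINAL RATE USER/`, which would leave it dangling without its second line.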


@ -535,10 +535,10 @@ DNAT ACTION =
specific IP address to be forwarded to your server.</para>
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on
the mailing list and they show 20 in the DEST PORT(S) column, we will know
that you haven't read this article and will either ignore your post or
tell you to RTFM.</para>
with 20 (ftp-data) in the DPORT column. If you post your rules on the
mailing list and they show 20 in the DPORT column, we will know that you
haven't read this article and will either ignore your post or tell you to
RTFM.</para>
<para>Shorewall includes an FTP macro that simplifies creation of FTP
rules. The macro source is in


@ -195,16 +195,14 @@ sub Knock {
<para>The rule from the Port Knocking article:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock net $FW tcp 22,1599,1600,1601
</programlisting>
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};


@ -494,8 +494,7 @@ tarpit inline # Wrapper for TARPIT
<section>
<title>/etc/shorewall/action.Mirrors</title>
<para><programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
<para><programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
?COMMENT Accept traffic from Mirrors
?FORMAT 2
DEFAULTS -
@ -508,8 +507,7 @@ $1 $MIRRORS
<section>
<title>/etc/shorewall/action.tarpit</title>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
$LOG { rate=s:1/min }
TARPIT
</programlisting>
@ -520,7 +518,8 @@ TARPIT
<section id="zones">
<title>/etc/shorewall/zones</title>
<para><programlisting>fw firewall
<para><programlisting>#ZONE TYPE
fw firewall
loc ip #Local Zone
net ipv4 #Internet
dmz ipv4 #LXC Containers
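Review bot: the added `#ZONE TYPE` header line in the /etc/shorewall/zones listing is outside the scope stated by the commit message ("cleanup of PORT(S) column headings"); the zones file has no port column. The change itself is an improvement, since the listing previously started at `fw firewall` with no heading, but it would be cleaner either to mention it in the commit message or to land it as a separate commit so the history stays accurate.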
@ -816,8 +815,7 @@ br0 - ComcastB 11000
<section id="routestopped">
<title>/etc/shorewall/stoppedrules</title>
<para><programlisting>#TARGET HOST(S) DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
<para><programlisting>#TARGET HOST(S) DEST PROTO DPORT SPORT
ACCEPT INT_IF:172.20.1.0/24 $FW
NOTRACK COMB_IF - 41
NOTRACK $FW COMB_IF 41


@ -178,8 +178,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<itemizedlist>
<listitem>
<para>Rules are conditionally executed based on whether the current
packet matches the contents of the SOURCE, DEST, PROTO, PORT(S),
CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.</para>
packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
USER, TEST, LENGTH and TOS columns.</para>
</listitem>
<listitem>


@ -240,15 +240,15 @@
</listitem>
<listitem>
<para>DEST PORT(S)</para>
<para>DPORT</para>
</listitem>
<listitem>
<para>SOURCE PORT(S)</para>
<para>SPORT</para>
</listitem>
<listitem>
<para>ORIGINAL DEST</para>
<para>ORIGDEST</para>
</listitem>
<listitem>
@ -284,8 +284,9 @@
</listitem>
</itemizedlist>
<para>Notice that the first five columns of both sets are the
same.</para>
<para>Notice that the first five columns of both sets are the same
(although the port-valued column names have changed, the contents are
the same).</para>
<para>In Shorewall 5, support for format-1 macros and actions has been
dropped and all macros and actions will be processed as if ?FORMAT 2


@ -314,8 +314,7 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding /etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#MARK SOURCE DEST PROTO DPORT
202:P eth1 0.0.0.0/0 tcp 80</programlisting>
</listitem>


@ -166,7 +166,7 @@ iface eth0 inet static
<example id="SSH">
<title>allow SSH from net to eth0:0 above</title>
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
</example>
</section>


@ -637,8 +637,7 @@ Mirrors # Accept traffic from Shorewall Mirrors</programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
ACCEPT $MIRRORS</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>


@ -631,10 +631,9 @@ ACCEPT $MIRRORS</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>SECTION NEW
<programlisting>?SECTION NEW
###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
###############################################################################################################################################################################
REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031
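Review bot: the two `#####...` separator rows kept as context in this hunk were sized for the old two-line heading ending in `USER/` and `GROUP`; with the heading shortened to `#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER` they now run well past the header and the rules below them. Consider trimming them to the new header width so the listing renders cleanly. Separately, the `SECTION NEW` to `?SECTION NEW` correction bundled into this hunk is a different fix from the column renaming and deserves a mention in the commit message.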


@ -941,15 +941,13 @@ ACCEPT col zone2 tcp 22 - - -
<para>or more compactly:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT col <emphasis role="bold">zone2</emphasis> tcp 22 ; mark=<emphasis
role="bold">net</emphasis></programlisting>
<para>Similarly, rules allowing traffic from the firewall to zone3:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22 ; mark=<emphasis
role="bold">fw</emphasis></programlisting>


@ -2313,8 +2313,7 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.2
<para>So this rule may work for five minutes then suddently stop
working:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<para>If your firewall rules include DNS names then:</para>
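Review bot: the unchanged context line "So this rule may work for five minutes then suddently stop working" carries a typo ("suddently" for "suddenly") two lines above the heading being edited; since the paragraph is being touched anyway, it is worth fixing in the same change.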


@ -54,7 +54,7 @@
<para>Shorewall NETMAP support is designed to supply a solution. The basic
situation is as shown in the following diagram.<graphic
fileref="images/netmap.png" /></para>
fileref="images/netmap.png"/></para>
<para>While the link between the two firewalls is shown here as a VPN, it
could be any type of interconnection that allows routing of <ulink
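Review bot: the change from `<graphic fileref="images/netmap.png" />` to `<graphic fileref="images/netmap.png"/>` is whitespace only and unrelated to the column-heading cleanup; it looks like an XML editor re-serialising self-closing tags. Such noise makes the diff harder to review and to blame later, so consider excluding it or committing the reformat separately.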
@ -163,8 +163,8 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
Shorewall 4.4.23.2)</emphasis> -
<term><emphasis role="bold">DPORT (Optional - Added in Shorewall
4.4.23.2)</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term>
<listitem>
@ -190,8 +190,8 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
Shorewall 4.4.23.2)</emphasis> -
<term><emphasis role="bold">SPORT (Optional - Added in Shorewall
4.4.23.2)</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term>
<listitem>
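Review bot: in the old text both varlistentry terms at -163 and -190 read `DEST PORT(S)`; this hunk renames the second one to `SPORT`, which is a correction of a copy-and-paste error rather than a plain rename. That is the right outcome if the entry describes the source port, but it is a behaviour-visible documentation fix that the commit message ("Final cleanup of PORT(S) column headings") does not hint at, so a short note in the message would help anyone reading the history.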
@ -314,7 +314,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
<entry>192.168.1.27</entry>
<entry></entry>
<entry/>
</row>
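Review bot: `<entry></entry>` to `<entry/>` is an equivalent serialisation of an empty element and has no effect on the rendered table; like the `<graphic .../>` change above, and the identical hunk at -350 below, it is tool-generated churn unrelated to the column renaming and would be better kept out of this commit.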
<row>
@ -350,7 +350,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
<entry>192.168.1.4</entry>
<entry></entry>
<entry/>
</row>
</tbody>
</tgroup>
@ -413,7 +413,7 @@ DNAT:T 10.10.10.0/24 vpn 192.168.1.0/24</emphasis></programlisting
<para>IPv6 Netmap has been verified at shorewall.net using the
configuration shown below.</para>
<graphic align="center" fileref="images/Network2011b.png" />
<graphic align="center" fileref="images/Network2011b.png"/>
<para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
block is 2001:470:b:227::/64.</para>
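Review bot: another whitespace-only change (`<graphic align="center" fileref="images/Network2011b.png" />` to the same element without the space before `/>`); it does not affect the document and pads the diff. Consider dropping it from this commit.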


@ -79,7 +79,7 @@ Ping(ACCEPT) loc $FW</programlisting>
<para>With that rule in place, if you want to ignore <quote>ping</quote>
from z1 to z2 then you need a rule of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(DROP) z1 z2</programlisting>
<example id="Example2">
@ -88,7 +88,7 @@ Ping(DROP) z1 z2</programlisting>
<para>To drop ping from the Internet, you would need this rule in
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(DROP) net $FW</programlisting>
</example>


@ -1712,8 +1712,8 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
rules.</para>
<note>
<para>Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in
this section, they won't be shown</para>
<para>Since the SPORT and ORIGDEST. Columns aren't used in this
section, they won't be shown</para>
</note>
<para>You probably want to allow ping between your zones:</para>
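Review bot: the new note text "Since the SPORT and ORIGDEST. Columns aren't used in this section, they won't be shown" keeps a stray period after ORIGDEST left over from the old abbreviation "ORIG. DEST.", capitalises "Columns" mid-sentence, and still lacks a closing period. Suggest: "Since the SPORT and ORIGDEST columns aren't used in this section, they won't be shown."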


@ -194,7 +194,7 @@ eth0 External</programlisting>
band 2.</para>
<note>
<para>When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS
<para>When an INTERFACE is specified, the PROTO, DPORT and ADDRESS
column must contain '-'.</para>
</note>
</listitem>
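Review bot: the renamed note still reads "the PROTO, DPORT and ADDRESS column must contain '-'", with "column" in the singular for three columns; the parallel note a few lines down in this file says "the PROTO, DPORT and INTERFACE columns must be empty". Besides the number agreement, the two notes give different instructions ("must contain '-'" versus "must be empty") for what looks like the same situation; if both are accepted by the tcpri parser, say so in one consistent wording, otherwise align them.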
@ -203,14 +203,14 @@ eth0 External</programlisting>
<para>Assign traffic from a particular IP address to a specific
priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 - - 192.168.1.44</programlisting>
<para>In this example, traffic from 192.168.1.44 will be assigned to
priority band 1.</para>
<note>
<para>When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE
<para>When an ADDRESS is specified, the PROTO, DPORT and INTERFACE
columns must be empty.</para>
</note>
</listitem>
@ -219,7 +219,7 @@ eth0 External</programlisting>
<para>Assign traffic to/from a particular application to a specific
priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 udp 1194</programlisting>
<para>In that example, OpenVPN traffic is assigned to priority band
@ -230,7 +230,7 @@ eth0 External</programlisting>
<para>Assign traffic that uses a particular Netfilter helper to a
particular priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 - - - - sip</programlisting>
<para>In this example, SIP and associated RTP traffic will be assigned
@ -322,7 +322,7 @@ tun0 Internal</programlisting>
eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516
</programlisting>etc/shorewall/tcpri:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
COMMENT All DMZ traffic in band 3 by default
3 - - 70.90.191.124/31
COMMENT Bit Torrent is in band 3
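Review bot: the unchanged context line `</programlisting>etc/shorewall/tcpri:</para>` directly above this heading has the path without its leading slash and outside a `<filename>` element, unlike `<filename>/etc/shorewall/rules</filename>` elsewhere in this commit. Since the heading beneath it is being rewritten, it would be worth correcting to `<filename>/etc/shorewall/tcpri</filename>` here.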
@ -335,7 +335,7 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports
<para>etc/shorewall6/tcpri:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
COMMENT All DMZ traffic in band 3 by default
3 - - 2001:470:b:227::40/124
COMMENT But give a boost to DNS queries
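Review bot: same issue as the previous hunk: the context line `<para>etc/shorewall6/tcpri:</para>` is missing the leading slash and the `<filename>` markup used for other configuration paths in this document; suggest `<para><filename>/etc/shorewall6/tcpri</filename>:</para>`.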