Final cleanup of PORT(S) column headings

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-02-19 12:31:53 -08:00
parent 665381f194
commit 016acfb9de
16 changed files with 47 additions and 57 deletions

View File

@ -493,7 +493,6 @@ all all REJECT info</programlisting></para>
?SECTION INVALID ?SECTION INVALID
?SECTION UNTRACKED ?SECTION UNTRACKED
?SECTION NEW ?SECTION NEW
# PORT PORT(S) DEST LIMIT GROUP
# #
# Accept DNS connections from the firewall to the network # Accept DNS connections from the firewall to the network
# #
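Review bot: this hunk removes only the second line of the old two-line heading (`# PORT PORT(S) DEST LIMIT GROUP`) and the first heading line sits outside the shown context, so the result cannot be checked from the hunk alone; confirm that the line directly above now carries the single-line names (DPORT, SPORT, ORIGDEST, RATE, USER) and that its column positions still line up with the rules beneath it, otherwise this listing is left with a half-converted heading.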

View File

@ -535,10 +535,10 @@ DNAT ACTION =
specific IP address to be forwarded to your server.</para> specific IP address to be forwarded to your server.</para>
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule <para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
with 20 (ftp-data) in the DEST PORT(S) column. If you post your rules on with 20 (ftp-data) in the DPORT column. If you post your rules on the
the mailing list and they show 20 in the DEST PORT(S) column, we will know mailing list and they show 20 in the DPORT column, we will know that you
that you haven't read this article and will either ignore your post or haven't read this article and will either ignore your post or tell you to
tell you to RTFM.</para> RTFM.</para>
<para>Shorewall includes an FTP macro that simplifies creation of FTP <para>Shorewall includes an FTP macro that simplifies creation of FTP
rules. The macro source is in rules. The macro source is in

View File

@ -195,16 +195,14 @@ sub Knock {
<para>The rule from the Port Knocking article:</para> <para>The rule from the Port Knocking article:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SSHKnock net $FW tcp 22,1599,1600,1601 SSHKnock net $FW tcp 22,1599,1600,1601
</programlisting> </programlisting>
<para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <para>becomes:<programlisting>PERL Knock 'net', '$FW', {target =&gt; 22, knocker =&gt; 1600, trap =&gt; [1599, 1601]};</programlisting>Similarly<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601 SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>becomes:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
# PORT(S) DEST
DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178 DNAT- net 192.168.1.5 tcp 22 - 206.124.146.178
PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]}; PERL Knock 'net', '$FW', {name =&gt; 'SSH', knocker =&gt; 1600, trap =&gt; [1599, 1601]};
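Review bot: in both converted `DNAT-` listings the heading is now one line, but the rendered diff drops whitespace, so it is not verifiable here that DPORT, SPORT and ORIGDEST sit over `22`, `-` and `206.124.146.178` respectively; a glance at the source is worthwhile, since a heading that no longer aligns with its data rows is the usual way these listings go wrong after a two-line heading is collapsed.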

View File

@ -494,8 +494,7 @@ tarpit inline # Wrapper for TARPIT
<section> <section>
<title>/etc/shorewall/action.Mirrors</title> <title>/etc/shorewall/action.Mirrors</title>
<para><programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE <para><programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
# PORT PORT(S) DEST LIMIT
?COMMENT Accept traffic from Mirrors ?COMMENT Accept traffic from Mirrors
?FORMAT 2 ?FORMAT 2
DEFAULTS - DEFAULTS -
@ -508,8 +507,7 @@ $1 $MIRRORS
<section> <section>
<title>/etc/shorewall/action.tarpit</title> <title>/etc/shorewall/action.tarpit</title>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
$LOG { rate=s:1/min } $LOG { rate=s:1/min }
TARPIT TARPIT
</programlisting> </programlisting>
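Review bot: within this same document, action.Mirrors keeps `#TARGET` as the first heading word while action.tarpit uses `#ACTION` for the same first column; since the commit is a heading cleanup, either use one name for the first column of action files or note why the two differ. The `USER/ GROUP` to `USER` change itself is consistent with the rules-file heading converted later in this patch.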
@ -520,7 +518,8 @@ TARPIT
<section id="zones"> <section id="zones">
<title>/etc/shorewall/zones</title> <title>/etc/shorewall/zones</title>
<para><programlisting>fw firewall <para><programlisting>#ZONE TYPE
fw firewall
loc ip #Local Zone loc ip #Local Zone
net ipv4 #Internet net ipv4 #Internet
dmz ipv4 #LXC Containers dmz ipv4 #LXC Containers
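Review bot: the added `#ZONE TYPE` line is the only new heading in the patch and has nothing to do with the PORT(S) cleanup named in the commit message; it is a reasonable addition, but the commit message should say that a missing zones heading was also supplied.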
@ -816,8 +815,7 @@ br0 - ComcastB 11000
<section id="routestopped"> <section id="routestopped">
<title>/etc/shorewall/stoppedrules</title> <title>/etc/shorewall/stoppedrules</title>
<para><programlisting>#TARGET HOST(S) DEST PROTO DEST SOURCE <para><programlisting>#TARGET HOST(S) DEST PROTO DPORT SPORT
# PORT(S) PORT(S)
ACCEPT INT_IF:172.20.1.0/24 $FW ACCEPT INT_IF:172.20.1.0/24 $FW
NOTRACK COMB_IF - 41 NOTRACK COMB_IF - 41
NOTRACK $FW COMB_IF 41 NOTRACK $FW COMB_IF 41
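Review bot: the heading keeps `#TARGET HOST(S)` for the first two columns while every rules-style listing elsewhere in this patch uses `#ACTION SOURCE`; if the column rename is meant to be complete, this listing should be brought in line, and the section still carries `id="routestopped"` under a `/etc/shorewall/stoppedrules` title, which is fine only if the old id is being kept deliberately for link stability.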

View File

@ -178,8 +178,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Rules are conditionally executed based on whether the current <para>Rules are conditionally executed based on whether the current
packet matches the contents of the SOURCE, DEST, PROTO, PORT(S), packet matches the contents of the SOURCE, DEST, PROTO, DPORT, SPORT,
CLIENT PORT(S_, USER, TEST, LENGTH and TOS columns.</para> USER, TEST, LENGTH and TOS columns.</para>
</listitem> </listitem>
<listitem> <listitem>
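Review bot: besides the rename, this hunk silently fixes the `CLIENT PORT(S_` typo in the column list; mention that in the commit message, and since the text now says SPORT where it previously said CLIENT PORT(S), check that the column description this list refers to (outside the shown context) uses the same name.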

View File

@ -240,15 +240,15 @@
</listitem> </listitem>
<listitem> <listitem>
<para>DEST PORT(S)</para> <para>DPORT</para>
</listitem> </listitem>
<listitem> <listitem>
<para>SOURCE PORT(S)</para> <para>SPORT</para>
</listitem> </listitem>
<listitem> <listitem>
<para>ORIGINAL DEST</para> <para>ORIGDEST</para>
</listitem> </listitem>
<listitem> <listitem>
@ -284,8 +284,9 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Notice that the first five columns of both sets are the <para>Notice that the first five columns of both sets are the same
same.</para> (although the port-valued column names have changed, the contents are
the same).</para>
<para>In Shorewall 5, support for format-1 macros and actions has been <para>In Shorewall 5, support for format-1 macros and actions has been
dropped and all macros and actions will be processed as if ?FORMAT 2 dropped and all macros and actions will be processed as if ?FORMAT 2
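Review bot: the new parenthetical says "the port-valued column names have changed", but the list immediately above also renames ORIGINAL DEST to ORIGDEST, which holds an address rather than a port; say "the column names have changed", or name all three (DPORT, SPORT, ORIGDEST), so the statement covers everything that was renamed.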

View File

@ -314,8 +314,7 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding /etc/shorewall/tcrules entries are:</para> <para>Corresponding /etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST <programlisting>#MARK SOURCE DEST PROTO DPORT
# PORT(S)
202:P eth1 0.0.0.0/0 tcp 80</programlisting> 202:P eth1 0.0.0.0/0 tcp 80</programlisting>
</listitem> </listitem>

View File

@ -166,7 +166,7 @@ iface eth0 inet static
<example id="SSH"> <example id="SSH">
<title>allow SSH from net to eth0:0 above</title> <title>allow SSH from net to eth0:0 above</title>
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para> ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
</example> </example>
</section> </section>

View File

@ -637,8 +637,7 @@ Mirrors # Accept traffic from Shorewall Mirrors</programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para> <para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE <programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS</programlisting> ACCEPT $MIRRORS</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>

View File

@ -631,10 +631,9 @@ ACCEPT $MIRRORS</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>SECTION NEW <programlisting>?SECTION NEW
############################################################################################################################################################################### ###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
# PORT PORT(S) DEST LIMIT GROUP
############################################################################################################################################################################### ###############################################################################################################################################################################
REJECT:$LOG loc net tcp 25 REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031 REJECT:$LOG loc net udp 1025:1031
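Review bot: `SECTION NEW` becoming `?SECTION NEW` is a correctness fix to the example (the bare form does not match the `?SECTION INVALID` / `?SECTION NEW` directives shown in the first hunk of this patch), not a heading cleanup, so call it out in the commit message. The two `####…` separator rows were left at their old width while the heading under them lost a line; harmless, but trimming them keeps the listing tidy.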

View File

@ -941,15 +941,13 @@ ACCEPT col zone2 tcp 22 - - -
<para>or more compactly:</para> <para>or more compactly:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT col <emphasis role="bold">zone2</emphasis> tcp 22 ; mark=<emphasis ACCEPT col <emphasis role="bold">zone2</emphasis> tcp 22 ; mark=<emphasis
role="bold">net</emphasis></programlisting> role="bold">net</emphasis></programlisting>
<para>Similarly, rules allowing traffic from the firewall to zone3:</para> <para>Similarly, rules allowing traffic from the firewall to zone3:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22 ; mark=<emphasis ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22 ; mark=<emphasis
role="bold">fw</emphasis></programlisting> role="bold">fw</emphasis></programlisting>

View File

@ -2313,8 +2313,7 @@ gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.2
<para>So this rule may work for five minutes then suddently stop <para>So this rule may work for five minutes then suddently stop
working:</para> working:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
POP(ACCEPT) loc net:pop.gmail.com</programlisting> POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<para>If your firewall rules include DNS names then:</para> <para>If your firewall rules include DNS names then:</para>
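Review bot: the context line above the listing still reads "then suddently stop working"; since this paragraph is being touched, fix the spelling to "suddenly" in the same commit.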

View File

@ -54,7 +54,7 @@
<para>Shorewall NETMAP support is designed to supply a solution. The basic <para>Shorewall NETMAP support is designed to supply a solution. The basic
situation is as shown in the following diagram.<graphic situation is as shown in the following diagram.<graphic
fileref="images/netmap.png" /></para> fileref="images/netmap.png"/></para>
<para>While the link between the two firewalls is shown here as a VPN, it <para>While the link between the two firewalls is shown here as a VPN, it
could be any type of interconnection that allows routing of <ulink could be any type of interconnection that allows routing of <ulink
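Review bot: `<graphic fileref="images/netmap.png" />` to `<graphic fileref="images/netmap.png"/>` is an editor's self-closing-tag normalization with no content change, as are the two `<entry></entry>` to `<entry/>` hunks and the second `<graphic>` hunk further down in this file; they inflate a heading-cleanup commit and add noise to `git blame`, so consider dropping them or committing them separately.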
@ -163,8 +163,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in <term><emphasis role="bold">DPORT (Optional - Added in Shorewall
Shorewall 4.4.23.2)</emphasis> - 4.4.23.2)</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term> <emphasis>port-number-or-name-list</emphasis></term>
<listitem> <listitem>
@ -190,8 +190,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in <term><emphasis role="bold">SPORT (Optional - Added in Shorewall
Shorewall 4.4.23.2)</emphasis> - 4.4.23.2)</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term> <emphasis>port-number-or-name-list</emphasis></term>
<listitem> <listitem>
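Review bot: the old term here was `DEST PORT(S)` for what is now labelled SPORT, i.e. the previous text carried a copy-paste duplicate of the DPORT entry; this is a documentation bug fix rather than a rename, so the commit message should mention it, and the listitem text under this term (outside the shown context) should be checked to confirm it actually describes the source-port column rather than a second copy of the destination-port text.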
@ -314,7 +314,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
<entry>192.168.1.27</entry> <entry>192.168.1.27</entry>
<entry></entry> <entry/>
</row> </row>
<row> <row>
@ -350,7 +350,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
<entry>192.168.1.4</entry> <entry>192.168.1.4</entry>
<entry></entry> <entry/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
@ -413,7 +413,7 @@ DNAT:T 10.10.10.0/24 vpn 192.168.1.0/24</emphasis></programlisting
<para>IPv6 Netmap has been verified at shorewall.net using the <para>IPv6 Netmap has been verified at shorewall.net using the
configuration shown below.</para> configuration shown below.</para>
<graphic align="center" fileref="images/Network2011b.png" /> <graphic align="center" fileref="images/Network2011b.png"/>
<para>IPv6 support is supplied from Hurricane Electric; the IPv6 address <para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
block is 2001:470:b:227::/64.</para> block is 2001:470:b:227::/64.</para>

View File

@ -79,7 +79,7 @@ Ping(ACCEPT) loc $FW</programlisting>
<para>With that rule in place, if you want to ignore <quote>ping</quote> <para>With that rule in place, if you want to ignore <quote>ping</quote>
from z1 to z2 then you need a rule of the form:</para> from z1 to z2 then you need a rule of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(DROP) z1 z2</programlisting> Ping(DROP) z1 z2</programlisting>
<example id="Example2"> <example id="Example2">
@ -88,7 +88,7 @@ Ping(DROP) z1 z2</programlisting>
<para>To drop ping from the Internet, you would need this rule in <para>To drop ping from the Internet, you would need this rule in
<filename>/etc/shorewall/rules</filename>:</para> <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(DROP) net $FW</programlisting> Ping(DROP) net $FW</programlisting>
</example> </example>

View File

@ -1712,8 +1712,8 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
rules.</para> rules.</para>
<note> <note>
<para>Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in <para>Since the SPORT and ORIGDEST. Columns aren't used in this
this section, they won't be shown</para> section, they won't be shown</para>
</note> </note>
<para>You probably want to allow ping between your zones:</para> <para>You probably want to allow ping between your zones:</para>
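Review bot: the rewritten note reads "Since the SPORT and ORIGDEST. Columns aren't used in this section, they won't be shown": the period after ORIGDEST and the capital C are leftovers from the old "ORIG. DEST. Columns", and the sentence has no terminal period; suggest "Since the SPORT and ORIGDEST columns aren't used in this section, they won't be shown."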

View File

@ -194,7 +194,7 @@ eth0 External</programlisting>
band 2.</para> band 2.</para>
<note> <note>
<para>When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS <para>When an INTERFACE is specified, the PROTO, DPORT and ADDRESS
column must contain '-'.</para> column must contain '-'.</para>
</note> </note>
</listitem> </listitem>
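Review bot: "the PROTO, DPORT and ADDRESS column must contain '-'" names three columns but says "column"; make it "columns". The parallel note in the next hunk says the corresponding columns "must be empty" rather than "must contain '-'"; the two notes describe the same kind of constraint in different words, and the examples in this patch (`1 - - 192.168.1.44`) use `-`, so align both notes on the wording that matches the examples.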
@ -203,14 +203,14 @@ eth0 External</programlisting>
<para>Assign traffic from a particular IP address to a specific <para>Assign traffic from a particular IP address to a specific
priority band:</para> priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 - - 192.168.1.44</programlisting> 1 - - 192.168.1.44</programlisting>
<para>In this example, traffic from 192.168.1.44 will be assigned to <para>In this example, traffic from 192.168.1.44 will be assigned to
priority band 1.</para> priority band 1.</para>
<note> <note>
<para>When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE <para>When an ADDRESS is specified, the PROTO, DPORT and INTERFACE
columns must be empty.</para> columns must be empty.</para>
</note> </note>
</listitem> </listitem>
@ -219,7 +219,7 @@ eth0 External</programlisting>
<para>Assign traffic to/from a particular application to a specific <para>Assign traffic to/from a particular application to a specific
priority band:</para> priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 udp 1194</programlisting> 1 udp 1194</programlisting>
<para>In that example, OpenVPN traffic is assigned to priority band <para>In that example, OpenVPN traffic is assigned to priority band
@ -230,7 +230,7 @@ eth0 External</programlisting>
<para>Assign traffic that uses a particular Netfilter helper to a <para>Assign traffic that uses a particular Netfilter helper to a
particular priority band:</para> particular priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
1 - - - - sip</programlisting> 1 - - - - sip</programlisting>
<para>In this example, SIP and associated RTP traffic will be assigned <para>In this example, SIP and associated RTP traffic will be assigned
@ -322,7 +322,7 @@ tun0 Internal</programlisting>
eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516 eth0 External 50mbit:200kb 6.0mbit:100kb:200ms:100mbit:1516
</programlisting>etc/shorewall/tcpri:</para> </programlisting>etc/shorewall/tcpri:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
COMMENT All DMZ traffic in band 3 by default COMMENT All DMZ traffic in band 3 by default
3 - - 70.90.191.124/31 3 - - 70.90.191.124/31
COMMENT Bit Torrent is in band 3 COMMENT Bit Torrent is in band 3
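Review bot: the context line `</programlisting>etc/shorewall/tcpri:</para>` is missing the leading slash, and the next hunk's `etc/shorewall6/tcpri:` has the same defect; since these listings are being edited, fix both to `/etc/shorewall/tcpri:` and `/etc/shorewall6/tcpri:` and consider wrapping them in `<filename>` as the other file paths in this patch are.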
@ -335,7 +335,7 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports
<para>etc/shorewall6/tcpri:</para> <para>etc/shorewall6/tcpri:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER <programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
COMMENT All DMZ traffic in band 3 by default COMMENT All DMZ traffic in band 3 by default
3 - - 2001:470:b:227::40/124 3 - - 2001:470:b:227::40/124
COMMENT But give a boost to DNS queries COMMENT But give a boost to DNS queries