Update configuration basics doc for 5.0

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-18 08:56:11 -08:00
parent 353d4d1b70
commit 0a8905f25b
2 changed files with 21 additions and 27 deletions


@ -62,7 +62,7 @@
<para>Suppose that we have the following situation:</para> <para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoNets1.png" /> <graphic fileref="images/TwoNets1.png"/>
<para>We want systems in the 192.168.1.0/24 subnetwork to be able to <para>We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is communicate with the systems in the 10.0.0.0/8 network. This is
@ -103,8 +103,8 @@ vpn ipv4</programlisting>
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis <para>On system A, the 10.0.0.0/8 will comprise the <emphasis
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para> role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
vpn tosysb 10.255.255.255</programlisting> vpn tosysb</programlisting>
<para>In /etc/shorewall/tunnels on system A, we need the following:</para> <para>In /etc/shorewall/tunnels on system A, we need the following:</para>
@ -133,8 +133,8 @@ subnet=10.0.0.0/8
<emphasis role="bold">vpn</emphasis> zone. In <emphasis role="bold">vpn</emphasis> zone. In
/etc/shorewall/interfaces:</para> /etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST <programlisting>#ZONE INTERFACE
vpn tosysa 192.168.1.255</programlisting> vpn tosysa</programlisting>
<para>In /etc/shorewall/tunnels on system B, we have:</para> <para>In /etc/shorewall/tunnels on system B, we have:</para>
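Review bot: the new system B header `#ZONE INTERFACE` omits the OPTIONS column that the system A listing in the hunk at -103 keeps (`#ZONE INTERFACE OPTIONS`); suggest `#ZONE INTERFACE OPTIONS` here as well so the two halves of the two-network example use the same header. Removing the BROADCAST column and the `192.168.1.255` value matches the other interfaces listings in this change.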


@ -464,8 +464,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
<para>Example (<filename>/etc/shorewall/rules</filename>):</para> <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
ACCEPT net:\ ACCEPT net:\
206.124.146.177,\ 206.124.146.177,\
206.124.146.178,\ 206.124.146.178,\
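Review bot: dropping the `# PORT(S)` continuation heading and renaming `DEST` to `DPORT` is the right 5.0 column name, but the side-by-side rendering collapses whitespace, so it is not visible here whether `ACCEPT net:\` and the continuation lines (`206.124.146.177,\` and following) were re-indented to the shorter header; please confirm in the rendered programlisting that the port values still sit under DPORT.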
@ -483,8 +482,7 @@ ACCEPT net:\
<para>A trailing backslash is not ignored in a comment. So the continued <para>A trailing backslash is not ignored in a comment. So the continued
rule above can be commented out with a single '#' as follows:</para> rule above can be commented out with a single '#' as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
<emphasis role="bold">#</emphasis>ACCEPT net:\ <emphasis role="bold">#</emphasis>ACCEPT net:\
206.124.146.177,\ 206.124.146.177,\
206.124.146.178,\ 206.124.146.178,\
@ -765,8 +763,7 @@ ACCEPT net:\
<para>Example (rules file):</para> <para>Example (rules file):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST <programlisting>#ACTION SOURCE DEST PROTO DPORT
# PORT(S)
DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</programlisting> DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</programlisting>
<para>Here's the same line in several equivalent formats:</para> <para>Here's the same line in several equivalent formats:</para>
@ -1166,14 +1163,14 @@ COMB_IF !70.90.191.120/29 70.90.191.123</programli
ALL.rules DNAT.rules FW.rules NET.rules REDIRECT.rules VPN.rules ALL.rules DNAT.rules FW.rules NET.rules REDIRECT.rules VPN.rules
gateway:/etc/shorewall # </programlisting></para> gateway:/etc/shorewall # </programlisting></para>
<para>/etc/shorewall/rules:<programlisting>SECTION NEW <para>/etc/shorewall/rules:<programlisting>?SECTION NEW
SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para> SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
<para>If you are the sort to put such an entry in your rules file even <para>If you are the sort to put such an entry in your rules file even
though /etc/shorewall/rules.d might not exist or might be empty, then though /etc/shorewall/rules.d might not exist or might be empty, then
you probably want:</para> you probably want:</para>
<programlisting>SECTION NEW <programlisting>?SECTION NEW
SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting> SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting>
<para>Beginning with Shorewall 4.5.2, in files other than <para>Beginning with Shorewall 4.5.2, in files other than
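Review bot: `?SECTION NEW` is applied to both listings, good. The `SHELL cat /etc/shorewall/rules.d/*.rules` line has the compiler run a shell command and treat its output as rules, so the prose around these listings would benefit from one sentence noting that /etc/shorewall/rules.d must be writable only by root, since any file placed there becomes part of the ruleset; the hunk leaves that gap in the text as it was.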
@ -1306,7 +1303,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>[?]COMMENT [ <replaceable>comment</replaceable> ]</term> <term>?COMMENT [ <replaceable>comment</replaceable> ]</term>
<listitem> <listitem>
<para>If <replaceable>comment</replaceable> is present, it will <para>If <replaceable>comment</replaceable> is present, it will
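Review bot: the term changes from `[?]COMMENT` to `?COMMENT`, dropping the optional-prefix bracket notation; check that the description that follows (`If comment is present, it will ...`) and any other `[?]`-style terms in this variablelist were converted the same way, otherwise the list mixes the two notations for 5.0 directives.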
@ -1363,8 +1360,7 @@ gateway:~ #
<para><filename>/usr/share/shorewall/macro.SSH</filename>:</para> <para><filename>/usr/share/shorewall/macro.SSH</filename>:</para>
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ <para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT RATE USER
# PORT(S) PORT(S) LIMIT GROUP
?COMMENT SSH ?COMMENT SSH
PARAM - - tcp 22 </programlisting> PARAM - - tcp 22 </programlisting>
<filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
@ -2418,7 +2414,7 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,arpfilter <para>Must not have any embedded white space.+<programlisting> Valid: routefilter,dhcp,arpfilter
Invalid: routefilter,     dhcp,     arpfilter</programlisting></para> Invalid: routefilter,     dhcp,     arpfilter</programlisting></para>
</listitem> </listitem>
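Review bot: a stray `+` has been introduced after `white space.` in the new text (`white space.+<programlisting>`); it will render as a literal plus sign in the sentence. Remove it so the line reads `Must not have any embedded white space.<programlisting> Valid: ...`.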
@ -2608,7 +2604,7 @@ redirect =&gt; 137</programlisting>
to forward the range of tcp ports 4000 through 4100 to local host to forward the range of tcp ports 4000 through 4100 to local host
192.168.1.3, the entry in /etc/shorewall/rules is:</para> 192.168.1.3, the entry in /etc/shorewall/rules is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORTS(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting> DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
<para>If you omit the low port number, a value of zero is assumed; if you <para>If you omit the low port number, a value of zero is assumed; if you
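Review bot: this header uses `DESTINATION` where every other rules listing in this change uses `DEST` (`#ACTION SOURCE DEST PROTO DPORT` at -464, -483 and -765); suggest `DEST` here so readers see one set of column names. Replacing `DEST PORTS(S)` with `DPORT` also removes the old `PORTS(S)` typo.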
@ -2790,8 +2786,7 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
on.</para> on.</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
# PORT(S) PORT(S) DEST LIMIT GROUP
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - <emphasis DNAT net dmz:$BACKUP tcp 80 - - - - - - - - <emphasis
role="bold">primary_down</emphasis> </programlisting> role="bold">primary_down</emphasis> </programlisting>
</blockquote> </blockquote>
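Review bot: the new single-row header has 14 columns (ACTION through SWITCH) and the rule row has 14 fields (five values, eight `-` placeholders, then `primary_down`), so the example still lines up after the second header row is removed. Since the document already shows the `; mark="88"` alternate format at -765, consider whether `DNAT net dmz:$BACKUP tcp 80 ; switch=primary_down` would read better here than eight placeholders, if the SWITCH column is accepted in that format; otherwise the hunk is fine as is.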
@ -2822,17 +2817,16 @@ DNAT net dmz:$BACKUP tcp 80 - -
<para>Here is an example:</para> <para>Here is an example:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net <emphasis role="bold">COM_IF </emphasis> detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis net <emphasis role="bold">COM_IF </emphasis> dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
role="bold">physical=eth0</emphasis> role="bold">physical=eth0</emphasis>
net <emphasis role="bold">EXT_IF</emphasis> detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis net <emphasis role="bold">EXT_IF</emphasis> dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
role="bold">physical=eth2</emphasis> role="bold">physical=eth2</emphasis>
loc <emphasis role="bold">INT_IF </emphasis> detect dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis loc <emphasis role="bold">INT_IF </emphasis> dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
role="bold">physical=eth1</emphasis> role="bold">physical=eth1</emphasis>
dmz <emphasis role="bold">VPS_IF </emphasis> detect logmartians=1,routefilter=0,routeback,<emphasis dmz <emphasis role="bold">VPS_IF </emphasis> logmartians=1,routefilter=0,routeback,<emphasis
role="bold">physical=venet0</emphasis> role="bold">physical=venet0</emphasis>
loc <emphasis role="bold">TUN_IF</emphasis> detect <emphasis loc <emphasis role="bold">TUN_IF</emphasis> <emphasis role="bold">physical=tun+</emphasis></programlisting>
role="bold">physical=tun+</emphasis></programlisting>
<para>In this example, COM_IF is a logical interface name that refers to <para>In this example, COM_IF is a logical interface name that refers to
Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
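Review bot: the BROADCAST column and its `detect` values are removed from all five rows, matching the other interfaces listings in this change, and the TUN_IF row now fits on one line. Check that the prose following the listing (`In this example, COM_IF is a logical interface name ...`) does not still refer to the BROADCAST column or to `detect`, since it was written against the old format.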