extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 17:28:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

More address validate changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6289 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-05-08 19:05:25 +00:00
parent b557ba02c8
commit 0d00d30d94
13 changed files with 644 additions and 195 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Shorewall-common/releasenotes.txt
View File

@ -40,9 +40,21 @@ Problems corrected in 3.9.7.
4) A value of 'detect' in the GATEWAY column of the providers file no 4) A value of 'detect' in the GATEWAY column of the providers file no
longer generates an error during [re]start. longer generates an error during [re]start.
Other changes in Shorewall 3.9.6. 5) The command 'shorewall check -p' resulted in an indefinite loop.
None. 6) A number of problems having to do with SECTIONs in the rules file
have been corrected.
7) The mss zone option now works correctly.
8) The LOGBURST and LOGLIMIT options in shorewall.conf now work
correctly
Other changes in Shorewall 3.9.7.
1) Shorewall-perl now validates all IP addresses and addresses ranges
in rules. DNS names are resolved and an error is issued for any
name that cannot be resolved.
Migration Considerations: Migration Considerations:

1
Shorewall-perl/Shorewall/Config.pm
View File

@ -44,6 +44,7 @@ our @EXPORT = qw(
pop_open pop_open
read_a_line read_a_line
validate_level validate_level
qt
get_configuration get_configuration
require_capability require_capability
report_capabilities report_capabilities

14
Shorewall-perl/Shorewall/IPAddrs.pm
View File

@ -31,6 +31,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( our @EXPORT = qw(
validate_address
validate_net validate_net
validate_range validate_range
ip_range_explicit ip_range_explicit
@ -50,14 +51,23 @@ sub valid_address( $ ) {
1; 1;
} }
sub validate_address( $ ) {
unless ( valid_address $_[0] ) {
fatal_error "Unknown Host ($_[0])" unless qt "host $_[0]";
}
}
sub validate_net( $ ) { sub validate_net( $ ) {
my ($net, $vlsm) = split '/', $_[0]; my ($net, $vlsm) = split '/', $_[0];
if ( defined $vlsm ) { if ( defined $vlsm ) {
fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 32; fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
fatal_error "Invalid IP address ($net)" unless valid_address $net;
} else {
fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
fatal_error "Invalid Network address ($_[0])" unless defined $net;
validate_address $net;
} }
fatal_error "Invalid IP address ($net)" unless valid_address $net;
} }
sub decodeaddr( $ ) { sub decodeaddr( $ ) {

4
Shorewall-perl/Shorewall/Providers.pm
View File

@ -186,7 +186,9 @@ sub setup_providers() {
"fi\n" ); "fi\n" );
$gateway = '$gateway'; $gateway = '$gateway';
} elsif ( $gateway && $gateway ne '-' ) { } elsif ( $gateway && $gateway ne '-' ) {
emit "run_ip route replace $gateway src \$(find_first_interface_address $interface) dev $interface table $number"; validate_address $gateway;
my $variable = get_interface_address $interface;
emit "run_ip route replace $gateway src $variable dev $interface table $number";
emit "run_ip route add default via $gateway dev $interface table $number"; emit "run_ip route add default via $gateway dev $interface table $number";
} else { } else {
$gateway = ''; $gateway = '';

49
manpages/shorewall-accounting.xml
View File

@ -244,6 +244,55 @@
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>In all of the above columns except <emphasis <para>In all of the above columns except <emphasis

437
manpages/shorewall-interfaces.xml
View File

@ -92,6 +92,11 @@ loc eth2 -</programlisting>
<para>If you don't want to give a value for this column but you want <para>If you don't want to give a value for this column but you want
to enter a value in the OPTIONS column, enter <emphasis to enter a value in the OPTIONS column, enter <emphasis
role="bold">-</emphasis> in this column.</para> role="bold">-</emphasis> in this column.</para>
<para><emphasis role="bold">Note to Shorewall-perl users:</emphasis>
Shorewall-perl only supports <option>detect</option> in this column.
If you specify <replaceable>address</replaceable>es, a compilation
warning will be issued.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -107,173 +112,7 @@ loc eth2 -</programlisting>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">dhcp</emphasis></term> <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
<listitem>
<para>Specify this option when any of the following are
true:</para>
<orderedlist spacing="compact">
<listitem>
<para>the interface gets its IP address via DHCP</para>
</listitem>
<listitem>
<para>the interface is used by a DHCP server running on
the firewall</para>
</listitem>
<listitem>
<para>you have a static IP but are on a LAN segment with
lots of DHCP clients.</para>
</listitem>
<listitem>
<para>the interface is a bridge with a DHCP server on one
port and DHCP clients on another port.</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">norfc1918</emphasis></term>
<listitem>
<para>This interface should not receive any packets whose
source is in one of the ranges reserved by RFC 1918 (i.e.,
private or "non-routable" addresses). If packet mangling or
connection-tracking match is enabled in your kernel, packets
whose destination addresses are reserved by RFC 1918 are also
rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routefilter</emphasis></term>
<listitem>
<para>Turn on kernel route filtering for this interface
(anti-spoofing measure).</para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<para>This option can also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logmartians</emphasis></term>
<listitem>
<para>Turn on kernel martian logging (logging of packets with
impossible source addresses. It is strongly suggested that if
you set <emphasis role="bold">routefilter</emphasis> on an
interface that you also set <emphasis
role="bold">logmartians</emphasis>. Even if you do not specify
the <option>routefilter</option> option, it is a good idea to
specify <option>logmartians</option> because your distribution
may be enabling route filtering without you knowing it.</para>
<para>To find out if route filtering is set on a given
<replaceable>interface</replaceable>, check the contents of
<filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
— a non-zero value indicates that route filtering is
enabled.</para>
<para>Example:</para>
<programlisting> teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
1
teastep@lists:~$ </programlisting>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<para>This option may also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Check packets arriving on this interface against the
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">maclist</emphasis></term>
<listitem>
<para>Connection requests from this interface are compared
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC and must be up before Shorewall is started.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tcpflags</emphasis></term>
<listitem>
<para>Packets arriving on this interface are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proxyarp</emphasis></term>
<listitem>
<para>Sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
Do NOT use this option if you are employing Proxy ARP through
entries in <ulink
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
This option is intended solely for use with Proxy ARP
sub-networking as described at: <ulink
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html</ulink><note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+)
in the INTERFACE column.</para>
</note></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routeback</emphasis></term>
<listitem>
<para>If specified, indicates that Shorewall should include
rules that allow filtering traffic arriving on this interface
back out that same interface. This option is also required
when you have used a wildcard in the INTERFACE column if you
want to allow traffic between the interfaces that match the
wildcard.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">arp_filter</emphasis></term>
<listitem> <listitem>
<para>If specified, this interface will only respond to ARP <para>If specified, this interface will only respond to ARP
@ -282,6 +121,13 @@ loc eth2 -</programlisting>
requests for IP addresses on any of the firewall's interface. requests for IP addresses on any of the firewall's interface.
The interface must be up when Shorewall is started.</para> The interface must be up when Shorewall is started.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>arp_filter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in <replaceable>interface</replaceable> name (e.g., eth0.+) in
@ -328,16 +174,13 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term> <term><emphasis role="bold">blacklist</emphasis></term>
<listitem> <listitem>
<para>Filter packets for smurfs (packets with a broadcast <para>Check packets arriving on this interface against the
address as the source).</para> <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
<para>Smurfs will be optionally logged based on the setting of file.</para>
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -358,7 +201,230 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">sourceroute</emphasis></term> <term><emphasis role="bold">dhcp</emphasis></term>
<listitem>
<para>Specify this option when any of the following are
true:</para>
<orderedlist spacing="compact">
<listitem>
<para>the interface gets its IP address via DHCP</para>
</listitem>
<listitem>
<para>the interface is used by a DHCP server running on
the firewall</para>
</listitem>
<listitem>
<para>you have a static IP but are on a LAN segment with
lots of DHCP clients.</para>
</listitem>
<listitem>
<para>the interface is a bridge with a DHCP server on one
port and DHCP clients on another port.</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">logmartians[={0|1}]</emphasis></term>
<listitem>
<para>Turn on kernel martian logging (logging of packets with
impossible source addresses. It is strongly suggested that if
you set <emphasis role="bold">routefilter</emphasis> on an
interface that you also set <emphasis
role="bold">logmartians</emphasis>. Even if you do not specify
the <option>routefilter</option> option, it is a good idea to
specify <option>logmartians</option> because your distribution
may be enabling route filtering without you knowing it.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>logmartians</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>To find out if route filtering is set on a given
<replaceable>interface</replaceable>, check the contents of
<filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
— a non-zero value indicates that route filtering is
enabled.</para>
<para>Example:</para>
<programlisting> teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
1
teastep@lists:~$ </programlisting>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<blockquote>
<para>This option may also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">maclist</emphasis></term>
<listitem>
<para>Connection requests from this interface are compared
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC and must be up before Shorewall is started.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">norfc1918</emphasis></term>
<listitem>
<para>This interface should not receive any packets whose
source is in one of the ranges reserved by RFC 1918 (i.e.,
private or "non-routable" addresses). If packet mangling or
connection-tracking match is enabled in your kernel, packets
whose destination addresses are reserved by RFC 1918 are also
rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term>
<listitem>
<para>Filter packets for smurfs (packets with a broadcast
address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">optional</emphasis></term>
<listitem>
<para>Only supported by Shorewall-perl. When
<option>optional</option> is specified for an interface,
Shorewall will be silent when:</para>
<itemizedlist>
<listitem>
<para>a <filename
class="directory">/proc/sys/net/ipv4/conf/</filename>
entry for the interface cannot be modified (including for
proxy ARP).</para>
</listitem>
<listitem>
<para>The first address of the interface cannot be
obtained.</para>
</listitem>
</itemizedlist>
<para>I specify <option>optional</option> on interfaces to Xen
virtual machines that may or may not be running when Shorewall
is [re]started.</para>
<caution>
<para>Use <option>optional</option> at your own risk. If you
[re]start Shorewall when an 'optional' interface is not
available and then do a <command>shorewall save</command>,
subsequent <command>shorewall restore</command> and
<command>shorewall -f start</command> operations will
instantiate a ruleset that does not support that interface,
even if it is available at the time of the
restore/start.</para>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
<listitem>
<para>Sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
Do NOT use this option if you are employing Proxy ARP through
entries in <ulink
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
This option is intended solely for use with Proxy ARP
sub-networking as described at: <ulink
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
</ulink><note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+)
in the INTERFACE column.</para>
</note>The option value (0 or 1) may only be specified if
you are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>proxyarp</option> option will have
their setting changes; the value assigned to the setting will
be the value specified (if any) or 1 if no value is
given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routeback</emphasis></term>
<listitem>
<para>If specified, indicates that Shorewall should include
rules that allow filtering traffic arriving on this interface
back out that same interface. This option is also required
when you have used a wildcard in the INTERFACE column if you
want to allow traffic between the interfaces that match the
wildcard.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">routefilter[={0|1}]</emphasis></term>
<listitem>
<para>Turn on kernel route filtering for this interface
(anti-spoofing measure).</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>routefilter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<blockquote>
<para>This option can also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">sourceroute[={0|1}]</emphasis></term>
<listitem> <listitem>
<para>If this option is not specified for an interface, then <para>If this option is not specified for an interface, then
@ -369,6 +435,13 @@ loc eth2 -</programlisting>
This might represent a security risk and is not usually This might represent a security risk and is not usually
needed.</para> needed.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>sourceroute</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in <replaceable>interface</replaceable> name (e.g., eth0.+) in
@ -377,6 +450,18 @@ loc eth2 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">tcpflags</emphasis></term>
<listitem>
<para>Packets arriving on this interface are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">upnp</emphasis></term> <term><emphasis role="bold">upnp</emphasis></term>

49
manpages/shorewall-masq.xml
View File

@ -302,6 +302,55 @@
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>

49
manpages/shorewall-rules.xml
View File

@ -891,6 +891,55 @@
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>

3
manpages/shorewall-tcrules.xml
View File

@ -410,8 +410,7 @@
<listitem> <listitem>
<para>Defines a test on the existing packet or connection mark. The <para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true. Tests have the rule will match only if the test returns true.</para>
format</para>
<para>If you don't want to define a test but need to specify <para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para> anything in the following columns, place a "-" in this field.</para>

85
manpages/shorewall-tos.xml
View File

@ -28,10 +28,10 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <term><emphasis role="bold">SOURCE</emphasis> -
{<emphasis>zone</emphasis>[<emphasis {<emphasis>all</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>|<emphasis role="bold">all</emphasis>|<emphasis role="bold">$FW</emphasis>}
role="bold">$FW</emphasis>}</term> (Shorewall-shell)</term>
<listitem> <listitem>
<para>Name of a zone declared in <ulink <para>Name of a zone declared in <ulink
@ -53,11 +53,31 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
role="bold">$FW</emphasis>} (Shorewall-perl)</term>
<listitem>
<para>If <emphasis role="bold">all</emphasis>, may optionally be
followed by ":" and an IP address, a MAC address, a subnet
specification or the name of an interface.</para>
<para>Example: all:192.168.2.3</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <term><emphasis role="bold">DEST</emphasis> -
{<emphasis>zone</emphasis>[<emphasis {<emphasis>zone</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>}</term> role="bold">all</emphasis>} (Shorewall-shell)</term>
<listitem> <listitem>
<para>Name of a zone declared in <ulink <para>Name of a zone declared in <ulink
@ -71,6 +91,17 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
role="bold">all</emphasis>:<emphasis>address</emphasis>}
(Shorewall-perl)</term>
<listitem>
<para>Example: 192.168.2.3</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">PROTOCOL</emphasis> <term><emphasis role="bold">PROTOCOL</emphasis>
<emphasis>proto-name-or-number</emphasis></term> <emphasis>proto-name-or-number</emphasis></term>
@ -114,6 +145,52 @@
<emphasis role="bold">tos-normal-service</emphasis> (0)</programlisting> <emphasis role="bold">tos-normal-service</emphasis> (0)</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>

8
manpages/shorewall-zones.xml
View File

@ -36,10 +36,10 @@
role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term> role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term>
<listitem> <listitem>
<para>Name of the <emphasis>zone</emphasis>. The names "all" and <para>Name of the <emphasis>zone</emphasis>. The names "all",
"none" are reserved and may not be used as zone names. The maximum "none", "SOURCE" and "DEST" are reserved and may not be used as zone
length of a zone name is determined by the setting of the LOGFORMAT names. The maximum length of a zone name is determined by the
option in <ulink setting of the LOGFORMAT option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). With the url="shorewall.conf.html">shorewall.conf</ulink>(5). With the
default LOGFORMAT, zone names can be at most 5 characters default LOGFORMAT, zone names can be at most 5 characters
long.</para> long.</para>

120
manpages/shorewall.conf.xml
View File

@ -256,6 +256,26 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLISTNEWONLY=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new
connections. When set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, blacklists are consulted for
every packet (will slow down your firewall noticably if you have
large blacklists). If the BLACKLISTNEWONLY option is not set or is
set to the empty value then BLACKLISTNEWONLY=No is assumed.</para>
<note>
<para>BLACKLISTNEWONLY=No is incompatible with
FASTACCEPT=Yes.</para>
</note>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis <term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -363,6 +383,11 @@
role="bold">shorewall</emphasis> [<emphasis role="bold">shorewall</emphasis> [<emphasis
role="bold">re</emphasis>]<emphasis role="bold">re</emphasis>]<emphasis
role="bold">start</emphasis>.</para> role="bold">start</emphasis>.</para>
<note>
<para>DELAYBLACKLISTLOAD=Yes is not supported by
Shorewall-perl.</para>
</note>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -429,6 +454,11 @@
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
or RELATED sections of <ulink or RELATED sections of <ulink
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para> url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
<note>
<para>FASTACCEPT=Yes is incompatible with
BLACKLISTNEWONLY=No.</para>
</note>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -574,7 +604,8 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|Keep]</term>
<listitem> <listitem>
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
@ -586,6 +617,15 @@
may still enable it for individual interfaces using the <emphasis may still enable it for individual interfaces using the <emphasis
role="bold">logmartians</emphasis> interface option in <ulink role="bold">logmartians</emphasis> interface option in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
<para>The value <emphasis role="bold">Keep</emphasis> is only
allowed under Shorewall-perl. It causes Shorewall to ignore the
option. If the option is set to <emphasis
role="bold">Yes</emphasis>, then martians are logged on all
interfaces. If the option is set to <emphasis
role="bold">No</emphasis>, then martian logging is disabled on all
interfaces except those specified in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -807,7 +847,13 @@
parameterized macros. For compatibility, Shorewall can map the old parameterized macros. For compatibility, Shorewall can map the old
names into invocations of the new macros if you set names into invocations of the new macros if you set
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed</para> value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.</para>
<note>
<para>MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
value then MAPOLDACTIONS=No is assumed.</para>
</note>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -940,6 +986,60 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">RCP_COMMAND="</emphasis><replaceable>command</replaceable><emphasis
role="bold">"</emphasis></term>
<listitem>
<para></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RSH_COMMAND="</emphasis><replaceable>command</replaceable><emphasis
role="bold">"</emphasis></term>
<listitem>
<para>Eariler generations of Shorewall Lite required that remote
root login via ssh be enabled in order to use the
<command>load</command> and <command>reload</command> commands.
Beginning with release 3.9.5, you may define an alternative means
for accessing the remote firewall system. In that release, two new
options were added to shorewall.conf:<simplelist>
<member>RSH_COMMAND</member>
<member>RCP_COMMAND</member>
</simplelist>The default values for these are as
follows:<simplelist>
<member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>
<member>RCP_COMMAND: scp ${files}
${root}@${system}:${destination}</member>
</simplelist>Shell variables that will be set when the commands
are envoked are as follows:<simplelist>
<member><replaceable>root</replaceable> - root user. Normally
<option>root</option> but may be overridden using the '-r'
option.</member>
<member><replaceable>system</replaceable> - The name/IP address
of the remote firewall system.</member>
<member><replaceable>command</replaceable> - For RSH_COMMAND,
the command to be executed on the firewall system.</member>
<member><replaceable>files</replaceable> - For RCP_COMMAND, a
space-separated list of files to be copied to the remote
firewall system.</member>
<member><replaceable>destination</replaceable> - The directory
on the remote system that the files are to be copied
into.</member>
</simplelist></para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">RESTOREFILE=</emphasis><emphasis>filename</emphasis></term> role="bold">RESTOREFILE=</emphasis><emphasis>filename</emphasis></term>
@ -1025,7 +1125,8 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis <term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|Keep]</term>
<listitem> <listitem>
<para>If this parameter is given the value <emphasis <para>If this parameter is given the value <emphasis
@ -1034,6 +1135,15 @@
interfaces which are brought up while Shorewall is in the started interfaces which are brought up while Shorewall is in the started
state. The default value is <emphasis state. The default value is <emphasis
role="bold">no</emphasis>.</para> role="bold">no</emphasis>.</para>
<para>The value <emphasis role="bold">Keep</emphasis> is only
allowed under Shorewall-perl. It causes Shorewall to ignore the
option. If the option is set to <emphasis
role="bold">Yes</emphasis>, then route filtering occurs on all
interfaces. If the option is set to <emphasis
role="bold">No</emphasis>, then route filtering is disabled on all
interfaces except those specified in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1182,6 +1292,10 @@
a sizable amount of code to implement. By setting USE_ACTIONS=No, a sizable amount of code to implement. By setting USE_ACTIONS=No,
embedded Shorewall installations can omit the large library embedded Shorewall installations can omit the large library
/usr/share/shorewall/lib.actions.</para> /usr/share/shorewall/lib.actions.</para>
<note>
<para>USE_ACTIONS=No is not supported by Shorewall-perl.</para>
</note>
</listitem> </listitem>
</varlistentry> </varlistentry>

4
manpages/shorewall.xml
View File

@ -735,7 +735,9 @@
<listitem> <listitem>
<para>The rules involving the the black list, ECN control rules, and <para>The rules involving the the black list, ECN control rules, and
traffic shaping are recreated to reflect any changes made to your traffic shaping are recreated to reflect any changes made to your
configuration files. Existing connections are untouched.</para> configuration files. Existing connections are untouched. Under
Shorewall-perl, <command>refresh</command> is synonamous with
<command>restart</command>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>