More address validate changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6289 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
b557ba02c8
commit
0d00d30d94
@ -40,9 +40,21 @@ Problems corrected in 3.9.7.
|
||||
4) A value of 'detect' in the GATEWAY column of the providers file no
|
||||
longer generates an error during [re]start.
|
||||
|
||||
Other changes in Shorewall 3.9.6.
|
||||
5) The command 'shorewall check -p' resulted in an indefinite loop.
|
||||
|
||||
None.
|
||||
6) A number of problems having to do with SECTIONs in the rules file
|
||||
have been corrected.
|
||||
|
||||
7) The mss zone option now works correctly.
|
||||
|
||||
8) The LOGBURST and LOGLIMIT options in shorewall.conf now work
|
||||
correctly
|
||||
|
||||
Other changes in Shorewall 3.9.7.
|
||||
|
||||
1) Shorewall-perl now validates all IP addresses and addresses ranges
|
||||
in rules. DNS names are resolved and an error is issued for any
|
||||
name that cannot be resolved.
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
|
@ -44,6 +44,7 @@ our @EXPORT = qw(
|
||||
pop_open
|
||||
read_a_line
|
||||
validate_level
|
||||
qt
|
||||
get_configuration
|
||||
require_capability
|
||||
report_capabilities
|
||||
|
@ -31,6 +31,7 @@ use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw(
|
||||
validate_address
|
||||
validate_net
|
||||
validate_range
|
||||
ip_range_explicit
|
||||
@ -50,14 +51,23 @@ sub valid_address( $ ) {
|
||||
1;
|
||||
}
|
||||
|
||||
sub validate_address( $ ) {
|
||||
unless ( valid_address $_[0] ) {
|
||||
fatal_error "Unknown Host ($_[0])" unless qt "host $_[0]";
|
||||
}
|
||||
}
|
||||
|
||||
sub validate_net( $ ) {
|
||||
my ($net, $vlsm) = split '/', $_[0];
|
||||
|
||||
if ( defined $vlsm ) {
|
||||
fatal_error "Invalid VLSM ($vlsm)" unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
|
||||
}
|
||||
|
||||
fatal_error "Invalid IP address ($net)" unless valid_address $net;
|
||||
} else {
|
||||
fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
|
||||
fatal_error "Invalid Network address ($_[0])" unless defined $net;
|
||||
validate_address $net;
|
||||
}
|
||||
}
|
||||
|
||||
sub decodeaddr( $ ) {
|
||||
|
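Review bot: In validate_address the raw column value is interpolated straight into the command handed to qt (`qt "host $_[0]"`), so whatever characters appear in an address field of a rules file reach that command unchecked; how qt executes its argument is not visible here, but if it goes through a shell a malformed entry becomes a command injection at compile time, and even if it does not, the name deserves a syntax check before any lookup. A one-line guard ahead of the lookup keeps the failure an ordinary configuration error: `fatal_error "Invalid address or host name ($_[0])" unless $_[0] =~ /^[\w.-]+\z/;`. The same applies to the `validate_address $net` call in validate_net's else branch, which funnels the network column through the same path. Separately, the VLSM test in validate_net uses `/^\d+$/`, where `$` admits a trailing newline; `/^\d+\z/` is the tighter anchor. decodeaddr opens on the last line of the hunk and continues outside it.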
@ -186,7 +186,9 @@ sub setup_providers() {
|
||||
"fi\n" );
|
||||
$gateway = '$gateway';
|
||||
} elsif ( $gateway && $gateway ne '-' ) {
|
||||
emit "run_ip route replace $gateway src \$(find_first_interface_address $interface) dev $interface table $number";
|
||||
validate_address $gateway;
|
||||
my $variable = get_interface_address $interface;
|
||||
emit "run_ip route replace $gateway src $variable dev $interface table $number";
|
||||
emit "run_ip route add default via $gateway dev $interface table $number";
|
||||
} else {
|
||||
$gateway = '';
|
||||
|
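Review bot: The new `validate_address $gateway;` accepts any value that resolves at compile time, yet the `run_ip route replace $gateway src $variable ...` and `run_ip route add default via $gateway ...` lines that follow write the original string, not a resolved address, into the generated script; a GATEWAY given as a DNS name therefore passes validation here while the runtime `ip route` invocation receives a name, which is resolved again (possibly to something else, or not at all) at every [re]start, and whether ip accepts a name in that position is not settled by the hunk. If only literal IP addresses are intended in the GATEWAY column, a syntax check is the safer gate, e.g. `fatal_error "Invalid GATEWAY address ($gateway)" unless valid_address $gateway;`, assuming valid_address is exported alongside validate_address — the visible @EXPORT hunk does not show it. setup_providers starts before this hunk and continues past it.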
@ -244,6 +244,55 @@
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
|
||||
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
|
||||
role="bold">:C</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines a test on the existing packet or connection mark. The
|
||||
rule will match only if the test returns true.</para>
|
||||
|
||||
<para>If you don't want to define a test but need to specify
|
||||
anything in the following columns, place a "-" in this field.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>!</term>
|
||||
|
||||
<listitem>
|
||||
<para>Inverts the test (not equal)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>value</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Value of the packet or connection mark.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>mask</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>A mask to be applied to the mark before testing.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">:C</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Designates a connection mark. If omitted, the packet
|
||||
mark's value is tested.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>In all of the above columns except <emphasis
|
||||
|
@ -92,6 +92,11 @@ loc eth2 -</programlisting>
|
||||
<para>If you don't want to give a value for this column but you want
|
||||
to enter a value in the OPTIONS column, enter <emphasis
|
||||
role="bold">-</emphasis> in this column.</para>
|
||||
|
||||
<para><emphasis role="bold">Note to Shorewall-perl users:</emphasis>
|
||||
Shorewall-perl only supports <option>detect</option> in this column.
|
||||
If you specify <replaceable>address</replaceable>es, a compilation
|
||||
warning will be issued.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -107,173 +112,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">dhcp</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Specify this option when any of the following are
|
||||
true:</para>
|
||||
|
||||
<orderedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>the interface gets its IP address via DHCP</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>the interface is used by a DHCP server running on
|
||||
the firewall</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>you have a static IP but are on a LAN segment with
|
||||
lots of DHCP clients.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>the interface is a bridge with a DHCP server on one
|
||||
port and DHCP clients on another port.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">norfc1918</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This interface should not receive any packets whose
|
||||
source is in one of the ranges reserved by RFC 1918 (i.e.,
|
||||
private or "non-routable" addresses). If packet mangling or
|
||||
connection-tracking match is enabled in your kernel, packets
|
||||
whose destination addresses are reserved by RFC 1918 are also
|
||||
rejected.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">routefilter</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Turn on kernel route filtering for this interface
|
||||
(anti-spoofing measure).</para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
the INTERFACE column.</para>
|
||||
</note>
|
||||
|
||||
<para>This option can also be enabled globally in the <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logmartians</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Turn on kernel martian logging (logging of packets with
|
||||
impossible source addresses. It is strongly suggested that if
|
||||
you set <emphasis role="bold">routefilter</emphasis> on an
|
||||
interface that you also set <emphasis
|
||||
role="bold">logmartians</emphasis>. Even if you do not specify
|
||||
the <option>routefilter</option> option, it is a good idea to
|
||||
specify <option>logmartians</option> because your distribution
|
||||
may be enabling route filtering without you knowing it.</para>
|
||||
|
||||
<para>To find out if route filtering is set on a given
|
||||
<replaceable>interface</replaceable>, check the contents of
|
||||
<filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
|
||||
— a non-zero value indicates that route filtering is
|
||||
enabled.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting> teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
|
||||
1
|
||||
teastep@lists:~$ </programlisting>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
the INTERFACE column.</para>
|
||||
</note>
|
||||
|
||||
<para>This option may also be enabled globally in the <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Check packets arriving on this interface against the
|
||||
<ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||
file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">maclist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Connection requests from this interface are compared
|
||||
against the contents of <ulink
|
||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
this option is specified, the interface must be an ethernet
|
||||
NIC and must be up before Shorewall is started.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">tcpflags</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Packets arriving on this interface are checked for
|
||||
certain illegal combinations of TCP flags. Packets found to
|
||||
have such a combination of flags are handled according to the
|
||||
setting of TCP_FLAGS_DISPOSITION after having been logged
|
||||
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">proxyarp</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Sets
|
||||
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
|
||||
Do NOT use this option if you are employing Proxy ARP through
|
||||
entries in <ulink
|
||||
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
|
||||
This option is intended solely for use with Proxy ARP
|
||||
sub-networking as described at: <ulink
|
||||
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html</ulink><note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+)
|
||||
in the INTERFACE column.</para>
|
||||
</note></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">routeback</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, indicates that Shorewall should include
|
||||
rules that allow filtering traffic arriving on this interface
|
||||
back out that same interface. This option is also required
|
||||
when you have used a wildcard in the INTERFACE column if you
|
||||
want to allow traffic between the interfaces that match the
|
||||
wildcard.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">arp_filter</emphasis></term>
|
||||
<term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, this interface will only respond to ARP
|
||||
@ -282,6 +121,13 @@ loc eth2 -</programlisting>
|
||||
requests for IP addresses on any of the firewall's interface.
|
||||
The interface must be up when Shorewall is started.</para>
|
||||
|
||||
<para>The option value (0 or 1) may only be specified if you
|
||||
are using Shorewall-perl. With Shorewall-perl, only those
|
||||
interfaces with the <option>arp_filter</option> option will
|
||||
have their setting changes; the value assigned to the setting
|
||||
will be the value specified (if any) or 1 if no value is
|
||||
given.</para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
@ -328,16 +174,13 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">nosmurfs</emphasis></term>
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Filter packets for smurfs (packets with a broadcast
|
||||
address as the source).</para>
|
||||
|
||||
<para>Smurfs will be optionally logged based on the setting of
|
||||
SMURF_LOG_LEVEL in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||
logging, the packets are dropped.</para>
|
||||
<para>Check packets arriving on this interface against the
|
||||
<ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||
file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -358,7 +201,230 @@ loc eth2 -</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">sourceroute</emphasis></term>
|
||||
<term><emphasis role="bold">dhcp</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Specify this option when any of the following are
|
||||
true:</para>
|
||||
|
||||
<orderedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>the interface gets its IP address via DHCP</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>the interface is used by a DHCP server running on
|
||||
the firewall</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>you have a static IP but are on a LAN segment with
|
||||
lots of DHCP clients.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>the interface is a bridge with a DHCP server on one
|
||||
port and DHCP clients on another port.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">logmartians[={0|1}]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Turn on kernel martian logging (logging of packets with
|
||||
impossible source addresses. It is strongly suggested that if
|
||||
you set <emphasis role="bold">routefilter</emphasis> on an
|
||||
interface that you also set <emphasis
|
||||
role="bold">logmartians</emphasis>. Even if you do not specify
|
||||
the <option>routefilter</option> option, it is a good idea to
|
||||
specify <option>logmartians</option> because your distribution
|
||||
may be enabling route filtering without you knowing it.</para>
|
||||
|
||||
<para>The option value (0 or 1) may only be specified if you
|
||||
are using Shorewall-perl. With Shorewall-perl, only those
|
||||
interfaces with the <option>logmartians</option> option will
|
||||
have their setting changes; the value assigned to the setting
|
||||
will be the value specified (if any) or 1 if no value is
|
||||
given.</para>
|
||||
|
||||
<para>To find out if route filtering is set on a given
|
||||
<replaceable>interface</replaceable>, check the contents of
|
||||
<filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
|
||||
— a non-zero value indicates that route filtering is
|
||||
enabled.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting> teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
|
||||
1
|
||||
teastep@lists:~$ </programlisting>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
the INTERFACE column.</para>
|
||||
</note>
|
||||
|
||||
<blockquote>
|
||||
<para>This option may also be enabled globally in the <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
file.</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">maclist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Connection requests from this interface are compared
|
||||
against the contents of <ulink
|
||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
this option is specified, the interface must be an ethernet
|
||||
NIC and must be up before Shorewall is started.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">norfc1918</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This interface should not receive any packets whose
|
||||
source is in one of the ranges reserved by RFC 1918 (i.e.,
|
||||
private or "non-routable" addresses). If packet mangling or
|
||||
connection-tracking match is enabled in your kernel, packets
|
||||
whose destination addresses are reserved by RFC 1918 are also
|
||||
rejected.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">nosmurfs</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Filter packets for smurfs (packets with a broadcast
|
||||
address as the source).</para>
|
||||
|
||||
<para>Smurfs will be optionally logged based on the setting of
|
||||
SMURF_LOG_LEVEL in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
|
||||
logging, the packets are dropped.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">optional</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Only supported by Shorewall-perl. When
|
||||
<option>optional</option> is specified for an interface,
|
||||
Shorewall will be silent when:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>a <filename
|
||||
class="directory">/proc/sys/net/ipv4/conf/</filename>
|
||||
entry for the interface cannot be modified (including for
|
||||
proxy ARP).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The first address of the interface cannot be
|
||||
obtained.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>I specify <option>optional</option> on interfaces to Xen
|
||||
virtual machines that may or may not be running when Shorewall
|
||||
is [re]started.</para>
|
||||
|
||||
<caution>
|
||||
<para>Use <option>optional</option> at your own risk. If you
|
||||
[re]start Shorewall when an 'optional' interface is not
|
||||
available and then do a <command>shorewall save</command>,
|
||||
subsequent <command>shorewall restore</command> and
|
||||
<command>shorewall -f start</command> operations will
|
||||
instantiate a ruleset that does not support that interface,
|
||||
even if it is available at the time of the
|
||||
restore/start.</para>
|
||||
</caution>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Sets
|
||||
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
|
||||
Do NOT use this option if you are employing Proxy ARP through
|
||||
entries in <ulink
|
||||
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
|
||||
This option is intended solely for use with Proxy ARP
|
||||
sub-networking as described at: <ulink
|
||||
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
|
||||
</ulink><note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+)
|
||||
in the INTERFACE column.</para>
|
||||
</note>The option value (0 or 1) may only be specified if
|
||||
you are using Shorewall-perl. With Shorewall-perl, only those
|
||||
interfaces with the <option>proxyarp</option> option will have
|
||||
their setting changes; the value assigned to the setting will
|
||||
be the value specified (if any) or 1 if no value is
|
||||
given.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">routeback</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, indicates that Shorewall should include
|
||||
rules that allow filtering traffic arriving on this interface
|
||||
back out that same interface. This option is also required
|
||||
when you have used a wildcard in the INTERFACE column if you
|
||||
want to allow traffic between the interfaces that match the
|
||||
wildcard.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">routefilter[={0|1}]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Turn on kernel route filtering for this interface
|
||||
(anti-spoofing measure).</para>
|
||||
|
||||
<para>The option value (0 or 1) may only be specified if you
|
||||
are using Shorewall-perl. With Shorewall-perl, only those
|
||||
interfaces with the <option>routefilter</option> option will
|
||||
have their setting changes; the value assigned to the setting
|
||||
will be the value specified (if any) or 1 if no value is
|
||||
given.</para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
the INTERFACE column.</para>
|
||||
</note>
|
||||
|
||||
<blockquote>
|
||||
<para>This option can also be enabled globally in the <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
||||
file.</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">sourceroute[={0|1}]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>If this option is not specified for an interface, then
|
||||
@ -369,6 +435,13 @@ loc eth2 -</programlisting>
|
||||
This might represent a security risk and is not usually
|
||||
needed.</para>
|
||||
|
||||
<para>The option value (0 or 1) may only be specified if you
|
||||
are using Shorewall-perl. With Shorewall-perl, only those
|
||||
interfaces with the <option>sourceroute</option> option will
|
||||
have their setting changes; the value assigned to the setting
|
||||
will be the value specified (if any) or 1 if no value is
|
||||
given.</para>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
<replaceable>interface</replaceable> name (e.g., eth0.+) in
|
||||
@ -377,6 +450,18 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">tcpflags</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Packets arriving on this interface are checked for
|
||||
certain illegal combinations of TCP flags. Packets found to
|
||||
have such a combination of flags are handled according to the
|
||||
setting of TCP_FLAGS_DISPOSITION after having been logged
|
||||
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">upnp</emphasis></term>
|
||||
|
||||
|
@ -302,6 +302,55 @@
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
|
||||
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
|
||||
role="bold">:C</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines a test on the existing packet or connection mark. The
|
||||
rule will match only if the test returns true.</para>
|
||||
|
||||
<para>If you don't want to define a test but need to specify
|
||||
anything in the following columns, place a "-" in this field.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>!</term>
|
||||
|
||||
<listitem>
|
||||
<para>Inverts the test (not equal)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>value</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Value of the packet or connection mark.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>mask</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>A mask to be applied to the mark before testing.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">:C</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Designates a connection mark. If omitted, the packet
|
||||
mark's value is tested.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
@ -891,6 +891,55 @@
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
|
||||
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
|
||||
role="bold">:C</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines a test on the existing packet or connection mark. The
|
||||
rule will match only if the test returns true.</para>
|
||||
|
||||
<para>If you don't want to define a test but need to specify
|
||||
anything in the following columns, place a "-" in this field.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>!</term>
|
||||
|
||||
<listitem>
|
||||
<para>Inverts the test (not equal)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>value</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Value of the packet or connection mark.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>mask</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>A mask to be applied to the mark before testing.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">:C</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Designates a connection mark. If omitted, the packet
|
||||
mark's value is tested.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
@ -410,8 +410,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>Defines a test on the existing packet or connection mark. The
|
||||
rule will match only if the test returns true. Tests have the
|
||||
format</para>
|
||||
rule will match only if the test returns true.</para>
|
||||
|
||||
<para>If you don't want to define a test but need to specify
|
||||
anything in the following columns, place a "-" in this field.</para>
|
||||
|
@ -28,10 +28,10 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> -
|
||||
{<emphasis>zone</emphasis>[<emphasis
|
||||
{<emphasis>all</emphasis>[<emphasis
|
||||
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>}</term>
|
||||
role="bold">all</emphasis>|<emphasis role="bold">$FW</emphasis>}
|
||||
(Shorewall-shell)</term>
|
||||
|
||||
<listitem>
|
||||
<para>Name of a zone declared in <ulink
|
||||
@ -53,11 +53,31 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
|
||||
role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>} (Shorewall-perl)</term>
|
||||
|
||||
<listitem>
|
||||
<para>If <emphasis role="bold">all</emphasis>, may optionally be
|
||||
followed by ":" and an IP address, a MAC address, a subnet
|
||||
specification or the name of an interface.</para>
|
||||
|
||||
<para>Example: all:192.168.2.3</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
separator.</para>
|
||||
|
||||
<para>Example: ~00-A0-C9-15-39-78</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> -
|
||||
{<emphasis>zone</emphasis>[<emphasis
|
||||
role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
|
||||
role="bold">all</emphasis>}</term>
|
||||
role="bold">all</emphasis>} (Shorewall-shell)</term>
|
||||
|
||||
<listitem>
|
||||
<para>Name of a zone declared in <ulink
|
||||
@ -71,6 +91,17 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
|
||||
role="bold">all</emphasis>:<emphasis>address</emphasis>}
|
||||
(Shorewall-perl)</term>
|
||||
|
||||
<listitem>
|
||||
<para>Example: 192.168.2.3</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> —
|
||||
<emphasis>proto-name-or-number</emphasis></term>
|
||||
@ -114,6 +145,52 @@
|
||||
<emphasis role="bold">tos-normal-service</emphasis> (0)</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK</emphasis> — [<emphasis
|
||||
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
|
||||
role="bold">:C</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If you don't want to define a test but need to specify
|
||||
anything in the following columns, place a "-" in this field.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>!</term>
|
||||
|
||||
<listitem>
|
||||
<para>Inverts the test (not equal)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>value</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Value of the packet or connection mark.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>mask</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>A mask to be applied to the mark before testing.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">:C</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Designates a connection mark. If omitted, the packet
|
||||
mark's value is tested.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
@ -36,10 +36,10 @@
|
||||
role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Name of the <emphasis>zone</emphasis>. The names "all" and
|
||||
"none" are reserved and may not be used as zone names. The maximum
|
||||
length of a zone name is determined by the setting of the LOGFORMAT
|
||||
option in <ulink
|
||||
<para>Name of the <emphasis>zone</emphasis>. The names "all",
|
||||
"none", "SOURCE" and "DEST" are reserved and may not be used as zone
|
||||
names. The maximum length of a zone name is determined by the
|
||||
setting of the LOGFORMAT option in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). With the
|
||||
default LOGFORMAT, zone names can be at most 5 characters
|
||||
long.</para>
|
||||
|
@ -256,6 +256,26 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">BLACKLISTNEWONLY=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||
connections. When set to <emphasis role="bold">No</emphasis> or
|
||||
<emphasis role="bold">no</emphasis>, blacklists are consulted for
|
||||
every packet (will slow down your firewall noticably if you have
|
||||
large blacklists). If the BLACKLISTNEWONLY option is not set or is
|
||||
set to the empty value then BLACKLISTNEWONLY=No is assumed.</para>
|
||||
|
||||
<note>
|
||||
<para>BLACKLISTNEWONLY=No is incompatible with
|
||||
FASTACCEPT=Yes.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
@ -363,6 +383,11 @@
|
||||
role="bold">shorewall</emphasis> [<emphasis
|
||||
role="bold">re</emphasis>]<emphasis
|
||||
role="bold">start</emphasis>.</para>
|
||||
|
||||
<note>
|
||||
<para>DELAYBLACKLISTLOAD=Yes is not supported by
|
||||
Shorewall-perl.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -429,6 +454,11 @@
|
||||
set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
|
||||
or RELATED sections of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||
|
||||
<note>
|
||||
<para>FASTACCEPT=Yes is incompatible with
|
||||
BLACKLISTNEWONLY=No.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -574,7 +604,8 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>|Keep]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
@ -586,6 +617,15 @@
|
||||
may still enable it for individual interfaces using the <emphasis
|
||||
role="bold">logmartians</emphasis> interface option in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
|
||||
<para>The value <emphasis role="bold">Keep</emphasis> is only
|
||||
allowed under Shorewall-perl. It causes Shorewall to ignore the
|
||||
option. If the option is set to <emphasis
|
||||
role="bold">Yes</emphasis>, then martians are logged on all
|
||||
interfaces. If the option is set to <emphasis
|
||||
role="bold">No</emphasis>, then martian logging is disabled on all
|
||||
interfaces except those specified in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -807,7 +847,13 @@
|
||||
parameterized macros. For compatibility, Shorewall can map the old
|
||||
names into invocations of the new macros if you set
|
||||
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
|
||||
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed</para>
|
||||
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.</para>
|
||||
|
||||
<note>
|
||||
<para>MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
|
||||
Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
|
||||
value then MAPOLDACTIONS=No is assumed.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -940,6 +986,60 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">RCP_COMMAND="</emphasis><replaceable>command</replaceable><emphasis
|
||||
role="bold">"</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">RSH_COMMAND="</emphasis><replaceable>command</replaceable><emphasis
|
||||
role="bold">"</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Eariler generations of Shorewall Lite required that remote
|
||||
root login via ssh be enabled in order to use the
|
||||
<command>load</command> and <command>reload</command> commands.
|
||||
Beginning with release 3.9.5, you may define an alternative means
|
||||
for accessing the remote firewall system. In that release, two new
|
||||
options were added to shorewall.conf:<simplelist>
|
||||
<member>RSH_COMMAND</member>
|
||||
|
||||
<member>RCP_COMMAND</member>
|
||||
</simplelist>The default values for these are as
|
||||
follows:<simplelist>
|
||||
<member>RSH_COMMAND: ssh ${root}@${system} ${command}</member>
|
||||
|
||||
<member>RCP_COMMAND: scp ${files}
|
||||
${root}@${system}:${destination}</member>
|
||||
</simplelist>Shell variables that will be set when the commands
|
||||
are envoked are as follows:<simplelist>
|
||||
<member><replaceable>root</replaceable> - root user. Normally
|
||||
<option>root</option> but may be overridden using the '-r'
|
||||
option.</member>
|
||||
|
||||
<member><replaceable>system</replaceable> - The name/IP address
|
||||
of the remote firewall system.</member>
|
||||
|
||||
<member><replaceable>command</replaceable> - For RSH_COMMAND,
|
||||
the command to be executed on the firewall system.</member>
|
||||
|
||||
<member><replaceable>files</replaceable> - For RCP_COMMAND, a
|
||||
space-separated list of files to be copied to the remote
|
||||
firewall system.</member>
|
||||
|
||||
<member><replaceable>destination</replaceable> - The directory
|
||||
on the remote system that the files are to be copied
|
||||
into.</member>
|
||||
</simplelist></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">RESTOREFILE=</emphasis><emphasis>filename</emphasis></term>
|
||||
@ -1025,7 +1125,8 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>|Keep]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If this parameter is given the value <emphasis
|
||||
@ -1034,6 +1135,15 @@
|
||||
interfaces which are brought up while Shorewall is in the started
|
||||
state. The default value is <emphasis
|
||||
role="bold">no</emphasis>.</para>
|
||||
|
||||
<para>The value <emphasis role="bold">Keep</emphasis> is only
|
||||
allowed under Shorewall-perl. It causes Shorewall to ignore the
|
||||
option. If the option is set to <emphasis
|
||||
role="bold">Yes</emphasis>, then route filtering occurs on all
|
||||
interfaces. If the option is set to <emphasis
|
||||
role="bold">No</emphasis>, then route filtering is disabled on all
|
||||
interfaces except those specified in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1182,6 +1292,10 @@
|
||||
a sizable amount of code to implement. By setting USE_ACTIONS=No,
|
||||
embedded Shorewall installations can omit the large library
|
||||
/usr/share/shorewall/lib.actions.</para>
|
||||
|
||||
<note>
|
||||
<para>USE_ACTIONS=No is not supported by Shorewall-perl.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -735,7 +735,9 @@
|
||||
<listitem>
|
||||
<para>The rules involving the the black list, ECN control rules, and
|
||||
traffic shaping are recreated to reflect any changes made to your
|
||||
configuration files. Existing connections are untouched.</para>
|
||||
configuration files. Existing connections are untouched. Under
|
||||
Shorewall-perl, <command>refresh</command> is synonamous with
|
||||
<command>restart</command>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|