A little editing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2605 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-08-31 14:56:10 +00:00
parent 8574996c61
commit 1db8dfa54b


@ -33,6 +33,13 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<section> <section>
<title>Introduction</title> <title>Introduction</title>
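Review bot: the new caution tells pre-3.0 users to "see the documentation for that release" but gives them no way to get there; the surrounding file already uses link markup (e.g. `<link linkend="cachingdns">` further down), so add a `<ulink>` to the earlier release's documentation inside the `<caution>` rather than leaving the reader to search for it.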
@ -596,28 +603,33 @@ fw net ACCEPT</programlisting> The above policy will:
<para>The general form of a simple port forwarding rule in <filename <para>The general form of a simple port forwarding rule in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename> is: class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting> DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>Shorewall
<example label="1"> has macros for many popular applications. Look at
/usr/share/shorewall/macro.* to see what is available in your release.
Macros simplify creating DNAT rules by supplying the protocol and port(s)
as shown in the following examples.</para>
<para><example label="1">
<title>Web Server</title> <title>Web Server</title>
<para>You run a Web Server on computer 2 and you want to forward <para>You run a Web Server on computer 2 and you want to forward
incoming <acronym>TCP</acronym> port 80 to that system: incoming <acronym>TCP</acronym> port 80 to that system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/DNAT net 192.168.1.5</programlisting></para> Web/DNAT net loc:192.168.1.5</programlisting></para>
</example> <example label="2"> </example> <example label="2">
<title>FTP Server</title> <title>FTP Server</title>
<para>You run an <acronym>FTP</acronym> Server on computer 1 so you <para>You run an <acronym>FTP</acronym> Server on computer 1 so you
want to forward incoming <acronym>TCP</acronym> port 21 to that want to forward incoming <acronym>TCP</acronym> port 21 to that
system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) system: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
FTP/DNAT net 10.10.10.1</programlisting> For <acronym>FTP</acronym>, FTP/DNAT net loc:10.10.10.1</programlisting> For
you will also need to have <acronym>FTP</acronym> connection tracking <acronym>FTP</acronym>, you will also need to have
and <acronym>NAT</acronym> support in your kernel. For vendor-supplied <acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
kernels, this means that the <filename support in your kernel. For vendor-supplied kernels, this means that
class="libraryfile">ip_conntrack_ftp</filename> and <filename the <filename class="libraryfile">ip_conntrack_ftp</filename> and
class="libraryfile">ip_nat_ftp</filename> modules must be loaded. <filename class="libraryfile">ip_nat_ftp</filename> modules must be
Shorewall will automatically load these modules if they are available loaded. Shorewall will automatically load these modules if they are
and located in the standard place under <filename available and located in the standard place under <filename
class="directory">/lib/modules/&lt;kernel class="directory">/lib/modules/&lt;kernel
version&gt;/kernel/net/ipv4/netfilter</filename>.</para> version&gt;/kernel/net/ipv4/netfilter</filename>.</para>
</example> A couple of important points to keep in mind: <itemizedlist> </example> A couple of important points to keep in mind: <itemizedlist>
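Review bot: in the added paragraph the path `/usr/share/shorewall/macro.*` is bare text, while every other path in this file is marked up with `<filename>` (compare `<filename class="directory">/etc/shorewall/</filename><filename>rules</filename>` a few lines above); wrap it the same way so it renders consistently. The substantive change in the two examples, `Web/DNAT net 192.168.1.5` becoming `Web/DNAT net loc:192.168.1.5` (and likewise `FTP/DNAT net loc:10.10.10.1`), is correct: it now matches the general form `DNAT net loc:<server local ip address>[:<server port>]` stated just before the examples, which requires the destination zone in front of the address.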
@ -691,7 +703,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
in <filename in <filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>. class="directory">/etc/shorewall/</filename><filename>rules</filename>.
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT loc fw</programlisting></para> DNS/ACCEPT loc fw</programlisting></para>
</listitem> </listitem>
</itemizedlist></para> </itemizedlist></para>
</section> </section>
@ -701,7 +713,7 @@ DNS/ACCEPT loc fw</programlisting></para>
<para>The two-interface sample includes the following rules: <para>The two-interface sample includes the following rules:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNS/ACCEPT fw net</programlisting>This rule allows DNS/ACCEPT fw net</programlisting>This rule allows
<acronym>DNS</acronym> access from your firewall and may be removed if you <acronym>DNS</acronym> access from your firewall and may be removed if you
uncommented the line in <filename uncommented the line in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
@ -716,11 +728,10 @@ DNS/ACCEPT fw net</programlisting>This rule allows
accept connection requests have names that begin with accept connection requests have names that begin with
<quote>Allow</quote>.</para> <quote>Allow</quote>.</para>
<para>You don't have to use defined actions when coding a rule in <para>You don't have to use defined macros when coding a rule in
<filename>/etc/shorewall/rules</filename>; the generated Netfilter ruleset <filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
is slightly more efficient if you code your rules directly rather than faster if you code your rules directly rather than using macros. The the
using defined actions. The the rule shown above could also have been coded rule shown above could also have been coded as follows:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
as follows:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT fw net udp 53 ACCEPT fw net udp 53
ACCEPT fw net tcp 53</programlisting></para> ACCEPT fw net tcp 53</programlisting></para>
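Review bot: the duplicated word in "The the rule shown above could also have been coded as follows" was carried over from the old text into the rewritten sentence; drop one "the". Also, the unchanged context at the top of this hunk still says the entries that "accept connection requests have names that begin with Allow", which no longer matches the macro forms used throughout the rest of the file (`DNS/ACCEPT fw net`, `SSH/ACCEPT loc fw`); that sentence should be updated in the same pass as the switch from "defined actions" to "defined macros".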
@ -728,23 +739,22 @@ ACCEPT fw net tcp 53</programlisting></para>
your needs, you can either define the action yourself or you can simply your needs, you can either define the action yourself or you can simply
code the appropriate rules directly.</para> code the appropriate rules directly.</para>
<para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para>The sample also includes: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT loc fw</programlisting> That rule allows you to run an SSH/ACCEPT loc fw</programlisting> That rule allows you to run an
<acronym>SSH</acronym> server on your firewall and connect to that server <acronym>SSH</acronym> server on your firewall and connect to that server
from your local systems.</para> from your local systems.</para>
<para>If you wish to enable other connections from your firewall to other <para>If you wish to enable other connections from your firewall to other
systems, the general format using an <quote>Allow</quote> action is: systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) &lt;macro&gt;/ACCEPT fw <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
&lt;action&gt; fw <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT fw <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example> ACCEPT fw <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example>
<title>Web Server on Firewall</title> <title>Web Server on Firewall</title>
<para>You want to run a Web Server on your firewall system: <para>You want to run a Web Server on your firewall system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/ACCEPT net fw Web/ACCEPT net fw
Web/ACCEPT loc fw</programlisting> Those two rules would of course be Web/ACCEPT loc fw</programlisting> Those two rules would of course be
in addition to the rules listed above under <quote><link in addition to the rules listed above under <quote><link
linkend="cachingdns">You can configure a Caching Name Server on your linkend="cachingdns">You can configure a Caching Name Server on your
firewall</link></quote>.</para> firewall</link></quote>.</para>
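Review bot: terminology is now inconsistent within this hunk. The sentence introducing the template was changed to "the general format using a macro is: `<macro>/ACCEPT fw <destination zone>`", but the very next sentence still reads "The general format when not using defined actions is", and the paragraph above still says "you can either define the action yourself". If actions remain a separate mechanism from macros in 3.0, say so explicitly where both words are used; otherwise change these remaining occurrences to "macro" so the reader is not left wondering whether two different features are meant.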
@ -755,7 +765,7 @@ Web/ACCEPT loc fw</programlisting> Those two rules would of course be
shell access to your firewall from the internet, use shell access to your firewall from the internet, use
<acronym>SSH</acronym>:</para> <acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSH/ACCEPT net fw</programlisting> SSH/ACCEPT net fw</programlisting>
</important> <inlinegraphic fileref="images/leaflogo.gif" </important> <inlinegraphic fileref="images/leaflogo.gif"
format="GIF" />Bering users will want to add the following two rules to be format="GIF" />Bering users will want to add the following two rules to be
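Review bot: `SSH/ACCEPT net fw` accepts SSH from every address in the net zone. Since this is the recommended way to reach the firewall from the internet, it would help to note that SOURCE accepts the same `zone:address` qualifier the DNAT examples above use in DEST, so an administrator who only needs access from known addresses can write `SSH/ACCEPT net:<admin address> fw` and keep the firewall's SSH port closed to everyone else.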