More tcfilter documentation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
0dce5fd379
commit
2c10a936f5
@ -1334,6 +1334,111 @@ qt ip link set dev ifb0 up</programlisting></para>
|
|||||||
2:110 - 206.124.146.179 #SNAT Responses
|
2:110 - 206.124.146.179 #SNAT Responses
|
||||||
2:110 - 206.124.146.180 #Work Laptop
|
2:110 - 206.124.146.180 #Work Laptop
|
||||||
2:130 - 206.124.146.177 tcp 25 #Incoming Email.</programlisting></para>
|
2:130 - 206.124.146.177 tcp 25 #Incoming Email.</programlisting></para>
|
||||||
|
|
||||||
|
<para>You can examine the installed filters with the <command>shorewall
|
||||||
|
show filters</command> command. What follows shows the output for
|
||||||
|
<filename class="devicefile">eth0</filename> with the filters shown
|
||||||
|
above. <emphasis role="bold">Bold font</emphasis> are comments
|
||||||
|
explaining the rules.<programlisting>gateway:~ # shorewall-lite show filters
|
||||||
|
Shorewall Lite 4.1.6 Clasifiers at gateway - Thu Mar 20 16:38:10 PDT 2008
|
||||||
|
|
||||||
|
Device eth1:
|
||||||
|
|
||||||
|
Device eth2:
|
||||||
|
|
||||||
|
Device eth0:
|
||||||
|
filter parent 1: protocol ip pref 10 u32
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 2:</emphasis> ht divisor 1 <emphasis
|
||||||
|
role="bold"> <========= Start of table 2. parses TCP header</emphasis>
|
||||||
|
<emphasis role="bold"> </emphasis>
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 2::800</emphasis> order 2048 key ht 2 bkt 0 <emphasis
|
||||||
|
role="bold">flowid 1:130</emphasis> (rule hit 2268 success 0)
|
||||||
|
match c1210000/ffff0000 at nexthdr+0 (success 0 ) <emphasis
|
||||||
|
role="bold"> <========= SOURCE PORT 49441 goes to class 1:130</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 2::801</emphasis> order 2049 key ht 2 bkt 0 flowid <emphasis
|
||||||
|
role="bold">1:130</emphasis> (rule hit 2268 success 546)
|
||||||
|
match 03690000/ffff0000 at nexthdr+0 (success 546 ) <emphasis
|
||||||
|
role="bold"> <========= SOURCE PORT 873 goes to class 1:130</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 1:</emphasis> ht divisor 1 <emphasis
|
||||||
|
role="bold"> <========= Start of table 1. parses ICMP header</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 1::800</emphasis> order 2048 key ht 1 bkt 0 <emphasis
|
||||||
|
role="bold">flowid 1:110</emphasis> (rule hit 16 success 10)
|
||||||
|
match 08000000/ff000000 at nexthdr+0 (success 10 ) <emphasis
|
||||||
|
role="bold"> <========= echo-request goes to class 1:110</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 1::801</emphasis> order 2049 key ht 1 bkt 0 flowid 1:110 (rule hit 6 success 6)
|
||||||
|
match 00000000/ff000000 at nexthdr+0 (success 6 ) <emphasis
|
||||||
|
role="bold"><========= echo-reply goes to class 1:110
|
||||||
|
</emphasis>
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800:</emphasis> ht divisor 1 <emphasis
|
||||||
|
role="bold"><========= Start of Table 800. Packets start here!</emphasis>
|
||||||
|
|
||||||
|
<emphasis role="bold">=============== The following 2 rules are generated by the class definition in /etc/shorewall/classes ==================</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::800</emphasis> order 2048 key ht 800 bkt 0 <emphasis
|
||||||
|
role="bold">flowid </emphasis><emphasis role="bold">1:110</emphasis> (rule hit 19434 success 1686)
|
||||||
|
match 00060000/00ff0000 at 8 (success 5359 ) <emphasis
|
||||||
|
role="bold"><========= TCP </emphasis>
|
||||||
|
match 05000000/0f00ffc0 at 0 (success 2867 ) <emphasis
|
||||||
|
role="bold"><========= Header length 20 and Packet Length < 64</emphasis>
|
||||||
|
match 00100000/00ff0000 at 32 (success 1686 ) <emphasis
|
||||||
|
role="bold"><========= ACK</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::801</emphasis> order 2049 key ht 800 bkt 0 <emphasis
|
||||||
|
role="bold">flowid 1:110</emphasis> (rule hit 17748 success 16)
|
||||||
|
match 00100000/00100000 at 0 (success 16 ) <emphasis
|
||||||
|
role="bold"><========= Minimize-delay</emphasis><emphasis
|
||||||
|
role="bold"> jumps to class 1:110</emphasis>
|
||||||
|
|
||||||
|
<emphasis role="bold"> =============== Jump to Table 2 if the matches are met ==================</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::807</emphasis> order 2055 key ht 800 bkt 0 <emphasis
|
||||||
|
role="bold">link 2:</emphasis> (rule hit 5853 success 0)
|
||||||
|
match ce7c92b2/ffffffff at 12 (success 0 ) <emphasis
|
||||||
|
role="bold"><========= SOURCE 206.124.146.178 </emphasis>
|
||||||
|
match 00060000/00ff0000 at 8 (success 0 ) <emphasis
|
||||||
|
role="bold"><========= PROTO TCP</emphasis>
|
||||||
|
offset 0f00>>6 at 0 eat
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::802</emphasis> order 2050 key ht 800 bkt 0 <emphasis
|
||||||
|
role="bold">flowid 1:110 </emphasis> (rule hit 17732 success 3800)
|
||||||
|
match ce7c92b2/ffffffff at 12 (success 3800 ) <emphasis
|
||||||
|
role="bold"><========= SOURCE 206.124.146.178 goes to class 1:110</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::803</emphasis> order 2051 key ht 800 bkt 0 <emphasis
|
||||||
|
role="bold">flowid 1:110</emphasis> (rule hit 13932 success 1058)
|
||||||
|
match ce7c92b3/ffffffff at 12 (success 1058 ) <emphasis
|
||||||
|
role="bold"><========= SOURCE 206.124.146.179 goes to class 1:110</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::804</emphasis> order 2052 key ht 800 bkt 0 flowid 1:110 (rule hit 12874 success 7005)
|
||||||
|
match ce7c92b4/ffffffff at 12 (success 7005 ) <emphasis
|
||||||
|
role="bold"><========= SOURCE 206.124.146.180 goes to class 1:110</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::805</emphasis> order 2053 key ht 800 bkt 0 <emphasis
|
||||||
|
role="bold">link 1:</emphasis> (rule hit 5869 success 0)
|
||||||
|
match 00010000/00ff0000 at 8 (success 16 ) <emphasis
|
||||||
|
role="bold"><========= PROTO ICMP</emphasis> <emphasis
|
||||||
|
role="bold">jumps to Table 1</emphasis>
|
||||||
|
offset 0f00>>6 at 0 eat
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::806</emphasis> order 2054 key ht 800 bkt 0 <emphasis
|
||||||
|
role="bold">link 1: </emphasis> (rule hit 5853 success 0)
|
||||||
|
match 00010000/00ff0000 at 8 (success 0 ) <emphasis
|
||||||
|
role="bold"><========= PROTO ICMP jumps to Table 1 (Shorewall-perl isn't</emphasis>
|
||||||
|
offset 0f00>>6 at 0 eat <emphasis
|
||||||
|
role="bold">smart enough yet to suppress this duplicate rule)</emphasis>
|
||||||
|
|
||||||
|
<emphasis role="bold"> =============== Jump to Table 2 if the matches are met ==================</emphasis>
|
||||||
|
|
||||||
|
filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::808</emphasis> order 2056 key ht 800 bkt 0 <emphasis
|
||||||
|
role="bold">link 2: </emphasis> (rule hit 5853 success 0)
|
||||||
|
match ce7c92b1/ffffffff at 12 (success 5654 ) <emphasis
|
||||||
|
role="bold"><========= SOURCE 206.124.146.177</emphasis>
|
||||||
|
match 00060000/00ff0000 at 8 (success 2268 ) <emphasis
|
||||||
|
role="bold"><========= PROTO TCP</emphasis>
|
||||||
|
offset 0f00>>6 at 0 eat</programlisting></para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|