mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-22 15:43:30 +01:00
Cleanup of ORIGINAL DEST column references
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent 016acfb9de
commit 2ee1d11f94
@ -485,7 +485,7 @@ all all REJECT info</programlisting></para>
<para><filename>/etc/shorewall6/rules</filename>:</para>
<para><filename>/etc/shorewall6/rules</filename>:</para>

<blockquote>
<blockquote>
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
<para><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER

?SECTION ALL
?SECTION ALL
?SECTION ESTABLISHED
?SECTION ESTABLISHED
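Review bot: the old header abbreviated the column to just ORIGINAL, which was never the column's actual name; ORIGDEST is the name the rest of this cleanup standardizes on, so the change is correct. Because this is a comment line inside a programlisting, no rule syntax changes here; only the header that readers copy into /etc/shorewall6/rules does, and the remaining columns (RATE through HELPER) keep their order.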
@ -746,7 +746,7 @@ KnockEnhanced 'net', '$FW', {name => 'SSH1', log_level => 3, proto => '

<listitem>
<listitem>
<para><emphasis role="bold">original_dest</emphasis> is the rule
<para><emphasis role="bold">original_dest</emphasis> is the rule
ORIGINAL DEST</para>
ORIGDEST</para>
</listitem>
</listitem>

<listitem>
<listitem>
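Review bot: "is the rule ORIGDEST" reads as though original_dest were the name of a rule; suggest "is the rule's ORIGDEST column" so the mapping from the parameter (which keeps the long name) to the column (which now takes the short one) is explicit.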
@ -617,7 +617,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
a single address?</title>
a single address?</title>

<para><emphasis role="bold">Answer</emphasis>: Specify the external
<para><emphasis role="bold">Answer</emphasis>: Specify the external
address that you want to redirect in the ORIGINAL DEST column.</para>
address that you want to redirect in the ORIGDEST column.</para>

<para>Example:</para>
<para>Example:</para>
@ -530,9 +530,9 @@ options nf_nat_ftp</programlisting>
ACCEPT or <<emphasis>source</emphasis>> <<emphasis>destination</emphasis>> tcp 21 - <external IP addr> if
ACCEPT or <<emphasis>source</emphasis>> <<emphasis>destination</emphasis>> tcp 21 - <external IP addr> if
DNAT ACTION = DNAT</programlisting>
DNAT ACTION = DNAT</programlisting>

<para>You need an entry in the ORIGINAL DESTINATION column only if the
<para>You need an entry in the ORIGDEST column only if the ACTION is DNAT,
ACTION is DNAT, you have multiple external IP addresses and you want a
you have multiple external IP addresses and you want a specific IP address
specific IP address to be forwarded to your server.</para>
to be forwarded to your server.</para>

<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
with 20 (ftp-data) in the DPORT column. If you post your rules on the
with 20 (ftp-data) in the DPORT column. If you post your rules on the
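Review bot: this hunk also folds a third spelling, ORIGINAL DESTINATION, into ORIGDEST, so the FTP page now uses the same column name as the rules file header; the rest of the paragraph change is whitespace-only reflow. One wording point: "only if the ACTION is DNAT, you have multiple external IP addresses and you want a specific IP address" lists three conditions that must all hold, and an "and" before "you have" (or "only if all of the following hold") would make that unambiguous.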
@ -469,7 +469,7 @@ ACCEPT $FW loc tcp 135,139,445</programlist
</listitem>
</listitem>

<listitem>
<listitem>
<para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
<para>ORIGDEST (Shorewall-perl 4.2.0 and later)</para>

<para>To use this column, you must include 'FORMAT 2' as the first
<para>To use this column, you must include 'FORMAT 2' as the first
non-comment line in your macro file.</para>
non-comment line in your macro file.</para>
@ -153,10 +153,9 @@ SSHKnock net loc:192.168.1.5 tcp 22 -

<note>
<note>
<para>You can use SSHKnock with DNAT on earlier releases provided
<para>You can use SSHKnock with DNAT on earlier releases provided
that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
that you omit the ORIGDEST entry on the second SSHKnock rule. This
This rule will be quite secure provided that you specify
rule will be quite secure provided that you specify 'routefilter' on
'routefilter' on your external interface and have
your external interface and have NULL_ROUTE_RFC1918=Yes in
NULL_ROUTE_RFC1918=Yes in
<filename>shorewall.conf</filename>.</para>
<filename>shorewall.conf</filename>.</para>
</note>
</note>
</listitem>
</listitem>
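Review bot: the reflow rewrites every line of this note for a one-word rename, so blame on the security advice ('routefilter' and NULL_ROUTE_RFC1918=Yes) will now point at a cleanup commit; keeping the original line breaks would confine the hunk to the line containing ORIGDEST. Separately, the note calls the rule "quite secure" given those two settings without saying what they guard against; a half-sentence explaining that they make the kernel reject packets arriving on the external interface with source addresses that could not legitimately come from there would let readers judge whether omitting ORIGDEST is safe in their own setup.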
@ -174,7 +174,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
Squid.</para>
Squid.</para>

<para>If needed, you may just add the additional hosts/networks to the
<para>If needed, you may just add the additional hosts/networks to the
ORIGINAL DEST column in your REDIRECT rule.</para>
ORIGDEST column in your REDIRECT rule.</para>

<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
<para><filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
REDIRECT loc 3128 tcp www - !206.124.146.177,130.252.100.0/24</programlisting></para>
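Review bot: the sentence says to "add the additional hosts/networks to the ORIGDEST column", but the example beneath it uses an exclusion list (!206.124.146.177,130.252.100.0/24), i.e. destinations that are not redirected to Squid; suggest "add the additional hosts/networks to the exclusion list in the ORIGDEST column" so the prose matches the rule. The programlisting header here already read ORIGDEST before this commit, so this hunk only brings the prose in line with it.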
40
docs/VPN.xml
@ -46,7 +46,7 @@
The two most common means for doing this are IPSEC and PPTP. The basic
The two most common means for doing this are IPSEC and PPTP. The basic
setup is shown in the following diagram:</para>
setup is shown in the following diagram:</para>

<graphic fileref="images/VPN.png" />
<graphic fileref="images/VPN.png"/>

<para>A system with an RFC 1918 address needs to access a remote network
<para>A system with an RFC 1918 address needs to access a remote network
through a remote gateway. For this example, we will assume that the local
through a remote gateway. For this example, we will assume that the local
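Review bot: the only change in this hunk is `<graphic fileref="images/VPN.png" />` becoming `<graphic fileref="images/VPN.png"/>`, a serialization difference from the XML editor with no effect on the rendered document; it is harmless but unrelated to the ORIGDEST cleanup and would be better dropped from this commit or mentioned in its message.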
@ -87,15 +87,15 @@

<entry align="center">SOURCE</entry>
<entry align="center">SOURCE</entry>

<entry align="center">DESTINATION</entry>
<entry align="center">DEST</entry>

<entry align="center">PROTOCOL</entry>
<entry align="center">PROTO</entry>

<entry align="center">PORT</entry>
<entry align="center">DPORT</entry>

<entry align="center">CLIENT PORT</entry>
<entry align="center">SPORT</entry>

<entry align="center">ORIGINAL DEST</entry>
<entry align="center">ORIGDEST</entry>
</row>
</row>
</thead>
</thead>
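Review bot: this hunk renames all five descriptive headers (DESTINATION, PROTOCOL, PORT, CLIENT PORT, ORIGINAL DEST) to the rules-file column names (DEST, PROTO, DPORT, SPORT, ORIGDEST), which goes beyond the "ORIGINAL DEST" cleanup named in the commit title. The change is sensible, since the table documents entries for the rules file, but the commit message should say so; the second header table in this file receives the same renames, which keeps the two consistent.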
@ -109,11 +109,11 @@

<entry>50</entry>
<entry>50</entry>

<entry></entry>
<entry/>

<entry></entry>
<entry/>

<entry></entry>
<entry/>
</row>
</row>

<row>
<row>
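Review bot: `<entry></entry>` to `<entry/>` is semantically identical XML; it appears in this hunk and in the other table-body hunks of this file and is editor re-serialization noise rather than part of the cleanup. Not blocking, but it inflates a rename-only diff and is worth noting in the commit message.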
@ -127,9 +127,9 @@

<entry>500</entry>
<entry>500</entry>

<entry></entry>
<entry/>

<entry></entry>
<entry/>
</row>
</row>
</tbody>
</tbody>
</tgroup>
</tgroup>
@ -146,15 +146,15 @@

<entry align="center">SOURCE</entry>
<entry align="center">SOURCE</entry>

<entry align="center">DESTINATION</entry>
<entry align="center">DEST</entry>

<entry align="center">PROTOCOL</entry>
<entry align="center">PROTO</entry>

<entry align="center">PORT</entry>
<entry align="center">DPORT</entry>

<entry align="center">CLIENT PORT</entry>
<entry align="center">SPORT</entry>

<entry align="center">ORIGINAL DEST</entry>
<entry align="center">ORIGDEST</entry>
</row>
</row>
</thead>
</thead>
@ -170,9 +170,9 @@

<entry>4500</entry>
<entry>4500</entry>

<entry></entry>
<entry/>

<entry></entry>
<entry/>
</row>
</row>

<row>
<row>
@ -186,9 +186,9 @@

<entry>500</entry>
<entry>500</entry>

<entry></entry>
<entry/>

<entry></entry>
<entry/>
</row>
</row>
</tbody>
</tbody>
</tgroup>
</tgroup>
@ -1766,7 +1766,7 @@ SSH(ACCEPT) net:$MYIP $FW
</listitem>
</listitem>
</itemizedlist>
</itemizedlist>

<para>They may also appear in the ORIGINAL DEST column of:</para>
<para>They may also appear in the ORIGDEST column of:</para>

<itemizedlist>
<itemizedlist>
<listitem>
<listitem>
@ -1418,8 +1418,8 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>

<para>This example used the firewall's external IP address for DNAT.
<para>This example used the firewall's external IP address for DNAT.
You can use another of your public IP addresses (place it in the
You can use another of your public IP addresses (place it in the
ORIGINAL DEST column in the rule above) but Shorewall will not add
ORIGDEST column in the rule above) but Shorewall will not add that
that address to the firewall's external interface for you.</para>
address to the firewall's external interface for you.</para>

<important>
<important>
<para>When testing DNAT rules like those shown above, you must test
<para>When testing DNAT rules like those shown above, you must test
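Review bot: the reflow moves "that" onto the previous line, so two lines change for a one-word rename; acceptable for documentation. A practical point: the sentence tells the reader what Shorewall will not do (add the ORIGDEST address to the external interface) without saying what they must do instead; a pointer to where that address is configured would close the gap, since a DNAT rule for an address the firewall does not hold will never see any traffic.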