extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-21 23:23:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

Centralize the complete list of manpages in shorewall(8)

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-06-16 17:11:43 -07:00
parent d8ef934f24
commit 42a46d42b6
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
71 changed files with 83 additions and 16927 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
Shorewall-core/manpages/shorewall.xml
View File

@ -3173,6 +3173,8 @@
<title>FILES</title>
<para>/etc/shorewall/</para>
<para>/etc/shorewall6/</para>
</refsect1>
<refsect1>
@ -3182,13 +3184,17 @@
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
<para>shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-mangle(5),
shorewall-masq(5), shorewall-modules(5), shorewall-nat(5),
shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5),
shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5),
shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

24
Shorewall/install.sh
View File

@ -492,8 +492,11 @@ fi
#
# Install the config file
#
run_install $OWNERSHIP -m 0644 $PRODUCT.conf ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
run_install $OWNERSHIP -m 0644 $PRODUCT.conf ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
if [ $PRODUCT = shorewall ]; then
run_install $OWNERSHIP -m 0644 shorewall.conf.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
fi
if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
run_install $OWNERSHIP -m 0600 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
@ -1165,6 +1168,23 @@ done
cd ..
if [ $PRODUCT = shorewall6 ]; then
for f in ${DESTDIR}${MANDIR}/man5/shorewall-*; do
base=$(basename $f);
case $base in
shorewall-arprules.*|shorewall-ecn.*|shorewall-proxyarp.*)
;;
*)
base6=shorewall6-${base#*-}
ln -sf ${MANDIR}/man5/$(basename $f) ${DESTDIR}${MANDIR}/man5/$base6
;;
esac
done
ln -sf ${MANDIR}/man5/shorewall.conf ${DESTDIR}${MANDIR}/man5/shorewall6.conf
fi
echo "Man Pages Installed"
fi

10
Shorewall/manpages/shorewall-accounting.xml
View File

@ -800,14 +800,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-actions.xml
View File

@ -249,14 +249,6 @@
<para><ulink
url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

8
Shorewall/manpages/shorewall-arprules.xml
View File

@ -25,6 +25,8 @@
<refsect1>
<title>Description</title>
<para>IPv4 only.</para>
<para>This file was added in Shorewall 4.5.12 and is used to describe
low-level rules managed by arptables (8). These rules only affect Address
Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
@ -377,4 +379,10 @@ SNAT:10.1.10.11 - eth1:10.1.10.0/24 1</programlis
<para>/etc/shorewall/arprules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8)</para>
</refsect1>
</refentry>

9
Shorewall/manpages/shorewall-blrules.xml
View File

@ -337,13 +337,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
shorewall-mangle(5) shorewall6-netmap(5),shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-snat(5),shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-conntrack.xml
View File

@ -748,14 +748,6 @@ DROP:PO - 2001:1.2.3::4</programlisting><
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

12
Shorewall/manpages/shorewall-ecn.xml
View File

@ -25,6 +25,8 @@
<refsect1>
<title>Description</title>
<para>IPv4 only.</para>
<para>Use this file to list the destinations for which you want to disable
ECN (Explicit Congestion Notification). Use of this file is deprecated in
favor of ECN rules in <ulink
@ -67,14 +69,6 @@
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-exclusion.xml
View File

@ -177,14 +177,6 @@ ACCEPT all!z2 net tcp 22</programlisting>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-hosts.xml
View File

@ -280,14 +280,6 @@ vpn ppp+:192.168.3.0/24</programlisting></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-init.xml
View File

@ -165,14 +165,6 @@
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

11
Shorewall/manpages/shorewall-interfaces.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/interfaces</command>
<command>/etc/shorewall[6]/interfaces</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -1046,13 +1046,6 @@ net ppp0 -</programlisting>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-ipsets.xml
View File

@ -289,14 +289,6 @@
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-maclist.xml
View File

@ -110,14 +110,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-mangle.xml
View File

@ -1633,14 +1633,6 @@ Normal-Service =&gt; 0x00</programlisting>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-masq.xml
View File

@ -776,14 +776,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-modules.xml
View File

@ -95,14 +95,6 @@
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-nat.xml
View File

@ -223,14 +223,6 @@ all all REJECT info
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-netmap.xml
View File

@ -180,14 +180,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-params.xml
View File

@ -136,14 +136,6 @@ net eth0 130.252.100.255 routefilter</programlisting>
<para><ulink
url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-policy.xml
View File

@ -411,14 +411,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-providers.xml
View File

@ -538,14 +538,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

12
Shorewall/manpages/shorewall-proxyarp.xml
View File

@ -25,6 +25,8 @@
<refsect1>
<title>Description</title>
<para>IPv4 only.</para>
<para>This file is used to define Proxy ARP. There is one entry in this
file for each IP address to be proxied.</para>
@ -139,14 +141,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-routes.xml
View File

@ -119,14 +119,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-rtrules.xml
View File

@ -212,14 +212,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-rules.xml
View File

@ -2645,14 +2645,6 @@
<para><ulink
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-blrules(5), shorewall-hosts(5),
shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-secmarks.xml
View File

@ -417,14 +417,6 @@ RESTORE I:ER</programlisting>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-snat.xml
View File

@ -747,14 +747,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-stoppedrules.xml
View File

@ -166,14 +166,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-tcclasses.xml
View File

@ -780,14 +780,6 @@
<para>tc-red(8)</para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-tcdevices.xml
View File

@ -294,14 +294,6 @@
<para><ulink
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-tcfilters.xml
View File

@ -366,14 +366,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-tcinterfaces.xml
View File

@ -215,14 +215,6 @@
<para><ulink
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcpri(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-tcpri.xml
View File

@ -158,14 +158,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>prio(8), shorewall(8), shorewall-accounting(5),
shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>prio(8), shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-tunnels.xml
View File

@ -378,14 +378,6 @@
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall-vardir.xml
View File

@ -58,14 +58,6 @@
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

9
Shorewall/manpages/shorewall-zones.xml
View File

@ -443,13 +443,6 @@ c:a,b ip</programlisting>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

10
Shorewall/manpages/shorewall.conf.xml
View File

@ -3251,14 +3251,6 @@ INLINE - - - ;; -j REJECT
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcinterfaces(5),
shorewall-tcpri(5), shorewall-tcrules(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall(8)</para>
</refsect1>
</refentry>

851
Shorewall6/manpages/shorewall6-accounting.xml
View File

@ -1,851 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-accounting</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>accounting</refname>
<refpurpose>Shorewall6 Accounting file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/accounting</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Accounting rules exist simply to count packets and bytes in
categories that you define in this file. You may display these rules and
their packet and byte counters using the <command>shorewall6 show
accounting</command> command.</para>
<para>Beginning with Shorewall 4.4.18, the accounting structure can be
created with three root chains:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">accountin</emphasis>: Rules that are valid
in the <emphasis role="bold">INPUT</emphasis> chain (may not specify
an output interface).</para>
</listitem>
<listitem>
<para><emphasis role="bold">accountout</emphasis>: Rules that are
valid in the OUTPUT chain (may not specify an input interface or a MAC
address).</para>
</listitem>
<listitem>
<para><emphasis role="bold">accounting</emphasis>: Other rules.</para>
</listitem>
</itemizedlist>
<para>The new structure is enabled by sectioning the accounting file in a
manner similar to the <ulink url="/manpages6/shorewall6-rules.html">rules
file</ulink>. The sections are <emphasis role="bold">INPUT</emphasis>,
<emphasis role="bold">OUTPUT</emphasis> and <emphasis
role="bold">FORWARD</emphasis> and must appear in that order (although any
of them may be omitted). The first non-commentary record in the accounting
file must be a section header when sectioning is used.</para>
<warning>
<para>If sections are not used, the Shorewall rules compiler cannot
detect certain violations of netfilter restrictions. These violations
can result in run-time errors such as the following:</para>
<blockquote>
<para><emphasis role="bold">ip6tables-restore v1.4.13: Can't use -o
with INPUT</emphasis></para>
</blockquote>
</warning>
<para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
added to shorewall.conf and shorewall6.conf. That setting determines the
Netfilter table (filter or mangle) where the accounting rules are added.
When ACCOUNTING_TABLE=mangle is specified, the available sections are
<emphasis role="bold">PREROUTING</emphasis>, <emphasis
role="bold">INPUT</emphasis>, <emphasis role="bold">OUTPUT</emphasis>,
<emphasis role="bold">FORWARD</emphasis> and <emphasis
role="bold">POSTROUTING</emphasis>.</para>
<para>Section headers have the form:</para>
<para><option>[?]SECTION</option>
<replaceable>section-name</replaceable></para>
<para>The optional "?" was added in Shorewalll 4.6.0 and is preferred.
Existing configurations may be converted to use this form using the
<command>shorewall6 update</command> command.</para>
<para>When sections are enabled:</para>
<itemizedlist>
<listitem>
<para>A jump to a user-defined accounting chain must appear before
entries that add rules to that chain. This eliminates loops and
unreferenced chains.</para>
</listitem>
<listitem>
<para>An output interface may not be specified in the <emphasis
role="bold">PREROUTING</emphasis> and <emphasis
role="bold">INPUT</emphasis> sections.</para>
</listitem>
<listitem>
<para>In the <emphasis role="bold">OUTPUT</emphasis> and <emphasis
role="bold">POSTROUTING</emphasis> sections:</para>
<itemizedlist>
<listitem>
<para>An input interface may not be specified</para>
</listitem>
<listitem>
<para>Jumps to a chain defined in the <emphasis
role="bold">INPUT</emphasis> or <emphasis
role="bold">PREROUTING</emphasis> sections that specifies an input
interface are prohibited</para>
</listitem>
<listitem>
<para>MAC addresses may not be used</para>
</listitem>
<listitem>
<para>Jump to a chain defined in the <emphasis
role="bold">INPUT</emphasis> or <emphasis
role="bold">PREROUTING</emphasis> section that specifies a MAC
address are prohibited.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>The default value of the CHAIN column is:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">accountin</emphasis> in the <emphasis
role="bold">INPUT</emphasis> section</para>
</listitem>
<listitem>
<para><emphasis role="bold">accountout</emphasis> in the <emphasis
role="bold">OUTPUT</emphasis> section</para>
</listitem>
<listitem>
<para><emphasis role="bold">accountfwd</emphasis> in the <emphasis
role="bold">FORWARD</emphasis> section</para>
</listitem>
<listitem>
<para><emphasis role="bold">accountpre</emphasis> in the <emphasis
role="bold">PREROUTING</emphasis> section</para>
</listitem>
<listitem>
<para><emphasis role="bold">accountpost</emphasis> in the
<emphasis role="bold">POSTROUTING</emphasis> section</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Traffic addressed to the firewall goes through the rules defined
in the INPUT section.</para>
</listitem>
<listitem>
<para>Traffic originating on the firewall goes through the rules
defined in the OUTPUT section.</para>
</listitem>
<listitem>
<para>Traffic being forwarded through the firewall goes through the
rules from the FORWARD sections.</para>
</listitem>
</itemizedlist>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION</emphasis> - {<emphasis
role="bold">COUNT</emphasis>|<emphasis
role="bold">DONE</emphasis>|<emphasis>chain</emphasis>[:<emphasis
role="bold">{COUNT|JUMP}</emphasis>]|[?]COMMENT
<replaceable>comment</replaceable>}</term>
<listitem>
<para>What to do when a matching packet is found.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">COUNT</emphasis></term>
<listitem>
<para>Simply count the match and continue with the next
rule</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DONE</emphasis></term>
<listitem>
<para>Count the match and don't attempt to match any other
accounting rules in the chain specified in the <emphasis
role="bold">CHAIN</emphasis> column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>chain</emphasis>[<emphasis
role="bold">:</emphasis><emphasis
role="bold">COUNT</emphasis>]</term>
<listitem>
<para>Where <emphasis>chain</emphasis> is the name of a chain;
shorewall6 will create the chain automatically if it doesn't
already exist. If a second chain is mentioned in the CHAIN
column, then a jump from this second chain to
<replaceable>chain</replaceable> is created. If no chain is
named in the CHAIN column, then a jump from the default chain
to <replaceable>chain</replaceable> is created. If <emphasis
role="bold">:COUNT</emphasis> is included, a counting rule
matching this entry will be added to
<emphasis>chain</emphasis>. The <emphasis>chain</emphasis> may
not exceed 29 characters in length and may be composed of
letters, digits, dash ('-') and underscore ('_').</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>chain</emphasis>:JUMP</term>
<listitem>
<para>Like the previous option without the <emphasis
role="bold">:COUNT</emphasis> part.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INLINE</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.16. Allows free form ip6tables
matches to be specified following a ';'. In the generated
ip6tables rule(s), the free form matches will follow any
matches that are generated by the column contents.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFACCT</emphasis>({<replaceable>object</replaceable>[!]}[,...])</term>
<listitem>
<para>Added in Shorewall 4.5.7. Provides a form of accounting
that survives <command>shorewall stop/shorewall</command>
start and <command>shorewall restart</command>. Requires the
NFaccnt Match capability in your kernel and iptables.
<replaceable>object</replaceable> names an nfacct object (see
man nfaccnt(8)). Multiple rules can specify the same
<replaceable>object</replaceable>; all packets that match any
of the rules increment the packet and bytes count of the
object.</para>
<para>Prior to Shorewall 4.5.16, only one
<replaceable>object</replaceable> could be specified.
Beginning with Shorewall 4.5.16, an arbitrary number of
objects may be given.</para>
<para>With Shorewall 4.5.16 or later, an nfacct
<replaceable>object</replaceable> in the list may optionally
be followed by <emphasis role="bold">!</emphasis> to indicate
that the nfacct <replaceable>object</replaceable> will be
incremented unconditionally for each packet. When <emphasis
role="bold">!</emphasis> is omitted, the
<replaceable>object</replaceable> will be incremented only if
all of the matches in the rule succeed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
- Added in Shorewall-4.4.20.</term>
<listitem>
<para>Causes each matching packet to be sent via the currently
loaded logging back end (usually nfnetlink_log) where it is
available to accounting daemons through a netlink
socket.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">?COMMENT</emphasis></term>
<listitem>
<para>The remainder of the line is treated as a comment which
is attached to subsequent rules until another ?COMMENT line is
found or until the end of the file is reached. To stop adding
comments to rules, use a line with only the word
?COMMENT.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CHAIN</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>chain</emphasis>}</term>
<listitem>
<para>The name of a <emphasis>chain</emphasis>. If specified as
<emphasis role="bold">-</emphasis> the <emphasis
role="bold">accounting</emphasis> chain is assumed when the file is
un-sectioned. When the file is sectioned, the default is one of
accountin, accountout, etc. depending on the section. This is the
chain where the accounting rule is added. The
<emphasis>chain</emphasis> will be created if it doesn't already
exist. The <emphasis>chain</emphasis> may not exceed 29 characters
in length.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">any</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
role="bold">:<option>[</option></emphasis><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
<listitem>
<para>Packet Source.</para>
<para>The name of an <replaceable>interface</replaceable>, an
<replaceable>address</replaceable> (host or net) or an
<replaceable>interface</replaceable> name followed by ":" and a host
or net <replaceable>address</replaceable>. An ipset name is also
accepted as an <replaceable>address</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">any</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
<listitem>
<para>Packet Destination.</para>
<para>Format same as <emphasis role="bold">SOURCE</emphasis>
column.</para>
<para>This column was formerly labelled DESTINATION.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">any</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
role="bold">ipp2p</emphasis>[<emphasis
role="bold">:</emphasis>{<emphasis
role="bold">udp</emphasis>|<emphasis
role="bold">all</emphasis>}]}</term>
<listitem>
<para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
<emphasis>protocol-number</emphasis>, <emphasis
role="bold">ipp2p</emphasis>, <emphasis
role="bold">ipp2p:udp</emphasis> or <emphasis
role="bold">ipp2p:all</emphasis></para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
<para>This column was formerly labelled PROTOCOL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">any</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
<listitem>
<para>Destination Port number. Service name from services(5) or
<emphasis>port number</emphasis>. May only be specified if the
protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
(136).</para>
<para>You may place a comma-separated list of port names or numbers
in this column if your kernel and ip6tables include multi-port match
support.</para>
<para>If the PROTOCOL is <emphasis role="bold">ipp2p</emphasis> then
this column must contain an <emphasis>ipp2p-option</emphasis>
("ip6tables -m ipp2p --help") without the leading "--". If no option
is given in this column, <emphasis role="bold">ipp2p</emphasis> is
assumed.</para>
<para>This column was formerly labelled DEST PORT(S).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">any</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
<listitem>
<para>Service name from services(5) or <emphasis>port
number</emphasis>. May only be specified if the protocol is TCP (6),
UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>
<para>You may place a comma-separated list of port numbers in this
column if your kernel and ip6tables include multi-port match
support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DPORT column is non-empty. This causes the
rule to match when either the source port or the destination port in
a packet matches one of the ports specified in DPORT. Use of '='
requires multi-port match in your iptables and kernel.</para>
<para>This column was formerly labelled SOURCE PORT(S).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USER</emphasis> - [<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
<listitem>
<para>This column may only be non-empty if the <emphasis
role="bold">CHAIN</emphasis> is <emphasis
role="bold">OUTPUT</emphasis>.</para>
<para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
specified (or is NOT running under that id if "!" is given).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>joe</term>
<listitem>
<para>program must be run by joe</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:kids</term>
<listitem>
<para>program must be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>!:kids</term>
<listitem>
<para>program must not be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>+upnpd</term>
<listitem>
<para>#program named upnpd</para>
<important>
<para>The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.</para>
</important>
</listitem>
</varlistentry>
</variablelist>
<para>This column was formerly labelled USER/GROUP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
(Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
)</emphasis></term>
<listitem>
<para>The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have
been decrypted via an SA that matches these options will have their
source address changed. May only be specified when sections are
used.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>where <emphasis>number</emphasis> is specified using
setkey(8) using the 'unique:<emphasis>number</emphasis> option
for the SPD level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
<listitem>
<para>where <emphasis>number</emphasis> is the SPI of the SA
used to encrypt/decrypt packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto=</emphasis><emphasis
role="bold">ah</emphasis>|<emphasis
role="bold">esp</emphasis>|<emphasis
role="bold">ipcomp</emphasis></term>
<listitem>
<para>IPSEC Encapsulation Protocol</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>sets the MSS field in TCP packets</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mode=</emphasis><emphasis
role="bold">transport</emphasis>|<emphasis
role="bold">tunnel</emphasis></term>
<listitem>
<para>IPSEC mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">strict</emphasis></term>
<listitem>
<para>Means that packets must match all rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">next</emphasis></term>
<listitem>
<para>Separates rules; can only be used with strict</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">yes</emphasis> or <emphasis
role="bold">ipsec</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulated
to match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">no</emphasis> or <emphasis
role="bold">none</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulated
to match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">in</emphasis></term>
<listitem>
<para>May only be used in the FORWARD section and must be the
first or the only item the list. Indicates that matching
packets have been decrypted in input.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">out</emphasis></term>
<listitem>
<para>May only be used in the FORWARD section and must be the
first or the only item in the list. Indicates that matching
packets will be encrypted on output.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If this column is non-empty and sections are not used,
then:</para>
<itemizedlist>
<listitem>
<para>A chain NAME appearing in the ACTION column must be a
chain branched either directly or indirectly from the <emphasis
role="bold">accipsecin</emphasis> or <emphasis
role="bold">accipsecout</emphasis> chain.</para>
</listitem>
<listitem>
<para>The CHAIN column must contain either <emphasis
role="bold">accipsecin</emphasis> or <emphasis
role="bold">accipsecout</emphasis> or a chain branched either
directly or indirectly from those chains.</para>
</listitem>
<listitem>
<para>These rules will NOT appear in the <emphasis
role="bold">accounting</emphasis> chain.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HEADERS -
[!][any:|exactly:]</emphasis><replaceable>header-list
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
<listitem>
<para>The <replaceable>header-list</replaceable> consists of a
comma-separated list of headers from the following list.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">auth</emphasis>, <emphasis
role="bold">ah</emphasis>, or <emphasis
role="bold">51</emphasis></term>
<listitem>
<para><firstterm>Authentication Headers</firstterm> extension
header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">esp</emphasis>, or <emphasis
role="bold">50</emphasis></term>
<listitem>
<para><firstterm>Encrypted Security Payload</firstterm>
extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hop</emphasis>, <emphasis
role="bold">hop-by-hop</emphasis> or <emphasis
role="bold">0</emphasis></term>
<listitem>
<para>Hop-by-hop options extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">route</emphasis>, <emphasis
role="bold">ipv6-route</emphasis> or <emphasis
role="bold">41</emphasis></term>
<listitem>
<para>IPv6 Route extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">frag</emphasis>, <emphasis
role="bold">ipv6-frag</emphasis> or <emphasis
role="bold">44</emphasis></term>
<listitem>
<para>IPv6 fragmentation extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">none</emphasis>, <emphasis
role="bold">ipv6-nonxt</emphasis> or <emphasis
role="bold">59</emphasis></term>
<listitem>
<para>No next header</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto</emphasis>, <emphasis
role="bold">protocol</emphasis> or <emphasis
role="bold">255</emphasis></term>
<listitem>
<para>Any protocol header.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If <emphasis role="bold">any:</emphasis> is specified, the
rule will match if any of the listed headers are present. If
<emphasis role="bold">exactly:</emphasis> is specified, the will
match packets that exactly include all specified headers. If neither
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
will match those packets which would not be matched when <emphasis
role="bold">!</emphasis> is omitted.</para>
</listitem>
</varlistentry>
</variablelist>
<para>In all of the above columns except <emphasis
role="bold">ACTION</emphasis> and <emphasis role="bold">CHAIN</emphasis>,
the values <emphasis role="bold">-</emphasis>, <emphasis
role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be
used as wildcards. Omitted trailing columns are also treated as
wildcards.</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/accounting</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/Accounting.html">http://www.shorewall.net/Accounting.html
</ulink></para>
<para><ulink
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

260
Shorewall6/manpages/shorewall6-actions.xml
View File

@ -1,260 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-actions</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>actions</refname>
<refpurpose>shorewall6 action declaration file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/actions</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file allows you to define new ACTIONS for use in rules (see
<ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>). You
define the ip6tables rules to be performed in an ACTION in
/etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
<para>Columns are:</para>
<variablelist>
<varlistentry>
<term>NAME</term>
<listitem>
<para>The name of the action. ACTION names should begin with an
upper-case letter to distinguish them from Shorewall-generated chain
names and be composed of letters, digits or numbers. If you intend
to log from the action then the name must be no longer than 11
characters in length if you use the standard LOGFORMAT.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>OPTIONS</term>
<listitem>
<para>Added in Shorewall 4.5.10. Available options are:</para>
<variablelist>
<varlistentry>
<term><option>audit</option></term>
<listitem>
<para>Added in Shorewall 5.0.7. When this option is specified,
the action is expected to have at least two parameters; the
first is a target and the second is either 'audit' or omitted.
If the second is 'audit', then the first must be an auditable
target (ACCEPT, DROP or REJECT).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>builtin</term>
<listitem>
<para>Added in Shorewall 4.5.16. Defines the action as a rule
target that is supported by your ip6tables but is not directly
supported by Shorewall. The action may be used as the rule
target in an INLINE rule in <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
<para>Beginning with Shorewall 4.6.0, the Netfilter table(s)
in which the <emphasis role="bold">builtin</emphasis> can be
used may be specified: <emphasis
role="bold">filter</emphasis>, <emphasis
role="bold">nat</emphasis>, <emphasis
role="bold">mangle</emphasis> and <emphasis
role="bold">raw</emphasis>. If no table name(s) are given,
then <emphasis role="bold">filter</emphasis> is assumed. The
table names follow <emphasis role="bold">builtin</emphasis>
and are separated by commas; for example, "FOOBAR
builtin,filter,mangle" would specify FOOBAR as a builtin
target that can be used in the filter and mangle
tables.</para>
<para>Beginning with Shorewall 4.6.4, you may specify the
<emphasis role="bold">terminating</emphasis> option with
<emphasis role="bold">builtin</emphasis> to indicate to the
Shorewall optimizer that the action is terminating (the
current packet will not be passed to the next rule in the
chain).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>inline</option></term>
<listitem>
<para>Causes the action body (defined in
action.<replaceable>action-name</replaceable>) to be expanded
in-line like a macro rather than in its own chain. You can
list Shorewall Standard Actions in this file to specify the
<option>inline</option> option.</para>
<caution>
<para>Some of the Shorewall standard actions cannot be used
in-line and will generate a warning and the compiler will
ignore <option>inline</option> if you try to use them that
way:</para>
<simplelist>
<member>DropSmurfs</member>
<member>IfEvent</member>
<member>Invalid (Prior to Shorewall 4.5.13)</member>
<member>NotSyn (Prior to Shorewall 4.5.13)</member>
<member>RST (Prior to Shorewall 4.5.13)</member>
<member>TCPFlags</member>
</simplelist>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term><option>logjump</option></term>
<listitem>
<para>Added in Shorewall 5.0.8. Performs the same function as
<option>nolog</option> (below), with the addition that the
jump to the actions chain is logged if a log level is
specified on the action invocation. For inline actions, this
option is identical to <option>nolog</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>mangle</option></term>
<listitem>
<para>Added in Shorewall 5.0.7. Specifies that this action is
to be used in <ulink
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>
rather than <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>nat</option></term>
<listitem>
<para>Added in Shorewall 5.0.13. Specifies that this action is
to be used in <ulink
url="/manpages6/shorewall6-snat.html">shorewall6-snat(5)</ulink> rather
than <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink>. The
<option>mangle</option> and <option>nat</option> options are
mutually exclusive.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>noinline</option></term>
<listitem>
<para>Causes any later <option>inline</option> option for the
same action to be ignored with a warning.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>nolog</option></term>
<listitem>
<para>Added in Shorewall 4.5.11. When this option is
specified, the compiler does not automatically apply the log
level and/or tag from the invocation of the action to all
rules inside of the action. Rather, it simply sets the
$_loglevel and $_logtag shell variables which can be used
within the action body to apply those logging options only to
a subset of the rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>section</option></term>
<listitem>
<para>Added in Shorewall 5.1.1. When specified, this option
causes the rules file section name and a comma to be prepended
to the parameters passed to the action (if any). Note that
this means that the first parameter passed to the action by
the user is actually the second parameter to the action. If
the action is invoked out of the blrules file, 'BLACKLIST' is
used as the section name.</para>
<para>Given that neither the <filename>snat</filename> nor the
<filename>mangle</filename> file is sectioned, this parameter
has no effect when <option>mangle</option> or
<option>nat</option> is specified.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
<listitem>
<para>Added in Shorewall 5.0.7. Reserved for use by Shorewall
in <filename>actions.std</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>terminating</option></term>
<listitem>
<para>Added in Shorewall 4.6.4. When used with
<option>builtin</option>, indicates that the built-in action
is termiating (i.e., if the action is jumped to, the next rule
in the chain is not evaluated).</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/actions</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/Actions.html">http://www.shorewall.net/Actions.html</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>

331
Shorewall6/manpages/shorewall6-blrules.xml
View File

@ -1,331 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-blrules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>blrules</refname>
<refpurpose>shorewall6 Blacklist file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/blrules</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to perform zone-specific blacklisting and
whitelisting.</para>
<para>Rules in this file are applied depending on the setting of
BLACKLISTNEWONLY in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
connections in the NEW and INVALID states.</para>
<para>The format of rules in this file is the same as the format of rules
in <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5). The
difference in the two files lies in the ACTION (first) column.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION- {<emphasis
role="bold">ACCEPT</emphasis>|BLACKLIST|blacklog|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
role="bold">WHITELIST</emphasis>|<emphasis
role="bold">LOG</emphasis>|<emphasis
role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[<emphasis
role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
role="bold">)</emphasis>]<emphasis
role="bold">|[?]COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
role="bold">(</emphasis><emphasis>target</emphasis><emphasis
role="bold">)</emphasis>]}<emphasis
role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
role="bold">!</emphasis></emphasis>][<emphasis
role="bold">:</emphasis><emphasis>tag</emphasis>]]</emphasis></term>
<listitem>
<para>Specifies the action to be taken if the packet matches the
rule. Must be one of the following.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.3. This is actually a macro that
expands as follows:</para>
<itemizedlist>
<listitem>
<para>If BLACKLIST_LOGLEVEL is specified in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then the macro expands to <emphasis
role="bold">blacklog</emphasis>.</para>
</listitem>
<listitem>
<para>Otherwise it expands to the action specified for
BLACKLIST_DISPOSITION in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklog</emphasis></term>
<listitem>
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
</ulink>(5). Logs, audits (if specified) and applies the
BLACKLIST_DISPOSITION specified in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term>
<listitem>
<para>Exempt the packet from the remaining rules in this
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DROP</emphasis></term>
<listitem>
<para>Ignore the packet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>A_DROP and A_DROP!</term>
<listitem>
<para>Audited versions of DROP. Requires AUDIT_TARGET support
in the kernel and ip6tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">REJECT</emphasis></term>
<listitem>
<para>disallow the packet and return an icmp-unreachable or an
RST packet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>A_REJECT</term>
<listitem>
<para>Audited versions of REJECT. Require AUDIT_TARGET support
in the kernel and ip6tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOG</emphasis></term>
<listitem>
<para>Simply log the packet and continue with the next
rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">QUEUE</emphasis></term>
<listitem>
<para>Queue the packet to a user-space application such as
ftwall (http://p2pwall.sf.net). The application may reinsert
the packet for further processing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
<listitem>
<para>queues matching packets to a back end logging daemon via
a netlink socket then continues to the next rule. See <ulink
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFQUEUE</emphasis></term>
<listitem>
<para>Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not specified, queue
zero (0) is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">?COMMENT</emphasis></term>
<listitem>
<para>the rest of the line will be attached as a comment to
the Netfilter rule(s) generated by the following entries. The
comment will appear delimited by "/* ... */" in the output of
"shorewall6 show &lt;chain&gt;". To stop the comment from
being attached to further rules, simply include ?COMMENT on a
line by itself.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>action</emphasis></term>
<listitem>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
or in /usr/share/shorewall6/actions.std.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>macro</emphasis></term>
<listitem>
<para>The name of a macro defined in a file named
macro.<emphasis>macro</emphasis>. If the macro accepts an
action parameter (Look at the macro source to see if it has
PARAM in the TARGET column) then the
<emphasis>macro</emphasis> name is followed by the
parenthesized <emphasis>target</emphasis> (<emphasis
role="bold">ACCEPT</emphasis>, <emphasis
role="bold">DROP</emphasis>, <emphasis
role="bold">REJECT</emphasis>, ...) to be substituted for the
parameter.</para>
<para>Example: FTP(ACCEPT).</para>
</listitem>
</varlistentry>
</variablelist>
<para>The <emphasis role="bold">ACTION</emphasis> may optionally be
followed by ":" and a syslog log level (e.g, REJECT:info or
Web(ACCEPT):debug). This causes the packet to be logged at the
specified level.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5)
or in /usr/share/shorewall6/actions.std then:</para>
<itemizedlist>
<listitem>
<para>If the log level is followed by "!' then all rules in the
action are logged at the log level.</para>
</listitem>
<listitem>
<para>If the log level is not followed by "!" then only those
rules in the action that do not specify logging are logged at
the specified level.</para>
</listitem>
<listitem>
<para>The special log level <emphasis
role="bold">none!</emphasis> suppresses logging by the
action.</para>
</listitem>
</itemizedlist>
<para>You may also specify <emphasis role="bold">NFLOG</emphasis>
(must be in upper case) as a log level.This will log to the NFLOG
target for routing to a separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>Actions specifying logging may be followed by a log tag (a
string of alphanumeric characters) which is appended to the string
generated by the LOGPREFIX (in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
</listitem>
</varlistentry>
</variablelist>
<para>For the remaining columns, see <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules
(5)</ulink>.</para>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Drop Teredo packets from the net.</para>
<programlisting>DROP net:[2001::/32] all</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>Don't subject packets from 2001:DB8::/64 to the remaining
rules in the file.</para>
<programlisting>WHITELIST net:[2001:DB8::/64] all</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/blrules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

739
Shorewall6/manpages/shorewall6-conntrack.xml
View File

@ -1,739 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-conntrack</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>conntrack</refname>
<refpurpose>shorewall6 conntrack file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/conntrack</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The original intent of the <emphasis role="bold">notrack</emphasis>
file was to exempt certain traffic from Netfilter connection tracking.
Traffic matching entries in the file were not to be tracked.</para>
<para>The role of the file was expanded in Shorewall 4.4.27 to include all
rules that can be added in the Netfilter <emphasis
role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
<emphasis role="bold">conntrack</emphasis>.</para>
<para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
and FORMAT 3, FORMAT 1 being the default. The three differ as
follows:</para>
<itemizedlist>
<listitem>
<para>in FORMAT 2 and 3, there is an additional leading ACTION
column.</para>
</listitem>
<listitem>
<para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
ACTION column allows a SUFFIX that determines the chain(s) that the
generated rule will be added to.</para>
</listitem>
</itemizedlist>
<para>When an entry in the following form is encountered, the format of
the following entries are assumed to be of the specified
<replaceable>format</replaceable>.</para>
<simplelist>
<member><emphasis role="bold">?FORMAT</emphasis>
<replaceable>format</replaceable></member>
</simplelist>
<para>where <replaceable>format</replaceable> is either <emphasis
role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
role="bold">3</emphasis>.</para>
<para>Format 3 was introduced in Shorewall 4.5.10.</para>
<para>Comments may be attached to Netfilter rules generated from entries
in this file through the use of ?COMMENT lines. These lines begin with
?COMMENT; the remainder of the line is treated as a comment which is
attached to subsequent rules until another ?COMMENT line is found or until
the end of the file is reached. To stop adding comments to rules, use a
line with only ?COMMENT.</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION</emphasis> - {<emphasis
role="bold">NOTRACK</emphasis>|<emphasis
role="bold">CT</emphasis>:<emphasis
role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
role="bold">CT:ctevents:<replaceable>event</replaceable>[,...]|CT:expevents:new|notrack</emphasis>|DROP|LOG|NFLOG(<replaceable>nflog-parameters</replaceable>)|IP6TABLES(<replaceable>target</replaceable>)}[:<replaceable>log-level</replaceable>[:<replaceable>log-tag</replaceable>]][:<replaceable>chain-designator</replaceable>]</term>
<listitem>
<para>This column is only present when FORMAT &gt;= 2. Values other
than NOTRACK require <firstterm>CT Target </firstterm>support in
your iptables and kernel.</para>
<itemizedlist>
<listitem>
<para><option>NOTRACK</option> or
<option>CT:notrack</option></para>
<para>Disables connection tracking for this packet. If a
<replaceable>log-level</replaceable> is specified, the packet
will also be logged at that level.</para>
</listitem>
<listitem>
<para><option>helper</option>:<replaceable>name</replaceable></para>
<para>Attach the helper identified by the
<replaceable>name</replaceable> to this connection. This is more
flexible than loading the conntrack helper with preset ports. If
a <replaceable>log-level</replaceable> is specified, the packet
will also be logged at that level.</para>
<para>At this writing, the available helpers are:</para>
<variablelist>
<varlistentry>
<term>amanda</term>
<listitem>
<para>Requires that the amanda netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ftp</term>
<listitem>
<para>Requires that the FTP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>irc</term>
<listitem>
<para>Requires that the IRC netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>netbios-ns</term>
<listitem>
<para>Requires that the netbios_ns (sic) helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RAS and Q.931</term>
<listitem>
<para>These require that the H323 netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pptp</term>
<listitem>
<para>Requires that the pptp netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>sane</term>
<listitem>
<para>Requires that the SANE netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>sip</term>
<listitem>
<para>Requires that the SIP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>snmp</term>
<listitem>
<para>Requires that the SNMP netfilter helper is
present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>tftp</term>
<listitem>
<para>Requires that the TFTP netfilter helper is
present.</para>
</listitem>
</varlistentry>
</variablelist>
<para>May be followed by an option list of
<replaceable>arg</replaceable>=<replaceable>val</replaceable>
pairs in parentheses:</para>
<itemizedlist>
<listitem>
<para><option>ctevents</option>=<replaceable>event</replaceable>[,...]</para>
<para>Only generate the specified conntrack events for this
connection. Possible event types are: <emphasis
role="bold">new</emphasis>, <emphasis
role="bold">related</emphasis>, <emphasis
role="bold">destroy</emphasis>, <emphasis
role="bold">reply</emphasis>, <emphasis
role="bold">assured</emphasis>, <emphasis
role="bold">protoinfo</emphasis>, <emphasis
role="bold">helper</emphasis>, <emphasis
role="bold">mark</emphasis> (this is connection mark, not
packet mark), <emphasis role="bold">natseqinfo</emphasis>,
and <emphasis role="bold">secmark</emphasis>. If more than
one <emphasis>event</emphasis> is listed, the
<replaceable>event</replaceable> list must be enclosed in
parentheses (e.g., ctevents=(new,related)).</para>
</listitem>
<listitem>
<para><option>expevents</option><option>=new</option></para>
<para>Only generate <emphasis role="bold">new</emphasis>
expectation events for this connection.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>ctevents:<replaceable>event</replaceable>[,...]</para>
<para>Added in Shorewall 4.6.10. Only generate the specified
conntrack events for this connection. Possible event types are:
<emphasis role="bold">new</emphasis>, <emphasis
role="bold">related</emphasis>, <emphasis
role="bold">destroy</emphasis>, <emphasis
role="bold">reply</emphasis>, <emphasis
role="bold">assured</emphasis>, <emphasis
role="bold">protoinfo</emphasis>, <emphasis
role="bold">helper</emphasis>, <emphasis
role="bold">mark</emphasis> (this is connection mark, not packet
mark), <emphasis role="bold">natseqinfo</emphasis>, and
<emphasis role="bold">secmark</emphasis>.</para>
</listitem>
<listitem>
<para>expevents=new</para>
<para>Added in Shorewall 4.6.10. Only generate <emphasis
role="bold">new</emphasis> expectation events for this
connection.</para>
</listitem>
<listitem>
<para><option>DROP</option></para>
<para>Added in Shorewall 4.5.10. Silently discard the packet. If
a <replaceable>log-level</replaceable> is specified, the packet
will also be logged at that level.</para>
</listitem>
<listitem>
<para><option>IP6TABLES</option>(<replaceable>target</replaceable>)</para>
<para>Added in Shorewall 4.6.0. Allows you to specify any
iptables <replaceable>target</replaceable> with target options
(e.g., "IP6TABLES(AUDIT --type drop)"). If the target is not one
recognized by Shorewall, the following error message will be
issued:</para>
<simplelist>
<member>ERROR: Unknown target
(<replaceable>target</replaceable>)</member>
</simplelist>
<para>This error message may be eliminated by adding
<replaceable>target</replaceable> as a builtin action in <ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para>
</listitem>
<listitem>
<para><option>LOG</option></para>
<para>Added in Shoreawll 4.6.0. Logs the packet using the
specified <replaceable>log-level</replaceable> and<replaceable>
log-tag </replaceable>(if any). If no log-level is specified,
then 'info' is assumed.</para>
</listitem>
<listitem>
<para><option>NFLOG</option></para>
<para>Added in Shoreawll 4.6.0. Queues the packet to a backend
logging daemon using the NFLOG netfilter target with the
specified <replaceable>nflog-parameters</replaceable>.</para>
</listitem>
</itemizedlist>
<para>When FORMAT = 1, this column is not present and the rule is
processed as if NOTRACK had been entered in this column.</para>
<para>Beginning with Shorewall 4.5.10, when FORMAT = 3, this column
can end with a colon followed by a
<replaceable>chain-designator</replaceable>. The
<replaceable>chain-designator</replaceable> can be one of the
following:</para>
<variablelist>
<varlistentry>
<term>P</term>
<listitem>
<para>The rule is added to the raw table PREROUTING chain.
This is the default if no
<replaceable>chain-designator</replaceable> is present.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>O</term>
<listitem>
<para>The rule is added to the raw table OUTPUT chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PO or OP</term>
<listitem>
<para>The rule is added to the raw table PREROUTING and OUTPUT
chains.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE (formats 1 and 2)
<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]</term>
<listitem>
<para>where <replaceable>zone</replaceable> is the name of a zone,
<replaceable>interface</replaceable> is an interface to that zone,
and <replaceable>address-list</replaceable> is a comma-separated
list of addresses (may contain exclusion - see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para>
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
used as the <replaceable>zone</replaceable> name to mean
<firstterm>all zones</firstterm>.</para>
<para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
used as the <replaceable>zone</replaceable> name to mean all
<firstterm>off-firewall zone</firstterm>s.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SOURCE (format 3 prior to Shorewall 5.1.0)
{-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
<listitem>
<para>Where <replaceable>interface</replaceable> is an interface to
that zone, and <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para>
<para>COMMENT is only allowed in format 1; the remainder of the line
is treated as a comment that will be associated with the generated
rule(s).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
later) -
{-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
<listitem>
<para>where <replaceable>source-spec</replaceable> is one of the
following:</para>
<variablelist>
<varlistentry>
<term><replaceable>interface</replaceable></term>
<listitem>
<para>Where interface is the logical name of an interface
defined in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interface</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>where <replaceable>address</replaceable> may be:</para>
<itemizedlist>
<listitem>
<para>A host or network IP address.</para>
</listitem>
<listitem>
<para>A MAC address in Shorewall format (preceded by a
tilde ("~") and using dash ("-") as a separator.</para>
</listitem>
<listitem>
<para>The name of an ipset preceded by a plus sign ("+").
See <ulink
url="/manpages6/shorewall6-ipsets.html">shorewall6-ipsets</ulink>(5).</para>
</listitem>
</itemizedlist>
<para><replaceable>exclusion</replaceable> is described in
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>This form combines the preceding two and requires that
both the incoming interace and source address match.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>exclusion</replaceable></term>
<listitem>
<para>See <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall-exclusion</ulink>
(5)</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.1.0, multiple
<replaceable>source-spec</replaceable>s separated by commas may be
specified provided that the following alternative forms are
used:</para>
<blockquote>
<para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para>(<replaceable>exclusion</replaceable>)</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term>DEST (Prior to Shorewall 5.1.0)
{-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
<listitem>
<para>where <replaceable>address-list</replaceable> is a
comma-separated list of addresses (may contain exclusion - see
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
{-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
<listitem>
<para>where <replaceable>dest-spec</replaceable> is one of the
following:</para>
<variablelist>
<varlistentry>
<term><replaceable>interface</replaceable></term>
<listitem>
<para>Where interface is the logical name of an interface
defined in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>where <replaceable>address</replaceable> may be:</para>
<itemizedlist>
<listitem>
<para>A host or network IP address.</para>
</listitem>
<listitem>
<para>A MAC address in Shorewall format (preceded by a
tilde ("~") and using dash ("-") as a separator.</para>
</listitem>
<listitem>
<para>The name of an ipset preceded by a plus sign ("+").
See <ulink
url="/manpages6/shorewall6-ipsets.html">shorewall6-ipsets</ulink>(5).</para>
</listitem>
</itemizedlist>
<para><replaceable>exclusion</replaceable> is described in
<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>This form combines the preceding two and requires that
both the outgoing interace and destination address
match.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>exclusion</replaceable></term>
<listitem>
<para>See <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5)</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.1.0, multiple source-specs
separated by commas may be specified provided that the following
alternative forms are used:</para>
<blockquote>
<para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
<para>(<replaceable>exclusion</replaceable>)</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term>PROTO
<replaceable>protocol-name-or-number</replaceable>[,...]</term>
<listitem>
<para>A protocol name from <filename>/etc/protocols</filename> or a
protocol number.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DPORT -
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>A comma-separated list of port numbers and/or service names
from <filename>/etc/services</filename>. May also include port
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
in this column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
<para>This column was formerly labelled DEST PORT(S).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SPORT -
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>A comma-separated list of port numbers and/or service names
from <filename>/etc/services</filename>. May also include port
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DPORT column is non-empty. This causes the
rule to match when either the source port or the destination port in
a packet matches one of the ports specified in DPORT.</para>
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
in this column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
<para>This column was formerly labelled SOURCE PORT(S).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>USER
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
<listitem>
<para>May only be specified if the SOURCE
<replaceable>zone</replaceable> is $FW. Specifies the effective user
id and or group id of the process sending the traffic.</para>
<para>This column was formerly labelled USER/GROUP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
<listitem>
<para>Added in Shorewall6 4.5.10 and allows enabling and disabling
the rule without requiring <command>shorewall6
restart</command>.</para>
<para>Enables the rule if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. Disables the rule if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.</para>
<para>Within the <replaceable>switch-name</replaceable>, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a
added. The <replaceable>switch-name</replaceable> (after '@...'
expansion) must begin with a letter and be composed of letters,
decimal digits, underscores or hyphens. Switch names must be 30
characters or less in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall6
restart</command>.</para>
<para>When the <replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the
<command>start</command> command. Other commands do not affect the
switch setting.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLES</title>
<para>Example 1:</para>
<para>Use the FTP helper for TCP port 21 connections from the firewall
itself.</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
<para>Example 2 (Shorewall 4.5.10 or later):</para>
<para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP all-:2001:1.2.3::4 -
DROP all 2001:1.2.3::4
</programlisting>
<para>or<programlisting>FORMAT 3
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP:P 2001:1.2.3::4 -
DROP:PO - 2001:1.2.3::4
</programlisting></para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/notrack</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5),
shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

115
Shorewall6/manpages/shorewall6-exclusion.xml
View File

@ -1,115 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-exclusion</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>exclusion</refname>
<refpurpose>Exclude a set of hosts from a definition in a shorewall6
configuration file.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<arg choice="plain"
rep="repeat"><option>!</option><replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]</arg>
</cmdsynopsis>
<cmdsynopsis>
<arg choice="plain"
rep="repeat"><option>!</option><replaceable>zone-name</replaceable>[,<replaceable>zone-name</replaceable>]</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Exclusion is used when you wish to exclude one or more addresses
from a definition. An exclamation point is followed by a comma-separated
list of addresses. The addresses may be single host addresses (e.g.,
fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format
(e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and ip6tables include
iprange support, you may also specify ranges of ip addresses of the form
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
<para>No embedded white-space is allowed.</para>
<para>Exclusion can appear after a list of addresses and/or address
ranges. In that case, the final list of address is formed by taking the
first list and then removing the addresses defined in the
exclusion.</para>
<para>Beginning in Shorewall 4.4.13, the second form of exclusion is
allowed after <emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> in the SOURCE and DEST columns of
/etc/shorewall/rules. It allows you to omit arbitrary zones from the list
generated by those key words.</para>
<warning>
<para>If you omit a sub-zone and there is an explicit or explicit
CONTINUE policy, a connection to/from that zone can still be matched by
the rule generated for a parent zone.</para>
<para>For example:</para>
<blockquote>
<para>/etc/shorewall6/zones:</para>
<programlisting>#ZONE TYPE
z1 ip
z2:z1 ip
...</programlisting>
<para>/etc/shorewall6/policy:</para>
<programlisting>#SOURCE DEST POLICY
z1 net CONTINUE
z2 net REJECT</programlisting>
<para>/etc/shorewall6/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT all!z2 net tcp 22</programlisting>
<para>In this case, SSH connections from <emphasis
role="bold">z2</emphasis> to <emphasis role="bold">net</emphasis> will
be accepted by the generated <emphasis role="bold">z1</emphasis> to
net ACCEPT rule.</para>
</blockquote>
</warning>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/hosts</para>
<para>/etc/shorewall6/masq</para>
<para>/etc/shorewall6/rules</para>
<para>/etc/shorewall6/tcrules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>

210
Shorewall6/manpages/shorewall6-hosts.xml
View File

@ -1,210 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-hosts</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>hosts</refname>
<refpurpose>shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/hosts</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define zones in terms of subnets and/or
individual IP addresses. Most simple setups don't need to (should not)
place anything in this file.</para>
<para>The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
determines the order in which the records in this file are
interpreted.</para>
<warning>
<para>The only time that you need this file is when you have more than
one zone connected through a single interface.</para>
</warning>
<warning>
<para>If you have an entry for a zone and interface in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
then do not include any entries in this file for that same (zone,
interface) pair.</para>
</warning>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ZONE</emphasis> -
<emphasis>zone-name</emphasis></term>
<listitem>
<para>The name of a zone declared in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).
You may not list the firewall zone in this column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HOST(S)</emphasis> (hosts)-
<emphasis>interface</emphasis>:{<replaceable>address-or-range</replaceable>[,<replaceable>address-or-range</replaceable>]...|+<replaceable>ipset</replaceable>|<option>dynamic</option>}[<replaceable>exclusion</replaceable>]</term>
<listitem>
<para>The name of an interface defined in the <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
file followed by a colon (":") and a comma-separated list whose
elements are either:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The IPv6 <replaceable>address</replaceable> of a
host.</para>
</listitem>
<listitem>
<para>A network in CIDR format.</para>
</listitem>
<listitem>
<para>An IP address range of the form
[<emphasis>low.address</emphasis>]-[<emphasis>high.address</emphasis>].
Your kernel and ip6tables must have iprange match
support.</para>
</listitem>
<listitem>
<para>The name of an <emphasis>ipset</emphasis>.</para>
</listitem>
<listitem>
<para>The word <option>dynamic</option> which makes the zone
dynamic in that you can use the <command>shorewall add</command>
and <command>shorewall delete</command> commands to change to
composition of the zone. This capability was added in Shorewall
4.4.21.</para>
</listitem>
</orderedlist>
<blockquote>
<para>You may also exclude certain hosts through use of an
<emphasis>exclusion</emphasis> (see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term>OPTIONS - [<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>An optional comma-separated list of options from the following
list. The order in which you list the options is not significant but
the list must have no embedded white-space.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Check packets arriving on this port against the <ulink
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipsec</emphasis></term>
<listitem>
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
that if the zone named in the ZONE column is specified as an
IPSEC zone in the <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5)
file then you do NOT need to specify the 'ipsec' option
here.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss</emphasis>=<replaceable>mss</replaceable></term>
<listitem>
<para>Added in Shorewall 4.5.2. When present, causes the TCP
mss for new connections to/from the hosts given in the HOST(S)
column to be clamped at the specified
<replaceable>mss</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routeback</emphasis></term>
<listitem>
<para>shorewall6 should set up the infrastructure to pass
packets from this/these address(es) back to themselves. This
is necessary if hosts in this group use the services of a
transparent proxy that is a member of the group or if DNAT is
used to send requests originating from this group to a server
in the group.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tcpflags</emphasis></term>
<listitem>
<para>Packets arriving from these hosts are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/hosts</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>

733
Shorewall6/manpages/shorewall6-interfaces.xml
View File

@ -1,733 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-interfaces</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>interfaces</refname>
<refpurpose>shorewall6 interfaces file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/interfaces</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The interfaces file serves to define the firewall's network
interfaces to shorewall6. The order of entries in this file is not
significant in determining zone composition.</para>
<para>Beginning with Shorewall 4.5.3, the interfaces file supports two
different formats:</para>
<variablelist>
<varlistentry>
<term>FORMAT 1 (default - deprecated)</term>
<listitem>
<para>There is a ANYCAST column which provides compatibility with
older versions of Shorewall..</para>
</listitem>
</varlistentry>
<varlistentry>
<term>FORMAT 2</term>
<listitem>
<para>The BROADCAST column is omitted.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The format is specified by a line as follows:</para>
<blockquote>
<para><emphasis role="bold">?FORMAT {1|2}</emphasis></para>
</blockquote>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ZONE</emphasis> -
<emphasis>zone-name</emphasis></term>
<listitem>
<para>Zone for this interface. Must match the name of a zone
declared in /etc/shorewall6/zones. You may not list the firewall
zone in this column.</para>
<para>If the interface serves multiple zones that will be defined in
the <ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
file, you should place "-" in this column.</para>
<para>If there are multiple interfaces to the same zone, you must
list them in separate entries.</para>
<para>Example:</para>
<blockquote>
<programlisting>#ZONE INTERFACE BROADCAST
loc eth1 -
loc eth2 -</programlisting>
</blockquote>
<para>Beginning with Shorewall 4.5.17, if you specify a zone for the
'lo' interface, then that zone must be defined as type
<option>local</option> in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis><emphasis
role="bold">[:</emphasis><emphasis>port</emphasis><emphasis
role="bold">]</emphasis></term>
<listitem>
<para>Logical name of interface. Each interface may be listed only
once in this file. You may NOT specify the name of a "virtual"
interface (e.g., eth0:0) here; see <ulink
url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
If the <option>physical</option> option is not specified, then the
logical name is also the name of the actual interface.</para>
<para>You may use wildcards here by specifying a prefix followed by
the plus sign ("+"). For example, if you want to make an entry that
applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
ppp1, ppp2, …Please note that the '+' means '<emphasis
role="bold">one</emphasis> or more additional characters' so 'ppp'
does not match 'ppp+'.</para>
<para>Care must be exercised when using wildcards where there is
another zone that uses a matching specific interface. See <ulink
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
for a discussion of this problem.</para>
<para>Shorewall6 allows '+' as an interface name.</para>
<para>There is no need to define the loopback interface (lo) in this
file.</para>
<para>If a <replaceable>port</replaceable> is given, then the
<replaceable>interface</replaceable> must have been defined
previously with the <option>bridge</option> option. The OPTIONS
column must be empty when a <replaceable>port</replaceable> is
given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ANYCAST</emphasis> - <emphasis
role="bold">-</emphasis></term>
<listitem>
<para>Enter '<emphasis role="bold">-'</emphasis> in this column. It
is here for compatibility between Shorewall6 and Shorewall and is
omitted if FORMAT is 2.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OPTIONS</emphasis> (Optional) -
[<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>A comma-separated list of options from the following list. The
order in which you list the options is not significant but the list
should have no embedded white-space.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">accept_ra</emphasis>[={0|1|2}]</term>
<listitem>
<para>Added in Shorewall 4.5.16. Values are:</para>
<variablelist>
<varlistentry>
<term>0</term>
<listitem>
<para>Do not accept Router Advertisements.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>1</term>
<listitem>
<para>Accept Route Advertisements if forwarding is
disabled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>2</term>
<listitem>
<para>Overrule forwarding behavior. Accept Route
Advertisements even if forwarding is enabled.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If the option is specified without a value, then the
value 1 is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Check packets arriving on this interface against the
<ulink
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para>
<para>Beginning with Shorewall 4.4.13:</para>
<itemizedlist>
<listitem>
<para>If a <replaceable>zone</replaceable> is given in the
ZONES column, then the behavior is as if <emphasis
role="bold">blacklist</emphasis> had been specified in the
IN_OPTIONS column of <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
</listitem>
<listitem>
<para>Otherwise, the option is ignored with a
warning:</para>
<blockquote>
<para><emphasis role="bold">WARNING: The 'blacklist'
option is ignored on multi-zone
interfaces</emphasis></para>
</blockquote>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">bridge</emphasis></term>
<listitem>
<para>Designates the interface as a bridge. Beginning with
Shorewall 4.4.7, setting this option also sets
<option>routeback</option>.</para>
<note>
<para>If you have a bridge that you don't intend to define
bport zones on, then it is best to omit this option and
simply specify <option>routeback</option>.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">dbl={none|src|dst|src-dst}</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.10. This option defined whether
or not dynamic blacklisting is applied to packets entering the
firewall through this interface and whether the source address
and/or destination address is to be compared against the
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
<ulink
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>).
The default is determine by the setting of
DYNAMIC_BLACKLIST:</para>
<variablelist>
<varlistentry>
<term>DYNAMIC_BLACKLIST=No</term>
<listitem>
<para>Default is <emphasis role="bold">none</emphasis>
(e.g., no dynamic blacklist checking).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DYNAMIC_BLACKLIST=Yes</term>
<listitem>
<para>Default is <emphasis role="bold">src</emphasis>
(e.g., the source IP address is checked against the
ipset).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DYNAMIC_BLACKLIST=ipset[-only]</term>
<listitem>
<para>Default is <emphasis
role="bold">src</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DYNAMIC_BLACKLIST=ipset[-only],src-dst...</term>
<listitem>
<para>Default is <emphasis
role="bold">src-dst</emphasis> (e.g., the source IP
addresses in checked against the ipset on input and the
destination IP address is checked against the ipset on
packets originating from the firewall and leaving
through this interface).</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">destonly</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.17. Causes the compiler to omit
rules to handle traffic from this interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">dhcp</emphasis></term>
<listitem>
<para>Specify this option when any of the following are
true:</para>
<orderedlist spacing="compact">
<listitem>
<para>the interface gets its IP address via DHCP</para>
</listitem>
<listitem>
<para>the interface is used by a DHCP server running on
the firewall</para>
</listitem>
<listitem>
<para>the interface has a static IP but is on a LAN
segment with lots of DHCP clients.</para>
</listitem>
<listitem>
<para>the interface is a <ulink
url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
server on one port and DHCP clients on another
port.</para>
<note>
<para>If you use <ulink
url="/bridge-Shorewall-perl.html">Shorewall-perl for
firewall/bridging</ulink>, then you need to include
DHCP-specific rules in <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(8).
DHCP uses UDP ports 546 and 547.</para>
</note>
</listitem>
</orderedlist>
<para>This option allows DHCP datagrams to enter and leave the
interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
<listitem>
<para>Sets the /proc/sys/net/ipv6/conf/interface/forwarding
option to the specified value. If no value is supplied, then 1
is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ignore[=1]</emphasis></term>
<listitem>
<para>When specified, causes the generated script to ignore
up/down events from Shorewall-init for this device.
Additionally, the option exempts the interface from hairpin
filtering. When '=1' is omitted, the ZONE column must contain
'-' and <option>ignore</option> must be the only
OPTION.</para>
<para>Beginning with Shorewall 4.5.5, may be specified as
'<option>ignore=1</option>' which only causes the generated
script to ignore up/down events from Shorewall-init; hairpin
filtering is still applied. In this case, the above
restrictions on the ZONE and OPTIONS columns are
lifted.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">loopback</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.6. Designates the interface as
the loopback interface. This option is assumed if the
interface's physical name is 'lo'. Only one interface man have
the <option>loopback</option> option specified.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
<listitem>
<para>Causes forwarded TCP SYN packets entering or leaving on
this interface to have their MSS field set to the specified
<replaceable>number</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">nets=(<emphasis>net</emphasis>[,...])</emphasis></term>
<listitem>
<para>Limit the zone named in the ZONE column to only the
listed networks. If you specify this option, be sure to
include the link-local network (ff80::/10).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nets=dynamic</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.21. Defines the zone as
<firstterm>dynamic</firstterm>. Requires ipset match support
in your iptables and kernel. See <ulink
url="/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
for further information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nodbl</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.8. When specified, dynamic
blacklisting is disabled on the interface. Beginning with
Shorewall 5.0.10, <emphasis role="bold">nodbl</emphasis> is
equivalent to <emphasis
role="bold">dbl=none</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">optional</emphasis></term>
<listitem>
<para>When <option>optional</option> is specified for an
interface, shorewall6 will be silent when:</para>
<itemizedlist>
<listitem>
<para>a <filename
class="directory">/proc/sys/net/ipv6/conf/</filename>
entry for the interface cannot be modified.</para>
</listitem>
<listitem>
<para>The first global IPv6 address of the interface
cannot be obtained.</para>
</listitem>
</itemizedlist>
<para>This option may not be specified together with <emphasis
role="bold">required</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">physical</emphasis>=<emphasis
role="bold"><emphasis>name</emphasis></emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.4. When specified, the interface
or port name in the INTERFACE column is a logical name that
refers to the name given in this option. It is useful when you
want to specify the same wildcard port name on two or more
bridges. See <ulink
url="/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
<para>If the <emphasis>interface</emphasis> name is a wildcard
name (ends with '+'), then the physical
<emphasis>name</emphasis> must also end in '+'.</para>
<para>If <option>physical</option> is not specified, then it's
value defaults to the <emphasis>interface</emphasis>
name.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">required</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.10. When specified, the firewall
will fail to start if the interface named in the INTERFACE
column is not usable. May not be specified together with
<emphasis role="bold">optional</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routeback[={0|1}]</emphasis></term>
<listitem>
<para>If specified, indicates that shorewall6 should include
rules that allow traffic arriving on this interface to be
routed back out that same interface. This option is also
required when you have used a wildcard in the INTERFACE column
if you want to allow traffic between the interfaces that match
the wildcard.</para>
<para>If you specify this option, then you should also specify
<option>rpfilter</option> (see below) if you are running
Shorewall 4.5.7 or later; otherwise, you should specify
<option>sfilter</option> (see below).</para>
<para>Beginning with Shorewall 4.5.18, you may specify this
option to explicitly reset (e.g., <emphasis
role="bold">routeback=0</emphasis>). This can be used to
override Shorewall's default setting for bridge devices which
is <emphasis role="bold">routeback=1</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">rpfilter</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.7. This is an anti-spoofing
measure that requires the 'RPFilter Match' capability in your
iptables and kernel. It provides a more efficient alternative
to the <option>sfilter</option> option below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">sourceroute[={0|1}]</emphasis></term>
<listitem>
<para>If this option is not specified for an interface, then
source-routed packets will not be accepted from that interface
unless explicitly enabled via sysconf. Only set this option to
1 (enable source routing) if you know what you are doing. This
might represent a security risk and is not usually
needed.</para>
<para>Only those interfaces with the
<option>sourceroute</option> option will have their setting
changed; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">sfilter=(<emphasis>net</emphasis>[,...])</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.20. At this writing (spring
2011), Linux does not support reverse path filtering (RFC3704)
for IPv6. In its absence, <option>sfilter</option> may be used
as an anti-spoofing measure.</para>
<para>This option should be used on bridges or other
interfaces with the <option>routeback</option> option. On
these interfaces, <option>sfilter</option> should list those
local networks that are connected to the firewall through
other interfaces.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tcpflags[={0|1}]</emphasis></term>
<listitem>
<para>Packets arriving on this interface are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
<para>Beginning with Shorewall 4.6.0, tcpflags=1 is the
default. To disable this option, specify tcpflags=0.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
<listitem>
<para>Sets
/proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
<para><emphasis role="bold">Note</emphasis>: This option does
not work with a wild-card <replaceable>interface</replaceable>
name (e.g., eth0.+) in the INTERFACE column.</para>
<para>Only those interfaces with the <option>proxyndp</option>
option will have their setting changed; the value assigned to
the setting will be the value specified (if any) or 1 if no
value is given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">unmanaged</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.18. Causes all traffic between
the firewall and hosts on the interface to be accepted. When
this option is given:</para>
<itemizedlist>
<listitem>
<para>The ZONE column must contain '-'.</para>
</listitem>
<listitem>
<para>Only the following other options are allowed with
<emphasis role="bold">unmanaged</emphasis>:</para>
<simplelist>
<member><emphasis
role="bold">accept_ra</emphasis></member>
<member><emphasis
role="bold">forward</emphasis></member>
<member><emphasis role="bold">ignore</emphasis></member>
<member><emphasis
role="bold">optional</emphasis></member>
<member><emphasis
role="bold">physical</emphasis></member>
<member><emphasis
role="bold">sourceroute</emphasis></member>
<member><emphasis
role="bold">proxyndp</emphasis></member>
</simplelist>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">wait</emphasis>=<emphasis>seconds</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.10. Causes the generated script
to wait up to <emphasis>seconds</emphasis> seconds for the
interface to become usable before applying the <emphasis
role="bold">required</emphasis> or <emphasis
role="bold">optional</emphasis> options.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Suppose you have eth0 connected to a DSL modem and eth1
connected to your local network You have a DMZ using eth2.</para>
<para>Your entries for this setup would look like:</para>
<programlisting>FORMAT 2
#ZONE INTERFACE OPTIONS
net eth0 -
loc eth1 -
dmz eth2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 4 (Shorewall 4.4.9 and later):</term>
<listitem>
<para>You have a bridge with no IP address and you want to allow
traffic through the bridge.</para>
<programlisting>FORMAT 2
#ZONE INTERFACE OPTIONS
- br0 bridge</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/interfaces</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

274
Shorewall6/manpages/shorewall6-ipsets.xml
View File

@ -1,274 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-ipsets</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>ipsets</refname>
<refpurpose>Specifying the name if an ipset in Shorewall6 configuration
files</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>+<replaceable>ipsetname</replaceable></command>
</cmdsynopsis>
<cmdsynopsis>
<command>+<replaceable>ipsetname</replaceable>[<replaceable>flag</replaceable>,...]</command>
</cmdsynopsis>
<cmdsynopsis>
<command>+[ipsetname,...]</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Note: In the above syntax descriptions, the square brackets ("[]")
are to be taken literally rather than as meta-characters.</para>
<para>In most places where a network address may be entered, an ipset may
be substituted. Set names must be prefixed by the character "+", must
start with a letter and may be composed of alphanumeric characters, "-"
and "_".</para>
<para>Whether the set is matched against the packet source or destination
is determined by which column the set name appears (SOURCE or DEST). For
those set types that specify a tuple, two alternative syntaxes are
available:</para>
<simplelist>
<member>[<replaceable>number</replaceable>] - Indicates that 'src' or
'dst' should repeated number times. Example: myset[2].</member>
<member>[<replaceable>flag</replaceable>,...] where
<replaceable>flag</replaceable> is <option>src</option> or
<option>dst</option>. Example: myset[src,dst].</member>
</simplelist>
<para>In a SOURCE or SPORT column, the following pairs are
equivalent:</para>
<itemizedlist>
<listitem>
<para>+myset[2] and +myset[src,src]</para>
</listitem>
</itemizedlist>
<para>In a DEST or DPORT column, the following pairs are
equivalent:</para>
<itemizedlist>
<listitem>
<para>+myset[2] and +myset[dst,dst]</para>
</listitem>
</itemizedlist>
<para>Beginning with Shorewall 4.4.14, multiple source or destination
matches may be specified by enclosing the set names within +[...]. The set
names need not be prefixed with '+'. When such a list of sets is
specified, matching packets must match all of the listed sets.</para>
<para>For information about set lists and exclusion, see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5).</para>
<para>Beginning with Shorewall 4.5.16, you can increment one or more
nfacct objects each time a packet matches an ipset. You do that by listing
the objects separated by commas within parentheses.</para>
<para>Example:</para>
<simplelist>
<member>+myset[src](myobject)</member>
</simplelist>
<para>In that example, when the source address of a packet matches the
<emphasis role="bold">myset</emphasis> ipset, the <emphasis
role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
<para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
any) can be immediately be followed by a list of match options.</para>
<important>
<para>These additional match options are not available in <ulink
url="/manpages6/shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink>.</para>
</important>
<para>Available options are:</para>
<variablelist>
<varlistentry>
<term>nomatch</term>
<listitem>
<para>If the set type supports the nomatch flag, then the matching
is reversed: a match with an element flagged with nomatch returns
true, while a match with a plain element returns false. This option
requires the 'Ipset Match nomatch' capability in your kernel and
ip[6]tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>no-update-counters</term>
<listitem>
<para>The packet and byte counters of the matching element in the
set won't be updated. By default, the packet and byte counters are
updated. This option and those that follow require the 'Ipset Match
counters' capability in your kernel and ip[6]tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>no-update-subcounters</term>
<listitem>
<para>The packet and byte counters of the matching element in the
member set of a list type of set won't be updated. Default the
packet and byte counters are updated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>packets=<replaceable>value</replaceable></term>
<listitem>
<para>If the packet is matched an element in the set, match only if
the packet counter of the element matches the given
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>packets&lt;<replaceable>value</replaceable></term>
<listitem>
<para>If the packet is matched an element in the set, match only if
the packet counter of the element is less than the given
<replaceable>value</replaceable> as well.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>packets&gt;<replaceable>value</replaceable></term>
<listitem>
<para>If the packet is matched an element in the set, match only if
the packet counter of the element is greater than the given
<replaceable>value</replaceable> as well.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>packets!=<replaceable>value</replaceable></term>
<listitem>
<para>If the packet is matched an element in the set, match only if
the packet counter of the element does not match the given
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>bytes=<replaceable>value</replaceable></term>
<listitem>
<para>If the packet is matched an element in the set, match only if
the byte counter of the element matches the given
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>bytes&lt;<replaceable>value</replaceable></term>
<listitem>
<para>If the packet is matched an element in the set, match only if
the byte counter of the element is less than the given
<replaceable>value</replaceable> as well.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>bytes&gt;<replaceable>value</replaceable></term>
<listitem>
<para>If the packet is matched an element in the set, match only if
the byte counter of the element is greater than the given
<replaceable>value</replaceable> as well.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>bytes&lt;&gt;<replaceable>value</replaceable></term>
<listitem>
<para>If the packet is matched an element in the set, match only if
the byte counter of the element does not match the given
<replaceable>value</replaceable> also.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<para>+myset</para>
<para>+myset[src]</para>
<para>+myset[2]</para>
<para>+[myset1,myset2[dst]]</para>
<para>+myset[src,nomatch,packets&gt;100]</para>
<para>+myset[nomatch,no-update-counters](myObject)</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/accounting</para>
<para>/etc/shorewall6/blrules</para>
<para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para>
<para>/etc/shorewall6/maclist -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para>
<para>/etc/shorewall6/rules</para>
<para>/etc/shorewall6/secmarks</para>
<para>/etc/shorewall6/mangle</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

119
Shorewall6/manpages/shorewall6-maclist.xml
View File

@ -1,119 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-maclist</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>maclist</refname>
<refpurpose>shorewall6 MAC Verification file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/maclist</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define the MAC addresses and optionally their
associated IPv6 addresses to be allowed to use the specified interface.
The feature is enabled by using the <emphasis
role="bold">maclist</emphasis> option in the <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
or <ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
configuration file.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">DISPOSITION</emphasis> - {<emphasis
role="bold">ACCEPT</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>}[<option>:</option><replaceable>log-level</replaceable>]</term>
<listitem>
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then REJECT is also allowed). If specified, the
<replaceable>log-level</replaceable> causes packets matching the
rule to be logged at that level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis></term>
<listitem>
<para>Network <emphasis>interface</emphasis> to a host.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MAC</emphasis> -
<emphasis>address</emphasis></term>
<listitem>
<para>MAC <emphasis>address</emphasis> of the host -- you do not
need to use the shorewall6 format for MAC addresses here. If
<emphasis role="bold">IP ADDRESSES</emphasis> is supplied then
<emphasis role="bold">MAC</emphasis> can be supplied as a dash
(<emphasis role="bold">-</emphasis>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IP ADDRESSES</emphasis> (Optional) -
[<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>]...]</term>
<listitem>
<para>If specified, both the MAC and IP address must match. This
column can contain a comma-separated list of host and/or subnet
addresses. If your kernel and ip6tables have iprange match support
then IP address ranges are also allowed. Similarly, if your kernel
and ip6tables include ipset support than set names (prefixed by "+")
are also allowed.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/maclist</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/MAC_Validation.html">http://www.shorewall.net/MAC_Validation.html</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

1683
Shorewall6/manpages/shorewall6-mangle.xml
View File

File diff suppressed because it is too large Load Diff

577
Shorewall6/manpages/shorewall6-masq.xml
View File

@ -1,577 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-masq</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>masq</refname>
<refpurpose>Shorewall6 Masquerade/SNAT definition file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/masq</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Use this file to define Source NAT (SNAT). Requires Shorewall 4.5.14
or later.</para>
<warning>
<para>The entries in this file are order-sensitive. The first entry that
matches a particular connection will be the one that is used.</para>
</warning>
<warning>
<para>If you have more than one ISP link, adding entries to this file
will <emphasis role="bold">not</emphasis> force connections to go out
through a particular link. You must use entries in <ulink
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
or PREROUTING entries in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to
do that.</para>
</warning>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">INTERFACE:DEST</emphasis> - {[<emphasis
role="bold">+</emphasis>]<emphasis>interfacelist</emphasis>|[<emphasis
role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
<listitem>
<para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
comma-separated list of interface names. This is usually your
internet interface.</para>
<para>Each interface must match an entry in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>Where <ulink url="MultiISP.html#Shared">more that one
internet provider share a single interface</ulink>, the provider is
specified by including the provider name or number in
parentheses:</para>
<programlisting> eth0(Avvanta)</programlisting>
<para>In that case, you will want to specify the interface's address
for that provider in the ADDRESS column.</para>
<para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
as are ipset names preceded by a plus sign '+'.</para>
<para>Comments may be attached to Netfilter rules generated from
entries in this file through the use of ?COMMENT lines. These lines
begin with ?COMMENT; the remainder of the line is treated as a
comment which is attached to subsequent rules until another ?COMMENT
line is found or until the end of the file is reached. To stop
adding comments to rules, use a line containing only
?COMMENT.</para>
<para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
With the exception of the leading '+', the interfacelist and
qualifiers may appear within the parentheses of <emphasis
role="bold">INLINE</emphasis>(...).</para>
<para>Example:</para>
<programlisting> +INLINE(eth0)</programlisting>
<para>When this is done, you may augment the rule generated by
Shorewall with iptables matches of your own. These matches appear
after a semicolon (';') at the end of the line.</para>
<para>See example 2 below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> (Optional) -
[<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]]</term>
<listitem>
<para>Set of hosts that you wish to SNAT; one or more host or
network addresses separated by comma. You may use ipset names
preceded by a plus sign (+) to specify a set of hosts.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
role="bold">:random</emphasis>][:persistent]|<emphasis
role="bold">detect</emphasis>|<emphasis
role="bold">random</emphasis>]</term>
<listitem>
<para>If you do not specify an address or address range,
masquerading will be performed. This requires <firstterm>Masquerade
Target</firstterm> support in your kernel and ip6tables.</para>
<para>If you specify an address here, SNAT will be used and this
will be the source address.</para>
<para>You may also specify a range of up to 256 IP addresses if you
want the SNAT address to be assigned from that range in a
round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
You may follow the port range with<emphasis
role="bold">:random</emphasis> in which case assignment of ports
from the list will be random. <emphasis
role="bold">random</emphasis> may also be specified by itself in
this column in which case random local port assignments are made for
the outgoing connections.</para>
<para>Example:
[2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010</para>
<para>You may follow the port range (or <emphasis
role="bold">:random</emphasis>) with <emphasis
role="bold">:persistent</emphasis>. This is only useful when an
address range is specified and causes a client to be given the same
source/destination IP pair.</para>
<para>This column may not contain DNS Names.</para>
<para>Normally, Netfilter will attempt to retain the source port
number. You may cause netfilter to remap the source port by
following an address or range (if any) by ":" and a port range with
the format
<emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If this
is done, you must specify "tcp" or "udp" in the PROTO column.</para>
<para>Examples:</para>
<programlisting> [2001:470:a:787::2]:5000-6000</programlisting>
<para>If you simply place <emphasis role="bold">NONAT</emphasis> in
this column, no rewriting of the source IP address or port number
will be performed. This is useful if you want particular traffic to
be exempt from the entries that follow in the file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number
here.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DPORT</emphasis> (Optional) -
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
SCTP (132) or UDPLITE (136) then you may list one or more port
numbers (or names from services(5)) or port ranges separated by
commas.</para>
<para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC</emphasis> (Optional) -
[<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>If you specify a value other than "-" in this column, you must
be running kernel 2.6 and your kernel and iptables must include
policy match support.</para>
<para>Comma-separated list of options from the following. Only
packets that will be encrypted via an SA that matches these options
will have their source address changed.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>where <emphasis>number</emphasis> is specified using
setkey(8) using the 'unique:<emphasis>number</emphasis> option
for the SPD level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
<listitem>
<para>where <emphasis>number</emphasis> is the SPI of the SA
used to encrypt/decrypt packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto=</emphasis><emphasis
role="bold">ah</emphasis>|<emphasis
role="bold">esp</emphasis>|<emphasis
role="bold">ipcomp</emphasis></term>
<listitem>
<para>IPSEC Encapsulation Protocol</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>sets the MSS field in TCP packets</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mode=</emphasis><emphasis
role="bold">transport</emphasis>|<emphasis
role="bold">tunnel</emphasis></term>
<listitem>
<para>IPSEC mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">strict</emphasis></term>
<listitem>
<para>Means that packets must match all rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">next</emphasis></term>
<listitem>
<para>Separates rules; can only be used with strict</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">yes</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will be
encrypted/encapsulated to match the rule.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
<listitem>
<para>Only locally-generated connections will match if this column
is non-empty.</para>
<para>When this column is non-empty, the rule matches only if the
program generating the output is running under the effective
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
specified (or is NOT running under that id if "!" is given).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>joe</term>
<listitem>
<para>program must be run by joe</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:kids</term>
<listitem>
<para>program must be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>!:kids</term>
<listitem>
<para>program must not be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>+upnpd</term>
<listitem>
<para>#program named upnpd</para>
<important>
<para>The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.</para>
</important>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.1 and allows enabling and disabling the
rule without requiring <command>shorewall restart</command>.</para>
<para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.</para>
<para>Within the <replaceable>switch-name</replaceable>, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a
added. The <replaceable>switch-name</replaceable> (after '@...'
expansion) must begin with a letter and be composed of letters,
decimal digits, underscores or hyphens. Switch names must be 30
characters or less in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall
restart</command>.</para>
<para>Beginning with Shorewall 4.5.10, when the
<replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the
<command>start</command> command. Other commands do not affect the
switch setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>(Optional) This column may be included and may contain one or
more addresses (host or network) separated by commas. Address ranges
are not allowed. When this column is supplied, rules are generated
that require that the original destination address matches one of
the listed addresses. It is useful for specifying that SNAT should
occur only for connections that were acted on by a DNAT when they
entered the firewall.</para>
<para>This column was formerly labelled ORIGINAL DEST.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROBABILITY</emphasis> -
[<replaceable>probability</replaceable>]</term>
<listitem>
<para>Added in Shorewall 5.0.0. When non-empty, requires the
<firstterm>Statistics Match</firstterm> capability in your kernel
and ip6tables and causes the rule to match randomly but with the
given <replaceable>probability</replaceable>. The
<replaceable>probability</replaceable> is a number 0 &lt;
<replaceable>probability</replaceable> &lt;= 1 and may be expressed
at up to 8 decimal points of precision.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>You have a simple 'masquerading' setup where eth0 connects to
a DSL or cable modem and eth1 connects to your local network with
subnet 2001:470:b:787::0/64</para>
<para>Your entry in the file will be:</para>
<programlisting> #INTERFACE SOURCE ADDRESS
eth0 2001:470:b:787::0/64 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>Your sit1 interface has two public IP addresses:
2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
iptables statistics match to masquerade outgoing connections evenly
between these two addresses.</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
INLINE(sit1) ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 ::/0 2001:470:a:227::2
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then these rules may be specified as follows:</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
sit1 ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 ::/0 2001:470:a:227::2</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/masq</para>
</refsect1>
</refentry>

98
Shorewall6/manpages/shorewall6-modules.xml
View File

@ -1,98 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-modules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>modules</refname>
<refpurpose>shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/usr/share/shorewall6/modules</command>
</cmdsynopsis>
<cmdsynopsis>
<command>/usr/share/shorewall6/helpers</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>These files specify which kernel modules shorewall6 will load before
trying to determine your ip6tables/kernel's capabilities. The
<filename>modules</filename> file is used when LOAD_HELPERS_ONLY=No in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5);
the <filename>helpers</filename> file is used when
LOAD_HELPERS_ONLY=Yes.</para>
<para>Each record in the files has the following format:</para>
<cmdsynopsis>
<command>loadmodule</command>
<arg choice="plain"><replaceable
class="parameter">modulename</replaceable></arg>
<arg rep="repeat"><replaceable>moduleoption</replaceable></arg>
</cmdsynopsis>
<para>The <replaceable>modulename</replaceable> names a kernel module
(without suffix). shorewall6 will search for modules based on your
MODULESDIR and MODULE_SUFFIX settings in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). The
<replaceable>moduleoption</replaceable>s are passed to modprobe (if
installed) or to insmod.</para>
<para>The /usr/share/shorewall6/modules file contains a large number of
modules. Users are encouraged to copy the file to /etc/shorewall6/modules
and modify the copy to load only the modules required or use
LOAD_HELPERS_ONLY=Yes.<note>
<para>If you build monolithic kernels and have not installed
module-init-tools, then create an empty /etc/shorewall6/modules file;
that will prevent shorewall6 from trying to load modules at
all.</para>
</note></para>
</refsect1>
<refsect1>
<title>Example</title>
<para>loadmodule ip_conntrack_ftp ports=21,221</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/usr/share/shorewall6/modules</para>
<para>/usr/share/shorewall6/helpers</para>
<para>/etc/shorewall6/modules</para>
<para>/etc/shorewall6/helpers</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

147
Shorewall6/manpages/shorewall6-nat.xml
View File

@ -1,147 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-nat</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>nat</refname>
<refpurpose>Shorewall6 one-to-one NAT file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/nat</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define one-to-one Network Address Translation
(NAT).</para>
<warning>
<para>If all you want to do is simple port forwarding, do NOT use this
file. See <ulink
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>.</para>
</warning>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">EXTERNAL</emphasis> -
{<emphasis>address</emphasis>|?COMMENT}</term>
<listitem>
<para>External IP Address - this should NOT be the primary IP
address of the interface named in the next column and must not be a
DNS Name.</para>
<para>If you put ?COMMENT in this column, the rest of the line will
be attached as a comment to the Netfilter rule(s) generated by the
following entries in the file. The comment will appear delimited by
"/* ... */" in the output of "shorewall show nat"</para>
<para>To stop the comment from being attached to further rules,
simply include ?COMMENT on a line by itself.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interfacelist</emphasis>[<emphasis
role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>
<listitem>
<para>Interfaces that have the <emphasis
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
Shorewall will automatically add the EXTERNAL address to this
interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
name with ":" and a <emphasis>digit</emphasis> to indicate that you
want Shorewall to add the alias with this name (e.g., "eth0:0").
That allows you to see the alias with ifconfig. <emphasis
role="bold">That is the only thing that this name is good for -- you
cannot use it anywhere else in your Shorewall configuration.
</emphasis></para>
<para>Each interface must match an entry in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>If you want to override ADD_IP_ALIASES=Yes for a particular
entry, follow the interface name with ":" and no digit (e.g.,
"eth0:").</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERNAL</emphasis> -
<emphasis>address</emphasis></term>
<listitem>
<para>Internal Address (must not be a DNS Name).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>If Yes or yes, NAT will be effective from all hosts. If No or
no (or left empty) then NAT will be effective only through the
interface named in the <emphasis role="bold">INTERFACE</emphasis>
column.</para>
<para>This column was formerly labelled ALL INTERFACES.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOCAL</emphasis> - [<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>If <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, NAT will be effective from the firewall
system</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/nat</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/NAT.htm">http://www.shorewall.net/NAT.htm</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
</refsect1>
</refentry>

123
Shorewall6/manpages/shorewall6-nesting.xml
View File

@ -1,123 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-nesting</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>nesting</refname>
<refpurpose>shorewall6 Nested Zones</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<arg choice="plain"
rep="norepeat"><replaceable>child-zone</replaceable>[:<replaceable>parent-zone</replaceable>[,<replaceable>parent-zone</replaceable>]...]</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>In <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5), a zone
may be declared to be a sub-zone of one or more other zones using the
above syntax. The <replaceable>child-zone</replaceable> may be neither the
firewall zone nor a vserver zone. The firewall zone may not appear as a
parent zone, although all vserver zones are handled as sub-zones of the
firewall zone.</para>
<para>Where zones are nested, the CONTINUE policy in <ulink
url="/manpages6/shorewall6-policy.html">shorewall6-policy</ulink>(5)
allows hosts that are within multiple zones to be managed under the rules
of all of these zones.</para>
</refsect1>
<refsect1>
<title>Example</title>
<para><filename>/etc/shorewall6/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTION
fw firewall
net ipv6
sam:net ipv6
loc ipv6</programlisting>
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect blacklist
loc eth1 detect</programlisting>
<para><filename>/etc/shorewall6/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS
net eth0:[::\]
sam eth0:[2001:19f0:feee::dead:beef:cafe]</programlisting>
<para><filename>/etc/shorewall6/policy</filename>:</para>
<programlisting> #SOURCE DEST POLICY LOG LEVEL
loc net ACCEPT
sam all CONTINUE
net all DROP info
all all REJECT info</programlisting>
<para>The second entry above says that when Sam is the client, connection
requests should first be processed under rules where the source zone is
sam and if there is no match then the connection request should be treated
under rules where the source zone is net. It is important that this policy
be listed BEFORE the next policy (net to all). You can have this policy
generated for you automatically by using the IMPLICIT_CONTINUE option in
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
<programlisting> #ACTION SOURCE DEST PROTO DPORT
...
ACCEPT sam loc:2001:19f0:feee::3 tcp ssh
ACCEPT net loc:2001:19f0:feee::5 tcp www
...</programlisting>
<para>Given these two rules, Sam can connect with ssh to
2001:19f0:feee::3. Like all hosts in the net zone, Sam can connect to TCP
port 80 on 2001:19f0:feee::5. The order of the rules is not
significant.</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/zones</para>
<para>/etc/shorewall6/interfaces</para>
<para>/etc/shorewall6/hosts</para>
<para>/etc/shorewall6/policy</para>
<para>/etc/shorewall6/rules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

185
Shorewall6/manpages/shorewall6-netmap.xml
View File

@ -1,185 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-netmap</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>netmap</refname>
<refpurpose>Shorewall6 NETMAP definition file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/netmap</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to map addresses in one network to corresponding
addresses in a second network. It was added in Shorewall6 4.4.23.3.</para>
<warning>
<para>To use this file, your kernel and ip6tables must have NETMAP
support included.</para>
</warning>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">TYPE</emphasis> - <emphasis
role="bold">{DNAT</emphasis>|<emphasis
role="bold">SNAT}</emphasis></term>
<listitem>
<para>Must be DNAT or SNAT followed by :P, :O or :T to perform
<firstterm>stateless NAT</firstterm>. Stateless NAT requires
<firstterm>Rawpost Table support</firstterm> in your kernel and
iptables (see the output of <command>shorewall6 show
capabilities</command>).</para>
<para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
its destination address rewritten to the corresponding address in
NET2.</para>
<para>If SNAT, traffic leaving INTERFACE with a source address in
NET1 has it's source address rewritten to the corresponding address
in NET2.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NET1</emphasis> -
<emphasis>network-address</emphasis></term>
<listitem>
<para>Network in CIDR format (e.g., 2001:470:b:227/64). Beginning in
Shorewall6 4.4.24, <ulink
url="/manpages6/shorewall6-exclusion.html">exclusion</ulink> is
supported.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis></term>
<listitem>
<para>The name of a network interface. The interface must be defined
in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NET2</emphasis> -
<emphasis>network-address</emphasis></term>
<listitem>
<para>Network in CIDR format</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NET3</emphasis> -
<emphasis>network-address</emphasis></term>
<listitem>
<para>Optional - added in Shorewall 4.4.11. If specified, qualifies
INTERFACE. It specifies a SOURCE network for DNAT rules and a
DESTINATION network for SNAT rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO (Optional</emphasis> -
<emphasis>protocol-number-or-name</emphasis></term>
<listitem>
<para>Only packets specifying this protocol will have their IP
header modified.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DPORT</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term>
<listitem>
<para>Destination Ports. An optional comma-separated list of Port
names (from services(5)), <emphasis>port number</emphasis>s or
<emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See <ulink
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
assumed.</para>
<para>An entry in this field requires that the PROTO column specify
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
any of the following field is supplied.</para>
<para>This column was formerly labelled DEST PORT(S).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SPORT</emphasis> -
<emphasis>port-number-or-name-list</emphasis></term>
<listitem>
<para>Optional source port(s). If omitted, any source port is
acceptable. Specified as a comma-separated list of port names, port
numbers or port ranges.</para>
<para>An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
the following fields is supplied.</para>
<para>This column was formerly labelled SOURCE PORT(S).</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/netmap</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/netmap.html">http://www.shorewall.net/netmap.html</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
</refsect1>
</refentry>

144
Shorewall6/manpages/shorewall6-params.xml
View File

@ -1,144 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-params</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>params</refname>
<refpurpose>Shorewall6 parameters file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/params</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Assign any shell variables that you need in this file. The file is
always processed by <filename>/bin/sh</filename> or by the shell specified
through SHOREWALL_SHELL in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5) so the
full range of shell capabilities may be used.</para>
<para>It is suggested that variable names begin with an upper case letter
to distinguish them from variables used internally within the Shorewall
programs</para>
<para>The following variable names must be avoided. Those in <emphasis
role="bold">bold font</emphasis> must be avoided in all Shorewall
versions; those in regular font must be avoided in versions prior to
4.4.8.</para>
<simplelist>
<member><emphasis role="bold">Any option from <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
(5)</emphasis></member>
<member><emphasis role="bold">COMMAND</emphasis></member>
<member><emphasis role="bold">CONFDIR</emphasis></member>
<member>DEBUG</member>
<member>ECHO_E</member>
<member>ECHO_N</member>
<member>EXPORT</member>
<member>FAST</member>
<member>FILEMODE</member>
<member>HOSTNAME</member>
<member>IPT_OPTIONS</member>
<member>NOROUTES</member>
<member>PREVIEW</member>
<member>PRODUCT</member>
<member>PROFILE</member>
<member>PURGE</member>
<member>RECOVERING</member>
<member>RESTOREPATH</member>
<member>RING_BELL</member>
<member><emphasis role="bold">SHAREDIR</emphasis></member>
<member><emphasis role="bold">Any name beginning with SHOREWALL_ or
SW_</emphasis></member>
<member>STOPPING</member>
<member>TEST</member>
<member>TIMESTAMP</member>
<member>USE_VERBOSITY</member>
<member><emphasis role="bold">VARDIR</emphasis></member>
<member>VERBOSE</member>
<member>VERBOSE_OFFSET</member>
<member>VERSION</member>
</simplelist>
<para>Example params file:</para>
<programlisting>NET_IF=eth0
NET_OPTIONS=dhcp,nosmurfs</programlisting>
<para>Example <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
file.</para>
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
net $NET_IF - $NET_OPTIONS</programlisting>
<para>This is the same as if the interfaces file had contained:</para>
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
net eth0 - dhcp,nosmurfs</programlisting>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/params</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/configuration_file_basics.htm#Variables">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5),
shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

416
Shorewall6/manpages/shorewall6-policy.xml
View File

@ -1,416 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-policy</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>policy</refname>
<refpurpose>shorewall6 policy file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/policy</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file defines the high-level policy for connections between
zones defined in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
<important>
<para>The order of entries in this file is important</para>
<para>This file determines what to do with a new connection request if
we don't get a match from the /etc/shorewall6/rules file . For each
source/destination pair, the file is processed in order until a match is
found ("all" will match any source or destination).</para>
</important>
<important>
<para>Intra-zone policies are pre-defined</para>
<para>For $FW and for all of the zones defined in /etc/shorewall6/zones,
the POLICY for connections from the zone to itself is ACCEPT (with no
logging or TCP connection rate limiting but may be overridden by an
entry in this file. The overriding entry must be explicit (specifying
the zone name on both SOURCE and DEST) or it must use "all+ or it must
use "all+" (Shorewall 4.5.17 or later).</para>
<para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall6.conf,
then the implicit policy to/from any sub-zone is CONTINUE. These
implicit CONTINUE policies may also be overridden by an explicit entry
in this file.</para>
</important>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> -
<emphasis>zone</emphasis>[,...[+]]|<emphasis
role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term>
<listitem>
<para>Source zone. Must be the name of a zone defined in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
$FW, "all" or "all+".</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas. As above, if '+' is specified after two or more
zone names, then the policy overrides the implicit intra-zone ACCEPT
policy if the same <replaceable>zone</replaceable> appears in both
the SOURCE and DEST columns.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> -
<emphasis>zone</emphasis>[,...[+]]|<emphasis
role="bold">$FW</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">all+</emphasis></term>
<listitem>
<para>Destination zone. Must be the name of a zone defined in <ulink
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
$FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE
must be "all", "all+", another bport zone associated with the same
bridge, or it must be an ipv4 zone that is associated with only the
same bridge.</para>
<para>Support for "all+" was added in Shorewall 4.5.17. "all" does
not override the implicit intra-zone ACCEPT policy while "all+"
does.</para>
<para>Beginning with Shorewall 5.0.12, multiple zones may be listed
separated by commas. As above, if '+' is specified after two or more
zone names, then the policy overrides the implicit intra-zone ACCEPT
policy if the same <replaceable>zone</replaceable> appears in both
the SOURCE and DEST columns.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">POLICY</emphasis> - {<emphasis
role="bold">ACCEPT</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>|BLACKLIST|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis
role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
role="bold">NONE</emphasis>}[<emphasis
role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
role="bold">None</emphasis>}]</term>
<listitem>
<para>Policy if no match from the rules file is found.</para>
<para>If the policy is neither CONTINUE nor NONE then the policy may
be followed by ":" and one of the following:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The word "None" or "none". This causes any default action
defined in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
to be omitted for this policy.</para>
</listitem>
<listitem>
<para>The name of an action. The action will be invoked before
the policy is enforced.</para>
</listitem>
</orderedlist>
<para>Actions can have parameters specified.</para>
<para>Beginning with Shorewall 4.5.10, the action name can be
followed optionally by a colon and a log level. The level will be
applied to each rule in the action or body that does not already
have a log level.</para>
<para>Beginning with Shorewall 5.1.2, multiple
<replaceable>action</replaceable>[:<replaceable>level</replaceable>]
pairs may be specified, separated by commas. The actions are invoked
in the order listed. Also beginning with Shorewall 5.1.2, the
policy-action list can be prefixed with a plus sign ("+") indicating
that the listed actions are in addition to those listed in the
related _DEFAULT setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Possible policies are:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACCEPT</emphasis></term>
<listitem>
<para>Accept the connection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DROP</emphasis></term>
<listitem>
<para>Ignore the connection request.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">REJECT</emphasis></term>
<listitem>
<para>For TCP, send RST. For all other, send an "unreachable"
ICMP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem>
<para>Added in Shorewall 5.1.1 and requires that the
DYNAMIC_BLACKLIST setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
specifies ipset-based dynamic blacklisting. The SOURCE IP
address is added to the blacklist ipset and the connection
request is ignored.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">QUEUE</emphasis></term>
<listitem>
<para>Queue the request for a user-space application such as
Snort-inline.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFQUEUE</emphasis></term>
<listitem>
<para>Queue the request for a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber1</replaceable> is not given, queue
zero (0) is assumed. Beginning with Shorewall 4.6.10, a second
queue number (queuenumber2) may be given. This specifies a
range of queues to use. Packets are then balanced across the
given queues. This is useful for multicore systems: start
multiple instances of the userspace program on queues x, x+1,
.. x+n and use "x:x+n". Packets belonging to the same
connection are put into the same nfqueue.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term>
<listitem>
<para>Pass the connection request past any other rules that it
might also match (where the source or destination zone in
those rules is a superset of the SOURCE or DEST in this
policy). See <ulink
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
for additional information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NONE</emphasis></term>
<listitem>
<para>Assume that there will never be any packets from this
SOURCE to this DEST. shorewall6 will not create any
infrastructure to handle such packets and you may not have any
rules with this SOURCE and DEST in the /etc/shorewall6/rules
file. If such a packet <emphasis role="bold">is</emphasis>
received, the result is undefined. NONE may not be used if the
SOURCE or DEST columns contain the firewall zone ($FW) or
"all".</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOGLEVEL</emphasis> (loglevel) -
[<emphasis>log-level</emphasis>|<emphasis
role="bold">NFLOG</emphasis>]</term>
<listitem>
<para>Optional - if supplied, each connection handled under the
default POLICY is logged at that level. If not supplied, no log
message is generated. See syslog.conf(5) for a description of log
levels.</para>
<para>You may also specify NFLOG (must be in upper case). This will
log to the NFLOG target and will send to a separate log through use
of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>For a description of log levels, see <ulink
url="/shorewall_logging.html.">http://www.shorewall.net/shorewall_logging.html.</ulink></para>
<para>If you don't want to log but need to specify the following
column, place "-" here.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">RATE</emphasis> (rate) -
[-|<replaceable>limit</replaceable>]</term>
<listitem>
<para>where limit is one of:</para>
<simplelist>
<member>[<emphasis
role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
role="bold">/</emphasis>{<emphasis
role="bold">sec</emphasis>|<emphasis
role="bold">min</emphasis>|<emphasis
role="bold">hour</emphasis>|<emphasis
role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</member>
<member>[<replaceable>name</replaceable>1]:<emphasis>rate1</emphasis><emphasis
role="bold">/</emphasis>{<emphasis
role="bold">sec</emphasis>|<emphasis
role="bold">min</emphasis>|<emphasis
role="bold">hour</emphasis>|<emphasis
role="bold">day</emphasis>}[:<emphasis>burst1</emphasis>],[<replaceable>name</replaceable>2]:<emphasis>rate2</emphasis><emphasis
role="bold">/</emphasis>{<emphasis
role="bold">sec</emphasis>|<emphasis
role="bold">min</emphasis>|<emphasis
role="bold">hour</emphasis>|<emphasis
role="bold">day</emphasis>}[:<emphasis>burst2</emphasis>]</member>
</simplelist>
<para>If passed, specifies the maximum TCP connection
<emphasis>rate</emphasis> and the size of an acceptable
<emphasis>burst</emphasis>. If not specified, TCP connections are
not limited. If the <replaceable>burst</replaceable> parameter is
omitted, a value of 5 is assumed.</para>
<para>When <option>s:</option> or <option>d:</option> is specified,
the rate applies per source IP address or per destination IP address
respectively. The <replaceable>name</replaceable> may be chosen by
the user and specifies a hash table to be used to count matching
connections. If not give, the name <emphasis
role="bold">shorewall</emphasis> is assumed. Where more than one
POLICY or rule specifies the same name, the connections counts for
the policies are aggregated and the individual rates apply to the
aggregated count.</para>
<para>Beginning with Shorewall 4.6.5, two<replaceable>
limit</replaceable>s may be specified, separated by a comma. In this
case, the first limit (<replaceable>name1</replaceable>,
<replaceable>rate1</replaceable>, burst1) specifies the per-source
IP limit and the second limit specifies the per-destination IP
limit.</para>
<para>Example: <emphasis
role="bold">client:10/sec:20,:60/sec:100</emphasis></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CONNLIMIT</emphasis> -
<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
<listitem>
<para>May be used to limit the number of simultaneous connections
from each individual host to <replaceable>limit</replaceable>
connections. While the limit is only checked on connections to which
this policy could apply, the number of current connections is
calculated over all current connections from the SOURCE host. By
default, the limit is applied to each host individually but can be
made to apply to networks of hosts by specifying a
<replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
specifies the width of a VLSM mask to be applied to the source
address; the number of current connections is then taken over all
hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<orderedlist numeration="loweralpha">
<listitem>
<para>All connections from the local network to the internet are
allowed</para>
</listitem>
<listitem>
<para>All connections from the internet are ignored but logged at
syslog level KERNEL.INFO.</para>
</listitem>
<listitem>
<para>All other connection requests are rejected and logged at level
KERNEL.INFO.</para>
</listitem>
</orderedlist>
<programlisting> #SOURCE DEST POLICY LOG BURST:LIMIT
# LEVEL
loc net ACCEPT
net all DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info</programlisting>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/policy</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

503
Shorewall6/manpages/shorewall6-providers.xml
View File

@ -1,503 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-providers</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>providers</refname>
<refpurpose>Shorewall6 Providers file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/providers</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define additional routing tables. You will want
to define an additional table if:</para>
<itemizedlist>
<listitem>
<para>You have connections to more than one ISP or multiple
connections to the same ISP</para>
</listitem>
<listitem>
<para>You run Squid as a transparent proxy on a host other than the
firewall.</para>
</listitem>
<listitem>
<para>You have other requirements for policy routing.</para>
</listitem>
</itemizedlist>
<para>Each entry in the file defines a single routing table.</para>
<para>If you wish to omit a column entry but want to include an entry in
the next column, use "-" for the omitted entry.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">NAME</emphasis> -
<emphasis>name</emphasis></term>
<listitem>
<para>The provider <emphasis>name</emphasis>. Must be a valid shell
variable name. The names 'local', 'main', 'default' and 'unspec' are
reserved and may not be used as provider names.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NUMBER</emphasis> -
<emphasis>number</emphasis></term>
<listitem>
<para>The provider number -- a number between 1 and 15. Each
provider must be assigned a unique value.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> (Optional) -
<emphasis>value</emphasis></term>
<listitem>
<para>A FWMARK <emphasis>value</emphasis> used in your <ulink
url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>(5)
file to direct packets to this provider.</para>
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then the value must be a multiple of 256 between 256 and 65280 or
their hexadecimal equivalents (0x0100 and 0xff00 with the low-order
byte of the value being zero). Otherwise, the value must be between
1 and 255. Each provider must be assigned a unique mark value. This
column may be omitted if you don't use packet marking to direct
connections to a particular provider.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DUPLICATE</emphasis> -
<emphasis>routing-table-name</emphasis></term>
<listitem>
<para>The name of an existing table to duplicate to create this
routing table. May be <option>main</option> or the name of a
previously listed provider. You may select only certain entries from
the table to copy by using the COPY column below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis></term>
<listitem>
<para>The name of the network interface to the provider. Must be
listed in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
role="bold">detect|none</emphasis>}</term>
<listitem>
<para>The IP address of the provider's gateway router.</para>
<para>You can enter <emphasis role="bold">detect</emphasis> here and
Shorewall6 will attempt to detect the gateway automatically.</para>
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
role="bold">none</emphasis>. This causes creation of a routing table
with no default route in it.</para>
<para>For PPP devices, you may omit this column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OPTIONS</emphasis> (Optional) - [<emphasis
role="bold">-</emphasis>|<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>A comma-separated list selected from the following. The order
of the options is not significant but the list may contain no
embedded white-space.</para>
<variablelist>
<varlistentry>
<term>autosrc</term>
<listitem>
<para>Added in Shorewall 4.5.17. Causes a host route to the
provider's gateway router to be added to the provider's
routing table. This is the default behavior unless overridden
by a following <emphasis role="bold">noautosrc</emphasis>
option.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">balance[=<replaceable>weight</replaceable>]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.25. The providers that have
<option>balance</option> specified will get outbound traffic
load-balanced among them. By default, all interfaces with
<option>balance</option> specified will have the same weight
(1). Beginning with Shorewall 5.0.13, you can change the
weight of an interface by specifying
<option>balance=</option><replaceable>weight</replaceable>
where <replaceable>weight</replaceable> is the weight of the
route out of this interface. Prior to Shorewall 5.0.13, only
one provider can specify this option.</para>
<para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
<option>balance=1</option> is assumed unless the
<option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is
specified. Beginning with Shorewall 5.1.1, when
BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
unless the <option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is
specified.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.25. Indicates that a default
route through the provider should be added to the default
routing table (table 253). If a
<replaceable>weight</replaceable> is given, a balanced route
is added with the weight of this provider equal to the
specified <replaceable>weight</replaceable>. If the option is
given without a <replaceable>weight</replaceable>, an separate
default route is added through the provider's gateway; the
route has a metric equal to the provider's NUMBER. Prior to
Shorewall 5.0.13, at most one provider can specify this option
and a <replaceable>weight</replaceable> may not be
given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">track</emphasis></term>
<listitem>
<para>If specified, inbound connections on this interface are
to be tracked so that responses may be routed back out this
same interface.</para>
<para>You want to specify <option>track</option> if internet
hosts will be connecting to local servers through this
provider.</para>
<para>Beginning with Shorewall 4.4.3, <option>track</option>
defaults to the setting of the TRACK_PROVIDERS option in
<ulink
url="/manpages6/shorwewall6.conf.html">shorewall6.conf</ulink>
(5). If you set TRACK_PROVIDERS=Yes and want to override that
setting for an individual provider, then specify
<option>notrack</option> (see below).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">loose</emphasis></term>
<listitem>
<para>Shorewall6 normally adds a routing rule for each IP
address on an interface which forces traffic whose source is
that IP address to be sent using the routing table for that
interface. Setting <option>loose</option> prevents creation of
such rules on this interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">load=<replaceable>probability</replaceable></emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.0. This option provides an
alternative method of load balancing based on probabilities.
Providers to be balanced are given a
<replaceable>probability</replaceable> (a number 0 &gt; n
&gt;= 1) with up to 8 digits to the right of the decimal
point. Beginning with Shorewall 4.6.10, a warning is issued if
the sum of the probabilities is not 1.00000000.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noautosrc</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.17. Prevents the addition of a
host route to the provider's gateway router from being added
to the provider's routing table. This option must be used with
caution as it can cause start and restart failures.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">notrack</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.3. When specified, turns off
<option>track</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">optional</emphasis> (deprecated for
use with providers that do not share an interface)</term>
<listitem>
<para>If the interface named in the INTERFACE column is not up
and configured with an IPv4 address then ignore this provider.
If not specified, the value of the <option>optional</option>
option for the INTERFACE in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces(5)</ulink>
is assumed. Use of that option is preferred to this one,
unless an <replaceable>address</replaceable> is provider in
the INTERFACE column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">primary</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.6, <emphasis
role="bold">primary</emphasis> is a synonym for <emphasis
role="bold">balance</emphasis> (see above) and is preferred
when the remaining providers specify <emphasis
role="bold">fallback</emphasis> or <emphasis
role="bold">tproxy</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>src=<replaceable>source-address</replaceable></term>
<listitem>
<para>Specifies the source address to use when routing to this
provider and none is known (the local client has bound to the
0 address). May not be specified when an
<replaceable>address</replaceable> is given in the INTERFACE
column. If this option is not used, Shorewall6 substitutes the
primary IP address on the interface named in the INTERFACE
column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>mtu=<replaceable>number</replaceable></term>
<listitem>
<para>Specifies the MTU when forwarding through this provider.
If not given, the MTU of the interface named in the INTERFACE
column is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tproxy</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
action in shorewall-tcrules(5). See <ulink
url="/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
When specified, the MARK, DUPLICATE and GATEWAY columns should
be empty, INTERFACE should be set to 'lo' and
<option>tproxy</option> should be the only OPTION. Only one
<option>tproxy</option> provider is allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hostroute</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.21. This is the default behavior
that results in a host route to the defined <emphasis
role="bold">GATEWAY</emphasis> being inserted into the main
routing table and into the provider's routing table. <emphasis
role="bold">hostroute</emphasis> is required for older
distributions but <emphasis role="bold">nohostroute</emphasis>
(below) is appropriate for recent distributions. <emphasis
role="bold">hostroute</emphasis> may interfere with Zebra's
ability to add routes on some distributions such as Debian
7.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nohostroute</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.21. nohostroute inhibits addition
of a host route to the defined <emphasis
role="bold">GATEWAY</emphasis> being inserted into the main
routing table and into the provider's routing table. <emphasis
role="bold">nohostroute</emphasis> is not appropriate for
older distributions but is appropriate for recent
distributions. <emphasis role="bold">nohostroute</emphasis>
allows Zebra's to correctly add routes on some distributions
such as Debian 7.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">persistent</emphasis></term>
<listitem>
<para>Added in Shorewall 5.0.2 and alters the behavior of the
<command>disable</command> command:</para>
<itemizedlist>
<listitem>
<para>The provider's routing table still contains the
apprioriate default route.</para>
</listitem>
<listitem>
<para>Unless the <option>noautosrc</option> option is
specified, routing rules are generated to route traffic
from the interfaces address(es) out of the provider's
routing table.</para>
</listitem>
<listitem>
<para>Persistent routing rules in <ulink
url="shorewall-rtrules.html">shorewall6-rtrules(5)</ulink>
are present.</para>
</listitem>
</itemizedlist>
<note>
<para>The generated script will attempt to reenable a
disabled persistent provider during execution of the
<command>start</command>, <command>restart</command> and
<command>reload</command> commands. When
<option>persistent</option> is not specified, only the
<command>enable</command> and <command>reenable</command>
commands can reenable the provider.</para>
</note>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">COPY</emphasis> -
[{<option>none</option>|<emphasis>interface</emphasis><emphasis
role="bold">[,</emphasis><emphasis>interface</emphasis>]...}]</term>
<listitem>
<para>A comma-separated list of other interfaces on your firewall.
Wildcards specified using an asterisk ("*") are permitted (e.g.,
tun* ). Usually used only when DUPLICATE is <option>main</option>.
Only copy routes through INTERFACE and through interfaces listed
here. If you only wish to copy routes through INTERFACE, enter
<option>none</option> in this column.</para>
<para>Beginning with Shorewall 4.5.17, blackhole, unreachable and
prohibit routes are no longer copied by default but may be copied by
including <emphasis role="bold">blackhole</emphasis>,<emphasis
role="bold">unreachable</emphasis> and <emphasis
role="bold">prohibit</emphasis> respectively in the COPY
list.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2.
Your DMZ interface is eth2</para>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 1 - eth2 2002:ce7c:92b4:1::2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>eth0 connects to ISP 1. The ISP's gateway router has IP
address 2001:ce7c:92b4:1::2.</para>
<para>eth1 connects to ISP 2. The ISP's gateway router has IP
address 2001:d64c:83c9:12::8b.</para>
<para>eth2 connects to a local network.</para>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 main eth0 2001:ce7c:92b4:1::2 track eth2
ISP2 2 2 main eth1 2001:d64c:83c9:12::8b track eth2</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/providers</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-rtrules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

129
Shorewall6/manpages/shorewall6-routes.xml
View File

@ -1,129 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-routes</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>routes</refname>
<refpurpose>Shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/routes</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file was added in Shorewall 4.4.15 and is used to define routes
to be added to provider routing tables.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">PROVIDER</emphasis></term>
<listitem>
<para>The name or number of a provider defined in <ulink
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>
(5). Beginning with Shorewall 4.5.14, you may also enter
<option>main</option> in this column to add routes to the main
routing table.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis></term>
<listitem>
<para>Destination host address or network address.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis> (Optional)</term>
<listitem>
<para>If specified, gives the IP address of the gateway to the
DEST.</para>
<para>Beginning with Shorewall 4.5.14, you may specify
<option>blackhole</option> in this column to create a blackhole
route.</para>
<para>Beginning with Shorewall 4.5.15, you may specify
<option>prohibit</option> or <option>unreachable</option> in this
column to create a <firstterm>prohibit</firstterm> or
<firstterm>unreachable</firstterm> route respectively.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEVICE</emphasis> (Optional)</term>
<listitem>
<para>Specifies the device route. If neither DEVICE nor GATEWAY is
given, then the INTERFACE specified for the PROVIDER in <ulink
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>
(5).This column must be omitted if <option>blackhole</option>,
<option>prohibit</option> or <option>unreachable</option> is
specified in the GATEWAY column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OPTIONS</emphasis> (Optional)</term>
<listitem>
<para>Added in Shorewall 5.0.2.</para>
<para>Allowed options are:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">persistent</emphasis></term>
<listitem>
<para>If specified, the route remains in the provider's
routing table even when the provider is disabled.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Files</title>
<para>/etc/shorewall6/routes</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

201
Shorewall6/manpages/shorewall6-rtrules.xml
View File

@ -1,201 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-rtrules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>rtrules</refname>
<refpurpose>Shorewall6 Routing Rules file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/rtrules</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Entries in this file cause traffic to be routed to one of the
providers listed in <ulink
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|<emphasis>interface</emphasis>|<emphasis>address</emphasis>|<emphasis>interface</emphasis><firstterm>:</firstterm><emphasis>&lt;address</emphasis>&gt;}</term>
<listitem>
<para>An ip <emphasis>address</emphasis> (network or host) that
matches the source IP address in a packet. May also be specified as
an <emphasis>interface</emphasis> name optionally followed by ":"
and an address. If the device <emphasis role="bold">lo</emphasis> is
specified, the packet must originate from the firewall
itself.</para>
<para>Beginning with Shorewall 4.5.0, you may specify
&amp;<replaceable>interface</replaceable> in this column to indicate
that the source is the primary IP address of the named
interface.</para>
<para>Beginning with Shorewall 4.6.8, you may specify a
comma-separated list of addresses in this column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}</term>
<listitem>
<para>An ip address (network or host) that matches the destination
IP address in a packet.</para>
<para>If you choose to omit either <emphasis
role="bold">SOURCE</emphasis> or <emphasis
role="bold">DEST</emphasis>, place "-" in that column. Note that you
may not omit both <emphasis role="bold">SOURCE</emphasis> and
<emphasis role="bold">DEST</emphasis>.</para>
<para>Beginning with Shorewall 4.6.8, you may specify a
comma-separated list of addresses in this column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROVIDER</emphasis> -
{<emphasis>provider-name</emphasis>|<emphasis>provider-number</emphasis>|<emphasis
role="bold">main</emphasis>}</term>
<listitem>
<para>The provider to route the traffic through. May be expressed
either as the provider name or the provider number. May also be
<emphasis role="bold">main</emphasis> or 254 for the main routing
table. This can be used in combination with VPN tunnels, see example
2 below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PRIORITY</emphasis> -
<emphasis>priority</emphasis><emphasis
role="bold">[!]</emphasis></term>
<listitem>
<para>The rule's numeric <emphasis>priority</emphasis> which
determines the order in which the rules are processed. Rules with
equal priority are applied in the order in which they appear in the
file.</para>
<variablelist>
<varlistentry>
<term>1000-1999</term>
<listitem>
<para>Before Shorewall-generated 'MARK' rules</para>
</listitem>
</varlistentry>
<varlistentry>
<term>11000-11999</term>
<listitem>
<para>After 'MARK' rules but before Shorewall-generated rules
for ISP interfaces.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>26000-26999</term>
<listitem>
<para>After ISP interface rules but before 'default'
rule.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 5.0.2, the priority may be followed
optionally by an exclaimation mark ("!"). This causes the rule to
remain in place if the interface is disabled.</para>
<caution>
<para>Be careful when using rules of the same PRIORITY as some
unexpected behavior can occur when multiple rules have the same
SOURCE. For example, in the following rules, the second rule
overwrites the first unless the priority in the second is changed
to 19001 or higher:</para>
<programlisting>2601:601:8b00:bf0::/64 2001:470:b:787::542 provider1 19000
2601:601:8b00:bf0::/64 - provider2 19000</programlisting>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK -
{-|<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>]}</emphasis></term>
<listitem>
<para>Optional -- added in Shorewall 4.4.25. For this rule to be
applied to a packet, the packet's mark value must match the
<replaceable>mark</replaceable> when logically anded with the
<replaceable>mask</replaceable>. If a
<replaceable>mask</replaceable> is not supplied, Shorewall supplies
a suitable provider mask.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>You want all traffic coming in on eth1 to be routed to the
ISP1 provider.</para>
<programlisting> #SOURCE DEST PROVIDER PRIORITY MASK
eth1 - ISP1 1000
</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/rtrules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

2143
Shorewall6/manpages/shorewall6-rules.xml
View File

File diff suppressed because it is too large Load Diff

423
Shorewall6/manpages/shorewall6-secmarks.xml
View File

@ -1,423 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-secmarks</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>secmarks</refname>
<refpurpose>Shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/secmarks</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<important>
<para>Unlike rules in the <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules</ulink>(5) file,
evaluation of rules in this file will continue after a match. So the
final secmark for each packet will be the one assigned by the LAST rule
that matches.</para>
</important>
<para>The secmarks file is used to associate an SELinux context with
packets. It was added in Shorewall6 version 4.4.13.</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SECMARK -
{SAVE|RESTORE|<replaceable>context</replaceable>|?COMMENT}</emphasis></term>
<listitem>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SAVE</emphasis></term>
<listitem>
<para>If an SELinux context is associated with the packet, the
context is saved in the connection. Normally, the remaining
columns should be left blank.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">RESTORE</emphasis></term>
<listitem>
<para>If an SELinux context is not currently associated with
the packet, then the saved context (if any) is associated with
the packet. Normally, the remaining columns should be left
blank.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable role="bold">context</replaceable></term>
<listitem>
<para>An SELinux context.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>?COMMENT</term>
<listitem>
<para>The remainder of the line is treated as a comment which
is attached to subsequent rules until another ?COMMENT line is
found or until the end of the file is reached. To stop adding
comments to rules, use a line with only the word
?COMMENT.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CHAIN -
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
<listitem>
<para>This column determines the CHAIN where the SELinux context is
to be applied:</para>
<simplelist>
<member>P - PREROUTING</member>
<member>I - INPUT</member>
<member>F - FORWARD</member>
<member>O - OUTPUT</member>
<member>T - POSTROUTING</member>
</simplelist>
<para>It may be optionally followed by a colon and an indication of
the Netfilter connection state(s) at which the context is to be
applied:</para>
<simplelist>
<member>:N - NEW connection</member>
<member>:I - INVALID connection</member>
<member>:NI - NEW or INVALID connection</member>
<member>:E - ESTABLISHED connection</member>
<member>:ER - ESTABLISHED or RELATED connection</member>
</simplelist>
<para>Beginning with Shorewall 4.5.10, the following additional
options are available</para>
<simplelist>
<member>:U - UNTRACKED connection</member>
<member>:IU - INVALID or UNTRACKED connection</member>
<member>:NU - NEW or UNTRACKED connection</member>
<member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
</simplelist>
<para>This column was formerly labelled CHAIN:STATE.</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">-</emphasis><emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name - matches traffic entering the firewall
on the specified interface. May not be used in classify rules or
in rules using the T in the CHAIN column.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses or
MAC addresses.</para>
</listitem>
<listitem>
<para>An interface name followed by a colon (":") followed by a
comma-separated list of host or network IP addresses or MAC
addresses.</para>
</listitem>
</orderedlist>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name. May not be used in the PREROUTING or
INPUT chains. The interface name may be optionally followed by a
colon (":") and an IP address list.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses.
The list may include ip address ranges if your kernel and
iptables include iprange support.</para>
</listitem>
</orderedlist>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">tcp:syn</emphasis>|<emphasis
role="bold">ipp2p</emphasis>|<emphasis
role="bold">ipp2p:udp</emphasis>|<emphasis
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
<listitem>
<para>See <ulink
url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink> for
details.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
<listitem>
<para>Optional destination Ports. A comma-separated list of Port
names (from services(5)), <emphasis>port number</emphasis>s or
<emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See <ulink
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
assumed.</para>
<para>This column is ignored if PROTO = all but must be entered if
any of the following field is supplied. In that case, it is
suggested that this field contain "-"</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
<listitem>
<para>Optional source port(s). If omitted, any source port is
acceptable. Specified as a comma-separated list of port names, port
numbers or port ranges.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DPORT column is non-empty. This causes the
rule to match when either the source port or the destination port in
a packet matches one of the ports specified in DPORT. Use of '='
requires multi-port match in your iptables and kernel.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USER</emphasis> - [<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
<listitem>
<para>This optional column may only be non-empty if the SOURCE is
the firewall itself.</para>
<para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
specified (or is NOT running under that id if "!" is given).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>joe</term>
<listitem>
<para>program must be run by joe</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:kids</term>
<listitem>
<para>program must be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>!:kids</term>
<listitem>
<para>program must not be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
</variablelist>
<para>This column was formerly labelled USER/GROUP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>Mark the first incoming packet of a connection on the loopback
interface and destined for address ::1 and tcp port 3306 with context
system_u:object_r:mysqld_t:s0 and save that context in the conntrack
table. On subsequent input packets in the connection, set the context from
the conntrack table.</para>
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
- lo - ignore</programlisting>
<para><filename>/etc/shorewall6/secmarks</filename>:</para>
<programlisting>#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
system_u:object_r:mysqld_packet_t:s0 I:N lo ::1 tcp 3306
SAVE I:N
RESTORE I:ER</programlisting>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/secmarks</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

616
Shorewall6/manpages/shorewall6-snat.xml
View File

@ -1,616 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-masq</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>snat</refname>
<refpurpose>Shorewall6 SNAT/Masquerade definition file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/snat</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define dynamic NAT (Masquerading) and to define
Source NAT (SNAT). While still supported, its use is deprecated in favor
of <ulink url="/manpages6/shorewall6-snat.html">shorewall6-snat</ulink>(5) which was
introduced in Shorewall 5.0.14.</para>
<warning>
<para>The entries in this file are order-sensitive. The first entry that
matches a particular connection will be the one that is used.</para>
</warning>
<warning>
<para>If you have more than one ISP link, adding entries to this file
will <emphasis role="bold">not</emphasis> force connections to go out
through a particular link. You must use entries in <ulink
url="/manpages6/shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
or PREROUTING entries in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall-tcrules</ulink>(5) to
do that.</para>
</warning>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION</emphasis></term>
<listitem>
<para>Defines the type of rule to generate. Choices are:</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">MASQUERADE</emphasis>[+][([<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>][<option>random</option>])]</term>
<listitem>
<para>Causes matching outgoing packages to have their source
IP address set to the primary IP address of the interface
specified in the DEST column. if
<replaceable>lowport</replaceable>-<replaceable>highport</replaceable>
is given, that port range will be used to assign a source
port. If option <option>random</option> is used then port
mapping will be randomized. MASQUERADE should only be used
when the DEST interface has a dynamic IP address. Otherwise,
SNAT should be used and should specify the interface's static
address.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SNAT</emphasis>[+]([<emphasis>address-or-address-range</emphasis>][:<emphasis>lowport</emphasis><emphasis
role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
role="bold">:random</emphasis>][:<option>persistent</option>]|<emphasis
role="bold">detect</emphasis>|</term>
<listitem>
<para>If you specify an address here, matching packets will
have their source address set to that address. If
ADD_SNAT_ALIASES is set to Yes or yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) then
Shorewall will automatically add this address to the INTERFACE
named in the first column.</para>
<para>You may also specify a range of up to 256 IP addresses
if you want the SNAT address to be assigned from that range in
a round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
You may follow the port range with<emphasis role="bold">
:random</emphasis> in which case assignment of ports from the
list will be random. <emphasis role="bold">random</emphasis>
may also be specified by itself in this column in which case
random local port assignments are made for the outgoing
connections.</para>
<para>Example: 206.124.146.177-206.124.146.180</para>
<para>You may follow the port range (or <emphasis
role="bold">:random</emphasis>) with <emphasis
role="bold">:persistent</emphasis>. This is only useful when
an address range is specified and causes a client to be given
the same source/destination IP pair. This feature replaces the
SAME modifier which was removed from Shorewall in version
4.4.0.</para>
<para>You may also use the special value
<option>detect</option> which causes Shorewall to determine
the IP addresses configured on the interface named in the DEST
column and substitute them in this column.</para>
<para>Finally, you may also specify a comma-separated list of
ranges and/or addresses in this column.</para>
<para>DNS Names names are not allowed.</para>
<para>Normally, Netfilter will attempt to retain the source
port number. You may cause netfilter to remap the source port
by following an address or range (if any) by ":" and a port
range with the format
<emphasis>lowport</emphasis>-<emphasis>highport</emphasis>. If
this is done, you must specify "tcp", "udp", "dccp" or "stcp"
in the PROTO column.</para>
<para>Example:</para>
<programlisting> [2001:470:a:787::2]:5000-6000</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>CONTINUE[+]</term>
<listitem>
<para>Causes matching packets to be exempted from any
following rules in the file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold"><replaceable>action</replaceable></emphasis>[+][(<replaceable>parameter</replaceable>,...)]</term>
<listitem>
<para>where <replaceable>action</replaceable> is an action
declared in <ulink
url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>
with the <option>nat</option> option. See <ulink
url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
further information.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Normally Masq/SNAT rules are evaluated after those for
one-to-one NAT (defined in <ulink
url="/manpages6/shorewall6-nat.html">shorewall6-nat</ulink>(5)). If
you want the rule to be applied before one-to-one NAT rules, follow
the action name with "+": This feature should only be required if
you need to insert rules in this file that preempt entries in <ulink
url="/manpages6/shorewall6-nat.html">shorewall6-nat</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> (Optional) -
[<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>...][<emphasis>exclusion</emphasis>]]</term>
<listitem>
<para>Set of hosts that you wish to SNAT; one or more host or
network addresses separated by comma. You may use ipset names
preceded by a plus sign (+) to specify a set of hosts.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> -
{<emphasis>interface</emphasis>|[<emphasis
role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|?COMMENT}</term>
<listitem>
<para>Outgoing <emphasis>interface</emphasis>. This is usually your
internet interface.</para>
<para>The <replaceable>interface</replaceable> must match an entry
in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
For example, <filename class="devicefile">ppp0</filename> in this
file will match a <ulink
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>Where <ulink url="MultiISP.html#Shared">more that one
internet provider share a single interface</ulink>, the provider is
specified by including the provider name or number in
parentheses:</para>
<programlisting> eth0(Avvanta)</programlisting>
<para>In that case, you will want to specify the interface's address
for that provider as the SNAT parameter.</para>
<para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
as are ipset names preceded by a plus sign '+'.</para>
<para>Comments may be attached to Netfilter rules generated from
entries in this file through the use of ?COMMENT lines. These lines
begin with ?COMMENT; the remainder of the line is treated as a
comment which is attached to subsequent rules until another ?COMMENT
line is found or until the end of the file is reached. To stop
adding comments to rules, use a line containing only
?COMMENT.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number here. See
<ulink url="/manpages6/shorewall6-rules.html">shorewall6-rules(5)</ulink> for
details.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DPORT</emphasis> (Optional) -
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
SCTP (132) or UDPLITE (136) then you may list one or more port
numbers (or names from services(5)) or port ranges separated by
commas.</para>
<para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>Beginning with Shorewall 4.6.0, an
<replaceable>ipset</replaceable> name can be specified in this
column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC</emphasis> (Optional) -
[<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>If you specify a value other than "-" in this column, you must
be running kernel 2.6 and your kernel and iptables must include
policy match support.</para>
<para>Comma-separated list of options from the following. Only
packets that will be encrypted via an SA that matches these options
will have their source address changed.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>where <emphasis>number</emphasis> is specified using
setkey(8) using the 'unique:<emphasis>number</emphasis> option
for the SPD level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
<listitem>
<para>where <emphasis>number</emphasis> is the SPI of the SA
used to encrypt/decrypt packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto=</emphasis><emphasis
role="bold">ah</emphasis>|<emphasis
role="bold">esp</emphasis>|<emphasis
role="bold">ipcomp</emphasis></term>
<listitem>
<para>IPSEC Encapsulation Protocol</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>sets the MSS field in TCP packets</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mode=</emphasis><emphasis
role="bold">transport</emphasis>|<emphasis
role="bold">tunnel</emphasis></term>
<listitem>
<para>IPSEC mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">strict</emphasis></term>
<listitem>
<para>Means that packets must match all rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">next</emphasis></term>
<listitem>
<para>Separates rules; can only be used with strict</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">yes</emphasis></term>
<listitem>
<para>When used by itself, causes all traffic that will be
encrypted/encapsulated to match the rule.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
role="bold">:C</emphasis>]</term>
<listitem>
<para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para>
<para>If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.</para>
<variablelist>
<varlistentry>
<term>!</term>
<listitem>
<para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>value</emphasis></term>
<listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>mask</emphasis></term>
<listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">:C</emphasis></term>
<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
<listitem>
<para>Only locally-generated connections will match if this column
is non-empty.</para>
<para>When this column is non-empty, the rule matches only if the
program generating the output is running under the effective
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
specified (or is NOT running under that id if "!" is given).</para>
<para>Examples:</para>
<variablelist>
<varlistentry>
<term>joe</term>
<listitem>
<para>program must be run by joe</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:kids</term>
<listitem>
<para>program must be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>!:kids</term>
<listitem>
<para>program must not be run by a member of the 'kids'
group</para>
</listitem>
</varlistentry>
<varlistentry>
<term>+upnpd</term>
<listitem>
<para>#program named upnpd</para>
<important>
<para>The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.</para>
</important>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.1 and allows enabling and disabling the
rule without requiring <command>shorewall restart</command>.</para>
<para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.</para>
<para>Within the <replaceable>switch-name</replaceable>, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a
added. The <replaceable>switch-name</replaceable> (after '@...'
expansion) must begin with a letter and be composed of letters,
decimal digits, underscores or hyphens. Switch names must be 30
characters or less in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall
restart</command>.</para>
<para>Beginning with Shorewall 4.5.10, when the
<replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the
<command>start</command> command. Other commands do not affect the
switch setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>(Optional) This column may be included and may contain one or
more addresses (host or network) separated by commas. Address ranges
are not allowed. When this column is supplied, rules are generated
that require that the original destination address matches one of
the listed addresses. It is useful for specifying that SNAT should
occur only for connections that were acted on by a DNAT when they
entered the firewall.</para>
<para>This column was formerly labelled ORIGINAL DEST.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROBABILITY</emphasis> -
[<replaceable>probability</replaceable>]</term>
<listitem>
<para>Added in Shorewall 5.0.0. When non-empty, requires the
<firstterm>Statistics Match</firstterm> capability in your kernel
and ip6tables and causes the rule to match randomly but with the
given <replaceable>probability</replaceable>. The
<replaceable>probability</replaceable> is a number 0 &lt;
<replaceable>probability</replaceable> &lt;= 1 and may be expressed
at up to 8 decimal points of precision.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>You have a simple 'masquerading' setup where eth0 connects to
a DSL or cable modem and eth1 connects to your local network with
subnet 2001:470:b:787::0/64</para>
<para>Your entry in the file will be:</para>
<programlisting> #ACTION SOURCE DEST
MASQUERADE 2001:470:b:787::0/64 eth0</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>Your sit1 interface has two public IP addresses:
2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
iptables statistics match to masquerade outgoing connections evenly
between these two addresses.</para>
<programlisting>/etc/shorewall/snat:
#ACTION SOURCE DEST
SNAT(2001:470:a:227::1) ::/0 sit1 { probability=0.50 }
SNAT(2001:470:a:227::2) ::/0 sit</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/snat</para>
</refsect1>
</refentry>

177
Shorewall6/manpages/shorewall6-stoppedrules.xml
View File

@ -1,177 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-stoppedrules</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>stoppedrules</refname>
<refpurpose>The Shorewall file that governs what traffic flows through the
firewall while it is in the 'stopped' state.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/stoppedrules</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define the hosts that are accessible when the
firewall is stopped or is being stopped.</para>
<warning>
<para>Changes to this file do not take effect until after the next
<command>shorewall6 start</command>, <command>shorewall6
reload</command>, <command>shorewall6 restart</command>, or
<option>shorewall6 compile</option> command.</para>
</warning>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION</emphasis> -
<option>ACCEPT|NOTRACK</option></term>
<listitem>
<para>Determines the disposition of the packet.</para>
<para><option>ACCEPT</option> means that the packet will be
accepted.</para>
<para><option>NOTRACK</option> indicates that no conntrack entry
should be created for the packet. <option>NOTRACK</option> does not
imply <option>ACCEPT</option>.</para>
<para><option>DROP</option> was added in Shorewall 4.6.0 and causes
the packet to be dropped in the raw table's PREROUTING chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - [<emphasis
role="bold">-</emphasis>|[$FW|<replaceable>interface</replaceable>]|[{$FW|interface}[<emphasis>:address</emphasis>[,<emphasis>address</emphasis>]...]]|[<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
<listitem>
<para><option>$FW</option> matches packets originating on the
firewall itself, while <replaceable>interface</replaceable>
specifies packets arriving on the named interface.</para>
<para>This column may also include a comma-separated list of
IP/subnet addresses. If your kernel and iptables include iprange
match support, IP address ranges are also allowed. Ipsets and
exclusion are also supported. When <option>$FW</option> or interface
are specified, the list must be preceded by a colon (":").</para>
<para>If left empty or supplied as "-", ::/0 is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - [<emphasis
role="bold">-</emphasis>|[$FW|<replaceable>interface</replaceable>]|[{$FW|interface}[<emphasis>:address</emphasis>[,<emphasis>address</emphasis>]...]]|[<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
<listitem>
<para><option>$FW</option> matches packets addressed the firewall
itself, while <replaceable>interface</replaceable> specifies packets
arriving on the named interface. Neither may be specified if the
target is <option>NOTRACK</option> or <option>DROP</option>.</para>
<para>This column may also include a comma-separated list of
IP/subnet addresses. If your kernel and iptables include iprange
match support, IP address ranges are also allowed. Ipsets and
exclusion are also supported. When <option>$FW</option> or interface
are specified, the list must be preceded by a colon (":").</para>
<para>If left empty or supplied as "-", ::/0 is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PROTO (Optional)
<replaceable>protocol-name-or-number</replaceable>[,...]</term>
<listitem>
<para>Protocol.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DPORT
<replaceable>service-name/port-number-list</replaceable></term>
<listitem>
<para>Optional. A comma-separated list of port numbers and/or
service names from <filename>/etc/services</filename>. May also
include port ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
<para>This column was formerly labelled DEST PORT(S).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SPORT
<replaceable>service-name/port-number-list</replaceable></term>
<listitem>
<para>Optional. A comma-separated list of port numbers and/or
service names from <filename>/etc/services</filename>. May also
include port ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DPORT column is non-empty. This causes the
rule to match when either the source port or the destination port in
a packet matches one of the ports specified in DPORT. Use of '='
requires multi-port match in your iptables and kernel.</para>
<para>This column was formerly labelled SOURCE PORT(S).</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/stoppedrules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>

739
Shorewall6/manpages/shorewall6-tcclasses.xml
View File

@ -1,739 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-tcclasses</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>tcclasses</refname>
<refpurpose>Shorewall6 file to define HTB and HFSC classes</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/tcclasses</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>A note on the <emphasis>rate</emphasis>/bandwidth definitions used
in this file:</para>
<itemizedlist>
<listitem>
<para>don't use a space between the integer value and the unit: 30kbit
is valid while 30 kbit is NOT.</para>
</listitem>
<listitem>
<para>you can use one of the following units:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">kpbs</emphasis></term>
<listitem>
<para>Kilobytes per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mbps</emphasis></term>
<listitem>
<para>Megabytes per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">kbit</emphasis></term>
<listitem>
<para>Kilobits per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mbit</emphasis></term>
<listitem>
<para>Megabits per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">bps</emphasis> or <emphasis
role="bold">number</emphasis></term>
<listitem>
<para>Bytes per second.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para>if you want the values to be calculated for you depending on the
output bandwidth setting defined for an interface in tcdevices, you
can use expressions like the following:</para>
<variablelist>
<varlistentry>
<term>full/3</term>
<listitem>
<para>causes the bandwidth to be calculated as 1/3 of the full
outgoing speed that is defined.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>full*9/10</term>
<listitem>
<para>will set this bandwidth to 9/10 of the full
bandwidth</para>
</listitem>
</varlistentry>
</variablelist>
<para>Note that in a sub-class (a class that has a specified parent
class), full refers to the RATE or CEIL of the parent class rather
than to the OUT-BANDWIDTH of the device.</para>
<para>DO NOT add a unit to the rate if it is calculated !</para>
</listitem>
</itemizedlist>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis>[[:<emphasis>parent</emphasis>]:<emphasis>class</emphasis>]</term>
<listitem>
<para>Name of <emphasis>interface</emphasis>.</para>
<para>You may specify either the interface number or the interface
name. If the <emphasis role="bold">classify</emphasis> option is
given for the interface in <ulink
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5),
then you must also specify an interface class (an integer that must
be unique within classes associated with this interface).</para>
<para>You may NOT specify wildcards here, e.g. if you have multiple
ppp interfaces, you need to put them all in here!</para>
<para>Please note that you can only use interface names in here that
have a bandwidth defined in the <ulink
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
file.</para>
<para>Normally, all classes defined here are sub-classes of a root
class (class number 1) that is implicitly defined from the entry in
<ulink
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5).
You can establish a class hierarchy by specifying a
<emphasis>parent</emphasis> class -- the number of a class that you
have previously defined. The sub-class may borrow unused bandwidth
from its parent.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis> -
{-|<replaceable>value</replaceable>[:<replaceable>priority</replaceable>]}</term>
<listitem>
<para>The mark <emphasis>value</emphasis> which is an integer in the
range 1-255. You set mark values in the <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5)
file, marking the traffic you want to fit in the classes defined in
here. You can use the same marks for different interfaces.</para>
<para>The <replaceable>priority</replaceable>, if specified, is an
integer in the range 1-65535 and determines the relative order in
which the tc mark classification filter for this class is to be
applied to packets being sent on the
<replaceable>interface</replaceable>. Filters are applied in
ascending numerical order. If not supplied, the value is derived
from the class priority (PRIORITY column value below):
(<replaceable>class priority</replaceable> &lt;&lt; 8) | 20.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">RATE</emphasis> -
{-|<emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]}</term>
<listitem>
<para>The minimum bandwidth this class should get, when the traffic
load rises. If the sum of the rates in this column exceeds the
INTERFACE's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit may not be
honored. Similarly, if the sum of the rates of sub-classes of a
class exceed the CEIL of the parent class, things don't work
well.</para>
<para>When using the HFSC queuing discipline, this column specify
the real-time (RT) service curve. leaf classes may specify
<replaceable>dmax</replaceable>, the maximum delay in milliseconds
that the first queued packet for this class should experience. May
be expressed as an integer, optionally followed by 'ms' with no
intervening white-space (e.g., 10ms).</para>
<para>HFSC leaf classes may also specify
<replaceable>umax</replaceable>, the largest packet expected in this
class. May be expressed as an integer. The unit of measure is
<emphasis>bytes</emphasis> and the integer may be optionally
followed by 'b' with no intervening white-space (e.g., 800b).
<replaceable>umax</replaceable> may only be given if
<replaceable>dmax</replaceable> is also given.</para>
<para>Beginning with Shorewall 4.5.6, HFSC classes may omit this
column (e.g, '-' in the column), provided that an
<replaceable>lsrate</replaceable> is specified (see CEIL below).
These rates are used to arbitrate between classes of the same
priority.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CEIL</emphasis> -
[<emphasis>lsrate</emphasis>:]<emphasis>rate</emphasis></term>
<listitem>
<para>The maximum bandwidth this class is allowed to use when the
link is idle. Useful if you have traffic which can get full speed
when more needed services (e.g. ssh) are not used.</para>
<para>You can use the value <emphasis role="bold">full</emphasis> in
here for setting the maximum bandwidth to the RATE of the parent
class, or the OUT-BANDWIDTH of the device if there is no parent
class.</para>
<para>Beginning with Shorewall 4.5.6, you can also specify an
<replaceable>lsrate</replaceable> (link sharing rate).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PRIORITY</emphasis> -
<emphasis>priority</emphasis></term>
<listitem>
<para>For HTB:</para>
<blockquote>
<para>The <emphasis>priority</emphasis> in which classes will be
serviced by the packet shaping scheduler and also the priority in
which bandwidth in excess of the rate will be given to each
class.</para>
<para>Higher priority classes will experience less delay since
they are serviced first. Priority values are serviced in ascending
order (e.g. 0 is higher priority than 1).</para>
<para>Classes may be set to the same priority, in which case they
will be serviced as equals.</para>
</blockquote>
<para>For both HTB and HFSC, the <emphasis>priority</emphasis> is
used to calculate the priority of following Shorewall-generated
classification filters that refer to the class:</para>
<itemizedlist>
<listitem>
<para>Packet MARK</para>
</listitem>
<listitem>
<para><emphasis role="bold">tcp-ack</emphasis> and the <emphasis
role="bold">tos</emphasis> options (see below)</para>
</listitem>
</itemizedlist>
<para>The rules for classes with lower numeric priorities will
appear before those with higher numeric priorities.</para>
<para>Beginning with Shorewall 4.5.8, the PRIORITY may be omitted
from an HFSC class if you do not use the MARK column or the
<emphasis role="bold">tcp-ack</emphasis> or <emphasis
role="bold">tos</emphasis> options. If you use those features and
omit the PRIORITY, then you must specify a
<replaceable>priority</replaceable> along with the MARK or
option.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OPTIONS</emphasis> (Optional) -
[<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>A comma-separated list of options including the
following:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">default</emphasis></term>
<listitem>
<para>This is the default class for that interface where all
traffic should go, that is not classified otherwise.</para>
<note>
<para>You must define <emphasis
role="bold">default</emphasis> for exactly one class per
interface.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tos=0x</emphasis><emphasis>value</emphasis>[/0x<emphasis>mask</emphasis>][:<replaceable>priority</replaceable>]
(mask defaults to 0xff)</term>
<listitem>
<para>This lets you define a classifier for the given
<emphasis>value</emphasis>/<emphasis>mask</emphasis>
combination of the IP packet's TOS/Precedence/DiffSrv octet
(aka the TOS byte).</para>
<para>Beginning with Shorewall 4.5.8, the
<replaceable>value/mask</replaceable> may be followed by a
colon (":") and a <replaceable>priority</replaceable>. This
priority determines the order in which filter rules are
processed during packet classification. If not specified, the
value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
15) is used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tos-</emphasis><emphasis>tosname</emphasis>[:<replaceable>priority</replaceable>]</term>
<listitem>
<para>Aliases for the following TOS octet value and mask
encodings. TOS encodings of the "TOS byte" have been
deprecated in favor of diffserve classes, but programs like
ssh, rlogin, and ftp still use them.</para>
<programlisting> <emphasis role="bold">tos-minimize-delay</emphasis> 0x10/0x10
<emphasis role="bold">tos-maximize-throughput</emphasis> 0x08/0x08
<emphasis role="bold">tos-maximize-reliability</emphasis> 0x04/0x04
<emphasis role="bold">tos-minimize-cost</emphasis> 0x02/0x02
<emphasis role="bold">tos-normal-service</emphasis> 0x00/0x1e</programlisting>
<para>Beginning with Shorewall 4.5.8, the
<replaceable>tos-name</replaceable> may be followed by a colon
(":") and a <replaceable>priority</replaceable>. This priority
determines the order in which filter rules are processed
during packet classification. If not specified, the value
(<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
is used.</para>
<note>
<para>Each of these options is only valid for ONE class per
interface.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tcp-ack</emphasis>[:<replaceable>priority</replaceable>]</term>
<listitem>
<para>If defined, causes a tc filter to be created that puts
all tcp ack packets on that interface that have a size of
&lt;=64 Bytes to go in this class. This is useful for speeding
up downloads. Please note that the size of the ack packets is
limited to 64 bytes because we want only packets WITHOUT
payload to match.</para>
<para>Beginning with Shorewall 4.5.8, the <emphasis
role="bold">tcp-ack</emphasis> may be followed by a colon
(":") and a <replaceable>priority</replaceable>. This priority
determines the order in which filter rules are processed
during packet classification. If not specified, the value
(<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
is used.</para>
<note>
<para>This option is only valid for ONE class per
interface.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term>flow=<emphasis>keys</emphasis></term>
<listitem>
<para>Shorewall attaches an SFQ queuing discipline to each
leaf HTB class. SFQ ensures that each
<firstterm>flow</firstterm> gets equal access to the
interface. The default definition of a flow corresponds
roughly to a Netfilter connection. So if one internal system
is running BitTorrent, for example, it can have lots of
'flows' and can thus take up a larger share of the bandwidth
than a system having only a single active connection. The
<option>flow</option> classifier (module cls_flow) works
around this by letting you define what a 'flow' is. The
classifier must be used carefully or it can block off all
traffic on an interface! The flow option can be specified for
an HTB leaf class (one that has no sub-classes). We recommend
that you use the following:</para>
<simplelist>
<member>Shaping internet-bound traffic:
flow=nfct-src</member>
<member>Shaping traffic bound for your local net:
flow=dst</member>
</simplelist>
<para>These will cause a 'flow' to consists of the traffic
to/from each internal system.</para>
<para>When more than one key is give, they must be enclosed in
parenthesis and separated by commas.</para>
<para>To see a list of the possible flow keys, run this
command:</para>
<blockquote>
<para><command>tc filter add flow help</command></para>
</blockquote>
<para>Those that begin with "nfct-" are Netfilter connection
tracking fields. As shown above, we recommend flow=nfct-src;
that means that we want to use the source IP address
<emphasis>before NAT</emphasis> as the key.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pfifo</term>
<listitem>
<para>When specified for a leaf class, the pfifo queuing
discipline is applied to the class rather than the sfq queuing
discipline.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>limit=<emphasis>number</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.3. When specified for a leaf
class, determines the maximum number of packets that may be
queued within the class. The <emphasis>number</emphasis> must
be &gt; 2 and &lt;= 128. If not specified, the value 127 is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>red=(<replaceable>redoption</replaceable>=<replaceable>value</replaceable>,
...)</term>
<listitem>
<para>Added in Shorewall 4.5.6. When specified on a leaf
class, causes the class to use the RED (Random Early
Detection) queuing discipline rather than SFQ. See tc-red (8)
for additional information.</para>
<para>Allowable redoptions are:</para>
<variablelist>
<varlistentry>
<term>min <replaceable>min</replaceable></term>
<listitem>
<para>Average queue size at which marking becomes a
possibility.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>max <replaceable>max</replaceable></term>
<listitem>
<para>At this average queue size, the marking
probability is maximal. Must be at least twice
<replaceable>min</replaceable> to prevent synchronous
retransmits, higher for low
<replaceable>min</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>probability
<replaceable>probability</replaceable></term>
<listitem>
<para>Maximum probability for marking, specified as a
floating point number from 0.0 to 1.0. Suggested values
are 0.01 or 0.02 (1 or 2%, respectively).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>limit <replaceable>limit</replaceable></term>
<listitem>
<para>Hard limit on the real (not average) queue size in
bytes. Further packets are dropped. Should be set higher
than
<replaceable>max</replaceable>+<replaceable>burst</replaceable>.
It is advised to set this a few times higher than
<replaceable>max</replaceable>. Shorewall requires that
<replaceable>limit</replaceable> be at least twice
<replaceable>min</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>burst <replaceable>burst</replaceable></term>
<listitem>
<para>Used for determining how fast the average queue
size is influenced by the real queue size. Larger values
make the calculation more sluggish, allowing longer
bursts of traffic before marking starts. Real life
experiments support the following guideline:
(<replaceable>min</replaceable>+<replaceable>min</replaceable>+<replaceable>max</replaceable>)/(3*<replaceable>avpkt</replaceable>).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>avpkt <replaceable>avpkt</replaceable></term>
<listitem>
<para>Optional. Specified in bytes. Used with burst to
determine the time constant for average queue size
calculations. 1000 is a good value and is the Shorewall
default.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>bandwidth
<replaceable>bandwidth</replaceable></term>
<listitem>
<para>Optional. This rate is used for calculating the
average queue size after some idle time. Should be set
to the bandwidth of your interface. Does not mean that
RED will shape for you!</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ecn</term>
<listitem>
<para>RED can either 'mark' or 'drop'. Explicit
Congestion Notification allows RED to notify remote
hosts that their rate exceeds the amount of bandwidth
available. Non-ECN capable hosts can only be notified by
dropping a packet. If this parameter is specified,
packets which indicate that their hosts honor ECN will
only be marked and not dropped, unless the queue size
hits <replaceable>limit</replaceable> bytes. Needs a tc
binary with RED support compiled in. Recommended.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>fq_codel[=(<replaceable>codeloption</replaceable>=<replaceable>value</replaceable>,
...)]</term>
<listitem>
<para>Added in Shorewall 4.5.12. When specified for a leaf
class, causes the class to use the FQ_CODEL
(<firstterm>Fair-queuing Controlled-Delay</firstterm>) queuing
discipline rather than SFQ. See tc-fq_codel (8) for additional
information.</para>
<para>Allowable <replaceable>codeloptions</replaceable>
are:</para>
<variablelist>
<varlistentry>
<term>limit</term>
<listitem>
<para>hard limit on the real queue size. When this limit
is reached, incoming packets are dropped. If the value
is lowered, packets are dropped so that the new limit is
met. Default is 1000 packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>flows</term>
<listitem>
<para>is the number of flows into which the incoming
packets are classified. Due to the stochastic nature of
hashing, multiple flows may end up being hashed into the
same slot. Newer flows have priority over older ones.
This parameter can be set only at load time since memory
has to be allocated for the hash table. Default value is
1024.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>target</term>
<listitem>
<para>is the acceptable minimum standing/persistent
queue delay. This minimum delay is identified by
tracking the local minimum queue delay that packets
experience. Default and recommended value is 5ms.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>interval</term>
<listitem>
<para>is used to ensure that the measured minimum delay
does not become too stale. The minimum delay must be
experienced in the last epoch of length interval. It
should be set on the order of the worst-case RTT through
the bottleneck to give endpoints sufficient time to
react. Default value is 100ms.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>quantum</term>
<listitem>
<para>is the number of bytes used as 'deficit' in the
fair queuing algorithm. Default is set to 1514 bytes
which corresponds to the Ethernet MTU plus the hardware
header length of 14 bytes.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ecn | noecn</term>
<listitem>
<para>can be used to mark packets instead of dropping
them. If ecn has been enabled, noecn can be used to turn
it off and vice-a-versa. By default, ecn is
enabled.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
interface for this. You have 4 classes here, the first you can use
for voice over IP traffic, the second interactive traffic (e.g.
ssh/telnet but not scp), the third will be for all unclassified
traffic, and the forth is for low priority traffic (e.g.
peer-to-peer).</para>
<para>The voice traffic in the first class will be guaranteed a
minimum of 100kbps and always be serviced first (because of the low
priority number, giving less delay) and will be granted excess
bandwidth (up to 180kbps, the class ceiling) first, before any other
traffic. A single VoIP stream, depending upon codecs, after
encapsulation, can take up to 80kbps on a PPPoE/DSL link, so we pad
a little bit just in case. (TOS byte values 0xb8 and 0x68 are
DiffServ classes EF and AFF3-1 respectively and are often used by
VOIP devices).</para>
<para>Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP
echo traffic if you use the example in tcrules) and any packet with
a mark of 2 will be guaranteed 1/4 of the link bandwidth, and may
extend up to full speed of the link.</para>
<para>Unclassified traffic and packets marked as 3 will be
guaranteed 1/4th of the link bandwidth, and may extend to the full
speed of the link.</para>
<para>Packets marked with 4 will be treated as low priority packets.
(The tcrules example marks p2p traffic as such.) If the link is
congested, they're only guaranteed 1/8th of the speed, and even if
the link is empty, can only expand to 80% of link bandwidth just as
a precaution in case there are upstream queues we didn't account
for. This is the last class to get additional bandwidth and the last
to get serviced by the scheduler because of the low priority.</para>
<programlisting> #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc
ppp0 2 full/4 full 2 tcp-ack,tos-minimize-delay
ppp0 3 full/4 full 3 default
ppp0 4 full/8 full*8/10 4</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/tcclasses</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>tc-hfsc(7)</para>
<para>tc-red(8)</para>
<para><ulink
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

302
Shorewall6/manpages/shorewall6-tcdevices.xml
View File

@ -1,302 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-tcdevices</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>tcdevices</refname>
<refpurpose>Shorewall6 Traffic Shaping Devices file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/tcdevices</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Entries in this file define the bandwidth for interfaces on which
you want traffic shaping to be enabled.</para>
<para>If you do not plan to use traffic shaping for a device, don't put it
in here as it limits the throughput of that device to the limits you set
here.</para>
<para>A note on the <emphasis>bandwidth</emphasis> definitions used in
this file:</para>
<itemizedlist>
<listitem>
<para>don't use a space between the integer value and the unit: 30kbit
is valid while 30 kbit is not.</para>
</listitem>
<listitem>
<para>you can use one of the following units:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">kbps</emphasis></term>
<listitem>
<para>Kilobytes per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mbps</emphasis></term>
<listitem>
<para>Megabytes per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">kbit</emphasis></term>
<listitem>
<para>Kilobits per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mbit</emphasis></term>
<listitem>
<para>Megabits per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">bps</emphasis> or <emphasis
role="bold">number</emphasis></term>
<listitem>
<para>Bytes per second.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para>Only whole integers are allowed.</para>
</listitem>
</itemizedlist>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> -
[<emphasis>number</emphasis>:]<emphasis>interface</emphasis></term>
<listitem>
<para>Name of <emphasis>interface</emphasis>. Each interface may be
listed only once in this file. You may NOT specify the name of an
alias (e.g., eth0:0) here; see <ulink
url="/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
<para>You may NOT specify wildcards here, e.g. if you have multiple
ppp interfaces, you need to put them all in here!</para>
<para>If the device doesn't exist, a warning message will be issued
during "shorewall6 [re]start" and "shorewall6 refresh" and traffic
shaping configuration will be skipped for that device.</para>
<para>Shorewall6 assigns a sequential <firstterm>interface
number</firstterm> to each interface (the first entry in the file is
interface 1, the second is interface 2 and so on) Beginning with
Shorewall6-perl 4.1.6, you can explicitly specify the interface
number by prefixing the interface name with the number and a colon
(":"). Example: 1:eth0.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IN-BANDWIDTH (in_bandwidth)</emphasis> -
{-|<replaceable>bandwidth</replaceable>[:<replaceable>burst</replaceable>]|~<replaceable>bandwidth</replaceable>[:<replaceable>interval</replaceable>:<replaceable>decay_interval</replaceable>]}</term>
<listitem>
<para>The incoming <emphasis>bandwidth</emphasis> of that interface.
Please note that you are not able to do traffic shaping on incoming
traffic, as the traffic is already received before you could do so.
But this allows you to define the maximum traffic allowed for this
interface in total, if the rate is exceeded, the packets are
dropped. You want this mainly if you have a DSL or Cable connection
to avoid queuing at your providers side.</para>
<para>If you don't want any traffic to be dropped, set this to a
value to zero in which case Shorewall will not create an ingress
qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
non-empty.</para>
<para>The optional burst option was added in Shorewall 4.4.18. The
default <replaceable>burst</replaceable> is 10kb. A larger
<replaceable>burst</replaceable> can help make the
<replaceable>bandwidth</replaceable> more accurate; often for fast
lines, the enforced rate is well below the specified
<replaceable>bandwidth</replaceable>.</para>
<para>What is described above creates a rate/burst policing filter.
Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used
with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para>
<para>To create a rate-estimated filter, precede the bandwidth with
a tilde ("~"). The optional interval and decay_interval determine
how often the rate is estimated and how many samples are retained
for estimating. Please see <ulink
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink>
for details.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OUT-BANDWIDTH</emphasis> (out_bandwidth) -
<emphasis>bandwidth</emphasis></term>
<listitem>
<para>The outgoing <emphasis>bandwidth</emphasis> of that interface.
This is the maximum speed your connection can handle. It is also the
speed you can refer as "full" if you define the tc classes in <ulink
url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).
Outgoing traffic above this rate will be dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OPTIONS</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">{classify</emphasis>|htb|<emphasis
role="bold">hfsc</emphasis>|<emphasis
role="bold">linklayer</emphasis>={<emphasis
role="bold">ethernet</emphasis>|<emphasis
role="bold">atm</emphasis>|<emphasis
role="bold">adsl</emphasis>}|<emphasis
role="bold">tsize</emphasis>=<replaceable>tsize</replaceable>|<emphasis
role="bold">mtu</emphasis>=<replaceable>mtu</replaceable>|<emphasis
role="bold">mpu</emphasis>=<replaceable>mpu</replaceable>|<emphasis
role="bold">overhead</emphasis>=<replaceable>overhead</replaceable>}
,...}</term>
<listitem>
<para><option>classify</option> ― When specified, Shorewall will not
generate tc or Netfilter rules to classify traffic based on packet
marks. You must do all classification using CLASSIFY rules in <ulink
url="/manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).</para>
<para><option>htb</option> - Use the <firstterm>Hierarchical Token
Bucket</firstterm> queuing discipline. This is the default.</para>
<para><option>hfsc</option> - Shorewall normally uses the
Hierarchical Token Bucket queuing discipline. When
<option>hfsc</option> is specified, the <firstterm>Hierarchical Fair
Service Curves</firstterm> discipline is used instead(see tc-hfsc
(7)).</para>
<para><emphasis role="bold">linklayer</emphasis> - Added in
Shorewall 4.5.6. Type of link (ethernet, atm, adsl). When specified,
causes scheduler packet size manipulation as described in tc-stab
(8). When this option is given, the following options may also be
given after it:</para>
<blockquote>
<para><emphasis
role="bold">mtu</emphasis>=<replaceable>mtu</replaceable> - The
device MTU; default 2048 (will be rounded up to a power of
two)</para>
<para><emphasis
role="bold">mpu</emphasis>=<replaceable>mpubytes</replaceable> -
Minimum packet size used in calculations. Smaller packets will be
rounded up to this size</para>
<para><emphasis
role="bold">tsize</emphasis>=<replaceable>tablesize</replaceable>
- Size table entries; default is 512</para>
<para><emphasis
role="bold">overhead</emphasis>=<replaceable>overheadbytes</replaceable>
- Number of overhead bytes per packet.</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">REDIRECTED INTERFACES</emphasis>
(redirect) -
[<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
<listitem>
<para>Added in Shorewall6-perl 4.1.6. May only be specified if the
interface in the INTERFACE column is an Intermediate Frame Block
(IFB) device. Causes packets that enter each listed interface to be
passed through the egress filters defined for this device, thus
providing a form of incoming traffic shaping. When this column is
non-empty, the <emphasis role="bold">classify</emphasis> option is
assumed.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
interface for this. The device has an outgoing bandwidth of 500kbit
and an incoming bandwidth of 6000kbit</para>
<programlisting> #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
# INTERFACES
1:ppp0 6000kbit 500kbit</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/tcdevices</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>tc-hfsc (7)</para>
<para><ulink
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
<para><ulink
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-mangle(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

344
Shorewall6/manpages/shorewall6-tcfilters.xml
View File

@ -1,344 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-tcfilters</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>tcfilters</refname>
<refpurpose>shorewall6 u32/basic classifier rules file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/tcfilters</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Entries in this file cause packets to be classified for traffic
shaping.</para>
<para>Beginning with Shorewall 4.4.15, the file may contain entries for
both IPv4 and IPv6. By default, all rules apply to IPv6 but that can be
changed by inserting a line as follows:</para>
<variablelist>
<varlistentry>
<term>IPV4</term>
<listitem>
<para>Following entries apply to IPv4.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IPV6</term>
<listitem>
<para>Following entries apply to IPv6</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ALL</term>
<listitem>
<para>Following entries apply to both IPv4 and IPv6. Each entry is
processed twice; once for IPv4 and once for IPv6.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">CLASS</emphasis> -
<emphasis>interface</emphasis><emphasis
role="bold">:</emphasis><emphasis>class</emphasis></term>
<listitem>
<para>The name or number of an <returnvalue>interface</returnvalue>
defined in <ulink
url="/manpages6/shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
followed by a <replaceable>class</replaceable> number defined for
that interface in <ulink
url="/manpages6/shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>Source of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not allowed.
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch </firstterm>capability and you set BASIC_FILTERS=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
ipset name may optionally be followed by a number or a comma
separated list of src and/or dst enclosed in square brackets
([...]). See <ulink
url="/manpages6/shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
details.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>|+<replaceable>ipset</replaceable>}</term>
<listitem>
<para>Destination of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not allowed.
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf (5)</ulink>. The
ipset name may optionally be followed by a number or a comma
separated list of src and/or dst enclosed in square brackets
([...]). See <ulink
url="/manpages6/shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
details.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|{<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis>[,...]}</term>
<listitem>
<para>Protocol.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
<listitem>
<para>Optional destination Ports. A Port name (from services(5)) or
a <emphasis>port number</emphasis>; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s).</para>
<para>This column was formerly labelled DEST PORT(S).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
<listitem>
<para>Optional source port.</para>
<para>This column was formerly labelled SOURCE PORT(S).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TOS</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>tos</emphasis>]</term>
<listitem>
<para>Optional - specifies the value of the TOS field. The
<replaceable>tos</replaceable> value can be any of the
following:</para>
<itemizedlist>
<listitem>
<para><option>tos-minimize-delay</option></para>
</listitem>
<listitem>
<para><option>tos-maximize-throughput</option></para>
</listitem>
<listitem>
<para><option>tos-maximize-reliability</option></para>
</listitem>
<listitem>
<para><option>tos-minimize-cost</option></para>
</listitem>
<listitem>
<para><option>tos-normal-service</option></para>
</listitem>
<listitem>
<para><replaceable>hex-number</replaceable></para>
</listitem>
<listitem>
<para><replaceable>hex-number</replaceable>/<replaceable>hex-number</replaceable></para>
</listitem>
</itemizedlist>
<para>The <replaceable>hex-number</replaceable>s must be exactly two
digits (e.g., 0x04)x.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LENGTH</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>number</emphasis>]</term>
<listitem>
<para>Optional. Must be a power of 2 between 32 and 8192 inclusive.
Packets with a total length that is strictly less than the specified
<replaceable>number</replaceable> will match the rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PRIORITY</emphasis> - [<emphasis
role="bold">-</emphasis>|<emphasis>number</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.8. Specifies the rule priority. The
priority value must be &gt; 0 and &lt;= 65535.</para>
<para>When a <replaceable>priority</replaceable> is not
given:</para>
<itemizedlist>
<listitem>
<para>For Shorewall versions prior to 4.5.8 - all filters have
priority 11.</para>
</listitem>
<listitem>
<para>For Shorewall 4.5.8 and later - for each device, the
compiler maintains a <firstterm>high-water priority</firstterm>
with an initial value of 0. When a filter has no
<replaceable>priority</replaceable>, the high-water priority is
incremented by 1 and assigned to the filter. When a
<replaceable>priority</replaceable> greater than the high-water
priority is entered in this column, the high-water priority is
set to the specified <replaceable>priority</replaceable>. An
attempt to assign a priority value greater than 65535
(explicitly or implicitly) raises an error.</para>
</listitem>
</itemizedlist>
<para>The default priority values used by other Shorewall-generated
filters are as follows:</para>
<itemizedlist>
<listitem>
<para>Classify by packet mark - ( <replaceable>class
priority</replaceable> &lt;&lt; 8 ) | 20.</para>
</listitem>
<listitem>
<para>Ingress policing - 10</para>
</listitem>
<listitem>
<para>Simple TC ACK packets - 1</para>
</listitem>
<listitem>
<para>Complex TC ACK packets - ( <replaceable>class
priority</replaceable> &lt;&lt; 8 ) | 20.</para>
</listitem>
<listitem>
<para>Classify by TOS - ( <replaceable>class
priority</replaceable> &lt;&lt; 8 ) | 15.</para>
</listitem>
<listitem>
<para>Class with 'occurs' - 65535</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Place all 'ping' traffic on interface 1 in class 10. Note that
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
protocols.</para>
<programlisting> #CLASS SOURCE DEST PROTO DPORT
IPV4
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
IPV6
1:10 ::/0 ::/0 icmp6 echo-request
1:10 ::/0 ::/0 icmp6 echo-reply</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
later).</para>
<programlisting> #CLASS SOURCE DEST PROTO DPORT PRIORITY
IPV6
1:10 ::/0 ::/0 icmp echo-request 10
1:10 ::/0 ::/0 icmp echo-reply 10</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/tcfilters</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</ulink></para>
<para><ulink
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
<para><ulink
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
<para/>
</refsect1>
</refentry>

224
Shorewall6/manpages/shorewall6-tcinterfaces.xml
View File

@ -1,224 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-tcinterfaces</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>tcinterfaces</refname>
<refpurpose>Shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/tcinterfaces</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file lists the interfaces that are subject to simple traffic
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>A note on the <emphasis>bandwidth</emphasis> definition used in this
file:</para>
<itemizedlist>
<listitem>
<para>don't use a space between the integer value and the unit: 30kbit
is valid while 30 kbit is not.</para>
</listitem>
<listitem>
<para>you can use one of the following units:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">kbps</emphasis></term>
<listitem>
<para>Kilobytes per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mbps</emphasis></term>
<listitem>
<para>Megabytes per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">kbit</emphasis></term>
<listitem>
<para>Kilobits per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mbit</emphasis></term>
<listitem>
<para>Megabits per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">bps</emphasis> or <emphasis
role="bold">number</emphasis></term>
<listitem>
<para>Bytes per second.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>k or kb</term>
<listitem>
<para>Kilo bytes.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>m or mb</term>
<listitem>
<para>Megabytes.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para>Only whole integers are allowed.</para>
</listitem>
</itemizedlist>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis></term>
<listitem>
<para>The logical name of an interface. If you run both IPv4 and
IPv6 Shorewall firewalls, a given interface should only be listed in
one of the two configurations.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TYPE</emphasis> - [<emphasis
role="bold">external</emphasis>|<emphasis
role="bold">internal</emphasis>]</term>
<listitem>
<para>Optional. If given specifies whether the interface is
<emphasis role="bold">external</emphasis> (facing toward the
Internet) or <emphasis role="bold">internal</emphasis> (facing
toward a local network) and enables SFQ flow classification.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IN-BANDWIDTH (in_bandwidth)</emphasis> -
{-|<replaceable>bandwidth</replaceable>[:<replaceable>burst</replaceable>]|~<replaceable>bandwidth</replaceable>[:<replaceable>interval</replaceable>:<replaceable>decay_interval</replaceable>]}</term>
<listitem>
<para>The incoming <emphasis>bandwidth</emphasis> of that interface.
Please note that you are not able to do traffic shaping on incoming
traffic, as the traffic is already received before you could do so.
But this allows you to define the maximum traffic allowed for this
interface in total, if the rate is exceeded, the packets are
dropped. You want this mainly if you have a DSL or Cable connection
to avoid queuing at your providers side.</para>
<para>If you don't want any traffic to be dropped, set this to a
value to zero in which case Shorewall will not create an ingress
qdisc. Must be set to zero if the REDIRECTED INTERFACES column is
non-empty.</para>
<para>The optional burst option was added in Shorewall 4.4.18. The
default <replaceable>burst</replaceable> is 10kb. A larger
<replaceable>burst</replaceable> can help make the
<replaceable>bandwidth</replaceable> more accurate; often for fast
lines, the enforced rate is well below the specified
<replaceable>bandwidth</replaceable>.</para>
<para>What is described above creates a rate/burst policing filter.
Beginning with Shorewall 4.4.25, a rate-estimated policing filter
may be configured instead. Rate-estimated filters should be used
with Ethernet adapters that have Generic Receive Offload enabled by
default. See <ulink url="/FAQ.htm#faq97a">Shorewall FAQ
97a</ulink>.</para>
<para>To create a rate-estimated filter, precede the bandwidth with
a tilde ("~"). The optional interval and decay_interval determine
how often the rate is estimated and how many samples are retained
for estimating. Please see <ulink
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink>
for details.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>OUT-BANDWIDTH (out_bandwidth) -
[<replaceable>rate</replaceable>[:[<replaceable>burst</replaceable>][:[<replaceable>latency</replaceable>][:[<replaceable>peek</replaceable>][:[<replaceable>minburst</replaceable>]]]]]]</term>
<listitem>
<para>Added in Shorewall 4.4.13. The terms are defined in
tc-tbf(8).</para>
<para>Shorewall provides defaults as follows:</para>
<simplelist>
<member><replaceable>burst</replaceable> - 10kb</member>
<member><replaceable>latency</replaceable> - 200ms</member>
</simplelist>
<para>The remaining options are defaulted by tc(8).</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/tcinterfaces.</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>
<para><ulink
url="http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/estimators.txt</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcpri, shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

164
Shorewall6/manpages/shorewall6-tcpri.xml
View File

@ -1,164 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-tcpri</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>tcpri</refname>
<refpurpose>Shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/tcpri</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to specify the priority band of traffic for simple
traffic shaping (TC_ENABLED=Simple in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)). The
priority band of each packet is determined by the <emphasis
role="bold">last</emphasis> entry that the packet matches. If a packet
doesn't match any entry in this file, then its priority will be determined
by its TOS field. The default mapping is as follows but can be changed by
setting the TC_PRIOMAP option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<programlisting>TOS Bits Means Linux Priority BAND
------------------------------------------------------------
0x0 0 Normal Service 0 Best Effort 2
0x2 1 Minimize Monetary Cost 1 Filler 3
0x4 2 Maximize Reliability 0 Best Effort 2
0x6 3 mmc+mr 0 Best Effort 2
0x8 4 Maximize Throughput 2 Bulk 3
0xa 5 mmc+mt 2 Bulk 3
0xc 6 mr+mt 2 Bulk 3
0xe 7 mmc+mr+mt 2 Bulk 3
0x10 8 Minimize Delay 6 Interactive 1
0x12 9 mmc+md 6 Interactive 1
0x14 10 mr+md 6 Interactive 1
0x16 11 mmc+mr+md 6 Interactive 1
0x18 12 mt+md 4 Int. Bulk 2
0x1a 13 mmc+mt+md 4 Int. Bulk 2
0x1c 14 mr+mt+md 4 Int. Bulk 2
0x1e 15 mmc+mr+mt+md 4 Int. Bulk 2</programlisting>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">BAND</emphasis> - {<emphasis
role="bold">1</emphasis>|<emphasis role="bold">2</emphasis>|<emphasis
role="bold">3</emphasis>}</term>
<listitem>
<para>Classifies matching traffic as High Priority (1), Medium
Priority (2) or Low Priority (3). For those interfaces listed in
<ulink
url="/manpages6/shorewall6-tcinterfaces.html">shorewall6-tcinterfaces</ulink>(5),
Priority 2 traffic will be deferred so long and there is Priority 1
traffic queued and Priority 3 traffic will be deferred so long as
there is Priority 1 or Priority 2 traffic to send.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> -
<replaceable>protocol</replaceable>[,...]</term>
<listitem>
<para>Optional. The name or number of an IPv4
<replaceable>protocol</replaceable>.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
<listitem>
<para>Optional. May only be given if the the PROTO is TCP (6), UDP
(17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
port numbers or service names from /etc/services. Port ranges of the
form
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
may also be included.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ADDRESS - [<replaceable>address</replaceable>]</term>
<listitem>
<para>Optional. The IP or MAC address that the traffic originated
from. MAC addresses must be given in Shorewall format. If this
column contains an address, then the PROTO, PORT(S) and INTERFACE
column must be empty ("-").</para>
</listitem>
</varlistentry>
<varlistentry>
<term>INTERFACE - [<replaceable>interface</replaceable>]</term>
<listitem>
<para>Optional. The logical name of an
<replaceable>interface</replaceable> that traffic arrives from. If
given, the PROTO, PORT(S) and ADDRESS columns must be empty
("-").</para>
<note>
<para>INTERFACE classification of packets occurs before
classification by PROTO/PORT(S)/ADDRESS. So it is highly
recommended to place entries that specify INTERFACE at the top of
the file so that the rule about <emphasis>last entry
matches</emphasis> is preserved.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HELPER</emphasis> -
[<replaceable>helper</replaceable>]</term>
<listitem>
<para>Optional. Names a Netfilter protocol helper module such as
ftp, sip, amanda, etc. A packet will match if it was accepted by the
named helper module. You can also append "-" and a port number to
the helper module name (e.g., ftp-21) to specify the port number
that the original connection was made on.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/tcpri</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>PRIO(8), shorewall6(8), shorewall6-accounting(5),
shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcinterfaces(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

264
Shorewall6/manpages/shorewall6-tunnels.xml
View File

@ -1,264 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-tunnels</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>tunnels</refname>
<refpurpose>Shorewall6 VPN definition file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/tunnels</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The tunnels file is used to define rules for encapsulated (usually
encrypted) traffic to pass between the Shorewall6 system and a remote
gateway. Traffic flowing through the tunnel is handled using the normal
zone/policy/rule mechanism. See <ulink
url="/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink> for
details.</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">TYPE</emphasis> - {<emphasis
role="bold">ipsec</emphasis>[<emphasis
role="bold">:{noah</emphasis>|ah}]|<emphasis
role="bold">ipsecnat</emphasis>|<emphasis
role="bold">gre</emphasis>|l2tp|<emphasis
role="bold">pptpclient</emphasis>|<emphasis
role="bold">pptpserver</emphasis>|?COMMENT|{<emphasis
role="bold">openvpn</emphasis>|<emphasis
role="bold">openvpnclient</emphasis>|<emphasis
role="bold">openvpnserver</emphasis>}[:{<emphasis
role="bold">tcp</emphasis>|<emphasis
role="bold">udp</emphasis>}]<emphasis
role="bold">[</emphasis>:<emphasis>port</emphasis>]|<emphasis
role="bold">generic</emphasis><emphasis
role="bold">:</emphasis><emphasis>protocol</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>port</emphasis>]}</term>
<listitem>
<para>Types are as follows:</para>
<programlisting> <emphasis role="bold">ipsec</emphasis> - IPv6 IPSEC
<emphasis role="bold">ipsecnat</emphasis> - IPv6 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
<emphasis role="bold">gre</emphasis> - Generalized Routing Encapsulation (Protocol 47)
<emphasis role="bold">l2tp</emphasis> - Layer 2 Tunneling Protocol (UDP port 1701)
<emphasis role="bold">openvpn</emphasis> - OpenVPN in point-to-point mode
<emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
<emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
<emphasis role="bold">generic</emphasis> - Other tunnel type
<emphasis role="bold">tinc</emphasis> - TINC (added in Shorewall 4.6.6)</programlisting>
<para>If the type is <emphasis role="bold">ipsec</emphasis>, it may
be followed by <emphasis role="bold">:ah</emphasis> to indicate that
the Authentication Headers protocol (51) is used by the tunnel (the
default is <option>:noah</option> which means that protocol 51 is
not used). NAT traversal is only supported with ESP (protocol 50) so
<emphasis role="bold">ipsecnat</emphasis> tunnels don't allow the
<emphasis role="bold">ah</emphasis> option (<emphasis
role="bold">ipsecnat:noah</emphasis> may be specified but is
redundant).</para>
<para>If type is <emphasis role="bold">openvpn</emphasis>, <emphasis
role="bold">openvpnclient</emphasis> or <emphasis
role="bold">openvpnserver</emphasis> it may optionally be followed
by ":" and <emphasis role="bold">tcp</emphasis> or <emphasis
role="bold">udp</emphasis> to specify the protocol to be used. If
not specified, <emphasis role="bold">udp</emphasis> is assumed.
Note: At this writing, OpenVPN does not support IPv6.</para>
<para>If type is <emphasis role="bold">openvpn</emphasis>, <emphasis
role="bold">openvpnclient</emphasis> or <emphasis
role="bold">openvpnserver</emphasis> it may optionally be followed
by ":" and the port number used by the tunnel. if no ":" and port
number are included, then the default port of 1194 will be used. .
Where both the protocol and port are specified, the protocol must be
given first (e.g., openvpn:tcp:4444).</para>
<para>If type is <emphasis role="bold">generic</emphasis>, it must
be followed by ":" and a protocol name (from /etc/protocols) or a
protocol number. If the protocol is <emphasis
role="bold">tcp</emphasis> or <emphasis role="bold">udp</emphasis>
(6 or 17), then it may optionally be followed by ":" and a port
number.</para>
<para>Comments may be attached to Netfilter rules generated from
entries in this file through the use of ?COMMENT lines. These lines
begin with the word ?COMMENT; the remainder of the line is treated
as a comment which is attached to subsequent rules until another
?COMMENT line is found or until the end of the file is reached. To
stop adding comments to rules, use a line with only the word
?COMMENT.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ZONE</emphasis> -
<emphasis>zone</emphasis></term>
<listitem>
<para>The <emphasis>zone</emphasis> of the physical interface
through which tunnel traffic passes. This is normally your internet
zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis>(S) (gateway or
gateways) - <emphasis>address-or-range</emphasis> <emphasis
role="bold">[ , ... ]</emphasis></term>
<listitem>
<para>The IP address of the remote tunnel gateway. If the remote
gateway has no fixed address (Road Warrior) then specify the gateway
as <emphasis role="bold">::/0</emphasis>. May be specified as a
network address and if your kernel and ip6tables include iprange
match support then IP address ranges are also allowed.</para>
<para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
may be given. Exclusion (<ulink
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>
(5) ) is not supported.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">GATEWAY ZONE(S)</emphasis> (gateway_zone
or gateway_zones) - [<emphasis>zone</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>zone</emphasis>]...]</term>
<listitem>
<para>Optional. If the gateway system specified in the third column
is a standalone host then this column should contain a
comma-separated list of the names of the zones that the host might
be in. This column only applies to IPSEC tunnels where it enables
ISAKMP traffic to flow through the tunnel to the remote
gateway(s).</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>IPSec tunnel.</para>
<para>The remote gateway is 2001:cec792b4:1::44. The tunnel does not
use the AH protocol</para>
<programlisting> #TYPE ZONE GATEWAY
ipsec:noah net 2002:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>Road Warrior (LapTop that may connect from anywhere) where the
"gw" zone is used to represent the remote LapTop</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net ::/0 gw</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 3:</term>
<listitem>
<para>Host 2001:cec792b4:1::44 is a standalone system connected via
an ipsec tunnel to the firewall system. The host is in zone
gw.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 2001:cec792b4:1::44 gw</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 4:</term>
<listitem>
<para>OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
openvpn uses port 7777.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
openvpn:7777 net 2001:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 8:</term>
<listitem>
<para>You have a tunnel that is not one of the supported types. Your
tunnel uses UDP port 4444. The other end of the tunnel is
2001:cec792b4:1::44.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
generic:udp:4444 net 2001:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 9:</term>
<listitem>
<para>TINC tunnel where the remote gateways are not specified. If
you wish to specify a list of gateways, you can do so in the GATEWAY
column.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
tinc net ::/0</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/tunnels</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

67
Shorewall6/manpages/shorewall6-vardir.xml
View File

@ -1,67 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-vardir</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>vardir</refname>
<refpurpose>Shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/vardir</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file does not exist by default. You may create the file if you
want to change the directory used by Shorewall6 to store state
information, including compiled firewall scripts. By default, the
directory used is <filename>/var/lib/shorewall6/</filename>.</para>
<para>The file contains a single variable assignment:</para>
<para><option>VARDIR=</option><replaceable>directory</replaceable></para>
<para>where <replaceable>directory</replaceable> is the name of a
directory. If you add this file, you should copy the files from
<filename>/var/lib/shorewall6</filename> to the new directory before
performing a <command>shorewall6 restart</command>.</para>
</refsect1>
<refsect1>
<title>Example</title>
<para>VARDIR=/root/shorewall6</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/vardir</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>

471
Shorewall6/manpages/shorewall6-zones.xml
View File

@ -1,471 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-zones</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
<refnamediv>
<refname>zones</refname>
<refpurpose>Shorewall6 zone declaration file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/zones</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The /etc/shorewall6/zones file declares your network zones. You
specify the hosts in each zone through entries in
<filename>/etc/shorewall6/interfaces</filename> or
<filename>/etc/shorewall6/hosts</filename>.</para>
<para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ZONE</emphasis> -
<emphasis>zone</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>parent-zone</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>parent-zone</emphasis>]...]</term>
<listitem>
<para>Name of the <emphasis>zone</emphasis>. Must start with a
letter and consist of letters, digits or '_'. The names "all",
"none", "any", "SOURCE" and "DEST" are reserved and may not be used
as zone names. The maximum length of a zone name is determined by
the setting of the LOGFORMAT option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). With
the default LOGFORMAT, zone names can be at most 5 characters
long.</para>
<blockquote>
<para>The maximum length of an iptables log prefix is 29 bytes. As
explained in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5), the legacy
default LOGPREFIX formatting string is “Shorewall:%s:%s:” where
the first %s is replaced by the chain name and the second is
replaced by the disposition.</para>
<itemizedlist>
<listitem>
<para>The "Shorewall:%s:%s:" formatting string has 12 fixed
characters ("Shorewall" and three colons).</para>
</listitem>
<listitem>
<para>The longest of the standard dispositions are ACCEPT and
REJECT which have 6 characters each.</para>
</listitem>
<listitem>
<para>The canonical name for the chain containing the rules
for traffic going from zone 1 to zone 2 is "&lt;zone
1&gt;2&lt;zone 2&gt;" or "&lt;zone 1&gt;-&lt;zone
2&gt;".</para>
</listitem>
<listitem>
<para>So if M is the maximum zone name length, such chains can
have length 2*M + 1.</para>
<simplelist>
<member>12 + 6 + 2*M + 1 = 29 which reduces to</member>
<member>2*M = 29 - 12 - 6 - 1 = 10 or</member>
<member>M = 5</member>
</simplelist>
</listitem>
</itemizedlist>
<para>In Shorewall 5.1.0, the LOGFORMAT in the default and sample
shorewall.conf files was changed to "%s:%s ".</para>
<itemizedlist>
<listitem>
<para>That formatting string has 2 fixed characters (":" and a
space).</para>
</listitem>
<listitem>
<para>So the maximum zone name length M is calculated
as:</para>
<simplelist>
<member>2 + 6 + 2*M + 1 = 29</member>
<member>2M = 29 - 2 + 6 + 1 = 20</member>
<member>M = 10</member>
</simplelist>
</listitem>
</itemizedlist>
</blockquote>
<para>The order in which Shorewall6 matches addresses from packets
to zones is determined by the order of zone declarations. Where a
zone is nested in one or more other zones, you may either ensure
that the nested zone precedes its parents in this file, or you may
follow the (sub)zone name by ":" and a comma-separated list of the
parent zones. The parent zones must have been declared in earlier
records in this file. See <ulink
url="/manpages6/shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
for additional information.</para>
<para>Example:</para>
<programlisting>#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
a ipv6
b ipv6
c:a,b ipv6</programlisting>
<para>Currently, Shorewall6 uses this information to reorder the
zone list so that parent zones appear after their subzones in the
list. The IMPLICIT_CONTINUE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) can
also create implicit CONTINUE policies to/from the subzone.</para>
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
explicitly included as a child of an <emphasis
role="bold">ipv6</emphasis> zone, the ruleset allows CONTINUE
policies (explicit or implicit) to work as expected.</para>
<para>In the future, Shorewall6 may make additional use of nesting
information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TYPE</emphasis></term>
<listitem>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ipv6</emphasis></term>
<listitem>
<para>This is the standard Shorewall6 zone type and is the
default if you leave this column empty or if you enter "-" in
the column. Communication with some zone hosts may be
encrypted. Encrypted hosts are designated using the 'ipsec'
option in <ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipsec</emphasis> (or <emphasis
role="bold">ipsec6</emphasis>)</term>
<listitem>
<para>Communication with all zone hosts is encrypted. Your
kernel and ip6tables must include policy match support.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">firewall</emphasis></term>
<listitem>
<para>Designates the firewall itself. You must have exactly
one 'firewall' zone. No options are permitted with a
'firewall' zone. The name that you enter in the ZONE column
will be stored in the shell variable $FW which you may use in
other configuration files to designate the firewall
zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">bport</emphasis> (or <emphasis
role="bold">bport6</emphasis>)</term>
<listitem>
<para>The zone is associated with one or more ports on a
single bridge.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">vserver</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.11 Beta 2 - A zone composed of
Linux-vserver guests. The zone contents must be defined in
<ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>
(5).</para>
<para>Vserver zones are implicitly handled as subzones of the
firewall zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">loopback</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.17.</para>
<para>Normally, Shorewall treats the loopback interface (lo)
in the following way:</para>
<itemizedlist>
<listitem>
<para>By default, all traffic through the interface is
ACCEPTed.</para>
</listitem>
<listitem>
<para>If a $FW -&gt; $FW policy is defined or $FW -&gt;
$FW rules are defined, they are placed in a chain named
${FW}2${F2} or ${FW}-${FW} (e.g., 'fw2fw' or 'fw-fw' )
depending on the ZONE2ZONE setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
<listitem>
<para>$FW -&gt; $FW traffic is only filtered in the OUTPUT
chain.</para>
</listitem>
</itemizedlist>
<para>By defining a <emphasis role="bold">loopback</emphasis>
zone and associating it with the loopback interface in
shorewall-interfaces(5), you can effect a slightly different
model. Suppose that the <emphasis
role="bold">loopback</emphasis> zone name is 'local';
then:</para>
<itemizedlist>
<listitem>
<para>Both $FW -&gt; local and local -&gt; $FW chains are
created.</para>
</listitem>
<listitem>
<para>The $FW -&gt; local and local -&gt; $FW policies may
be different.</para>
</listitem>
<listitem>
<para>Both $FW -&gt; local and local -&gt; $FW rules may
be specified.</para>
</listitem>
</itemizedlist>
<para>Rules to/from the <emphasis
role="bold">loopback</emphasis> zone and any zone other than
the firewall zone are ignored with a warning.</para>
<para><emphasis role="bold">loopback</emphasis> zones may be
nested within other <emphasis role="bold">loopback</emphasis>
zones.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>local</term>
<listitem>
<para>Added in Shorewall 4.5.17. <emphasis
role="bold">local</emphasis> is the same as <emphasis
role="bold">ipv6</emphasis> with the exception that the zone
is only accessible from the <emphasis
role="bold">firewall</emphasis> and <emphasis
role="bold">vserver</emphasis> zones.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OPTIONS, IN OPTIONS and OUT
OPTIONS</emphasis> (options, in_options, out_options) -
[<emphasis>option</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
<listitem>
<para>A comma-separated list of options. With the exception of the
<option>mss</option> and <option>blacklist</option> options, these
only apply to TYPE <option>ipsec</option> zones.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.13. May not be specified for
<emphasis role="bold">firewall</emphasis> or <emphasis
role="bold">vserver</emphasis> zones.</para>
<para>When specified in the IN_OPTIONS column, causes all
traffic from this zone to be passed against the <emphasis
role="bold">src</emphasis> entries in <ulink
url="/manpages6/shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5).</para>
<para>When specified in the OUT_OPTIONS column, causes all
traffic to this zone to be passed against the <emphasis
role="bold">dst</emphasis> entries in s<ulink
url="/manpages6/shorewall6-blacklist.html">horewall6-blacklist</ulink>(5).</para>
<para>Specifying this option in the OPTIONS column is
equivalent to entering it in both of the IN_OPTIONS and
OUT_OPTIONS column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">dynamic_shared</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.9. May only be specified in the
OPTIONS column and indicates that only a single ipset should
be created for this zone if it has multiple dynamic entries in
<ulink
url="/manpages6/shorewall6-hosts.html">shorewall6-hosts</ulink>(5).
Without this option, a separate ipset is created for each
interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>where <emphasis>number</emphasis> is specified using
setkey(8) using the 'unique:<emphasis>number</emphasis> option
for the SPD level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
<listitem>
<para>where <emphasis>number</emphasis> is the SPI of the SA
used to encrypt/decrypt packets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto=</emphasis><emphasis
role="bold">ah</emphasis>|<emphasis
role="bold">esp</emphasis>|<emphasis
role="bold">ipcomp</emphasis></term>
<listitem>
<para>IPSEC Encapsulation Protocol</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss=</emphasis><emphasis>number</emphasis></term>
<listitem>
<para>sets the MSS field in TCP packets. If you supply this
option, you should also set FASTACCEPT=No in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
to insure that both the SYN and SYN,ACK packets have their MSS
field adjusted.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">mode=</emphasis><emphasis
role="bold">transport</emphasis>|<emphasis
role="bold">tunnel</emphasis></term>
<listitem>
<para>IPSEC mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
<listitem>
<para>only available with mode=tunnel</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">strict</emphasis></term>
<listitem>
<para>Means that packets must match all rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">next</emphasis></term>
<listitem>
<para>Separates rules; can only be used with strict</para>
</listitem>
</varlistentry>
</variablelist>
<para>The options in the OPTIONS column are applied to both incoming
and outgoing traffic. The IN OPTIONS are applied to incoming traffic
(in addition to OPTIONS) and the OUT OPTIONS are applied to outgoing
traffic.</para>
<para>If you wish to leave a column empty but need to make an entry
in a following column, use "-".</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/zones</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-nesting(8),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5)</para>
</refsect1>
</refentry>

2833
Shorewall6/manpages/shorewall6.conf.xml
View File

File diff suppressed because it is too large Load Diff