mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 16:54:10 +01:00
More Blacklist and Secmark documentation updates
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
f3255cd83a
commit
50b4bd8dfe
@ -1397,6 +1397,7 @@ sub process_secmark_rule() {
|
||||
my $chain1= $chns{$chain};
|
||||
|
||||
fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
|
||||
fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && chain1 ne 'tcout';
|
||||
|
||||
if ( ( $state ||= '' ) ne '' ) {
|
||||
my $state1;
|
||||
|
@ -167,6 +167,29 @@ ipset -A Blacklist 206.124.146.177
|
||||
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
|
||||
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
|
||||
|
||||
<para>Beginning with Shoreall 4.4.13, outgoing blacklisting is also
|
||||
supported. The "blacklist" setting in <ulink
|
||||
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
|
||||
specifes whether an interface is an Internet-facing interface (value 1) or
|
||||
an internal interface (value 2). Additionally, entries in
|
||||
<filename>/etc/shorewall/blacklist</filename> can be specified as defining
|
||||
the destination IP address rather than the source address.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Traffic entering an Internet-facing interface is passed against
|
||||
those blacklist entries that specify the source IP address. Traffic
|
||||
originating on the firewall and leaving on an Interface-facing
|
||||
interface is passed against the blacklist entries that specify the
|
||||
destination IP address.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Traffic entering an internal interface is passed against those
|
||||
blacklist entries that specify the destination IP address.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section id="Dynamic">
|
||||
|
@ -335,11 +335,11 @@
|
||||
|
||||
<para><filename>/etc/shorewall/secmarks</filename>:</para>
|
||||
|
||||
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
||||
# STATE PORT(S) PORT(S) GROUP
|
||||
system_u:object_r:mysqld_t:s0 I:N lo 127.0.0.1 tcp 3306
|
||||
SAVE I:N lo 127.0.0.1 tcp 3306
|
||||
RESTORE I:E</programlisting>
|
||||
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
||||
# STATE PORT(S) PORT(S) GROUP
|
||||
system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306
|
||||
SAVE I:N lo 127.0.0.1 tcp 3306
|
||||
RESTORE I:E</programlisting>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
@ -332,11 +332,11 @@
|
||||
|
||||
<para><filename>/etc/shorewall6/secmarks</filename>:</para>
|
||||
|
||||
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
||||
# STATE PORT(S) PORT(S) GROUP
|
||||
system_u:object_r:mysqld_t:s0 I:N lo ::1 tcp 3306
|
||||
SAVE I:N lo ::1 tcp 3306
|
||||
RESTORE I:E</programlisting>
|
||||
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
||||
# STATE PORT(S) PORT(S) GROUP
|
||||
system_u:object_r:mysqld_packet_t:s0 I:N lo ::1 tcp 3306
|
||||
SAVE I:N lo ::1 tcp 3306
|
||||
RESTORE I:E</programlisting>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
Loading…
Reference in New Issue
Block a user