From 50b4bd8dfe123e2aa7afc3f3d8f5dd88adc7ff36 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 6 Sep 2010 17:26:49 -0700 Subject: [PATCH] More Blacklist and Secmark documentation updates Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 1 + docs/blacklisting_support.xml | 23 +++++++++++++++++++++++ manpages/shorewall-secmarks.xml | 10 +++++----- manpages6/shorewall6-secmarks.xml | 10 +++++----- 4 files changed, 34 insertions(+), 10 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index cb52a68d9..60bc463af 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -1397,6 +1397,7 @@ sub process_secmark_rule() { my $chain1= $chns{$chain}; fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1; + fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && chain1 ne 'tcout'; if ( ( $state ||= '' ) ne '' ) { my $state1; diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml index e841193c3..02a38787e 100644 --- a/docs/blacklisting_support.xml +++ b/docs/blacklisting_support.xml 
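Review bot: The added `fatal_error` guard in the Tc.pm hunk tests the bareword `chain1` rather than the variable `$chain1` declared two lines above, so under `use strict` the line will not compile, and without strict it compares the literal string 'chain1' against 'tcout', which is always unequal and would reject every secmarks rule that sets USER/GROUP regardless of chain. The line should read `fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';`. The check itself is the right idea, since an owner match only makes sense on locally generated traffic, but whether 'tcout' is the `%chns` value that corresponds to the OUTPUT chain cannot be confirmed from this hunk, and `$user` is presumably the parsed USER/GROUP column set earlier in `process_secmark_rule`, whose body begins and ends outside the hunk. A regression test feeding a secmarks entry with a USER/GROUP value and a non-OUTPUT CHAIN would have caught the missing sigil.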
@@ -167,6 +167,29 @@ ipset -A Blacklist 206.124.146.177 ipset -B Blacklist 206.124.146.177 -b SMTP This will blacklist SMTP traffic from host 206.124.146.177. + + Beginning with Shoreall 4.4.13, outgoing blacklisting is also + supported. The "blacklist" setting in /etc/shorewall/interfaces + specifes whether an interface is an Internet-facing interface (value 1) or + an internal interface (value 2). Additionally, entries in + /etc/shorewall/blacklist can be specified as defining + the destination IP address rather than the source address. + + + + Traffic entering an Internet-facing interface is passed against + those blacklist entries that specify the source IP address. Traffic + originating on the firewall and leaving on an Interface-facing + interface is passed against the blacklist entries that specify the + destination IP address. + + + + Traffic entering an internal interface is passed against those + blacklist entries that specify the destination IP address. + +
diff --git a/manpages/shorewall-secmarks.xml b/manpages/shorewall-secmarks.xml index a2f26e4d6..40c5d7451 100644 --- a/manpages/shorewall-secmarks.xml +++ b/manpages/shorewall-secmarks.xml @@ -335,11 +335,11 @@ /etc/shorewall/secmarks: - #SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK -# STATE PORT(S) PORT(S) GROUP -system_u:object_r:mysqld_t:s0 I:N lo 127.0.0.1 tcp 3306 -SAVE I:N lo 127.0.0.1 tcp 3306 -RESTORE I:E + #SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK +# STATE PORT(S) PORT(S) GROUP +system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306 +SAVE I:N lo 127.0.0.1 tcp 3306 +RESTORE I:E diff --git a/manpages6/shorewall6-secmarks.xml b/manpages6/shorewall6-secmarks.xml index 8735c6b60..5835329b5 100644 --- a/manpages6/shorewall6-secmarks.xml +++ b/manpages6/shorewall6-secmarks.xml @@ -332,11 +332,11 @@ /etc/shorewall6/secmarks: - #SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK -# STATE PORT(S) PORT(S) GROUP -system_u:object_r:mysqld_t:s0 I:N lo ::1 tcp 3306 -SAVE I:N lo ::1 tcp 3306 -RESTORE I:E + #SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK +# STATE PORT(S) PORT(S) GROUP +system_u:object_r:mysqld_packet_t:s0 I:N lo ::1 tcp 3306 +SAVE I:N lo ::1 tcp 3306 +RESTORE I:E