extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

More Blacklist and Secmark documentation updates

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-09-06 17:26:49 -07:00
parent f3255cd83a
commit 50b4bd8dfe
4 changed files with 34 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -1397,6 +1397,7 @@ sub process_secmark_rule() {
my $chain1= $chns{$chain}; my $chain1= $chns{$chain};
fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1; fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && chain1 ne 'tcout';
if ( ( $state ||= '' ) ne '' ) { if ( ( $state ||= '' ) ne '' ) {
my $state1; my $state1;

23
docs/blacklisting_support.xml
View File

@ -167,6 +167,29 @@ ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting> ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para> <para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
<para>Beginning with Shoreall 4.4.13, outgoing blacklisting is also
supported. The "blacklist" setting in <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
specifes whether an interface is an Internet-facing interface (value 1) or
an internal interface (value 2). Additionally, entries in
<filename>/etc/shorewall/blacklist</filename> can be specified as defining
the destination IP address rather than the source address.</para>
<itemizedlist>
<listitem>
<para>Traffic entering an Internet-facing interface is passed against
those blacklist entries that specify the source IP address. Traffic
originating on the firewall and leaving on an Interface-facing
interface is passed against the blacklist entries that specify the
destination IP address.</para>
</listitem>
<listitem>
<para>Traffic entering an internal interface is passed against those
blacklist entries that specify the destination IP address.</para>
</listitem>
</itemizedlist>
</section> </section>
<section id="Dynamic"> <section id="Dynamic">

10
manpages/shorewall-secmarks.xml
View File

@ -335,11 +335,11 @@
<para><filename>/etc/shorewall/secmarks</filename>:</para> <para><filename>/etc/shorewall/secmarks</filename>:</para>
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK <programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
# STATE PORT(S) PORT(S) GROUP # STATE PORT(S) PORT(S) GROUP
system_u:object_r:mysqld_t:s0 I:N lo 127.0.0.1 tcp 3306 system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306
SAVE I:N lo 127.0.0.1 tcp 3306 SAVE I:N lo 127.0.0.1 tcp 3306
RESTORE I:E</programlisting> RESTORE I:E</programlisting>
</refsect1> </refsect1>
<refsect1> <refsect1>

10
manpages6/shorewall6-secmarks.xml
View File

@ -332,11 +332,11 @@
<para><filename>/etc/shorewall6/secmarks</filename>:</para> <para><filename>/etc/shorewall6/secmarks</filename>:</para>
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK <programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
# STATE PORT(S) PORT(S) GROUP # STATE PORT(S) PORT(S) GROUP
system_u:object_r:mysqld_t:s0 I:N lo ::1 tcp 3306 system_u:object_r:mysqld_packet_t:s0 I:N lo ::1 tcp 3306
SAVE I:N lo ::1 tcp 3306 SAVE I:N lo ::1 tcp 3306
RESTORE I:E</programlisting> RESTORE I:E</programlisting>
</refsect1> </refsect1>
<refsect1> <refsect1>