More Blacklist and Secmark documentation updates

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-09-06 17:26:49 -07:00
parent f3255cd83a
commit 50b4bd8dfe
4 changed files with 34 additions and 10 deletions

View File

@ -1397,6 +1397,7 @@ sub process_secmark_rule() {
my $chain1= $chns{$chain};
fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && chain1 ne 'tcout';
if ( ( $state ||= '' ) ne '' ) {
my $state1;

View File

@ -167,6 +167,29 @@ ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
<para>Beginning with Shoreall 4.4.13, outgoing blacklisting is also
supported. The "blacklist" setting in <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
specifes whether an interface is an Internet-facing interface (value 1) or
an internal interface (value 2). Additionally, entries in
<filename>/etc/shorewall/blacklist</filename> can be specified as defining
the destination IP address rather than the source address.</para>
<itemizedlist>
<listitem>
<para>Traffic entering an Internet-facing interface is passed against
those blacklist entries that specify the source IP address. Traffic
originating on the firewall and leaving on an Interface-facing
interface is passed against the blacklist entries that specify the
destination IP address.</para>
</listitem>
<listitem>
<para>Traffic entering an internal interface is passed against those
blacklist entries that specify the destination IP address.</para>
</listitem>
</itemizedlist>
</section>
<section id="Dynamic">

View File

@ -337,7 +337,7 @@
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
# STATE PORT(S) PORT(S) GROUP
system_u:object_r:mysqld_t:s0 I:N lo 127.0.0.1 tcp 3306
system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306
SAVE I:N lo 127.0.0.1 tcp 3306
RESTORE I:E</programlisting>
</refsect1>

View File

@ -334,7 +334,7 @@
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
# STATE PORT(S) PORT(S) GROUP
system_u:object_r:mysqld_t:s0 I:N lo ::1 tcp 3306
system_u:object_r:mysqld_packet_t:s0 I:N lo ::1 tcp 3306
SAVE I:N lo ::1 tcp 3306
RESTORE I:E</programlisting>
</refsect1>