Add 'log' option to DYNAMIC_BLACKLIST

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2020-06-03 13:50:00 -07:00
parent 4ac64a545c
commit 527533ecb6
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
3 changed files with 117 additions and 101 deletions

View File

@ -2651,6 +2651,7 @@ allow_command() {
if [ -n "$g_blacklistipset" ]; then if [ -n "$g_blacklistipset" ]; then
if qt $IPSET -D $g_blacklistipset $1; then if qt $IPSET -D $g_blacklistipset $1; then
allowed=Yes allowed=Yes
[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
fi fi
fi fi
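Review bot: the new message is only emitted when `qt $IPSET -D $g_blacklistipset $1` succeeds, so an `allow` for an address that was never in the set (or was already removed) leaves no trace in the system log even though the operator asked for it; if the point of the `log` option is an audit trail of operator actions, consider also logging the no-op case (e.g. "$1 not blacklisted") in an `else` branch, or documenting that only successful removals are logged.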
@ -2667,6 +2668,7 @@ allow_command() {
*) *)
if [ -n "$g_blacklistipset" ]; then if [ -n "$g_blacklistipset" ]; then
if qt $IPSET -D $g_blacklistipset $1; then if qt $IPSET -D $g_blacklistipset $1; then
[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
allowed=Yes allowed=Yes
fi fi
fi fi
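Review bot: the `mylogger` call is placed before `allowed=Yes` here but after it in the previous hunk of `allow_command`; the behaviour is identical, but keeping the same order in both branches (log after `allowed=Yes`, as in the first hunk) makes it easier to see at a glance that the two branches do the same thing.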
@ -3646,6 +3648,7 @@ blacklist_command() {
local message local message
progress_message2 "$1 Blacklisted" progress_message2 "$1 Blacklisted"
[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"
if [ -n "$g_disconnect" ]; then if [ -n "$g_disconnect" ]; then
message="$(conntrack -D -s $1 2>&1)" message="$(conntrack -D -s $1 2>&1)"
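Review bot: the "Blacklisted" message is logged before the optional `conntrack -D -s $1` runs, so when `g_disconnect` is set and the disconnect fails, the system log records a clean blacklisting while `$message` holds the error; consider moving the `mylogger` call after the disconnect block (or appending the outcome to the message) so the log entry reflects what actually happened. Note also that the facility/priority is hard-coded as `daemon.info` even though the DYNAMIC_BLACKLIST value already carries a `level` field; if that is intentional, the manpage entry should say so.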
@ -3900,7 +3903,7 @@ setup_dbl() {
case $DYNAMIC_BLACKLIST in case $DYNAMIC_BLACKLIST in
ipset*,src-dst*) ipset*,src-dst*)
# #
# This utility doesn't need to know about 'src-dst' # Capture 'src-dst'
# #
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//') DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
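Review bot: the comment now reads "Capture 'src-dst'", but the only visible line in this hunk still just strips the option with `sed 's/,src-dst//'`; if the intent is to record it in a `g_` variable the way the new `log` case sets `g_dbllog=Yes`, that assignment is outside the shown context and should be confirmed, otherwise the old comment ("This utility doesn't need to know about 'src-dst'") was the accurate one.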
@ -3908,6 +3911,17 @@ setup_dbl() {
;; ;;
esac esac
case $DYNAMIC_BLACKLIST in
ipset*,log*)
#
# Capture 'log'
#
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
g_dbllog=Yes
;;
esac
case $DYNAMIC_BLACKLIST in case $DYNAMIC_BLACKLIST in
ipset*,timeout*) ipset*,timeout*)
# #
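Review bot: the glob `ipset*,log*` matches any `,log` substring after `ipset`, not just the `log` keyword, so a future option beginning with those letters (say `,logging`) would be caught here and `sed 's/,log//'` would leave `ging` in the string; a tighter pattern such as `ipset*,log|ipset*,log,*` avoids that. The same unanchored style is used for `src-dst` and `timeout`, so this is consistent with existing code, but it is worth tightening while the option list is still short. Separately, `g_dbllog` is only set in `setup_dbl`, so the new `mylogger` calls in `allow_command`/`blacklist_command` rely on `setup_dbl` having run first on every path that reaches them; that ordering is not visible in this diff and should be checked.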
@ -4480,6 +4494,7 @@ shorewall_cli() {
g_havemutex= g_havemutex=
g_trace= g_trace=
g_dbltimeout= g_dbltimeout=
g_dbllog=
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1

View File

@ -6695,7 +6695,7 @@ sub get_configuration( $$$ ) {
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) { if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
if ( $val =~ /^ipset/ ) { if ( $val =~ /^ipset/ ) {
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 ); my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1 );
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 ); my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );

View File

@ -245,8 +245,8 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
is enabled (see <ulink is enabled (see <ulink
url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
If not specified or set to the empty value, ACCOUNTING=Yes is not specified or set to the empty value, ACCOUNTING=Yes is
assumed.</para> assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
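Review bot: this and most of the following hunks in this file are pure line-reflow changes (the same XML text rewrapped at a different column) with no relation to the `log` option named in the commit message; they make the meaningful documentation change (the new `log` varlistentry) hard to find in the diff. Consider committing editor reflows separately from functional changes.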
@ -271,8 +271,8 @@
<listitem> <listitem>
<para>This parameter determines whether Shorewall automatically adds <para>This parameter determines whether Shorewall automatically adds
the external address(es) in <ulink the external address(es) in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5), and is url="shorewall-nat.html">shorewall-nat</ulink>(5), and is only
only available in IPv4 configurations. If the variable is set to available in IPv4 configurations. If the variable is set to
<emphasis role="bold">Yes</emphasis> or <emphasis <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these role="bold">yes</emphasis> then Shorewall automatically adds these
aliases. If it is set to <emphasis role="bold">No</emphasis> or aliases. If it is set to <emphasis role="bold">No</emphasis> or
@ -300,8 +300,8 @@
<listitem> <listitem>
<para>This parameter determines whether Shorewall automatically adds <para>This parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in <ulink the SNAT ADDRESS in <ulink
url="shorewall-masq.html">shorewall-masq</ulink>(5), and url="shorewall-masq.html">shorewall-masq</ulink>(5), and is only
is only available in IPv4 configurations. If the variable is set to available in IPv4 configurations. If the variable is set to
<emphasis role="bold">Yes</emphasis> or <emphasis <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these role="bold">yes</emphasis> then Shorewall automatically adds these
addresses. If it is set to <emphasis role="bold">No</emphasis> or addresses. If it is set to <emphasis role="bold">No</emphasis> or
@ -445,8 +445,7 @@
<listitem> <listitem>
<para>Specify the appropriate helper in the HELPER column in <para>Specify the appropriate helper in the HELPER column in
<ulink <ulink url="shorewall-rules.html">shorewall-rules</ulink>
url="shorewall-rules.html">shorewall-rules</ulink>
(5).</para> (5).</para>
<note> <note>
@ -514,8 +513,8 @@
<para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
determines whether the <option>balance</option> provider option (see determines whether the <option>balance</option> provider option (see
<ulink <ulink
url="shorewall-providers.html">shorewall-providers(5)</ulink>) url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
is the default. When BALANCE_PROVIDERS=Yes, then the the default. When BALANCE_PROVIDERS=Yes, then the
<option>balance</option> option is assumed unless the <option>balance</option> option is assumed unless the
<option>fallback</option>, <option>loose</option>, <option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is <option>load</option> or <option>tproxy</option> option is
@ -531,8 +530,8 @@
<listitem> <listitem>
<para>Added in Shorewall-4.6.0. When set to <emphasis <para>Added in Shorewall-4.6.0. When set to <emphasis
role="bold">Yes</emphasis>, causes entries in <ulink role="bold">Yes</emphasis>, causes entries in <ulink
url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
to generate a basic filter rather than a u32 filter. This setting generate a basic filter rather than a u32 filter. This setting
requires the <firstterm>Basic Ematch</firstterm> capability in your requires the <firstterm>Basic Ematch</firstterm> capability in your
kernel and iptables.</para> kernel and iptables.</para>
@ -589,8 +588,7 @@
<para>The BLACKLIST_DISPOSITION setting determines the disposition <para>The BLACKLIST_DISPOSITION setting determines the disposition
of packets sent to the <emphasis role="bold">blacklog</emphasis> of packets sent to the <emphasis role="bold">blacklog</emphasis>
target of <ulink target of <ulink url="shorewall-blrules.html">shorewall-blrules
url="shorewall-blrules.html">shorewall-blrules
</ulink>(5), but otherwise does not affect entries in that </ulink>(5), but otherwise does not affect entries in that
file.</para> file.</para>
</listitem> </listitem>
@ -652,8 +650,8 @@
not supply an /etc/shorewall/tcstart file. That way, your traffic not supply an /etc/shorewall/tcstart file. That way, your traffic
shaping rules can still use the “fwmark” classifier based on packet shaping rules can still use the “fwmark” classifier based on packet
marking defined in <ulink marking defined in <ulink
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
If not specified, CLEAR_TC=Yes is assumed.</para> specified, CLEAR_TC=Yes is assumed.</para>
<warning> <warning>
<para>When you specify TC_ENABLED=shared (see below), then you <para>When you specify TC_ENABLED=shared (see below), then you
@ -943,6 +941,16 @@
</important> </important>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>log</term>
<listitem>
<para>Added in Shorewall 5.2.5. When specified, successful
'blacklist' and 'allow' commands will log a message to the
system log.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>When ipset-based dynamic blacklisting is enabled, the contents <para>When ipset-based dynamic blacklisting is enabled, the contents
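Review bot: the new entry says only that a message is logged to "the system log"; from the code in this commit the reader cannot know that the message goes to `daemon.info` via `logger`, that its text is of the form "<product>: <address> Allowed" / "<address> Blacklisted", or that it is emitted only when the ipset update actually succeeded. Stating those three things here (and that `log` takes no argument, unlike `timeout`) would let an operator write a matching syslog filter without reading lib.cli.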
@ -1159,12 +1167,11 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<para>Subzones are defined by following their name with ":" and a <para>Subzones are defined by following their name with ":" and a
list of parent zones (in <ulink list of parent zones (in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5)). url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
Normally, you want to have a set of special rules for the subzone you want to have a set of special rules for the subzone and if a
and if a connection doesn't match any of those subzone-specific connection doesn't match any of those subzone-specific rules then
rules then you want the parent zone rules and policies to be you want the parent zone rules and policies to be applied; see
applied; see <ulink <ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
With IMPLICIT_CONTINUE=Yes, that happens automatically.</para> With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@ -1182,10 +1189,10 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<listitem> <listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
INVALID packets through the NEW section of <ulink INVALID packets through the NEW section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5). url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
When a packet in INVALID state fails to match any rule in the packet in INVALID state fails to match any rule in the INVALID
INVALID section, the packet is disposed of based on this setting. section, the packet is disposed of based on this setting. The
The default value is CONTINUE for compatibility with earlier default value is CONTINUE for compatibility with earlier
versions.</para> versions.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1197,9 +1204,9 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<listitem> <listitem>
<para>Added in Shorewall 4.5.13. Packets in the INVALID state that <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
do not match any rule in the INVALID section of <ulink do not match any rule in the INVALID section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5) are url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
logged at this level. The default value is empty which means no this level. The default value is empty which means no logging is
logging is performed.</para> performed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1482,8 +1489,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
sample configurations use this as the default log level and changing sample configurations use this as the default log level and changing
it will change all packet logging done by the configuration. In any it will change all packet logging done by the configuration. In any
configuration file (except <ulink configuration file (except <ulink
url="shorewall-params.html">shorewall-params(5)</ulink>), url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
$LOG_LEVEL will expand to this value.</para> will expand to this value.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1635,8 +1642,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<note> <note>
<para>The setting of LOGFORMAT has an effect of the permitted <para>The setting of LOGFORMAT has an effect of the permitted
length of zone names. See <ulink length of zone names. See <ulink
url="shorewall-zones.html">shorewall-zones</ulink> url="shorewall-zones.html">shorewall-zones</ulink> (5).</para>
(5).</para>
</note> </note>
<caution> <caution>
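Review bot: "has an effect of the permitted length of zone names" should read "has an effect on the permitted length of zone names"; the reflow carries the pre-existing wording over unchanged, so this is a good moment to fix it.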
@ -1793,8 +1799,8 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>The performance of configurations with a large numbers of <para>The performance of configurations with a large numbers of
entries in <ulink entries in <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5) url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
can be improved by setting the MACLIST_TTL variable in <ulink improved by setting the MACLIST_TTL variable in <ulink
url="shorewall.conf.html">shorewall[6].conf</ulink>(5).</para> url="shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>
<para>If your iptables and kernel support the "Recent Match" (see <para>If your iptables and kernel support the "Recent Match" (see
@ -1804,15 +1810,14 @@ LOG:info:,bar net fw</programlisting>
<para>When a new connection arrives from a 'maclist' interface, the <para>When a new connection arrives from a 'maclist' interface, the
packet passes through then list of entries for that interface in packet passes through then list of entries for that interface in
<ulink <ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). there is a match then the source IP address is added to the 'Recent'
If there is a match then the source IP address is added to the set for that interface. Subsequent connection attempts from that IP
'Recent' set for that interface. Subsequent connection attempts from address occurring within $MACLIST_TTL seconds will be accepted
that IP address occurring within $MACLIST_TTL seconds will be without having to scan all of the entries. After $MACLIST_TTL from
accepted without having to scan all of the entries. After the first accepted connection request from an IP address, the next
$MACLIST_TTL from the first accepted connection request from an IP connection request from that IP address will be checked against the
address, the next connection request from that IP address will be entire list.</para>
checked against the entire list.</para>
<para>If MACLIST_TTL is not specified or is specified as empty (e.g, <para>If MACLIST_TTL is not specified or is specified as empty (e.g,
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
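Review bot: two pre-existing defects survive the reflow in this hunk: "passes through then list of entries" should be "passes through the list of entries", and the parenthesis opened at "(e.g, MACLIST_TTL="" or is specified as zero" is never closed (and "e.g," wants a second period). Since the lines are being rewritten anyway, fixing both here costs nothing.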
@ -2386,13 +2391,12 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
<listitem> <listitem>
<para>Added in Shorewall 4.4.27. Shorewall has traditionally <para>Added in Shorewall 4.4.27. Shorewall has traditionally
ACCEPTed RELATED packets that don't match any rule in the RELATED ACCEPTed RELATED packets that don't match any rule in the RELATED
section of <ulink section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
url="shorewall-rules.html">shorewall-rules</ulink> (5). (5). Concern about the safety of this practice resulted in the
Concern about the safety of this practice resulted in the addition addition of this option. When a packet in RELATED state fails to
of this option. When a packet in RELATED state fails to match any match any rule in the RELATED section, the packet is disposed of
rule in the RELATED section, the packet is disposed of based on this based on this setting. The default value is ACCEPT for compatibility
setting. The default value is ACCEPT for compatibility with earlier with earlier versions.</para>
versions.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2403,9 +2407,9 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
<listitem> <listitem>
<para>Added in Shorewall 4.4.27. Packets in the related state that <para>Added in Shorewall 4.4.27. Packets in the related state that
do not match any rule in the RELATED section of <ulink do not match any rule in the RELATED section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5) are url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
logged at this level. The default value is empty which means no this level. The default value is empty which means no logging is
logging is performed.</para> performed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2506,8 +2510,7 @@ INLINE - - - ;; -j REJECT
<para>Added in Shorewall 4.4.10. The default is No. If set to Yes, <para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
at least one optional interface must be up in order for the firewall at least one optional interface must be up in order for the firewall
to be in the started state. Intended to be used with the <ulink to be in the started state. Intended to be used with the <ulink
url="shorewall-init.html">Shorewall Init url="shorewall-init.html">Shorewall Init Package</ulink>.</para>
Package</ulink>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2593,18 +2596,17 @@ INLINE - - - ;; -j REJECT
<para>During <emphasis role="bold">shorewall star</emphasis>t, IP <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5) and url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
<ulink url="shorewall-masq.html">shorewall-masq</ulink>(5) url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
are processed then are re-added later. This is done to help ensure then are re-added later. This is done to help ensure that the
that the addresses can be added with the specified labels but can addresses can be added with the specified labels but can have the
have the undesirable side effect of causing routes to be quietly undesirable side effect of causing routes to be quietly deleted.
deleted. When RETAIN_ALIASES is set to Yes, existing addresses will When RETAIN_ALIASES is set to Yes, existing addresses will not be
not be deleted. Regardless of the setting of RETAIN_ALIASES, deleted. Regardless of the setting of RETAIN_ALIASES, addresses
addresses added during <emphasis role="bold">shorewall added during <emphasis role="bold">shorewall start</emphasis> are
start</emphasis> are still deleted at a subsequent <emphasis still deleted at a subsequent <emphasis role="bold">shorewall
role="bold">shorewall [stop</emphasis>, <emphasis [stop</emphasis>, <emphasis role="bold">shorewall reload</emphasis>
role="bold">shorewall reload</emphasis> or <emphasis or <emphasis role="bold">shorewall restart</emphasis>.</para>
role="bold">shorewall restart</emphasis>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
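Review bot: the reflow preserves two pre-existing markup errors worth fixing in the same pass: "<emphasis role="bold">shorewall star</emphasis>t" closes the emphasis one character early (it should be "shorewall start</emphasis>"), and "<emphasis role="bold">shorewall [stop</emphasis>" contains a stray "[" before "stop".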
@ -2708,9 +2710,9 @@ INLINE - - - ;; -j REJECT
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. Determines the disposition of <para>Added in Shorewall 4.4.20. Determines the disposition of
packets matching the <option>sfilter</option> option (see <ulink packets matching the <option>sfilter</option> option (see <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
and of <firstterm>hairpin</firstterm> packets on interfaces without of <firstterm>hairpin</firstterm> packets on interfaces without the
the <option>routeback</option> option.<footnote> <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the <para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para> same interface that they arrived on.</para>
</footnote></para> </footnote></para>
@ -2724,9 +2726,9 @@ INLINE - - - ;; -j REJECT
<listitem> <listitem>
<para>Added on Shorewall 4.4.20. Determines the logging of packets <para>Added on Shorewall 4.4.20. Determines the logging of packets
matching the <option>sfilter</option> option (see <ulink matching the <option>sfilter</option> option (see <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
and of <firstterm>hairpin</firstterm> packets on interfaces without of <firstterm>hairpin</firstterm> packets on interfaces without the
the <option>routeback</option> option.<footnote> <option>routeback</option> option.<footnote>
<para>Hairpin packets are packets that are routed out of the <para>Hairpin packets are packets that are routed out of the
same interface that they arrived on.</para> same interface that they arrived on.</para>
</footnote> The default is <option>info</option>. If you don't </footnote> The default is <option>info</option>. If you don't
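Review bot: "Added on Shorewall 4.4.20" should be "Added in Shorewall 4.4.20", matching the phrasing used by every other entry in this file.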
@ -2754,9 +2756,9 @@ INLINE - - - ;; -j REJECT
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. The default setting is DROP which <para>Added in Shorewall 4.4.20. The default setting is DROP which
causes smurf packets (see the nosmurfs option in <ulink causes smurf packets (see the nosmurfs option in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
to be dropped. A_DROP causes the packets to be audited prior to be dropped. A_DROP causes the packets to be audited prior to being
being dropped and requires AUDIT_TARGET support in the kernel and dropped and requires AUDIT_TARGET support in the kernel and
iptables.</para> iptables.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2768,8 +2770,8 @@ INLINE - - - ;; -j REJECT
<listitem> <listitem>
<para>Specifies the logging level for smurf packets (see the <para>Specifies the logging level for smurf packets (see the
nosmurfs option in <ulink nosmurfs option in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
logged.</para> logged.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2871,8 +2873,7 @@ INLINE - - - ;; -j REJECT
<para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later), <para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
simple traffic shaping using <ulink simple traffic shaping using <ulink
url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5) url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
and <ulink and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
enabled.</para> enabled.</para>
<para>If you set TC_ENABLED=Internal or internal or leave the option <para>If you set TC_ENABLED=Internal or internal or leave the option
@ -2936,10 +2937,10 @@ INLINE - - - ;; -j REJECT
<para>Determines the disposition of TCP packets that fail the checks <para>Determines the disposition of TCP packets that fail the checks
enabled by the <emphasis role="bold">tcpflags</emphasis> interface enabled by the <emphasis role="bold">tcpflags</emphasis> interface
option (see <ulink option (see <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
and must have a value of ACCEPT (accept the packet), REJECT (send an must have a value of ACCEPT (accept the packet), REJECT (send an RST
RST response) or DROP (ignore the packet). If not set or if set to response) or DROP (ignore the packet). If not set or if set to the
the empty value (e.g., TCP_FLAGS_DISPOSITION="") then empty value (e.g., TCP_FLAGS_DISPOSITION="") then
TCP_FLAGS_DISPOSITION=DROP is assumed.</para> TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
@ -2968,8 +2969,8 @@ INLINE - - - ;; -j REJECT
<para>Added in Shorewall 4.4.3. When set to Yes, causes the <para>Added in Shorewall 4.4.3. When set to Yes, causes the
<option>track</option> option to be assumed on all providers defined <option>track</option> option to be assumed on all providers defined
in <ulink in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5). url="shorewall-providers.html">shorewall-providers</ulink>(5). May
May be overridden on an individual provider through use of the be overridden on an individual provider through use of the
<option>notrack</option> option. The default value is 'No'.</para> <option>notrack</option> option. The default value is 'No'.</para>
<para>Beginning in Shorewall 4.4.6, setting this option to 'Yes' <para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@ -3023,10 +3024,10 @@ INLINE - - - ;; -j REJECT
<listitem> <listitem>
<para>Added in Shorewall 4.5.13. Shorewall has traditionally passed <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
UNTRACKED packets through the NEW section of <ulink UNTRACKED packets through the NEW section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5). url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
When a packet in UNTRACKED state fails to match any rule in the packet in UNTRACKED state fails to match any rule in the UNTRACKED
UNTRACKED section, the packet is disposed of based on this setting. section, the packet is disposed of based on this setting. The
The default value is CONTINUE for compatibility with earlier default value is CONTINUE for compatibility with earlier
versions.</para> versions.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -3038,9 +3039,9 @@ INLINE - - - ;; -j REJECT
<listitem> <listitem>
<para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
do not match any rule in the UNTRACKED section of <ulink do not match any rule in the UNTRACKED section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5) are url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
logged at this level. The default value is empty which means no this level. The default value is empty which means no logging is
logging is performed.</para> performed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -3062,8 +3063,8 @@ INLINE - - - ;; -j REJECT
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>Both the DUPLICATE and the COPY columns in <ulink <para>Both the DUPLICATE and the COPY columns in <ulink
url="shorewall-providers.html">providers</ulink>(5) url="shorewall-providers.html">providers</ulink>(5) file must
file must remain empty (or contain "-").</para> remain empty (or contain "-").</para>
</listitem> </listitem>
<listitem> <listitem>
@ -3083,9 +3084,9 @@ INLINE - - - ;; -j REJECT
<listitem> <listitem>
<para>Packets are sent through the main routing table by a rule <para>Packets are sent through the main routing table by a rule
with priority 999. In <ulink with priority 999. In <ulink
url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5), url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5), the
the range 1-998 may be used for inserting rules that bypass the range 1-998 may be used for inserting rules that bypass the main
main table.</para> table.</para>
</listitem> </listitem>
<listitem> <listitem>