From 531800538da8aa6fb59393aa9c1e6d1358233f1e Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 18 Dec 2006 23:59:27 +0000 Subject: [PATCH] Shorewall 3.4 documentation updates git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5134 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/Actions.xml | 44 +++++-- docs/Documentation_Index.xml | 61 ++++----- docs/Macros.xml | 23 ++++ docs/Modularization.xml | 235 +++++++++++++++++++++++++++++++++++ 4 files changed, 325 insertions(+), 38 deletions(-) create mode 100644 docs/Modularization.xml diff --git a/docs/Actions.xml b/docs/Actions.xml index 06f3ec281..56ffebd09 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -113,6 +113,14 @@ ACCEPT - - tcp 135,139,445
+ Enabling the Use of Actions + + In Shorewall version 3.4 and later, to make use of any of the three + types of actions you must set the USE_ACTIONS option to Yes in + /etc/shorewall/shorewall.conf. +
+ +
Default Actions (Formerly Common Actions) Shorewall allows the association of a default @@ -140,17 +148,37 @@ ACCEPT - - tcp 135,139,445 - Shorewall provides default actions for the REJECT and DROP policies. - The default action for REJECT is named Reject and - the default action for DROP is named Drop. These - associations are made through two entries in - /usr/share/shorewall/actions.std: + If you are running Shorewall 3.2 or earlier, then: - Drop:DROP #Default Action for DROP policy +
+ Shorewall provides default actions for the REJECT and DROP + policies. The default action for REJECT is named + Reject and the default action for DROP is named + Drop. These associations are made through two + entries in /usr/share/shorewall/actions.std: + + Drop:DROP #Default Action for DROP policy Reject:REJECT #Default Action for REJECT policy - These may be overridden by entries in your /etc/shorewall/actions - file. + These may be overridden by entries in your /etc/shorewall/actions + file. +
+ + If you are running Shorewall 3.4 or later, then: + +
+ Shorewall supports default actions for the ACCEPT, REJECT, DROP + and QUEUE policies. These default actions are specified in the + /etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT, + REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT options respectively. + Policies whose default is set to a value of "none" have no default + action. + + In addition, the default specified in + /etc/shorewall/shorewall.conf may be overridden by specifying a + different default in the POLICY column of /etc/shorewall/policy. +
Entries in the DROP and REJECT default actions Limiting per-IPaddress Connection Rate - Shorewall Setup - Guide + Shorewall + Modularization @@ -206,7 +206,8 @@ Logging - SMB + Shorewall Setup + Guide @@ -215,8 +216,7 @@ Macros - Squid with - Shorewall + SMB @@ -226,9 +226,8 @@ MAC Verification - Starting/stopping the - Firewall + Squid with + Shorewall @@ -238,8 +237,9 @@ Multiple Internet Connections from a Single Firewall - Static (one-to-one) - NAT + Starting/stopping the + Firewall @@ -249,7 +249,8 @@ Multiple Zones Through One Interface - Support + Static (one-to-one) + NAT @@ -259,8 +260,7 @@ My Shorewall Configuration - Traffic - Accounting + Support @@ -270,8 +270,8 @@ Netfilter Overview - Traffic - Shaping/QOS + Traffic + Accounting @@ -280,8 +280,8 @@ Network Mapping - Troubleshooting + Traffic + Shaping/QOS @@ -290,7 +290,8 @@ One-to-one NAT (Static NAT) - UPnP + Troubleshooting @@ -299,8 +300,7 @@ OpenVPN - Upgrade - Issues + UPnP @@ -310,7 +310,8 @@ Operating Shorewall - VPN + Upgrade + Issues @@ -320,8 +321,7 @@ Packet Marking - White List - Creation + VPN @@ -331,8 +331,8 @@ Packet Processing in a Shorewall-based Firewall - Xen - Shorewall in a Bridged Xen - DomU + White List + Creation @@ -340,8 +340,8 @@ 'Ping' Management - Xen - Shorewall in Bridged Xen - Dom0 + Xen - Shorewall in a Bridged Xen + DomU @@ -350,8 +350,8 @@ Port Information - Xen - Shorewall in Routed - Xen Dom0 + Xen - Shorewall in Bridged Xen + Dom0 @@ -361,7 +361,8 @@ Port Knocking and Other Uses of the 'Recent Match' - + Xen - Shorewall in Routed + Xen Dom0 diff --git a/docs/Macros.xml b/docs/Macros.xml index c4ba45f78..1bc67131f 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml @@ -245,6 +245,29 @@ ACCEPT fw loc tcp 135,139,445
from actions cannot themselves invoke other actions.
+
+ Default Macros + + Beginning with Shorewall release 3.4, Shorewall supports + default macros; default macros perform the same + function as default actions. The DEFAULT_ACCEPT, + DEFAULT_REJECT, DEFAULT_DROP and DEFAULT_QUEUE options in + /etc/shorewall/shorewall.conf may specify the name of + a macro. In that case, the rules in the macro will be traversed before the + associated policy is applied. + + The value of the DEFAULT_... settings is interpreted as follows. If + USE_ACTIONS=Yes in shorewall.conf, then the value is treated like the name + of an action -- if that action is not found, then the value is treated + like the name of a macro. If USE_ACTIONS=No, then the value is treated + like the name of a macro. The special value "none" is always interpreted + as "no default rules should be applied". + + Shorewall versions 3.4 and later include standard 'Reject' and + 'Drop' macros that are equivalent to the 'Reject' and 'Drop' + actions. +
+
Defining your own Macros diff --git a/docs/Modularization.xml b/docs/Modularization.xml new file mode 100644 index 000000000..1196f6ff2 --- /dev/null +++ b/docs/Modularization.xml @@ -0,0 +1,235 @@ + + +
+ + + + Shorewall Modularization + + + + Tom + + Eastep + + + + + + + 2006 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Introduction + + One of the major changes in Shorewall version 3.4 involved breaking + much of the code into libraries. This + modularization is expected to be used primarily by embedded distributions + that wish to minimize the Shorewall disk and RAM footprint. + + Shorewall libraries are Bourne shell source files that contain + nothing but function declarations. Shorewall libraries may be loaded into + a running shell program using the shell's "." operator. The library files + have names which begin with "lib." and are installed in /usr/share/shorewall/. + + Individual libraries are of one of two classes. The first class of + libraries are required libraries which, as their + name implies, must be included in any Shorewall installation. The other + libraries are optional libraries that implement a + particular function. Each optional library may be included or omitted + based on the requirements of the individual installation. +
+ +
+ Required Libraries + + Shorewall 3.4 includes the following required libraries. + + + + lib.base — includes functions needed by all Shorewall + programs. + + + + lib.cli — includes functions common to both + /sbin/shorewall and + /sbin/shorewall-lite. + + + + lib.config — contains functions common to both + /sbin/shorewall and + /usr/share/shorewall/firewall. + + + + lib.base and lib.cli are installed in /usr/share/shorewall-lite/ on + Shorewall Lite systems. +
+ +
+ Optional Libraries + + Optional libraries are loaded upon demand based on the user's + configuration. + + In Shorewall 3.4, the optional librares are as follows. + + + + lib.accounting — required if the + /etc/shorewall/accounting file is + non-empty. + + + + lib.actions — required if USE_ACTIONS=Yes in + /etc/shorewall/shorewall.conf. + + + + lib.dynamiczones — required if DYNAMIC_ZONES=Yes in + /etc/shorewall/shorewall.conf. + + + + lib.maclist — required if the maclist option is specified in any + entry in /etc/shorewall/interfaces or + /etc/shorewall/hosts. + + + + lib.nat — required if the + /etc/shorewall/masq, + /etc/shorewall/nat or + /etc/shorewall/netmap files are non-empty or if + DNAT[-] rules are present in + /etc/shorewall/rules. + + + + lib.providers — required if the + /etc/shorewall/providers file is + non-empty. + + + + lib.proxyarp — required if the + /etc/shorewall/proxyarp file is non-empty or if + the proxyarp option is specified in + an entry in /etc/shorewall/interfaces. + + + + lib.tc — required if the + /etc/shorewall/tcdevices or + /etc/shorewall/tcclasses file is + non-empty. + + + + lib.tcrules — required if the + /etc/shorewall/tcrules file is non-empty. + + + + lib.tunnels — required if the + /etc/shorewall/tunnels file is + non-empty. + + + + As described, many of the libraries are required when one or more + configuration files are non-empty and embedded distribution providers are + encouraged to package each optional library together with its associated + configuration files. 
+ + + + + + + + Library + + Files + + + + lib.accounting + + /etc/shorewall/accounting + + + + lib.actions + + /etc/shorewall/actions + + + + lib.maclist + + /etc/shorewall/maclist + + + + lib.nat + + /etc/shorewall/masq, /etc/shorewall/nat, + /etc/shorewall/netmap + + + + lib.providers + + /etc/shorewall/route_rules, + /etc/shorewall/providers + + + + lib.proxyarp + + /etc/shorewall/proxyarp + + + + lib.tc + + /etc/shorewall/tcclasses, + /etc/shorewall/tcdevices + + + + lib.tcrules + + /etc/shorewall/tcrules + + + + lib.tunnels + + /etc/shorewall/tunnels + + + + +
+
\ No newline at end of file
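Review bot: In the docs/Actions.xml hunk at @@ -140,17 +148,37 @@, the new "Shorewall 3.4 or later" paragraph omits the USE_ACTIONS dependency that the first hunk of the same file introduces: it says the defaults are set with ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT, but does not say that these values are only treated as action names when USE_ACTIONS=Yes (the docs/Macros.xml hunk in this patch states that with USE_ACTIONS=No the value is treated as a macro name). Add one sentence here stating that, or cross-reference the "Default Macros" section, so a reader who leaves USE_ACTIONS at No understands why the named action is not found. The sentence "may be overridden by specifying a different default in the POLICY column of /etc/shorewall/policy" also names the column without showing the form of the entry; a one-line policy example would make it usable.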
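Review bot: The docs/Macros.xml hunk at @@ -245,6 +245,29 @@ names the shorewall.conf options DEFAULT_ACCEPT, DEFAULT_REJECT, DEFAULT_DROP and DEFAULT_QUEUE (and refers to "the DEFAULT_... settings"), while the docs/Actions.xml hunk in this same patch calls them ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT. One of the two spellings is wrong, and a user who copies the wrong one into shorewall.conf will get an option that is silently ignored and a policy with no default rules. Pick the spelling that matches shorewall.conf and use it in both files, including the "DEFAULT_..." shorthand.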
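Review bot: In the new docs/Modularization.xml, the "Optional Libraries" bullet list and the packaging table at the end of the section disagree and should be reconciled before this ships: the lib.maclist bullet says the library is required when the maclist option appears in /etc/shorewall/interfaces or /etc/shorewall/hosts, but the table pairs it with /etc/shorewall/maclist; the lib.providers table row adds /etc/shorewall/route_rules, which the bullet never mentions; and lib.dynamiczones appears in the list (keyed on DYNAMIC_ZONES=Yes) but has no table row, so say explicitly that it has no associated configuration file. Smaller points in the same file: "the optional librares are as follows" should read "libraries"; the sentence ending "its associated configuration files." carries a trailing non-breaking space; and the file lacks a newline at end of file (the "\ No newline at end of file" marker). Since the introduction states that the lib.* files are sourced into the running shell program with ".", it would also be worth one sentence telling packagers that these files must be installed with the same ownership and permissions as the rest of /usr/share/shorewall/, because anything written into them executes with the firewall script's privileges.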