Update for Shorewall 2.2.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1745 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
1026b57442
commit
5a1b6dfeb3
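--- a/PATH_NOT_ON_PAGE-sample-interfaces
+++ b/PATH_NOT_ON_PAGE-sample-interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Sample Interface File For One Interface
+# Shorewall 2.2 -- Sample Interface File For One Interface
 #
 # /etc/shorewall/interfaces
 #
@@ -76,6 +76,14 @@
 # Check packets arriving on this interface
 # against the /etc/shorewall/blacklist
 # file.
+# logmartians
+# Turn on kernel martian logging (logging
+# of packets with impossible source
+# addresses. It is suggested that if you
+# set routefilter on an interface that
+# you also set logmartians. This option
+# may also be enabled globally in the
+# /etc/shorewall/shorewall.conf file.
 # maclist
 # Connection requests from this interface
 # are compared against the contents of
@@ -105,9 +113,19 @@
 # which are not part of an established connection
 # will be accepted from this interface, even if
 # NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf.
+# /etc/shorewall/shorewall.conf. In other
+# words, packets coming in on this interface
+# are processed as if NEWNOTSYN=Yes had been
+# specified in /etc/shorewall/shorewall.conf.
 #
 # This option has no effect if NEWNOTSYN=Yes
+#
+# It is the opinion of the author that
+# NEWNOTSYN=No creates more problems than
+# it solves and I recommend against using
+# that setting in shorewall.conf (hence
+# making the use of the 'newnotsyn'
+# interface option unnecessary).
 # routeback
 # If specified, indicates that Shorewall
 # should include rules that allow filtering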
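Review bot: The new logmartians text in the `@ -76,6 +76,14 @@` hunk says where the option can be enabled but not where the resulting log entries end up, which is the detail an operator needs when looking for spoofed-source traffic on this interface. As far as I know these messages are emitted by the kernel itself rather than by a Netfilter LOG rule, so they appear in the kernel log (dmesg/syslog) and not in the Shorewall log chain; worth confirming for 2.2 and then stating with a line such as `# Martian entries are written to the kernel log, not the Shorewall log.` The sentence pairing routefilter with logmartians would also read better if it said why: routefilter discards such packets without a trace, and logmartians is what makes those discards visible. Minor nit: the parenthesis opened in "(logging" on the second line of the option text is never closed.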
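--- a/PATH_NOT_ON_PAGE-sample-policy
+++ b/PATH_NOT_ON_PAGE-sample-policy
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Sample Policy File For One Interface
+# Shorewall 2.2 -- Sample Policy File For One Interface
 #
 # /etc/shorewall/policy
 #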
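--- a/PATH_NOT_ON_PAGE-sample-rules
+++ b/PATH_NOT_ON_PAGE-sample-rules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.0 - Sample Rules File For One Interface
+# Shorewall version 2.2 - Sample Rules File For One Interface
 #
 # /etc/shorewall/rules
 #
@@ -121,6 +121,10 @@
 # /etc/shorewall/zones, $FW to indicate the firewall
 # itself or "all"
 #
+# When "all" is used either in the SOURCE or DEST column
+# intra-zone traffic is not affected. You must add
+# separate rules to handle that traffic.
+#
 # Except when "all" is specified, the server may be
 # further restricted to a particular subnet, host or
 # interface by appending ":" and the subnet, host or
@@ -156,14 +160,20 @@
 # contain the port number on the firewall that the
 # request should be redirected to.
 #
-# PROTO Protocol - Must be "tcp", "udp", "icmp", a number or
-# "all".
+# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
+# a number, or "all". "ipp2p" requires ipp2p match
+# support in your kernel and iptables.
 #
 # DEST PORT(S) Destination Ports. A comma-separated list of Port
 # names (from /etc/services), port numbers or port
 # ranges; if the protocol is "icmp", this column is
 # interpreted as the destination icmp-type(s).
 #
+# If the protocol is ipp2p, this column is interpreted
+# as an ipp2p option without the leading "--" (example "bit"
+# for bit-torrent). If no port is given, "ipp2p" is
+# assumed.
+#
 # A port range is expressed as <low port>:<high port>.
 #
 # This column is ignored if PROTOCOL = all but must be
@@ -185,8 +195,8 @@
 # ranges.
 #
 # If you don't want to restrict client ports but need to
-# specify an ADDRESS in the next column, then place "-"
-# in this column.
+# specify an ORIGINAL DEST in the next column, then place
+# "-" in this column.
 #
 # If your kernel contains multiport match support, then
 # only a single Netfilter rule will be generated if in
@@ -213,14 +223,6 @@
 # destination address in the connection request does not
 # match any of the addresses listed.
 #
-# The address may optionally be followed by
-# a colon (":") and a second IP address. This causes
-# Shorewall to use the second IP address as the source
-# address in forwarded packets. See the Shorewall
-# documentation for restrictions concerning this feature.
-# If no source IP address is given, the original source
-# address is not altered.
-#
 # RATE LIMIT You may rate-limit the rule by placing a value in this column:
 #
 # <rate>/<interval>[:<burst>]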
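Review bot: The `@ -213,14 +223,6 @@` hunk removes the paragraph describing the optional `:<second address>` suffix in the address column without saying what replaced it, and the renamed ORIGINAL DEST wording in the `@ -185,8 +195,8 @@` hunk does not say whether that suffix is still accepted. If 2.2 still honours it, a reader of this sample can no longer tell that a colon in that column changes the source address of forwarded packets, which is exactly the kind of quiet rewrite someone reviewing a rules file should be able to recognise; if the feature was dropped or moved, a one-line note would keep 2.0-era rule lines from being carried over on the assumption that they still mean the same thing. I would add either `# A second address after ":" is no longer supported in this column.` or a pointer to the documentation section that now covers it, whichever is true for 2.2.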