Support a richer SOURCE and DEST syntax
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
6c8dae45c4
commit
5ea3334a66
@ -7602,7 +7602,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
# Returns the destination interface specified in the rule, if any.
|
# Returns the destination interface specified in the rule, if any.
|
||||||
#
|
#
|
||||||
sub expand_rule( $$$$$$$$$$$$;$ )
|
sub expand_rule1( $$$$$$$$$$$$;$ )
|
||||||
{
|
{
|
||||||
my ($chainref , # Chain
|
my ($chainref , # Chain
|
||||||
$restriction, # Determines what to do with interface names in the SOURCE or DEST
|
$restriction, # Determines what to do with interface names in the SOURCE or DEST
|
||||||
@ -7619,8 +7619,6 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
|||||||
$logname, # Name of chain to name in log messages
|
$logname, # Name of chain to name in log messages
|
||||||
) = @_;
|
) = @_;
|
||||||
|
|
||||||
return if $chainref->{complete};
|
|
||||||
|
|
||||||
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
|
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
|
||||||
( '', '', '', '', '', '', '', '', '', '' );
|
( '', '', '', '', '', '', '', '', '', '' );
|
||||||
my $chain = $actparams{chain} || $chainref->{name};
|
my $chain = $actparams{chain} || $chainref->{name};
|
||||||
@ -7855,6 +7853,78 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
|||||||
$diface;
|
$diface;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub expand_rule( $$$$$$$$$$$$;$$$ )
|
||||||
|
{
|
||||||
|
my ($chainref , # Chain
|
||||||
|
$restriction, # Determines what to do with interface names in the SOURCE or DEST
|
||||||
|
$prerule, # Matches that go at the front of the rule
|
||||||
|
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
|
||||||
|
$source, # SOURCE
|
||||||
|
$dest, # DEST
|
||||||
|
$origdest, # ORIGINAL DEST
|
||||||
|
$target, # Target ('-j' part of the rule - may be empty)
|
||||||
|
$loglevel , # Log level (and tag)
|
||||||
|
$disposition, # Primtive part of the target (RETURN, ACCEPT, ...)
|
||||||
|
$exceptionrule,# Caller's matches used in exclusion case
|
||||||
|
$usergenerated,# Rule came from the IP[6]TABLES target
|
||||||
|
$logname, # Name of chain to name in log messages
|
||||||
|
$device, # TC Device Name
|
||||||
|
$classid, # TC Class Id
|
||||||
|
) = @_;
|
||||||
|
|
||||||
|
return if $chainref->{complete};
|
||||||
|
|
||||||
|
my ( @source, @dest );
|
||||||
|
|
||||||
|
$source = '' unless defined $source;
|
||||||
|
$dest = '' unless defined $dest;
|
||||||
|
|
||||||
|
if ( $source =~ /\(.+\)/ ) {
|
||||||
|
@source = split_list3( $source, 'SOURCE' );
|
||||||
|
} else {
|
||||||
|
@source = ( $source );
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $dest =~ /\(.+\)/ ) {
|
||||||
|
@dest = split_list3( $dest, 'DEST' );
|
||||||
|
} else {
|
||||||
|
@dest = ( $dest );
|
||||||
|
}
|
||||||
|
|
||||||
|
for $source ( @source ) {
|
||||||
|
if ( $source =~ /^(.+?):\((.+)\)$/ ) {
|
||||||
|
$source = join( ':', $1, $2 );
|
||||||
|
} elsif ( $source =~ /^\((.+)\)$/ ) {
|
||||||
|
$source = $1;
|
||||||
|
}
|
||||||
|
|
||||||
|
for $dest ( @dest ) {
|
||||||
|
if ( $dest =~ /^(.+?):\((.+)\)$/ ) {
|
||||||
|
$dest = join( ':', $1, $2 );
|
||||||
|
} elsif ( $dest =~ /^\((.+)\)$/ ) {
|
||||||
|
$dest = $1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ( my $result = expand_rule1( $chainref ,
|
||||||
|
$restriction ,
|
||||||
|
$prerule ,
|
||||||
|
$rule ,
|
||||||
|
$source ,
|
||||||
|
$dest ,
|
||||||
|
$origdest ,
|
||||||
|
$target ,
|
||||||
|
$loglevel ,
|
||||||
|
$disposition ,
|
||||||
|
$exceptionrule ,
|
||||||
|
$usergenerated ,
|
||||||
|
$logname ,
|
||||||
|
) ) && $device ) {
|
||||||
|
fatal_error "Class Id $classid is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Returns true if the passed interface is associated with exactly one zone
|
# Returns true if the passed interface is associated with exactly one zone
|
||||||
#
|
#
|
||||||
|
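Review bot: The new expand_rule wrapper silently discards what expand_rule1 returns: its last statement is the nested `for` loop, so the "Returns the destination interface specified in the rule, if any" comment that still heads expand_rule1 no longer holds for expand_rule, and a caller that tests the result the way process_mangle_rule1 did before this commit would now always see an empty result. If no caller outside this commit still relies on it, say so in a header comment, e.g. `# Expands $source/$dest (each may be a parenthesised list) into every source/dest pair and calls expand_rule1() for each; returns nothing -- the TC class-id/device check is done here when $device is given.`; otherwise keep the last `$result` in a variable declared before the loops and `return` it after them. Separately, the paren handling is duplicated verbatim for `$source` and `$dest` (the `/^(.+?):\((.+)\)$/` join and the `/^\((.+)\)$/` unwrap), which would read better as one small helper applied to both lists before the loops. Whether split_list3 copes with a parenthesised entry that itself contains an exclusion, such as `net:(10.0.0.0/8!10.1.0.0/16)`, is not visible from this hunk.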
@ -2718,8 +2718,6 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
# For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them
|
# For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them
|
||||||
#
|
#
|
||||||
$source =~ s/[()]//g;
|
|
||||||
$dest =~ s/[()]//g;
|
|
||||||
|
|
||||||
if ( $actiontype == MACRO ) {
|
if ( $actiontype == MACRO ) {
|
||||||
#
|
#
|
||||||
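Review bot: The comment kept at the top of this hunk, "For now, we'll just strip the parens from the SOURCE and DEST. In a later release, we might be able to do something more with them", describes exactly the two substitutions this hunk removes, so it is stale the moment the change lands. Replace it with a pointer to where parentheses are handled now, e.g. `# Parentheses in SOURCE and DEST are no longer stripped here; expand_rule() splits a parenthesised list into its individual source/dest specs.` The body of process_rule begins and ends outside this hunk.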
@ -3847,7 +3845,11 @@ sub process_raw_rule ( ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for $source ( @source ) {
|
for $source ( @source ) {
|
||||||
|
$source = join(':', $1, $2 ) if $source =~ /^(.+?):\((.+)\)$/;
|
||||||
|
|
||||||
for $dest ( @dest ) {
|
for $dest ( @dest ) {
|
||||||
|
$dest = join( ':', $1, $2 ) if $dest =~ /^(.+?):\((.+)\)$/;
|
||||||
|
|
||||||
process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
|
process_raw_rule1( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
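Review bot: The added normalisation in process_raw_rule only unwraps the `zone:(...)` form; the bare `(...)` form that expand_rule accepts in this same commit (`elsif ( $source =~ /^\((.+)\)$/ )`) is left untouched here, so a SOURCE or DEST written as `(1.2.3.4,1.2.3.5)` reaches process_raw_rule1 with its parentheses intact unless something downstream removes them. If that form is meant to be valid in the raw file, mirror the second branch, e.g. `$source = $1 if $source =~ /^\((.+)\)$/;` after the existing join (and likewise for `$dest`); if it is not, a one-line comment saying the zone prefix is mandatory in raw rules would stop the next reader from wondering. The start of process_raw_rule, where @source and @dest are built, is outside this hunk.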
@ -4936,37 +4938,35 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
|
|
||||||
$restriction |= $chainref->{restriction};
|
$restriction |= $chainref->{restriction};
|
||||||
|
|
||||||
if ( ( my $result = expand_rule( $chainref ,
|
expand_rule( $chainref ,
|
||||||
$restriction,
|
$restriction,
|
||||||
$prerule,
|
$prerule,
|
||||||
do_proto( $proto, $ports, $sports) . $matches .
|
do_proto( $proto, $ports, $sports) . $matches .
|
||||||
do_user( $user ) .
|
do_user( $user ) .
|
||||||
do_test( $testval, $globals{TC_MASK} ) .
|
do_test( $testval, $globals{TC_MASK} ) .
|
||||||
do_length( $length ) .
|
do_length( $length ) .
|
||||||
do_tos( $tos ) .
|
do_tos( $tos ) .
|
||||||
do_connbytes( $connbytes ) .
|
do_connbytes( $connbytes ) .
|
||||||
do_helper( $helper ) .
|
do_helper( $helper ) .
|
||||||
do_headers( $headers ) .
|
do_headers( $headers ) .
|
||||||
do_probability( $probability ) .
|
do_probability( $probability ) .
|
||||||
do_dscp( $dscp ) .
|
do_dscp( $dscp ) .
|
||||||
state_match( $state ) .
|
state_match( $state ) .
|
||||||
do_time( $time ) .
|
do_time( $time ) .
|
||||||
( $ttl ? "-t $ttl " : '' ) .
|
( $ttl ? "-t $ttl " : '' ) .
|
||||||
$raw_matches ,
|
$raw_matches ,
|
||||||
$source ,
|
$source ,
|
||||||
$dest ,
|
$dest ,
|
||||||
'' ,
|
'' ,
|
||||||
$target,
|
$target,
|
||||||
'' ,
|
'' ,
|
||||||
$target ,
|
$target ,
|
||||||
$exceptionrule ,
|
$exceptionrule ,
|
||||||
$usergenerated ) )
|
$usergenerated ,
|
||||||
&& $device ) {
|
'' , # Log Name
|
||||||
#
|
$device ,
|
||||||
# expand_rule() returns destination device if any
|
$params
|
||||||
#
|
);
|
||||||
fatal_error "Class Id $params is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
progress_message " Mangle Rule \"$currentline\" $done";
|
progress_message " Mangle Rule \"$currentline\" $done";
|
||||||
|
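Review bot: The call now passes `$params` positionally as expand_rule's new last argument with nothing saying what it is, immediately after an argument that does get a trailing comment (`'' , # Log Name`); since expand_rule reads it as the TC class id compared against `$device`, give it the same treatment, `$params , # Class Id (checked against $device by expand_rule)`. The removed `# expand_rule() returns destination device if any` comment was the only place the device check was explained on the caller side, so the trailing comment also keeps that knowledge here now that the result of the call is no longer inspected. process_mangle_rule1 begins before this hunk.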
@ -900,108 +900,185 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE</emphasis> -
|
<term><emphasis role="bold">SOURCE -
|
||||||
{<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
|
<replaceable>source-spec</replaceable>[,...]</emphasis></term>
|
||||||
role="bold">all</emphasis>|<emphasis
|
|
||||||
role="bold">any</emphasis>}[<emphasis
|
|
||||||
role="bold">+</emphasis>][<emphasis
|
|
||||||
role="bold">-</emphasis>]}<emphasis
|
|
||||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
|
||||||
role="bold">:</emphasis>[(]{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
|
|
||||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}[)][,...]</term>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Source hosts to which the rule applies. May be a
|
<para>Source hosts to which the rule applies.</para>
|
||||||
<replaceable>zone</replaceable> declared in /etc/shorewall/zones,
|
|
||||||
<emphasis role="bold">$FW</emphasis> to indicate the firewall
|
|
||||||
itself, <emphasis role="bold">all</emphasis>, <emphasis
|
|
||||||
role="bold">all+</emphasis>, <emphasis role="bold">all-</emphasis>,
|
|
||||||
<emphasis role="bold">all+-</emphasis> or <emphasis
|
|
||||||
role="bold">none</emphasis>.</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
<para><replaceable>source-spec</replaceable> is one of the
|
||||||
<replaceable>zone-list </replaceable>which consists of a
|
following:</para>
|
||||||
comma-separated list of zones declared in <ulink
|
|
||||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
|
|
||||||
This <replaceable>zone-list</replaceable> may be optionally followed
|
|
||||||
by "+" to indicate that the rule is to apply to intra-zone traffic
|
|
||||||
as well as inter-zone traffic.</para>
|
|
||||||
|
|
||||||
<para>When <emphasis role="bold">none</emphasis> is used either in
|
<variablelist>
|
||||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
<varlistentry>
|
||||||
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
<term><emphasis
|
||||||
|
role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
|
||||||
|
|
||||||
<para><emphasis role="bold">all</emphasis> means "All Zones",
|
<listitem>
|
||||||
including the firewall itself. <emphasis role="bold">all-</emphasis>
|
<para>The name of a zone defined in <ulink
|
||||||
means "All Zones, except the firewall itself". When <emphasis
|
url="shorewall-zones.html">shorewall-zones</ulink>(5). When
|
||||||
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
|
only the zone name is specified, the packet source may be any
|
||||||
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
host in that zone.</para>
|
||||||
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
|
||||||
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
|
||||||
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
|
||||||
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
|
||||||
<ulink
|
|
||||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
|
||||||
|
|
||||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
<para>zone may also be one of the following:</para>
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
|
||||||
<emphasis role="bold">any</emphasis>[<emphasis
|
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
|
||||||
specified, clients may be further restricted to a list of networks
|
|
||||||
and/or hosts by appending ":" and a comma-separated list of network
|
|
||||||
and/or host addresses. Hosts may be specified by IP or MAC address;
|
|
||||||
mac addresses must begin with "~" and must use "-" as a
|
|
||||||
separator.</para>
|
|
||||||
|
|
||||||
<para>The above restriction on <emphasis
|
<variablelist>
|
||||||
role="bold">all</emphasis>[<emphasis
|
<varlistentry>
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] and
|
<term>all[+][-]</term>
|
||||||
<emphasis role="bold">any</emphasis>[<emphasis
|
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
|
||||||
removed in Shorewall-4.4.13.</para>
|
|
||||||
|
|
||||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
<listitem>
|
||||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
<para><emphasis role="bold">all</emphasis>, without the
|
||||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
"-" means "All Zones, including the firewall zone". If
|
||||||
only refers to top-level zones (those with no parent zones). Note
|
the "-" is included, the firewall zone is omitted.
|
||||||
that <emphasis role="bold">any</emphasis> excludes all vserver
|
Normally all omits intra-zone traffic, but intra-zone
|
||||||
zones, since those zones are nested within the firewall zone.
|
traffic can be included specifying "+".</para>
|
||||||
Beginning with Shorewall 4.4.13, exclusion is supported with
|
</listitem>
|
||||||
<emphasis role="bold">any</emphasis> -- see see <ulink
|
</varlistentry>
|
||||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
|
||||||
|
|
||||||
<para>Hosts may also be specified as an IP address range using the
|
<varlistentry>
|
||||||
syntax
|
<term>any[+][-]</term>
|
||||||
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
|
||||||
This requires that your kernel and iptables contain iprange match
|
|
||||||
support. If your kernel and iptables have ipset match support then
|
|
||||||
you may give the name of an ipset prefaced by "+". The ipset name
|
|
||||||
may be optionally followed by a number from 1 to 6 enclosed in
|
|
||||||
square brackets ([]) to indicate the number of levels of source
|
|
||||||
bindings to be matched.</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
<listitem>
|
||||||
firewall interface can be specified by an ampersand ('&')
|
<para><emphasis role="bold">any</emphasis> is equivalent
|
||||||
followed by the logical name of the interface as found in the
|
to <emphasis role="bold">all</emphasis> when there are
|
||||||
INTERFACE column of <ulink
|
no nested zones. When there are nested zones, <emphasis
|
||||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
role="bold">any</emphasis> only refers to top-level
|
||||||
(5).</para>
|
zones (those with no parent zones). Note that <emphasis
|
||||||
|
role="bold">any</emphasis> excludes all vserver zones,
|
||||||
|
since those zones are nested within the firewall
|
||||||
|
zone.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.4, A
|
<varlistentry>
|
||||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
<term>none</term>
|
||||||
countrycode-list is a comma-separated list of up to 15 two-character
|
|
||||||
ISO-3661 country codes enclosed in square brackets ('[...]') and
|
|
||||||
preceded by a caret ('^'). When a single country code is given, the
|
|
||||||
square brackets may be omitted. A list of country codes supported by
|
|
||||||
Shorewall may be found at <ulink
|
|
||||||
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
|
||||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
|
||||||
Kernel.</para>
|
|
||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<listitem>
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
<para>When <emphasis role="bold">none</emphasis> is used
|
||||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
either in the <emphasis role="bold">SOURCE</emphasis> or
|
||||||
|
<emphasis role="bold">DEST</emphasis> column, the rule
|
||||||
|
is ignored.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>Similar to with <emphasis role="bold">all</emphasis> and
|
||||||
|
<emphasis role="bold">any</emphasis>, intra-zone traffic is
|
||||||
|
normally excluded when multiple zones are listed. Intra-zone
|
||||||
|
traffic may be included by following the list with a plus sign
|
||||||
|
("+").</para>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">all</emphasis> and <emphasis
|
||||||
|
role="bold">any</emphasis> may be followed by an exclamation
|
||||||
|
point ("!") and a comma-separated list of zone names to be
|
||||||
|
omitted.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When this form is used,
|
||||||
|
<replaceable>interface</replaceable> must be the name of an
|
||||||
|
interface associated with the named
|
||||||
|
<replaceable>zone</replaceable> in either <ulink
|
||||||
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||||
|
or <ulink
|
||||||
|
url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
|
||||||
|
packets from hosts in the <replaceable>zone</replaceable> that
|
||||||
|
arrive through the named interface will match the rule.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>where address can be:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>A host or network IP address. A network address may
|
||||||
|
be followed by exclusion (see <ulink
|
||||||
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>An address range, specified using the syntax
|
||||||
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>+<replaceable>ipset</replaceable> where
|
||||||
|
<replaceable>ipset</replaceable> is the name of an ipset
|
||||||
|
and must be preceded by a plus sign ("+").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>A MAC address in Shorewall format (preceded by a
|
||||||
|
tilde ("~") and with the hex byte values separated by
|
||||||
|
dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>^<replaceable>country-code</replaceable> where
|
||||||
|
country-code is a two-character ISO-3661 country code
|
||||||
|
preceded by a caret ("^").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>^<replaceable>country-code-list</replaceable> where
|
||||||
|
<replaceable>country-code-list</replaceable> is a
|
||||||
|
comma-separated list of up to 15 ISO-3661 country codes
|
||||||
|
enclosed in square brackets ("[...]").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The primary IP address of a firewall interface can
|
||||||
|
be specified by an ampersand ('&') followed by the
|
||||||
|
logical name of the interface as found in the INTERFACE
|
||||||
|
column of <ulink
|
||||||
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||||
|
(5).</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>zone:interface:address[,...]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This form combines the preceding two and requires that
|
||||||
|
both the incoming interface and source address match.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This form matches if the host IP address does not match
|
||||||
|
any of the entries in the exclusion (see <ulink
|
||||||
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 5.1.0, multiple
|
||||||
|
<replaceable>source-spec</replaceable>s may be listed, provided that
|
||||||
|
extended forms of the source-spec are used:</para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
|
||||||
|
|
||||||
|
<para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
|
||||||
|
|
||||||
|
<para>zone:(interface:address[,...])</para>
|
||||||
|
|
||||||
|
<para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
<para>Examples:</para>
|
<para>Examples:</para>
|
||||||
|
|
||||||
@ -1070,8 +1147,8 @@
|
|||||||
<term>$FW:&eth0</term>
|
<term>$FW:&eth0</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The primary IP address of eth0 in the firewall zone
|
<para>The primary IP address of eth0 in the firewall
|
||||||
(Shorewall 4.4.17 and later).</para>
|
zone.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1092,24 +1169,23 @@
|
|||||||
zone.</para>
|
zone.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 5.1.0, multiple
|
|
||||||
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
|
|
||||||
tupples can be listed, separated by commas. Where the
|
|
||||||
<replaceable>address-list</replaceable> consists of more than a
|
|
||||||
single address, the list must be enclosed in parentheses.</para>
|
|
||||||
|
|
||||||
<para>Example:</para>
|
|
||||||
|
|
||||||
<variablelist>
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>dmz:(192.168.2.2,192.168.2.3),net:(206.124.146.22,155.186.235.0/24!155.186.235.16/28)</term>
|
<term>net:^CN</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Hosts 192.168.2.2 and 192.168.2.3 in the dmz zone, host
|
<para>China.</para>
|
||||||
206.124.146.22 in the dmz zone and network 155.186.235.0/24 in
|
</listitem>
|
||||||
the net zone excluding 155.186.235.16/28.</para>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
|
||||||
|
packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
|
||||||
|
in the dmz zone when the packet arrives through eth2 plus all
|
||||||
|
of the net zone.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
@ -1117,87 +1193,223 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST</emphasis> -
|
<term><emphasis role="bold">DEST -
|
||||||
{<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
|
<replaceable>dest-spec</replaceable>[,...]</emphasis></term>
|
||||||
role="bold">all</emphasis>|<emphasis
|
|
||||||
role="bold">any</emphasis>}[<emphasis
|
|
||||||
role="bold">+</emphasis>][<emphasis
|
|
||||||
role="bold">-</emphasis>]}<emphasis
|
|
||||||
role="bold">[:{</emphasis><emphasis>interface</emphasis>|[(]<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>][)]|[(]<emphasis>exclusion</emphasis>[)]|<emphasis
|
|
||||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
|
|
||||||
role="bold">random</emphasis>]]</term>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Location of Server. May be a zone declared in <ulink
|
<para>Destination hosts to which the rule applies.</para>
|
||||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
|
|
||||||
$<emphasis role="bold">FW</emphasis> to indicate the firewall
|
|
||||||
itself, <emphasis role="bold">all</emphasis>. <emphasis
|
|
||||||
role="bold">all+</emphasis> or <emphasis
|
|
||||||
role="bold">none</emphasis>.</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
<para><replaceable>dest-spec</replaceable> is one of the
|
||||||
<replaceable>zone-list </replaceable>which consists of a
|
following:</para>
|
||||||
comma-separated list of zones declared in <ulink
|
|
||||||
url="/manpages/shorewall-zones.html">shorewall-zones</ulink> (5).
|
|
||||||
This <replaceable>zone-list</replaceable> may be optionally followed
|
|
||||||
by "+" to indicate that the rule is to apply to intra-zone traffic
|
|
||||||
as well as inter-zone traffic.</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.4, A
|
<variablelist>
|
||||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
<varlistentry>
|
||||||
countrycode-list is a comma-separated list of up to 15 two-character
|
<term><emphasis
|
||||||
ISO-3661 country codes enclosed in square brackets ('[...]') and
|
role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
|
||||||
preceded by a caret ('^'). When a single country code is given, the
|
|
||||||
square brackets may be omitted. A list of country codes supported by
|
|
||||||
Shorewall may be found at <ulink
|
|
||||||
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
|
||||||
<firstterm>GeoIP Match</firstterm> support in your iptables and
|
|
||||||
Kernel.</para>
|
|
||||||
|
|
||||||
<para>When <emphasis role="bold">none</emphasis> is used either in
|
<listitem>
|
||||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
<para>The name of a zone defined in <ulink
|
||||||
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
url="shorewall-zones.html">shorewall-zones</ulink>(5). When
|
||||||
|
only the zone name is specified, the packet destination may be
|
||||||
|
any host in that zone.</para>
|
||||||
|
|
||||||
<para><emphasis role="bold">all</emphasis> means "All Zones",
|
<para>zone may also be one of the following:</para>
|
||||||
including the firewall itself. <emphasis role="bold">all-</emphasis>
|
|
||||||
means "All Zones, except the firewall itself". When <emphasis
|
|
||||||
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
|
|
||||||
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
|
||||||
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
|
||||||
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
|
||||||
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
|
||||||
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
|
||||||
<ulink
|
|
||||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
|
||||||
|
|
||||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
<variablelist>
|
||||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
<varlistentry>
|
||||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
<term>all[+][-]</term>
|
||||||
only refers to top-level zones (those with no parent zones). Note
|
|
||||||
that <emphasis role="bold">any</emphasis> excludes all vserver
|
|
||||||
zones, since those zones are nested within the firewall zone.</para>
|
|
||||||
|
|
||||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
<listitem>
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
<para><emphasis role="bold">all</emphasis>, without the
|
||||||
<emphasis role="bold">any</emphasis>[<emphasis
|
"-" means "All Zones, including the firewall zone". If
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
the "-" is included, the firewall zone is omitted.
|
||||||
specified, clients may be further restricted to a list of networks
|
Normally all omits intra-zone traffic, but intra-zone
|
||||||
and/or hosts by appending ":" and a comma-separated list of network
|
traffic can be included specifying "+".</para>
|
||||||
and/or host addresses. Hosts may be specified by IP or MAC address;
|
</listitem>
|
||||||
mac addresses must begin with "~" and must use "-" as a
|
</varlistentry>
|
||||||
separator.</para>
|
|
||||||
|
|
||||||
<para>When <emphasis role="bold">all</emphasis> is used either in
|
<varlistentry>
|
||||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
<term>any[+][-]</term>
|
||||||
role="bold">DEST</emphasis> column intra-zone traffic is not
|
|
||||||
affected. When <emphasis role="bold">all+</emphasis> is used,
|
|
||||||
intra-zone traffic is affected. Beginning with Shorewall 4.4.13,
|
|
||||||
exclusion is supported -- see see <ulink
|
|
||||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
|
||||||
|
|
||||||
<para>The <replaceable>zone</replaceable> should be omitted in
|
<listitem>
|
||||||
DNAT-, REDIRECT- and NONAT rules.</para>
|
<para><emphasis role="bold">any</emphasis> is equivalent
|
||||||
|
to <emphasis role="bold">all</emphasis> when there are
|
||||||
|
no nested zones. When there are nested zones, <emphasis
|
||||||
|
role="bold">any</emphasis> only refers to top-level
|
||||||
|
zones (those with no parent zones). Note that <emphasis
|
||||||
|
role="bold">any</emphasis> excludes all vserver zones,
|
||||||
|
since those zones are nested within the firewall
|
||||||
|
zone.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>none</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When <emphasis role="bold">none</emphasis> is used
|
||||||
|
either in the <emphasis role="bold">SOURCE</emphasis> or
|
||||||
|
<emphasis role="bold">DEST</emphasis> column, the rule
|
||||||
|
is ignored.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>Similar to with <emphasis role="bold">all</emphasis> and
|
||||||
|
<emphasis role="bold">any</emphasis>, intra-zone traffic is
|
||||||
|
normally excluded when multiple zones are listed. Intra-zone
|
||||||
|
traffic may be included by following the list with a plus sign
|
||||||
|
("+").</para>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">all</emphasis> and <emphasis
|
||||||
|
role="bold">any</emphasis> may be followed by an exclamation
|
||||||
|
point ("!") and a comma-separated list of zone names to be
|
||||||
|
omitted.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When this form is used,
|
||||||
|
<replaceable>interface</replaceable> must be the name of an
|
||||||
|
interface associated with the named
|
||||||
|
<replaceable>zone</replaceable> in either <ulink
|
||||||
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
||||||
|
or <ulink
|
||||||
|
url="shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
|
||||||
|
packets to hosts in the <replaceable>zone</replaceable> that
|
||||||
|
are sent through the named interface will match the
|
||||||
|
rule.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>where address can be:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>A host or network IP address. A network address may
|
||||||
|
be followed by exclusion (see <ulink
|
||||||
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>An address range, specified using the syntax
|
||||||
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>+<replaceable>ipset</replaceable> where
|
||||||
|
<replaceable>ipset</replaceable> is the name of an ipset
|
||||||
|
and must be preceded by a plus sign ("+").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>^<replaceable>country-code</replaceable> where
|
||||||
|
country-code is a two-character ISO-3661 country code
|
||||||
|
preceded by a caret ("^").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>^<replaceable>country-code-list</replaceable> where
|
||||||
|
<replaceable>country-code-list</replaceable> is a
|
||||||
|
comma-separated list of up to 15 ISO-3661 country codes
|
||||||
|
enclosed in square brackets ("[...]").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The primary IP address of a firewall interface can
|
||||||
|
be specified by an ampersand ('&') followed by the
|
||||||
|
logical name of the interface as found in the INTERFACE
|
||||||
|
column of <ulink
|
||||||
|
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||||
|
(5).</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>zone:interface:address[,...]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This form combines the preceding two and requires that
|
||||||
|
both the outgoing interface and destinationaddress
|
||||||
|
match.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This form matches if the host IP address does not match
|
||||||
|
any of the entries in the exclusion (see <ulink
|
||||||
|
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This form applies when the ACTION is DNAT[-] or
|
||||||
|
REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
|
||||||
|
assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
|
||||||
|
rules.</para>
|
||||||
|
|
||||||
|
<para><replaceable role="bold">server-IP</replaceable> is not
|
||||||
|
allowed in REDIRECT rules and may be omitted in DNAT[-] rules
|
||||||
|
provided that <replaceable>port-or-port-range</replaceable> is
|
||||||
|
included.</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>The IP address of the server to which the packet is
|
||||||
|
to be sent.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>A range of IP address with the low and high address
|
||||||
|
separated by a dash (:"-"). Connections are distributed
|
||||||
|
among the IP addresses in the range.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>If <replaceable>server-IP </replaceable>is omitted in a
|
||||||
|
DNAT[-] rule, only the destination port number is modified by
|
||||||
|
the rule.</para>
|
||||||
|
|
||||||
|
<para>port-or-port-range may be:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>An integer port number in the range 1 -
|
||||||
|
65535.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The name of a service from
|
||||||
|
<filename>/etc/services</filename>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>A port range with the low and high integer port
|
||||||
|
numbers separated by a dash ("-"). Connections are
|
||||||
|
distributed among the ports in the range.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>If <emphasis role="bold">random</emphasis> is specified,
|
||||||
|
port mapping will be randomized.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
<para>If the DEST <replaceable>zone</replaceable> is a bport zone,
|
<para>If the DEST <replaceable>zone</replaceable> is a bport zone,
|
||||||
then either:<orderedlist numeration="loweralpha">
|
then either:<orderedlist numeration="loweralpha">
|
||||||
@ -1214,89 +1426,132 @@
|
|||||||
<para>the SOURCE <replaceable>zone</replaceable> must be an
|
<para>the SOURCE <replaceable>zone</replaceable> must be an
|
||||||
ipv4 zone that is associated with only the same bridge.</para>
|
ipv4 zone that is associated with only the same bridge.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist></para>
|
</orderedlist>Beginning with Shorewall 5.1.0, multiple
|
||||||
|
<replaceable>dest-spec</replaceable>s may be listed, provided that
|
||||||
|
extended forms of the source-spec are used:</para>
|
||||||
|
|
||||||
<para>Except when <emphasis
|
<blockquote>
|
||||||
role="bold">{all|any}</emphasis>[<emphasis
|
<para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
|
||||||
role="bold">+]|[-</emphasis>] is specified, the server may be
|
|
||||||
further restricted to a particular network, host or interface by
|
|
||||||
appending ":" and the network, host or interface. See <emphasis
|
|
||||||
role="bold">SOURCE</emphasis> above.</para>
|
|
||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
|
||||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
|
||||||
|
|
||||||
<para>Restriction: MAC addresses are not allowed (this is a
|
<para>zone:(interface:address[,...])</para>
|
||||||
Netfilter restriction).</para>
|
|
||||||
|
|
||||||
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
|
<para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
|
||||||
you may specify a range of IP addresses using the syntax
|
</blockquote>
|
||||||
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
|
||||||
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
||||||
role="bold">DNAT</emphasis> or <emphasis
|
|
||||||
role="bold">DNAT-</emphasis>, the connections will be assigned to
|
|
||||||
addresses in the range in a round-robin fashion.</para>
|
|
||||||
|
|
||||||
<para>If your kernel and iptables have ipset match support then you
|
<para>Multiple <replaceable>dest-spec</replaceable>s are not
|
||||||
may give the name of an ipset prefaced by "+". The ipset name may be
|
permitted in DNAT[-] and REDIRECT[-] rules.</para>
|
||||||
optionally followed by a number from 1 to 6 enclosed in square
|
|
||||||
brackets ([]) to indicate the number of levels of destination
|
|
||||||
bindings to be matched. Only one of the <emphasis
|
|
||||||
role="bold">SOURCE</emphasis> and <emphasis
|
|
||||||
role="bold">DEST</emphasis> columns may specify an ipset
|
|
||||||
name.</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.17, the primary IP address of a
|
<para>Examples:</para>
|
||||||
firewall interface can be specified by an ampersand ('&')
|
|
||||||
followed by the logical name of the interface as found in the
|
|
||||||
INTERFACE column of <ulink
|
|
||||||
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
|
||||||
(5).</para>
|
|
||||||
|
|
||||||
<para>The <replaceable>port</replaceable> that the server is
|
|
||||||
listening on may be included and separated from the server's IP
|
|
||||||
address by ":". If omitted, the firewall will not modify the
|
|
||||||
destination port. A destination port may only be included if the
|
|
||||||
<emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
||||||
role="bold">DNAT</emphasis> or <emphasis
|
|
||||||
role="bold">REDIRECT</emphasis>.</para>
|
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>Example:</term>
|
<term>dmz:192.168.2.2</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
|
<para>Host 192.168.2.2 in the DMZ</para>
|
||||||
specifies a local server at IP address 192.168.1.3 and
|
</listitem>
|
||||||
listening on port 3128.</para>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>net:155.186.235.0/24</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Subnet 155.186.235.0/24 on the Internet</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>loc:192.168.1.1,192.168.1.2</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Hosts 192.168.1.1 and 192.168.1.2 in the local
|
||||||
|
zone.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>net:192.0.2.11-192.0.2.17</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>net:!192.0.2.11-192.0.2.17</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>All hosts in the net zone except for
|
||||||
|
192.0.2.11-192.0.2.17.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>net:155.186.235.0/24!155.186.235.16/28</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Subnet 155.186.235.0/24 on the Internet except for
|
||||||
|
155.186.235.16/28</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>$FW:&eth0</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The primary IP address of eth0 in the firewall
|
||||||
|
zone.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>loc,dmz</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Both the <emphasis role="bold">loc</emphasis> and
|
||||||
|
<emphasis role="bold">dmz</emphasis> zones.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>all!dmz</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>All but the <emphasis role="bold">dmz</emphasis>
|
||||||
|
zone.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>net:^CN</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>China.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>dmz:192.168.10.4:25</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Port 25 on server 192.168.10.4 in the dmz zone (DNAT
|
||||||
|
rule).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>loc:(eth1:1.2.3.4,2.3.4.5),dmz:(eth2:5.6.7.8,9.10.11.12),net</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Hosts 1.2.3.4 and 2.3.4.5 in the loc zone when the
|
||||||
|
packet arrives through eth1 plus hosts 5.6.7.8 and 9.10.11.12
|
||||||
|
in the dmz zone when the packet arrives through eth2 plus all
|
||||||
|
of the net zone.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>The <emphasis>port</emphasis> may be specified as a service
|
|
||||||
name. You may specify a port range in the form
|
|
||||||
<emphasis>lowport-highport</emphasis> to cause connections to be
|
|
||||||
assigned to ports in the range in round-robin fashion. When a port
|
|
||||||
range is specified, <emphasis>lowport</emphasis> and
|
|
||||||
<emphasis>highport</emphasis> must be given as integers; service
|
|
||||||
names are not permitted. Additionally, the port range may be
|
|
||||||
optionally followed by <emphasis role="bold">:random</emphasis>
|
|
||||||
which causes assignment to ports in the list to be random.</para>
|
|
||||||
|
|
||||||
<para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
||||||
role="bold">REDIRECT</emphasis> or <emphasis
|
|
||||||
role="bold">REDIRECT-</emphasis>, this column needs only to contain
|
|
||||||
the port number on the firewall that the request should be
|
|
||||||
redirected to. That is equivalent to specifying
|
|
||||||
<option>$FW</option>::<replaceable>port</replaceable>.</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 5.1.0, multiple
|
|
||||||
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
|
|
||||||
tupples can be listed, separated by commas. Where the
|
|
||||||
<replaceable>address-list</replaceable> consists of more than a
|
|
||||||
single address, the list must be enclosed in parentheses. See the
|
|
||||||
example in the SOURCE section above.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -822,8 +822,8 @@
|
|||||||
|
|
||||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||||
<emphasis>action</emphasis> declared in <ulink
|
<emphasis>action</emphasis> declared in <ulink
|
||||||
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
|
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
|
||||||
or in /usr/share/shorewall/actions.std then:</para>
|
/usr/share/shorewall/actions.std then:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -861,100 +861,187 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE</emphasis> -
|
<term><emphasis role="bold">SOURCE -
|
||||||
{<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|<emphasis
|
<replaceable>source-spec</replaceable>[,...]</emphasis></term>
|
||||||
role="bold">{all|any}</emphasis>[<emphasis
|
|
||||||
role="bold">+</emphasis>][<emphasis
|
|
||||||
role="bold">-</emphasis>]}<emphasis
|
|
||||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][(][<emphasis
|
|
||||||
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
|
||||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}[)][,...]</term>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Source hosts to which the rule applies. May be a zone declared
|
<para>Source hosts to which the rule applies.</para>
|
||||||
in /etc/shorewall6/zones, <emphasis role="bold">$FW</emphasis> to
|
|
||||||
indicate the firewall itself, <emphasis role="bold">all</emphasis>,
|
|
||||||
<emphasis role="bold">all+</emphasis>, <emphasis
|
|
||||||
role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
|
|
||||||
or <emphasis role="bold">none</emphasis>.</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
<para><replaceable>source-spec</replaceable> is one of the
|
||||||
<replaceable>zone-list </replaceable>which consists of a
|
following:</para>
|
||||||
comma-separated list of zones declared in <ulink
|
|
||||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
|
|
||||||
This <replaceable>zone-list</replaceable> may be optionally followed
|
|
||||||
by "+" to indicate that the rule is to apply to intra-zone traffic
|
|
||||||
as well as inter-zone traffic.</para>
|
|
||||||
|
|
||||||
<para>When <emphasis role="bold">none</emphasis> is used either in
|
<variablelist>
|
||||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
<varlistentry>
|
||||||
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
<term><emphasis
|
||||||
|
role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
|
||||||
|
|
||||||
<para><emphasis role="bold">all</emphasis> means "All Zones",
|
<listitem>
|
||||||
including the firewall itself. <emphasis role="bold">all-</emphasis>
|
<para>The name of a zone defined in <ulink
|
||||||
means "All Zones, except the firewall itself". When <emphasis
|
url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
|
||||||
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
|
only the zone name is specified, the packet source may be any
|
||||||
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
host in that zone.</para>
|
||||||
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
|
||||||
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
|
||||||
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
|
||||||
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
|
||||||
<ulink
|
|
||||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
|
||||||
|
|
||||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
<para>zone may also be one of the following:</para>
|
||||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
|
||||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
|
||||||
only refers to top-level zones (those with no parent zones). Note
|
|
||||||
that <emphasis role="bold">any</emphasis> excludes all vserver
|
|
||||||
zones, since those zones are nested within the firewall zone.</para>
|
|
||||||
|
|
||||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
<variablelist>
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
<varlistentry>
|
||||||
<emphasis role="bold">any</emphasis>[<emphasis
|
<term>all[+][-]</term>
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
|
||||||
specified, clients may be further restricted to a list of networks
|
|
||||||
and/or hosts by appending ":" and a comma-separated list of network
|
|
||||||
and/or host addresses. Hosts may be specified by IP or MAC address;
|
|
||||||
mac addresses must begin with "~" and must use "-" as a
|
|
||||||
separator.</para>
|
|
||||||
|
|
||||||
<para>Hosts may also be specified as an IP address range using the
|
<listitem>
|
||||||
syntax
|
<para><emphasis role="bold">all</emphasis>, without the
|
||||||
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
"-" means "All Zones, including the firewall zone". If
|
||||||
This requires that your kernel and ip6tables contain iprange match
|
the "-" is included, the firewall zone is omitted.
|
||||||
support. If your kernel and ip6tables have ipset match support then
|
Normally all omits intra-zone traffic, but intra-zone
|
||||||
you may give the name of an ipset prefaced by "+". The ipset name
|
traffic can be included specifying "+".</para>
|
||||||
may be optionally followed by a number from 1 to 6 enclosed in
|
</listitem>
|
||||||
square brackets ([]) to indicate the number of levels of source
|
</varlistentry>
|
||||||
bindings to be matched.</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
|
<varlistentry>
|
||||||
firewall interface can be specified by an ampersand ('&')
|
<term>any[+][-]</term>
|
||||||
followed by the logical name of the interface as found in the
|
|
||||||
INTERFACE column of <ulink
|
|
||||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
|
||||||
(5).</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.4, A
|
<listitem>
|
||||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
<para><emphasis role="bold">any</emphasis> is equivalent
|
||||||
countrycode-list is a comma-separated list of up to 15 two-character
|
to <emphasis role="bold">all</emphasis> when there are
|
||||||
ISO-3661 country codes enclosed in square brackets ('[...]') and
|
no nested zones. When there are nested zones, <emphasis
|
||||||
preceded by a caret ('^'). When a single country code is given, the
|
role="bold">any</emphasis> only refers to top-level
|
||||||
square brackets may be omitted. A list of country codes supported by
|
zones (those with no parent zones). Note that <emphasis
|
||||||
Shorewall may be found at <ulink
|
role="bold">any</emphasis> excludes all vserver zones,
|
||||||
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
since those zones are nested within the firewall
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
zone.</para>
|
||||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
</listitem>
|
||||||
Kernel.</para>
|
</varlistentry>
|
||||||
|
|
||||||
<para>When an <replaceable>interface</replaceable> is not specified,
|
<varlistentry>
|
||||||
you may omit the angled brackets ('<' and '>') around the
|
<term>none</term>
|
||||||
address(es) or you may supply them to improve readability.</para>
|
|
||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<listitem>
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
<para>When <emphasis role="bold">none</emphasis> is used
|
||||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
either in the <emphasis role="bold">SOURCE</emphasis> or
|
||||||
|
<emphasis role="bold">DEST</emphasis> column, the rule
|
||||||
|
is ignored.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>Similar to with <emphasis role="bold">all</emphasis> and
|
||||||
|
<emphasis role="bold">any</emphasis>, intra-zone traffic is
|
||||||
|
normally excluded when multiple zones are listed. Intra-zone
|
||||||
|
traffic may be included by following the list with a plus sign
|
||||||
|
("+").</para>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">all</emphasis> and <emphasis
|
||||||
|
role="bold">any</emphasis> may be followed by an exclamation
|
||||||
|
point ("!") and a comma-separated list of zone names to be
|
||||||
|
omitted.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When this form is used,
|
||||||
|
<replaceable>interface</replaceable> must be the name of an
|
||||||
|
interface associated with the named
|
||||||
|
<replaceable>zone</replaceable> in either <ulink
|
||||||
|
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
|
or <ulink
|
||||||
|
url="shorewall6.hosts.html">shorewall6-hosts</ulink>(5). Only
|
||||||
|
packets from hosts in the <replaceable>zone</replaceable> that
|
||||||
|
arrive through the named interface will match the rule.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>where address can be:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>A host or network IP address. IPv6 ddresses must
|
||||||
|
follow the standard convention and be enclosed in square
|
||||||
|
brackets (e.g., [2001:470:b:227::0]/64). A network address
|
||||||
|
may be followed by exclusion (see <ulink
|
||||||
|
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>An address range, specified using the syntax
|
||||||
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>+<replaceable>ipset</replaceable> where
|
||||||
|
<replaceable>ipset</replaceable> is the name of an ipset
|
||||||
|
and must be preceded by a plus sign ("+").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>A MAC address in Shorewall format (preceded by a
|
||||||
|
tilde ("~") and with the hex byte values separated by
|
||||||
|
dashes (e.g., "~00-0a-f6-04-9c-7d").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>^<replaceable>country-code</replaceable> where
|
||||||
|
country-code is a two-character ISO-3661 country code
|
||||||
|
preceded by a caret ("^").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>^<replaceable>country-code-list</replaceable> where
|
||||||
|
<replaceable>country-code-list</replaceable> is a
|
||||||
|
comma-separated list of up to 15 ISO-3661 country codes
|
||||||
|
enclosed in square brackets ("[...]").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The primary IP address of a firewall interface can
|
||||||
|
be specified by an ampersand ('&') followed by the
|
||||||
|
logical name of the interface as found in the INTERFACE
|
||||||
|
column of <ulink
|
||||||
|
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||||
|
(5).</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>zone:interface:address[,...]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This form combines the preceding two and requires that
|
||||||
|
both the incoming interface and source address match.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This form matches if the host IP address does not match
|
||||||
|
any of the entries in the exclusion (see <ulink
|
||||||
|
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 5.1.0, multiple
|
||||||
|
<replaceable>source-spec</replaceable>s may be listed, provided that
|
||||||
|
extended forms of the source-spec are used:</para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
|
||||||
|
|
||||||
|
<para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
|
||||||
|
|
||||||
|
<para>zone:(interface:address[,...])</para>
|
||||||
|
|
||||||
|
<para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
<para>Examples:</para>
|
<para>Examples:</para>
|
||||||
|
|
||||||
@ -1011,108 +1098,229 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>Alternatively, clients may be specified by interface by
|
|
||||||
appending ":" to the zone name followed by the interface name. For
|
|
||||||
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
|
|
||||||
client that communicates with the firewall system through eth1. This
|
|
||||||
may be optionally followed by another colon (":") and an
|
|
||||||
IP/MAC/subnet address as described above (e.g., <emphasis
|
|
||||||
role="bold">loc:eth1:<2002:ce7c::92b4:1::2></emphasis>).</para>
|
|
||||||
|
|
||||||
<para>Examples:</para>
|
|
||||||
|
|
||||||
<variablelist>
|
|
||||||
<varlistentry>
|
|
||||||
<term>loc:eth1:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
|
|
||||||
Local zone, with <emphasis role="bold">both</emphasis>
|
|
||||||
originating from eth1</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 5.1.0, multiple
|
|
||||||
<replaceable>zone</replaceable>:[<replaceable>interface</replaceable>:](<replaceable>address-list</replaceable>)
|
|
||||||
tupples can be listed, separated by commas. Where the
|
|
||||||
<replaceable>address-list</replaceable> consists of more than a
|
|
||||||
single address, the list must be enclosed in parentheses.</para>
|
|
||||||
|
|
||||||
<para>Example:</para>
|
|
||||||
|
|
||||||
<variablelist>
|
|
||||||
<varlistentry>
|
|
||||||
<term>dmz:([2002:c37c:92b4:1::2],[2002:c37c:92b4:1::3]),loc:eth1:([2002:cec792b4:1::2],[2002:cec792b4:1::44])</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Hosts 2002:c37c:92b4:1::2 and 2002:c37c:92b4:1::3 in the
|
|
||||||
dmz zone and hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44
|
|
||||||
in the loc zone via interface eth1</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold"><emphasis role="bold">DEST</emphasis> -
|
<term><emphasis role="bold">DEST -
|
||||||
{<emphasis>zone|zone-list</emphasis>[+]|<emphasis
|
<replaceable>dest-spec</replaceable>[,...]</emphasis></term>
|
||||||
role="bold">all</emphasis>[<emphasis
|
|
||||||
role="bold">+</emphasis>][<emphasis
|
|
||||||
role="bold">-</emphasis>]}<emphasis
|
|
||||||
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
|
||||||
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
|
||||||
role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}[<option>:</option><replaceable>port</replaceable>[:<emphasis
|
|
||||||
role="bold">random</emphasis>]]</emphasis></term>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Location of Server. May be a zone declared in <ulink
|
<para>Destination hosts to which the rule applies.</para>
|
||||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5),
|
|
||||||
$<emphasis role="bold">FW</emphasis> to indicate the firewall
|
|
||||||
itself, <emphasis role="bold">all</emphasis>. <emphasis
|
|
||||||
role="bold">all+</emphasis> or <emphasis
|
|
||||||
role="bold">none</emphasis>.</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.13, you may use a
|
<para><replaceable>dest-spec</replaceable> is one of the
|
||||||
<replaceable>zone-list </replaceable>which consists of a
|
following:</para>
|
||||||
comma-separated list of zones declared in <ulink
|
|
||||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink> (5).
|
|
||||||
Ths <replaceable>zone-list</replaceable> may be optionally followed
|
|
||||||
by "+" to indicate that the rule is to apply to intra-zone traffic
|
|
||||||
as well as inter-zone traffic. Beginning with Shorewall-4.4.13,
|
|
||||||
exclusion is supported -- see see <ulink
|
|
||||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall6 4.4.17, the primary IP address of a
|
<variablelist>
|
||||||
firewall interface can be specified by an ampersand ('&')
|
<varlistentry>
|
||||||
followed by the logical name of the interface as found in the
|
<term><emphasis
|
||||||
INTERFACE column of <ulink
|
role="bold"><replaceable>zone</replaceable>[,...[+]]</emphasis></term>
|
||||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
|
||||||
(5).</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.4, A
|
<listitem>
|
||||||
<replaceable>countrycode-list</replaceable> may be specified. A
|
<para>The name of a zone defined in <ulink
|
||||||
countrycode-list is a comma-separated list of up to 15 two-character
|
url="shorewall6-zones.html">shorewall6-zones</ulink>(5). When
|
||||||
ISO-3661 country codes enclosed in square brackets ('[...]') and
|
only the zone name is specified, the packet destination may be
|
||||||
preceded by a caret ('^'). When a single country code is given, the
|
any host in that zone.</para>
|
||||||
square brackets may be omitted. A list of country codes supported by
|
|
||||||
Shorewall may be found at <ulink
|
|
||||||
url="/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
|
|
||||||
Specifying a <replaceable>countrycode-list</replaceable> requires
|
|
||||||
<firstterm>GeoIP Match</firstterm> support in your ip6tables and
|
|
||||||
Kernel.</para>
|
|
||||||
|
|
||||||
<para>When <emphasis role="bold">none</emphasis> is used either in
|
<para>zone may also be one of the following:</para>
|
||||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
||||||
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
|
||||||
|
|
||||||
<para>When <emphasis role="bold">all</emphasis> is used either in
|
<variablelist>
|
||||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
<varlistentry>
|
||||||
role="bold">DEST</emphasis> column intra-zone traffic is not
|
<term>all[+][-]</term>
|
||||||
affected. When <emphasis role="bold">all+</emphasis> is used,
|
|
||||||
intra-zone traffic is affected.</para>
|
<listitem>
|
||||||
|
<para><emphasis role="bold">all</emphasis>, without the
|
||||||
|
"-" means "All Zones, including the firewall zone". If
|
||||||
|
the "-" is included, the firewall zone is omitted.
|
||||||
|
Normally all omits intra-zone traffic, but intra-zone
|
||||||
|
traffic can be included specifying "+".</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>any[+][-]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">any</emphasis> is equivalent
|
||||||
|
to <emphasis role="bold">all</emphasis> when there are
|
||||||
|
no nested zones. When there are nested zones, <emphasis
|
||||||
|
role="bold">any</emphasis> only refers to top-level
|
||||||
|
zones (those with no parent zones). Note that <emphasis
|
||||||
|
role="bold">any</emphasis> excludes all vserver zones,
|
||||||
|
since those zones are nested within the firewall
|
||||||
|
zone.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>none</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When <emphasis role="bold">none</emphasis> is used
|
||||||
|
either in the <emphasis role="bold">SOURCE</emphasis> or
|
||||||
|
<emphasis role="bold">DEST</emphasis> column, the rule
|
||||||
|
is ignored.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>Similar to with <emphasis role="bold">all</emphasis> and
|
||||||
|
<emphasis role="bold">any</emphasis>, intra-zone traffic is
|
||||||
|
normally excluded when multiple zones are listed. Intra-zone
|
||||||
|
traffic may be included by following the list with a plus sign
|
||||||
|
("+").</para>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">all</emphasis> and <emphasis
|
||||||
|
role="bold">any</emphasis> may be followed by an exclamation
|
||||||
|
point ("!") and a comma-separated list of zone names to be
|
||||||
|
omitted.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>interface</replaceable></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When this form is used,
|
||||||
|
<replaceable>interface</replaceable> must be the name of an
|
||||||
|
interface associated with the named
|
||||||
|
<replaceable>zone</replaceable> in either <ulink
|
||||||
|
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
|
||||||
|
or <ulink
|
||||||
|
url="shorewall.hosts.html">shorewall6-hosts</ulink>(5). Only
|
||||||
|
packets to hosts in the <replaceable>zone</replaceable> that
|
||||||
|
are sent through the named interface will match the
|
||||||
|
rule.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>address</replaceable>[,...]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>where address can be:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>A host or network IP address. A network address may
|
||||||
|
be followed by exclusion (see <ulink
|
||||||
|
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>An address range, specified using the syntax
|
||||||
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>+<replaceable>ipset</replaceable> where
|
||||||
|
<replaceable>ipset</replaceable> is the name of an ipset
|
||||||
|
and must be preceded by a plus sign ("+").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>^<replaceable>country-code</replaceable> where
|
||||||
|
country-code is a two-character ISO-3661 country code
|
||||||
|
preceded by a caret ("^").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>^<replaceable>country-code-list</replaceable> where
|
||||||
|
<replaceable>country-code-list</replaceable> is a
|
||||||
|
comma-separated list of up to 15 ISO-3661 country codes
|
||||||
|
enclosed in square brackets ("[...]").</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The primary IP address of a firewall interface can
|
||||||
|
be specified by an ampersand ('&') followed by the
|
||||||
|
logical name of the interface as found in the INTERFACE
|
||||||
|
column of <ulink
|
||||||
|
url="/manpages/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
||||||
|
(5).</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>zone:interface:address[,...]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This form combines the preceding two and requires that
|
||||||
|
both the outgoing interface and destinationaddress
|
||||||
|
match.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><replaceable>zone</replaceable>:<replaceable>exclusion</replaceable></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This form matches if the host IP address does not match
|
||||||
|
any of the entries in the exclusion (see <ulink
|
||||||
|
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This form applies when the ACTION is DNAT[-] or
|
||||||
|
REDIRECT[-]. The zone may be omitted in REDIRECT rules ($FW is
|
||||||
|
assumed) and must be omitted in DNAT-, REDIRECT- and NONAT
|
||||||
|
rules.</para>
|
||||||
|
|
||||||
|
<para><replaceable role="bold">server-IP</replaceable> is not
|
||||||
|
allowed in REDIRECT rules and may be omitted in DNAT[-] rules
|
||||||
|
provided that <replaceable>port-or-port-range</replaceable> is
|
||||||
|
included. When omitting the
|
||||||
|
<replaceable>server-IP</replaceable>, simply enter "[]" (e.g.,
|
||||||
|
<emphasis role="bold">loc:[]:3128</emphasis>).</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>The IP address of the server to which the packet is
|
||||||
|
to be sent.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>A range of IP address with the low and high address
|
||||||
|
separated by a dash (:"-"). Connections are distributed
|
||||||
|
among the IP addresses in the range.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>If <replaceable>server-IP </replaceable>is omitted in a
|
||||||
|
DNAT[-] rule, only the destination port number is modified by
|
||||||
|
the rule.</para>
|
||||||
|
|
||||||
|
<para>port-or-port-range may be:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>An integer port number in the range 1 -
|
||||||
|
65535.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The name of a service from
|
||||||
|
<filename>/etc/services</filename>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>A port range with the low and high integer port
|
||||||
|
numbers separated by a dash ("-"). Connections are
|
||||||
|
distributed among the ports in the range.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>If <emphasis role="bold">random</emphasis> is specified,
|
||||||
|
port mapping will be randomized.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
<para>If the DEST <replaceable>zone</replaceable> is a bport zone,
|
<para>If the DEST <replaceable>zone</replaceable> is a bport zone,
|
||||||
then either:<orderedlist numeration="loweralpha">
|
then either:<orderedlist numeration="loweralpha">
|
||||||
@ -1127,79 +1335,24 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>the SOURCE <replaceable>zone</replaceable> must be an
|
<para>the SOURCE <replaceable>zone</replaceable> must be an
|
||||||
ipv4 zone that is associated with only the same bridge.</para>
|
ipv6 zone that is associated with only the same bridge.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist></para>
|
</orderedlist>Beginning with Shorewall 5.1.0, multiple
|
||||||
|
<replaceable>dest-spec</replaceable>s may be listed, provided that
|
||||||
|
extended forms of the source-spec are used:</para>
|
||||||
|
|
||||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
<blockquote>
|
||||||
role="bold">+]|[-</emphasis>] is specified, the server may be
|
<para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>)</para>
|
||||||
further restricted to a particular network, host or interface by
|
|
||||||
appending ":" and the network, host or interface. See <emphasis
|
|
||||||
role="bold">SOURCE</emphasis> above.</para>
|
|
||||||
|
|
||||||
<para>You may exclude certain hosts from the set already defined
|
<para><replaceable>zone</replaceable>:(<replaceable>address</replaceable>[,...])</para>
|
||||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
|
||||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
|
||||||
|
|
||||||
<para>Restriction: MAC addresses are not allowed (this is a
|
<para>zone:(interface:address[,...])</para>
|
||||||
Netfilter restriction).</para>
|
|
||||||
|
|
||||||
<para>If your kernel and ip6tables have ipset match support then you
|
<para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
|
||||||
may give the name of an ipset prefaced by "+". The ipset name may be
|
</blockquote>
|
||||||
optionally followed by a number from 1 to 6 enclosed in square
|
|
||||||
brackets ([]) to indicate the number of levels of destination
|
|
||||||
bindings to be matched. Only one of the <emphasis
|
|
||||||
role="bold">SOURCE</emphasis> and <emphasis
|
|
||||||
role="bold">DEST</emphasis> columns may specify an ipset
|
|
||||||
name.</para>
|
|
||||||
|
|
||||||
<para>The <replaceable>port</replaceable> that the server is
|
<para>Multiple <replaceable>dest-spec</replaceable>s are not
|
||||||
listening on may be included and separated from the server's IP
|
permitted in DNAT[-] and REDIRECT[-] rules.</para>
|
||||||
address by ":". If omitted, the firewall will not modify the
|
|
||||||
destination port. A destination port may only be included if the
|
|
||||||
<emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
||||||
role="bold">DNAT</emphasis> or <emphasis
|
|
||||||
role="bold">REDIRECT</emphasis>.</para>
|
|
||||||
|
|
||||||
<variablelist>
|
|
||||||
<varlistentry>
|
|
||||||
<term>Example 1:</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para><emphasis
|
|
||||||
role="bold">loc:[2001:470:b:227::44]:3128</emphasis> specifies
|
|
||||||
a local server at IP address 2001:470:b:227::44 and listening
|
|
||||||
on port 3128.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term>Example 2:</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para><emphasis role="bold">loc:[]:3128</emphasis> specifies
|
|
||||||
that the destination port should be changed to 3128 but the IP
|
|
||||||
address should remain the same.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
|
|
||||||
<para>The <emphasis>port</emphasis> may be specified as a service
|
|
||||||
name. You may specify a port range in the form
|
|
||||||
<emphasis>lowport-highport</emphasis> to cause connections to be
|
|
||||||
assigned to ports in the range in round-robin fashion. When a port
|
|
||||||
range is specified, <emphasis>lowport</emphasis> and
|
|
||||||
<emphasis>highport</emphasis> must be given as integers; service
|
|
||||||
names are not permitted. Additionally, the port range may be
|
|
||||||
optionally followed by <emphasis role="bold">:random</emphasis>
|
|
||||||
which causes assignment to ports in the list to be random.</para>
|
|
||||||
|
|
||||||
<para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
|
||||||
role="bold">REDIRECT</emphasis> or <emphasis
|
|
||||||
role="bold">REDIRECT-</emphasis>, this column needs only to contain
|
|
||||||
the port number on the firewall that the request should be
|
|
||||||
redirected to. That is equivalent to specifying
|
|
||||||
<option>$FW</option>::<replaceable>port</replaceable>.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|