diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index c566b9f95..f3f43764a 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -1,3 +1,11 @@ +Changes in Shorewall 4.3.1 + +1) Allow addresses in rules to be enclosed in square brackets. + +2) Fix parsing of 6 hosts file. + +3) Don't require Socket6 unless doing IPv6 DNS name resolution. + Changes in Shorewall 4.3.0 1) Verify User/Group names. @@ -21,43 +29,3 @@ Changes in Shorewall 4.3.0 10) IPv6 Alpha release. -Changes in Shorewall 4.2.2 - -1) Insure that lines copied from a user file are newline-terminated. - -2) Added macro.JAP. - -3) Added macro.DAAP. - -4) Added macro.DCC. - -5) Added macro.GNUnet. - -6) Prevent invalid rules when KLUDGEFREE is not set. - -7) Separated detection of old conntrack syntax from new conntrack - feature detection. - -8) Fix nonat rules with destination IP address. - -9) Correct NEW_CONNTRACK_MATCH with server port but no dest port. - -Changes in Shorewall 4.2.1 - -1) Added CONNBYTES to tcrules manpage. Flesh out description of HELPER. - -2) Fixed minor CONNBYTES editing issue. - -3) Add CONNLIMIT to policy and rules. - -4) Allow use of iptables-1.4.1. - -5) Add time match support. - -6) Applied Lennart Sorensen's patch for length match. - -7) Take advantage of --ctorigdstport - -8) Fix syntax error in 'export' - -Initial release of Shorewall 4.2.0. diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index b6c1f9fda..af5f6289f 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt 
@@ -1,13 +1,33 @@ -Shorewall 4.3.0 +Shorewall 4.3.1 ---------------------------------------------------------------------------- R E L E A S E 4 . 3 H I G H L I G H T S ---------------------------------------------------------------------------- 1) Support is included for IPv6. +Problems Corrected in 4.3.1 + +1) Shorewall6 parsing of the hosts file HOSTS column has been + corrected. + +Other changes in 4.3.1 + +1) It is now permitted to enclose addresses in [] even when an + interface name is not specified. + + Example: + + ACCEPT net:[2001:1::1] $FW + +2) The Socket6 perl module is only required now if DNS names appear in + your Shorewall6 configuration files. + +3) Shorewall6 now recognizes IPv4 addresses embedded in the IPv6 + address space (e.g., ::ffff:192.168.1.3). + Migration Issues. -None. + None. New Features in Shorewall 4.3 
@@ -59,13 +79,31 @@ New Features in Shorewall 4.3 marking and connection marking are available to feed your current traffic shaping defined in Shorewall. - f) When both an interface and an IPv6 address or address list need to + f) When both an interface and an address or address list need to be specified in a rule, the address or list must be enclosed in square brackets. Example: ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz + Note that this includes MAC addresses as well as IPv6 addresses. + + The HOSTS column in /etc/shorewall6/hosts also uses this + convention: + + #ZONE HOSTS OPTIONS + chat6 eth0:[2001:19f0:feee::dead:beef:cafe] + g) There are currently no Shorewall6 or Shorewall6-lite manpages. h) The options available in shorewall6.conf are a subset of those available in shorewall.conf. + + i) The Socket6.pm Perl module is required if you include DNS names + in your Shorewall6 configuration. Note that it is loaded the + first time that a DNS name is encountered so if it is missing, + you get a message similar to this one: + + ... + Checking /etc/shorewall6/rules... + Can't locate Socket6.pm in @INC (@INC contains: /root ... + teastep@ursa:~/Configs/standalone6$ diff --git a/Shorewall-perl/Shorewall/IPAddrs.pm b/Shorewall-perl/Shorewall/IPAddrs.pm index ec5adbfbe..c2a4b8e40 100644 --- a/Shorewall-perl/Shorewall/IPAddrs.pm +++ b/Shorewall-perl/Shorewall/IPAddrs.pm 
@@ -480,11 +480,20 @@ sub valid_6address( $ ) { my $address = $_[0]; my @address = split /:/, $address; + my $max; - return 0 if @address > 8; - return 0 if @address < 8 && ! $address =~ /::/; - return 0 if $address =~ /:::/ || $address =~ /::.*::/; + if ( $address[-1] && $address[-1] =~ /^\d+\.\d+\.\d+\.\d+$/ ) { + return 0 unless valid_4address pop @address; + $max = 6; + $address = join ':', @address; + } else { + $max = 8; + } + return 0 if @address > $max; + return 0 if @address < $max && ! $address =~ /::/; + return 0 if $address =~ /:::/ || $address =~ /::.*::/; + if ( $address =~ /^:/ ) { unless ( $address eq '::' ) { return 0 if $address =~ /:$/ || $address =~ /^:.*::/; @@ -506,8 +515,8 @@ sub validate_6address( $$ ) { my @addrs = ( $addr ); unless ( valid_6address $addr ) { - require Socket6; fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name; + require Socket6; fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::gethostbyname2( $addr, Socket6::AF_INET6())); if ( defined wantarray ) { diff --git a/manpages6/shorewall6-accounting.xml b/manpages6/shorewall6-accounting.xml index e2107d083..78a976244 100644 --- a/manpages6/shorewall6-accounting.xml +++ b/manpages6/shorewall6-accounting.xml @@ -1,7 +1,9 @@ + - shorewall-accounting + shorewall6-accounting 5 @@ -9,12 +11,12 @@ accounting - Shorewall Accounting file + Shorewall6 Accounting file - /etc/shorewall/accounting + /etc/shorewall6/accounting @@ -23,7 +25,7 @@ Accounting rules exist simply to count packets and bytes in categories that you define in this file. You may display these rules and - their packet and byte counters using the shorewall show + their packet and byte counters using the shorewall6 show accounting command. The columns in the file are as follows. 
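Review bot: The re-added guard `return 0 if @address < $max && ! $address =~ /::/;` never fires, because Perl's `!` binds tighter than `=~`, so the expression is `(!$address) =~ /::/`, which is always false; an abbreviated address with too few groups and no `::` (e.g. `2001:db8:1`) therefore gets past this check and, depending on the checks further down, may only be caught when ip6tables rejects it while the generated script is running. The removed line had the same defect, so this is a pre-existing bug carried forward; write it as `return 0 if @address < $max && $address !~ /::/;`. A second, separate problem in the new branch is that `$address = join ':', @address;` after popping the dotted quad loses a trailing `::` — `::192.168.1.3` becomes `:` and is then rejected by the `/:$/` check, although the IPv4-compatible form is syntactically legal, while `::ffff:192.168.1.3` happens to survive as `::ffff`. Substituting two placeholder groups for the quad before splitting keeps the structure intact and lets the existing 8-group checks apply unchanged, as sketched below. The body of valid_6address continues past the end of this hunk, so the remaining checks are not visible here.
```perl
sub valid_6address( $ ) {
    my $address = $_[0];

    # An embedded dotted quad (e.g. ::ffff:192.168.1.3) occupies the last two
    # 16-bit groups. Validate it on its own, then stand two zero groups in for
    # it so the hex part is checked as an ordinary 8-group address; this keeps
    # a leading/trailing "::" intact instead of rejoining a truncated list.
    if ( $address =~ /^(.*:)(\d+\.\d+\.\d+\.\d+)$/ ) {
        return 0 unless valid_4address $2;
        $address = $1 . '0:0';
    }

    my @address = split /:/, $address;

    return 0 if @address > 8;
    return 0 if @address < 8 && $address !~ /::/;   # '!' binds tighter than '=~'
    return 0 if $address =~ /:::/ || $address =~ /::.*::/;
    # ... unchanged: leading/trailing ':' checks and the rest of the function ...
```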
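Review bot: Moving `require Socket6;` below the `$allow_name` check is right, but when the module is missing it still dies with Perl's raw "Can't locate Socket6.pm in @INC" (the release notes in this same commit reproduce that output) instead of the compiler's own diagnostic naming the offending entry; wrap it as `eval { require Socket6; 1 } or fatal_error "The Socket6 Perl module is required to resolve DNS name ($addr)";` so the user learns which rule needs the module. Separately, please confirm what `@addrs` receives on the next line: if, as its POD describes it, Socket6::gethostbyname2 returns the gethostbyname-style list `($name, $aliases, $addrtype, $length, @addrs)` with packed binary addresses, the assignment is true even when only metadata comes back and the values need `inet_ntop` before they can be placed in a rule — the code that consumes `@addrs` is outside this hunk, so I cannot see whether it accounts for that. It is also worth a sentence in the Shorewall6 documentation that names are resolved once, at compile time, so the ruleset freezes whatever the resolver answered then and does not follow later DNS changes.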
@@ -65,7 +67,7 @@ Where chain is the name of a chain; - Shorewall will create the chain automatically if it doesn't + shorewall6 will create the chain automatically if it doesn't already exist. Causes a jump to that chain to be added to the chain specified in the CHAIN column. If :COUNT is included, a counting rule @@ -96,7 +98,7 @@ role="bold">-|any|all|interface|interface:address|address} + role="bold">:address|address} Packet Source. @@ -112,8 +114,7 @@ DESTINATION - {-|any|all|interface|interface:address|address} + role="bold">all|interface|interfaceaddress|address} Packet Destination. @@ -306,7 +307,7 @@ FILES - /etc/shorewall/accounting + /etc/shorewall6/accounting @@ -316,13 +317,12 @@ url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html - shorewall(8), shorewall-actions(5), shorewall-blacklist(5), - shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), + shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), + shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shorewall6-route_rules(5), shorewall6-routestopped(5), + shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5), + shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), + shorewall6-tunnels(5), shorewall6-zones(5) diff --git a/manpages6/shorewall6-actions.xml b/manpages6/shorewall6-actions.xml index 94ab3d113..c89f82782 100644 --- a/manpages6/shorewall6-actions.xml +++ b/manpages6/shorewall6-actions.xml 
@@ -1,7 +1,9 @@ + - shorewall-actions + shorewall6-actions 5 @@ -9,12 +11,12 @@ actions - Shorewall action declaration file + shorewall6 action declaration file - /etc/shorewall/actions + /etc/shorewall6/actions @@ -22,12 +24,12 @@ Description This file allows you to define new ACTIONS for use in rules (see - shorewall-rules(5)). You define + shorewall6-rules(5)). You define the iptables rules to be performed in an ACTION in - /etc/shorewall/action.action-name. + /etc/shorewall6/action.action-name. ACTION names should begin with an upper-case letter to distinguish - them from Shorewall-generated chain names and they must meet the + them from shorewall6-generated chain names and they must meet the requirements of a Netfilter chain. If you intend to log from the action then the name must be no longer than 11 characters in length. Names must also meet the requirements for a Bourne Shell identifier (must begin with 
@@ -38,22 +40,21 @@ FILES - /etc/shorewall/actions + /etc/shorewall6/actions See ALSO http://shorewall.net/Actions.html + url="http://shorewall.net/Actions.html">http://shorewall6.net/Actions.html - shorewall(8), shorewall-accounting(5), shorewall-blacklist(5), - shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5), + shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), + shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shorewall6-route_rules(5), shorewall6-routestopped(5), + shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5), + shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), + shorewall6-tunnels(5), shorewall-zones(5) diff --git a/manpages6/shorewall6-blacklist.xml b/manpages6/shorewall6-blacklist.xml index 915ee6f69..7e52425d2 100644 --- a/manpages6/shorewall6-blacklist.xml +++ b/manpages6/shorewall6-blacklist.xml @@ -1,7 +1,9 @@ + - shorewall-blacklist + shorewall6-blacklist 5 @@ -9,12 +11,12 @@ blacklist - Shorewall Blacklist file + shorewall6 Blacklist file - /etc/shorewall/blacklist + /etc/shorewall6/blacklist 
@@ -74,12 +76,12 @@ When a packet arrives on an interface that has the blacklist option specified in shorewall-interfaces(5), its + url="shorewall-interfaces.html">shorewall6-interfaces(5), its source IP address and MAC address is checked against this file and disposed of according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in shorewall.conf(5). If shorewall6.conf(5). If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching the protocol (and one of the ports if @@ -94,10 +96,11 @@ Example 1: - To block DNS queries from address 192.0.2.126: + To block DNS queries from address + fe80::2a0:ccff:fedb:31c4: - #ADDRESS/SUBNET PROTOCOL PORT - 192.0.2.126 udp 53 + #ADDRESS/SUBNET PROTOCOL PORT + fe80::2a0:ccff:fedb:31c4/ udp 53 @@ -118,22 +121,21 @@ FILES - /etc/shorewall/blacklist + /etc/shorewall6/blacklist See ALSO http://shorewall.net/blacklisting_support.htm + url="http://shorewall.net/blacklisting_support.htm">http://shorewall6.net/blacklisting_support.htm - shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), + shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shorewall6-route_rules(5), shorewall6-routestopped(5), + shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5), + shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), + shorewall6-tunnels(5), shorewall6-zones(5) 
diff --git a/manpages6/shorewall6-ecn.xml b/manpages6/shorewall6-ecn.xml index b557a5630..2f8dfa925 100644 --- a/manpages6/shorewall6-ecn.xml +++ b/manpages6/shorewall6-ecn.xml @@ -1,7 +1,9 @@ + - shorewall-ecn + shorewall6-ecn 5 @@ -9,12 +11,12 @@ ecn - Shorewall ECN file + shorewall6 ECN file - /etc/shorewall/ecn + /etc/shorewall6/ecn @@ -44,8 +46,8 @@ Comma-separated list of host and/or network addresses. If left - empty or supplied as "-", 0.0.0.0/0 is assumed. If your kernel and - iptables include iprange match support then IP address ranges are + empty or supplied as "-", ::/0 is assumed. If your kernel and + ip6tables include iprange match support then IP address ranges are also permitted. @@ -55,20 +57,18 @@ FILES - /etc/shorewall/ecn + /etc/shorewall6/ecn See ALSO - shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), - shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), - shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), - shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), - shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), - shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), - shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), - shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), + shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-providers(5), shorewall6-route_rules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), + shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5) diff --git a/manpages6/shorewall6-exclusion.xml b/manpages6/shorewall6-exclusion.xml index f313c8e61..eeb8541a6 100644 --- a/manpages6/shorewall6-exclusion.xml 
+++ b/manpages6/shorewall6-exclusion.xml @@ -1,7 +1,9 @@ + - shorewall-exclusion + shorewall6-exclusion 5 @@ -9,7 +11,7 @@ exclusion - Exclude a set of hosts from a definition in a shorewall + Exclude a set of hosts from a definition in a shorewall6 configuration file. @@ -26,9 +28,9 @@ Exclusion is used when you wish to exclude one or more addresses from a definition. An exclaimation point is followed by a comma-separated list of addresses. The addresses may be single host addresses (e.g., - 192.168.1.4) or they may be network addresses in CIDR format (e.g., - 192.168.1.0/24). If your kernel and iptables include iprange support, you - may also specify ranges of ip addresses of the form + fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format + (e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and iptables include + iprange support, you may also specify ranges of ip addresses of the form lowaddress-highaddress No embedded whitespace is allowed. 
@@ -39,70 +41,27 @@ exclusion. - - Examples - - - - Example 1 - All IPv4 addresses except 192.168.3.4 - - - !192.168.3.4 - - - - - Example 2 - All IPv4 addresses except the network 192.168.1.0/24 - and the host 10.2.3.4 - - - !192.168.1.0/24,10.1.3.4 - - - - - Example 3 - All IPv4 addresses except the range - 192.168.1.3-192.168.1.12 and the network 10.0.0.0/8 - - - !192.168.1.3-192.168.1.12,10.0.0.0/8 - - - - - Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3 - and 192.168.1.9 - - - 192.168.1.0/24!192.168.1.3,192.168.1.9 - - - - - FILES - /etc/shorewall/hosts + /etc/shorewall6/hosts - /etc/shorewall/masq + /etc/shorewall6/masq - /etc/shorewall/rules + /etc/shorewall6/rules - /etc/shorewall/tcrules + /etc/shorewall6/tcrules See ALSO - shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), - shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), - shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), - shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), - shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), - shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), - shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), - shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), + shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-providers(5), shorewall6-route_rules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), + shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5) - \ No newline at end of file + diff --git a/manpages6/shorewall6-hosts.xml b/manpages6/shorewall6-hosts.xml index 3944f6285..a26ae40d0 100644 --- a/manpages6/shorewall6-hosts.xml 
+++ b/manpages6/shorewall6-hosts.xml @@ -1,7 +1,9 @@ + - shorewall-hosts + shorewall6-hosts 5 @@ -9,12 +11,12 @@ hosts - Shorewall file + shorewall6 file - /etc/shorewall/hosts + /etc/shorewall6/hosts @@ -27,8 +29,8 @@ The order of entries in this file is not significant in determining zone composition. Rather, the order that the zones are declared in shorewall-zones(5) determines the order - in which the records in this file are interpreted. + url="shorewall-zones.html">shorewall6-zones(5) determines the + order in which the records in this file are interpreted. The only time that you need this file is when you have more than @@ -37,7 +39,7 @@ If you have an entry for a zone and interface in shorewall-interfaces(5) then do + url="shorewall-interfaces.html">shorewall6-interfaces(5) then do not include any entries in this file for that same (zone, interface) pair. @@ -51,26 +53,26 @@ The name of a zone declared in shorewall-zones(5). You may not + url="shorewall-zones.html">shorewall6-zones(5). You may not list the firewall zone in this column. HOST(S) - - interface:{[{address-or-range[interface:{[{address-or-range[,address-or-range]...|+ipset}[exclusion] + role="bold">+ipset}[exclusion] The name of an interface defined in the shorewall-interfaces(5) file - followed by a colon (":") and a comma-separated list whose elements - are either: + url="shorewall-interfaces.html">shorewall6-interfaces(5) + file followed by a colon (":") and a comma-separated list whose + elements are either: - The IP address of a + The IPv6 address of a host. @@ -92,7 +94,7 @@
You may also exclude certain hosts through use of an exclusion (see shorewall-exclusion(5). + url="shorewall-exclusion.html">shorewall6-exclusion(5).
@@ -107,24 +109,11 @@ must have no embedded white space. - - maclist - - - Connection requests from these hosts are compared - against the contents of shorewall-maclist(5). If - this option is specified, the interface must be an ethernet - NIC or equivalent and must be up before Shorewall is - started. - - - routeback - Shorewall should set up the infrastructure to pass + shorewall6 should set up the infrastructure to pass packets from this/these address(es) back to themselves. This is necessary if hosts in this group use the services of a transparent proxy that is a member of the group or if DNAT is @@ -141,7 +130,7 @@ bridge. Check packets arriving on this port against the shorewall-blacklist(5) + url="shorewall-blacklist.html">shorewall6-blacklist(5) file. @@ -158,23 +147,6 @@ - - nosmurfs - - - This option only makes sense for ports on a - bridge. - - Filter packets for smurfs (packets with a broadcast - address as the source). - - Smurfs will be optionally logged based on the setting of - SMURF_LOG_LEVEL in shorewall.conf(5). After - logging, the packets are dropped. - - - ipsec 
@@ -182,94 +154,32 @@ The zone is accessed via a kernel 2.6 ipsec SA. Note that if the zone named in the ZONE column is specified as an IPSEC zone in the shorewall-zones(5) file + url="shorewall-zones.html">shorewall6-zones(5) file then you do NOT need to specify the 'ipsec' option here. - - - broadcast - - - Used when you want to include limited broadcasts - (destination IP address 255.255.255.255) from the firewall to - this zone. Only necessary when: - - - - The network specified in the HOST(S) column does not - include 255.255.255.255. - - - - The zone does not have an entry for this interface - in shorewall-interfaces(5). - - - - - - - destonly - - - Normally used with the Multi-cast IP address range - (224.0.0.0/4). Specifies that traffic will be sent to the - specified net(s) but that no traffic will be received from the - net(s). - - - - Examples - - - - Example 1 - - - The firewall runs a PPTP server which creates a ppp interface - for each remote client. The clients are assigned IP addresses in the - network 192.168.3.0/24 and in a zone named 'vpn'.#ZONE HOST(S) OPTIONS -vpn ppp+:192.168.3.0/24 - - If you are running a Shorewall version prior to 4.1.4, it is - especially recommended to define such a zone using this file rather - than shorewall-interfaces(8) if - there is another zone that uses a fixed PPP interface (for example, - if the 'net' zone always interfaces through ppp0). See shorewall-nesting(8) for - additional information. 
- - - - - FILES - /etc/shorewall/hosts + /etc/shorewall6/hosts See ALSO - shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-interfaces(5), shorewall-ipsec(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5), - shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), - shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), - shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), - shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), - shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5), + shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shorewall6-route_rules(5), shorewall6-routestopped(5), + shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5), + shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), + shorewall6-tunnels(5), shorewall-zones(5) -
\ No newline at end of file + diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml index 5cdca4763..c3ca0dd92 100644 --- a/manpages6/shorewall6-interfaces.xml +++ b/manpages6/shorewall6-interfaces.xml @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - shorewall-interfaces + shorewall6-interfaces 5 @@ -11,12 +11,12 @@ interfaces - Shorewall interfaces file + shorewall6 interfaces file - /etc/shorewall/interfaces + /etc/shorewall6/interfaces @@ -24,7 +24,7 @@ Description The interfaces file serves to define the firewall's network - interfaces to Shorewall. The order of entries in this file is not + interfaces to shorewall6. The order of entries in this file is not significant in determining zone composition. The columns in the file are as follows. @@ -36,11 +36,11 @@ Zone for this interface. Must match the name of a zone - declared in /etc/shorewall/zones. You may not list the firewall zone - in this column. + declared in /etc/shorewall6/zones. You may not list the firewall + zone in this column. If the interface serves multiple zones that will be defined in - the shorewall-hosts(5) + the shorewall6-hosts(5) file, you should place "-" in this column. If there are multiple interfaces to the same zone, you must 
@@ -73,51 +73,31 @@ loc eth2 - applies to all PPP interfaces, use 'ppp+'; that would match ppp0, ppp1, ppp2, … - When using Shorewall versions before 4.1.4, care must be - exercised when using wildcards where there is another zone that uses - a matching specific interface. See shorewall-nesting(5) for a + Care must be exercised when using wildcards where there is + another zone that uses a matching specific interface. See shorewall6-nesting(5) for a discussion of this problem. - Beginning with Shorewall 4.2.3, Shorewall-perl allows '+' as - an interface name. + Shorewall6-perl allows '+' as an interface name. There is no need to define the loopback interface (lo) in this file. - (Shorewall-perl only) If a port is - given, then the interface must have been - defined previously with the option. The - OPTIONS column must be empty when a port - is given. + If a port is given, then the + interface must have been defined + previously with the option. The OPTIONS + column must be empty when a port is + given. - BROADCAST (Optional) - - {-|detect|address[,address]...} + UNICAST - - - The broadcast address(es) for the network(s) to which the - interface belongs. For P-T-P interfaces, this column is left blank. - If the interface has multiple addresses on multiple subnets then - list the broadcast addresses as a comma-separated list. - - If you use the special value detect, Shorewall will detect the broadcast - address(es) for you. If you select this option, the interface must - be up before the firewall is started. - - If you don't want to give a value for this column but you want - to enter a value in the OPTIONS column, enter - in this column. - - Note to Shorewall-perl users: - Shorewall-perl only supports or - in this column. If you specify - addresses, a compilation warning will be - issued. + Enter '-' in this column. It + is here for compatibility between Shorewall6 and Shorewall. 
@@ -132,81 +112,13 @@ loc eth2 - should have no embedded white space. - - arp_filter[={0|1}] - - - If specified, this interface will only respond to ARP - who-has requests for IP addresses configured on the interface. - If not specified, the interface can respond to ARP who-has - requests for IP addresses on any of the firewall's interface. - The interface must be up when Shorewall is started. - - The option value (0 or 1) may only be specified if you - are using Shorewall-perl. With Shorewall-perl, only those - interfaces with the option will - have their setting changes; the value assigned to the setting - will be the value specified (if any) or 1 if no value is - given. - - - - - This option does not work with a wild-card - interface name (e.g., eth0.+) in - the INTERFACE column. - - - - - - arp_ignore[=number] - - - If specified, this interface will respond to arp - requests based on the value of number - (defaults to 1). - - 1 - reply only if the target IP address is local address - configured on the incoming interface - - 2 - reply only if the target IP address is local address - configured on the incoming interface and the sender's IP - address is part from same subnet on this interface - - 3 - do not reply for local addresses configured with - scope host, only resolutions for global and link - - 4-7 - reserved - - 8 - do not reply for all local addresses - - - - - This option does not work with a wild-card - interface name (e.g., eth0.+) in - the INTERFACE column. - - - - - - Do not specify arp_ignore for any interface involved - in Proxy ARP. - - - - blacklist Check packets arriving on this interface against the shorewall-blacklist(5) + url="shorewall6-blacklist.html">shorewall6-blacklist(5) file. 
@@ -215,237 +127,43 @@ loc eth2 - bridge - (Shorewall-perl only) Designates the interface as a + (shorewall6-perl only) Designates the interface as a bridge. - - detectnets - (Deprecated) - - - Automatically tailors the zone named in the ZONE column - to include only those hosts routed through the - interface. - - - - - Do not set the detectnets option on your internet - interface. - - Support for this option will be removed in a future - release of Shorewall-perl. Better to use the routefilter option together with the - logmartians option. - - - - - - dhcp - - - Specify this option when any of the following are - true: - - - - the interface gets its IP address via DHCP - - - - the interface is used by a DHCP server running on - the firewall - - - - the interface has a static IP but is on a LAN - segment with lots of DHCP clients. - - - - the interface is a bridge with a DHCP server on one - port and DHCP clients on another port. - - - - This option allows DHCP datagrams to enter and leave the - interface. - - - - - logmartians[={0|1}] - - - Turn on kernel martian logging (logging of packets with - impossible source addresses. It is strongly suggested that if - you set routefilter on an - interface that you also set logmartians. Even if you do not specify - the option, it is a good idea to - specify because your distribution - may be enabling route filtering without you knowing it. - - The option value (0 or 1) may only be specified if you - are using Shorewall-perl. With Shorewall-perl, only those - interfaces with the option will - have their setting changes; the value assigned to the setting - will be the value specified (if any) or 1 if no value is - given. - - To find out if route filtering is set on a given - interface, check the contents of - /proc/sys/net/ipv4/conf/interface/rp_filter - - a non-zero value indicates that route filtering is - enabled. 
- - Example: - - teastep@lists:~$ cat /proc/sys/net/ipv4/conf/eth0/rp_filter - 1 - teastep@lists:~$ - - - - - This option does not work with a wild-card - interface name (e.g., eth0.+) in - the INTERFACE column. - - -
- This option may also be enabled globally in the shorewall.conf(5) - file. -
-
-
- - - maclist - - - Connection requests from this interface are compared - against the contents of shorewall-maclist(5). If - this option is specified, the interface must be an ethernet - NIC and must be up before Shorewall is started. - - - mss[=number] - Added in Shorewall 4.0.3. Causes forwarded TCP SYN - packets entering or leaving on this interface to have their - MSS field set to the specified + Causes forwarded TCP SYN packets entering or leaving on + this interface to have their MSS field set to the specified number. - - norfc1918 - - - This interface should not receive any packets whose - source is in one of the ranges reserved by RFC 1918 (i.e., - private or "non-routable" addresses). If packet mangling or - connection-tracking match is enabled in your kernel, packets - whose destination addresses are reserved by RFC 1918 are also - rejected. - - - - - nosmurfs - - - Filter packets for smurfs (packets with a broadcast - address as the source). - - Smurfs will be optionally logged based on the setting of - SMURF_LOG_LEVEL in shorewall.conf(5). After - logging, the packets are dropped. - - - optional - Only supported by Shorewall-perl. When - is specified for an interface, - Shorewall will be silent when: + When is specified for an + interface, shorewall6 will be silent when: a /proc/sys/net/ipv4/conf/ - entry for the interface cannot be modified (including for - proxy ARP). + class="directory">/proc/sys/net/ipv5/conf/ + entry for the interface cannot be modified. - The first address of the interface cannot be - obtained. + The first global IPv6 address of the interface + cannot be obtained. - -
- I specify on interfaces to - Xen virtual machines that may or may not be running when - Shorewall is [re]started. - - - - - Use at your own risk. If - you [re]start Shorewall when an 'optional' interface is - not available and then do a shorewall - save, subsequent shorewall - restore and shorewall -f - start operations will instantiate a ruleset that - does not support that interface, even if it is available - at the time of the restore/start. - -
-
-
- - - proxyarp[={0|1}] - - - Sets - /proc/sys/net/ipv4/conf/interface/proxy_arp. - Do NOT use this option if you are employing Proxy ARP through - entries in shorewall-proxyarp(5). - This option is intended solely for use with Proxy ARP - sub-networking as described at: http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html. - - - Note: This option does - not work with a wild-card interface - name (e.g., eth0.+) in the INTERFACE column. - - The option value (0 or 1) may only be specified if you - are using Shorewall-perl. With Shorewall-perl, only those - interfaces with the option will have - their setting changes; the value assigned to the setting will - be the value specified (if any) or 1 if no value is - given. @@ -453,7 +171,7 @@ loc eth2 - routeback - If specified, indicates that Shorewall should include + If specified, indicates that shorewall6 should include rules that allow filtering traffic arriving on this interface back out that same interface. This option is also required when you have used a wildcard in the INTERFACE column if you @@ -471,7 +189,7 @@ loc eth2 - (anti-spoofing measure). The option value (0 or 1) may only be specified if you - are using Shorewall-perl. With Shorewall-perl, only those + are using shorewall6-perl. With shorewall6-perl, only those interfaces with the option will have their setting changes; the value assigned to the setting will be the value specified (if any) or 1 if no value is @@ -487,7 +205,7 @@ loc eth2 -
This option can also be enabled globally in the shorewall.conf(5) + url="shorewall6.conf.html">shorewall6.conf(5) file.
@@ -501,19 +219,15 @@ loc eth2 - If this option is not specified for an interface, then source-routed packets will not be accepted from that interface (sets - /proc/sys/net/ipv4/conf/interface/accept_source_route + /proc/sys/net/ipv6/conf/interface/accept_source_route to 1). Only set this option if you know what you are doing. This might represent a security risk and is not usually needed. - The option value (0 or 1) may only be specified if you - are using Shorewall-perl. With Shorewall-perl, only those - interfaces with the option will - have their setting changes; the value assigned to the setting - will be the value specified (if any) or 1 if no value is - given. - - + Only those interfaces with the + option will have their setting + changes; the value assigned to the setting will be the value + specified (if any) or 1 if no value is given. This option does not work with a wild-card @@ -559,43 +273,14 @@ loc eth2 - Suppose you have eth0 connected to a DSL modem and eth1 - connected to your local network and that your local subnet is - 192.168.1.0/24. The interface gets it's IP address via DHCP from - subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 - using eth2. + connected to your local network You have a DMZ using eth2. Your entries for this setup would look like: - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 206.191.149.223 dhcp -loc eth1 192.168.1.255 -dmz eth2 192.168.2.255 - - - - - Example 2: - - - The same configuration without specifying broadcast addresses - is: - - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect dhcp -loc eth1 detect -dmz eth2 detect - - - - - Example 3: - - - You have a simple dial-in system with no ethernet - connections. - - #ZONE INTERFACE BROADCAST OPTIONS -net ppp0 - + #ZONE INTERFACE UNICAST OPTIONS +net eth0 - +loc eth1 - +dmz eth2 -
@@ -604,19 +289,18 @@ net ppp0 - FILES - /etc/shorewall/interfaces + /etc/shorewall6/interfaces See ALSO - shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5), - shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5), + shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shorewall6-route_rules(5), shorewall6-routestopped(5), + shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5), + shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), + shorewall6-tunnels(5), shorewall6-zones(5)
diff --git a/manpages6/shorewall6-maclist.xml b/manpages6/shorewall6-maclist.xml
index 92b6ef59b..ad063c50f 100644
--- a/manpages6/shorewall6-maclist.xml
+++ b/manpages6/shorewall6-maclist.xml
@@ -1,7 +1,9 @@ + - shorewall-maclist + shorewall6-maclist 5
@@ -9,12 +11,12 @@ maclist - Shorewall MAC Verification file + shorewall6 MAC Verification file - /etc/shorewall/maclist + /etc/shorewall6/maclist
@@ -22,12 +24,12 @@ Description This file is used to define the MAC addresses and optionally their - associated IP addresses to be allowed to use the specified interface. The - feature is enabled by using the maclist - option in the shorewall-interfaces(5) or shorewall-hosts(5) configuration - file. + associated IPv6 addresses to be allowed to use the specified interface. + The feature is enabled by using the maclist option in the shorewall6-interfaces(5) or + shorewall6-hosts(5) + configuration file. The columns in the file are as follows.
@@ -41,8 +43,8 @@ ACCEPT or DROP (if MACLIST_TABLE=filter in shorewall.conf(5), then REJECT is - also allowed). If specified, the + url="shorewall6.conf.html">shorewall6.conf(5), then REJECT + is also allowed). If specified, the log-level causes packets matching the rule to be logged at that level.
@@ -63,7 +65,7 @@ MAC address of the host -- you do not - need to use the Shorewall format for MAC addresses here. If + need to use the shorewall6 format for MAC addresses here. If IP ADDRESSESES is supplied then MAC can be supplied as a dash (-)
@@ -90,7 +92,7 @@ FILES - /etc/shorewall/maclist + /etc/shorewall6/maclist 
@@ -99,13 +101,12 @@ http://shorewall.net/MAC_Validation.html - shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), - shorewall-ipsec(5), shorewall-masq(5), shorewall-nat(5), - shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), + shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), + shorewall6-route_rules(5), shorewall6-routestopped(5), + shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5), + shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), + shorewall6-tunnels(5), shorewall6-zones(5) - 
\ No newline at end of file
+ 
diff --git a/manpages6/shorewall6-modules.xml b/manpages6/shorewall6-modules.xml
index 051a421c0..dbd575634 100644
--- a/manpages6/shorewall6-modules.xml
+++ b/manpages6/shorewall6-modules.xml
@@ -1,7 +1,9 @@ + - shorewall-modules + shorewall6-modules 5
@@ -9,19 +11,19 @@ modules - Shorewall file + shorewall6 file - /usr/share/shorewall/modules + /usr/share/shorewall6/modules Description - This file specifies which kernel modules Shorewall will load before + This file specifies which kernel modules shorewall6 will load before trying to determine your iptables/kernel's capabilities. Each record in the file has the following format: 
@@ -35,19 +37,19 @@ The modulename names a kernel module - (without suffix). Shorewall will search for modules based on your + (without suffix). shorewall6 will search for modules based on your MODULESDIR and MODULE_SUFFIX settings in shorewall.conf(8). The + url="shorewall6.conf.html">shorewall6.conf(8). The moduleoptions are passed to modprobe (if installed) or to insmod. - The /usr/share/shorewall/modules file contains a large number of - modules. Users are encouraged to copy the file to /etc/shorewall/modules + The /usr/share/shorewall6/modules file contains a large number of + modules. Users are encouraged to copy the file to /etc/shorewall6/modules and modify the copy to load only the modules required. If you build monolithic kernels and have not installed - module-init-tools, then create an empty /etc/shorewall/modules file; - that will prevent Shorewall from trying to load modules at all. - + module-init-tools, then create an empty /etc/shorewall6/modules file; + that will prevent shorewall6 from trying to load modules at + all. 
@@ -60,22 +62,20 @@ FILES - /usr/share/shorewall/modules + /usr/share/shorewall6/modules - /etc/shorewall/modules + /etc/shorewall6/modules See ALSO - shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), - shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), - shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), - shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), - shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), - shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), - shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), - shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), + shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-providers(5), shorewall6-route_rules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), + shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5) - 
\ No newline at end of file
+ 
diff --git a/manpages6/shorewall6-nesting.xml b/manpages6/shorewall6-nesting.xml
index 12b2ca6ff..7edbea347 100644
--- a/manpages6/shorewall6-nesting.xml
+++ b/manpages6/shorewall6-nesting.xml
@@ -1,7 +1,9 @@ + - shorewall-nesting + shorewall6-nesting 5
@@ -9,7 +11,7 @@ nesting - Shorewall Nested Zones + shorewall6 Nested Zones 
@@ -22,40 +24,40 @@ Description - In shorewall-zones(5), a + In shorewall6-zones(5), a zone may be declared to be a sub-zone of one or more other zones using the above syntax. Where zones are nested, the CONTINUE policy in shorewall-policy(5) allows hosts that - are within multiple zones to be managed under the rules of all of these - zones. + url="shorewall6-policy.html">shorewall6-policy(5) allows hosts + that are within multiple zones to be managed under the rules of all of + these zones. Example - /etc/shorewall/zones: + /etc/shorewall6/zones: #ZONE TYPE OPTION fw firewall - net ipv4 - sam:net ipv4 - loc ipv4 + net ipv6 + sam:net ipv6 + loc ipv6 - /etc/shorewall/interfaces: + /etc/shorewall6/interfaces: #ZONE INTERFACE BROADCAST OPTIONS - - eth0 detect dhcp,norfc1918 + - eth0 detect blacklist loc eth1 detect - /etc/shorewall/hosts: + /etc/shorewall6/hosts: #ZONE HOST(S) OPTIONS - net eth0:0.0.0.0/0 - sam eth0:206.191.149.197 + net eth0:[::\] + sam eth0:[2001:19f0:feee::dead:beef:cafe] - /etc/shorewall/policy: + /etc/shorewall6/policy: #SOURCE DEST POLICY LOG LEVEL loc net ACCEPT 
@@ -69,143 +71,45 @@ under rules where the source zone is net. It is important that this policy be listed BEFORE the next policy (net to all). You can have this policy generated for you automatically by using the IMPLICIT_CONTINUE option in - shorewall.conf(5). + shorewall6.conf(5). - Partial /etc/shorewall/rules: + Partial /etc/shorewall6/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DEST PORT(S) ... - DNAT sam loc:192.168.1.3 tcp ssh - DNAT net loc:192.168.1.5 tcp www + ACCEPT sam loc:2001:19f0:feee::3 tcp ssh + ACCEPT net loc:2001:19f0:feee::5 tcp www ... - Given these two rules, Sam can connect to the firewall's internet - interface with ssh and the connection request will be forwarded to - 192.168.1.3. Like all hosts in the net zone, Sam can connect to the - firewall's internet interface on TCP port 80 and the connection request - will be forwarded to 192.168.1.5. The order of the rules is not - significant. Sometimes it is necessary to suppress port forwarding for a - sub-zone. For example, suppose that all hosts can SSH to the firewall and - be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the - firewall's external IP, he should be connected to the firewall itself. - Because of the way that Netfilter is constructed, this requires two rules - as follows: - - #ACTION SOURCE DEST PROTO DEST PORT(S) - ... - ACCEPT+ sam $FW tcp ssh - DNAT net loc:192.168.1.3 tcp ssh - ... - - The first rule allows Sam SSH access to the firewall. The second - rule says that any clients from the net zone with the exception of those - in the “sam” zone should have their connection port forwarded to - 192.168.1.3. If you need to exclude more than one zone, simply use - multiple ACCEPT+ rules. This technique also may be used when the ACTION is - REDIRECT. - - Care must be taken when nesting occurs as a result of the use of - wildcard interfaces (interface names ends in '+'). - - Here's an example. 
/etc/shorewall/zones: - - /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS - net ppp0 - loc eth1 - loc ppp+ - dmz eth2 - - Because the net zone is declared before the loc zone, net is an - implicit sub-zone of loc and in the absence of a net->... CONTINUE - policy, traffic from the net zone will not be passed through loc->... - rules. But DNAT and REDIRECT rules are an exception! - - - - DNAT and REDIRECT rules generate two Netfilter rules: a 'nat' - table rule that rewrites the destination IP address and/or port - number, and a 'filter' table rule that ACCEPTs the rewritten - connection. - - - - Policies only affect the 'filter' table. - - - - As a consequence, the following rules will have unexpected - behavior: #ACTION SOURCE DEST PROTO DEST - # PORT(S) - ACCEPT net dmz tcp 80 - REDIRECT loc 3128 tcp 80 - - The second rule is intended to redirect local web requests to a - proxy running on the firewall and listening on TCP port 3128. But the - 'nat' part of that rule will cause all connection requests for TCP port 80 - arriving on interface ppp+ (including ppp0!) to have their destination - port rewritten to 3128. Hence, the web server running in the DMZ will be - inaccessible from the web. - - The above problem can be corrected in several ways. - - The preferred way is to use the pppd option - to change the 'net' interface to something other than ppp0. That way, it - won't match ppp+. - - If you are running Shorewall version 4.1.4 or later, a second way is - to simply make the nested zones explicit: #ZONE TYPE OPTION - fw firewall - loc ipv4 - net:loc ipv4 - dmz ipv4 - - If you take this approach, be sure to set IMPLICIT_CONTINUE=No in - shorewall.conf. 
- - When using other Shorewall versions, another way is to rewrite the - DNAT rule (assume that the local zone is entirely within - 192.168.2.0/23): #ACTION SOURCE DEST PROTO DEST - # PORT(S) - ACCEPT net dmz tcp 80 - REDIRECT loc:192.168.2.0/23 3128 tcp 80 - - Another way is to restrict the definition of the loc zone: - - /etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS - net ppp0 - loc eth1 - - ppp+ - dmz eth2 - - /etc/shorewall/hosts: #ZONE HOST(S) OPTIONS - loc ppp+:192.168.2.0/23 + Given these two rules, Sam can connect with ssh to + 2001:19f0:feee::3. Like all hosts in the net zone, Sam can connect to TCP + port 80 on 2001:19f0:feee::5. The order of the rules is not + significant. FILES - /etc/shorewall/zones + /etc/shorewall6/zones - /etc/shorewall/interfaces + /etc/shorewall6/interfaces - /etc/shorewall/hosts + /etc/shorewall6/hosts - /etc/shorewall/policy + /etc/shorewall6/policy - /etc/shorewall/rules + /etc/shorewall6/rules See ALSO - shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), - shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), - shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), - shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), - shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), - shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), - shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), - shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), + shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-providers(5), shorewall6-route_rules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), + shorewall6-tos(5), shorewall6-tunnels(5), 
shorewall6-zones(5) - 
\ No newline at end of file
+ 
diff --git a/manpages6/shorewall6-params.xml b/manpages6/shorewall6-params.xml
index 6e0cd8798..ded58b474 100644
--- a/manpages6/shorewall6-params.xml
+++ b/manpages6/shorewall6-params.xml
@@ -1,7 +1,9 @@ + - shorewall-params + shorewall6-params 5
@@ -9,12 +11,12 @@ params - Shorewall parameters file + Shorewall6 parameters file - /etc/shorewall/params + /etc/shorewall6/params
@@ -34,7 +36,7 @@ NET_BCAST=130.252.100.255 NET_OPTIONS=routefilter,norfc1918 Example shorewall-interfaces(5) + url="shorewall6-interfaces.html">shorewall6-interfaces(5) file. ZONE INTERFACE BROADCAST OPTIONS 
@@ -49,22 +51,22 @@ net eth0 130.252.100.255 routefilter,norfc1918 FILES - /etc/shorewall/params + /etc/shorewall6/params See ALSO http://www.shorewall.net/configuration_file_basics.htm#Variables + url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall6.net/configuration_file_basics.htm#Variables - shorewall(8), shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), - shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), - shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5), - shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), - shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), + shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5), + shorewall6-nat(5), shorewall6-netmap(5), shorewall6-policy(5), + shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-route_rules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), + shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5) - 
\ No newline at end of file
+