Recognize IPv4 Addresses embedded in the IPv6 address space

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8994 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-12-11 19:24:34 +00:00
parent b75b9693b0
commit 71e7eb26f6
14 changed files with 332 additions and 854 deletions

View File

@ -1,3 +1,11 @@
Changes in Shorewall 4.3.1
1) Allow addresses in rules to be enclosed in square brackets.
2) Fix parsing of 6 hosts file.
3) Don't require Socket6 unless doing IPv6 DNS name resolution.
Changes in Shorewall 4.3.0
1) Verify User/Group names.
@ -21,43 +29,3 @@ Changes in Shorewall 4.3.0
10) IPv6 Alpha release.
Changes in Shorewall 4.2.2
1) Insure that lines copied from a user file are newline-terminated.
2) Added macro.JAP.
3) Added macro.DAAP.
4) Added macro.DCC.
5) Added macro.GNUnet.
6) Prevent invalid rules when KLUDGEFREE is not set.
7) Separated detection of old conntrack syntax from new conntrack
feature detection.
8) Fix nonat rules with destination IP address.
9) Correct NEW_CONNTRACK_MATCH with server port but no dest port.
Changes in Shorewall 4.2.1
1) Added CONNBYTES to tcrules manpage. Flesh out description of HELPER.
2) Fixed minor CONNBYTES editing issue.
3) Add CONNLIMIT to policy and rules.
4) Allow use of iptables-1.4.1.
5) Add time match support.
6) Applied Lennart Sorensen's patch for length match.
7) Take advantage of --ctorigdstport
8) Fix syntax error in 'export'
Initial release of Shorewall 4.2.0.

View File

@ -1,13 +1,33 @@
Shorewall 4.3.0
Shorewall 4.3.1
----------------------------------------------------------------------------
R E L E A S E 4 . 3 H I G H L I G H T S
----------------------------------------------------------------------------
1) Support is included for IPv6.
Problems Corrected in 4.3.1
1) Shorewall6 parsing of the hosts file HOSTS column has been
corrected.
Other changes in 4.3.1
1) It is now permitted to enclose addresses in [] even when an
interface name is not specified.
Example:
ACCEPT net:[2001:1::1] $FW
2) The Socket6 perl module is only required now if DNS names appear in
your Shorewall6 configuration files.
3) Shorewall6 now recognizes IPv4 addresses embedded in the IPv6
address space (e.g., ::ffff:192.168.1.3).
Migration Issues.
None.
None.
New Features in Shorewall 4.3
@ -59,13 +79,31 @@ New Features in Shorewall 4.3
marking and connection marking are available to feed your current
traffic shaping defined in Shorewall.
f) When both an interface and an IPv6 address or address list need to
f) When both an interface and an address or address list need to
be specified in a rule, the address or list must be enclosed in
square brackets. Example:
ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz
Note that this includes MAC addresses as well as IPv6 addresses.
The HOSTS column in /etc/shorewall6/hosts also uses this
convention:
#ZONE HOSTS OPTIONS
chat6 eth0:[2001:19f0:feee::dead:beef:cafe]
g) There are currently no Shorewall6 or Shorewall6-lite manpages.
h) The options available in shorewall6.conf are a subset of those
available in shorewall.conf.
i) The Socket6.pm Perl module is required if you include DNS names
in your Shorewall6 configuration. Note that it is loaded the
first time that a DNS name is encountered so if it is missing,
you get a message similar to this one:
...
Checking /etc/shorewall6/rules...
Can't locate Socket6.pm in @INC (@INC contains: /root ...
teastep@ursa:~/Configs/standalone6$

View File

@ -480,9 +480,18 @@ sub valid_6address( $ ) {
my $address = $_[0];
my @address = split /:/, $address;
my $max;
return 0 if @address > 8;
return 0 if @address < 8 && ! $address =~ /::/;
if ( $address[-1] && $address[-1] =~ /^\d+\.\d+\.\d+\.\d+$/ ) {
return 0 unless valid_4address pop @address;
$max = 6;
$address = join ':', @address;
} else {
$max = 8;
}
return 0 if @address > $max;
return 0 if @address < $max && ! $address =~ /::/;
return 0 if $address =~ /:::/ || $address =~ /::.*::/;
if ( $address =~ /^:/ ) {
@ -506,8 +515,8 @@ sub validate_6address( $$ ) {
my @addrs = ( $addr );
unless ( valid_6address $addr ) {
require Socket6;
fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name;
require Socket6;
fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::gethostbyname2( $addr, Socket6::AF_INET6()));
if ( defined wantarray ) {

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-accounting</refentrytitle>
<refentrytitle>shorewall6-accounting</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>accounting</refname>
<refpurpose>Shorewall Accounting file</refpurpose>
<refpurpose>Shorewall6 Accounting file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/accounting</command>
<command>/etc/shorewall6/accounting</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -23,7 +25,7 @@
<para>Accounting rules exist simply to count packets and bytes in
categories that you define in this file. You may display these rules and
their packet and byte counters using the <command>shorewall show
their packet and byte counters using the <command>shorewall6 show
accounting</command> command.</para>
<para>The columns in the file are as follows.</para>
@ -65,7 +67,7 @@
<listitem>
<para>Where <emphasis>chain</emphasis> is the name of a chain;
Shorewall will create the chain automatically if it doesn't
shorewall6 will create the chain automatically if it doesn't
already exist. Causes a jump to that chain to be added to the
chain specified in the CHAIN column. If <emphasis
role="bold">:COUNT</emphasis> is included, a counting rule
@ -96,7 +98,7 @@
role="bold">-</emphasis>|<emphasis
role="bold">any</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
role="bold">:<option>[</option></emphasis><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
<listitem>
<para>Packet Source.</para>
@ -112,8 +114,7 @@
<term><emphasis role="bold">DESTINATION</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">any</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
<listitem>
<para>Packet Destination.</para>
@ -306,7 +307,7 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/accounting</para>
<para>/etc/shorewall6/accounting</para>
</refsect1>
<refsect1>
@ -316,13 +317,12 @@
url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html
</ulink></para>
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-actions</refentrytitle>
<refentrytitle>shorewall6-actions</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>actions</refname>
<refpurpose>Shorewall action declaration file</refpurpose>
<refpurpose>shorewall6 action declaration file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/actions</command>
<command>/etc/shorewall6/actions</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -22,12 +24,12 @@
<title>Description</title>
<para>This file allows you to define new ACTIONS for use in rules (see
<ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>). You define
<ulink url="shorewall-rules.html">shorewall6-rules(5)</ulink>). You define
the iptables rules to be performed in an ACTION in
/etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
/etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
<para>ACTION names should begin with an upper-case letter to distinguish
them from Shorewall-generated chain names and they must meet the
them from shorewall6-generated chain names and they must meet the
requirements of a Netfilter chain. If you intend to log from the action
then the name must be no longer than 11 characters in length. Names must
also meet the requirements for a Bourne Shell identifier (must begin with
@ -38,22 +40,21 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/actions</para>
<para>/etc/shorewall6/actions</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
url="http://shorewall.net/Actions.html">http://shorewall6.net/Actions.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-blacklist</refentrytitle>
<refentrytitle>shorewall6-blacklist</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>blacklist</refname>
<refpurpose>Shorewall Blacklist file</refpurpose>
<refpurpose>shorewall6 Blacklist file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/blacklist</command>
<command>/etc/shorewall6/blacklist</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -74,12 +76,12 @@
<para>When a packet arrives on an interface that has the <emphasis
role="bold">blacklist</emphasis> option specified in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5), its
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5), its
source IP address and MAC address is checked against this file and
disposed of according to the <emphasis
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). If <emphasis
url="shorewall.conf.html">shorewall6.conf</ulink>(5). If <emphasis
role="bold">PROTOCOL</emphasis> or <emphasis
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
are supplied, only packets matching the protocol (and one of the ports if
@ -94,10 +96,11 @@
<term>Example 1:</term>
<listitem>
<para>To block DNS queries from address 192.0.2.126:</para>
<para>To block DNS queries from address
fe80::2a0:ccff:fedb:31c4:</para>
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
192.0.2.126 udp 53</programlisting>
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
fe80::2a0:ccff:fedb:31c4/ udp 53</programlisting>
</listitem>
</varlistentry>
@ -118,22 +121,21 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/blacklist</para>
<para>/etc/shorewall6/blacklist</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
url="http://shorewall.net/blacklisting_support.htm">http://shorewall6.net/blacklisting_support.htm</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-ecn</refentrytitle>
<refentrytitle>shorewall6-ecn</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>ecn</refname>
<refpurpose>Shorewall ECN file</refpurpose>
<refpurpose>shorewall6 ECN file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/ecn</command>
<command>/etc/shorewall6/ecn</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -44,8 +46,8 @@
<listitem>
<para>Comma-separated list of host and/or network addresses. If left
empty or supplied as "-", 0.0.0.0/0 is assumed. If your kernel and
iptables include iprange match support then IP address ranges are
empty or supplied as "-", ::/0 is assumed. If your kernel and
ip6tables include iprange match support then IP address ranges are
also permitted.</para>
</listitem>
</varlistentry>
@ -55,20 +57,18 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/ecn</para>
<para>/etc/shorewall6/ecn</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-exclusion</refentrytitle>
<refentrytitle>shorewall6-exclusion</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,7 +11,7 @@
<refnamediv>
<refname>exclusion</refname>
<refpurpose>Exclude a set of hosts from a definition in a shorewall
<refpurpose>Exclude a set of hosts from a definition in a shorewall6
configuration file.</refpurpose>
</refnamediv>
@ -26,9 +28,9 @@
<para>Exclusion is used when you wish to exclude one or more addresses
from a definition. An exclaimation point is followed by a comma-separated
list of addresses. The addresses may be single host addresses (e.g.,
192.168.1.4) or they may be network addresses in CIDR format (e.g.,
192.168.1.0/24). If your kernel and iptables include iprange support, you
may also specify ranges of ip addresses of the form
fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format
(e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and iptables include
iprange support, you may also specify ranges of ip addresses of the form
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
<para>No embedded whitespace is allowed.</para>
@ -39,70 +41,27 @@
exclusion.</para>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1 - All IPv4 addresses except 192.168.3.4</term>
<listitem>
<para>!192.168.3.4</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24
and the host 10.2.3.4</term>
<listitem>
<para>!192.168.1.0/24,10.1.3.4</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 3 - All IPv4 addresses except the range
192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term>
<listitem>
<para>!192.168.1.3-192.168.1.12,10.0.0.0/8</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
and 192.168.1.9</term>
<listitem>
<para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/hosts</para>
<para>/etc/shorewall6/hosts</para>
<para>/etc/shorewall/masq</para>
<para>/etc/shorewall6/masq</para>
<para>/etc/shorewall/rules</para>
<para>/etc/shorewall6/rules</para>
<para>/etc/shorewall/tcrules</para>
<para>/etc/shorewall6/tcrules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-hosts</refentrytitle>
<refentrytitle>shorewall6-hosts</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>hosts</refname>
<refpurpose>Shorewall file</refpurpose>
<refpurpose>shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/hosts</command>
<command>/etc/shorewall6/hosts</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -27,8 +29,8 @@
<para>The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
in which the records in this file are interpreted.</para>
url="shorewall-zones.html">shorewall6-zones</ulink>(5) determines the
order in which the records in this file are interpreted.</para>
<warning>
<para>The only time that you need this file is when you have more than
@ -37,7 +39,7 @@
<warning>
<para>If you have an entry for a zone and interface in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5) then do
not include any entries in this file for that same (zone, interface)
pair.</para>
</warning>
@ -51,26 +53,26 @@
<listitem>
<para>The name of a zone declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5). You may not
url="shorewall-zones.html">shorewall6-zones</ulink>(5). You may not
list the firewall zone in this column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HOST(S)</emphasis> -
<emphasis>interface</emphasis>:{[{<emphasis>address-or-range</emphasis>[<emphasis
<emphasis>interface</emphasis>:<option>[</option>{[{<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]</term>
role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]<option>]</option></term>
<listitem>
<para>The name of an interface defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
followed by a colon (":") and a comma-separated list whose elements
are either:</para>
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
file followed by a colon (":") and a comma-separated list whose
elements are either:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The IP <replaceable>address</replaceable> of a
<para>The IPv6 <replaceable>address</replaceable> of a
host.</para>
</listitem>
@ -92,7 +94,7 @@
<blockquote>
<para>You may also exclude certain hosts through use of an
<emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
url="shorewall-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
</blockquote>
</listitem>
</varlistentry>
@ -107,24 +109,11 @@
must have no embedded white space.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">maclist</emphasis></term>
<listitem>
<para>Connection requests from these hosts are compared
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC or equivalent and must be up before Shorewall is
started.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routeback</emphasis></term>
<listitem>
<para>Shorewall should set up the infrastructure to pass
<para>shorewall6 should set up the infrastructure to pass
packets from this/these address(es) back to themselves. This
is necessary if hosts in this group use the services of a
transparent proxy that is a member of the group or if DNAT is
@ -141,7 +130,7 @@
bridge.</para>
<para>Check packets arriving on this port against the <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para>
</listitem>
</varlistentry>
@ -158,23 +147,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term>
<listitem>
<para>This option only makes sense for ports on a
bridge.</para>
<para>Filter packets for smurfs (packets with a broadcast
address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipsec</emphasis></term>
@ -182,94 +154,32 @@
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
that if the zone named in the ZONE column is specified as an
IPSEC zone in the <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5) file
url="shorewall-zones.html">shorewall6-zones</ulink>(5) file
then you do NOT need to specify the 'ipsec' option
here.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>broadcast</term>
<listitem>
<para>Used when you want to include limited broadcasts
(destination IP address 255.255.255.255) from the firewall to
this zone. Only necessary when:</para>
<orderedlist>
<listitem>
<para>The network specified in the HOST(S) column does not
include 255.255.255.255.</para>
</listitem>
<listitem>
<para>The zone does not have an entry for this interface
in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>destonly</term>
<listitem>
<para>Normally used with the Multi-cast IP address range
(224.0.0.0/4). Specifies that traffic will be sent to the
specified net(s) but that no traffic will be received from the
net(s).</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1</term>
<listitem>
<para>The firewall runs a PPTP server which creates a ppp interface
for each remote client. The clients are assigned IP addresses in the
network 192.168.3.0/24 and in a zone named 'vpn'.<programlisting>#ZONE HOST(S) OPTIONS
vpn ppp+:192.168.3.0/24</programlisting></para>
<para>If you are running a Shorewall version prior to 4.1.4, it is
especially recommended to define such a zone using this file rather
than <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8) if
there is another zone that uses a fixed PPP interface (for example,
if the 'net' zone always interfaces through ppp0). See <ulink
url="shorewall-nesting.html">shorewall-nesting</ulink>(8) for
additional information.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/hosts</para>
<para>/etc/shorewall6/hosts</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-interfaces(5), shorewall-ipsec(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-interfaces</refentrytitle>
<refentrytitle>shorewall6-interfaces</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -11,12 +11,12 @@
<refnamediv>
<refname>interfaces</refname>
<refpurpose>Shorewall interfaces file</refpurpose>
<refpurpose>shorewall6 interfaces file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/interfaces</command>
<command>/etc/shorewall6/interfaces</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -24,7 +24,7 @@
<title>Description</title>
<para>The interfaces file serves to define the firewall's network
interfaces to Shorewall. The order of entries in this file is not
interfaces to shorewall6. The order of entries in this file is not
significant in determining zone composition.</para>
<para>The columns in the file are as follows.</para>
@ -36,11 +36,11 @@
<listitem>
<para>Zone for this interface. Must match the name of a zone
declared in /etc/shorewall/zones. You may not list the firewall zone
in this column.</para>
declared in /etc/shorewall6/zones. You may not list the firewall
zone in this column.</para>
<para>If the interface serves multiple zones that will be defined in
the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
the <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
file, you should place "-" in this column.</para>
<para>If there are multiple interfaces to the same zone, you must
@ -73,51 +73,31 @@ loc eth2 -</programlisting>
applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
ppp1, ppp2, …</para>
<para>When using Shorewall versions before 4.1.4, care must be
exercised when using wildcards where there is another zone that uses
a matching specific interface. See <ulink
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
<para>Care must be exercised when using wildcards where there is
another zone that uses a matching specific interface. See <ulink
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
discussion of this problem.</para>
<para>Beginning with Shorewall 4.2.3, Shorewall-perl allows '+' as
an interface name.</para>
<para>Shorewall6-perl allows '+' as an interface name.</para>
<para>There is no need to define the loopback interface (lo) in this
file.</para>
<para>(Shorewall-perl only) If a <replaceable>port</replaceable> is
given, then the <replaceable>interface</replaceable> must have been
defined previously with the <option>bridge</option> option. The
OPTIONS column must be empty when a <replaceable>port</replaceable>
is given.</para>
<para>If a <replaceable>port</replaceable> is given, then the
<replaceable>interface</replaceable> must have been defined
previously with the <option>bridge</option> option. The OPTIONS
column must be empty when a <replaceable>port</replaceable> is
given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">BROADCAST</emphasis> (Optional) -
{<emphasis role="bold">-</emphasis>|<emphasis
role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>
<term><emphasis role="bold">UNICAST</emphasis> - <emphasis
role="bold">-</emphasis></term>
<listitem>
<para>The broadcast address(es) for the network(s) to which the
interface belongs. For P-T-P interfaces, this column is left blank.
If the interface has multiple addresses on multiple subnets then
list the broadcast addresses as a comma-separated list.</para>
<para>If you use the special value <emphasis
role="bold">detect</emphasis>, Shorewall will detect the broadcast
address(es) for you. If you select this option, the interface must
be up before the firewall is started.</para>
<para>If you don't want to give a value for this column but you want
to enter a value in the OPTIONS column, enter <emphasis
role="bold">-</emphasis> in this column.</para>
<para><emphasis role="bold">Note to Shorewall-perl users:</emphasis>
Shorewall-perl only supports <option>detect</option> or <emphasis
role="bold">-</emphasis> in this column. If you specify
<replaceable>address</replaceable>es, a compilation warning will be
issued.</para>
<para>Enter '<emphasis role="bold">-'</emphasis> in this column. It
is here for compatibility between Shorewall6 and Shorewall.</para>
</listitem>
</varlistentry>
@ -132,81 +112,13 @@ loc eth2 -</programlisting>
should have no embedded white space.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
<listitem>
<para>If specified, this interface will only respond to ARP
who-has requests for IP addresses configured on the interface.
If not specified, the interface can respond to ARP who-has
requests for IP addresses on any of the firewall's interface.
The interface must be up when Shorewall is started.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>arp_filter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>
<listitem>
<para>If specified, this interface will respond to arp
requests based on the value of <emphasis>number</emphasis>
(defaults to 1).</para>
<para>1 - reply only if the target IP address is local address
configured on the incoming interface</para>
<para>2 - reply only if the target IP address is local address
configured on the incoming interface and the sender's IP
address is part from same subnet on this interface</para>
<para>3 - do not reply for local addresses configured with
scope host, only resolutions for global and link</para>
<para>4-7 - reserved</para>
<para>8 - do not reply for all local addresses</para>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<para></para>
<warning>
<para>Do not specify <emphasis
role="bold">arp_ignore</emphasis> for any interface involved
in <ulink url="../ProxyARP.htm">Proxy ARP</ulink>.</para>
</warning>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Check packets arriving on this interface against the
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para>
</listitem>
</varlistentry>
@ -215,237 +127,43 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">bridge</emphasis></term>
<listitem>
<para>(Shorewall-perl only) Designates the interface as a
<para>(shorewall6-perl only) Designates the interface as a
bridge.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">detectnets</emphasis>
(Deprecated)</term>
<listitem>
<para>Automatically tailors the zone named in the ZONE column
to include only those hosts routed through the
interface.</para>
<para></para>
<warning>
<para>Do not set the <emphasis
role="bold">detectnets</emphasis> option on your internet
interface.</para>
<para>Support for this option will be removed in a future
release of Shorewall-perl. Better to use the <emphasis
role="bold">routefilter</emphasis> option together with the
<emphasis role="bold">logmartians</emphasis> option.</para>
</warning>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">dhcp</emphasis></term>
<listitem>
<para>Specify this option when any of the following are
true:</para>
<orderedlist spacing="compact">
<listitem>
<para>the interface gets its IP address via DHCP</para>
</listitem>
<listitem>
<para>the interface is used by a DHCP server running on
the firewall</para>
</listitem>
<listitem>
<para>the interface has a static IP but is on a LAN
segment with lots of DHCP clients.</para>
</listitem>
<listitem>
<para>the interface is a bridge with a DHCP server on one
port and DHCP clients on another port.</para>
</listitem>
</orderedlist>
<para>This option allows DHCP datagrams to enter and leave the
interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">logmartians[={0|1}]</emphasis></term>
<listitem>
<para>Turn on kernel martian logging (logging of packets with
impossible source addresses. It is strongly suggested that if
you set <emphasis role="bold">routefilter</emphasis> on an
interface that you also set <emphasis
role="bold">logmartians</emphasis>. Even if you do not specify
the <option>routefilter</option> option, it is a good idea to
specify <option>logmartians</option> because your distribution
may be enabling route filtering without you knowing it.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>logmartians</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>To find out if route filtering is set on a given
<replaceable>interface</replaceable>, check the contents of
<filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
- a non-zero value indicates that route filtering is
enabled.</para>
<para>Example:</para>
<programlisting> teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
1
teastep@lists:~$ </programlisting>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<blockquote>
<para>This option may also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">maclist</emphasis></term>
<listitem>
<para>Connection requests from this interface are compared
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC and must be up before Shorewall is started.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">mss</emphasis>[=<emphasis>number</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
packets entering or leaving on this interface to have their
MSS field set to the specified
<para>Causes forwarded TCP SYN packets entering or leaving on
this interface to have their MSS field set to the specified
<replaceable>number</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">norfc1918</emphasis></term>
<listitem>
<para>This interface should not receive any packets whose
source is in one of the ranges reserved by RFC 1918 (i.e.,
private or "non-routable" addresses). If packet mangling or
connection-tracking match is enabled in your kernel, packets
whose destination addresses are reserved by RFC 1918 are also
rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term>
<listitem>
<para>Filter packets for smurfs (packets with a broadcast
address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">optional</emphasis></term>
<listitem>
<para>Only supported by Shorewall-perl. When
<option>optional</option> is specified for an interface,
Shorewall will be silent when:</para>
<para>When <option>optional</option> is specified for an
interface, shorewall6 will be silent when:</para>
<itemizedlist>
<listitem>
<para>a <filename
class="directory">/proc/sys/net/ipv4/conf/</filename>
entry for the interface cannot be modified (including for
proxy ARP).</para>
class="directory">/proc/sys/net/ipv5/conf/</filename>
entry for the interface cannot be modified.</para>
</listitem>
<listitem>
<para>The first address of the interface cannot be
obtained.</para>
<para>The first global IPv6 address of the interface
cannot be obtained.</para>
</listitem>
</itemizedlist>
<para></para>
<blockquote>
<para>I specify <option>optional</option> on interfaces to
Xen virtual machines that may or may not be running when
Shorewall is [re]started.</para>
<para></para>
<caution>
<para>Use <option>optional</option> at your own risk. If
you [re]start Shorewall when an 'optional' interface is
not available and then do a <command>shorewall
save</command>, subsequent <command>shorewall
restore</command> and <command>shorewall -f
start</command> operations will instantiate a ruleset that
does not support that interface, even if it is available
at the time of the restore/start.</para>
</caution>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
<listitem>
<para>Sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
Do NOT use this option if you are employing Proxy ARP through
entries in <ulink
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
This option is intended solely for use with Proxy ARP
sub-networking as described at: <ulink
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
</ulink></para>
<para><emphasis role="bold">Note</emphasis>: This option does
not work with a wild-card <replaceable>interface</replaceable>
name (e.g., eth0.+) in the INTERFACE column.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>proxyarp</option> option will have
their setting changes; the value assigned to the setting will
be the value specified (if any) or 1 if no value is
given.</para>
</listitem>
</varlistentry>
@ -453,7 +171,7 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">routeback</emphasis></term>
<listitem>
<para>If specified, indicates that Shorewall should include
<para>If specified, indicates that shorewall6 should include
rules that allow filtering traffic arriving on this interface
back out that same interface. This option is also required
when you have used a wildcard in the INTERFACE column if you
@ -471,7 +189,7 @@ loc eth2 -</programlisting>
(anti-spoofing measure).</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
are using shorewall6-perl. With shorewall6-perl, only those
interfaces with the <option>routefilter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
@ -487,7 +205,7 @@ loc eth2 -</programlisting>
<blockquote>
<para>This option can also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)
file.</para>
</blockquote>
</listitem>
@ -501,19 +219,15 @@ loc eth2 -</programlisting>
<para>If this option is not specified for an interface, then
source-routed packets will not be accepted from that interface
(sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
/proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/accept_source_route
to 1). Only set this option if you know what you are doing.
This might represent a security risk and is not usually
needed.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>sourceroute</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para></para>
<para>Only those interfaces with the
<option>sourceroute</option> option will have their setting
changes; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>
<note>
<para>This option does not work with a wild-card
@ -559,43 +273,14 @@ loc eth2 -</programlisting>
<listitem>
<para>Suppose you have eth0 connected to a DSL modem and eth1
connected to your local network and that your local subnet is
192.168.1.0/24. The interface gets it's IP address via DHCP from
subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
using eth2.</para>
connected to your local network You have a DMZ using eth2.</para>
<para>Your entries for this setup would look like:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.191.149.223 dhcp
loc eth1 192.168.1.255
dmz eth2 192.168.2.255</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>The same configuration without specifying broadcast addresses
is:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp
loc eth1 detect
dmz eth2 detect</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 3:</term>
<listitem>
<para>You have a simple dial-in system with no ethernet
connections.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 -</programlisting>
<programlisting>#ZONE INTERFACE UNICAST OPTIONS
net eth0 -
loc eth1 -
dmz eth2 -</programlisting>
</listitem>
</varlistentry>
</variablelist>
@ -604,19 +289,18 @@ net ppp0 -</programlisting>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/interfaces</para>
<para>/etc/shorewall6/interfaces</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-maclist</refentrytitle>
<refentrytitle>shorewall6-maclist</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>maclist</refname>
<refpurpose>Shorewall MAC Verification file</refpurpose>
<refpurpose>shorewall6 MAC Verification file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/maclist</command>
<command>/etc/shorewall6/maclist</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -22,12 +24,12 @@
<title>Description</title>
<para>This file is used to define the MAC addresses and optionally their
associated IP addresses to be allowed to use the specified interface. The
feature is enabled by using the <emphasis role="bold">maclist</emphasis>
option in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink
url="shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
file.</para>
associated IPv6 addresses to be allowed to use the specified interface.
The feature is enabled by using the <emphasis
role="bold">maclist</emphasis> option in the <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) or
<ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
configuration file.</para>
<para>The columns in the file are as follows.</para>
@ -41,8 +43,8 @@
<listitem>
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is
also allowed). If specified, the
url="shorewall6.conf.html">shorewall6.conf</ulink>(5), then REJECT
is also allowed). If specified, the
<replaceable>log-level</replaceable> causes packets matching the
rule to be logged at that level.</para>
</listitem>
@ -63,7 +65,7 @@
<listitem>
<para>MAC <emphasis>address</emphasis> of the host -- you do not
need to use the Shorewall format for MAC addresses here. If
need to use the shorewall6 format for MAC addresses here. If
<emphasis role="bold">IP ADDRESSESES</emphasis> is supplied then
<emphasis role="bold">MAC</emphasis> can be supplied as a dash
(<emphasis role="bold">-</emphasis>)</para>
@ -90,7 +92,7 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/maclist</para>
<para>/etc/shorewall6/maclist</para>
</refsect1>
<refsect1>
@ -99,13 +101,12 @@
<para><ulink
url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-modules</refentrytitle>
<refentrytitle>shorewall6-modules</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,19 +11,19 @@
<refnamediv>
<refname>modules</refname>
<refpurpose>Shorewall file</refpurpose>
<refpurpose>shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/usr/share/shorewall/modules</command>
<command>/usr/share/shorewall6/modules</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file specifies which kernel modules Shorewall will load before
<para>This file specifies which kernel modules shorewall6 will load before
trying to determine your iptables/kernel's capabilities. Each record in
the file has the following format:</para>
@ -35,19 +37,19 @@
</cmdsynopsis>
<para>The <replaceable>modulename</replaceable> names a kernel module
(without suffix). Shorewall will search for modules based on your
(without suffix). shorewall6 will search for modules based on your
MODULESDIR and MODULE_SUFFIX settings in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(8). The
url="shorewall6.conf.html">shorewall6.conf</ulink>(8). The
<replaceable>moduleoption</replaceable>s are passed to modprobe (if
installed) or to insmod.</para>
<para>The /usr/share/shorewall/modules file contains a large number of
modules. Users are encouraged to copy the file to /etc/shorewall/modules
<para>The /usr/share/shorewall6/modules file contains a large number of
modules. Users are encouraged to copy the file to /etc/shorewall6/modules
and modify the copy to load only the modules required.<note>
<para>If you build monolithic kernels and have not installed
module-init-tools, then create an empty /etc/shorewall/modules file;
that will prevent Shorewall from trying to load modules at all.
</para>
module-init-tools, then create an empty /etc/shorewall6/modules file;
that will prevent shorewall6 from trying to load modules at
all.</para>
</note></para>
</refsect1>
@ -60,22 +62,20 @@
<refsect1>
<title>FILES</title>
<para>/usr/share/shorewall/modules</para>
<para>/usr/share/shorewall6/modules</para>
<para>/etc/shorewall/modules</para>
<para>/etc/shorewall6/modules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-nesting</refentrytitle>
<refentrytitle>shorewall6-nesting</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,7 +11,7 @@
<refnamediv>
<refname>nesting</refname>
<refpurpose>Shorewall Nested Zones</refpurpose>
<refpurpose>shorewall6 Nested Zones</refpurpose>
</refnamediv>
<refsynopsisdiv>
@ -22,40 +24,40 @@
<refsect1>
<title>Description</title>
<para>In <ulink url="shorewall-zones.html">shorewall-zones</ulink>(5), a
<para>In <ulink url="shorewall-zones.html">shorewall6-zones</ulink>(5), a
zone may be declared to be a sub-zone of one or more other zones using the
above syntax.</para>
<para>Where zones are nested, the CONTINUE policy in <ulink
url="shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that
are within multiple zones to be managed under the rules of all of these
zones.</para>
url="shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
that are within multiple zones to be managed under the rules of all of
these zones.</para>
</refsect1>
<refsect1>
<title>Example</title>
<para><filename>/etc/shorewall/zones</filename>:</para>
<para><filename>/etc/shorewall6/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTION
fw firewall
net ipv4
sam:net ipv4
loc ipv4</programlisting>
net ipv6
sam:net ipv6
loc ipv6</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect dhcp,norfc1918
- eth0 detect blacklist
loc eth1 detect</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<para><filename>/etc/shorewall6/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS
net eth0:0.0.0.0/0
sam eth0:206.191.149.197</programlisting>
net eth0:[::\]
sam eth0:[2001:19f0:feee::dead:beef:cafe]</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<para><filename>/etc/shorewall6/policy</filename>:</para>
<programlisting> #SOURCE DEST POLICY LOG LEVEL
loc net ACCEPT
@ -69,143 +71,45 @@
under rules where the source zone is net. It is important that this policy
be listed BEFORE the next policy (net to all). You can have this policy
generated for you automatically by using the IMPLICIT_CONTINUE option in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
...
DNAT sam loc:192.168.1.3 tcp ssh
DNAT net loc:192.168.1.5 tcp www
ACCEPT sam loc:2001:19f0:feee::3 tcp ssh
ACCEPT net loc:2001:19f0:feee::5 tcp www
...</programlisting>
<para>Given these two rules, Sam can connect to the firewall's internet
interface with ssh and the connection request will be forwarded to
192.168.1.3. Like all hosts in the net zone, Sam can connect to the
firewall's internet interface on TCP port 80 and the connection request
will be forwarded to 192.168.1.5. The order of the rules is not
significant. Sometimes it is necessary to suppress port forwarding for a
sub-zone. For example, suppose that all hosts can SSH to the firewall and
be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
firewall's external IP, he should be connected to the firewall itself.
Because of the way that Netfilter is constructed, this requires two rules
as follows:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
...
ACCEPT+ sam $FW tcp ssh
DNAT net loc:192.168.1.3 tcp ssh
...</programlisting>
<para>The first rule allows Sam SSH access to the firewall. The second
rule says that any clients from the net zone with the exception of those
in the “sam” zone should have their connection port forwarded to
192.168.1.3. If you need to exclude more than one zone, simply use
multiple ACCEPT+ rules. This technique also may be used when the ACTION is
REDIRECT.</para>
<para>Care must be taken when nesting occurs as a result of the use of
wildcard interfaces (interface names ends in '+').</para>
<para>Here's an example. <filename>/etc/shorewall/zones</filename>:</para>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net ppp0
loc eth1
loc ppp+
dmz eth2</programlisting></para>
<para>Because the net zone is declared before the loc zone, net is an
implicit sub-zone of loc and in the absence of a net-&gt;... CONTINUE
policy, traffic from the net zone will not be passed through loc-&gt;...
rules. But DNAT and REDIRECT rules are an exception!</para>
<itemizedlist>
<listitem>
<para>DNAT and REDIRECT rules generate two Netfilter rules: a 'nat'
table rule that rewrites the destination IP address and/or port
number, and a 'filter' table rule that ACCEPTs the rewritten
connection.</para>
</listitem>
<listitem>
<para>Policies only affect the 'filter' table.</para>
</listitem>
</itemizedlist>
<para>As a consequence, the following rules will have unexpected
behavior:<programlisting> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net dmz tcp 80
REDIRECT loc 3128 tcp 80</programlisting></para>
<para>The second rule is intended to redirect local web requests to a
proxy running on the firewall and listening on TCP port 3128. But the
'nat' part of that rule will cause all connection requests for TCP port 80
arriving on interface ppp+ (including ppp0!) to have their destination
port rewritten to 3128. Hence, the web server running in the DMZ will be
inaccessible from the web.</para>
<para>The above problem can be corrected in several ways.</para>
<para>The preferred way is to use the <option>ifname</option> pppd option
to change the 'net' interface to something other than ppp0. That way, it
won't match ppp+.</para>
<para>If you are running Shorewall version 4.1.4 or later, a second way is
to simply make the nested zones explicit:<programlisting> #ZONE TYPE OPTION
fw firewall
loc ipv4
net:loc ipv4
dmz ipv4</programlisting></para>
<para>If you take this approach, be sure to set IMPLICIT_CONTINUE=No in
<filename>shorewall.conf</filename>.</para>
<para>When using other Shorewall versions, another way is to rewrite the
DNAT rule (assume that the local zone is entirely within
192.168.2.0/23):<programlisting> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net dmz tcp 80
REDIRECT loc:192.168.2.0/23 3128 tcp 80</programlisting></para>
<para>Another way is to restrict the definition of the loc zone:</para>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net ppp0
loc eth1
- ppp+
dmz eth2</programlisting></para>
<para><filename>/etc/shorewall/hosts</filename>:<programlisting> #ZONE HOST(S) OPTIONS
loc ppp+:192.168.2.0/23</programlisting></para>
<para>Given these two rules, Sam can connect with ssh to
2001:19f0:feee::3. Like all hosts in the net zone, Sam can connect to TCP
port 80 on 2001:19f0:feee::5. The order of the rules is not
significant.</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/zones</para>
<para>/etc/shorewall6/zones</para>
<para>/etc/shorewall/interfaces</para>
<para>/etc/shorewall6/interfaces</para>
<para>/etc/shorewall/hosts</para>
<para>/etc/shorewall6/hosts</para>
<para>/etc/shorewall/policy</para>
<para>/etc/shorewall6/policy</para>
<para>/etc/shorewall/rules</para>
<para>/etc/shorewall6/rules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-params</refentrytitle>
<refentrytitle>shorewall6-params</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
@ -9,12 +11,12 @@
<refnamediv>
<refname>params</refname>
<refpurpose>Shorewall parameters file</refpurpose>
<refpurpose>Shorewall6 parameters file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/params</command>
<command>/etc/shorewall6/params</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -34,7 +36,7 @@ NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918</programlisting>
<para>Example <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
file.</para>
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
@ -49,22 +51,22 @@ net eth0 130.252.100.255 routefilter,norfc1918</programlisting>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/params</para>
<para>/etc/shorewall6/params</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall6.net/configuration_file_basics.htm#Variables</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>