mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 06:10:42 +01:00
Change references to 'recent set' to 'recent list' to match -m recent documentation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9567 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
5767a96005
commit
757d0b8d7c
@ -178,9 +178,9 @@ ACCEPT - - tcp 135,139,445
|
|||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of a <quote>recent</quote> set; you select the set name
|
<para>The name of a <quote>recent</quote> list. You select the list
|
||||||
which must conform to the rules for a valid chain name. Different
|
name which must conform to the rules for a valid chain name. Different
|
||||||
rules that specify the same set name will use the same set of
|
rules that specify the same list name will use the same set of
|
||||||
counters.</para>
|
counters.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -196,7 +196,7 @@ ACCEPT - - tcp 135,139,445
|
|||||||
|
|
||||||
<para>Connections that exceed the specified rate are dropped.</para>
|
<para>Connections that exceed the specified rate are dropped.</para>
|
||||||
|
|
||||||
<para>For example, to use a recent set name of <emphasis
|
<para>For example, to use a recent list name of <emphasis
|
||||||
role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
|
role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
|
||||||
use this entry in <filename>/etc/shorewall/rules</filename>:</para>
|
use this entry in <filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
@ -219,7 +219,7 @@ Limit:info:SSHA,3,60 net $FW tcp 22</programl
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The name of the recent set that you want to use
|
<para>The name of the recent list that you want to use
|
||||||
(<quote>SSHA</quote> in this example).</para>
|
(<quote>SSHA</quote> in this example).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -242,10 +242,10 @@ Limit:info:SSHA,3,60 net $FW tcp 22</programl
|
|||||||
|
|
||||||
<programlisting>my @tag = split /,/, $tag;
|
<programlisting>my @tag = split /,/, $tag;
|
||||||
|
|
||||||
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
|
fatal_error 'Limit rules must include <list name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
|
||||||
unless @tag == 3;
|
unless @tag == 3;
|
||||||
|
|
||||||
my $set = $tag[0];
|
my $list = $tag[0];
|
||||||
|
|
||||||
for ( @tag[1,2] ) {
|
for ( @tag[1,2] ) {
|
||||||
fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
|
fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
|
||||||
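Review bot: the list name taken from `$tag[0]` is still not validated before it is interpolated into the `-m recent --name $list` rule strings; the documentation hunk in this same commit says the name must conform to the rules for a valid chain name, but the only checks here are `unless @tag == 3` and the `/^\d+$/` test on `@tag[1,2]`. Suggest adding a check on the name next to the numeric one, something like `fatal_error "Invalid recent list name ($list)" unless $list =~ /^[-\w]+$/;`, so a malformed tag is rejected at compile time instead of being passed through to iptables.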
@ -253,15 +253,15 @@ for ( @tag[1,2] ) {
|
|||||||
|
|
||||||
my $count = $tag[1] + 1;
|
my $count = $tag[1] + 1;
|
||||||
|
|
||||||
add_rule $chainref, "-m recent --name $set --set";
|
add_rule $chainref, "-m recent --name $list --set";
|
||||||
|
|
||||||
if ( $level ) {
|
if ( $level ) {
|
||||||
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
||||||
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
|
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
|
||||||
add_rule $xchainref, '-j DROP';
|
add_rule $xchainref, '-j DROP';
|
||||||
add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
|
add_rule $chainref, "-m recent --name $list --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
|
||||||
} else {
|
} else {
|
||||||
add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
|
add_rule $chainref, "-m recent --update --name $list --seconds $tag[2] --hitcount $count -j DROP";
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $chainref, '-j ACCEPT';
|
add_rule $chainref, '-j ACCEPT';
|
||||||
|
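Review bot: the rename is incomplete within this hunk: `log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';` still reads the name through `$tag[0]` while every `add_rule` line now uses `$list`; using `$list` there as well keeps one name for the value. A smaller style point: the two `--update` rules order their options differently (`--name $list --update --seconds ...` in the logging branch versus `--update --name $list --seconds ...` in the other); the behaviour is the same, but aligning them makes the two branches easier to compare.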
@ -96,35 +96,8 @@
|
|||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The Perl-based compiler requires the following capabilities in
|
<para>The Perl-based compiler requires multiport match in your
|
||||||
your kernel and iptables.</para>
|
kernel and iptables.</para>
|
||||||
|
|
||||||
<itemizedlist>
|
|
||||||
<listitem>
|
|
||||||
<para>addrtype match (Restriction relaxed in Shorewall-perl
|
|
||||||
4.0.1)</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>multiport match (will not be relaxed)</para>
|
|
||||||
</listitem>
|
|
||||||
</itemizedlist>
|
|
||||||
|
|
||||||
<para>These capabilities are in current distributions.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Now that Netfilter has features to deal reasonably with port
|
|
||||||
lists, I see no reason to duplicate those features in Shorewall. The
|
|
||||||
Shorewall-shell compiler goes to great pain (in some cases) to break
|
|
||||||
very long port lists ( > 15 where port ranges in lists count as
|
|
||||||
two ports) into individual rules. In the new compiler, I'm avoiding
|
|
||||||
the ugliness required to do that for source port lists. The new
|
|
||||||
compiler just generates an error if your source list is too long
|
|
||||||
(beginning with Shorewall 4.0.5, the compiler will break rules with
|
|
||||||
a long destination port list into multiple rules).. It will also
|
|
||||||
produce an error if you insert a port range into a port list and you
|
|
||||||
don't have extended multiport support.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
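Review bot: the removed list item documented two behaviours that the replacement sentence ("requires multiport match") no longer mentions: that a source port list that is too long produces a compiler error, and that a port range inside a port list produces an error when extended multiport support is absent. If those still hold, the retained item should say whether plain or extended multiport match is required; if they no longer hold, that is worth stating in the commit message, which currently only describes the "recent list" wording change.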
@ -134,6 +107,12 @@
|
|||||||
is provided by Shorewall-perl.</para>
|
is provided by Shorewall-perl.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>DYNAMIC_ZONES=Yes is not supported. <ulink
|
||||||
|
url="ipsets.html#Dynamic">Use an ipset </ulink>to define your
|
||||||
|
dytnamic zones.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The BROADCAST column in the interfaces file is essentially
|
<para>The BROADCAST column in the interfaces file is essentially
|
||||||
unused if your kernel/iptables has Address Type Match support. If
|
unused if your kernel/iptables has Address Type Match support. If
|
||||||
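Review bot: typo in the added text: "dytnamic zones" should be "dynamic zones". The whitespace also sits on the wrong side of the link close: `<ulink url="ipsets.html#Dynamic">Use an ipset </ulink>to define` renders with a trailing space inside the link text and none after it; move it outside, as in `Use an ipset</ulink> to define`.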
@ -490,9 +469,8 @@ eth0 eth1:!192.168.4.9 ...</programlisting></para>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The PKTTYPE option is ignored by Shorewall-perl.
|
<para>The PKTTYPE option is ignored by Shorewall-perl.
|
||||||
Shorewall-perl 4.0.0 requires Address type match. Shorewall-perl
|
Shorewall-perl will use Address type match if it is available;
|
||||||
versions 4.0.1 and later will use Address type match if it is
|
otherwise, it will behave as if PKTTYPE=No had been
|
||||||
available; otherwise, they will behave as if PKTTYPE=No had been
|
|
||||||
specified.</para>
|
specified.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -531,9 +509,9 @@ ACCEPT loc:eth0:192.168.1.3,eth0:192.168.1.5 $fw tcp 22</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Beginning in Shorewall 4.2.0, Shorewall-perl gives a warning
|
<para>Shorewall-perl gives a warning if a zone name is entered in
|
||||||
if a zone name is entered in the DEST column of a
|
the DEST column of a <firstterm>nonat</firstterm> rule. Nonat rules
|
||||||
<firstterm>nonat</firstterm> rule. Nonat rules include:</para>
|
include:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -565,7 +543,8 @@ DNAT- net 192.168.1.3 tcp 21</programl
|
|||||||
footprint. This makes Shorewall-perl less desirable in an embedded
|
footprint. This makes Shorewall-perl less desirable in an embedded
|
||||||
environment. The best way to work around this limitation is to install
|
environment. The best way to work around this limitation is to install
|
||||||
Shorewall-perl on an administrative system and employ Shorewall-lite on
|
Shorewall-perl on an administrative system and employ Shorewall-lite on
|
||||||
your embedded systems.</para>
|
your embedded systems. Shorewall-perl will run on Windows under <ulink
|
||||||
|
url="http://www.cygwin.com/">Cygwin</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
@ -16,7 +16,7 @@
|
|||||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2008</year>
|
<year>2001-2009</year>
|
||||||
|
|
||||||
<holder>Thomas M Eastep</holder>
|
<holder>Thomas M Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@ -33,9 +33,9 @@
|
|||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
|
||||||
later. If you are running a version of Shorewall earlier than Shorewall
|
later. If you are running a version of Shorewall earlier than Shorewall
|
||||||
3.0.0 then please see the documentation for that
|
4.3.5 then please see the documentation for that
|
||||||
release.</emphasis></para>
|
release.</emphasis></para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
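Review bot: the two version numbers in the caution disagree: the first sentence now says the article applies to "Shorewall 4.3 and later", while the second tells readers running a version "earlier than Shorewall 4.3.5" to see that release's documentation. Pick one threshold (4.3.0 or 4.3.5) and use it in both sentences.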
@ -79,6 +79,25 @@
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Supports <emphasis role="bold">centralized firewall
|
||||||
|
administration</emphasis>.</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>Shorewall installed on a single administrative system. May
|
||||||
|
be a <trademark>Windows</trademark> PC running
|
||||||
|
<trademark>Cygwin</trademark>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Centrally generated firewall scripts run on the firewalls
|
||||||
|
under control of <ulink
|
||||||
|
url="CompiledPrograms.html#Lite">Shorewall-lite</ulink>.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink url="shorewall_quickstart_guide.htm">QuickStart Guides
|
<para><ulink url="shorewall_quickstart_guide.htm">QuickStart Guides
|
||||||
(HOWTOs)</ulink> to help get your first firewall up and running
|
(HOWTOs)</ulink> to help get your first firewall up and running
|
||||||
@ -188,8 +207,8 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink url="Install.htm#Install_RPM">RPM</ulink> and <ulink
|
<para><ulink url="Install.htm#Install_RPM">RPM</ulink> and <ulink
|
||||||
url="http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian">Debian</ulink>
|
url="http://www.debian.org">Debian</ulink> packages
|
||||||
packages available.</para>
|
available.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -69,8 +69,9 @@
|
|||||||
<member><literal>eth3:192.0.2.123</literal></member>
|
<member><literal>eth3:192.0.2.123</literal></member>
|
||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>You can use the <command moreinfo="none">shorewall check</command>
|
<para>You can use the <command moreinfo="none">shorewall show
|
||||||
command to see the groups associated with each of your zones.</para>
|
zones</command> command to see the groups associated with each of your
|
||||||
|
zones.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
|