Mirror of https://gitlab.com/shorewall/code.git (synced 2024-11-21 23:23:13 +01:00)
Correct policy file column heading names
Signed-off-by: Tom Eastep <teastep@shorewall.net>
Parent: 0a73d365dd
Commit: 839f7f3329
@ -127,7 +127,7 @@ GATEWAY=::192.88.99.1</programlisting></para>
wireless). eth4 goes to my DMZ which holds a single server. Here is a
diagram of the IPv4 network:</para>
<graphic align="center" fileref="images/Network2009.png" />
<graphic align="center" fileref="images/Network2009.png"/>
<para>Here is the configuration after IPv6 is configured; the part in
bold font is configured by the /etc/init.d/ipv6 script.</para>
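Review bot: the only change in this hunk is dropping the space before the self-closing slash in the `<graphic>` tag (`<graphic ... />` to `<graphic .../>`), which has no effect on the rendered document and is unrelated to the policy-heading correction named in the commit message; the same whitespace-only edit recurs in the following hunks of this file. Keeping these cosmetic edits in a separate commit would make the heading change easier to review and to bisect later.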
@ -283,7 +283,7 @@ ursa:~ #</programlisting></para>
<para>Here is the resulting simple IPv6 Network:</para>
<graphic align="center" fileref="images/Network2009b.png" />
<graphic align="center" fileref="images/Network2009b.png"/>
</section>
<section>
@ -338,7 +338,7 @@ ursa:~ #</programlisting></para>
<para>So the IPv4 network was transformed to this:</para>
<graphic align="center" fileref="images/Network2009a.png" />
<graphic align="center" fileref="images/Network2009a.png"/>
<para>To implement the same IPv6 network as described above, I used this
/etc/shorewall/interfaces file:</para>
@ -407,7 +407,7 @@ iface sit1 inet6 v4tunnel
<para>That file produces the following IPv6 network.</para>
<graphic align="center" fileref="images/Network2008c.png" />
<graphic align="center" fileref="images/Network2008c.png"/>
</section>
<section>
@ -475,7 +475,7 @@ dmz eth2 tcpflags,forward=1</programlisting></par
<para><filename>/etc/shorewall6/policy</filename>:</para>
<blockquote>
<para><programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
net all DROP info
loc net ACCEPT
dmz net ACCEPT
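Review bot: the rename from `LOG LEVEL LIMIT:BURST` to `LOGLEVEL LIMIT` fixes a genuinely misleading heading, since `LOG LEVEL` read as two separate columns while the rows beneath it (for example `net all DROP info`) carry a single log-level value in that position. Because the heading is a comment line in the configuration file, the change is documentation-only and cannot alter the generated ruleset; the one thing to check is that every prose passage referring to a `LIMIT:BURST` column is updated in the same commit so the documentation stays self-consistent.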
@ -505,8 +505,7 @@ SSH(ACCEPT) loc $FW
#
# Allow Ping everywhere
#
Ping(ACCEPT) all all</programlisting>
</para>
Ping(ACCEPT) all all</programlisting></para>
</blockquote>
</section>
</section>
@ -652,7 +651,7 @@ interface eth2 {
<para>Suppose that we have the following situation:</para>
<graphic fileref="images/TwoIPv6Nets1.png" />
<graphic fileref="images/TwoIPv6Nets1.png"/>
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is
@ -74,12 +74,11 @@
<section>
<title>Policy Rate Limiting</title>
<para>The LIMIT:BURST column in the
<filename>/etc/shorewall/policy</filename> file applies to TCP
connections that are subject to the policy. The limiting is applied
BEFORE the connection request is passed through the rules generated by
entries in <filename>/etc/shorewall/rules</filename>. Those connections
in excess of the limit are logged and dropped.</para>
<para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
file applies to TCP connections that are subject to the policy. The
limiting is applied BEFORE the connection request is passed through the
rules generated by entries in <filename>/etc/shorewall/rules</filename>.
Those connections in excess of the limit are logged and dropped.</para>
</section>
<section>
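Review bot: renaming the column to `LIMIT` in this paragraph drops the `:BURST` suffix that previously hinted at the shape of the value (a rate together with a burst allowance), and the new wording still says only "the LIMIT column" without saying what goes in it. Consider adding one clause stating that the column value carries both the rate and the burst size, so the reader does not lose that information with the rename; the rest of the paragraph (limiting applied before the rules, excess connections logged and dropped) is unchanged and reads correctly.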
@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
<para>You have a policy for traffic from
<replaceable>zone1</replaceable> to
<replaceable>zone2</replaceable> that specifies TCP connection
rate limiting (value in the LIMIT:BURST column). The logged packet
rate limiting (value in the LIMIT column). The logged packet
exceeds that limit and was dropped. Note that these log messages
themselves are severely rate-limited so that a syn-flood won't
generate a secondary DOS because of excessive log message. These
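Review bot: since this paragraph is being edited anyway, the unchanged context line `generate a secondary DOS because of excessive log message.` could be corrected to `excessive log messages` (and `DOS` to `DoS`) in the same commit rather than left for later. The substantive change, `(value in the LIMIT:BURST column)` to `(value in the LIMIT column)`, matches the heading rename in the other hunks and is correct.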
@ -771,7 +771,7 @@ l2tp ppp+ -
<blockquote>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT
loc net ACCEPT
loc l2tp ACCEPT # Allows local machines to connect to road warriors
@ -913,7 +913,7 @@ loc eth0:192.168.20.0/24</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT
loc $FW ACCEPT
net loc NONE
@ -266,13 +266,13 @@ dmz eth2 detect nets=(192.168.1.0/24)</programlisting>
<para>The <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the three-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>In the three-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting> The above policies will:
<itemizedlist>
<listitem>
@ -316,8 +316,7 @@ $FW net ACCEPT</programlisting> The above policies will:
url="manpages/shorewall-rules.html"><filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW tcp 22</programlisting>
<para>So although you have a policy of ignoring all connection attempts
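Review bot: this hunk edits the `rules` file heading (the two-line `DEST` / `# PORT(S)` collapsed into `DPORT`), not a `policy` file heading, so the commit message "Correct policy file column heading names" does not cover it; either widen the message to mention the rules heading or move this hunk into its own commit. The change itself is an improvement, since the old two-line heading was easy to misread as a second `DEST` column above `22`.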
@ -892,7 +892,7 @@ net eth1 detect …</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
<programlisting>#SOURCE DESTINATION POLICY LOGLEVEL LIMIT
net net DROP</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para>
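Review bot: besides renaming `LIMIT:BURST` to `LIMIT`, this hunk adds the `LOGLEVEL` column that the old heading left out, so the heading now names the columns in the same order as the other policy examples in this commit; that is the right fix. One inconsistency remains: this heading keeps `DESTINATION` while every other policy heading touched here uses `DEST`, and aligning on one spelling would make the documentation uniform.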
@ -552,8 +552,7 @@ smc COMC_IF:10.0.0.0/24
<section id="policy">
<title>/etc/shorewall/policy</title>
<para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
<para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW dmz REJECT $LOG
$FW net REJECT $LOG
?else
@ -581,7 +581,7 @@ loc:world bport
<para>A conventional two-zone policy file is appropriate here —
<filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info