mirror of
https://gitlab.com/shorewall/code.git
synced 2025-04-11 12:58:21 +02:00
Correct policy file column heading names
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent 0a73d365dd
commit 839f7f3329
@ -475,7 +475,7 @@ dmz eth2 tcpflags,forward=1</programlisting></par
<para><filename>/etc/shorewall6/policy</filename>:</para>

<blockquote>
<para><programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
net all DROP info
loc net ACCEPT
dmz net ACCEPT
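Review bot: please confirm the rename reaches every `/etc/shorewall6/policy` listing in this file, not only the one at line 475. The heading here reads correctly against the rows that follow: `net all DROP info` puts `info` in the LOGLEVEL column, and no visible row carries a LIMIT value, so nothing else in the listing needs to move.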
@ -505,8 +505,7 @@ SSH(ACCEPT) loc $FW
#
# Allow Ping everywhere
#
Ping(ACCEPT) all all</programlisting>
</para>
Ping(ACCEPT) all all</programlisting></para>
</blockquote>
</section>
</section>
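Review bot: joining `</programlisting>` and `</para>` onto one line is whitespace-only cleanup of a rules listing (`SSH(ACCEPT) loc $FW`, `Ping(ACCEPT) all all`) and has nothing to do with the column rename; it would be easier to audit in its own commit, or at least mentioned in the message, since the title promises only policy-file heading changes.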
@ -74,12 +74,11 @@
<section>
<title>Policy Rate Limiting</title>

<para>The LIMIT:BURST column in the
<filename>/etc/shorewall/policy</filename> file applies to TCP
connections that are subject to the policy. The limiting is applied
BEFORE the connection request is passed through the rules generated by
entries in <filename>/etc/shorewall/rules</filename>. Those connections
in excess of the limit are logged and dropped.</para>
<para>The LIMIT column in the <filename>/etc/shorewall/policy</filename>
file applies to TCP connections that are subject to the policy. The
limiting is applied BEFORE the connection request is passed through the
rules generated by entries in <filename>/etc/shorewall/rules</filename>.
Those connections in excess of the limit are logged and dropped.</para>
</section>

<section>
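Review bot: dropping `:BURST` from the heading name while leaving the rest of the paragraph untouched removes the only hint the reader had about what a LIMIT value looks like; if the column still accepts a rate with an optional burst, say so in this paragraph or point at the policy manpage. Minor style point: `BEFORE` is shouted in both the old and new text; plain `before`, or `<emphasis>before</emphasis>`, is the DocBook way.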
@ -1685,7 +1685,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
<para>You have a policy for traffic from
<replaceable>zone1</replaceable> to
<replaceable>zone2</replaceable> that specifies TCP connection
rate limiting (value in the LIMIT:BURST column). The logged packet
rate limiting (value in the LIMIT column). The logged packet
exceeds that limit and was dropped. Note that these log messages
themselves are severely rate-limited so that a syn-flood won't
generate a secondary DOS because of excessive log message. These
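Review bot: while this sentence is being edited, the unchanged context right below it has nits worth fixing in the same hunk: "excessive log message" should be "messages", "DOS" is conventionally "DoS", and "syn-flood" "SYN flood". The rename itself (LIMIT:BURST to LIMIT) matches the heading changes elsewhere in the commit.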
@ -771,7 +771,7 @@ l2tp ppp+ -
<blockquote>
<para><filename>/etc/shorewall/policy</filename>:</para>

<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT
loc net ACCEPT
loc l2tp ACCEPT # Allows local machines to connect to road warriors
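Review bot: the trailing comment on `loc l2tp ACCEPT # Allows local machines to connect to road warriors` sits exactly where the renamed LOGLEVEL and LIMIT columns are; consider moving it onto its own `#` line above the row so the two empty columns are not misread as holding a value.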
@ -913,7 +913,7 @@ loc eth0:192.168.20.0/24</programlisting>

<para><filename>/etc/shorewall/policy</filename>:</para>

<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW all ACCEPT
loc $FW ACCEPT
net loc NONE
@ -266,13 +266,13 @@ dmz eth2 detect nets=(192.168.1.0/24)</programlisting>
<para>The <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
file included with the three-interface sample has the following policies:
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>In the three-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
that line. <programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW net ACCEPT</programlisting> The above policies will:
<itemizedlist>
<listitem>
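Review bot: the listing introduced by "the line below is included but commented out" shows `$FW net ACCEPT` without a leading `#`, so the prose and the listing disagree; either show the row as `#$FW net ACCEPT` or reword the sentence. Not caused by the rename, but this hunk already rewrites that listing's heading, so it is the natural place to fix it.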
@ -316,8 +316,7 @@ $FW net ACCEPT</programlisting> The above policies will:
url="manpages/shorewall-rules.html"><filename
class="directory">/etc/shorewall/</filename><filename>rules</filename>:</ulink></para>

<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT net $FW tcp 22</programlisting>

<para>So although you have a policy of ignoring all connection attempts
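Review bot: this hunk renames a rules-file heading (`DEST PORT(S)` to `DPORT`) and collapses the two-line header into one, which is outside what the commit title ("policy file column heading names") announces; please widen the message to cover the rules listing so the change is findable later.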
@ -892,7 +892,7 @@ net eth1 detect …</programlisting>

<para><filename>/etc/shorewall/policy</filename>:</para>

<programlisting>#SOURCE DESTINATION POLICY LIMIT:BURST
<programlisting>#SOURCE DESTINATION POLICY LOGLEVEL LIMIT
net net DROP</programlisting>

<para><filename>/etc/shorewall/masq</filename>:</para>
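Review bot: this heading keeps `DESTINATION` while every other policy listing in the commit uses `DEST`; use `DEST` here too unless the long form is deliberate. Adding the LOGLEVEL column that the old heading lacked is a good catch and worth a word in the commit message.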
@ -552,8 +552,7 @@ smc COMC_IF:10.0.0.0/24
<section id="policy">
<title>/etc/shorewall/policy</title>

<para><programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
<para><programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW dmz REJECT $LOG
$FW net REJECT $LOG
?else
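Review bot: the listing continues past `?else` into a second branch that is not in this hunk; please check that the heading in that branch (if it has one) received the same `LOGLEVEL LIMIT` rename. The visible part is consistent: `$LOG` in the `$FW dmz REJECT $LOG` rows sits in the new single-line LOGLEVEL column.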
@ -581,7 +581,7 @@ loc:world bport
<para>A conventional two-zone policy file is appropriate here —
<filename>/etc/shorewall/policy</filename>:</para>

<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
loc net ACCEPT
net all DROP info
all all REJECT info
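Review bot: the context line "A conventional two-zone policy file is appropriate here —" carries a literal em dash in the DocBook source; `&mdash;` or a plain colon would be the safer spelling. The heading rename in this listing is consistent with the rest of the commit.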