Update documentation regarding Hack removal

This commit is contained in:
Tom Eastep 2010-12-14 11:19:17 -08:00
parent 999ef7105b
commit 880a94e42f
4 changed files with 507 additions and 478 deletions

View File

@ -437,8 +437,6 @@ sub find_logactionchain( $ ) {
fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"}; fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
} }
sub process_action1( $$ );
# #
# The functions process_actions1-3() implement the three phases of action processing. # The functions process_actions1-3() implement the three phases of action processing.
# #
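Review bot: Dropping the `sub process_action1( $$ );` forward declaration (the deleted line after the `fatal_error` check) is a code change, yet the commit message describes this as a documentation update; either split this hunk into its own commit or say in the message that the unused prototype is removed. Also confirm that every remaining call to `process_action1` either follows its definition or uses parentheses, since a `$$`-prototyped forward declaration is what lets a bare `process_action1 $x, $y` compile before the definition.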
@ -508,7 +506,10 @@ sub process_actions1() {
while ( read_a_line ) { while ( read_a_line ) {
my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands; my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands;
#
# When passed an action name in the first argument, process_rule_common() only
# deals with the target and the parameter.
#
process_rule_common( $action , process_rule_common( $action ,
$wholetarget , $wholetarget ,
'' , # Current Param '' , # Current Param
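Review bot: The new comment above `process_rule_common( $action ,` says only the target and the parameter are handled, but the line before it still reads `my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands;` and `@rest` is never mentioned. Say in the comment that the remaining columns returned by `split_line1` are intentionally ignored at this phase (or stop collecting them), so the next reader does not take the dropped `@rest` for a bug.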

View File

@ -10,6 +10,8 @@ Changes in Shorewall 4.4.16 Beta 5
5) Allow DNAT and REDIRECT in actions. 5) Allow DNAT and REDIRECT in actions.
6) Remove kludgy restrictions regarding Macros and Actions.
Changes in Shorewall 4.4.16 Beta 4 Changes in Shorewall 4.4.16 Beta 4
1) Only issue get_params() warnings under 'trace' 1) Only issue get_params() warnings under 'trace'
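Review bot: Entry `6) Remove kludgy restrictions regarding Macros and Actions.` is too vague for a release note; state the user-visible change that the documentation hunks in this commit describe, for example "6) Beginning with 4.4.16, any target may be used within an action, and there are no restrictions on the ACTIONs that can be performed in a macro." "Kludgy" says nothing to a user deciding whether the change affects them.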

View File

@ -213,15 +213,24 @@ ACCEPT - - tcp 135,139,445
</listitem> </listitem>
</orderedlist> </orderedlist>
<para><emphasis role="bold">Beginning with Shorewall 4.4.16, the columns <section>
in action.template are the same as those in <ulink <title>Shorewall 4.4.16 and Later.</title>
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
</emphasis>The first non-commentary line in the template must be</para> <para>Beginning with Shorewall 4.4.16, the columns in action.template
are the same as those in shorewall-rules (5). The first non-commentary
line in the template must be</para>
<programlisting>FORMAT 2</programlisting> <programlisting>FORMAT 2</programlisting>
<para>Prior to 4.4.16, columns in the <filename>action.template</filename> <para>When using Shorewall 4.4.16 or later, there are no restrictions
file were as follows:</para> regarding which targets can be used within your action.</para>
</section>
<section>
<title>Shorewall 4.4.15 and Earlier.</title>
<para>Prior to 4.4.16, columns in the
<filename>action.template</filename> file were as follows:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
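Review bot: The rewritten paragraph in the new "Shorewall 4.4.16 and Later." section drops the `<ulink url="manpages/shorewall-rules.html">` that the removed text carried, leaving a bare "shorewall-rules (5)"; keep the link so readers can reach the column definitions. Two smaller points in the same hunk: the two new `<title>` elements end with a period ("Shorewall 4.4.16 and Later.", "Shorewall 4.4.15 and Earlier.") while the matching titles added to the macro document in this commit do not, and neither new `<section>` has an `id` attribute like the sibling `<section id="Logging">`, so they cannot be linked to directly.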
@ -229,15 +238,15 @@ ACCEPT - - tcp 135,139,445
an &lt;<emphasis>action</emphasis>&gt; where an &lt;<emphasis>action</emphasis>&gt; where
&lt;<emphasis>action</emphasis>&gt; is a previously-defined action &lt;<emphasis>action</emphasis>&gt; is a previously-defined action
(that is, it must precede the action being defined in this file in (that is, it must precede the action being defined in this file in
your <filename>/etc/shorewall/actions</filename> file). These actions your <filename>/etc/shorewall/actions</filename> file). These
have the same meaning as they do in the actions have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates <filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a colon action was invoked). The TARGET may optionally be followed by a
(<quote>:</quote>) and a syslog log level (e.g, REJECT:info or colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case) as specified level. You may also specify ULOG (must be in upper case)
a log level. This will log to the ULOG target for routing to a as a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para> url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
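Review bot: While this paragraph is being reflowed, fix "e.g," to "e.g.," in "(e.g, REJECT:info or ACCEPT:debugging)"; the typo is carried over unchanged on both sides of the hunk.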
@ -256,14 +265,14 @@ ACCEPT - - tcp 135,139,445
<para>Alternatively, clients may be specified by interface name. For <para>Alternatively, clients may be specified by interface name. For
example, eth1 specifies a client that communicates with the firewall example, eth1 specifies a client that communicates with the firewall
system through eth1. This may be optionally followed by another colon system through eth1. This may be optionally followed by another
(<quote>:</quote>) and an IP/MAC/subnet address as described above colon (<quote>:</quote>) and an IP/MAC/subnet address as described
(e.g., eth1:192.168.1.5).</para> above (e.g., eth1:192.168.1.5).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>DEST - Location of Server. Same as above with the exception that <para>DEST - Location of Server. Same as above with the exception
MAC addresses are not allowed.</para> that MAC addresses are not allowed.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -273,23 +282,24 @@ ACCEPT - - tcp 135,139,445
</listitem> </listitem>
<listitem> <listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port <para>DEST PORT(S) - Destination Ports. A comma-separated list of
names (from <filename>/etc/services</filename>), port numbers or port Port names (from <filename>/etc/services</filename>), port numbers
ranges; if the protocol is <quote>icmp</quote>, this column is or port ranges; if the protocol is <quote>icmp</quote>, this column
interpreted as the destination icmp-type(s).</para> is interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &lt;<emphasis>low <para>A port range is expressed as &lt;<emphasis>low
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para> port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>This column is ignored if PROTO = <quote>all</quote>, but must <para>This column is ignored if PROTO = <quote>all</quote>, but must
be entered if any of the following fields are supplied. In that case, be entered if any of the following fields are supplied. In that
it is suggested that this field contain <quote>-</quote>.</para> case, it is suggested that this field contain
<quote>-</quote>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any <para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of port source port is acceptable. Specified as a comma-separated list of
names, port numbers or port ranges.</para> port names, port numbers or port ranges.</para>
<para>If you don't want to restrict client ports but need to specify <para>If you don't want to restrict client ports but need to specify
any of the subsequent fields, then place <quote>-</quote> in this any of the subsequent fields, then place <quote>-</quote> in this
@ -305,17 +315,17 @@ ACCEPT - - tcp 135,139,445
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or &lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the <quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded in given, a value of 5 is assumed. There may be no whitespace embedded
the specification.</para> in the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para> <para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem> </listitem>
<listitem> <listitem>
<para>USER/GROUP - For output rules (those with the firewall as their <para>USER/GROUP - For output rules (those with the firewall as
source), you may control connections based on the effective UID and/or their source), you may control connections based on the effective
GID of the process requesting the connection. This column can contain UID and/or GID of the process requesting the connection. This column
any of the following:</para> can contain any of the following:</para>
<simplelist> <simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member> <member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
@ -339,10 +349,11 @@ ACCEPT - - tcp 135,139,445
name</emphasis>&gt;</member> name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user <member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member> name</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note: support <member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
for this form was removed from Netfilter in kernel version support for this form was removed from Netfilter in kernel version
2.6.14).</member> 2.6.14).</member>
</simplelist> </simplelist>
</listitem> </listitem>
@ -357,19 +368,19 @@ ACCEPT - - tcp 135,139,445
<para>Defines a test on the existing packet or connection mark. The <para>Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.</para> rule will match only if the test returns true.</para>
<para>If you dont want to define a test but need to specify anything <para>If you dont want to define a test but need to specify
in the subsequent columns, place a <quote>-</quote> in this anything in the subsequent columns, place a <quote>-</quote> in this
field.<simplelist> field.<simplelist>
<member>! — Inverts the test (not equal)</member> <member>! — Inverts the test (not equal)</member>
<member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet <member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
or connection mark.</member> or connection mark.</member>
<member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied to <member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied
the mark before testing.</member> to the mark before testing.</member>
<member>:C — Designates a connection mark. If omitted, the packet <member>:C — Designates a connection mark. If omitted, the
marks value is tested. This option is only supported by packet marks value is tested. This option is only supported by
Shorewall-perl</member> Shorewall-perl</member>
</simplelist></para> </simplelist></para>
</listitem> </listitem>
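Review bot: Since this paragraph is being reflowed anyway, correct "If you dont want" to "If you don't want", "the packet marks value" to "the packet mark's value", and add the missing space in "—A mask"; all three are carried over unchanged into the new text.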
@ -387,8 +398,8 @@ ACCEPT - - tcp 135,139,445
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
role="bold">Note:</emphasis> If your role="bold">Note:</emphasis> If your
<filename>/etc/shorewall/actions</filename> file doesn't have an <filename>/etc/shorewall/actions</filename> file doesn't have an
indication where to place the comment, put the <quote>#</quote> in column indication where to place the comment, put the <quote>#</quote> in
21.</para> column 21.</para>
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info <para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para> ACCEPT</programlisting></para>
@ -396,12 +407,13 @@ ACCEPT - - tcp 135,139,445
<para>Placing a comment on the line causes the comment to appear in the <para>Placing a comment on the line causes the comment to appear in the
output of the <command>shorewall show actions</command> command.</para> output of the <command>shorewall show actions</command> command.</para>
<para>To use your action, in <filename>/etc/shorewall/rules</filename> you <para>To use your action, in <filename>/etc/shorewall/rules</filename>
might do something like:</para> you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22</programlisting> LogAndAccept loc $FW tcp 22</programlisting>
</section> </section>
</section>
<section id="Logging"> <section id="Logging">
<title>Actions and Logging</title> <title>Actions and Logging</title>
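Review bot: The added `</section>` closes the new "Shorewall 4.4.15 and Earlier." subsection only after the `/etc/shorewall/action.LogAndAccept` example and the "To use your action" rules snippet, so that example now reads as applying only to 4.4.15 and earlier even though nothing in it is version-specific. Consider closing the subsection before the example so it sits in the parent section, or repeating it in the 4.4.16 subsection.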

View File

@ -277,36 +277,45 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para><emphasis role="bold">Beginning with Shorewall 4.4.16, the columns <section>
in macro.template are the same as those in <ulink <title>Shorewall 4.4.16 and Later</title>
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
</emphasis>The first non-commentary line in the template must be</para> <para>Beginning with Shorewall 4.4.16, the columns in macro.template are
the same as those in shorewall-rules (5). The first non-commentary line
in the template must be</para>
<programlisting>FORMAT 2</programlisting> <programlisting>FORMAT 2</programlisting>
<para>There are no restrictions regarding the ACTIONs that can be
performed in a macro.</para>
</section>
<section>
<title>Shorewall 4.4.15 and Earlier</title>
<para>Before 4.4.16, columns in the macro.template file were as <para>Before 4.4.16, columns in the macro.template file were as
follows:</para> follows:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, <para>ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
LOG, QUEUE, PARAM or an action name. Note that a macro may not invoke CONTINUE, LOG, QUEUE, PARAM or an action name. Note that a macro may
another macro.</para> not invoke another macro.</para>
<simplelist> <simplelist>
<member>ACCEPT - allow the connection request</member> <member>ACCEPT - allow the connection request</member>
<member>ACCEPT+ - like ACCEPT but also excludes the connection from <member>ACCEPT+ - like ACCEPT but also excludes the connection
any subsequent DNAT[-] or REDIRECT[-] rules.</member> from any subsequent DNAT[-] or REDIRECT[-] rules.</member>
<member>NONAT - Excludes the connection from any subsequent DNAT[-] <member>NONAT - Excludes the connection from any subsequent
or REDIRECT[-] rules but doesn't generate a rule to accept the DNAT[-] or REDIRECT[-] rules but doesn't generate a rule to accept
traffic.</member> the traffic.</member>
<member>DROP - ignore the request</member> <member>DROP - ignore the request</member>
<member>REJECT - disallow the request and return an icmp unreachable <member>REJECT - disallow the request and return an icmp
or an RST packet.</member> unreachable or an RST packet.</member>
<member>DNAT - Forward the request to another address (and <member>DNAT - Forward the request to another address (and
optionally another port).</member> optionally another port).</member>
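Review bot: The new sentence "There are no restrictions regarding the ACTIONs that can be performed in a macro." sits just above the legacy text in the same hunk that still says "Note that a macro may not invoke another macro." If that restriction still holds in 4.4.16, the new sentence overstates; if it has been lifted, the change log entry should say so. As in the action document, the rewrite also drops the `<ulink url="manpages/shorewall-rules.html">` from the removed paragraph; keep the link, and give the two new `<section>` elements `id` attributes.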
@ -315,8 +324,9 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
the DNAT iptables rule and not the companion ACCEPT rule.</member> the DNAT iptables rule and not the companion ACCEPT rule.</member>
<member>SAME - Similar to DNAT except that the port may not be <member>SAME - Similar to DNAT except that the port may not be
remapped and when multiple server addresses are listed, all requests remapped and when multiple server addresses are listed, all
from a given remote system go to the same server.</member> requests from a given remote system go to the same
server.</member>
<member>SAME- - Advanced users only. Like SAME but only generates <member>SAME- - Advanced users only. Like SAME but only generates
the SAME iptables rule and not the companion ACCEPT rule.</member> the SAME iptables rule and not the companion ACCEPT rule.</member>
@ -336,8 +346,8 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<member>LOG - Simply log the packet and continue.</member> <member>LOG - Simply log the packet and continue.</member>
<member>QUEUE - Queue the packet to a user-space application such as <member>QUEUE - Queue the packet to a user-space application such
ftwall (http://p2pwall.sf.net).</member> as ftwall (http://p2pwall.sf.net).</member>
</simplelist> </simplelist>
<para>The ACTION may optionally be followed by ":" and a syslog log <para>The ACTION may optionally be followed by ":" and a syslog log
@ -353,16 +363,16 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<para>Alternatively, clients may be specified by interface name. For <para>Alternatively, clients may be specified by interface name. For
example, eth1 specifies a client that communicates with the firewall example, eth1 specifies a client that communicates with the firewall
system through eth1. This may be optionally followed by another colon system through eth1. This may be optionally followed by another
(<quote>:</quote>) and an IP/MAC/subnet address as described above colon (<quote>:</quote>) and an IP/MAC/subnet address as described
(e.g. eth1:192.168.1.5).</para> above (e.g. eth1:192.168.1.5).</para>
<para>May also contain 'DEST' as described above.</para> <para>May also contain 'DEST' as described above.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>DEST - Location of Server. Same as above with the exception that <para>DEST - Location of Server. Same as above with the exception
MAC addresses are not allowed.</para> that MAC addresses are not allowed.</para>
<para>Unlike in the SOURCE column, you may specify a range of up to <para>Unlike in the SOURCE column, you may specify a range of up to
256 IP addresses using the syntax &lt;<emphasis>first 256 IP addresses using the syntax &lt;<emphasis>first
@ -378,16 +388,16 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port <para>DEST PORT(S) - Destination Ports. A comma-separated list of
names (from <filename>/etc/services</filename>), port numbers or port Port names (from <filename>/etc/services</filename>), port numbers
ranges; if the protocol is <quote>icmp</quote>, this column is or port ranges; if the protocol is <quote>icmp</quote>, this column
interpreted as the destination icmp-type(s).</para> is interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &lt;<emphasis>low <para>A port range is expressed as &lt;<emphasis>low
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para> port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>This column is ignored if PROTOCOL = all but must be entered if <para>This column is ignored if PROTOCOL = all but must be entered
any of the following fields are supplied. In that case, it is if any of the following fields are supplied. In that case, it is
suggested that this field contain <quote>-</quote>.</para> suggested that this field contain <quote>-</quote>.</para>
<para>If your kernel contains multi-port match support, then only a <para>If your kernel contains multi-port match support, then only a
@ -410,8 +420,8 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<listitem> <listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any <para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of port source port is acceptable. Specified as a comma-separated list of
names, port numbers or port ranges.</para> port names, port numbers or port ranges.</para>
<para>If you don't want to restrict client ports but need to specify <para>If you don't want to restrict client ports but need to specify
an ADDRESS in the next column, then place "-" in this column.</para> an ADDRESS in the next column, then place "-" in this column.</para>
@ -447,19 +457,19 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<para>A comma-separated list of addresses may also be used. This is <para>A comma-separated list of addresses may also be used. This is
most useful with the REDIRECT target where you want to redirect most useful with the REDIRECT target where you want to redirect
traffic destined for particular set of hosts. Finally, if the list of traffic destined for particular set of hosts. Finally, if the list
addresses begins with "!" (exclusion) then the rule will be followed of addresses begins with "!" (exclusion) then the rule will be
only if the original destination address in the connection request followed only if the original destination address in the connection
does not match any of the addresses listed.</para> request does not match any of the addresses listed.</para>
<para>For other actions, this column may be included and may contain <para>For other actions, this column may be included and may contain
one or more addresses (host or network) separated by commas. Address one or more addresses (host or network) separated by commas. Address
ranges are not allowed. When this column is supplied, rules are ranges are not allowed. When this column is supplied, rules are
generated that require that the original destination address matches generated that require that the original destination address matches
one of the listed addresses. This feature is most useful when you want one of the listed addresses. This feature is most useful when you
to generate a filter rule that corresponds to a DNAT- or REDIRECT- want to generate a filter rule that corresponds to a DNAT- or
rule. In this usage, the list of addresses should not begin with REDIRECT- rule. In this usage, the list of addresses should not
"!".</para> begin with "!".</para>
<para>It is also possible to specify a set of addresses then exclude <para>It is also possible to specify a set of addresses then exclude
part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28 part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
@ -482,17 +492,17 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or &lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the <quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded in given, a value of 5 is assumed. There may be no whitespace embedded
the specification.</para> in the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para> <para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem> </listitem>
<listitem> <listitem>
<para>USER/GROUP - For output rules (those with the firewall as their <para>USER/GROUP - For output rules (those with the firewall as
source), you may control connections based on the effective UID and/or their source), you may control connections based on the effective
GID of the process requesting the connection. This column can contain UID and/or GID of the process requesting the connection. This column
any of the following:</para> can contain any of the following:</para>
<simplelist> <simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member> <member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
@ -516,19 +526,20 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
name</emphasis>&gt;</member> name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user <member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member> name</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note: support <member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
for this form was removed from Netfilter in kernel version support for this form was removed from Netfilter in kernel version
2.6.14).</member> 2.6.14).</member>
</simplelist> </simplelist>
</listitem> </listitem>
<listitem> <listitem>
<para>MARK - (Added in Shorewall-4.4.2) Defines a test on the existing <para>MARK - (Added in Shorewall-4.4.2) Defines a test on the
packet or connection mark. The rule will match only if the test existing packet or connection mark. The rule will match only if the
returns true. Must be empty or '-' if the macro is to be used within test returns true. Must be empty or '-' if the macro is to be used
an action.</para> within an action.</para>
<programlisting> [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting> <programlisting> [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting>
@ -574,13 +585,13 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<programlisting> [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting> <programlisting> [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting>
<para>May be used to limit the number of simultaneous connections from <para>May be used to limit the number of simultaneous connections
each individual host to limit connections. Requires connlimit match in from each individual host to limit connections. Requires connlimit
your kernel and iptables. While the limit is only checked on rules match in your kernel and iptables. While the limit is only checked
specifying CONNLIMIT, the number of current connections is calculated on rules specifying CONNLIMIT, the number of current connections is
over all current connections from the SOURCE host. By default, the calculated over all current connections from the SOURCE host. By
<replaceable>limit</replaceable> is applied to each host but can be default, the <replaceable>limit</replaceable> is applied to each
made to apply to networks of hosts by specifying a host but can be made to apply to networks of hosts by specifying a
<replaceable>mask</replaceable>. The mask specifies the width of a <replaceable>mask</replaceable>. The mask specifies the width of a
VLSM mask to be applied to the source address; the number of current VLSM mask to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet connections is then taken over all hosts in the subnet
@ -626,7 +637,8 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<term>localtz</term> <term>localtz</term>
<listitem> <listitem>
<para>Times are expressed in Local Civil Time (default).</para> <para>Times are expressed in Local Civil Time
(default).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -670,19 +682,21 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Omitted column entries should be entered using a dash ("-:).</para> <para>Omitted column entries should be entered using a dash
("-:).</para>
<para>Example:</para> <para>Example:</para>
<para><phrase><filename>/etc/shorewall/macro.LogAndAccept</filename></phrase><programlisting> LOG:info <para><phrase><filename>/etc/shorewall/macro.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para> ACCEPT</programlisting></para>
<para>To use your macro, in <filename>/etc/shorewall/rules</filename> you <para>To use your macro, in <filename>/etc/shorewall/rules</filename>
might do something like:</para> you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22</programlisting> LogAndAccept loc $FW tcp 22</programlisting>
</section> </section>
</section>
<section id="Logging"> <section id="Logging">
<title>Macros and Logging</title> <title>Macros and Logging</title>
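Review bot: The reflowed sentence "Omitted column entries should be entered using a dash ("-:)." keeps the typo `("-:)` from the original; it should read `("-")`. This hunk also adds the closing `</section>` for the new "Shorewall 4.4.15 and Earlier" subsection after the `/etc/shorewall/macro.LogAndAccept` example and the rules snippet, so the same question as in the action document applies: the example now lives only in the pre-4.4.16 subsection although it is not version-specific.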