Update documentation regarding Hack removal

Tom Eastep 2010-12-14 11:19:17 -08:00
parent 999ef7105b
commit 880a94e42f
4 changed files with 507 additions and 478 deletions

View File

@ -437,8 +437,6 @@ sub find_logactionchain( $ ) {
fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"}; fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
} }
sub process_action1( $$ );
# #
# The functions process_actions1-3() implement the three phases of action processing. # The functions process_actions1-3() implement the three phases of action processing.
# #
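Review bot: the forward declaration `sub process_action1( $$ );` is dropped here, but the hunk does not show whether `process_action1` is still defined and called elsewhere in this file. If it is still called before its definition, removing the declaration silently disables the `( $$ )` prototype check at those call sites (Perl only enforces a prototype for calls that follow the declaration), so either confirm the sub is gone entirely or that every remaining call comes after its definition. The header also reports 8 lines shrinking to 6, so a second line (presumably the blank after the declaration) is removed that does not appear distinctly in this rendering; worth a glance that nothing else was taken out by accident.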
@ -508,7 +506,10 @@ sub process_actions1() {
while ( read_a_line ) { while ( read_a_line ) {
my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands; my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands;
#
# When passed an action name in the first argument, process_rule_common() only
# deals with the target and the parameter.
#
process_rule_common( $action , process_rule_common( $action ,
$wholetarget , $wholetarget ,
'' , # Current Param '' , # Current Param
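Review bot: the added comment states the callee's contract ("process_rule_common() only deals with the target and the parameter") at the call site, but the line above it still reads all 13 columns into `@rest` via `split_line1 1, 13, 'action file'`, and the hunk ends before showing what happens to `@rest`. If the remaining columns are neither passed on nor validated, a stray value in an action file's other columns would be silently ignored rather than rejected; either say so in the comment ("the remaining columns are validated/ignored because ...") or put this note on `process_rule_common()` itself, where someone changing that function will see it.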

View File

@ -10,6 +10,8 @@ Changes in Shorewall 4.4.16 Beta 5
5) Allow DNAT and REDIRECT in actions. 5) Allow DNAT and REDIRECT in actions.
6) Remove kludgy restrictions regarding Macros and Actions.
Changes in Shorewall 4.4.16 Beta 4 Changes in Shorewall 4.4.16 Beta 4
1) Only issue get_params() warnings under 'trace' 1) Only issue get_params() warnings under 'trace'
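Review bot: the new entry "6) Remove kludgy restrictions regarding Macros and Actions." is too vague for a changelog that an administrator will read to decide whether an upgrade changes rule semantics. Name the restriction being lifted, which the documentation hunks in this same commit describe as the limit on which targets/ACTIONs may be used inside an action or macro, e.g. "6) Remove the restrictions on which targets may be used in Macros and Actions (see the Actions and Macros articles)", and keep the wording consistent with item 5 above it.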

View File

@ -213,194 +213,206 @@ ACCEPT - - tcp 135,139,445
</listitem> </listitem>
</orderedlist> </orderedlist>
<para><emphasis role="bold">Beginning with Shorewall 4.4.16, the columns <section>
in action.template are the same as those in <ulink <title>Shorewall 4.4.16 and Later.</title>
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
</emphasis>The first non-commentary line in the template must be</para>
<programlisting>FORMAT 2</programlisting> <para>Beginning with Shorewall 4.4.16, the columns in action.template
are the same as those in shorewall-rules (5). The first non-commentary
line in the template must be</para>
<para>Prior to 4.4.16, columns in the <filename>action.template</filename> <programlisting>FORMAT 2</programlisting>
file were as follows:</para>
<itemizedlist> <para>When using Shorewall 4.4.16 or later, there are no restrictions
<listitem> regarding which targets can be used within your action.</para>
<para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or </section>
an &lt;<emphasis>action</emphasis>&gt; where
&lt;<emphasis>action</emphasis>&gt; is a previously-defined action
(that is, it must precede the action being defined in this file in
your <filename>/etc/shorewall/actions</filename> file). These actions
have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a colon
(<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case) as
a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>You may also use a <ulink url="Macros.html">macro</ulink> in <section>
your action provided that the macro's expansion only results in the <title>Shorewall 4.4.15 and Earlier.</title>
ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
<filename>/usr/share/shorewall/action.Drop</filename> for an example
of an action that users macros extensively.</para>
</listitem>
<listitem> <para>Prior to 4.4.16, columns in the
<para>SOURCE - Source hosts to which the rule applies. A <filename>action.template</filename> file were as follows:</para>
comma-separated list of subnets and/or hosts. Hosts may be specified
by IP or MAC address; MAC addresses must begin with <quote>~</quote>
and must use <quote>-</quote> as a separator.</para>
<para>Alternatively, clients may be specified by interface name. For <itemizedlist>
example, eth1 specifies a client that communicates with the firewall <listitem>
system through eth1. This may be optionally followed by another colon <para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
(<quote>:</quote>) and an IP/MAC/subnet address as described above an &lt;<emphasis>action</emphasis>&gt; where
(e.g., eth1:192.168.1.5).</para> &lt;<emphasis>action</emphasis>&gt; is a previously-defined action
</listitem> (that is, it must precede the action being defined in this file in
your <filename>/etc/shorewall/actions</filename> file). These
actions have the same meaning as they do in the
<filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
processing of the current action and returns to the point where that
action was invoked). The TARGET may optionally be followed by a
colon (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
ACCEPT:debugging). This causes the packet to be logged at the
specified level. You may also specify ULOG (must be in upper case)
as a log level. This will log to the ULOG target for routing to a
separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<listitem> <para>You may also use a <ulink url="Macros.html">macro</ulink> in
<para>DEST - Location of Server. Same as above with the exception that your action provided that the macro's expansion only results in the
MAC addresses are not allowed.</para> ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
</listitem> <filename>/usr/share/shorewall/action.Drop</filename> for an example
of an action that users macros extensively.</para>
</listitem>
<listitem> <listitem>
<para>PROTO - Protocol - Must be <quote>tcp</quote>, <para>SOURCE - Source hosts to which the rule applies. A
<quote>udp</quote>, <quote>icmp</quote>, a protocol number, or comma-separated list of subnets and/or hosts. Hosts may be specified
<quote>all</quote>.</para> by IP or MAC address; MAC addresses must begin with <quote>~</quote>
</listitem> and must use <quote>-</quote> as a separator.</para>
<listitem> <para>Alternatively, clients may be specified by interface name. For
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port example, eth1 specifies a client that communicates with the firewall
names (from <filename>/etc/services</filename>), port numbers or port system through eth1. This may be optionally followed by another
ranges; if the protocol is <quote>icmp</quote>, this column is colon (<quote>:</quote>) and an IP/MAC/subnet address as described
interpreted as the destination icmp-type(s).</para> above (e.g., eth1:192.168.1.5).</para>
</listitem>
<para>A port range is expressed as &lt;<emphasis>low <listitem>
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para> <para>DEST - Location of Server. Same as above with the exception
that MAC addresses are not allowed.</para>
</listitem>
<para>This column is ignored if PROTO = <quote>all</quote>, but must <listitem>
be entered if any of the following fields are supplied. In that case, <para>PROTO - Protocol - Must be <quote>tcp</quote>,
it is suggested that this field contain <quote>-</quote>.</para> <quote>udp</quote>, <quote>icmp</quote>, a protocol number, or
</listitem> <quote>all</quote>.</para>
</listitem>
<listitem> <listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any <para>DEST PORT(S) - Destination Ports. A comma-separated list of
source port is acceptable. Specified as a comma-separated list of port Port names (from <filename>/etc/services</filename>), port numbers
names, port numbers or port ranges.</para> or port ranges; if the protocol is <quote>icmp</quote>, this column
is interpreted as the destination icmp-type(s).</para>
<para>If you don't want to restrict client ports but need to specify <para>A port range is expressed as &lt;<emphasis>low
any of the subsequent fields, then place <quote>-</quote> in this port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
column.</para>
</listitem>
<listitem> <para>This column is ignored if PROTO = <quote>all</quote>, but must
<para>RATE LIMIT - You may rate-limit the rule by placing a value in be entered if any of the following fields are supplied. In that
this column:</para> case, it is suggested that this field contain
<quote>-</quote>.</para>
</listitem>
<para><programlisting> &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where <listitem>
&lt;<emphasis>rate</emphasis>&gt; is the number of connections per <para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or source port is acceptable. Specified as a comma-separated list of
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the port names, port numbers or port ranges.</para>
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded in
the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para> <para>If you don't want to restrict client ports but need to specify
</listitem> any of the subsequent fields, then place <quote>-</quote> in this
column.</para>
</listitem>
<listitem> <listitem>
<para>USER/GROUP - For output rules (those with the firewall as their <para>RATE LIMIT - You may rate-limit the rule by placing a value in
source), you may control connections based on the effective UID and/or this column:</para>
GID of the process requesting the connection. This column can contain
any of the following:</para>
<simplelist> <para><programlisting> &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member> &lt;<emphasis>rate</emphasis>&gt; is the number of connections per
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded
in the specification.</para>
<member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member> <para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem>
<member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member> <listitem>
<para>USER/GROUP - For output rules (those with the firewall as
their source), you may control connections based on the effective
UID and/or GID of the process requesting the connection. This column
can contain any of the following:</para>
<member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member> <simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
<member>[!]&lt;<emphasis>user <member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
number</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user <member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
name</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user <member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
inumber</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user <member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member> number</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note: support <member>[!]&lt;<emphasis>user
for this form was removed from Netfilter in kernel version name</emphasis>&gt;:&lt;<emphasis>group
2.6.14).</member> number</emphasis>&gt;</member>
</simplelist>
</listitem>
<listitem> <member>[!]&lt;<emphasis>user
<para>MARK</para> inumber</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<para><simplelist> <member>[!]&lt;<emphasis>user
<member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member> name</emphasis>&gt;:&lt;<emphasis>group
</simplelist></para> name</emphasis>&gt;</member>
<para>Defines a test on the existing packet or connection mark. The <member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
rule will match only if the test returns true.</para> support for this form was removed from Netfilter in kernel version
2.6.14).</member>
</simplelist>
</listitem>
<para>If you dont want to define a test but need to specify anything <listitem>
in the subsequent columns, place a <quote>-</quote> in this <para>MARK</para>
field.<simplelist>
<member>! — Inverts the test (not equal)</member>
<member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet <para><simplelist>
or connection mark.</member> <member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member>
</simplelist></para>
<member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied to <para>Defines a test on the existing packet or connection mark. The
the mark before testing.</member> rule will match only if the test returns true.</para>
<member>:C — Designates a connection mark. If omitted, the packet <para>If you dont want to define a test but need to specify
marks value is tested. This option is only supported by anything in the subsequent columns, place a <quote>-</quote> in this
Shorewall-perl</member> field.<simplelist>
</simplelist></para> <member>! — Inverts the test (not equal)</member>
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash <member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
(<quote>-</quote>).</para> or connection mark.</member>
<para>Example:</para> <member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied
to the mark before testing.</member>
<para><filename>/etc/shorewall/actions</filename>:</para> <member>:C — Designates a connection mark. If omitted, the
packet marks value is tested. This option is only supported by
Shorewall-perl</member>
</simplelist></para>
</listitem>
</itemizedlist>
<para><programlisting> #ACTION COMMENT (place '# ' below the 'C' in comment followed by <para>Omitted column entries should be entered using a dash
(<quote>-</quote>).</para>
<para>Example:</para>
<para><filename>/etc/shorewall/actions</filename>:</para>
<para><programlisting> #ACTION COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action) # v a comment describing the action)
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
role="bold">Note:</emphasis> If your role="bold">Note:</emphasis> If your
<filename>/etc/shorewall/actions</filename> file doesn't have an <filename>/etc/shorewall/actions</filename> file doesn't have an
indication where to place the comment, put the <quote>#</quote> in column indication where to place the comment, put the <quote>#</quote> in
21.</para> column 21.</para>
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info <para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para> ACCEPT</programlisting></para>
<para>Placing a comment on the line causes the comment to appear in the <para>Placing a comment on the line causes the comment to appear in the
output of the <command>shorewall show actions</command> command.</para> output of the <command>shorewall show actions</command> command.</para>
<para>To use your action, in <filename>/etc/shorewall/rules</filename> you <para>To use your action, in <filename>/etc/shorewall/rules</filename>
might do something like:</para> you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22</programlisting> LogAndAccept loc $FW tcp 22</programlisting>
</section>
</section> </section>
<section id="Logging"> <section id="Logging">
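Review bot: the new section title "Shorewall 4.4.16 and Later." carries a trailing period, while the sibling title "Shorewall 4.4.15 and Earlier." does the same and the matching section added to the Macros article in this commit has none; drop the periods so the two articles agree. The rewritten opening paragraph also loses the `<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)` link that the replaced paragraph had, leaving a bare "shorewall-rules (5)"; keep the link, since that manpage is now the authoritative column description for action.template. Two smaller nits in lines this hunk re-indents anyway: "an action that users macros extensively" should read "uses macros", and "If you dont want to define a test" needs the apostrophe.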

View File

@ -277,411 +277,425 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para><emphasis role="bold">Beginning with Shorewall 4.4.16, the columns <section>
in macro.template are the same as those in <ulink <title>Shorewall 4.4.16 and Later</title>
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
</emphasis>The first non-commentary line in the template must be</para>
<programlisting>FORMAT 2</programlisting> <para>Beginning with Shorewall 4.4.16, the columns in macro.template are
the same as those in shorewall-rules (5). The first non-commentary line
in the template must be</para>
<para>Before 4.4.16, columns in the macro.template file were as <programlisting>FORMAT 2</programlisting>
follows:</para>
<itemizedlist> <para>There are no restrictions regarding the ACTIONs that can be
<listitem> performed in a macro.</para>
<para>ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, </section>
LOG, QUEUE, PARAM or an action name. Note that a macro may not invoke
another macro.</para>
<simplelist> <section>
<member>ACCEPT - allow the connection request</member> <title>Shorewall 4.4.15 and Earlier</title>
<member>ACCEPT+ - like ACCEPT but also excludes the connection from <para>Before 4.4.16, columns in the macro.template file were as
any subsequent DNAT[-] or REDIRECT[-] rules.</member> follows:</para>
<member>NONAT - Excludes the connection from any subsequent DNAT[-] <itemizedlist>
or REDIRECT[-] rules but doesn't generate a rule to accept the <listitem>
traffic.</member> <para>ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
CONTINUE, LOG, QUEUE, PARAM or an action name. Note that a macro may
not invoke another macro.</para>
<member>DROP - ignore the request</member> <simplelist>
<member>ACCEPT - allow the connection request</member>
<member>REJECT - disallow the request and return an icmp unreachable <member>ACCEPT+ - like ACCEPT but also excludes the connection
or an RST packet.</member> from any subsequent DNAT[-] or REDIRECT[-] rules.</member>
<member>DNAT - Forward the request to another address (and <member>NONAT - Excludes the connection from any subsequent
optionally another port).</member> DNAT[-] or REDIRECT[-] rules but doesn't generate a rule to accept
the traffic.</member>
<member>DNAT- - Advanced users only. Like DNAT but only generates <member>DROP - ignore the request</member>
the DNAT iptables rule and not the companion ACCEPT rule.</member>
<member>SAME - Similar to DNAT except that the port may not be <member>REJECT - disallow the request and return an icmp
remapped and when multiple server addresses are listed, all requests unreachable or an RST packet.</member>
from a given remote system go to the same server.</member>
<member>SAME- - Advanced users only. Like SAME but only generates <member>DNAT - Forward the request to another address (and
the SAME iptables rule and not the companion ACCEPT rule.</member> optionally another port).</member>
<member>REDIRECT - Redirect the request to a local port on the <member>DNAT- - Advanced users only. Like DNAT but only generates
firewall.</member> the DNAT iptables rule and not the companion ACCEPT rule.</member>
<member>REDIRECT- - Advanced users only. Like REDIRECT but only <member>SAME - Similar to DNAT except that the port may not be
generates the REDIRECT iptables rule and not the companion ACCEPT remapped and when multiple server addresses are listed, all
rule.</member> requests from a given remote system go to the same
server.</member>
<member>CONTINUE - (For experts only). Do not process any of the <member>SAME- - Advanced users only. Like SAME but only generates
following rules for this (source zone,destination zone). If The the SAME iptables rule and not the companion ACCEPT rule.</member>
source and/or destination If the address falls into a zone defined
later in /etc/shorewall/zones, this connection request will be
passed to the rules defined for that (those) zone(s).</member>
<member>LOG - Simply log the packet and continue.</member> <member>REDIRECT - Redirect the request to a local port on the
firewall.</member>
<member>QUEUE - Queue the packet to a user-space application such as <member>REDIRECT- - Advanced users only. Like REDIRECT but only
ftwall (http://p2pwall.sf.net).</member> generates the REDIRECT iptables rule and not the companion ACCEPT
</simplelist> rule.</member>
<para>The ACTION may optionally be followed by ":" and a syslog log <member>CONTINUE - (For experts only). Do not process any of the
level (e.g, REJECT:info or DNAT:debug). This causes the packet to be following rules for this (source zone,destination zone). If The
logged at the specified level.</para> source and/or destination If the address falls into a zone defined
</listitem> later in /etc/shorewall/zones, this connection request will be
passed to the rules defined for that (those) zone(s).</member>
<listitem> <member>LOG - Simply log the packet and continue.</member>
<para>SOURCE - Source hosts to which the rule applies. A
comma-separated list of subnets and/or hosts. Hosts may be specified
by IP or MAC address; mac addresses must begin with <quote>~</quote>
and must use <quote>-</quote> as a separator.</para>
<para>Alternatively, clients may be specified by interface name. For <member>QUEUE - Queue the packet to a user-space application such
example, eth1 specifies a client that communicates with the firewall as ftwall (http://p2pwall.sf.net).</member>
system through eth1. This may be optionally followed by another colon </simplelist>
(<quote>:</quote>) and an IP/MAC/subnet address as described above
(e.g. eth1:192.168.1.5).</para>
<para>May also contain 'DEST' as described above.</para> <para>The ACTION may optionally be followed by ":" and a syslog log
</listitem> level (e.g, REJECT:info or DNAT:debug). This causes the packet to be
logged at the specified level.</para>
</listitem>
<listitem> <listitem>
<para>DEST - Location of Server. Same as above with the exception that <para>SOURCE - Source hosts to which the rule applies. A
MAC addresses are not allowed.</para> comma-separated list of subnets and/or hosts. Hosts may be specified
by IP or MAC address; mac addresses must begin with <quote>~</quote>
and must use <quote>-</quote> as a separator.</para>
<para>Unlike in the SOURCE column, you may specify a range of up to <para>Alternatively, clients may be specified by interface name. For
256 IP addresses using the syntax &lt;<emphasis>first example, eth1 specifies a client that communicates with the firewall
ip</emphasis>&gt;-&lt;<emphasis>last ip</emphasis>&gt;.</para> system through eth1. This may be optionally followed by another
colon (<quote>:</quote>) and an IP/MAC/subnet address as described
above (e.g. eth1:192.168.1.5).</para>
<para>May also contain 'SOURCE' as described above.</para> <para>May also contain 'DEST' as described above.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>PROTO - Protocol - Must be <quote>tcp</quote>, <para>DEST - Location of Server. Same as above with the exception
<quote>udp</quote>, <quote>icmp</quote>, a number, or that MAC addresses are not allowed.</para>
<quote>all</quote>.</para>
</listitem>
<listitem> <para>Unlike in the SOURCE column, you may specify a range of up to
<para>DEST PORT(S) - Destination Ports. A comma-separated list of Port 256 IP addresses using the syntax &lt;<emphasis>first
names (from <filename>/etc/services</filename>), port numbers or port ip</emphasis>&gt;-&lt;<emphasis>last ip</emphasis>&gt;.</para>
ranges; if the protocol is <quote>icmp</quote>, this column is
interpreted as the destination icmp-type(s).</para>
<para>A port range is expressed as &lt;<emphasis>low <para>May also contain 'SOURCE' as described above.</para>
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para> </listitem>
<para>This column is ignored if PROTOCOL = all but must be entered if <listitem>
any of the following fields are supplied. In that case, it is <para>PROTO - Protocol - Must be <quote>tcp</quote>,
suggested that this field contain <quote>-</quote>.</para> <quote>udp</quote>, <quote>icmp</quote>, a number, or
<quote>all</quote>.</para>
</listitem>
<para>If your kernel contains multi-port match support, then only a <listitem>
single Netfilter rule will be generated if in this list and in the <para>DEST PORT(S) - Destination Ports. A comma-separated list of
CLIENT PORT(S) list below:</para> Port names (from <filename>/etc/services</filename>), port numbers
or port ranges; if the protocol is <quote>icmp</quote>, this column
is interpreted as the destination icmp-type(s).</para>
<orderedlist> <para>A port range is expressed as &lt;<emphasis>low
<listitem> port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>There are 15 or less ports listed.</para>
</listitem>
<listitem> <para>This column is ignored if PROTOCOL = all but must be entered
<para>No port ranges are included.</para> if any of the following fields are supplied. In that case, it is
</listitem> suggested that this field contain <quote>-</quote>.</para>
</orderedlist>
<para>Otherwise, a separate rule will be generated for each <para>If your kernel contains multi-port match support, then only a
port.</para> single Netfilter rule will be generated if in this list and in the
</listitem> CLIENT PORT(S) list below:</para>
<listitem> <orderedlist>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any <listitem>
source port is acceptable. Specified as a comma-separated list of port <para>There are 15 or less ports listed.</para>
names, port numbers or port ranges.</para> </listitem>
<para>If you don't want to restrict client ports but need to specify
an ADDRESS in the next column, then place "-" in this column.</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the
DEST PORT(S) list above:</para>
<orderedlist>
<listitem>
<para>There are 15 or less ports listed.</para>
</listitem>
<listitem>
<para>No port ranges are included.</para>
</listitem>
</orderedlist>
<para>Otherwise, a separate rule will be generated for each
port.</para>
</listitem>
<listitem>
<para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
<para>To use this column, you must include 'FORMAT 2' as the first
non-comment line in your macro file.</para>
<para>If ACTION is DNAT[-] or REDIRECT[-] then if this column is
included and is different from the IP address given in the DEST
column, then connections destined for that address will be forwarded
to the IP and port specified in the DEST column.</para>
<para>A comma-separated list of addresses may also be used. This is
most useful with the REDIRECT target where you want to redirect
traffic destined for particular set of hosts. Finally, if the list of
addresses begins with "!" (exclusion) then the rule will be followed
only if the original destination address in the connection request
does not match any of the addresses listed.</para>
<para>For other actions, this column may be included and may contain
one or more addresses (host or network) separated by commas. Address
ranges are not allowed. When this column is supplied, rules are
generated that require that the original destination address matches
one of the listed addresses. This feature is most useful when you want
to generate a filter rule that corresponds to a DNAT- or REDIRECT-
rule. In this usage, the list of addresses should not begin with
"!".</para>
<para>It is also possible to specify a set of addresses then exclude
part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
specifies the addresses 192.168.1.0-182.168.1.15 and
192.168.1.32-192.168.1.255. See <ulink
url="manpages/shorewall_exclusion.html">shorewall-exclusion</ulink>(5).</para>
<para>See <ulink
url="http://shorewall.net/PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
for an example of using an entry in this column with a user-defined
action rule.</para>
</listitem>
<listitem>
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
<para><programlisting> &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
&lt;<emphasis>rate</emphasis>&gt; is the number of connections per
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded in
the specification.</para>
<para><programlisting> Example: 10/sec:20</programlisting></para>
</listitem>
<listitem>
<para>USER/GROUP - For output rules (those with the firewall as their
source), you may control connections based on the effective UID and/or
GID of the process requesting the connection. This column can contain
any of the following:</para>
<simplelist>
<member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
<member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
<member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
<member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
number</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
inumber</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<member>[!]&lt;<emphasis>user
name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member>
<member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note: support
for this form was removed from Netfilter in kernel version
2.6.14).</member>
</simplelist>
</listitem>
<listitem>
<para>MARK - (Added in Shorewall-4.4.2) Defines a test on the existing
packet or connection mark. The rule will match only if the test
returns true. Must be empty or '-' if the macro is to be used within
an action.</para>
<programlisting> [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting>
<variablelist>
<varlistentry>
<term>!</term>
<listitem> <listitem>
<para>Inverts the test (not equal)</para> <para>No port ranges are included.</para>
</listitem> </listitem>
</varlistentry> </orderedlist>
<varlistentry> <para>Otherwise, a separate rule will be generated for each
<term><replaceable>value</replaceable></term> port.</para>
</listitem>
<listitem>
<para>SOURCE PORT(S) - Port(s) used by the client. If omitted, any
source port is acceptable. Specified as a comma-separated list of
port names, port numbers or port ranges.</para>
<para>If you don't want to restrict client ports but need to specify
an ADDRESS in the next column, then place "-" in this column.</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the
DEST PORT(S) list above:</para>
<orderedlist>
<listitem>
<para>There are 15 or less ports listed.</para>
</listitem>
<listitem> <listitem>
<para>Value of the packet or connection mark.</para> <para>No port ranges are included.</para>
</listitem> </listitem>
</varlistentry> </orderedlist>
<varlistentry> <para>Otherwise, a separate rule will be generated for each
<term><replaceable>mask</replaceable></term> port.</para>
</listitem>
<listitem> <listitem>
<para>A mask to be applied to the mark before testing.</para> <para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
</listitem>
</varlistentry>
<varlistentry> <para>To use this column, you must include 'FORMAT 2' as the first
<term>:C</term> non-comment line in your macro file.</para>
<listitem> <para>If ACTION is DNAT[-] or REDIRECT[-] then if this column is
<para>Designates a connection mark. If omitted, the # packet included and is different from the IP address given in the DEST
mark's value is tested.</para> column, then connections destined for that address will be forwarded
</listitem> to the IP and port specified in the DEST column.</para>
</varlistentry>
</variablelist>
</listitem>
<listitem> <para>A comma-separated list of addresses may also be used. This is
<para>CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if most useful with the REDIRECT target where you want to redirect
the macro is to be used within an action.</para> traffic destined for particular set of hosts. Finally, if the list
of addresses begins with "!" (exclusion) then the rule will be
followed only if the original destination address in the connection
request does not match any of the addresses listed.</para>
<programlisting> [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting> <para>For other actions, this column may be included and may contain
one or more addresses (host or network) separated by commas. Address
ranges are not allowed. When this column is supplied, rules are
generated that require that the original destination address matches
one of the listed addresses. This feature is most useful when you
want to generate a filter rule that corresponds to a DNAT- or
REDIRECT- rule. In this usage, the list of addresses should not
begin with "!".</para>
<para>May be used to limit the number of simultaneous connections from <para>It is also possible to specify a set of addresses then exclude
each individual host to limit connections. Requires connlimit match in part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
your kernel and iptables. While the limit is only checked on rules specifies the addresses 192.168.1.0-182.168.1.15 and
specifying CONNLIMIT, the number of current connections is calculated 192.168.1.32-192.168.1.255. See <ulink
over all current connections from the SOURCE host. By default, the url="manpages/shorewall_exclusion.html">shorewall-exclusion</ulink>(5).</para>
<replaceable>limit</replaceable> is applied to each host but can be
made to apply to networks of hosts by specifying a
<replaceable>mask</replaceable>. The mask specifies the width of a
VLSM mask to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
When ! is specified, the rule matches when the number of connection
exceeds the limit.</para>
</listitem>
<listitem> <para>See <ulink
<para>TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the url="http://shorewall.net/PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
macro is to be used within an action.</para> for an example of using an entry in this column with a user-defined
action rule.</para>
</listitem>
<programlisting> &lt;timeelement&gt;[&amp;...]</programlisting> <listitem>
<para>RATE LIMIT - You may rate-limit the rule by placing a value in
this column:</para>
<para><replaceable>timeelement</replaceable> may be:</para> <para><programlisting> &lt;<emphasis>rate</emphasis>&gt;/&lt;<emphasis>interval</emphasis>&gt;[:&lt;<emphasis>burst</emphasis>&gt;]</programlisting>where
&lt;<emphasis>rate</emphasis>&gt; is the number of connections per
&lt;<emphasis>interval</emphasis>&gt; (<quote>sec</quote> or
<quote>min</quote>) and &lt;<emphasis>burst</emphasis>&gt; is the
largest burst permitted. If no &lt;<emphasis>burst</emphasis>&gt; is
given, a value of 5 is assumed. There may be no whitespace embedded
in the specification.</para>
<variablelist> <para><programlisting> Example: 10/sec:20</programlisting></para>
<varlistentry> </listitem>
<term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem> <listitem>
<para>Defines the starting time of day.</para> <para>USER/GROUP - For output rules (those with the firewall as
</listitem> their source), you may control connections based on the effective
</varlistentry> UID and/or GID of the process requesting the connection. This column
can contain any of the following:</para>
<varlistentry> <simplelist>
<term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term> <member>[!]&lt;<emphasis>user number</emphasis>&gt;[:]</member>
<listitem> <member>[!]&lt;<emphasis>user name</emphasis>&gt;[:]</member>
<para>Defines the ending time of day.</para>
</listitem>
</varlistentry>
<varlistentry> <member>[!]:&lt;<emphasis>group number</emphasis>&gt;</member>
<term>utc</term>
<listitem> <member>[!]:&lt;<emphasis>group name</emphasis>&gt;</member>
<para>Times are expressed in Greenwich Mean Time.</para>
</listitem>
</varlistentry>
<varlistentry> <member>[!]&lt;<emphasis>user
<term>localtz</term> number</emphasis>&gt;:&lt;<emphasis>group
number</emphasis>&gt;</member>
<listitem> <member>[!]&lt;<emphasis>user
<para>Times are expressed in Local Civil Time (default).</para> name</emphasis>&gt;:&lt;<emphasis>group
</listitem> number</emphasis>&gt;</member>
</varlistentry>
<varlistentry> <member>[!]&lt;<emphasis>user
<term>weekdays=ddd[,ddd]...</term> inumber</emphasis>&gt;:&lt;<emphasis>group
name</emphasis>&gt;</member>
<listitem> <member>[!]&lt;<emphasis>user
<para>where <replaceable>ddd</replaceable> is one of name</emphasis>&gt;:&lt;<emphasis>group
<option>Mon</option>, <option>Tue</option>, name</emphasis>&gt;</member>
<option>Wed</option>, <option>Thu</option>,
<option>Fri</option>, <option>Sat</option> or
<option>Sun</option></para>
</listitem>
</varlistentry>
<varlistentry> <member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note:
<term>monthdays=dd[,dd],...</term> support for this form was removed from Netfilter in kernel version
2.6.14).</member>
</simplelist>
</listitem>
<listitem> <listitem>
<para>where <replaceable>dd</replaceable> is an ordinal day of <para>MARK - (Added in Shorewall-4.4.2) Defines a test on the
the month</para> existing packet or connection mark. The rule will match only if the
</listitem> test returns true. Must be empty or '-' if the macro is to be used
</varlistentry> within an action.</para>
<varlistentry> <programlisting> [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting>
<term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem> <variablelist>
<para>Defines the starting date and time.</para> <varlistentry>
</listitem> <term>!</term>
</varlistentry>
<varlistentry> <listitem>
<term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term> <para>Inverts the test (not equal)</para>
</listitem>
</varlistentry>
<listitem> <varlistentry>
<para>Defines the ending date and time.</para> <term><replaceable>value</replaceable></term>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash ("-:).</para> <listitem>
<para>Value of the packet or connection mark.</para>
</listitem>
</varlistentry>
<para>Example:</para> <varlistentry>
<term><replaceable>mask</replaceable></term>
<para><phrase><filename>/etc/shorewall/macro.LogAndAccept</filename></phrase><programlisting> LOG:info <listitem>
<para>A mask to be applied to the mark before testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>:C</term>
<listitem>
<para>Designates a connection mark. If omitted, the # packet
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
<listitem>
<para>CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if
the macro is to be used within an action.</para>
<programlisting> [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting>
<para>May be used to limit the number of simultaneous connections
from each individual host to limit connections. Requires connlimit
match in your kernel and iptables. While the limit is only checked
on rules specifying CONNLIMIT, the number of current connections is
calculated over all current connections from the SOURCE host. By
default, the <replaceable>limit</replaceable> is applied to each
host but can be made to apply to networks of hosts by specifying a
<replaceable>mask</replaceable>. The mask specifies the width of a
VLSM mask to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
When ! is specified, the rule matches when the number of connection
exceeds the limit.</para>
</listitem>
<listitem>
<para>TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the
macro is to be used within an action.</para>
<programlisting> &lt;timeelement&gt;[&amp;...]</programlisting>
<para><replaceable>timeelement</replaceable> may be:</para>
<variablelist>
<varlistentry>
<term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem>
<para>Defines the starting time of day.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem>
<para>Defines the ending time of day.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>utc</term>
<listitem>
<para>Times are expressed in Greenwich Mean Time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>localtz</term>
<listitem>
<para>Times are expressed in Local Civil Time
(default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>weekdays=ddd[,ddd]...</term>
<listitem>
<para>where <replaceable>ddd</replaceable> is one of
<option>Mon</option>, <option>Tue</option>,
<option>Wed</option>, <option>Thu</option>,
<option>Fri</option>, <option>Sat</option> or
<option>Sun</option></para>
</listitem>
</varlistentry>
<varlistentry>
<term>monthdays=dd[,dd],...</term>
<listitem>
<para>where <replaceable>dd</replaceable> is an ordinal day of
the month</para>
</listitem>
</varlistentry>
<varlistentry>
<term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem>
<para>Defines the starting date and time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem>
<para>Defines the ending date and time.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash
("-:).</para>
<para>Example:</para>
<para><phrase><filename>/etc/shorewall/macro.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para> ACCEPT</programlisting></para>
<para>To use your macro, in <filename>/etc/shorewall/rules</filename> you <para>To use your macro, in <filename>/etc/shorewall/rules</filename>
might do something like:</para> you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22</programlisting> LogAndAccept loc $FW tcp 22</programlisting>
</section>
</section> </section>
<section id="Logging"> <section id="Logging">
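Review bot: the new "Shorewall 4.4.16 and Later" section still tells readers that the MARK, CONNLIMIT and TIME columns "Must be empty or '-' if the macro is to be used within an action", while the Changes entry in this same commit (item 6, "Remove kludgy restrictions regarding Macros and Actions") says those restrictions are gone as of 4.4.16 Beta 5; if these columns are now accepted in a macro invoked from an action, drop that sentence from the three items in the new section, or else state that it applies only to releases before 4.4.16, so the section does not contradict the changelog. Three smaller corrections in the new-side text: the ORIGINAL DEST exclusion example should read "192.168.1.0-192.168.1.15" rather than "192.168.1.0-182.168.1.15"; the USER/GROUP list has "user inumber" where "user number" is meant; and the omitted-column sentence should close with a dash in quotes, ("-"), instead of ("-:).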