From 8dd0175ab42c1fc181d12c57f1f91eccc067994d Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 27 Feb 2006 23:55:26 +0000 Subject: [PATCH] More 3.1 documentation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3603 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/CompiledPrograms.xml | 204 ++++++++++++++++++++++++++++++++++++++ docs/Documentation.xml | 16 ++- docs/MAC_Validation.xml | 18 +++- 3 files changed, 232 insertions(+), 6 deletions(-) create mode 100644 docs/CompiledPrograms.xml diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml new file mode 100644 index 000000000..aa1efc212 --- /dev/null +++ b/docs/CompiledPrograms.xml @@ -0,0 +1,204 @@ + + +
+ + + + Compiled Firewall Programs + + + + Tom + + Eastep + + + + 2006-02-27 + + + 2006 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Overview + + Beginning with Shorewall version 3.1, Shorewall has the capability + to compile a Shorewall configuration and produce a runnable firewall + program script. The script is a complete program which can be placed in + the /etc/init.d/ directory on a system without Shorewall installed and can + serve as the firewall creation script for that system. + + Compiled programs can also be created to instantiate special + configurations during parts of the day; for example, to disallow web + browsing between the hours of 9pm and 7AM. The program can be run as a + cron job at 9PM and another program run at 6AM to restore normal + operation. +
+ +
+ The "shorewall compile" command + + A compiled script is produced using the compile + command: + +
+ shorewall compile [ -e ] [ -d <distro> ] [ + <directory name> ] <path name> +
+ + where + +
+ + + -e + + + Indicates that the program is to be "exported" to another + system. When this flag is set, the "detectnets" interface is not + allowed but the created program may be run on a system that + doesn't even have Shorewall installed. + + When this flag is given, Shorewall does not probe the + current system to determine the kernel/iptables features that it + supports. It rather reads those capabilities from + /etc/shorewall/capabilities. See below for + details. + + + + + -d <distro> + + + is normally used with "-e" and specifies the Linux + distribution that is running on the remote system. The program + will be taylored so that it integrates with the intialization + script system (init) on that system. Distributions currently + supported are: + + + suse + + + + + + <directory name> + + + specifies a directory to be searched for configuration files + before those directories listed in the CONFIG_PATH variable in + shorewall.conf. + + + + + <path name> + + + specifies the name of the script to be created. + + + +
+
+ +
+ The /etc/shorewall/capabilities file and the shorecap + program + + As mentioned above, the /etc/shorewall/capabilities file specifies + that kernel/iptables capabilities of the target system. Here is a sample + file: + +
+ NAT_ENABLED=Yes # NAT +MANGLE_ENABLED=Yes # Packet Mangling +CONNTRACK_MATCH=Yes # Connection Tracking Match +USEPKTTYPE= # Packet Type Match +MULTIPORT=Yes # Multi-port Match +XMULTIPORT=Yes # Extended Multi-port Match +POLICY_MATCH=Yes # Policy Match +PHYSDEV_MATCH=Yes # Physdev Match +LENGTH_MATCH=Yes # Packet Length Match +IPRANGE_MATCH=Yes # IP range Match +RECENT_MATCH=Yes # Recent Match +OWNER_MATCH=Yes # Owner match +IPSET_MATCH= # Ipset Match +CONNMARK=Yes # CONNMARK Target +CONNMARK_MATCH=Yes # Connmark Match +RAW_TABLE=Yes # Raw Table +IPP2P_MATCH= # IPP2P Match +CLASSIFY_TARGET=Yes # CLASSIFY Target +ENHANCED_REJECT=Yes # Extended REJECT +
+ + As you can see, the file contains a simple list of shell variable + assignments -- the variables correspond to the capabilities listed by the + shorewall show capabilities command appear in the same + order as the output of that command. + + To aid in creating this file, Shorewall 3.1 and later include a + shorecap program. The program is installed in the documentation directory + by the .rpm and is in the directory created when you untar the tarball. It + may be copied to /usr/bin on a remote system then run as follows: + +
+ shorecap > capabilities +
+ + The capabilities file may then be copied to a + system with Shorewall installed and used when compiling firewall programs + to run on the remote system. +
+ +
+ Running compiled programs + + Compiled firewall programs are complete programs that support the + following run-line commands: + +
+ + <program> [ -q ] [ -v ] [ -n ] + start + + <program> [ -q ] [ -v ] [ -n ] + stop + + <program> [ -q ] [ -v ] [ -n ] + clear + + <program> [ -q ] [ -v ] [ -n ] + restart + + <program> [ -q ] [ -v ] [ -n ] + status + + <program> [ -q ] [ -v ] [ -n ] + version + +
+ + The options have their same meaning is when they are passed to + /sbin/shorewall itself. The default VERBOSITY level + is the level specified in the shorewall.conf file used when then program + was compiled. +
+
\ No newline at end of file diff --git a/docs/Documentation.xml b/docs/Documentation.xml index b0c78fceb..db477c91f 100644 --- a/docs/Documentation.xml +++ b/docs/Documentation.xml @@ -378,11 +378,13 @@ - routes + capabilities - file in /etc/shorewall that is used to interface to the - experimental ROUTE target from Netfilter patch-o-matic-ng. + file in /etc/shorewall that is used to define the + iptables/kernel capabilities of a remote system. The file allows + firewall scripts compiled on one system to be taylored for a remote + system where the script will ultimately run. @@ -1900,6 +1902,14 @@ ACCEPT:info - - tc Protocol. Must be a protocol name from /etc/protocols, a number, or all. Specifies the protocol of the connection request. + + In the ESTABLISHED and RELATED sections, may also be "ipp2p", + "ipp2p:udp", "ipp2p:all"; requires ipp2p match support in your + kernel and iptables. + + Beginning with Shorewall 3.1, you may also specify "tcp:syn" + in this column. This is equivalent to "tcp" but also requires that + the SYN flag be set and the FIN, ACK and RST flags be reset. diff --git a/docs/MAC_Validation.xml b/docs/MAC_Validation.xml index b2f75cc71..35476d193 100644 --- a/docs/MAC_Validation.xml +++ b/docs/MAC_Validation.xml @@ -15,7 +15,7 @@ - 2005-10-13 + 2006-02-27 2001-2005 @@ -160,6 +160,17 @@ The columns in /etc/shorewall/maclist are: + + DISPOSITION (Added in Shorewall version 3.1) + + + Must be ACCEPT, DROP or REJECT (REJECT may not be specified if + MACLIST_TABLE=mangle). May be + optionally followed by ":" and a log level to cause packets matching + the rule to be logged. + + + INTERFACE 
@@ -175,8 +186,9 @@ The MAC address of a device on the ethernet segment connected by INTERFACE. It is not necessary to use the Shorewall MAC format in - this column although you may use that format if you so - choose. + this column although you may use that format if you so choose. + Beginning with Shorewall 3.1, you may specify "-" here if you enter + an IP address in the next column.
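Review bot: the Overview example in the new docs/CompiledPrograms.xml contradicts itself: web browsing is to be blocked "between the hours of 9pm and 7AM", but the program that restores normal operation is said to run "at 6AM"; pick one time. Several typos in the same file should be fixed before it ships: "taylored" and "intialization" in the -d <distro> entry, "specifies that kernel/iptables capabilities" (should be "the"), "have their same meaning is when" (should be "as when"), "used when then program was compiled" (should be "the program"), and the sentence "the variables correspond to the capabilities listed by the shorewall show capabilities command appear in the same order" needs an "and" before "appear". Two gaps a reader will hit: the -e entry says capabilities are read from /etc/shorewall/capabilities instead of probed, but not what happens when that file is missing or when a rule needs a feature the file marks empty (for example IPSET_MATCH= in the sample), so state whether the compile fails or the affected rules are left out; and the run-line command list names clear, restart, status and version without saying what each does, which matters most for clear, since the reader should know whether running it leaves the system with no filtering in place. Also say whether shorecap must be run as root on the remote system, given that it gathers the same probe results the compiler would otherwise take from the local kernel and iptables.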
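Review bot: the docs/Documentation.xml hunk at line 378 replaces the routes entry rather than adding a new one, so the description of the /etc/shorewall/routes file and the ROUTE target from patch-o-matic-ng disappears from the file list; if routes is still a supported file in 3.1 the entry should stay and capabilities be added beside it, and if routes has been dropped the commit message should say so. Also "taylored" should be "tailored" in the new text.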
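Review bot: the PROTO column text added in the docs/Documentation.xml hunk at line 1900 should say how an ipp2p or "tcp:syn" entry behaves when the target lacks the match (the ipp2p sentence says it "requires ipp2p match support in your kernel and iptables", and the sample capabilities file elsewhere in this commit has IPP2P_MATCH empty): readers compiling with -e need to know whether the rule is rejected at compile time or silently omitted. The ipp2p sentence is scoped to "the ESTABLISHED and RELATED sections", but the "tcp:syn" sentence gives no section guidance; since it matches only packets with SYN set and ACK clear, a one-line note that it is meant for rules outside the ESTABLISHED and RELATED sections would prevent rules that can never match.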
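Review bot: in the docs/MAC_Validation.xml hunk at line 15 the pubdate moves to 2006-02-27, but the copyright line two lines below still reads 2001-2005; update the year range in the same hunk so the two do not disagree.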
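Review bot: inserting DISPOSITION as the first column in the docs/MAC_Validation.xml hunk at line 160 changes the column order for every existing /etc/shorewall/maclist file, and the text does not say whether pre-3.1 files without this column still work or must be migrated; add that next to "(Added in Shorewall version 3.1)", together with the disposition applied when the column is empty or "-". An example of the log-level form, such as DROP:info, would make the ":" syntax concrete, and the sentence forbidding REJECT when MACLIST_TABLE=mangle should give the reason for the restriction rather than only stating it.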
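Review bot: the sentence added in the docs/MAC_Validation.xml hunk at line 175, which permits "-" in the MAC column when an IP address is given in the next column, should state the consequence: such an entry matches on IP address alone and performs no MAC check, which weakens the guarantee the maclist file exists to provide. Readers should be told explicitly that "-" opts that entry out of MAC validation, so they do not use it for hosts they intended to pin to a hardware address.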