mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-24 08:33:40 +01:00
Merge branch 'master' of ssh://teastep@shorewall.git.sourceforge.net/gitroot/shorewall/shorewall
This commit is contained in:
commit
94d039bf56
@ -161,7 +161,7 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<para>Only those interfaces with the
|
<para>Only those interfaces with the
|
||||||
<option>arp_filter</option> option will have their setting
|
<option>arp_filter</option> option will have their setting
|
||||||
changes; the value assigned to the setting will be the value
|
changed; the value assigned to the setting will be the value
|
||||||
specified (if any) or 1 if no value is given.</para>
|
specified (if any) or 1 if no value is given.</para>
|
||||||
|
|
||||||
<para></para>
|
<para></para>
|
||||||
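Review bot: the "changes" to "changed" fix here is correct, but the identical sentence ("Only those interfaces with the ... option will have their setting changes") recurs for every per-interface option in this page; the hunks below fix it for logmartians and sourceroute, so please grep the rest of the interfaces manpage for the same boilerplate to make sure no copy is left with the old wording.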
@ -188,7 +188,7 @@ loc eth2 -</programlisting>
|
|||||||
|
|
||||||
<para>2 - reply only if the target IP address is local address
|
<para>2 - reply only if the target IP address is local address
|
||||||
configured on the incoming interface and the sender's IP
|
configured on the incoming interface and the sender's IP
|
||||||
address is part from same subnet on this interface</para>
|
address is part from same subnet on this interface's address</para>
|
||||||
|
|
||||||
<para>3 - do not reply for local addresses configured with
|
<para>3 - do not reply for local addresses configured with
|
||||||
scope host, only resolutions for global and link</para>
|
scope host, only resolutions for global and link</para>
|
||||||
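Review bot: the replacement line "address is part from same subnet on this interface's address" is still ungrammatical, and appending "'s address" to the existing phrase makes it read worse rather than better ("the sender's IP address is part from same subnet on this interface's address"). Suggest rewriting the whole clause, e.g. "and the sender's IP address is in the same subnet as this interface's address", so that the description of value 2 reads as one sentence.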
@ -290,11 +290,11 @@ loc eth2 -</programlisting>
|
|||||||
role="bold">logmartians</emphasis>. Even if you do not specify
|
role="bold">logmartians</emphasis>. Even if you do not specify
|
||||||
the <option>routefilter</option> option, it is a good idea to
|
the <option>routefilter</option> option, it is a good idea to
|
||||||
specify <option>logmartians</option> because your distribution
|
specify <option>logmartians</option> because your distribution
|
||||||
may be enabling route filtering without you knowing it.</para>
|
may have enabled route filtering without you knowing it.</para>
|
||||||
|
|
||||||
<para>Only those interfaces with the
|
<para>Only those interfaces with the
|
||||||
<option>logmartians</option> option will have their setting
|
<option>logmartians</option> option will have their setting
|
||||||
changes; the value assigned to the setting will be the value
|
changed; the value assigned to the setting will be the value
|
||||||
specified (if any) or 1 if no value is given.</para>
|
specified (if any) or 1 if no value is given.</para>
|
||||||
|
|
||||||
<para>To find out if route filtering is set on a given
|
<para>To find out if route filtering is set on a given
|
||||||
@ -510,12 +510,12 @@ loc eth2 -</programlisting>
|
|||||||
(sets
|
(sets
|
||||||
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
|
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
|
||||||
to 1). Only set this option if you know what you are doing.
|
to 1). Only set this option if you know what you are doing.
|
||||||
This might represent a security risk and is not usually
|
This might represent a security risk and is usually
|
||||||
needed.</para>
|
unneeded.</para>
|
||||||
|
|
||||||
<para>Only those interfaces with the
|
<para>Only those interfaces with the
|
||||||
<option>sourceroute</option> option will have their setting
|
<option>sourceroute</option> option will have their setting
|
||||||
changes; the value assigned to the setting will be the value
|
changed; the value assigned to the setting will be the value
|
||||||
specified (if any) or 1 if no value is given.</para>
|
specified (if any) or 1 if no value is given.</para>
|
||||||
|
|
||||||
<para></para>
|
<para></para>
|
||||||
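Review bot: changing "is not usually needed" to "is usually unneeded" leaves the hedge "This might represent a security risk" without saying what the risk is, which is what a reader deciding whether to set accept_source_route to 1 actually needs. Suggest one clause stating it, e.g. "Accepting source-routed packets lets the sender dictate the path a packet takes and can be used to bypass routing-based controls; the option is usually unneeded."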
@ -579,7 +579,7 @@ loc eth2 -</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Suppose you have eth0 connected to a DSL modem and eth1
|
<para>Suppose you have eth0 connected to a DSL modem and eth1
|
||||||
connected to your local network and that your local subnet is
|
connected to your local network and that your local subnet is
|
||||||
192.168.1.0/24. The interface gets it's IP address via DHCP from
|
192.168.1.0/24. The interface gets its IP address via DHCP from
|
||||||
subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
|
subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
|
||||||
using eth2.</para>
|
using eth2.</para>
|
||||||
|
|
||||||
|
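Review bot: only the apostrophe was fixed in "The interface gets its IP address via DHCP", but "The interface" is ambiguous because eth0, eth1 and eth2 are all named in this paragraph. Since eth0 is the one connected to the DSL modem, suggest "eth0 gets its IP address via DHCP from subnet 206.191.149.192/27".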
@ -409,7 +409,7 @@
|
|||||||
<para>Only locally-generated connections will match if this column
|
<para>Only locally-generated connections will match if this column
|
||||||
is non-empty.</para>
|
is non-empty.</para>
|
||||||
|
|
||||||
<para>When this column is non-empty, the rule applies only if the
|
<para>When this column is non-empty, the rule matches only if the
|
||||||
program generating the output is running under the effective
|
program generating the output is running under the effective
|
||||||
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
||||||
specified (or is NOT running under that id if "!" is given).</para>
|
specified (or is NOT running under that id if "!" is given).</para>
|
||||||
|
@ -63,7 +63,7 @@
|
|||||||
role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>
|
role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Interfacees that have the <emphasis
|
<para>Interfaces that have the <emphasis
|
||||||
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
|
role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
|
||||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5),
|
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5),
|
||||||
Shorewall will automatically add the EXTERNAL address to this
|
Shorewall will automatically add the EXTERNAL address to this
|
||||||
|
@ -43,7 +43,7 @@
|
|||||||
<para>Must be DNAT or SNAT.</para>
|
<para>Must be DNAT or SNAT.</para>
|
||||||
|
|
||||||
<para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
|
<para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
|
||||||
it's destination address rewritten to the corresponding address in
|
its destination address rewritten to the corresponding address in
|
||||||
NET2.</para>
|
NET2.</para>
|
||||||
|
|
||||||
<para>If SNAT, traffic leaving INTERFACE with a source address in
|
<para>If SNAT, traffic leaving INTERFACE with a source address in
|
||||||
|
@ -41,7 +41,7 @@
|
|||||||
|
|
||||||
<para>For $FW and for all of the zones defined in /etc/shorewall/zones,
|
<para>For $FW and for all of the zones defined in /etc/shorewall/zones,
|
||||||
the POLICY for connections from the zone to itself is ACCEPT (with no
|
the POLICY for connections from the zone to itself is ACCEPT (with no
|
||||||
logging or TCP connection rate limiting but may be overridden by an
|
logging or TCP connection rate limiting) but may be overridden by an
|
||||||
entry in this file. The overriding entry must be explicit (cannot use
|
entry in this file. The overriding entry must be explicit (cannot use
|
||||||
"all" in the SOURCE or DEST).</para>
|
"all" in the SOURCE or DEST).</para>
|
||||||
|
|
||||||
@ -95,7 +95,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Policy if no match from the rules file is found.</para>
|
<para>Policy if no match from the rules file is found.</para>
|
||||||
|
|
||||||
<para>If the policy is other than CONTINUE or NONE then the policy
|
<para>If the policy is neither CONTINUE nor NONE then the policy
|
||||||
may be followed by ":" and one of the following:</para>
|
may be followed by ":" and one of the following:</para>
|
||||||
|
|
||||||
<orderedlist numeration="loweralpha">
|
<orderedlist numeration="loweralpha">
|
||||||
|
@ -175,7 +175,7 @@
|
|||||||
specified will get outbound traffic load-balanced among them.
|
specified will get outbound traffic load-balanced among them.
|
||||||
By default, all interfaces with <option>balance</option>
|
By default, all interfaces with <option>balance</option>
|
||||||
specified will have the same weight (1). You can change the
|
specified will have the same weight (1). You can change the
|
||||||
weight of an interface by specifiying
|
weight of an interface by specifying
|
||||||
<option>balance=</option><replaceable>weight</replaceable>
|
<option>balance=</option><replaceable>weight</replaceable>
|
||||||
where <replaceable>weight</replaceable> is the weight of the
|
where <replaceable>weight</replaceable> is the weight of the
|
||||||
route out of this interface.</para>
|
route out of this interface.</para>
|
||||||
|
@ -67,8 +67,8 @@
|
|||||||
or <emphasis role="bold">yes</emphasis> in this column. Otherwise,
|
or <emphasis role="bold">yes</emphasis> in this column. Otherwise,
|
||||||
enter <emphasis role="bold">no</emphasis> or <emphasis
|
enter <emphasis role="bold">no</emphasis> or <emphasis
|
||||||
role="bold">No</emphasis> or leave the column empty and Shorewall
|
role="bold">No</emphasis> or leave the column empty and Shorewall
|
||||||
will add the route for you. If Shorewall adds the route,the route
|
will add the route for you. If Shorewall adds the route, its
|
||||||
will be persistent if the <emphasis
|
persistence depends on the value of the<emphasis
|
||||||
role="bold">PERSISTENT</emphasis> column contains <emphasis
|
role="bold">PERSISTENT</emphasis> column contains <emphasis
|
||||||
role="bold">Yes</emphasis>; otherwise, <emphasis
|
role="bold">Yes</emphasis>; otherwise, <emphasis
|
||||||
role="bold">shorewall stop</emphasis> or <emphasis
|
role="bold">shorewall stop</emphasis> or <emphasis
|
||||||
|
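Review bot: the rewritten opening no longer parses with the unchanged continuation that follows it; assembled, the sentence now reads "its persistence depends on the value of the PERSISTENT column contains Yes; otherwise, shorewall stop or ...". The old wording ("the route will be persistent if the PERSISTENT column contains Yes; otherwise, ...") matched those context lines, so either keep it (with the "route,the route" spacing fixed) or also change the continuation, e.g. "its persistence depends on the PERSISTENT column: if that column contains Yes, the route is persistent; otherwise, ...". Also note the missing space in "the<emphasis", which renders as "thePERSISTENT".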
@ -68,7 +68,7 @@
|
|||||||
(although it probably isn't installed by default). Ulogd is also available
|
(although it probably isn't installed by default). Ulogd is also available
|
||||||
from <ulink
|
from <ulink
|
||||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
|
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
|
||||||
and can be configured to log all Shorewall message to their own log
|
and can be configured to log all Shorewall messages to their own log
|
||||||
file</para>
|
file</para>
|
||||||
|
|
||||||
<para>The following options may be set in shorewall.conf.</para>
|
<para>The following options may be set in shorewall.conf.</para>
|
||||||
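Review bot: "message" to "messages" is right, but the same sentence in the trailing context still ends "to their own log file</para>" with no full stop; suggest adding the period while this paragraph is being touched.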
@ -262,7 +262,7 @@
|
|||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If set, the behavior of the 'start' command is change; if no
|
<para>If set, the behavior of the 'start' command is changed; if no
|
||||||
files in /etc/shorewall have been changed since the last successful
|
files in /etc/shorewall have been changed since the last successful
|
||||||
<command>start</command> or <command>restart</command> command, then
|
<command>start</command> or <command>restart</command> command, then
|
||||||
the compilation step is skipped and the compiled script that
|
the compilation step is skipped and the compiled script that
|
||||||
@ -362,7 +362,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
<para>If this option is set to <emphasis role="bold">No</emphasis>
|
||||||
then Shorewall won't clear the current traffic control rules during
|
then Shorewall won't clear the current traffic control rules during
|
||||||
[re]start. This setting is intended for use by people that prefer to
|
[re]start. This setting is intended for use by people who prefer to
|
||||||
configure traffic shaping when the network interfaces come up rather
|
configure traffic shaping when the network interfaces come up rather
|
||||||
than when the firewall is started. If that is what you want to do,
|
than when the firewall is started. If that is what you want to do,
|
||||||
set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
|
set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
|
||||||
|