Macros: update headers

Signed-off-by: Tuomo Soini <tis@foobar.fi>
This commit is contained in:
Tuomo Soini 2016-02-15 14:31:00 +02:00
parent 4014fdb204
commit 97b3dd244a


@ -78,19 +78,20 @@
macro.</para> macro.</para>
<programlisting># <programlisting>#
# Shorewall 3.0 /usr/share/shorewall/macro.SMB # Shorewall -- /usr/share/shorewall/macro.SMB
# #
# Handle Microsoft SMB traffic. You need to invoke this macro in # This macro handles Microsoft SMB traffic. You need to invoke
# both directions. # this macro in both directions. Beware! This rule opens a lot
# of ports, and could possibly be used to compromise your firewall
# if not used with care. You should only allow SMB traffic
# between hosts you fully trust.
# #
###################################################################################### ######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ #TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 135,445 PARAM - - udp 135,445
PARAM - - udp 137:139 PARAM - - udp 137:139
PARAM - - udp 1024: 137 PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445 PARAM - - tcp 135,139,445</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>If you wish to modify one of the standard macros, do not modify <para>If you wish to modify one of the standard macros, do not modify
the definition in <filename the definition in <filename
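Review bot: the new warning block says the macro "opens a lot of ports" but not why that is dangerous, and the concrete hazard is two lines below it: `PARAM - - udp 1024: 137` accepts UDP to every destination port from 1024 upward whenever the packet carries source port 137, and a sender picks its own source port, so for anyone on the SOURCE side that row amounts to "all high UDP ports". Consider stating that directly in the comment instead of the generic wording. Separately, the listing drops the `#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE` trailer; since the block is presented as the contents of `/usr/share/shorewall/macro.SMB`, confirm that the shipped file no longer carries that line so the documentation and the file stay in step.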
@ -121,17 +122,19 @@ PARAM - - tcp 135,139,445
<blockquote> <blockquote>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SMB(ACCEPT) loc fw </programlisting>
SMB(ACCEPT) loc $FW</programlisting>
<para>The above is equivalent to coding the following series of <para>The above is equivalent to coding the following series of
rules:</para> rules:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(s) <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT loc fw udp 135,445
ACCEPT loc fw udp 137:139 ACCEPT loc $FW udp 135,445
ACCEPT loc fw udp 1024: 137 ACCEPT loc $FW udp 137:139
ACCEPT loc fw tcp 135,139,445</programlisting> ACCEPT loc $FW udp 1024: 137
ACCEPT loc $FW tcp 135,139,445</programlisting>
</blockquote> </blockquote>
<para>Logging is covered in <link linkend="Logging">a following <para>Logging is covered in <link linkend="Logging">a following
@ -154,23 +157,23 @@ ACCEPT loc fw tcp 135,139,445</programlisting>
<blockquote> <blockquote>
<para>/etc/shorewall/macro.SMTP</para> <para>/etc/shorewall/macro.SMTP</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
PARAM - loc tcp 25</programlisting> PARAM - loc tcp 25</programlisting>
<para>/etc/shorewall/rules (Shorewall 4.0):</para> <para>/etc/shorewall/rules (Shorewall 4.0):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SMTP(DNAT):info net 192.168.1.5</programlisting> SMTP(DNAT):info net 192.168.1.5</programlisting>
<para>/etc/shorewall/rules (Shorewall 4.2.0 and later):</para> <para>/etc/shorewall/rules (Shorewall 4.2.0 and later):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SMTP(DNAT):info net 192.168.1.5</programlisting> SMTP(DNAT):info net 192.168.1.5</programlisting>
<para>This would be equivalent to coding the following directly in <para>This would be equivalent to coding the following directly in
/etc/shorewall/rules</para> /etc/shorewall/rules</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT:info net loc:192.168.1.5 tcp 25</programlisting> DNAT:info net loc:192.168.1.5 tcp 25</programlisting>
</blockquote> </blockquote>
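Review bot: the "Shorewall 4.0" and "Shorewall 4.2.0 and later" listings are identical on the new side (`SMTP(DNAT):info net 192.168.1.5` in both), so the version split no longer shows the reader any difference; either restore whatever distinguished the 4.0 form or collapse the two into a single listing. The column-header change itself (`DEST PORT(S)` to `DPORT`) is consistent with the rest of the patch.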
@ -179,18 +182,19 @@ DNAT:info net loc:192.168.1.5 tcp 25</programlisting>
<blockquote> <blockquote>
<para>/etc/shorewall/macro.SMTP</para> <para>/etc/shorewall/macro.SMTP</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S) <programlisting>
#ACTION SOURCE DEST PROTO DPORT
PARAM - 192.168.1.5 tcp 25</programlisting> PARAM - 192.168.1.5 tcp 25</programlisting>
<para>/etc/shorewall/rules</para> <para>/etc/shorewall/rules</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SMTP(DNAT):info net loc</programlisting> SMTP(DNAT):info net loc</programlisting>
<para>This would be equivalent to coding the following directly in <para>This would be equivalent to coding the following directly in
/etc/shorewall/rules</para> /etc/shorewall/rules</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT:info net loc:192.168.1.5 tcp 25</programlisting> DNAT:info net loc:192.168.1.5 tcp 25</programlisting>
</blockquote> </blockquote>
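Review bot: in the macro.SMTP listing the opening `<programlisting>` is now followed by a line break before `#ACTION SOURCE DEST PROTO DPORT`; programlisting content is verbatim, so this renders as an empty first line in the code box. Every other listing in this patch keeps the header on the same line as the tag (`<programlisting>#ACTION SOURCE DEST PROTO DPORT`); do the same here.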
@ -205,8 +209,7 @@ DNAT:info net loc:192.168.1.5 tcp 25</programlisting>
is already a standard macro like this released as part of is already a standard macro like this released as part of
Shorewall):</para> Shorewall):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 135,445 PARAM - - udp 135,445
PARAM - - udp 137:139 PARAM - - udp 137:139
PARAM - - udp 1024: 137 PARAM - - udp 1024: 137
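Review bot: this SMBBI listing heads its first column `#ACTION`, while the macro.SMB listing earlier in the patch keeps `#TARGET` for the same column in the same kind of file; use one spelling for the macro-file header across the page. The collapse of the two-line header into `#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER` otherwise matches the macro.SMB header and the rules-file headers elsewhere in the change.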
@ -214,26 +217,28 @@ PARAM - - tcp 135,139,445
PARAM DEST SOURCE udp 135,445 PARAM DEST SOURCE udp 135,445
PARAM DEST SOURCE udp 137:139 PARAM DEST SOURCE udp 137:139
PARAM DEST SOURCE udp 1024: 137 PARAM DEST SOURCE udp 1024: 137
PARAM DEST SOURCE tcp 135,139,445 PARAM DEST SOURCE tcp 135,139,445</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
SMBBI(ACCEPT) loc fw</programlisting>
SMBBI(ACCEPT) loc $FW</programlisting>
<para>This would be equivalent to coding the following directly in <para>This would be equivalent to coding the following directly in
/etc/shorewall/rules</para> /etc/shorewall/rules</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
ACCEPT loc fw udp 135,445
ACCEPT loc fw udp 137:139 ACCEPT loc $FW udp 135,445
ACCEPT loc fw udp 1024: 137 ACCEPT loc $FW udp 137:139
ACCEPT loc fw tcp 135,139,445 ACCEPT loc $FW udp 1024: 137
ACCEPT fw loc udp 135,445 ACCEPT loc $FW tcp 135,139,445
ACCEPT fw loc udp 137:139
ACCEPT fw loc udp 1024: 137 ACCEPT $FW loc udp 135,445
ACCEPT fw loc tcp 135,139,445</programlisting> ACCEPT $FW loc udp 137:139
ACCEPT $FW loc udp 1024: 137
ACCEPT $FW loc tcp 135,139,445</programlisting>
</blockquote> </blockquote>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -696,7 +701,7 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
</itemizedlist> </itemizedlist>
<para>Omitted column entries should be entered using a dash <para>Omitted column entries should be entered using a dash
("-:).</para> ("-").</para>
<para>Example:</para> <para>Example:</para>
@ -706,7 +711,8 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
<para>To use your macro, in <filename>/etc/shorewall/rules</filename> <para>To use your macro, in <filename>/etc/shorewall/rules</filename>
you might do something like:</para> you might do something like:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
LogAndAccept loc $FW tcp 22</programlisting> LogAndAccept loc $FW tcp 22</programlisting>
</section> </section>
</section> </section>
@ -731,19 +737,19 @@ LogAndAccept loc $FW tcp 22</programlisting>
<para>/etc/shorewall/macro.foo</para> <para>/etc/shorewall/macro.foo</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT - - tcp 22 ACCEPT - - tcp 22
bar:info</programlisting> bar:info</programlisting>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
foo:debug $FW net</programlisting> foo:debug $FW net</programlisting>
<para>Logging in the invoked 'foo' macro will be as if foo had been <para>Logging in the invoked 'foo' macro will be as if foo had been
defined as:</para> defined as:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT:debug - - tcp 22 ACCEPT:debug - - tcp 22
bar:info</programlisting> bar:info</programlisting>
</listitem> </listitem>
@ -756,19 +762,19 @@ bar:info</programlisting>
<para>/etc/shorewall/macro.foo</para> <para>/etc/shorewall/macro.foo</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT - - tcp 22 ACCEPT - - tcp 22
bar:info</programlisting> bar:info</programlisting>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
foo:debug! $FW net</programlisting> foo:debug! $FW net</programlisting>
<para>Logging in the invoked 'foo' macro will be as if foo had been <para>Logging in the invoked 'foo' macro will be as if foo had been
defined as:</para> defined as:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DPORT
ACCEPT:debug - - tcp 22 ACCEPT:debug - - tcp 22
bar:debug</programlisting> bar:debug</programlisting>
</listitem> </listitem>