mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-23 19:21:21 +02:00
Update the Bridge document for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
a47cfb4f63
commit
9e6109bc36
@ -596,8 +596,8 @@ all all REJECT info
|
|||||||
is connected to <filename class="devicefile">eth0</filename> and the
|
is connected to <filename class="devicefile">eth0</filename> and the
|
||||||
switch to <filename class="devicefile">eth1</filename>:</para>
|
switch to <filename class="devicefile">eth1</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE OPTIONS
|
||||||
world br0 detect bridge
|
world br0 bridge
|
||||||
net br0:eth0
|
net br0:eth0
|
||||||
loc br0:eth1
|
loc br0:eth1
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
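Review bot: only the listing is converted here; with `detect` gone from the br0 line along with the BROADCAST column (as the new header `#ZONE INTERFACE OPTIONS` requires), check that the prose introducing this example, which the hunk's context lines at -596 do not show, no longer tells the reader to fill in a BROADCAST column or to use `detect`, otherwise the text and the listing will describe two different file layouts.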
@ -645,9 +645,9 @@ br0 192.168.1.0/24 routeback
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||||
|
|
||||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting> #ZONE INTERFACE OPTIONS
|
||||||
world br0 - bridge
|
world br0 bridge
|
||||||
world br1 - bridge
|
world br1 bridge
|
||||||
z1 br0:p+
|
z1 br0:p+
|
||||||
z2 br1:p+</programlisting>
|
z2 br1:p+</programlisting>
|
||||||
|
|
||||||
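Review bot: style point: this listing keeps a leading space before `#ZONE` inside `<programlisting>`, while the interfaces listing at -596 starts its header flush against the tag. `<programlisting>` is rendered verbatim, so the two examples will indent differently on the page; either drop the leading space here (and in the matching listing at -657) or add it in the earlier listing so all the interfaces examples line up.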
@ -657,11 +657,11 @@ br0 192.168.1.0/24 routeback
|
|||||||
configuration may be defined using the following in
|
configuration may be defined using the following in
|
||||||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||||||
|
|
||||||
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting> #ZONE INTERFACE OPTIONS
|
||||||
world br0 - bridge
|
world br0 bridge
|
||||||
world br1 - bridge
|
world br1 bridge
|
||||||
z1 br0:x+ - physical=p+
|
z1 br0:x+ physical=p+
|
||||||
z2 br1:y+ - physical=p+</programlisting>
|
z2 br1:y+ physical=p+</programlisting>
|
||||||
|
|
||||||
<para>In this configuration, 'x+' is the logical name for ports p+ on
|
<para>In this configuration, 'x+' is the logical name for ports p+ on
|
||||||
bridge br0 while 'y+' is the logical name for ports p+ on bridge
|
bridge br0 while 'y+' is the logical name for ports p+ on bridge
|
||||||
@ -673,8 +673,7 @@ br0 192.168.1.0/24 routeback
|
|||||||
|
|
||||||
<para>Example from /etc/shorewall/rules:</para>
|
<para>Example from /etc/shorewall/rules:</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
REJECT z1:x1023 z1:x1024 tcp 1234</programlisting>
|
REJECT z1:x1023 z1:x1024 tcp 1234</programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -710,11 +709,11 @@ loc ipv4</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The <filename>/etc/shorewall/interfaces</filename> file is as
|
<para>The <filename>/etc/shorewall/interfaces</filename> file is as
|
||||||
follows:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
follows:<programlisting>#ZONE INTERFACE OPTIONS
|
||||||
pub br0 detect routefilter,bridge
|
pub br0 routefilter,bridge
|
||||||
net br0:eth0
|
net br0:eth0
|
||||||
dmz br0:eth2
|
dmz br0:eth2
|
||||||
loc eth1 detect</programlisting></para>
|
loc eth1</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -761,9 +760,7 @@ all all REJECT info</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||||
#
|
|
||||||
PORT(S) PORT(S)
|
|
||||||
ACCEPT all all icmp 8
|
ACCEPT all all icmp 8
|
||||||
ACCEPT loc $DMZ tcp 25,53,80,443,...
|
ACCEPT loc $DMZ tcp 25,53,80,443,...
|
||||||
ACCEPT loc $DMZ udp 53
|
ACCEPT loc $DMZ udp 53
|
||||||
@ -872,8 +869,7 @@ iface veth0 inet static
|
|||||||
<para>For this configuration, we need several additional zones as shown
|
<para>For this configuration, we need several additional zones as shown
|
||||||
here:</para>
|
here:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
fw firewall
|
fw firewall
|
||||||
net ipv4
|
net ipv4
|
||||||
zone1 bport
|
zone1 bport
|
||||||
@ -943,8 +939,7 @@ all all REJECT:info</programlisting>
|
|||||||
|
|
||||||
<para>Rules allowing traffic from the net to zone2 look like this:</para>
|
<para>Rules allowing traffic from the net to zone2 look like this:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
|
||||||
ACCEPT col zone2 tcp 22 - - - - <emphasis
|
ACCEPT col zone2 tcp 22 - - - - <emphasis
|
||||||
role="bold">net</emphasis></programlisting>
|
role="bold">net</emphasis></programlisting>
|
||||||
|
|
||||||
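Review bot: the new header labels the tenth column MARK, and the emphasised value in that column on the ACCEPT line is `net`, which the zones listing at -872 defines as a zone rather than a mark value. Nothing in this hunk establishes `net` as a mark, so make sure the earlier text of this section says where that mapping is set up (or whether the column should carry a numeric mark); a reader following the renamed header will otherwise take `net` as a literal MARK match.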
@ -969,8 +964,7 @@ ACCEPT col <emphasis role="bold">zone3</emphasis> tcp 22
|
|||||||
<para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
|
<para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
|
||||||
zone3:</para>
|
zone3:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
|
||||||
DNAT- net loc:172.168.4.45 tcp 80
|
DNAT- net loc:172.168.4.45 tcp 80
|
||||||
ACCEPT col zone3:172.168.4.45 tcp 80 - - - - <emphasis
|
ACCEPT col zone3:172.168.4.45 tcp 80 - - - - <emphasis
|
||||||
role="bold">net</emphasis></programlisting>
|
role="bold">net</emphasis></programlisting>
|
||||||
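Review bot: the prose and the rules disagree on the address: the paragraph says tcp port 80 is forwarded to 192.168.4.45 in zone3, while both the `DNAT-` line and the `ACCEPT col zone3:...` line (and the context line in the header at -979) use 172.168.4.45. 172.168.0.0/16 is not private address space (RFC 1918's second block, 172.16.0.0/12, ends at 172.31.255.255), so the rules almost certainly carry a typo for 192.168.4.45; since the listing is being rewritten anyway, fix the address in both rules.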
@ -979,15 +973,13 @@ ACCEPT col zone3:172.168.4.45 tcp 80 - -
|
|||||||
role="bold">zonei</emphasis> zones to the <emphasis
|
role="bold">zonei</emphasis> zones to the <emphasis
|
||||||
role="bold">net</emphasis> zone look like this:</para>
|
role="bold">net</emphasis> zone look like this:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
|
||||||
ACCEPT loc net tcp 21 - - - - <emphasis
|
ACCEPT loc net tcp 21 - - - - <emphasis
|
||||||
role="bold">zone1</emphasis></programlisting>
|
role="bold">zone1</emphasis></programlisting>
|
||||||
|
|
||||||
<para>And to the firewall:</para>
|
<para>And to the firewall:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
|
||||||
ACCEPT zone2 col tcp - - - - <emphasis
|
ACCEPT zone2 col tcp - - - - <emphasis
|
||||||
role="bold">zone2</emphasis></programlisting>
|
role="bold">zone2</emphasis></programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
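Review bot: the last rule is one column short. `ACCEPT zone2 col tcp - - - - zone2` has four placeholders after `tcp`, so under the new header zone2 lands in USER rather than MARK, whereas `ACCEPT loc net tcp 21 - - - - zone1` above it has a DPORT value plus four placeholders and does put zone1 in MARK. Add a `-` for the empty DPORT: `ACCEPT zone2 col tcp - - - - - zone2`. Separately, `zonei` in the context lines reads as a literal word; if it stands for zone1, zone2 and zone3, mark the i as a variable (a subscript) so the reference is clear.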