Documentation cleanup. Left off on Actions.xml.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8672 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
el_cubano 2008-08-18 04:32:14 +00:00
parent ab7d13a6f9
commit ad0c872a85
3 changed files with 111 additions and 101 deletions

View File

@ -63,9 +63,8 @@
<para>We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is
accomplished through use of the
<filename><filename>/etc/shorewall/tunnels</filename></filename> file and
the <quote>ip</quote> utility for network interface and routing
accomplished through use of the <filename>/etc/shorewall/tunnels</filename>
file and the <quote>ip</quote> utility for network interface and routing
configuration.</para>
<para>Unlike GRE and IPIP tunneling, the
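Review bot: the rewritten sentence still marks the ip utility up as `<quote>ip</quote>`, while the rest of this commit converts command invocations to `<command>` (for example the `shorewall show web` lines later in this change); `<command>ip</command>` would be consistent with that and renders as a command rather than a quoted word.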
@ -78,13 +77,13 @@
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
this traffic.</para>
<para>In <filename>/etc/shorewall/tunnels </filename>on system A, we need
<para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
the following:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE
6to4 net 134.28.54.2</programlisting>
<para>This entry in <filename>/etc/shorewall/tunnels</filename>, opens the
<para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
firewall so that the IPv6 encapsulation protocol (41) will be accepted
to/from the remote gateway.</para>

View File

@ -45,15 +45,15 @@
<title>Accounting Basics</title>
<para>Shorewall accounting rules are described in the file
/etc/shorewall/accounting. By default, the accounting rules are placed in
a chain called <quote>accounting</quote> and can thus be displayed using
<quote>shorewall[-lite] show accounting</quote>. All traffic passing into,
out of, or through the firewall traverses the accounting chain including
traffic that will later be rejected by interface options such as
<quote>tcpflags</quote> and <quote>maclist</quote>. If your kernel doesn't
support the connection tracking match extension (Kernel 2.4.21) then some
traffic rejected under <quote>norfc1918</quote> will not traverse the
accounting chain.</para>
<filename>/etc/shorewall/accounting</filename>. By default, the
accounting rules are placed in a chain called <quote>accounting</quote>
and can thus be displayed using <quote>shorewall[-lite] show
accounting</quote>. All traffic passing into, out of, or through the
firewall traverses the accounting chain including traffic that will later
be rejected by interface options such as <quote>tcpflags</quote> and
<quote>maclist</quote>. If your kernel doesn't support the connection
tracking match extension (Kernel 2.4.21) then some traffic rejected under
<quote>norfc1918</quote> will not traverse the accounting chain.</para>
<para>The columns in the accounting file are as follows:</para>
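Review bot: `<quote>shorewall[-lite] show accounting</quote>` in the rewritten paragraph is inconsistent with the same commit's treatment of `shorewall show web`, which it changes from `<quote>` to `<command>`; use `<command>shorewall[-lite] show accounting</command>` here too. The unchanged parenthetical "(Kernel 2.4.21)" in the same paragraph is ambiguous about whether 2.4.21 is the kernel that introduced the connection tracking match or one that lacks it; since this is a cleanup pass, spelling that out (e.g. "kernels earlier than 2.4.21", if that is what is meant) would help.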
@ -76,7 +76,7 @@
<listitem>
<para><emphasis>&lt;chain&gt;</emphasis> - The name of a chain;
Shorewall will create the chain automatically if it doesn't
already exist. Causes a jump to this chain will be generated from
already exist. A jump to this chain will be generated from
the chain specified by the CHAIN column. If the name of the chain
is followed by <quote>:COUNT</quote> then a COUNT rule matching
this entry will automatically be added to &lt;chain&gt;. Chain
@ -113,25 +113,26 @@
<listitem>
<para><emphasis role="bold">DESTINATION</emphasis> - Packet
Destination Format the same as the SOURCE column.</para>
Destination. Format the same as the SOURCE column.</para>
</listitem>
<listitem>
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name
(from <filename>/etc/protocols</filename>), a protocol number or
"ipp2p". For "ipp2p", your kernel and iptables must have ipp2p match
support from <ulink url="http://www.netfilter.org">Netfilter
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from
<filename>/etc/protocols</filename>), a protocol number or
<quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
iptables must have ipp2p match support from <ulink
url="http://www.netfilter.org">Netfilter
Patch_o_matic_ng</ulink>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
number. Service name from <filename>/etc/services</filename> or port
number. May only be specified if the protocol is TCP or UDP (6 or 17).
If the PROTOCOL is "ipp2p", then this column is interpreted as an
ipp2p option without the leading "--" (default "ipp2p"). For a list of
value ipp2p options, as root type <command>iptables -m ipp2p
--help</command>.</para>
number. May only be specified if the protocol is TCP or UDP (6 or
17). If the PROTOCOL is <quote>ipp2p</quote>, then this column is
interpreted as an ipp2p option without the leading <quote>--</quote>
(default <quote>ipp2p</quote>). For a list of value ipp2p options, as
root type <command>iptables -m ipp2p --help</command>.</para>
</listitem>
<listitem>
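Review bot: "For a list of value ipp2p options" was carried over unchanged into the rewritten DEST PORT paragraph; it should read "valid ipp2p options". While here, the link text "Netfilter Patch_o_matic_ng" uses underscores where the project name is written with hyphens (patch-o-matic-ng).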
@ -145,23 +146,23 @@
only be non-empty if the CHAIN is OUTPUT. The column may
contain:</para>
<programlisting> [!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
<programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
<para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
&lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
that id if "!" is given).</para>
that id if <quote>!</quote> is given).</para>
<para>Examples:</para>
<simplelist>
<member>joe #program must be run by joe</member>
<member>:kids #program must be run by a member of the 'kids'
group.</member>
<member>:kids #program must be run by a member of the
<quote>kids</quote> group.</member>
<member>!:kids #program must not be run by a member of the 'kids'
group</member>
<member>!:kids #program must not be run by a member of the
<quote>kids</quote> group</member>
<member>+upnpd #program named upnpd (This feature was removed from
Netfilter in kernel version 2.6.14).</member>
@ -170,12 +171,13 @@
<listitem>
<para><emphasis role="bold">MARK</emphasis> - Only count packets with
particular mark values.<programlisting>[!]&lt;value&gt;[/&lt;mask&gt;][:C]</programlisting>Defines
a test on the existing packet or connection mark. The rule will match
only if the test returns true.</para>
particular mark values.
<programlisting>[!]&lt;value&gt;[/&lt;mask&gt;][:C]</programlisting>
Defines a test on the existing packet or connection mark. The rule will
match only if the test returns true.</para>
<para>If you dont want to define a test but need to specify anything
in the following columns, place a "-" in this field.<simplelist>
in the following columns, place a <quote>-</quote> in this field.<simplelist>
<member>! — Inverts the test (not equal)</member>
<member>&lt;value&gt; — Value of the packet or connection
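Review bot: the context line "If you dont want to define a test" is missing the apostrophe ("don't") and was left as is while the quotes on the same line were being converted; worth fixing in the same pass. The `<simplelist>` also starts on the same line as the end of the paragraph text, which the rest of the file avoids.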
@ -192,14 +194,14 @@
</itemizedlist>
<para>In all columns except ACTION and CHAIN, the values
<quote>-</quote>,<quote>any</quote> and <quote>all</quote> are treated as
<quote>-</quote>, <quote>any</quote> and <quote>all</quote> are treated as
wild-cards.</para>
<para>The accounting rules are evaluated in the Netfilter
<quote>filter</quote> table. This is the same environment where the
<quote>rules</quote> file rules are evaluated and in this environment,
DNAT has already occurred in inbound packets and SNAT has not yet occurred
on outbound ones.</para>
on outbound packets.</para>
<para>Accounting rules are not stateful -- each rule only handles traffic
in one direction. For example, if eth0 is your Internet interface, and you
@ -222,9 +224,9 @@
web:COUNT - eth1 eth0 tcp - 443
DONE web</programlisting>
<para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web"
for Shorewall Lite users) will give you a breakdown of your web
traffic:</para>
<para>Now <command>shorewall show web</command> (or <command>shorewall-lite
show web</command> for Shorewall Lite users) will give you a breakdown
of your web traffic:</para>
<programlisting> [root@gateway shorewall]# shorewall show web
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
@ -251,9 +253,9 @@
COUNT web eth0 eth1
COUNT web eth1 eth0</programlisting>
<para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web"
for Shorewall Lite users) simply gives you a breakdown by input and
output:</para>
<para>Now <command>shorewall show web</command> (or <command>shorewall-lite
show web<command> for Shorewall Lite users) simply gives you a
breakdown by input and output:</para>
<programlisting> [root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
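Review bot: the rewritten line `show web<command> for Shorewall Lite users)` is missing the slash on the closing tag, so the `<command>` element is never closed and the file will no longer validate as XML; it should be `show web</command> for Shorewall Lite users)`, as the equivalent sentence in the earlier `shorewall show web` hunk already has it.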
@ -343,7 +345,7 @@
</listitem>
</itemizedlist>
<para>If the CHAIN column contains '-', then:</para>
<para>If the CHAIN column contains <quote>-</quote>, then:</para>
<itemizedlist>
<listitem>

View File

@ -97,9 +97,10 @@ ACCEPT - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>If you wish to modify one of the standard actions, do not modify
the definition in /usr/share/shorewall. Rather, copy the file to
<filename class="directory">/etc/shorewall</filename> (or somewhere
else on your CONFIG_PATH) and modify the copy.</para>
the definition in <filename
class="directory">/usr/share/shorewall</filename>. Rather, copy the
file to <filename class="directory">/etc/shorewall</filename> (or
somewhere else on your CONFIG_PATH) and modify the copy.</para>
<para>Standard Actions were largely replaced by <ulink
url="Macros.html">macros</ulink> in Shorewall 3.0 and later major
@ -108,9 +109,11 @@ ACCEPT - - tcp 135,139,445
<listitem>
<para>User-defined Actions. These actions are created by end-users.
They are listed in the file /etc/shorewall/actions and are defined in
action.* files in /etc/shorewall or in another directory listed in
your CONFIG_PATH (defined in <ulink
They are listed in the file
<filename>/etc/shorewall/actions</filename> and are defined in
<filename>action.*</filename> files in <filename
class="directory">/etc/shorewall</filename> or in another directory
listed in your CONFIG_PATH (defined in <ulink
url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>).</para>
</listitem>
</orderedlist>
@ -148,22 +151,20 @@ ACCEPT - - tcp 135,139,445
AUTH protocol of client authentication<footnote>
<para>AUTH is actually pretty silly on today's Internet but it's
amazing how many servers still employ it.</para>
</footnote></para>
</footnote>.</para>
</listitem>
</orderedlist>
<para>Shorewall supports default actions for the ACCEPT, REJECT, DROP,
QUEUE and NFQUEUE policies. These default actions are specified in the
/etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT,
REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options
respectively. Policies whose default is set to a value of "none" have no
default action.</para>
<filename>/etc/shorewall/shorewall.conf</filename> file using the
ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and
NFQUEUE_DEFAULT options respectively. Policies whose default is set to a
value of <quote>none</quote> have no default action.</para>
<para></para>
<para>In addition, the default specified in /etc/shorewall/shorewall.conf
may be overridden by specifying a different default in the POLICY column
of <ulink
<para>In addition, the default specified in
<filename>/etc/shorewall/shorewall.conf</filename> may be overridden by
specifying a different default in the POLICY column of <ulink
url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink>.</para>
<warning>
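Review bot: the empty `<para></para>` between the two rewritten paragraphs is left in place; it produces a blank paragraph in the rendered output and should be dropped as part of this cleanup. The footnote change itself (moving the sentence-ending period outside `</footnote>`) is correct.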
@ -177,15 +178,17 @@ ACCEPT - - tcp 135,139,445
<section id="Limit">
<title>Limiting Per-IP Connection Rate</title>
<para>Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' <ulink
url="Actions.html">action</ulink>. Limit is invoked with a comma-separated
list in place of a logging tag. The list has three elements:</para>
<para>Beginning with Shorewall 3.0.4, Shorewall has a <quote>Limit</quote>
<ulink url="Actions.html">action</ulink>. Limit is invoked with a
comma-separated list in place of a logging tag. The list has three
elements:</para>
<orderedlist>
<listitem>
<para>The name of a 'recent' set; you select the set name which must
conform to the rules for a valid chain name. Different rules that
specify the same set name will use the same set of counters.</para>
<para>The name of a <quote>recent</quote> set; you select the set name
which must conform to the rules for a valid chain name. Different
rules that specify the same set name will use the same set of
counters.</para>
</listitem>
<listitem>
@ -200,9 +203,9 @@ ACCEPT - - tcp 135,139,445
<para>Connections that exceed the specified rate are dropped.</para>
<para>For example,to use a recent set name of <emphasis
role="bold">SSHA</emphasis>, and to limiting SSH to 3 per minute, use this
entry in <filename>/etc/shorewall/rules</filename>:</para>
<para>For example, to use a recent set name of <emphasis
role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
use this entry in <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
@ -218,12 +221,12 @@ Limit:info:SSHA,3,60 net $FW tcp 22</programl
<itemizedlist>
<listitem>
<para>The log level. If you don't want to log, specify "none".</para>
<para>The log level. If you don't want to log, specify <quote>none</quote>.</para>
</listitem>
<listitem>
<para>The name of the recent set that you want to use ("SSHA" in this
example).</para>
<para>The name of the recent set that you want to use
(<quote>SSHA</quote> in this example).</para>
</listitem>
<listitem>
@ -246,7 +249,7 @@ Limit:info:SSHA,3,60 net $FW tcp 22</programl
<itemizedlist>
<listitem>
<para>The file
<filename>/usr/share/shorewall/action</filename>.Limit is
<filename>/usr/share/shorewall/action</filename>. Limit is
empty.</para>
</listitem>
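Review bot: this edit changes the meaning rather than the formatting. The original text was naming the file `/usr/share/shorewall/action.Limit` (the action file for the Limit action, following the `action.ActionName` convention documented later in this file) and stating that it is empty; splitting it into `<filename>/usr/share/shorewall/action</filename>. Limit is empty.` reads as if a file called `action` exists and the Limit action itself is empty. Suggest `The file <filename>/usr/share/shorewall/action.Limit</filename> is empty.`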
@ -324,9 +327,9 @@ add_rule $chainref, '-j ACCEPT';
<orderedlist>
<listitem>
<para>Add a line to
<filename><filename>/etc/shorewall/actions</filename></filename> that
<filename>/etc/shorewall/actions</filename> that
names your new action. Action names must be valid shell variable names
((must begin with a letter and be composed of letters, digits and
(must begin with a letter and be composed of letters, digits and
underscore characters) as well as valid Netfilter chain names. If you
intend to log from the action, the name must have a maximum of 11
characters. It is recommended that the name you select for a new
@ -335,8 +338,8 @@ add_rule $chainref, '-j ACCEPT';
<para>The name of the action may be optionally followed by a colon
(<quote>:</quote>) and ACCEPT, DROP or REJECT. When this is done, the
named action will become the <emphasis>default action </emphasis>for
policies of type ACCEPT, DROP or REJECT respectively. The default
named action will become the <emphasis>default action</emphasis> for
policies of type ACCEPT, DROP or REJECT, respectively. The default
action is applied immediately before the policy is enforced (before
any logging is done under that policy) and is used mainly to suppress
logging of uninteresting traffic which would otherwise clog your logs.
@ -350,7 +353,7 @@ add_rule $chainref, '-j ACCEPT';
<listitem>
<para>Once you have defined your new action name (ActionName), then
copy /usr/share/shorewall/action.template to
copy <filename>/usr/share/shorewall/action.template</filename> to
<filename>/etc/shorewall/action.ActionName</filename> (for example, if
your new action name is <quote>Foo</quote> then copy
<filename>/usr/share/shorewall/action.template</filename> to
@ -362,7 +365,8 @@ add_rule $chainref, '-j ACCEPT';
</listitem>
</orderedlist>
<para>Columns in the action.template file are as follows:</para>
<para>Columns in the <filename>action.template</filename> file are as
follows:</para>
<itemizedlist>
<listitem>
@ -392,7 +396,7 @@ add_rule $chainref, '-j ACCEPT';
<listitem>
<para>SOURCE - Source hosts to which the rule applies. A
comma-separated list of subnets and/or hosts. Hosts may be specified
by IP or MAC address; mac addresses must begin with <quote>~</quote>
by IP or MAC address; MAC addresses must begin with <quote>~</quote>
and must use <quote>-</quote> as a separator.</para>
<para>Alternatively, clients may be specified by interface name. For
@ -426,9 +430,9 @@ add_rule $chainref, '-j ACCEPT';
<para>A port range is expressed as &lt;<emphasis>low
port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
<para>This column is ignored if PROTO = "all", but must be entered if
any of the following fields are supplied. In that case, it is
suggested that this field contain <quote>-</quote>.</para>
<para>This column is ignored if PROTO = <quote>all</quote>, but must be
entered if any of the following fields are supplied. In that case, it
is suggested that this field contain <quote>-</quote>.</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the
@ -454,7 +458,8 @@ add_rule $chainref, '-j ACCEPT';
names, port numbers or port ranges.</para>
<para>If you don't want to restrict client ports but need to specify
any of the following fields, then place "-" in this column.</para>
any of the subsequent fields, then place <quote>-</quote> in this
column.</para>
<para>If your kernel contains multi-port match support, then only a
single Netfilter rule will be generated if in this list and in the
@ -536,7 +541,7 @@ add_rule $chainref, '-j ACCEPT';
rule will match only if the test returns true.</para>
<para>If you dont want to define a test but need to specify anything
in the following columns, place a "-" in this field.<simplelist>
in the subsequent columns, place a <quote>-</quote> in this field.<simplelist>
<member>! — Inverts the test (not equal)</member>
<member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
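Review bot: the unchanged context line "If you dont want to define a test" still lacks its apostrophe ("don't"); since the quotes on the following line are being converted in this hunk, fix the spelling here as well.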
@ -552,7 +557,8 @@ add_rule $chainref, '-j ACCEPT';
</listitem>
</itemizedlist>
<para>Omitted column entries should be entered using a dash ("-").</para>
<para>Omitted column entries should be entered using a dash
(<quote>-</quote>).</para>
<para>Example:</para>
@ -563,7 +569,8 @@ add_rule $chainref, '-j ACCEPT';
LogAndAccept # LOG and ACCEPT a connection</programlisting><emphasis
role="bold">Note:</emphasis> If your
<filename>/etc/shorewall/actions</filename> file doesn't have an
indication where to place the comment, put the '#' in column 21.</para>
indication where to place the comment, put the <quote>#</quote> in column
21.</para>
<para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting> LOG:info
ACCEPT</programlisting></para>
@ -607,8 +614,8 @@ bar:info</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug $FW net</programlisting>
<para>Logging in the invoke 'foo' action will be as if foo had been
defined as:</para>
<para>Logging in the invoke <quote>foo</quote> action will be as if foo
had been defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
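Review bot: "Logging in the invoke <quote>foo</quote> action" is still ungrammatical after the quote conversion; it should be "Logging in the invoked <quote>foo</quote> action" (or "in the <quote>foo</quote> action as invoked above").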
@ -616,8 +623,9 @@ bar:info</programlisting>
</listitem>
<listitem>
<para>If you follow the log level with "!" then logging will be set at
that level for all rules recursively invoked by the action.</para>
<para>If you follow the log level with <quote>!</quote> then logging
will be set at that level for all rules recursively invoked by the
action.</para>
<para>Example:</para>
@ -632,8 +640,8 @@ bar:info</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
foo:debug! $FW net</programlisting>
<para>Logging in the invoke 'foo' action will be as if foo had been
defined as:</para>
<para>Logging in the invoke <quote>foo</quote> action will be as if foo
had been defined as:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST PORT(S)
ACCEPT:debug - - tcp 22
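Review bot: same wording problem as the earlier foo:debug example: "Logging in the invoke <quote>foo</quote> action" should be "Logging in the invoked <quote>foo</quote> action".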
@ -641,8 +649,8 @@ bar:debug</programlisting>
</listitem>
</orderedlist>
<para>If you define an action 'acton' and you have an
<filename>/etc/shorewall/acton</filename> script then when that script is
<para>If you define an action <quote>acton</quote> and you have an
<filename>/etc/shorewall/acton</filename> script, when that script is
invoked, the following three variables will be set for use by the
script:</para>
@ -670,19 +678,20 @@ bar:debug</programlisting>
<programlisting>#ACTION SOURCE DEST
acton:info:test $FW net</programlisting>
<para>Your /etc/shorewall/acton file will be run with:</para>
<para>Your </filename>/etc/shorewall/acton</filename> file will be run
with:</para>
<itemizedlist>
<listitem>
<para>$CHAIN="%acton1"</para>
<para>$CHAIN=<quote>%acton1</quote></para>
</listitem>
<listitem>
<para>$LEVEL="info"</para>
<para>$LEVEL=<quote>info</quote></para>
</listitem>
<listitem>
<para>$TAG="test"</para>
<para>$TAG=<quote>test</quote></para>
</listitem>
</itemizedlist>
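Review bot: `Your </filename>/etc/shorewall/acton</filename> file` opens with a closing tag, so the element is never opened and the document is no longer well-formed XML; it should be `<filename>/etc/shorewall/acton</filename>`. A second point on the list items below it: `$CHAIN="%acton1"`, `$LEVEL="info"` and `$TAG="test"` describe shell variable values, so replacing the literal double quotes with `<quote>` changes what the reader is told the script will see; keeping the literal quotes (or wrapping each assignment in `<literal>`) would be more accurate than treating them as quoted prose.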
@ -714,8 +723,8 @@ acton:info:test $FW net</programlisting>
<title>Creating an Action using an Extension Script</title>
<para>There may be cases where you wish to create a chain with rules that
can't be constructed using the tools defined in the action.template. In
that case, you can use an <ulink
can't be constructed using the tools defined in the
<filename>action.template</filename>. In that case, you can use an <ulink
url="shorewall_extension_scripts.htm">extension script</ulink>.<note>
<para>If you actually need an action to drop broadcast packets, use
the <command>dropBcast</command> standard action rather than create