more updates for v3..

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2713 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
judas_iscariote 2005-09-19 19:27:22 +00:00
parent 1a5852b7c9
commit ae60b56f41


@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-09-12</pubdate> <pubdate>2005-09-19</pubdate>
<copyright> <copyright>
<year>2002-2005</year> <year>2002-2005</year>
@ -34,6 +34,13 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<section> <section>
<title>Introduction</title> <title>Introduction</title>
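Review bot: the new caution tells readers on releases earlier than 3.0.0 to "see the documentation for that release" but gives them nothing to follow; add a ulink to the earlier release documentation inside the caution so the pointer is actionable, in the same way the rest of this article links its cross-references.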
@ -340,13 +347,13 @@ $FW net ACCEPT</programlisting>
to the computer using a cross-over cable).</para> to the computer using a cross-over cable).</para>
<caution> <caution>
<para>Do not connect the internal and external interface to the same hub <para><emphasis role="bold">Do NOT connect the internal and external
or switch except for testing AND you are running Shorewall version 1.4.7 interface to the same hub or switch except for testing</emphasis>. You
or later. When using these recent versions, you can test using this kind can test using this kind of configuration if you specify the arp_filter
of configuration if you specify the arp_filter option in option in <filename>/etc/shorewall/interfaces</filename> for all
<filename>/etc/shorewall/interfaces</filename> for all interfaces interfaces connected to the common hub/switch. <emphasis
connected to the common hub/switch. Using such a setup with a production role="bold">Using such a setup with a production firewall is strongly
firewall is strongly recommended against.</para> recommended against</emphasis>.</para>
</caution> </caution>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
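Review bot: dropping the "Shorewall version 1.4.7 or later" qualifier is consistent with the 3.0-only scope declared in the new caution above, but the rewritten text now names the arp_filter option without saying where it is documented; consider linking arp_filter to the interfaces-file documentation the way /etc/shorewall/interfaces is already marked up with filename, so the reader knows where to look up that option before relying on it for a test setup.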
@ -732,19 +739,16 @@ DNS/ACCEPT dmz $FW </programlisting> Run name server on DMZ
DNS/ACCEPT loc dmz:10.10.11.1 DNS/ACCEPT loc dmz:10.10.11.1
DNS/ACCEPT $FW dmz:10.10.11.1 </programlisting></para> DNS/ACCEPT $FW dmz:10.10.11.1 </programlisting></para>
<para>In the rules shown above, <quote>AllowDNS</quote> is an example of a <para>In the rules shown above, <quote>DNS/ACCEPT</quote> is an example of
<emphasis>defined action</emphasis>. Shorewall includes a number of a <emphasis>defined macro</emphasis>. Shorewall includes a number of
defined actions and <ulink url="Actions.html">you can add your defined macros and <ulink url="Actions.html">you can add your own</ulink>.
own</ulink>. To see the list of actions included with your version of To see the list of macros included with your version of Shorewall, look in
Shorewall, look in the file the file <filename>/usr/share/shorewall/actions.std</filename>.</para>
<filename>/usr/share/shorewall/actions.std</filename>. Those actions that
accept connection requests have names that begin with
<quote>Allow</quote>.</para>
<para>You don't have to use defined actions when coding a rule in <para>You don't have to use defined macros when coding a rule in
<filename>/etc/shorewall/rules</filename>; the generated Netfilter ruleset <filename>/etc/shorewall/rules</filename>; the generated Netfilter ruleset
is slightly more efficient if you code your rules directly rather than is slightly more efficient if you code your rules directly rather than
using defined actions. The first example above (name server on the using defined macros. The first example above (name server on the
firewall) could also have been coded as follows:</para> firewall) could also have been coded as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
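Review bot: the rename from "defined action" to "defined macro" is not carried through to the references in this paragraph: the new text still sends the reader to /usr/share/shorewall/actions.std to "see the list of macros", and the ulink still points at Actions.html. If macros are shipped separately from the actions list, the path and the link should name the macro documentation instead; if actions.std really does list both, the sentence should say so, because as written it tells the reader to look for macros in a file named for actions.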
@ -753,8 +757,8 @@ ACCEPT loc $FW udp 53
ACCEPT dmz $FW tcp 53 ACCEPT dmz $FW tcp 53
ACCEPT dmz $FW udp 53 </programlisting> ACCEPT dmz $FW udp 53 </programlisting>
<para>In cases where Shorewall doesn't include a defined action to meet <para>In cases where Shorewall doesn't include a defined macro to meet
your needs, you can either define the action yourself or you can simply your needs, you can either define the macro yourself or you can simply
code the appropriate rules directly.</para> code the appropriate rules directly.</para>
</section> </section>
@ -775,7 +779,7 @@ SSH/ACCEPT loc dmz </programlisting>Those rules allow you to run
connect to those servers from your local systems.</para> connect to those servers from your local systems.</para>
<para>If you wish to enable other connections between your systems, the <para>If you wish to enable other connections between your systems, the
general format for using a defined action is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) general format for using a defined macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
&lt;<emphasis>macro</emphasis>&gt; <emphasis>&lt;source zone&gt; &lt;destination zone&gt;</emphasis></programlisting></para> &lt;<emphasis>macro</emphasis>&gt; <emphasis>&lt;source zone&gt; &lt;destination zone&gt;</emphasis></programlisting></para>
<para>The general format when not using a defined action <para>The general format when not using a defined action
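Review bot: the trailing context line still reads "The general format when not using a defined action" while the sentence immediately above it was changed to "defined macro" in this same hunk; change it to "defined macro" so the two adjacent paragraphs use the same term, as the rest of this commit does.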
@ -892,17 +896,16 @@ ACCEPT net $FW tcp 80 </programlisting><it
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>The <ulink url="Install.htm">installation procedure</ulink> <para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but beginning configures your system to start Shorewall at system boot but startup is
with Shorewall version 1.3.9 startup is disabled so that your system won't disabled so that your system won't try to start Shorewall before
try to start Shorewall before configuration is complete. Once you have configuration is complete. Once you have completed configuration of your
completed configuration of your firewall, you can enable Shorewall startup firewall, you can enable Shorewall startup by removing the file
by removing the file <filename>/etc/shorewall/startup_disabled</filename>. <filename>/etc/shorewall/startup_disabled</filename>. <important>
<important>
<para>Users of the <filename>.deb</filename> package must edit <para>Users of the <filename>.deb</filename> package must edit
<filename>/etc/default/shorewall</filename> and set <filename>/etc/default/shorewall</filename> and set
<varname>startup=1</varname>.</para> <varname>startup=1</varname>.</para>
</important><important> </important><important>
<para>Users running Shorewall 2.1.3 or later should edit <para>You should edit
<filename>/etc/shorewall/shorewall.conf</filename> and set <filename>/etc/shorewall/shorewall.conf</filename> and set
STARTUP_ENABLED=Yes.</para> STARTUP_ENABLED=Yes.</para>
</important>The firewall is started using the <command>shorewall </important>The firewall is started using the <command>shorewall
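Review bot: in the new text the `<important>` element has been pulled onto the end of the preceding para's line (`...startup_disabled</filename>. <important>`), whereas the old layout kept it on its own line; leave the element on its own line so the markup matches the surrounding file and future diffs stay readable. Separately, `STARTUP_ENABLED=Yes` is bare text while the equivalent Debian setting two lines earlier is marked up as `<varname>startup=1</varname>`; wrap it in `<varname>` for consistency.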