mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
fixed quotes, add CVS Id
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@972 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
caf8e2a63e
commit
be5a11b988
@ -2,6 +2,8 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
<article id="Shorewall_and_Aliased_Interfaces">
|
<article id="Shorewall_and_Aliased_Interfaces">
|
||||||
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>Shorewall and Aliased Interfaces</title>
|
<title>Shorewall and Aliased Interfaces</title>
|
||||||
|
|
||||||
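Review bot: the inserted `<!--$Id$-->` will only ever be expanded if each touched file also carries the Subversion `svn:keywords` property; the `git-svn-id` line in this commit shows the tree lives in SVN, where keywords are off by default, so without `svn propset svn:keywords Id <file>` the comment stays as the literal text `<!--$Id$-->` in every one of the four articles this commit adds it to. Either set the property in the same commit or drop the placeholder, since a never-expanded `$Id$` gives a false sense that the file is version-stamped.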
@ -30,8 +32,8 @@
|
|||||||
document under the terms of the GNU Free Documentation License, Version
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled "<ulink
|
Texts. A copy of the license is included in the section entitled
|
||||||
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -75,15 +77,15 @@ eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
|
|||||||
[root@gateway root]# </programlisting>
|
[root@gateway root]# </programlisting>
|
||||||
|
|
||||||
<para><note><para>One <emphasis role="bold">cannot</emphasis> type
|
<para><note><para>One <emphasis role="bold">cannot</emphasis> type
|
||||||
"ip addr show dev eth0:0" because "eth0:0" is a label
|
<quote>ip addr show dev eth0:0</quote> because <quote>eth0:0</quote> is
|
||||||
for a particular address rather than a device name.</para><programlisting>[root@gateway root]# ip addr show dev eth0:0
|
a label for a particular address rather than a device name.</para><programlisting>[root@gateway root]# ip addr show dev eth0:0
|
||||||
Device "eth0:0" does not exist.
|
Device "eth0:0" does not exist.
|
||||||
[root@gateway root]#</programlisting></note></para>
|
[root@gateway root]#</programlisting></note></para>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
<para>The iptables program doesn't support virtual interfaces in
|
<para>The iptables program doesn't support virtual interfaces in
|
||||||
either it's "-i" or "-o" command options; as a
|
either it's <quote>-i</quote> or <quote>-o</quote> command options; as
|
||||||
consequence, Shorewall does not allow them to be used in the
|
a consequence, Shorewall does not allow them to be used in the
|
||||||
/etc/shorewall/interfaces file or anywhere else except as described in the
|
/etc/shorewall/interfaces file or anywhere else except as described in the
|
||||||
discussion below.</para>
|
discussion below.</para>
|
||||||
</section>
|
</section>
|
||||||
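Review bot: the rewritten line `either it's <quote>-i</quote> or <quote>-o</quote> command options` carries the original's possessive typo along; since the line is being rewritten anyway it should read `either its <option>-i</option> or <option>-o</option> command options`. DocBook's `<quote>` is meant for quoted speech and renders locale-dependent quotation marks, whereas `-i`/`-o` are iptables command options, so `<option>` (or `<literal>`) is the element that matches the meaning; the same applies to `<quote>eth0:0</quote>` and `<quote>ip addr show dev eth0:0</quote>` earlier in this hunk, which are an address label and a command rather than quotations.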
@ -230,7 +232,7 @@ esac</programlisting>
|
|||||||
|
|
||||||
<para>Shorewall can create the alias (additional address) for you if you
|
<para>Shorewall can create the alias (additional address) for you if you
|
||||||
set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
|
set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
|
||||||
with Shorewall 1.3.14, Shorewall can actually create the "label"
|
with Shorewall 1.3.14, Shorewall can actually create the <quote>label</quote>
|
||||||
(virtual interface) so that you can see the created address using
|
(virtual interface) so that you can see the created address using
|
||||||
ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the
|
ifconfig. In addition to setting ADD_SNAT_ALIASES=Yes, you specify the
|
||||||
virtual interface name in the INTERFACE column as follows:</para>
|
virtual interface name in the INTERFACE column as follows:</para>
|
||||||
@ -311,7 +313,7 @@ eth0:2 = 206.124.146.180</programlisting>
|
|||||||
|
|
||||||
<para>Shorewall can create the alias (additional address) for you if you
|
<para>Shorewall can create the alias (additional address) for you if you
|
||||||
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
|
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
|
||||||
Shorewall 1.3.14, Shorewall can actually create the "label"
|
Shorewall 1.3.14, Shorewall can actually create the <quote>label</quote>
|
||||||
(virtual interface) so that you can see the created address using
|
(virtual interface) so that you can see the created address using
|
||||||
ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the
|
ifconfig. In addition to setting ADD_IP_ALIASES=Yes, you specify the
|
||||||
virtual interface name in the INTERFACE column as follows:</para>
|
virtual interface name in the INTERFACE column as follows:</para>
|
||||||
@ -501,7 +503,7 @@ eth0:2 = 206.124.146.180</programlisting>
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
<note id="multiple_subnets-ex1-n1">
|
<note id="multiple_subnets-ex1-n1">
|
||||||
<para> If you are running Shorewall 1.3.10 or earlier then you
|
<para>If you are running Shorewall 1.3.10 or earlier then you
|
||||||
must specify the <emphasis role="bold">multi</emphasis>
|
must specify the <emphasis role="bold">multi</emphasis>
|
||||||
option.</para>
|
option.</para>
|
||||||
</note>
|
</note>
|
||||||
@ -564,8 +566,8 @@ eth0:2 = 206.124.146.180</programlisting>
|
|||||||
align="center">INTERFACE</entry><entry align="center">BROADCAST</entry><entry
|
align="center">INTERFACE</entry><entry align="center">BROADCAST</entry><entry
|
||||||
align="center">OPTIONS</entry></row></thead><tbody><row><entry>-</entry><entry>eth1</entry><entry>192.168.1.255,192.168.20.255</entry><entry><xref
|
align="center">OPTIONS</entry></row></thead><tbody><row><entry>-</entry><entry>eth1</entry><entry>192.168.1.255,192.168.20.255</entry><entry><xref
|
||||||
linkend="multiple_subnets-ex2-n1" /></entry></row></tbody></tgroup></table><note
|
linkend="multiple_subnets-ex2-n1" /></entry></row></tbody></tgroup></table><note
|
||||||
id="multiple_subnets-ex2-n1"><para> If you are running Shorewall
|
id="multiple_subnets-ex2-n1"><para>If you are running Shorewall 1.3.10
|
||||||
1.3.10 or earlier then you must specify the <emphasis role="bold">multi</emphasis>
|
or earlier then you must specify the <emphasis role="bold">multi</emphasis>
|
||||||
option.</para></note></para>
|
option.</para></note></para>
|
||||||
|
|
||||||
<para>In /etc/shorewall/hosts:<table><title>/etc/shorewall/hosts</title><tgroup
|
<para>In /etc/shorewall/hosts:<table><title>/etc/shorewall/hosts</title><tgroup
|
||||||
|
@ -2,6 +2,8 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
<article id="Shorewall_and_Kazaa">
|
<article id="Shorewall_and_Kazaa">
|
||||||
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>Kazaa Filtering</title>
|
<title>Kazaa Filtering</title>
|
||||||
|
|
||||||
@ -26,22 +28,22 @@
|
|||||||
document under the terms of the GNU Free Documentation License, Version
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled "<ulink
|
Texts. A copy of the license is included in the section entitled
|
||||||
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
<para>Beginning with Shorewall version 1.4.8, Shorewall can interface to
|
<para>Beginning with Shorewall version 1.4.8, Shorewall can interface to
|
||||||
ftwall. <emphasis role="bold">ftwall</emphasis> is part of the <ulink
|
ftwall. <emphasis role="bold">ftwall</emphasis> is part of the <ulink
|
||||||
url="http://p2pwall.sourceforge.net">p2pwall project</ulink> and is a
|
url="http://p2pwall.sourceforge.net">p2pwall project</ulink> and is a
|
||||||
user-space filter for applications based on the "Fast Track" peer to
|
user-space filter for applications based on the <quote>Fast Track</quote>
|
||||||
peer protocol. Applications using this protocol include Kazaa, KazaaLite,
|
peer to peer protocol. Applications using this protocol include Kazaa,
|
||||||
iMash and Grokster.</para>
|
KazaaLite, iMash and Grokster.</para>
|
||||||
|
|
||||||
<para>To filter traffic from your 'loc' zone with ftwall, you insert
|
<para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
|
||||||
the following rules <emphasis role="bold">near the top</emphasis> of your
|
insert the following rules <emphasis role="bold">near the top</emphasis> of
|
||||||
/etc/shorewall/rules file (before and ACCEPT rules whose source is the
|
your /etc/shorewall/rules file (before and ACCEPT rules whose source is the
|
||||||
'loc' zone).</para>
|
<quote>loc</quote> zone).</para>
|
||||||
|
|
||||||
<programlisting> QUEUE loc net tcp
|
<programlisting> QUEUE loc net tcp
|
||||||
QUEUE loc net udp
|
QUEUE loc net udp
|
||||||
|
@ -2,6 +2,8 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
<article id="UserSets">
|
<article id="UserSets">
|
||||||
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>Controlling Output Traffic by UID/GID</title>
|
<title>Controlling Output Traffic by UID/GID</title>
|
||||||
|
|
||||||
@ -26,8 +28,8 @@
|
|||||||
document under the terms of the GNU Free Documentation License, Version
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled "<ulink
|
Texts. A copy of the license is included in the section entitled
|
||||||
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -42,9 +44,9 @@
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Shorewall allows you to define collections of users called "<link
|
<para>Shorewall allows you to define collections of users called
|
||||||
linkend="UserSet">User Sets</link>" and then to restrict certain
|
<quote><link linkend="UserSet">User Sets</link></quote> and then to
|
||||||
rules in /etc/shorewall/rules to a given User Set.</para>
|
restrict certain rules in /etc/shorewall/rules to a given User Set.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -105,7 +107,7 @@
|
|||||||
|
|
||||||
<para>In the REJECT and ACCEPT columns, if you don't want to specify a
|
<para>In the REJECT and ACCEPT columns, if you don't want to specify a
|
||||||
value in the column but you want to specify a value in a following column,
|
value in the column but you want to specify a value in a following column,
|
||||||
you may enter "-".</para>
|
you may enter <quote>-</quote>.</para>
|
||||||
|
|
||||||
<para>Users and/or groups are added to User Sets using the
|
<para>Users and/or groups are added to User Sets using the
|
||||||
/etc/shorewall/users file. Columns in that file are:</para>
|
/etc/shorewall/users file. Columns in that file are:</para>
|
||||||
@ -137,7 +139,7 @@
|
|||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>Only one of the USER and GROUP column needs to be non-empty. If you
|
<para>Only one of the USER and GROUP column needs to be non-empty. If you
|
||||||
wish to specify a GROUP but not a USER, enter "-" in the user
|
wish to specify a GROUP but not a USER, enter <quote>-</quote> in the user
|
||||||
column.</para>
|
column.</para>
|
||||||
|
|
||||||
<para>If both USER and GROUP are specified then only programs running
|
<para>If both USER and GROUP are specified then only programs running
|
||||||
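Review bot: `Only one of the USER and GROUP column needs to be non-empty` should say `columns`, since two columns are named; the neighbouring line is already being rewritten for the `<quote>-</quote>` change, so this is a cheap fix to fold in.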
@ -151,14 +153,14 @@
|
|||||||
<para>When the name of a user set is given in the USER SET column, you
|
<para>When the name of a user set is given in the USER SET column, you
|
||||||
may not include a log level in the ACTION column; logging of such rules
|
may not include a log level in the ACTION column; logging of such rules
|
||||||
is governed solely by the user set's definition in the
|
is governed solely by the user set's definition in the
|
||||||
/etc/shorewall/userset file. </para>
|
/etc/shorewall/userset file.</para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>You want members of the 'admin' group and 'root'
|
<title>You want members of the <quote>admin</quote> group and
|
||||||
to be able to use ssh on the firewall to connect to local systems. You
|
<quote>root</quote> to be able to use ssh on the firewall to connect to
|
||||||
want to log all connections accepted for these users using syslog at the
|
local systems. You want to log all connections accepted for these users
|
||||||
'info' level.</title>
|
using syslog at the <quote>info</quote> level.</title>
|
||||||
|
|
||||||
<para>/etc/shorewall/usersets</para>
|
<para>/etc/shorewall/usersets</para>
|
||||||
|
|
||||||
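Review bot: this hunk names the defining file as `/etc/shorewall/userset` (singular), while the example that follows a few lines later is headed `<para>/etc/shorewall/usersets</para>` and the article otherwise speaks of "User Sets". Only one of those can be the file Shorewall actually reads, and a reader who creates the other one will get rules that silently refer to an undefined set; check which name the code looks for and use it in both places.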
@ -189,14 +191,14 @@ ACCEPT $FW loc tcp 22 - - -
|
|||||||
<programlisting>[ <<emphasis>user name or number</emphasis>> ] : [ <<emphasis>group name or number</emphasis>> ]</programlisting>
|
<programlisting>[ <<emphasis>user name or number</emphasis>> ] : [ <<emphasis>group name or number</emphasis>> ]</programlisting>
|
||||||
|
|
||||||
<para>When a user and/or group name is given in the USER SET column, it is
|
<para>When a user and/or group name is given in the USER SET column, it is
|
||||||
OK to specify a log level in the ACTION column. </para>
|
OK to specify a log level in the ACTION column.</para>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>You want user <emphasis role="bold">mail</emphasis> to be able to
|
<title>You want user <emphasis role="bold">mail</emphasis> to be able to
|
||||||
send email from the firewall to the local net zone</title>
|
send email from the firewall to the local net zone</title>
|
||||||
|
|
||||||
<para>/etc/shorewall/rules (be sure to note the ":" in the USER
|
<para>/etc/shorewall/rules (be sure to note the <quote>:</quote> in the
|
||||||
SET column entry).</para>
|
USER SET column entry).</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER
|
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER
|
||||||
# PORT(S) DESTINATION SET
|
# PORT(S) DESTINATION SET
|
||||||
|
@ -2,6 +2,8 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
<article id="VPN">
|
<article id="VPN">
|
||||||
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>VPN</title>
|
<title>VPN</title>
|
||||||
|
|
||||||
@ -49,7 +51,7 @@
|
|||||||
<para>If PPTP is being used, there are no firewall requirements beyond the
|
<para>If PPTP is being used, there are no firewall requirements beyond the
|
||||||
default loc->net ACCEPT policy. There is one restriction however: Only
|
default loc->net ACCEPT policy. There is one restriction however: Only
|
||||||
one local system at a time can be connected to a single remote gateway
|
one local system at a time can be connected to a single remote gateway
|
||||||
unless you patch your kernel from the 'Patch-o-matic' patches
|
unless you patch your kernel from the <quote>Patch-o-matic</quote> patches
|
||||||
available at <ulink url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
|
available at <ulink url="http://www.netfilter.org">http://www.netfilter.org</ulink>.</para>
|
||||||
|
|
||||||
<para>If IPSEC is being used then only one system may connect to the
|
<para>If IPSEC is being used then only one system may connect to the
|
||||||
|
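Review bot: `Patch-o-matic` is the name of the netfilter patch collection that the `<ulink>` on the next line points at, not a term being introduced, so replacing the old single quotes with `<quote>` keeps quotation marks around a proper name where none are needed; plain text (or `<application>Patch-o-matic</application>`) reads more naturally.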