From c117061c213cbb7b5bf20ff427fecad60abfb65f Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 15 Nov 2006 23:32:14 +0000 Subject: [PATCH] Finish rules man page git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4890 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- manpages/shorewall-rules.xml | 586 ++++++++++++++++++++++++++++++++--- 1 file changed, 538 insertions(+), 48 deletions(-) diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index 90b35de81..6ce02e567 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -47,7 +47,7 @@ - ESTABLISHED + ESTABLISHED Packets in the ESTABLISHED state are processed by rules in @@ -62,7 +62,7 @@ - RELATED + RELATED Packets in the RELATED state are processed by rules in this @@ -77,7 +77,7 @@ - NEW + NEW Packets in the NEW and INVALID states are processed by rules 
@@ -89,34 +89,34 @@ If you are not familiar with Netfilter to the point where you are comfortable with the differences between the various connection tracking - states, then I suggest that you omit the ESTABLISHED and RELATED - sections and place all of your rules in the NEW section (That's after - the line that reads SECTION NEW'). + states, then I suggest that you omit the ESTABLISHED and RELATED sections and place all of your rules in + the NEW section (That's after the line that reads SECTION NEW'). If you specify FASTACCEPT=Yes in shorewall.conf(5) then the - ESTABLISHED and RELATED sections must be empty. + ESTABLISHED and RELATED sections must be empty. You may omit any section that you don't need. If no Section Headers - appear in the file then all rules are assumed to be in the NEW section. - + appear in the file then all rules are assumed to be in the NEW + section. The columns in the file are as follows. - ACTION + ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, LOG, - QUEUE, COMMENT, a macro, or an - action. + Must be one of the following. - ACCEPT + ACCEPT Allow the connection request. @@ -124,16 +124,19 @@ - ACCEPT+ + ACCEPT+ like ACCEPT but also excludes the connection from any - subsequent DNAT[-] or REDIRECT[-] rules + subsequent DNAT[-] or REDIRECT[-] rules - NONAT + NONAT Excludes the connection from any subsequent - DROP + DROP Ignore the request. @@ -152,7 +155,7 @@ - REJECT + REJECT disallow the request and return an icmp-unreachable or @@ -161,7 +164,7 @@ - DNAT + DNAT Forward the request to another system (and optionally 
@@ -170,39 +173,43 @@ - DNAT- + DNAT- Advanced users only. - Like DNAT but only generates the DNAT iptables rule and - not the companion ACCEPT rule. + Like DNAT but only + generates the DNAT iptables + rule and not the companion ACCEPT rule. - SAME + SAME - Similar to DNAT except that the port may not be remapped - and when multiple server addresses are listed, all requests - from a given remote system go to the same server. + Similar to DNAT except + that the port may not be remapped and when multiple server + addresses are listed, all requests from a given remote system + go to the same server. - SAME- + SAME- Advanced users only. Like SAME but only generates the NAT iptables rule and - not the companion ACCEPT rule. + not the companion ACCEPT + rule. - REDIRECT + REDIRECT Redirect the request to a server on the firewall. @@ -210,21 +217,23 @@ - REDIRECT- + REDIRECT- Advanced users only. - Like REDIRET but only generates the REDIRECT iptables - rule and not the companion ACCEPT rule. + Like REDIRECT but only + generates the REDIRECT + iptables rule and not the companion ACCEPT rule. - CONTINUE + CONTINUE - For experts only. + For experts only. Do not process any of the following rules for this (source zone,destination zone). If the source and/or @@ -235,7 +244,7 @@ - LOG + LOG Simply log the packet and continue. @@ -243,7 +252,7 @@ - QUEUE + QUEUE Queue the packet to a user-space application such as @@ -252,7 +261,7 @@ - COMMENT + COMMENT the rest of the line will be attached as a comment to @@ -269,7 +278,7 @@ The name of an action defined in - shorewall.actions(5) or in + shorewall-actions(5) or in /usr/share/shorewall/actions.std. @@ -282,7 +291,9 @@ macro accepts an action parameter (Look at the macro source to see if it has PARAM in the TARGET column) then the macro name is followed by "/" and the - action (ACCEPT, DROP, REJECT, ...) to be substituted for the + action (ACCEPT, DROP, REJECT, ...) to be substituted for the parameter. Example: FTP/ACCEPT. 
@@ -290,13 +301,14 @@ - The ACTION may optionally be followed by ":" and a syslog log - level (e.g, REJECT:info or DNAT:debug). This causes the packet to be - logged at the specified level. + The ACTION may optionally be + followed by ":" and a syslog log level (e.g, REJECT:info or + DNAT:debug). This causes the packet to be logged at the specified + level. - If the ACTION names an action defined in - shorewall.actions(5) or in /usr/share/shorewall/actions.std - then: + If the ACTION names an + action defined in shorewall-actions(5) or in + /usr/share/shorewall/actions.std then: 
@@ -329,19 +341,497 @@ the log prefix generated by the LOGPREFIX setting. + + + SOURCE + + + Source hosts to which the rule applies. May be a zone defined + in /etc/shorewall/zones, $FW to + indicate the firewall itself, all, + all+, all-, all+- + or none. + + When none is used either in + the SOURCE or DEST column, the rule is ignored. + + all means "All Zones", + including the firewall itself. all- + means "All Zones, except the firewall itself". When all[-] is + used either in the SOURCE or + DEST column intra-zone traffic is + not affected. When all+[-] is "used, intra-zone traffic is + affected. + + Except when all[+][-] is + specified, clients may be further restricted to a list of subnets + and/or hosts by appending ":" and a comma-separated list of subnets + and/or hosts. Hosts may be specified by IP or MAC address; mac + addresses must begin with "~" and must use "-" as a + separator. + + Hosts may be specified as an IP address range using the syntax + lowaddress-highaddress. + This requires that your kernel and iptables contain iprange match + support. If you kernel and iptables have ipset match support then + you may give the name of an ipset prefaced by "+". The ipset name + may be optionally followed by a number from 1 to 6 enclosed in + square brackets ([]) to indicate the number of levels of source + bindings to be matched. + + Examples: + + + + dmz:192.168.2.2 + + + Host 192.168.2.2 in the DMZ + + + + + net:155.186.235.0/24 + + + Subnet 155.186.235.0/24 on the Internet + + + + + loc:192.168.1.1,192.168.1.2 + + + Hosts 192.168.1.1 and 192.168.1.2 in the local + zone. + + + + + loc:~00-A0-C9-15-39-78 + + + Host in the local zone with MAC address + 00:A0:C9:15:39:78. + + + + + net:192.0.2.11-192.0.2.17 + + + Hosts 192.0.2.11-192.0.2.17 in the net zone. + + + + + Alternatively, clients may be specified by interface by + appending ":" to the zone name followed by the interface name. 
For + example, loc:eth1 specifies a client that communicates with the + firewall system through eth1. This may be optionally followed by + another colon (":") and an IP/MAC/subnet address as described above + (e.g., loc:eth1:192.168.1.5). + + + + + DEST + + + Location of Server. May be a zone defined in + shorewall-zones(5), $FW to indicate + the firewall itself, all. all+ or none. + + When none is used either in + the SOURCE or DEST column, the rule is ignored. + + When all is used either in + the SOURCE or DEST column intra-zone traffic is not + affected. When all+ is used, + intra-zone traffic is affected. + + Except when all[+] is specified, the server may be further + restricted to a particular subnet, host or interface by appending + ":" and the subnet, host or interface. See above. + + Restrictions: + + 1. MAC addresses are not allowed. + + 2. In DNAT rules, only IP + addresses are allowed; no FQDNs or subnet addresses are + permitted. + + 3. You may not specify both an interface and an + address. + + Like in the SOURCE column, + you may specify a range of IP addresses using the syntax + lowaddress-highaddress. + When the ACTION is DNAT or DNAT-, the connections will be assigned to + addresses in the range in a round-robin fashion. + + If you kernel and iptables have ipset match support then you + may give the name of an ipset prefaced by "+". The ipset name may be + optionally followed by a number from 1 to 6 enclosed in square + brackets ([]) to indicate the number of levels of destination + bindings to be matched. Only one of the SOURCE and DEST columns may specify an ipset + name. + + The port that the server is listening on may be included and + separated from the server's IP address by ":". If omitted, the + firewall will not modifiy the destination port. A destination port + may only be included if the ACTION + is DNAT or REDIRECT. 
Example: + + + + Example: + + + "loc:192.168.1.3:3128" specifies a local server at IP + address 192.168.1.3 and listening on port 3128. The port + number MUST be specified as an integer and not as a name from + services(5). + + + + + if the ACTION is REDIRECT, this column needs only to contain + the port number on the firewall that the request should be + redirected to. + + + + + PROTO (Optional) + + + Protocol - Must be tcp, + tcp:syn, udp, icmp, + ipp2p, + ipp2p:udp, ipp2p:all a + number, or all. ipp2p* + requires ipp2p match support in your kernel and iptables. tcp:syn implies tcp plus the SYN flag must be set and the + RST,ACK and FIN flags must be reset. + + + + + DEST PORT(S) (Optional) + + + Destination Ports. A comma-separated list of Port names (from + services(5)), port numbers or port ranges; if the protocol is + icmp, this column is interpreted as + the destination icmp-type(s). + + If the protocol is ipp2p, + this column is interpreted as an ipp2p option without the leading + "--" (example bit for bit-torrent). + If no port is given, ipp2p is + assumed. + + A port range is expressed as + lowport:highport. + + This column is ignored if PROTO = all + but must be entered if any of the following columns are supplied. In + that case, it is suggested that this field contain a dash (-). + + If your kernel contains multi-port match support, then only a + single Netfilter rule will be generated if in this list and the + CLIENT PORT(S) list below: + + 1. There are 15 or less ports listed. + + 2. No port ranges are included or your kernel and iptables + contain extended multiport match support. + + Otherwise, a separate rule will be generated for each + port. + + + + + SOURCE PORT(S) + (Optional) + + + Port(s) used by the client. If omitted, any source port is + acceptable. Specified as a comma- separated list of port names, port + numbers or port ranges. 
+ + + Unless you really understand TCP/IP, you should leave this + column empty or place a dash (-) + in the column. Most people who try to use this column get it + wrong. + + + If you don't want to restrict client ports but need to specify + an ORIGINAL DEST in the next + column, then place "-" in this column. + + If your kernel contains multi-port match support, then only a + single Netfilter rule will be generated if in this list and the + DEST PORT(S) list above: + + 1. There are 15 or less ports listed. + + 2. No port ranges are included or your kernel and iptables + contain extended multiport match support. + + Otherwise, a separate rule will be generated for each + port. + + + + + ORIGINAL DEST (Optional) + + + If ACTION is DNAT[-] or REDIRECT[-] + then if included and different from the IP address given in the + SERVER column, this is an address + on some interface on the firewall and connections to that address + will be forwarded to the IP and port specified in the DEST column. + + A comma-separated list of addresses may also be used. This is + usually most useful with the REDIRECT target where you want to redirect + traffic destined for particular set of hosts. Finally, if the list + of addresses begins with "!" then the rule will be followed only if + the original destination address in the connection request does not + match any of the addresses listed. + + For other actions, this column may be included and may contain + one or more addresses (host or network) separated by commas. Address + ranges are not allowed. When this column is supplied, rules are + generated that require that the original destination address matches + one of the listed addresses. This feature is most useful when you + want to generate a filter rule that corresponds to a DNAT- or REDIRECT- rule. In this usage, the list of + addresses should not begin with "!". 
+ + See http://shorewall.net/PortKnocking.html for an example of + using an entry in this column with a user-defined action + rule. + + + + + RATE LIMIT (Optional) + + + You may rate-limit the rule by placing a value in this column: + + + rate/interval[:burst] + where rate is the number of connections per + interval (sec + or min) and + burst is the largest burst permitted. If no + burst is given, a value of 5 is assumed. There + may be no no whitespace embedded in the specification. + + Example: 10/sec:20 + + + + + USER/GROUP (Optional) + + + This column may only be non-empty if the SOURCE is the + firewall itself. + + The column may contain: + + [!][user name or number][:group + name or number][+program name] + + + When this column is non-empty, the rule applies only if the + program generating the output is running under the effective + user and/or group + specified (or is NOT running under that id if "!" is given). + + Examples: + + + + joe + + + program must be run by joe + + + + + :kids + + + program must be run by a member of the 'kids' + group + + + + + !:kids + + + program must not be run by a member of the 'kids' + group + + + + + +upnpd + + + #program named upnpd + + + The ability to specify a program name was removed from + Netfilter in kernel version 2.6.14. 
+ + + + + + Example - + + + Example 1: + + + Accept SMTP requests from the DMZ to the internet + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL + # PORT PORT(S) DEST + ACCEPT dmz net tcp smtp + + + + + Example 2: + + + Forward all ssh and http connection requests from the internet + to local system 192.168.1.3 + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL + # PORT PORT(S) DEST + DNAT net loc:192.168.1.3 tcp ssh,http + + + + + Example 3: + + + Forward all http connection requests from the internet to + local system 192.168.1.3 with a limit of 3 per second and a maximum + burst of 10 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE + # PORT PORT(S) DEST LIMIT + DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 + + + + + Example 4: + + + Redirect all locally-originating www connection requests to + port 3128 on the firewall (Squid running on the firewall system) + except when the destination address is 192.168.2.2 + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL + # PORT PORT(S) DEST + REDIRECT loc 3128 tcp www - !192.168.2.2 + + + + + Example 5: + + + All http requests from the internet to address 130.252.100.69 + are to be forwarded to 192.168.1.3 + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL + # PORT PORT(S) DEST + DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 + + + + + Example 6: + + + You want to accept SSH connections to your firewall only from + internet IP addresses 130.252.100.69 and 130.252.100.70 + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL + # PORT PORT(S) DEST + ACCEPT net:130.252.100.69,130.252.100.70 $FW \ + tcp 22 + + + + + Example 7: + + + You wish to accept connections from the internet to your + firewall on port 2222 and you want to forward them to local system + 192.168.1.3, port 22 + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL + # PORT PORT(S) DEST + ACCEPT net loc:192.168.1.3:22 tcp 2222 + + + FILES - /etc/shorewall/ + /etc/shorewall/rules
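Review bot: The "If you kernel and iptables have ipset match support" wording appears twice in the new SOURCE and DEST descriptions and should read "If your kernel"; the same region has several other slips worth catching before this ships: "modifiy" in "the firewall will not modifiy the destination port", the stray quote in "When all+[-] is "used, intra-zone traffic is affected", and "all. all+ or none" in the DEST column (a period where the list wants a comma, as in the SOURCE column's "all, all+, all-, all+- or none"). Further down, "There may be no no whitespace embedded in the specification" under RATE LIMIT doubles a word, "comma- separated" under SOURCE PORT(S) has a space after the hyphen, and the "+upnpd" USER/GROUP example reads "#program named upnpd" with a leading "#" that none of the sibling examples carry.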
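Review bot: The ORIGINAL DEST column refers to "the IP address given in the SERVER column", but this man page has no SERVER column; the server address lives in the column this same hunk names DEST (the next sentence already says "forwarded to the IP and port specified in the DEST column"). Suggest changing "SERVER column" to "DEST column" so readers are not sent looking for a column that does not exist.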
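Review bot: Example 7 contradicts the DEST column text added earlier in this hunk. The example uses "ACCEPT net loc:192.168.1.3:22 tcp 2222" to forward port 2222 on the firewall to port 22 on 192.168.1.3, yet the DEST description states "A destination port may only be included if the ACTION is DNAT or REDIRECT." Forwarding to another host is what the DNAT action is defined for ("Forward the request to another system (and optionally ..."), so the example should read "DNAT net loc:192.168.1.3:22 tcp 2222". In Example 3 the listing appears to have been run into the preceding paragraph: "burst of 10 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE" sits on one line, while every other example starts its "#ACTION" header on its own line inside the listing; please check the markup there.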