Add INVALID section to the rules file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
a03e793907
commit
c2bc74cdfe
@ -131,6 +131,7 @@ our %EXPORT_TAGS = (
|
||||
rules_chain
|
||||
blacklist_chain
|
||||
related_chain
|
||||
invalid_chain
|
||||
zone_forward_chain
|
||||
use_forward_chain
|
||||
input_chain
|
||||
@ -293,6 +294,7 @@ our $VERSION = 'MODULEVERSION';
|
||||
# level 8.
|
||||
# complete => The last rule in the chain is a -g or a simple -j to a terminating target
|
||||
# Suppresses adding additional rules to the chain end of the chain
|
||||
# sections => { <section> = 1, ... } - Records sections that have been completed.
|
||||
# } ,
|
||||
# <chain2> => ...
|
||||
# }
|
||||
@ -1628,6 +1630,13 @@ sub related_chain($$) {
|
||||
'+' . &rules_chain(@_);
|
||||
}
|
||||
|
||||
#
|
||||
# Name of the invalid chain between an ordered pair of zones
|
||||
#
|
||||
sub invalid_chain($$) {
|
||||
'_' . &rules_chain(@_);
|
||||
}
|
||||
|
||||
#
|
||||
# Create the base for a chain involving the passed interface -- we make this a function so it will be
|
||||
# easy to change the mapping should the need ever arrive.
|
||||
|
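Review bot: The header comment on the new `sub invalid_chain($$)` only says it names the invalid chain; it should also record that the leading `_` it prepends is a marker other code keys on, since finish_chain_section in this same commit recognises an invalid chain with `$chainref->{name} =~ /^_/` (and `+` for the related chain). I would write `# Name of the invalid chain between an ordered pair of zones -- the leading '_' is what finish_chain_section tests to recognise an INVALID-section chain`. The body also uses the `&rules_chain(@_)` call form, copied from related_chain just above; `rules_chain(@_)` is the conventional spelling and behaves identically here because @_ is passed explicitly.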
@ -642,7 +642,7 @@ sub initialize( $;$$) {
|
||||
EXPORT => 0,
|
||||
KLUDGEFREE => '',
|
||||
STATEMATCH => '-m state --state',
|
||||
VERSION => "4.5.13-Beta1",
|
||||
VERSION => "4.5.13-Beta3",
|
||||
CAPVERSION => 40512 ,
|
||||
);
|
||||
#
|
||||
@ -663,6 +663,7 @@ sub initialize( $;$$) {
|
||||
LOGALLNEW => undef,
|
||||
BLACKLIST_LOGLEVEL => undef,
|
||||
RELATED_LOG_LEVEL => undef,
|
||||
INVALID_LOG_LEVEL => undef,
|
||||
RFC1918_LOG_LEVEL => undef,
|
||||
MACLIST_LOG_LEVEL => undef,
|
||||
TCP_FLAGS_LOG_LEVEL => undef,
|
||||
@ -782,6 +783,7 @@ sub initialize( $;$$) {
|
||||
SFILTER_DISPOSITION => undef,
|
||||
RPFILTER_DISPOSITION => undef,
|
||||
RELATED_DISPOSITION => undef,
|
||||
INVALID_DISPOSITION => undef,
|
||||
#
|
||||
# Mark Geometry
|
||||
#
|
||||
@ -5224,6 +5226,7 @@ sub get_configuration( $$$$ ) {
|
||||
default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
|
||||
default_log_level 'RFC1918_LOG_LEVEL', '';
|
||||
default_log_level 'RELATED_LOG_LEVEL', '';
|
||||
default_log_level 'INVALID_LOG_LEVEL', '';
|
||||
|
||||
warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
|
||||
|
||||
@ -5278,12 +5281,31 @@ sub get_configuration( $$$$ ) {
|
||||
fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
|
||||
}
|
||||
|
||||
require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
|
||||
require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;
|
||||
} else {
|
||||
$config{RELATED_DISPOSITION} =
|
||||
$globals{RELATED_TARGET} = 'ACCEPT';
|
||||
}
|
||||
|
||||
if ( $val = $config{INVALID_DISPOSITION} ) {
|
||||
if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
|
||||
$globals{INVALID_TARGET} = $val;
|
||||
} elsif ( $val eq 'REJECT' ) {
|
||||
$globals{INVALID_TARGET} = 'reject';
|
||||
} elsif ( $val eq 'A_REJECT' ) {
|
||||
$globals{INVALID_TARGET} = $val;
|
||||
} elsif ( $val eq 'CONTINUE' ) {
|
||||
$globals{INVALID_TARGET} = '';
|
||||
} else {
|
||||
fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION"
|
||||
}
|
||||
|
||||
require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;
|
||||
} else {
|
||||
$config{INVALID_DISPOSITION} = 'CONTINUE';
|
||||
$globals{INVALID_TARGET} = '';
|
||||
}
|
||||
|
||||
if ( $val = $config{MACLIST_TABLE} ) {
|
||||
if ( $val eq 'mangle' ) {
|
||||
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
|
||||
|
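Review bot: The AUDIT_TARGET capability check inside the new INVALID_DISPOSITION block names the wrong setting: `require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;` runs on `$val` taken from `$config{INVALID_DISPOSITION}`, so a user whose kernel lacks the capability is told RELATED_DISPOSITION is at fault. It should read `require_capability 'AUDIT_TARGET' , "INVALID_DISPOSITION=$val", 's' if $val =~ /^A_/;`. The same hunk appears to correct an identical copy-paste in the RELATED block just above (`MACLIST_DISPOSITION=$val` becoming `RELATED_DISPOSITION=$val`), which shows how easily this pattern is reintroduced. get_configuration's body starts and ends outside the hunk.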
@ -67,14 +67,16 @@ use constant { NULL_SECTION => 0,
|
||||
ALL_SECTION => 2,
|
||||
ESTABLISHED_SECTION => 4,
|
||||
RELATED_SECTION => 8,
|
||||
NEW_SECTION => 16,
|
||||
DEFAULTACTION_SECTION => 32 };
|
||||
INVALID_SECTION => 16,
|
||||
NEW_SECTION => 32,
|
||||
DEFAULTACTION_SECTION => 64 };
|
||||
#
|
||||
# These are the sections that may appear in a section header
|
||||
#
|
||||
our %section_map = ( ALL => ALL_SECTION,
|
||||
ESTABLISHED => ESTABLISHED_SECTION,
|
||||
RELATED => RELATED_SECTION,
|
||||
INVALID => INVALID_SECTION,
|
||||
NEW => NEW_SECTION );
|
||||
|
||||
our @policy_chains;
|
||||
@ -170,6 +172,7 @@ sub initialize( $ ) {
|
||||
%sections = ( ALL => 0,
|
||||
ESTABLISHED => 0,
|
||||
RELATED => 0,
|
||||
INVALID => 0,
|
||||
NEW => 0
|
||||
);
|
||||
#
|
||||
@ -212,6 +215,15 @@ sub initialize( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Create a rules chain
|
||||
#
|
||||
sub new_rules_chain( $ ) {
|
||||
my $chainref = new_chain( 'filter', $_[0] );
|
||||
$chainref->{sections} = {};
|
||||
$chainref;
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
# Functions moved from the former Policy Module
|
||||
###############################################################################
|
||||
@ -250,7 +262,7 @@ sub new_policy_chain($$$$$)
|
||||
{
|
||||
my ($source, $dest, $policy, $provisional, $audit) = @_;
|
||||
|
||||
my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
|
||||
my $chainref = new_rules_chain( rules_chain( ${source}, ${dest} ) );
|
||||
|
||||
convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit );
|
||||
|
||||
@ -266,7 +278,7 @@ sub set_policy_chain($$$$$)
|
||||
|
||||
my $chainref1 = $filter_table->{$chain1};
|
||||
|
||||
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
|
||||
$chainref1 = new_rules_chain $chain1 unless $chainref1;
|
||||
|
||||
unless ( $chainref1->{policychain} ) {
|
||||
if ( $config{EXPAND_POLICIES} ) {
|
||||
@ -837,10 +849,12 @@ sub ensure_rules_chain( $ )
|
||||
|
||||
my $chainref = $filter_table->{$chain};
|
||||
|
||||
$chainref = new_chain( 'filter', $chain ) unless $chainref;
|
||||
$chainref = new_rules_chain( $chain ) unless $chainref;
|
||||
|
||||
unless ( $chainref->{referenced} ) {
|
||||
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
|
||||
finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID';
|
||||
} elsif ( $section == INVALID_SECTION ) {
|
||||
finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED';
|
||||
} elsif ( $section == RELATED_SECTION ) {
|
||||
finish_chain_section $chainref , $chainref, 'ESTABLISHED';
|
||||
@ -853,7 +867,7 @@ sub ensure_rules_chain( $ )
|
||||
}
|
||||
|
||||
#
|
||||
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
|
||||
# Add ESTABLISHED,RELATED,INVALID rules and synparam jumps to the passed chain
|
||||
#
|
||||
sub finish_chain_section ($$$) {
|
||||
my ($chainref,
|
||||
@ -862,8 +876,20 @@ sub finish_chain_section ($$$) {
|
||||
my $chain = $chainref->{name};
|
||||
my $related_level = $config{RELATED_LOG_LEVEL};
|
||||
my $related_target = $globals{RELATED_TARGET};
|
||||
my $invalid_level = $config{INVALID_LOG_LEVEL};
|
||||
my $invalid_target = $globals{INVALID_TARGET};
|
||||
my $save_comment = push_comment;
|
||||
my $relatedchain = $chainref->{name} =~ /^\+/;
|
||||
my $invalidchain = $chainref->{name} =~ /^_/;
|
||||
my %state;
|
||||
|
||||
$state{$_} = 1 for split ',', $state;
|
||||
|
||||
for ( qw/ESTABLISHED RELATED INVALID/ ) {
|
||||
delete $state{$_} if $chain1ref->{sections}{$_};
|
||||
}
|
||||
|
||||
$chain1ref->{sections}{$_} = 1 for keys %state;
|
||||
|
||||
if ( $state =~ /RELATED/ && ( $relatedchain || $related_level || $related_target ne 'ACCEPT' ) ) {
|
||||
|
||||
@ -879,7 +905,7 @@ sub finish_chain_section ($$$) {
|
||||
log_rule( $related_level,
|
||||
$relatedref,
|
||||
$config{RELATED_DISPOSITION},
|
||||
'' ) if $related_level;
|
||||
'' );
|
||||
|
||||
$related_target = ensure_audit_chain( $related_target ) if ( $targets{$related_target} || 0 ) & AUDIT;
|
||||
|
||||
@ -890,15 +916,53 @@ sub finish_chain_section ($$$) {
|
||||
|
||||
if ( $relatedchain ) {
|
||||
add_ijump $chainref, g => $related_target;
|
||||
$state = '';
|
||||
%state = ();
|
||||
} else {
|
||||
add_ijump $chainref, g => $related_target, state_imatch 'RELATED';
|
||||
$state =~ s/,?RELATED//;
|
||||
delete $state{RELATED};
|
||||
}
|
||||
}
|
||||
|
||||
if ( $state ) {
|
||||
add_ijump $chain1ref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
|
||||
if ( $state =~ /INVALID/ && ( $invalidchain || $invalid_level || $invalid_target ne 'ACCEPT' ) ) {
|
||||
|
||||
if ( $invalid_level ) {
|
||||
my $invalidref;
|
||||
|
||||
if ( $invalidchain ) {
|
||||
$invalidref = $chainref;
|
||||
} else {
|
||||
$invalidref = new_chain( 'filter', "_$chainref->{name}" );
|
||||
}
|
||||
|
||||
log_rule( $invalid_level,
|
||||
$invalidref,
|
||||
$config{INVALID_DISPOSITION},
|
||||
'' );
|
||||
|
||||
$invalid_target = ensure_audit_chain( $invalid_target ) if ( $targets{$invalid_target} || 0 ) & AUDIT;
|
||||
|
||||
add_ijump( $invalidref, g => $invalid_target ) if $invalid_target;
|
||||
|
||||
$invalid_target = $invalidref->{name} unless $invalidchain;
|
||||
}
|
||||
|
||||
if ( $invalidchain ) {
|
||||
add_ijump $chainref, g => $invalid_target;
|
||||
%state = ();
|
||||
} else {
|
||||
add_ijump $chainref, g => $invalid_target, state_imatch 'INVALID' if $invalid_target;
|
||||
delete $state{INVALID};
|
||||
}
|
||||
}
|
||||
|
||||
if ( keys %state && ! $config{FASTACCEPT} ) {
|
||||
my @state;
|
||||
|
||||
for ( qw/ESTABLISHED RELATED/ ) {
|
||||
push @state, $_ if $state{$_};
|
||||
}
|
||||
|
||||
add_ijump $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) if @state;
|
||||
}
|
||||
|
||||
if ($sections{NEW} ) {
|
||||
@ -939,6 +1003,8 @@ sub finish_section ( $ ) {
|
||||
|
||||
if ( $section == RELATED_SECTION ) {
|
||||
$function = \&related_chain;
|
||||
} elsif ( $section == INVALID_SECTION ) {
|
||||
$function = \&invalid_chain;
|
||||
} else {
|
||||
$function = \&rules_chain;
|
||||
}
|
||||
@ -2258,14 +2324,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
#
|
||||
$chainref = ensure_rules_chain $chain;
|
||||
#
|
||||
# Handle rules in the BLACKLIST and RELATED sections
|
||||
# Handle rules in the BLACKLIST, RELATED and INVALID sections
|
||||
#
|
||||
if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION ) ) {
|
||||
if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION | INVALID_SECTION ) ) {
|
||||
my $auxchain;
|
||||
my $auxref;
|
||||
|
||||
if ( $blacklist ) {
|
||||
$auxchain = blacklist_chain( ${sourcezone}, ${destzone} );
|
||||
} elsif ( $section == INVALID_SECTION ) {
|
||||
$auxchain = invalid_chain( ${sourcezone}, ${destzone} );
|
||||
} else {
|
||||
$auxchain = related_chain( ${sourcezone}, ${destzone} );
|
||||
}
|
||||
@ -2280,6 +2348,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
if ( $blacklist ) {
|
||||
@state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY};
|
||||
$auxref->{blacklistsection} = 1;
|
||||
} elsif ( $section == INVALID_SECTION ) {
|
||||
@state = state_imatch( 'INVALID' );
|
||||
} else {
|
||||
@state = state_imatch 'RELATED';
|
||||
};
|
||||
@ -2369,7 +2439,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
do_headers( $headers ) ,
|
||||
do_condition( $condition , $chain ) ,
|
||||
);
|
||||
} elsif ( $section == RELATED_SECTION ) {
|
||||
} elsif ( $section & ( INVALID_SECTION | RELATED_SECTION ) ) {
|
||||
$rule = join( '',
|
||||
do_proto($proto, $ports, $sports),
|
||||
do_ratelimit( $ratelimit, $basictarget ) ,
|
||||
@ -2400,8 +2470,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
||||
$basictarget eq 'dropInvalid' ) {
|
||||
if ( $config{FASTACCEPT} ) {
|
||||
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
|
||||
$section == RELATED_SECTION && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} )
|
||||
}
|
||||
( $section & ( RELATED_SECTION | INVALID_SECTION ) ) && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} )
|
||||
}
|
||||
|
||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
||||
$rule .= "$globals{STATEMATCH} ESTABLISHED " if $section == ESTABLISHED_SECTION;
|
||||
@ -2535,7 +2605,6 @@ sub process_section ($) {
|
||||
#
|
||||
fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
|
||||
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
||||
$sections{$sect} = 1;
|
||||
|
||||
if ( $sect eq 'BLACKLIST' ) {
|
||||
fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file";
|
||||
@ -2544,9 +2613,14 @@ sub process_section ($) {
|
||||
} elsif ( $sect eq 'RELATED' ) {
|
||||
@sections{'ALL','ESTABLISHED'} = ( 1, 1);
|
||||
finish_section 'ESTABLISHED';
|
||||
} elsif ( $sect eq 'NEW' ) {
|
||||
} elsif ( $sect eq 'INVALID' ) {
|
||||
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
|
||||
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
|
||||
} elsif ( $sect eq 'NEW' ) {
|
||||
@sections{'ALL','ESTABLISHED','RELATED','INVALID','NEW'} = ( 1, 1, 1, 1, 1 );
|
||||
finish_section ( ( $section == RELATED_SECTION ) ? 'RELATED,INVALID' :
|
||||
( $section == INVALID_SECTION ) ? 'INVALID' :
|
||||
'ESTABLISHED,RELATED,INVALID' );
|
||||
}
|
||||
|
||||
$section = $section_map{$sect};
|
||||
@ -2822,7 +2896,9 @@ sub process_rules( $ ) {
|
||||
|
||||
process_rule while read_a_line( NORMAL_READ );
|
||||
}
|
||||
|
||||
#
|
||||
# No need to finish the NEW section since no rules need to be generated
|
||||
#
|
||||
$section = DEFAULTACTION_SECTION;
|
||||
}
|
||||
|
||||
|
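Review bot: The FASTACCEPT exemption in process_rule1, `( $section & ( RELATED_SECTION | INVALID_SECTION ) ) && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} )`, now admits INVALID-section entries but still consults the RELATED settings, so whether INVALID rules are allowed under FASTACCEPT=Yes depends on RELATED_DISPOSITION/RELATED_LOG_LEVEL rather than on INVALID_DISPOSITION/INVALID_LOG_LEVEL. I would split it per section: `$section == RELATED_SECTION ? ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) : ( $config{INVALID_DISPOSITION} ne 'ACCEPT' || $config{INVALID_LOG_LEVEL} )`, unless INVALID packets are never fast-accepted, in which case the INVALID section should simply be exempt. Two spots in the finish_chain_section hunk look related: `add_ijump $chainref, g => $invalid_target;` in the `$invalidchain` branch lacks the `if $invalid_target` guard the other two INVALID jumps carry, so the default INVALID_DISPOSITION=CONTINUE (which sets INVALID_TARGET to '') presumably emits a jump with an empty target; and the closing `for ( qw/ESTABLISHED RELATED/ )` loop never pushes INVALID, so INVALID_DISPOSITION=ACCEPT with no log level leaves INVALID in %state yet generates no ACCEPT rule for it, letting those packets fall through to whatever follows unless that is intended. process_rule1 and finish_chain_section both start and end outside their hunks.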
@ -23,6 +23,8 @@ VERBOSITY=1
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
INVALID_LOG_LEVEL=
|
||||
|
||||
LOG_MARTIANS=Yes
|
||||
|
||||
LOG_VERBOSITY=2
|
||||
@ -224,6 +226,8 @@ ZONE2ZONE=2
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
INVALID_DISPOSITION=CONTINUE
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
RELATED_DISPOSITION=ACCEPT
|
||||
|
@ -34,6 +34,8 @@ VERBOSITY=1
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
INVALID_LOG_LEVEL=
|
||||
|
||||
LOG_MARTIANS=Yes
|
||||
|
||||
LOG_VERBOSITY=2
|
||||
@ -235,6 +237,8 @@ ZONE2ZONE=2
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
INVALID_DISPOSITION=CONTINUE
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
RELATED_DISPOSITION=ACCEPT
|
||||
|
@ -32,6 +32,8 @@ VERBOSITY=1
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
INVALID_LOG_LEVEL=
|
||||
|
||||
LOG_MARTIANS=Yes
|
||||
|
||||
LOG_VERBOSITY=2
|
||||
@ -233,6 +235,8 @@ ZONE2ZONE=2
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
INVALID_DISPOSITION=CONTINUE
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
RELATED_DISPOSITION=ACCEPT
|
||||
|
@ -35,6 +35,8 @@ VERBOSITY=1
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
INVALID_LOG_LEVEL=
|
||||
|
||||
LOG_MARTIANS=Yes
|
||||
|
||||
LOG_VERBOSITY=2
|
||||
@ -236,6 +238,8 @@ ZONE2ZONE=2
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
INVALID_DISPOSITION=CONTINUE
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
RELATED_DISPOSITION=ACCEPT
|
||||
|
@ -23,6 +23,8 @@ VERBOSITY=1
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
INVALID_LOG_LEVEL=
|
||||
|
||||
LOG_MARTIANS=Yes
|
||||
|
||||
LOG_VERBOSITY=2
|
||||
@ -224,6 +226,8 @@ ZONE2ZONE=2
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
INVALID_DISPOSITION=CONTINUE
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
RELATED_DISPOSITION=ACCEPT
|
||||
|
@ -81,8 +81,25 @@
|
||||
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
||||
REJECT, LOG and QUEUE</para>
|
||||
|
||||
<para>There is an implicit ACCEPT rule inserted at the end of this
|
||||
section.</para>
|
||||
<para>There is an implicit rule added at the end of this section
|
||||
that invokes the RELATED_DISPOSITION (<ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">INVALID</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. Packets in the INVALID state are
|
||||
processed by rules in this section.</para>
|
||||
|
||||
<para>The only Actions allowed in this section are ACCEPT, DROP,
|
||||
REJECT, LOG and QUEUE.</para>
|
||||
|
||||
<para>There is an implicit rule added at the end of this section
|
||||
that invokes the INVALID_DISPOSITION (<ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -24,6 +24,8 @@ VERBOSITY=1
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
INVALID_LOG_LEVEL=
|
||||
|
||||
LOG_VERBOSITY=2
|
||||
|
||||
LOGALLNEW=
|
||||
@ -197,6 +199,8 @@ ZONE2ZONE=2
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
INVALID_DISPOSITION=CONTINUE
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
RELATED_DISPOSITION=ACCEPT
|
||||
|
@ -24,6 +24,8 @@ VERBOSITY=1
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
INVALID_LOG_LEVEL=
|
||||
|
||||
LOG_VERBOSITY=2
|
||||
|
||||
LOGALLNEW=
|
||||
@ -197,6 +199,8 @@ ZONE2ZONE=2
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
INVALID_DISPOSITION=CONTINUE
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
RELATED_DISPOSITION=ACCEPT
|
||||
|
@ -24,6 +24,8 @@ VERBOSITY=1
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
INVALID_LOG_LEVEL=
|
||||
|
||||
LOG_VERBOSITY=2
|
||||
|
||||
LOGALLNEW=
|
||||
@ -197,6 +199,8 @@ ZONE2ZONE=2
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
INVALID_DISPOSITION=CONTINUE
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
RELATED_DISPOSITION=ACCEPT
|
||||
|
@ -24,6 +24,8 @@ VERBOSITY=1
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
INVALID_LOG_LEVEL=
|
||||
|
||||
LOG_VERBOSITY=2
|
||||
|
||||
LOGALLNEW=
|
||||
@ -197,6 +199,8 @@ ZONE2ZONE=2
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
INVALID_DISPOSITION=CONTINUE
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
RELATED_DISPOSITION=ACCEPT
|
||||
|
@ -24,6 +24,8 @@ VERBOSITY=1
|
||||
|
||||
BLACKLIST_LOGLEVEL=
|
||||
|
||||
INVALID_LOG_LEVEL=
|
||||
|
||||
LOG_VERBOSITY=2
|
||||
|
||||
LOGALLNEW=
|
||||
@ -197,6 +199,8 @@ ZONE2ZONE=2
|
||||
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
|
||||
INVALID_DISPOSITION=CONTINUE
|
||||
|
||||
MACLIST_DISPOSITION=REJECT
|
||||
|
||||
RELATED_DISPOSITION=ACCEPT
|
||||
|
@ -74,8 +74,25 @@
|
||||
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
||||
REJECT, LOG and QUEUE</para>
|
||||
|
||||
<para>There is an implicit ACCEPT rule inserted at the end of this
|
||||
section.</para>
|
||||
<para>There is an implicit rule added at the end of this section
|
||||
that invokes the RELATED_DISPOSITION (<ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">INVALID</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.13. Packets in the INVALID state are
|
||||
processed by rules in this section.</para>
|
||||
|
||||
<para>The only Actions allowed in this section are ACCEPT, DROP,
|
||||
REJECT, LOG and QUEUE.</para>
|
||||
|
||||
<para>There is an implicit rule added at the end of this section
|
||||
that invokes the INVALID_DISPOSITION (<ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|