Remove support for 'norfc1918' and its associated settings in shorewall.conf

This commit is contained in:
Tom Eastep 2009-06-05 10:51:30 -07:00
parent ed5dc806cc
commit c370dc650c
34 changed files with 121 additions and 596 deletions


@ -54,8 +54,6 @@ MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=Yes
@ -149,7 +147,7 @@ DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
NULL_ROUTE_RFC1918=No
MACLIST_TABLE=filter


@ -54,8 +54,6 @@ MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=Yes
@ -149,7 +147,7 @@ DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
NULL_ROUTE_RFC1918=No
MACLIST_TABLE=filter


@ -61,8 +61,6 @@ MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=Yes
@ -156,7 +154,7 @@ DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
NULL_ROUTE_RFC1918=No
MACLIST_TABLE=filter


@ -328,18 +328,6 @@ sub generate_script_3($) {
}
if ( $family == F_IPV4 ) {
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
emit ( "addr=\$(\$IP -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
'if [ -n "$addr" ]; then',
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
' if in_network $addr $network; then',
" error_message \"WARNING: The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"",
' fi',
' done',
"fi\n" );
}
my @ipsets = all_ipsets;
if ( @ipsets ) {
@ -600,7 +588,6 @@ sub compiler {
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' , 's' ) if $config{MACLIST_TTL};
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' , 's' ) if $config{HIGH_ROUTE_MARKS};
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' , 's' ) if $config{TC_ENABLED};
require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's' ) if $config{RFC1918_STRICT};
set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;


@ -350,7 +350,6 @@ sub initialize( $ ) {
BLACKLIST_LOGLEVEL => undef,
MACLIST_LOG_LEVEL => undef,
TCP_FLAGS_LOG_LEVEL => undef,
RFC1918_LOG_LEVEL => undef,
SMURF_LOG_LEVEL => undef,
LOG_MARTIANS => undef,
LOG_VERBOSITY => undef,
@ -412,7 +411,6 @@ sub initialize( $ ) {
DISABLE_IPV6 => undef,
DYNAMIC_ZONES => undef,
PKTTYPE=> undef,
RFC1918_STRICT => undef,
MACLIST_TABLE => undef,
MACLIST_TTL => undef,
SAVE_IPSETS => undef,
@ -2296,6 +2294,9 @@ sub get_configuration( $ ) {
default_yes_no 'LOGTAGONLY' , ''; $globals{LOGTAGONLY} = $config{LOGTAGONLY};
default_yes_no 'RFC1918_STRICT' , '';
warning_message 'RFC1918_STRICT=Yes ignored. The "norfc1918" interface/host option is no longer supported' if $config{RFC1918_STRICT};
default_yes_no 'FASTACCEPT' , '';
fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
@ -2328,7 +2329,10 @@ sub get_configuration( $ ) {
default_log_level 'BLACKLIST_LOGLEVEL', '';
default_log_level 'MACLIST_LOG_LEVEL', '';
default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
default_log_level 'RFC1918_LOG_LEVEL', 6;
default_log_level 'RFC1918_LOG_LEVEL', '';
warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
default_log_level 'SMURF_LOG_LEVEL', '';
default_log_level 'LOGALLNEW', '';
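Review bot: The two new `warning_message … ignored` calls (after `default_yes_no 'RFC1918_STRICT' , '';` and `default_log_level 'RFC1918_LOG_LEVEL', '';`) may never fire, because the same commit drops `RFC1918_STRICT => undef` and `RFC1918_LOG_LEVEL => undef` from the %config seed in initialize(). If the shorewall.conf reader only accepts options whose key already exists in %config (the reader is not in this hunk, so I cannot confirm), a user's `RFC1918_STRICT=Yes` goes down the unknown-option path and the targeted migration warning is dead code; if the reader accepts any key, the seeds are merely redundant. Either keep `RFC1918_STRICT => undef,` and `RFC1918_LOG_LEVEL => undef,` in initialize() for one release, or add a comment above the warnings stating which path an upgraded config actually takes. Minor: the two messages quote the option differently (`"norfc1918"` vs `'norfc1918'`); pick one form. get_configuration starts and ends outside the hunk.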


@ -219,66 +219,6 @@ sub add_rule_pair( $$$$ ) {
add_rule $chainref , "${predicate}-j $target";
}
sub setup_rfc1918_filteration( $ ) {
my $listref = $_[0];
my $norfc1918ref = new_standard_chain 'norfc1918';
my $rfc1918ref = new_standard_chain 'rfc1918';
my $chainref = $norfc1918ref;
warning_message q(The 'norfc1918' option is deprecated);
log_rule $config{RFC1918_LOG_LEVEL} , $rfc1918ref , 'DROP' , '';
add_rule $rfc1918ref , '-j DROP';
$chainref = new_standard_chain 'rfc1918d' if $config{RFC1918_STRICT};
my $fn = open_file 'rfc1918';
first_entry "$doing $fn...";
while ( read_a_line ) {
require_capability 'CONNTRACK_MATCH', "The norfc1918 option" , 's';
my ( $networks, $target ) = split_line 2, 2, 'rfc1918 file';
my $s_target;
if ( $target eq 'logdrop' ) {
$target = 'rfc1918';
$s_target = 'rfc1918';
} elsif ( $target eq 'DROP' ) {
$s_target = 'DROP';
} elsif ( $target eq 'RETURN' ) {
$s_target = $config{RFC1918_STRICT} ? 'rfc1918d' : 'RETURN';
} else {
fatal_error "Invalid target ($target) for $networks";
}
for my $network ( split_list $networks, 'network' ) {
add_rule $norfc1918ref , match_source_net( $network ) . "-j $s_target";
add_rule $chainref , match_orig_dest( $network ) . "-j $target" ;
}
}
add_rule $norfc1918ref , '-j rfc1918d' if $config{RFC1918_STRICT};
my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
for my $hostref ( @$listref ) {
my $interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for my $chain ( first_chains $interface ) {
add_rule $filter_table->{$chain} , join( '', "-m state --state $state ", match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
}
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
}
}
sub setup_blacklist() {
my $hosts = find_hosts_by_option 'blacklist';
@ -614,11 +554,6 @@ sub add_common_rules() {
}
}
if ( $family == F_IPV4 ) {
$list = find_hosts_by_option 'norfc1918';
setup_rfc1918_filteration $list if @$list;
}
$list = find_hosts_by_option 'tcpflags';
if ( @$list ) {


@ -201,7 +201,7 @@ sub initialize( $ ) {
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
logmartians => BINARY_IF_OPTION,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
norfc1918 => SIMPLE_IF_OPTION + IF_OPTION_HOST,
norfc1918 => OBSOLETE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
optional => SIMPLE_IF_OPTION,
proxyarp => BINARY_IF_OPTION,
@ -215,7 +215,6 @@ sub initialize( $ ) {
%validhostoptions = (
blacklist => 1,
maclist => 1,
norfc1918 => 1,
nosmurfs => 1,
routeback => 1,
tcpflags => 1,
@ -1095,6 +1094,8 @@ sub process_host( ) {
$type = IPSEC;
$zoneref->{options}{complex} = 1;
$ipsec = 1;
} elseif ( $option eq 'norfc1918' ) {
warning_message "The 'norfc1918' option is no longer supported"
} elsif ( $validhostoptions{$option}) {
$options{$option} = 1;
} else {
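Review bot: `elseif` on the new branch in process_host is not a Perl keyword — Perl spells it `elsif` — so this line is a compile-time syntax error and Shorewall::Zones will fail to load with the change applied. The line should read `} elsif ( $option eq 'norfc1918' ) {`. The statement it guards also lacks a terminating semicolon (`warning_message "The 'norfc1918' option is no longer supported"`); that is legal immediately before a closing brace but inconsistent with the rest of the file, so add the `;`. process_host starts and ends outside the hunk.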


@ -13,6 +13,8 @@ Changes in Shorewall 4.3.12
6) Fix 'findgw'.
7) Remove 'norfc1918' support.
Changes in Shorewall 4.3.11
1) Reduce the number of arguments passed in may cases.


@ -52,8 +52,6 @@ MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=Yes
@ -147,7 +145,7 @@ DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
NULL_ROUTE_RFC1918=No
MACLIST_TABLE=filter


@ -510,11 +510,6 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcfilters ]; then
echo "TC Filters file installed as ${PREFIX}/etc/shorewall/tcfilters"
fi
#
# Install the rfc1918 file
#
install_file rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0644
echo "RFC 1918 file installed as ${PREFIX}/usr/share/shorewall/rfc1918"
#
# Install the default config path file
#


@ -89,7 +89,20 @@ released late in 2009.
to renumber the class IDs for devices 10 and greater.
6) Jozsef Kadlecsik has removed the set binding capability from ipset
3.1. As a consequence, Shorewall 4.3 no longer supports set binding.
3.1. As a consequence, Shorewall 4.3 no longer supports set
binding.
9) Support for the 'norfc1918' interface and host option has been
removed. If 'norfc1918' is specified for an entry in either the
interfaces or the hosts file, a warning is issued and the option is
ignored.
Similarly, if RFC1918_STRICT=Yes or a non-empty RFC1918_LOG_LEVEL
is given in shorewall.conf, a warning will be issued and the option
will be ignored.
Users who currently use 'norfc1918' are encouraged to consider
using NULL_ROUTE_RFC1918=Yes instead.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 3 . 12
@ -180,7 +193,10 @@ None.
The LENGTH value must be a numeric power of two between 32 and 8192
inclusive. Packets with a total length that is strictly less that
the specified value will match the rule.
the specified value will match the rule.
4) Support for 'norfc1918' has been removed. See the Migration
Considerations above.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3


@ -1,9 +0,0 @@
#
# Shorewall version 4 - Rfc1918 File
#
###############################################################################
#SUBNETS TARGET
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -89,7 +89,6 @@ fi
%attr(0644,root,root) /usr/share/shorewall/lib.cli
%attr(0644,root,root) /usr/share/shorewall/macro.*
%attr(0644,root,root) /usr/share/shorewall/modules
%attr(0644,root,root) /usr/share/shorewall/rfc1918
%attr(0644,root,root) /usr/share/shorewall/configpath
%attr(0755,root,root) /usr/share/shorewall/wait4ifup
@ -105,6 +104,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
- Remove 'rfc1918' file
* Sun May 10 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.11-0base
* Sun Apr 19 2009 Tom Eastep tom@shorewall.net


@ -51,10 +51,7 @@
<quote>shorewall[-lite] show -x accounting</quote>. All traffic passing
into, out of, or through the firewall traverses the accounting chain
including traffic that will later be rejected by interface options such as
<quote>tcpflags</quote> and <quote>maclist</quote>. If your kernel doesn't
support the connection tracking match extension (Kernel 2.4.21) then some
traffic rejected under <quote>norfc1918</quote> will not traverse the
accounting chain.</para>
<quote>tcpflags</quote> and <quote>maclist</quote>.</para>
<para>The columns in the accounting file are as follows:</para>


@ -1279,47 +1279,6 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
in the log message) in Shorewall:</para>
<variablelist>
<varlistentry>
<term>man1918 or logdrop</term>
<listitem>
<para>The destination address is listed in
<filename>/usr/share/shorewall/rfc1918</filename> with a <emphasis
role="bold">logdrop</emphasis> target -- see <filename> <ulink
url="manpages/shorewall-rfc1918.html">/usr/share/shorewall/rfc1918</ulink>
</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>rfc1918 or logdrop</term>
<listitem>
<para>The source or destination address is listed in
<filename>/usr/share/shorewall/rfc1918</filename> with a <emphasis
role="bold">logdrop</emphasis> target -- see <filename> <ulink
url="manpages/shorewall-rfc1918.html">/usr/share/shorewall/rfc1918</ulink>
</filename>.</para>
<note>
<para>If you see packets being dropped in the rfc1918 chain and
neither the source nor the destination IP address is reserved by
RFC 1918, that usually means that you have a old
<filename>rfc1918</filename> file in <filename
class="directory">/etc/shorewall</filename> (this problem most
frequently occurs if you are running Debian or one if its
derivatives). The <filename>rfc1918</filename> file used to
include bogons as well as the three ranges reserved by RFC 1918
and it resided in <filename
class="directory">/etc/shorewall</filename>. The file now only
includes the three RFC 1918 ranges and it resides in <filename
class="directory">/usr/share/shorewall</filename>. Remove the
stale <filename>rfc1918</filename> file in <filename
class="directory">/etc/shorewall</filename>.</para>
</note>
</listitem>
</varlistentry>
<varlistentry id="all2all">
<term>all2<emphasis>zone</emphasis>, <emphasis>zone</emphasis>2all
or all2all</term>
@ -1591,10 +1550,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
your firewall has no record of having sent a DNS reply to 172.16.1.10 so
this ICMP doesn't appear to be related to anything that was sent. The
final result is that the packet gets logged and dropped in the all2all
chain. I have also seen cases where the source IP in the ICMP itself
isn't set back to the external IP of the remote NAT gateway; that causes
your firewall to log and drop the packet out of the rfc1918 chain
because the source IP is reserved by RFC 1918.</para>
chain.</para>
</section>
<section id="faq52">
@ -2057,7 +2013,8 @@ We have an error talking to the kernel
<para><emphasis role="bold">Answer:</emphasis> Yes! Shorewall support is
available in Webmin. See <ulink
url="http://www.webmin.com">http://www.webmin.com</ulink></para>
url="http://www.webmin.com">http://www.webmin.com</ulink>. But beware of
the issue described in <link linkend="faq36">FAQ 36</link>.</para>
</section>
<section id="faq13">
@ -2170,9 +2127,9 @@ We have an error talking to the kernel
<para><emphasis role="bold">Answer:</emphasis> Shorewall implements a
stateful firewall which requires connection tracking be present in
ip6tables and in the kernel. Linux kernel's before 2.6.20 didn't have
connection tracking for IPv6. So we could not even start to develop
IPv6 support until 2.6.20. We understand that there were significant
ip6tables and in the kernel. Linux kernel's before 2.6.20 didn't
support connection tracking for IPv6. So we could not even start to
develop Shorewall IPv6 support until 2.6.20 and there were significant
problems with the facility until at least kernel 2.6.23. When
distributions began offering IPv6 connection tracking support, it was
with kernel 2.6.25. So that is what we developed IPv6 support on and
@ -2194,123 +2151,6 @@ else
</section>
</section>
<section id="RFC1918">
<title>RFC 1918</title>
<section id="faq14">
<title>(FAQ 14) I'm connected via a cable modem and it has an internal
web server that allows me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface (the Internet one), it
also blocks the cable modems web server.</title>
<para>Is there any way it can add a rule before the rfc1918 blocking
that will let all traffic to and from the 192.168.100.1 address of the
modem in/out but still block all other rfc1918 addresses?</para>
<para><emphasis role="bold">Answer:</emphasis> Use of the norfc1918
interface is currently deprecated and support for the option will be
removed entirely in a future version. So deleting the option from <ulink
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
(5) is the preferred solution.</para>
<para>Otherwise, add the following to <filename><ulink
url="manpages/shorewall-rfc1918.html">/etc/shorewall/rfc1918</ulink></filename>
(Note: If you are running Shorewall 2.0.0 or later, you may need to
first copy <filename>/usr/share/shorewall/rfc1918</filename> to
<filename>/etc/shorewall/rfc1918</filename>):</para>
<para>Be sure that you add the entry ABOVE the entry for
192.168.0.0/16.</para>
<programlisting>#SUBNET TARGET
192.168.100.1 RETURN</programlisting>
<note>
<para>If you add a second IP address to your external firewall
interface to correspond to the modem address, you must also make an
entry in <filename>/etc/shorewall/rfc1918</filename> for that address.
For example, if you configure the address 192.168.100.2 on your
firewall, then you would add two entries to
<filename>/etc/shorewall/rfc1918</filename>:</para>
<programlisting>#SUBNET TARGET
192.168.100.1 RETURN
192.168.100.2 RETURN</programlisting>
</note>
<section id="faq14a">
<title>(FAQ 14a) Even though it assigns public IP addresses, my ISP's
DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on
my external interface, my DHCP client cannot renew its lease.</title>
<para><emphasis role="bold">Answer:</emphasis> The solution is the
same as <xref linkend="faq14" /> above.</para>
</section>
<section id="faq14b">
<title>(FAQ 14b) I connect to the Internet with PPPoE. When I try to
access the built-in web server in my DSL Modem, I get connection
Refused.</title>
<para>I see the following in my log:</para>
<programlisting>Mar 1 18:20:07 Mail kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.2 DST=192.168.1.1 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=26774 DF PROTO=TCP SPT=32797 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 </programlisting>
<para><emphasis role="bold">Answer:</emphasis> The fact that the
message is being logged from the OUTPUT chain means that the
destination IP address is not in any defined zone (see <link
linkend="faq17">FAQ 17</link>). You need to:</para>
<orderedlist>
<listitem>
<para>Add a zone for the modem in
<filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS
modem ipv4</programlisting>
</listitem>
<listitem>
<para>Define the zone to be associated with <filename
class="devicefile">eth0</filename> (or whatever interface connects
to your modem) in
<filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
modem eth0 detect</programlisting>
</listitem>
<listitem>
<para>Allow web traffic to the modem in
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT fw modem tcp 80
ACCEPT loc modem tcp 80</programlisting>
</listitem>
</orderedlist>
<para>Note that many of these ADSL/Cable Modems have no default
gateway or their default gateway is at a fixed IP address that is
different from the IP address you have assigned to your external
interface. In either case, you may have problems browsing the modem
from your local network even if you have the correct routes
established on your firewall. This is usually solved by masquerading
traffic from your local network to the modem.</para>
<para><filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SOURCE ADDRESS
eth0 eth1 # eth1 = interface to local network</programlisting>
<para>For an example of this when the ADSL/Cable modem is bridged, see
<ulink url="XenMyWay-Routed.html">my configuration</ulink>. In that
case, I masquerade using the IP address of my local interface!</para>
</section>
</section>
</section>
<section id="ALIASES">
<title>Alias IP Addresses/Virtual Interfaces</title>


@ -173,7 +173,7 @@ MACLIST_LOG_LEVEL=info</programlisting>
<para>/etc/shorewall/interfaces:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
net $EXT_IF 206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF 192.168.1.255 dhcp
dmz $DMZ_IF -
vpn tun+ -


@ -117,10 +117,6 @@
<member><ulink url="manpages/shorewall-proxyarp.html">proxyarp</ulink>
- Define Proxy ARP.</member>
<member><ulink url="manpages/shorewall-rfc1918.html">rfc1918</ulink> -
Specify address ranges affected by the <option>norfc1918</option>
interface option.</member>
<member><ulink
url="manpages/shorewall-route_rules.html">route_rules</ulink> - Define
routing rules.</member>


@ -102,10 +102,6 @@
url="manpages6/shorewall6-providers.html">providers</ulink> - Define
routing tables, usually for multiple Internet links.</member>
<member><ulink url="manpages6/shorewall6-rfc1918.html">rfc1918</ulink>
- Specify address ranges affected by the <option>norfc1918</option>
interface option.</member>
<member><ulink
url="manpages6/shorewall6-route_rules.html">route_rules</ulink> -
Define routing rules.</member>


@ -677,7 +677,7 @@ verb 3</programlisting>
option.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth2 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
net eth2 206.124.146.255 dhcp,logmartians,blacklist,tcpflags,nosmurfs
loc br0 192.168.1.255 dhcp,<emphasis role="bold">routeback</emphasis>
dmz eth1 - logmartians
Wifi eth0 192.168.3.255 dhcp,maclist


@ -295,7 +295,7 @@ vpn ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 norfc1918
net eth0 206.124.146.255
loc eth2 192.168.10.255
vpn ppp+</programlisting>
@ -335,7 +335,7 @@ vpn3 ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 norfc1918
net eth0 206.124.146.255
loc eth2 192.168.10.255
- ppp+</programlisting>
@ -662,4 +662,4 @@ pptpclient modem 192.168.1.1</programlisting>
</listitem>
</orderedlist>
</section>
</article>
</article>


@ -163,17 +163,6 @@
optimized away and its rules are transferred to another chain.</para>
</listitem>
<listitem>
<para>If the interface on which the packet entered the firewall has
the <emphasis>norfc1918</emphasis> option specified in
<filename>/etc/shorewall/interfaces</filename>, then the packet is
processed against your rfc1918 file (normally
<filename>/usr/share/shorewall/rfc1918</filename> but that file may be
copied to <filename>/etc/shorewall/rfc1918</filename> and modified).
This happens in the <emphasis>filter</emphasis> table's <emphasis
role="bold">norfc1918</emphasis> chain.</para>
</listitem>
<listitem>
<para>If the interface on which the packet entered the firewall has
the <emphasis>tcpflags</emphasis> option specified in


@ -148,8 +148,10 @@ SSHKnock net loc:192.168.1.5 tcp 22 -
<note>
<para>You can use SSHKnock with DNAT on earlier releases provided
that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
This rule will be quite secure provided that you specify 'norfc1918'
on your external interface.</para>
This rule will be quite secure provided that you specify
'routefilter' on your external interface and have
NULL_ROUTE_RFC1918=Yes in
<filename>shorewall.conf</filename>.</para>
</note>
</listitem>
</orderedlist>


@ -97,7 +97,7 @@ forward_chain_name = forwardUPnP</programlisting>
<para>Example:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect dhcp,routefilter,norfc1918,tcpflags,<emphasis
net eth1 detect dhcp,routefilter,tcpflags,<emphasis
role="bold">upnp</emphasis></programlisting>
<para>If your fw-&gt;loc policy is not ACCEPT then you need this


@ -467,7 +467,6 @@ LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=
SMURF_LOG_LEVEL=$LOG
LOG_MARTIANS=No
IPTABLES=
@ -502,7 +501,6 @@ DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
RFC1918_STRICT=Yes
MACLIST_TABLE=mangle
MACLIST_TTL=60
SAVE_IPSETS=No


@ -504,7 +504,6 @@ LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
LOG_MARTIANS=No
IPTABLES=/usr/sbin/iptables
@ -534,7 +533,6 @@ DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
RFC1918_STRICT=Yes
MACLIST_TTL=60
SAVE_IPSETS=No
MAPOLDACTIONS=No
@ -604,7 +602,7 @@ OMAK=&lt;IP address at our second home&gt;
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
net $EXT_IF 206.124.146.255 dhcp,logmartians,blacklist,tcpflags,nosmurfs
dmz $DMZ_IF 192.168.0.255 logmartians
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
wifi $WIFI_IF 192.168.3.255 dhcp,maclist


@ -219,15 +219,6 @@
macros defined by Shorewall.</para>
</listitem>
<listitem>
<para><filename>/usr/share/rfc1918</filename> — Defines the behavior
of the 'norfc1918' interface option in
<filename>/etc/shorewall/interfaces</filename>. <emphasis
role="bold">If you need to change this file, copy it to
<filename>/etc/shorewall</filename> and modify the
copy</emphasis>.</para>
</listitem>
<listitem>
<para><filename>/usr/share/modules</filename> — Specifies the kernel
modules to be loaded during shorewall start/restart . <emphasis
@ -545,7 +536,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918
NET_OPTIONS=routefilter,routefilter
    /etc/shorewall/interfaces record:
@ -553,7 +544,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
    The result will be the same as if the record had been written
net eth0 130.252.100.255 routefilter,norfc1918
net eth0 130.252.100.255 routefilter,routefilter
</programlisting>
</blockquote>
@ -867,8 +858,8 @@ POP(ACCEPT) loc net:pop.gmail.com</programlisting>
<itemizedlist>
<listitem>
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,norfc1918
Invalid: routefilter,     dhcp,     norfc1818</programlisting></para>
<para>Must not have any embedded white space.<programlisting> Valid: routefilter,dhcp,arpfilter
Invalid: routefilter,     dhcp,     arpfilter</programlisting></para>
</listitem>
<listitem>


@ -116,9 +116,9 @@
<para>Note that you must copy <filename
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall-common/default-config/modules to <filename
class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para>
and /usr/share/doc/shorewall-common/default-config/modules to
<filename class="directory">/etc/shorewall</filename> even if you do
not modify those files.</para>
</warning></para>
<para>As each file is introduced, I suggest that you look through the
@ -343,8 +343,8 @@ all all REJECT info</programlisting>
<para>The simplest way to define zones is to associate the zone name
(previously defined in /etc/shorewall/zones) with a network interface.
This is done in the <ulink
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink> file.
The firewall illustrated above has three network interfaces. Where
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>
file. The firewall illustrated above has three network interfaces. Where
Internet connectivity is through a cable or DSL <quote>Modem</quote>, the
<emphasis>External Interface</emphasis> will be the Ethernet adapter that
is connected to that <quote>Modem</quote> (e.g., <filename
@ -413,11 +413,11 @@ all all REJECT info</programlisting>
<para>The Shorewall default configuration does not define the contents of
any zone. To define the above configuration using the <ulink
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces </ulink>file,
that file would might contain:</para>
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
</ulink>file, that file would might contain:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918
net eth0 detect
loc eth1 detect
dmz eth2 detect</programlisting>
@ -436,7 +436,7 @@ dmz eth2 detect</programlisting>
<title>Multiple Interfaces to a Zone</title>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918
net eth0 detect
loc eth1 detect
loc eth2 detect</programlisting>
</example>
@ -444,8 +444,8 @@ loc eth2 detect</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>You may define more complicated zones using the<filename> <ulink
url="manpages/shorewall-hosts.html">/etc/shorewall/hosts</ulink></filename> file
but in most cases, that isn't necessary. See <ulink
url="manpages/shorewall-hosts.html">/etc/shorewall/hosts</ulink></filename>
file but in most cases, that isn't necessary. See <ulink
url="Shorewall_and_Aliased_Interfaces.html">Shorewall_and_Aliased_Interfaces.html</ulink>
and <ulink url="Multiple_Zones.html">Multiple_Zones.html</ulink> for
examples.</para>
@ -1817,7 +1817,7 @@ ACCEPT net $FW tcp ssh #SSH to the
<quote>options</quote> will be very site-specific).</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918,routefilter
net eth0 detect routefilter
loc eth1 detect
dmz eth2 detect</programlisting>
@ -1829,7 +1829,7 @@ dmz eth2 detect</programlisting>
interfaces.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 192.0.2.255 norfc1918
net eth0 192.0.2.255
loc eth1 192.168.201.7
dmz eth2 192.168.202.7</programlisting>
@ -2423,8 +2423,7 @@ foobar.net. 86400 IN A 192.0.2.177
Also, I don't recommend using <quote>shorewall restart</quote>; it is
better to create an <ulink
url="starting_and_stopping_shorewall.htm"><emphasis>an alternate
configuration</emphasis></ulink> and test it using the
<quote><ulink
configuration</emphasis></ulink> and test it using the <quote><ulink
url="starting_and_stopping_shorewall.htm"><command>shorewall
try</command></ulink></quote> command.</para>
</caution>


@ -413,32 +413,6 @@ root@lists:~# </programlisting>
<emphasis>Network Address Translation</emphasis> <emphasis>-
</emphasis><acronym>NAT</acronym>) to rewrite packet headers when
forwarding to/from the Internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>Before starting Shorewall, <emphasis role="bold">you should look at
the IP address of your external interface and if it is in one of the above
ranges, you should remove the <quote>norfc1918</quote> option from the
entry in <filename>/etc/shorewall/interfaces</filename>.</emphasis><tip>
<para>To determine the IP address of your external interface, as root
type <command>ip addr ls dev &lt;interface&gt;</command> at the
command line where &lt;<emphasis>interface</emphasis>&gt; is your
external interface. The line beginning with <emphasis>inet</emphasis>
identifies your IP address.</para>
<para>Example:</para>
<programlisting>root@lists:~# ip addr ls dev eth0
2: eth0: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc htb qlen 1000
link/ether 00:02:e3:08:48:4c brd ff:ff:ff:ff:ff:ff
inet <emphasis role="bold">206.124.146.176</emphasis>/24 brd 206.124.146.255 scope global eth0
inet6 fe80::202:e3ff:fe08:484c/64 scope link
valid_lft forever preferred_lft forever
root@lists:~# </programlisting>
<para>In this example, the IP address of the external interface is
206.124.146.176</para>
</tip></para>
</section>
<section id="Logging">


@ -499,33 +499,6 @@ root@lists:~# </programlisting>
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>Before starting Shorewall, <emphasis role="bold">you should look at
the IP address of your external interface and if it is one of the above
ranges, you should remove the <varname>norfc1918</varname> option from the
external interface's entry in
<filename>/etc/shorewall/interfaces</filename>.</emphasis><tip>
<para>To determine the IP address of your external interface, as root
type <command>ip addr ls dev &lt;interface&gt;</command> at the
command line where &lt;<emphasis>interface</emphasis>&gt; is your
external interface. The line beginning with <emphasis>inet</emphasis>
identifies your IP address.</para>
<para>Example:</para>
<programlisting>root@lists:~# ip addr ls dev eth0
2: eth0: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc htb qlen 1000
link/ether 00:02:e3:08:48:4c brd ff:ff:ff:ff:ff:ff
inet <emphasis role="bold">206.124.146.176</emphasis>/24 brd 206.124.146.255 scope global eth0
inet6 fe80::202:e3ff:fe08:484c/64 scope link
valid_lft forever preferred_lft forever
root@lists:~# </programlisting>
<para>In this example, the IP address of the external interface is
206.124.146.176</para>
</tip></para>
<para>You will want to assign your local addresses from one sub-network or
subnet and your DMZ addresses from another subnet. For our purposes, we
can consider a subnet to consists of a range of addresses <systemitem


@ -459,38 +459,10 @@ root@lists:~# </programlisting>
1918</emphasis> reserves several <emphasis>Private</emphasis>
<acronym>IP</acronym> address ranges for this purpose: <programlisting>10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255</programlisting> <inlinegraphic
fileref="images/BD21298_.gif" format="GIF" /></para>
<para>Before starting Shorewall, <emphasis role="bold">you should look at
the IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external
interface's entry in <filename
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>.</emphasis><tip>
<para>To determine the IP address of your external interface, as root
type <command>ip addr ls dev &lt;interface&gt;</command> at the
command line where &lt;<emphasis>interface</emphasis>&gt; is your
external interface. The line beginning with <emphasis>inet</emphasis>
identifies your IP address.</para>
<para>Example:</para>
<programlisting>root@lists:~# ip addr ls dev eth0
2: eth0: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc htb qlen 1000
link/ether 00:02:e3:08:48:4c brd ff:ff:ff:ff:ff:ff
inet <emphasis role="bold">206.124.146.176</emphasis>/24 brd 206.124.146.255 scope global eth0
inet6 fe80::202:e3ff:fe08:484c/64 scope link
valid_lft forever preferred_lft forever
root@lists:~# </programlisting>
<para>In this example, the IP address of the external interface is
206.124.146.176</para>
</tip></para>
<para>You will want to assign your addresses from the same sub-network
(subnet). For our purposes, we can consider a subnet to consists of a
range of addresses <varname>x.y.z.0 - x.y.z.255</varname>. Such a subnet
will have a Subnet Mask of <systemitem
192.168.0.0 - 192.168.255.255</programlisting>You will want to assign your
addresses from the same sub-network (subnet). For our purposes, we can
consider a subnet to consists of a range of addresses <varname>x.y.z.0 -
x.y.z.255</varname>. Such a subnet will have a Subnet Mask of <systemitem
class="netmask">255.255.255.0</systemitem>. The address
<varname>x.y.z.0</varname> is reserved as the <emphasis>Subnet
Address</emphasis> and <varname>x.y.z.255</varname> is reserved as the


@ -93,21 +93,21 @@
<filename>routestopped</filename> file. The
<filename>routestopped</filename> file used is the one that was
present at the last <command>start</command>,
<command>restart</command> or <command>restore</command> command.
</para>
<command>restart</command> or <command>restore</command>
command.</para>
</listitem>
<listitem>
<para>The old macro parameter syntax (e.g., SSH/ACCEPT) is now
deprecated in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.3
documentation uses the new syntax exclusively, although the old syntax
continues to be supported. </para>
continues to be supported.</para>
</listitem>
<listitem>
<para>Support for the SAME target in /etc/shorewall/masq and
/etc/shorewall/rules has been removed, following the removal of the
underlying support in the Linux kernel. </para>
underlying support in the Linux kernel.</para>
</listitem>
<listitem>
@ -120,11 +120,11 @@
starts/restarts</para>
<para>To avoid this warning, replace interface names by the
corresponding network addresses (e.g., 192.168.144.0/24). </para>
corresponding network addresses (e.g., 192.168.144.0/24).</para>
</listitem>
<listitem>
<para> Previously, Shorewall has treated traffic shaping class IDs as
<para>Previously, Shorewall has treated traffic shaping class IDs as
decimal numbers (or pairs of decimal numbers). That worked fine until
IPMARK was implemented. IPMARK requires Shorewall to generate class
Ids in numeric sequence. In 4.3.9, that didn't work correctly because
@ -135,7 +135,27 @@
<para>This should only be an issue if you have more than 9 interfaces
defined in <filename>/etc/shorewall/tcdevices</filename> and if you
use class IDs in <filename>/etc/shorewall/tcrules</filename>. You will
need to renumber the class IDs for devices 10 and greater. </para>
need to renumber the class IDs for devices 10 and greater.</para>
</listitem>
<listitem>
<para>Jozsef Kadlecsik has removed the set binding capability from
ipset 3.1. As a consequence, Shorewall 4.3 no longer supports set
binding. </para>
</listitem>
<listitem>
<para>Support for the 'norfc1918' interface and host option has been
removed. If 'norfc1918' is specified for an entry in either the
interfaces or the hosts file, a warning is issued and the option is
ignored.</para>
<para>Similarly, if RFC1918_STRICT=Yes or a non-empty
RFC1918_LOG_LEVEL is given in shorewall.conf, a warning will be issued
and the option will be ignored.</para>
<para>Users who currently use 'norfc1918' are encouraged to consider
using NULL_ROUTE_RFC1918=Yes instead. </para>
</listitem>
</orderedlist>
</section>


@ -359,19 +359,6 @@ loc eth2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">norfc1918</emphasis></term>
<listitem>
<para>This interface should not receive any packets whose
source is in one of the ranges reserved by RFC 1918 (i.e.,
private or "non-routable" addresses). If packet mangling or
connection-tracking match is enabled in your kernel, packets
whose destination addresses are reserved by RFC 1918 are also
rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term>


@ -1,100 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry>
<refmeta>
<refentrytitle>shorewall-rfc1918</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>rfc1918</refname>
<refpurpose>Shorewall file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/usr/share/shorewall/rfc1918</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The rfc1918 file determines the handling of connections under the
norfc1918 option in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). Do not
modify <filename>/usr/share/shorewall/rfc1918</filename>; if you need to
change norfc1918 handling, then copy
<filename>/usr/share/shorewall/rfc1918</filename> to
<filename>/etc/shorewall/rfc1918</filename> and modify the copy.</para>
<para>The released version of this file logs and drops packets from the
three address ranges reserved by RFC 1918:</para>
<blockquote>
<programlisting>10.0.0.0/8
172.16.0.0/12
192.168.0.0/16</programlisting>
</blockquote>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">SUBNET -
<replaceable>address</replaceable></emphasis></term>
<listitem>
<para>Subnet address in CIDR format.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TARGET</emphasis> - {<emphasis
role="bold">RETURN</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">logdrop</emphasis>}</term>
<listitem>
<para><emphasis role="bold">RETURN</emphasis> causes packets to/from
the specified subnet to be processed normally by the applicable
rules and policies.</para>
<para><emphasis role="bold">DROP</emphasis> causes packets from the
specified subnet to be silently dropped.</para>
<para><emphasis role="bold">logdrop</emphasis> causes packets from
the specified subnet to be logged at the level specified by the
RFC1918_LOG_LEVEL option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
</variablelist>
<para>Also, please see the RFC1918_STRICT option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/usr/share/shorewall/rfc1918</para>
<para>/etc/shorewall/rfc1918</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>


@ -1177,6 +1177,24 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NULL_ROUTE_RFC1918=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>When set to Yes, causes Shorewall to null-route the IPv4
address ranges reserved by RFC1918. The default value is
'No'.</para>
<para>When combined with route filtering (ROUTE_FILTER=Yes or
<option>routefilter</option> in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)),
this option ensures that packets with an RFC1918 source address are
only accepted from interfaces having known routes to networks using
such addresses.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OPTIMIZE=</emphasis>[<emphasis
role="bold">0</emphasis>|<emphasis role="bold">1</emphasis>]</term>
@ -1353,55 +1371,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RFC1918_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasis>]</term>
<listitem>
<para>This parameter determines the level at which packets logged
under the <emphasis role="bold">norfc1918</emphasis> mechanism are
logged. The value must be a valid syslog level and if no level is
given, then info is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">RFC1918_STRICT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Traditionally, the RETURN target in the 'rfc1918' file has
caused norfc1918 processing to cease for a packet if the packet's
source IP address matches the rule. Thus, if you have this entry in
<ulink
url="shorewall-rfc1918.html">shorewall-rfc1918</ulink>(5):</para>
<programlisting> #SUBNETS TARGET
192.168.1.0/24 RETURN</programlisting>
<para>then traffic from 192.168.1.4 to 10.0.3.9 will be accepted
even though you also have:</para>
<programlisting> #SUBNETS TARGET
10.0.0.0/8 logdrop</programlisting>
<para>Setting RFC1918_STRICT=Yes in shorewall.conf will cause such
traffic to be logged and dropped since while the packet's source
matches the RETURN rule, the packet's destination matches the
'logdrop' rule.</para>
<para>If not specified or specified as empty (e.g.,
RFC1918_STRICT="") then RFC1918_STRICT=No is assumed.</para>
<para></para>
<warning>
<para>RFC1918_STRICT=Yes requires that your kernel and iptables
support 'Connection Tracking' match.</para>
</warning>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis