mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
SOURCE/DEST changes in the mangle manpages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
b4d42507b2
commit
cb7ab3908a
@ -775,98 +775,253 @@ Normal-Service => 0x00</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
|
||||
<term><emphasis role="bold">SOURCE -
|
||||
{-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>May be:</para>
|
||||
<para>where <replaceable>source-spec</replaceable> is one of:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>An interface name - matches traffic entering the firewall
|
||||
on the specified interface. May not be used in classify rules or
|
||||
in rules using the :T chain qualifier.</para>
|
||||
</listitem>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of host or network IP addresses or
|
||||
MAC addresses. <emphasis role="bold">This form will not match
|
||||
traffic that originates on the firewall itself unless either
|
||||
<major><minor> or the :T chain qualifier is used in
|
||||
the ACTION column.</emphasis></para>
|
||||
<listitem>
|
||||
<para>where <replaceable>interface</replaceable> is the
|
||||
logical name of an interface defined in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
Matches packets entering the firewall from the named
|
||||
interface. May not be used in CLASSIFY rules or in rules using
|
||||
the :T chain qualifier.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<para>Examples:<simplelist>
|
||||
<member>0.0.0.0/0</member>
|
||||
</simplelist></para>
|
||||
<varlistentry>
|
||||
<term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<para><simplelist>
|
||||
<member>192.168.1.0/24, 172.20.4.0/24</member>
|
||||
</simplelist></para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>where <replaceable>address</replaceable> is:</para>
|
||||
|
||||
<listitem>
|
||||
<para>An interface name followed by a colon (":") followed by a
|
||||
comma-separated list of host or network IP addresses or MAC
|
||||
addresses. May not be used in classify rules or in rules using
|
||||
the :T chain qualifier.</para>
|
||||
</listitem>
|
||||
<blockquote>
|
||||
<para>A host or network IP address.</para>
|
||||
|
||||
<listitem>
|
||||
<para>$FW optionally followed by a colon (":") and a
|
||||
comma-separated list of host or network IP addresses. Matches
|
||||
packets originating on the firewall. May not be used with a
|
||||
chain qualifier (:P, :F, etc.) in the ACTION column.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
<para>The name of an ipset preceded by a plus sign
|
||||
("+").</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
separator.</para>
|
||||
<para>A MAC address in Shorewall format (preceded by a tilde
|
||||
("~") and using dash ("-") as a separator (e.g.,
|
||||
~00-A0-C9-15-39-78).</para>
|
||||
</blockquote>
|
||||
|
||||
<para>Example: ~00-A0-C9-15-39-78</para>
|
||||
<para>Matches traffic whose source IP address matches one of
|
||||
the listed addresses and that does not match an address listed
|
||||
in the <replaceable>exclusion</replaceable> (see <ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
<para><emphasis role="bold">This form will not match traffic
|
||||
that originates on the firewall itself unless either
|
||||
<major><minor> or the :T chain qualifier is used
|
||||
in the ACTION column.</emphasis></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This form combines the preceding two forms and matches
|
||||
when both the incoming interface and source IP address
|
||||
match.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This form matches packets arriving through the named
|
||||
<replaceable>interface</replaceable> and whose source IP
|
||||
address does not match any of the addresses in the
|
||||
<replaceable>exclusion</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW</term>
|
||||
|
||||
<listitem>
|
||||
<para>Matches packets originating on the firewall system. May
|
||||
not be used with a chain qualifier (:P, :F, etc.) in the
|
||||
ACTION column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>address</replaceable> is as above
|
||||
(MAC addresses are not permitted). Matches packets originating
|
||||
on the firewall and whose source IP address matches one of the
|
||||
listed addresses and does not match any address listed in the
|
||||
<replaceable>exclusion</replaceable>. May not be used with a
|
||||
chain qualifier (:P, :F, etc.) in the ACTION column. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW:<replaceable>exclusion</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Matches traffic originating on the firewall, provided
|
||||
that the source IP address does not match any address listed
|
||||
in the <replaceable>exclusion</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Beginning with Shorewall 5.1.0, multiple
|
||||
<replaceable>source_spec</replaceable>s, separated by commas, may be
|
||||
given provided that the following alternative forms are used:</para>
|
||||
|
||||
<blockquote>
|
||||
<para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
|
||||
|
||||
<para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para>$FW:(<replaceable>exclusion</replaceable>)</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
|
||||
<term><emphasis role="bold">DEST -
|
||||
{-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>May be:</para>
|
||||
<para>where <replaceable>dest-spec</replaceable> is one of:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>An interface name. May not be used in the PREROUTING chain
|
||||
(:P in the mark column or no chain qualifier and
|
||||
MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||
url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
|
||||
interface name may be optionally followed by a colon (":") and
|
||||
an IP address list.</para>
|
||||
</listitem>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of host or network IP addresses.
|
||||
The list may include ip address ranges if your kernel and
|
||||
iptables include iprange support.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>where <replaceable>interface</replaceable> is the
|
||||
logical name of an interface defined in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
|
||||
Matches packets leaving the firewall through the named
|
||||
interface. May not be used in the PREROUTING chain (:P in the
|
||||
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
|
||||
in <ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
|
||||
(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<listitem>
|
||||
<para>Beginning with Shorewall 4.4.13, $FW may be specified by
|
||||
itself or qualified by an address list. This causes marking to
|
||||
occur in the INPUT chain.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
<varlistentry>
|
||||
<term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
<listitem>
|
||||
<para>where <replaceable>address</replaceable> is:</para>
|
||||
|
||||
<blockquote>
|
||||
<para>A host or network IP address.</para>
|
||||
|
||||
<para>The name of an ipset preceded by a plus sign
|
||||
("+").</para>
|
||||
|
||||
<para>A MAC address in Shorewall format (preceded by a tilde
|
||||
("~") and using dash ("-") as a separator (e.g.,
|
||||
~00-A0-C9-15-39-78).</para>
|
||||
</blockquote>
|
||||
|
||||
<para>Matches traffic whose destination IP address matches one
|
||||
of the listed addresses and that does not match an address
|
||||
listed in the <replaceable>exclusion</replaceable> (see <ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This form combines the preceding two forms and matches
|
||||
when both the outgoing interface and destination IP address
|
||||
match. May not be used in the PREROUTING chain (:P in the mark
|
||||
column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
|
||||
<ulink url="manpages/shorewall.conf">shorewall.conf</ulink>
|
||||
(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This form matches packets leaving through the named
|
||||
<replaceable>interface</replaceable> and whose destination IP
|
||||
address does not match any of the addresses in the
|
||||
<replaceable>exclusion</replaceable>. May not be used in the
|
||||
PREROUTING chain (:P in the mark column or no chain qualifier
|
||||
and MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||
url="manpages/shorewall.conf">shorewall.conf</ulink>
|
||||
(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW</term>
|
||||
|
||||
<listitem>
|
||||
<para>Matches packets originating on the firewall system. May
|
||||
not be used with a chain qualifier (:P, :F, etc.) in the
|
||||
ACTION column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>address</replaceable> is as above
|
||||
(MAC addresses are not permitted). Matches packets destined
|
||||
for the firewall and whose destination IP address matches one
|
||||
of the listed addresses and does not match any address listed
|
||||
in the <replaceable>exclusion</replaceable>. May not be used
|
||||
with a chain qualifier (:P, :F, etc.) in the ACTION
|
||||
column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW:<replaceable>exclusion</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Matches traffic destined for the firewall, provided that
|
||||
the destination IP address does not match any address listed
|
||||
in the <replaceable>exclusion</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Beginning with Shorewall 5.1.0, multiple
|
||||
<replaceable>dest_spec</replaceable>s, separated by commas, may be
|
||||
given provided that the following alternative forms are used:</para>
|
||||
|
||||
<blockquote>
|
||||
<para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
|
||||
|
||||
<para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para>$FW:(<replaceable>exclusion</replaceable>)</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -767,98 +767,252 @@ Normal-Service => 0x00</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
|
||||
role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
|
||||
<term><emphasis role="bold">SOURCE -
|
||||
{-|<replaceable>source-spec</replaceable>[,...]}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>May be:</para>
|
||||
<para>where <replaceable>source-spec</replaceable> is one of:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>An interface name - matches traffic entering the firewall
|
||||
on the specified interface. May not be used in classify rules or
|
||||
in rules using the :T chain qualifier.</para>
|
||||
</listitem>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of host or network IP addresses or
|
||||
MAC addresses. <emphasis role="bold">This form will not match
|
||||
traffic that originates on the firewall itself unless either
|
||||
<major><minor> or the :T chain qualifier is used in
|
||||
the ACTION column.</emphasis></para>
|
||||
<listitem>
|
||||
<para>where <replaceable>interface</replaceable> is the
|
||||
logical name of an interface defined in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
Matches packets entering the firewall from the named
|
||||
interface. May not be used in CLASSIFY rules or in rules using
|
||||
the :T chain qualifier.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<para>Examples:<simplelist>
|
||||
<member>0.0.0.0/0</member>
|
||||
</simplelist></para>
|
||||
<varlistentry>
|
||||
<term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<para><simplelist>
|
||||
<member>192.168.1.0/24, 172.20.4.0/24</member>
|
||||
</simplelist></para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>where <replaceable>address</replaceable> is:</para>
|
||||
|
||||
<listitem>
|
||||
<para>An interface name followed by a colon (":") followed by a
|
||||
comma-separated list of host or network IP addresses or MAC
|
||||
addresses. May not be used in classify rules or in rules using
|
||||
the :T chain qualifier.</para>
|
||||
</listitem>
|
||||
<blockquote>
|
||||
<para>A host or network IP address.</para>
|
||||
|
||||
<listitem>
|
||||
<para>$FW optionally followed by a colon (":") and a
|
||||
comma-separated list of host or network IP addresses. Matches
|
||||
packets originating on the firewall. May not be used with a
|
||||
chain qualifier (:P, :F, etc.) in the ACTION column.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
<para>The name of an ipset preceded by a plus sign
|
||||
("+").</para>
|
||||
|
||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
||||
separator.</para>
|
||||
<para>A MAC address in Shorewall format (preceded by a tilde
|
||||
("~") and using dash ("-") as a separator (e.g.,
|
||||
~00-A0-C9-15-39-78).</para>
|
||||
</blockquote>
|
||||
|
||||
<para>Example: ~00-A0-C9-15-39-78</para>
|
||||
<para>Matches traffic whose source IP address matches one of
|
||||
the listed addresses and that does not match an address listed
|
||||
in the <replaceable>exclusion</replaceable> (see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
<para><emphasis role="bold">This form will not match traffic
|
||||
that originates on the firewall itself unless either
|
||||
<major><minor> or the :T chain qualifier is used
|
||||
in the ACTION column.</emphasis></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This form combines the preceding two forms and matches
|
||||
when both the incoming interface and source IP address
|
||||
match.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This form matches packets arriving through the named
|
||||
<replaceable>interface</replaceable> and whose source IP
|
||||
address does not match any of the addresses in the
|
||||
<replaceable>exclusion</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW</term>
|
||||
|
||||
<listitem>
|
||||
<para>Matches packets originating on the firewall system. May
|
||||
not be used with a chain qualifier (:P, :F, etc.) in the
|
||||
ACTION column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>address</replaceable> is as above
|
||||
(MAC addresses are not permitted). Matches packets originating
|
||||
on the firewall and whose source IP address matches one of the
|
||||
listed addresses and does not match any address listed in the
|
||||
<replaceable>exclusion</replaceable>. May not be used with a
|
||||
chain qualifier (:P, :F, etc.) in the ACTION column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW:<replaceable>exclusion</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Matches traffic originating on the firewall, provided
|
||||
that the source IP address does not match any address listed
|
||||
in the <replaceable>exclusion</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Beginning with Shorewall 5.1.0, multiple
|
||||
<replaceable>source_spec</replaceable>s, separated by commas, may be
|
||||
given provided that the following alternative forms are used:</para>
|
||||
|
||||
<blockquote>
|
||||
<para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
|
||||
|
||||
<para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para>$FW:(<replaceable>exclusion</replaceable>)</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
|
||||
<term><emphasis role="bold">DEST -
|
||||
{-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>May be:</para>
|
||||
<para>where <replaceable>dest-spec</replaceable> is one of:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>An interface name. May not be used in the PREROUTING chain
|
||||
(:P in the mark column or no chain qualifier and
|
||||
MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
||||
(5)). The interface name may be optionally followed by a colon
|
||||
(":") and an IP address list.</para>
|
||||
</listitem>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of host or network IP addresses.
|
||||
The list may include ip address ranges if your kernel and
|
||||
iptables include iprange support.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>where <replaceable>interface</replaceable> is the
|
||||
logical name of an interface defined in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
Matches packets leaving the firewall through the named
|
||||
interface. May not be used in the PREROUTING chain (:P in the
|
||||
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
|
||||
in <ulink url="shorewall6.conf">shorewall6.conf</ulink>
|
||||
(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<listitem>
|
||||
<para>Beginning with Shorewall 4.4.13, $FW may be specified by
|
||||
itself or qualified by an address list. This causes marking to
|
||||
occur in the INPUT chain.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
<varlistentry>
|
||||
<term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<para>You may exclude certain hosts from the set already defined
|
||||
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
<listitem>
|
||||
<para>where <replaceable>address</replaceable> is:</para>
|
||||
|
||||
<blockquote>
|
||||
<para>A host or network IP address.</para>
|
||||
|
||||
<para>The name of an ipset preceded by a plus sign
|
||||
("+").</para>
|
||||
|
||||
<para>A MAC address in Shorewall format (preceded by a tilde
|
||||
("~") and using dash ("-") as a separator (e.g.,
|
||||
~00-A0-C9-15-39-78).</para>
|
||||
</blockquote>
|
||||
|
||||
<para>Matches traffic whose destination IP address matches one
|
||||
of the listed addresses and that does not match an address
|
||||
listed in the <replaceable>exclusion</replaceable> (see <ulink
|
||||
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable>:<replaceable>address</replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This form combines the preceding two forms and matches
|
||||
when both the outgoing interface and destination IP address
|
||||
match. May not be used in the PREROUTING chain (:P in the mark
|
||||
column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
|
||||
<ulink url="shorewall6.conf">shorewall6.conf</ulink>
|
||||
(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This form matches packets leaving through the named
|
||||
<replaceable>interface</replaceable> and whose destination IP
|
||||
address does not match any of the addresses in the
|
||||
<replaceable>exclusion</replaceable>. May not be used in the
|
||||
PREROUTING chain (:P in the mark column or no chain qualifier
|
||||
and MARK_IN_FORWARD_CHAIN=No in <ulink
|
||||
url="shorewall6.conf">shorewall6.conf</ulink> (5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW</term>
|
||||
|
||||
<listitem>
|
||||
<para>Matches packets originating on the firewall system. May
|
||||
not be used with a chain qualifier (:P, :F, etc.) in the
|
||||
ACTION column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>address</replaceable> is as above
|
||||
(MAC addresses are not permitted). Matches packets destined
|
||||
for the firewall and whose destination IP address matches one
|
||||
of the listed addresses and does not match any address listed
|
||||
in the <replaceable>exclusion</replaceable>. May not be used
|
||||
with a chain qualifier (:P, :F, etc.) in the ACTION
|
||||
column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>$FW:<replaceable>exclusion</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>Matches traffic destined for the firewall, provided that
|
||||
the destination IP address does not match any address listed
|
||||
in the <replaceable>exclusion</replaceable>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Beginning with Shorewall 5.1.0, multiple
|
||||
<replaceable>dest_spec</replaceable>s, separated by commas, may be
|
||||
given provided that the following alternative forms are used:</para>
|
||||
|
||||
<blockquote>
|
||||
<para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para><replaceable>interface</replaceable>:(<replaceable>exclusion</replaceable>)</para>
|
||||
|
||||
<para>$FW:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
|
||||
|
||||
<para>$FW:(<replaceable>exclusion</replaceable>)</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user