FILES/etc/shorewall/accounting
+
+ /etc/shorewall6/accounting
diff --git a/Shorewall/manpages/shorewall-actions.xml b/Shorewall/manpages/shorewall-actions.xml
index d96026d10..b76540b1c 100644
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/actions
+ /etc/shorewall[6]/actions
@@ -148,8 +148,8 @@
Added in Shorewall 5.0.7. Specifies that this action is
to be used in shorewall-mangle(5) rather
- than shorewall-mangle(5)
+ rather than shorewall-rules(5).
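Review bot: as extracted, the result of this hunk reads "to be used in shorewall-mangle(5) rather rather than shorewall-rules(5)." because the unchanged line above already ends with "rather" and the added line begins with it; if that context line still ends with "rather" after the re-wrap, drop one of them. Replacing the self-referencing "than shorewall-mangle(5)" with shorewall-rules(5) is the right fix.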
@@ -160,11 +160,11 @@
Added in Shorewall 5.0.13. Specifies that this action is
to be used in shorewall-snat(5) rather
- than shorewall-rules(5). The
- and options are
- mutually exclusive.
+ url="/manpages/shorewall-snat.html">shorewall-snat(5)
+ rather than shorewall-rules(5).
+ The and options
+ are mutually exclusive.
@@ -206,7 +206,7 @@
Given that neither the snat nor the
mangle file is sectioned, this parameter
has no effect when or
- is specified.
+ is specified.
@@ -239,6 +239,8 @@
FILES/etc/shorewall/actions
+
+ /etc/shorewall6/actions
diff --git a/Shorewall/manpages/shorewall-blrules.xml b/Shorewall/manpages/shorewall-blrules.xml
index dd8f6ebe7..6f7e9a4db 100644
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/blrules
+ /etc/shorewall[6]/blrules
@@ -27,12 +27,9 @@
This file is used to perform blacklisting and whitelisting.
- Rules in this file are applied depending on the setting of
- BLACKLISTNEWONLY in shorewall.conf(5). If
- BLACKLISTNEWONLY=No, then they are applied regardless of the connection
- tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
- connections in the NEW and INVALID states.
+ Rules in this file are applied depending on the setting of BLACKLIST
+ in shorewall.conf(5).The format of rules in this file is the same as the format of rules
in shorewall-rules
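Review bot: the rewritten paragraph drops the explanation of how the setting affects these rules without replacing it. The removed text told the reader what happens for each value (applied regardless of connection tracking state, or only to NEW and INVALID connections); the new sentence only says the rules "are applied depending on the setting of BLACKLIST in shorewall.conf(5)". Either summarise the effect of each BLACKLIST value here or point explicitly at the BLACKLIST entry in shorewall.conf(5). Also check the markup where "shorewall.conf(5).The format of rules" runs together; there should be a space or paragraph break there.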
@@ -118,10 +115,10 @@
- A_DROP and A_DROP!
+ A_DROP
- Audited versions of DROP. Requires AUDIT_TARGET support
+ Audited version of DROP. Requires AUDIT_TARGET support
in the kernel and ip6tables.
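Review bot: the unchanged line "in the kernel and ip6tables." now sits in a page that, per the earlier hunk, covers both /etc/shorewall/blrules and /etc/shorewall6/blrules, so it should name both tools ("iptables/ip6tables"); the rules page in this same patch uses "in the kernel and iptables", so pick one wording for both pages. Simplifying "A_DROP and A_DROP!" to "A_DROP" is fine.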
@@ -276,11 +273,11 @@
- Example
+ Examples
- Example 1:
+ IPv4 Example 1:Drop Teredo packets from the net.
@@ -290,7 +287,28 @@
- Example 2:
+ IPv4 Example 2:
+
+
+ Don't subject packets from 2001:DB8::/64 to the remaining
+ rules in the file.
+
+ WHITELIST net:[2001:DB8::/64] all
+
+
+
+
+ IPv6 Example 1:
+
+
+ Drop Teredo packets from the net.
+
+ DROP net:[2001::/32] all
+
+
+
+
+ IPv6 Example 2:Don't subject packets from 2001:DB8::/64 to the remaining
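Review bot: the block placed directly under "IPv4 Example 2:" is IPv6 content: it whitelists 2001:DB8::/64 with "WHITELIST net:[2001:DB8::/64] all", and the same text reappears under "IPv6 Example 2:" at the end of the hunk. The IPv4 example should show an IPv4 network, and the 2001:DB8::/64 whitelist should appear once, under the IPv6 heading. Check the ordering too: "IPv6 Example 1" is inserted between the IPv4 Example 2 heading and its original body rather than after the IPv4 examples.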
@@ -306,6 +324,8 @@
FILES/etc/shorewall/blrules
+
+ /etc/shorewall6/blrules
@@ -319,10 +339,11 @@
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
- shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
- shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
- shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
- shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
- shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+ shorewall-mangle(5) shorewall6-netmap(5),shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-rtrules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-secmarks(5), shorewall-snat(5),shorewall-tcclasses(5),
+ shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
+ shorewall-tunnels(5), shorewall-zones(5)
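Review bot: the new SEE ALSO list contains shorewall-mangle(5) twice (once after shorewall-maclist(5), again before shorewall-tos(5)), has no comma between "shorewall-mangle(5)" and "shorewall6-netmap(5)", and is missing the space after the comma in "shorewall6-netmap(5),shorewall-params(5)" and "shorewall-snat(5),shorewall-tcclasses(5)". Keep one entry per page in alphabetical order.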
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index 746435796..f1ab7bffb 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/conntrack
+ /etc/shorewall[6]/conntrack
@@ -35,7 +35,7 @@
conntrack.
The file supports three different column layouts: FORMAT 1, FORMAT
- 2, and FORMAT 3, FORMAT 1 being the default. The three differ as
+ 2, and FORMAT 3 with FORMAT 1 being the default. The three differ as
follows:
@@ -311,9 +311,9 @@
- Added in Shoreawll 4.6.0. Queues the packet to a backend
- logging daemon using the ULOG netfilter target with the
- specified ulog-parameters.
+ IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
+ a backend logging daemon using the ULOG netfilter target with
+ the specified ulog-parameters.
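Review bot: the typo "Shoreawll" is carried over into the rewritten line ("IPv4 only. Added in Shoreawll 4.6.0."); since the line is being touched anyway, correct it to "Shorewall".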
@@ -689,31 +689,57 @@
EXAMPLE
- Example 1:
+ IPv4 Example 1:#ACTION SOURCE DEST PROTO DPORT SPORT USER
CT:helper:ftp(expevents=new) fw - tcp 21
- Example 2 (Shorewall 4.5.10 or later):
+ IPv4 Example 2 (Shorewall 4.5.10 or later):Drop traffic to/from all zones to IP address 1.2.3.4
- FORMAT 2
+ ?FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP all-:1.2.3.4 -
DROP all 1.2.3.4
- orFORMAT 3
+ or?FORMAT 3
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP:P 1.2.3.4 -
DROP:PO - 1.2.3.4
+
+ IPv6 Example 1:
+
+ Use the FTP helper for TCP port 21 connections from the firewall
+ itself.
+
+ FORMAT 2
+#ACTION SOURCE DEST PROTO DPORT SPORT USER
+CT:helper:ftp(expevents=new) fw - tcp 21
+
+ IPv6 Example 2 (Shorewall 4.5.10 or later):
+
+ Drop traffic to/from all zones to IP address 2001:1.2.3::4
+
+ FORMAT 2
+#ACTION SOURCE DEST PROTO DPORT SPORT USER
+DROP all-:2001:1.2.3::4 -
+DROP all 2001:1.2.3::4
+
+
+ orFORMAT 3
+#ACTION SOURCE DEST PROTO DPORT SPORT USER
+DROP:P 2001:1.2.3::4 -
+DROP:PO - 2001:1.2.3::4FILES/etc/shorewall/conntrack
+
+ /etc/shorewall6/conntrack
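Review bot: the IPv6 examples use "2001:1.2.3::4", which is not a valid IPv6 address (dotted-decimal notation may only form the final 32 bits, and "1.2.3" is not a full dotted quad), so the DROP lines will not parse; use a documentation address such as 2001:db8::4 in both the prose and the rules. Also, the IPv4 examples in this hunk were changed to "?FORMAT 2" and "?FORMAT 3", but the new IPv6 examples still use bare "FORMAT 2" / "FORMAT 3"; make the directive form consistent.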
diff --git a/Shorewall/manpages/shorewall-ecn.xml b/Shorewall/manpages/shorewall-ecn.xml
index fa3758a04..728009340 100644
--- a/Shorewall/manpages/shorewall-ecn.xml
+++ b/Shorewall/manpages/shorewall-ecn.xml
@@ -26,7 +26,9 @@
DescriptionUse this file to list the destinations for which you want to disable
- ECN (Explicit Congestion Notification).
+ ECN (Explicit Congestion Notification). Use of this file is deprecated in
+ favor of ECN rules in shorewall-mangle(8).
The columns in the file are as follows.
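Review bot: the added sentence cites "shorewall-mangle(8)", but the mangle file page is in section 5 (it is referenced as shorewall-mangle(5) elsewhere in this patch); change it to shorewall-mangle(5). It would also help to state which release deprecated the ecn file, in the way the mangle hunk dates the ECN action ("Added in Shorewall 5.0.6").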
diff --git a/Shorewall/manpages/shorewall-exclusion.xml b/Shorewall/manpages/shorewall-exclusion.xml
index e3b9952ad..13bdf2ee5 100644
--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@@ -49,9 +49,10 @@
Beginning in Shorewall 4.4.13, the second form of exclusion is
allowed after all and any in the SOURCE and DEST columns of
- /etc/shorewall/rules. It allows you to omit arbitrary zones from the list
- generated by those key words.
+ role="bold">any in the SOURCE and DEST columns of shorewall-rules(5). It allows
+ you to omit arbitrary zones from the list generated by those key
+ words.
If you omit a sub-zone and there is an explicit or explicit
@@ -117,7 +118,7 @@ ACCEPT all!z2 net tcp 22
- Example 1 - All IPv4 addresses except 192.168.3.4
+ IPv4 Example 1 - All IPv4 addresses except 192.168.3.4!192.168.3.4
@@ -125,8 +126,8 @@ ACCEPT all!z2 net tcp 22
- Example 2 - All IPv4 addresses except the network 192.168.1.0/24
- and the host 10.2.3.4
+ IPv4 Example 2 - All IPv4 addresses except the network
+ 192.168.1.0/24 and the host 10.2.3.4!192.168.1.0/24,10.1.3.4
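Review bot: the heading says the excluded host is 10.2.3.4, but the expression on the same rewritten line reads "!192.168.1.0/24,10.1.3.4"; the two must agree (use 10.2.3.4 in both).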
@@ -134,7 +135,7 @@ ACCEPT all!z2 net tcp 22
- Example 3 - All IPv4 addresses except the range
+ IPv4 Example 3 - All IPv4 addresses except the range
192.168.1.3-192.168.1.12 and the network 10.0.0.0/8
@@ -143,8 +144,8 @@ ACCEPT all!z2 net tcp 22
- Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
- and 192.168.1.9
+ IPv4 Example 4 - The network 192.168.1.0/24 except hosts
+ 192.168.1.3 and 192.168.1.9192.168.1.0/24!192.168.1.3,192.168.1.9
diff --git a/Shorewall/manpages/shorewall-hosts.xml b/Shorewall/manpages/shorewall-hosts.xml
index 98e4fff8e..fac38f2c3 100644
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/hosts
+ /etc/shorewall[6]/hosts
@@ -270,6 +270,8 @@ vpn ppp+:192.168.3.0/24FILES/etc/shorewall/hosts
+
+ /etc/shorewall6/hosts
diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml
index b386558cd..d8652f9e3 100644
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -199,11 +199,12 @@ loc eth2 -
arp_filter[={0|1}]
- If specified, this interface will only respond to ARP
- who-has requests for IP addresses configured on the interface.
- If not specified, the interface can respond to ARP who-has
- requests for IP addresses on any of the firewall's interface.
- The interface must be up when Shorewall is started.
+ IPv4 only. If specified, this interface will only
+ respond to ARP who-has requests for IP addresses configured on
+ the interface. If not specified, the interface can respond to
+ ARP who-has requests for IP addresses on any of the firewall's
+ interface. The interface must be up when Shorewall is
+ started.Only those interfaces with the
option will have their setting
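Review bot: "IP addresses on any of the firewall's interface" should be "interfaces" (plural); the sentence is being rewritten, so fix it here. Since the entry is now marked "IPv4 only", consider naming the /proc/sys/net/ipv4/conf/ setting it toggles, as the proxyarp entry in this file does, so the reader can see why it does not apply to IPv6.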
@@ -225,8 +226,8 @@ loc eth2 -
role="bold">arp_ignore[=number]
- If specified, this interface will respond to arp
- requests based on the value of number
+ IPv4 only. If specified, this interface will respond to
+ arp requests based on the value of number
(defaults to 1).1 - reply only if the target IP address is local address
@@ -411,8 +412,8 @@ loc eth2 -
the interface is a simple bridge with a
- DHCP server on one port and DHCP clients on another
+ url="/SimpleBridge.html">simple bridge with a DHCP
+ server on one port and DHCP clients on another
port.
@@ -467,15 +468,15 @@ loc eth2 -
role="bold">logmartians[={0|1}]
- Turn on kernel martian logging (logging of packets with
- impossible source addresses. It is strongly suggested that if
- you set routefilter on an
- interface that you also set logmartians. Even if you do not specify
- the option, it is a good idea to
- specify because your distribution
- may have enabled route filtering without you knowing
- it.
+ IPv4 only. Turn on kernel martian logging (logging of
+ packets with impossible source addresses. It is strongly
+ suggested that if you set routefilter on an interface that you
+ also set logmartians. Even if
+ you do not specify the option, it
+ is a good idea to specify because
+ your distribution may have enabled route filtering without you
+ knowing it.Only those interfaces with the
option will have their setting
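Review bot: the parenthesis opened in "(logging of packets with impossible source addresses." is never closed; close it after "addresses" in the rewritten line. In the sentence "Even if you do not specify the option, it is a good idea to specify because", the two option names (routefilter and logmartians) are absent in this rendering; verify the markup that carries them survived the re-wrap.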
@@ -576,8 +577,8 @@ loc eth2 -
nosmurfs
- Filter packets for smurfs (packets with a broadcast
- address as the source).
+ IPv4 only. Filter packets for smurfs (packets with a
+ broadcast address as the source).Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in a /proc/sys/net/ipv4/conf/
+ class="directory">/proc/sys/net/ipv[46]/conf/
entry for the interface cannot be modified (including for
- proxy ARP).
+ proxy ARP or proxy NDP).
@@ -638,7 +639,7 @@ loc eth2 -
proxyarp[={0|1}]
- Sets
+ IPv4 only. Sets
/proc/sys/net/ipv4/conf/interface/proxy_arp.
Do NOT use this option if you are employing Proxy ARP through
entries in
+
+ proxyndp[={0|1}]
+
+
+ IPv6 only. Sets
+ /proc/sys/net/ipv6/conf/interface/proxy_ndp.
+
+ Note: This option does
+ not work with a wild-card interface
+ name (e.g., eth0.+) in the INTERFACE column.
+
+ Only those interfaces with the
+ option will have their setting changed; the value assigned to
+ the setting will be the value specified (if any) or 1 if no
+ value is given.
+
+
+
required
@@ -700,8 +719,8 @@ loc eth2 -
role="bold">routefilter[={0|1|2}]
- Turn on kernel route filtering for this interface
- (anti-spoofing measure).
+ IPv4 only. Turn on kernel route filtering for this
+ interface (anti-spoofing measure).Only those interfaces with the
option will have their setting
@@ -886,10 +905,13 @@ loc eth2 -
role="bold">routefilter
sourceroute
+ role="bold">proxyarp
proxyndp
+ role="bold">proxyudp
+
+ sourceroute
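Review bot: the option list now contains "proxyudp", which is not an option defined anywhere in this file; the option added above is proxyndp, and proxyndp already appears in this list on the line just before it, so "proxyudp" looks like a typo and should be removed. "sourceroute" also ends up listed twice (once as unchanged context, once added at the end of the list).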
@@ -902,7 +924,9 @@ loc eth2 -
Incoming requests from this interface may be remapped
via UPNP (upnpd). See http://www.shorewall.net/UPnP.html.
+ url="/UPnP.html">http://www.shorewall.net/UPnP.html.
+ Supported in IPv4 and in IPv6 in Shorewall 5.1.4 and
+ later.
@@ -916,7 +940,8 @@ loc eth2 -
causes Shorewall to detect the default gateway through the
interface and to accept UDP packets from that gateway. Note
that, like all aspects of UPnP, this is a security hole so use
- this option at your own risk.
+ this option at your own risk. Supported in IPv4 and in IPv6 in
+ Shorewall 5.1.4 and later.
@@ -943,7 +968,7 @@ loc eth2 -
- Example 1:
+ IPv4 Example 1:Suppose you have eth0 connected to a DSL modem and eth1
@@ -956,7 +981,7 @@ loc eth2 -
Your entries for this setup would look like:
- FORMAT 1
+ ?FORMAT 1
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.191.149.223 dhcp
loc eth1 192.168.1.255
@@ -971,7 +996,7 @@ dmz eth2 192.168.2.255The same configuration without specifying broadcast addresses
is:
- FORMAT 2
+ ?FORMAT 2
#ZONE INTERFACE OPTIONS
net eth0 dhcp
loc eth1
@@ -986,7 +1011,7 @@ dmz eth2You have a simple dial-in system with no Ethernet
connections.
- FORMAT 2
+ ?FORMAT 2
#ZONE INTERFACE OPTIONS
net ppp0 -
@@ -999,7 +1024,7 @@ net ppp0 -
You have a bridge with no IP address and you want to allow
traffic through the bridge.
- FORMAT 2
+ ?FORMAT 2
#ZONE INTERFACE OPTIONS
- br0 bridge
@@ -1011,6 +1036,8 @@ net ppp0 -
FILES/etc/shorewall/interfaces
+
+ /etc/shorewall6/interfaces
diff --git a/Shorewall/manpages/shorewall-ipsets.xml b/Shorewall/manpages/shorewall-ipsets.xml
index 0bb47f632..47672c9ae 100644
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -251,21 +251,39 @@
/etc/shorewall/accounting
+ /etc/shorewall6/accounting
+
/etc/shorewall/blrules
+ /etc/shorewall6/blrules
+
/etc/shorewall/hosts -- Note:
Multiple matches enclosed in +[...] may not be used in this file.
+ /etc/shorewall6/hosts -- Note:
+ Multiple matches enclosed in +[...] may not be used in this file.
+
/etc/shorewall/maclist -- Note:
Multiple matches enclosed in +[...] may not be used in this file.
- /etc/shorewall/masq
+ /etc/shorewall6/maclist -- Note:
+ Multiple matches enclosed in +[...] may not be used in this file./etc/shorewall/rules
+ /etc/shorewall6/rules
+
/etc/shorewall/secmarks
+ /etc/shorewall6/secmarks
+
/etc/shorewall/mangle
+
+ /etc/shorewall6/mangle
+
+ /etc/shorewall/snat
+
+ /etc/shorewall6/snat
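Review bot: this hunk removes /etc/shorewall/masq from the list of files that accept ipsets, while shorewall-masq.xml is still maintained in this same patch (it gains IPv6 examples below). If the masq file still accepts ipsets, keep it listed next to the new snat entries; if it does not, say so on the masq page. Also the maclist note runs straight into "/etc/shorewall/rules" with no separator; check the markup there.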
diff --git a/Shorewall/manpages/shorewall-maclist.xml b/Shorewall/manpages/shorewall-maclist.xml
index 612c812e9..f3ff3375c 100644
--- a/Shorewall/manpages/shorewall-maclist.xml
+++ b/Shorewall/manpages/shorewall-maclist.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/maclist
+ /etc/shorewall[6]/maclist
@@ -97,6 +97,8 @@
FILES/etc/shorewall/maclist
+
+ /etc/shorewall6/maclist
diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml
index d27e7de55..2476a8779 100644
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -18,31 +18,17 @@
- /etc/shorewall/mangle
+ /etc/shorewall[6]/mangleDescription
- This file was introduced in Shorewall 4.6.0 and is intended to
- replace This file was introduced in Shorewall 4.6.0 and replaces shorewall-tcrules(5). This
file is only processed by the compiler if:
-
-
- No file named 'tcrules' exists on the current CONFIG_PATH (see
- shorewall.conf(5));
- or
-
-
-
- The first file named 'tcrules' found on the CONFIG_PATH contains
- no non-commentary entries.
-
-
-
Entries in this file cause packets to be marked as a means of
classifying them for traffic control or policy routing.
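Review bot: the conditions list is removed, but the unchanged lead-in "This file is only processed by the compiler if:" remains, leaving a sentence that ends in a colon with nothing after it. Either delete that lead-in together with the list or replace it with a statement of the current behaviour (for example that the file is always processed, if that is now the case).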
@@ -117,9 +103,7 @@
SOURCE is $FW, the generated rule is always placed in the OUTPUT
chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
Additionally, a chain-designator may not
- be specified in an action body unless the action is declared as
- in shorewall-actions(5).
+ be specified in an action body.
Where a command takes parameters, those parameters are
enclosed in parentheses ("(....)") and separated by commas.
@@ -365,8 +349,9 @@ DIVERTHA - - tcp
Added in Shorewall 5.0.6 as an alternative to entries in
- shorewall-ecn(5). If a
- PROTO is specified, it must be 'tcp' (6). If no PROTO is
+ shorewall-ecn(5).
+ If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
supplied, TCP is assumed. This action causes all ECN bits in
the TCP header to be cleared.
@@ -915,7 +900,8 @@ Normal-Service => 0x00
Matches packets leaving the firewall through the named
interface. May not be used in the PREROUTING chain (:P in the
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
- in shorewall.conf
+ in shorewall.conf
(5)).
@@ -1543,7 +1529,7 @@ Normal-Service => 0x00
- Example 1:
+ IPv4 Example 1:Mark all ICMP echo traffic with packet mark 1. Mark all peer
@@ -1572,7 +1558,7 @@ Normal-Service => 0x00
- Example 2:
+ IPv4 Example 2:SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -1584,12 +1570,41 @@ Normal-Service => 0x00
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
-/etc/shorewall/masq:
+/etc/shorewall/snat:
- #INTERFACE SOURCE ADDRESS ...
- eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C
- eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C
- eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C
+ #ACTION SOURCE DEST ...
+ SNAT(1.1.1.1) eth0:192.168.1.0/24 - { mark=1:C }
+ SNAT(1.1.1.3) eth0:192.168.1.0/24 - { mark=2:C }
+ SNAT(1.1.1.4) eth0:192.168.1.0/24 - { mark=3:C }
+
+
+
+
+ IPv6 Example 1:
+
+
+ Mark all ICMP echo traffic with packet mark 1. Mark all peer
+ to peer traffic with packet mark 4.
+
+ This is a little more complex than otherwise expected. Since
+ the ipp2p module is unable to determine all packets in a connection
+ are P2P packets, we mark the entire connection as P2P if any of the
+ packets are determined to match.
+
+ We assume packet/connection mark 0 means unclassified.
+
+ #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
+ MARK(1):T ::/0 ::/0 icmp echo-request
+ MARK(1):T ::/0 ::/0 icmp echo-reply
+ RESTORE:T ::/0 ::/0 all - - - 0
+ CONTINUE:T ::/0 ::/0 all - - - !0
+ MARK(4):T ::/0 ::/0 ipp2p:all
+ SAVE:T ::/0 ::/0 all - - - !0
+
+ If a packet hasn't been classified (packet mark is 0), copy
+ the connection mark to the packet mark. If the packet mark is set,
+ we're done. If the packet is P2P, set the packet mark to 4. If the
+ packet mark has been set, save it to the connection mark.
@@ -1599,6 +1614,8 @@ Normal-Service => 0x00
FILES/etc/shorewall/mangle
+
+ /etc/shorewall6/mangle
diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml
index c255b67e6..deac60c23 100644
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/masq
+ /etc/shorewall[6]/masq
@@ -579,7 +579,7 @@
- Example 1:
+ IPv4 Example 1:You have a simple masquerading setup where eth0 connects to a
@@ -594,7 +594,7 @@
- Example 2:
+ IPv4 Example 2:You add a router to your local network to connect subnet
@@ -607,7 +607,7 @@
- Example 3:
+ IPv4 Example 3:You have an IPSEC tunnel through ipsec0 and you want to
@@ -620,7 +620,7 @@
- Example 4:
+ IPv4 Example 4:You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -634,7 +634,7 @@
- Example 5:
+ IPv4 Example 5:You want all outgoing SMTP traffic entering the firewall from
@@ -654,7 +654,7 @@
- Example 6:
+ IPv4 Example 6:Connections leaving on eth0 and destined to any host defined
@@ -667,7 +667,7 @@
- Example 7:
+ IPv4 Example 7:SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -689,7 +689,7 @@
- Example 8:
+ IPv4 Example 8:Your eth1 has two public IP addresses: 70.90.191.121 and
@@ -716,6 +716,49 @@
+
+
+ IPv6 Example 1:
+
+
+ You have a simple 'masquerading' setup where eth0 connects to
+ a DSL or cable modem and eth1 connects to your local network with
+ subnet 2001:470:b:787::0/64
+
+ Your entry in the file will be:
+
+ #INTERFACE SOURCE ADDRESS
+ eth0 2001:470:b:787::0/64 -
+
+
+
+
+ IPv6 Example 2:
+
+
+ Your sit1 interface has two public IP addresses:
+ 2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
+ iptables statistics match to masquerade outgoing connections evenly
+ between these two addresses.
+
+ /etc/shorewall/masq:
+
+ #INTERFACE SOURCE ADDRESS
+ INLINE(sit1) ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
+ sit1 ::/0 2001:470:a:227::2
+
+
+ If INLINE_MATCHES=Yes in shorewall6.conf(5),
+ then these rules may be specified as follows:
+
+ /etc/shorewall/masq:
+
+ #INTERFACE SOURCE ADDRESS
+ sit1 ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
+ sit1 ::/0 2001:470:a:227::2
+
+
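Review bot: the IPv6 examples still label the file "/etc/shorewall/masq" (twice), although the prose refers to shorewall6.conf(5) and the FILES hunk below adds /etc/shorewall6/masq; use /etc/shorewall6/masq. In IPv6 Example 2 the prose names the addresses 2001:470:a:227::1 and 2001:470:b:227::1, but the rules use 2001:470:a:227::1 and 2001:470:a:227::2; make them agree. "iptables statistics match" should read "ip6tables" in an IPv6 example.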
@@ -723,6 +766,8 @@
FILES/etc/shorewall/masq
+
+ /etc/shorewall6/masq
diff --git a/Shorewall/manpages/shorewall-modules.xml b/Shorewall/manpages/shorewall-modules.xml
index 55112cab4..0601ed067 100644
--- a/Shorewall/manpages/shorewall-modules.xml
+++ b/Shorewall/manpages/shorewall-modules.xml
@@ -18,11 +18,11 @@
- /usr/share/shorewall/modules
+ /usr/share/shorewall[6]/modules
- /usr/share/shorewall/helpers
+ /usr/share/shorewall[6]/helpers
@@ -82,6 +82,14 @@
/etc/shorewall/modules/etc/shorewall/helpers
+
+ /usr/share/shorewall6/modules
+
+ /usr/share/shorewall6/helpers
+
+ /etc/shorewall6/modules
+
+ /etc/shorewall6/helpers
diff --git a/Shorewall/manpages/shorewall-nat.xml b/Shorewall/manpages/shorewall-nat.xml
index 50c29b4f4..2d07af1cc 100644
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -34,6 +34,8 @@
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1. Also,
in many cases, Proxy ARP (shorewall-proxyarp(5))
+ or Proxy-NDP(shorewall6-proxyndp(5))
is a better solution that one-to-one NAT.
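Review bot: "is a better solution that one-to-one NAT" should be "than"; the unchanged line is adjacent to the edit, so fix it here. The added "Proxy-NDP(shorewall6-proxyndp(5))" needs a space before the parenthesis, matching "Proxy ARP (shorewall-proxyarp(5))" on the line above.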
@@ -208,6 +210,8 @@ all all REJECT info
FILES/etc/shorewall/nat
+
+ /etc/shorewall6/nat
diff --git a/Shorewall/manpages/shorewall-nesting.xml b/Shorewall/manpages/shorewall-nesting.xml
index 48598e82a..c4366106f 100644
--- a/Shorewall/manpages/shorewall-nesting.xml
+++ b/Shorewall/manpages/shorewall-nesting.xml
@@ -200,6 +200,16 @@
/etc/shorewall/policy/etc/shorewall/rules
+
+ /etc/shorewall6/zones
+
+ /etc/shorewall6/interfaces
+
+ /etc/shorewall6/hosts
+
+ /etc/shorewall6/policy
+
+ /etc/shorewall6/rules
diff --git a/Shorewall/manpages/shorewall-netmap.xml b/Shorewall/manpages/shorewall-netmap.xml
index 56b714ae7..3b1ad6420 100644
--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/netmap
+ /etc/shorewall[6]/netmap
@@ -44,8 +44,6 @@
role="bold">SNAT}
- Must be DNAT or SNAT
-
If DNAT, traffic entering INTERFACE and addressed to NET1 has
its destination address rewritten to the corresponding address in
NET2.
@@ -169,6 +167,8 @@
FILES/etc/shorewall/netmap
+
+ /etc/shorewall6/netmap
diff --git a/Shorewall/manpages/shorewall-params.xml b/Shorewall/manpages/shorewall-params.xml
index 1a923fc8f..c18081eaa 100644
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/params
+ /etc/shorewall[6]/params
@@ -107,7 +107,7 @@
NET_IF=eth0
NET_BCAST=130.252.100.255
-NET_OPTIONS=routefilter,norfc1918
+NET_OPTIONS=routefilter
Example shorewall-interfaces(5)
@@ -119,13 +119,15 @@ net $NET_IF $NET_BCAST $NET_OPTIONS
This is the same as if the interfaces file had contained:ZONE INTERFACE BROADCAST OPTIONS
-net eth0 130.252.100.255 routefilter,norfc1918
+net eth0 130.252.100.255 routefilter
FILES/etc/shorewall/params
+
+ /etc/shorewall6/params
diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index 523731c37..bd21c68c8 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/policy
+ /etc/shorewall[6]/policy
@@ -33,25 +33,30 @@
The order of entries in this file is importantThis file determines what to do with a new connection request if
- we don't get a match from the /etc/shorewall/rules file . For each
- source/destination pair, the file is processed in order until a match is
- found ("all" will match any source or destination).
+ we don't get a match from the shorewall-blrules(5) or
+ shorewall-rules(5)
+ files. For each source/destination pair, the file is processed in order
+ until a match is found ("all" will match any source or
+ destination).
Intra-zone policies are pre-defined
- For $FW and for all of the zones defined in /etc/shorewall/zones,
- the POLICY for connections from the zone to itself is ACCEPT (with no
+ For $FW and for all of the zones defined in shorewall-zones(5), the
+ POLICY for connections from the zone to itself is ACCEPT (with no
logging or TCP connection rate limiting) but may be overridden by an
entry in this file. The overriding entry must be explicit (specifying
the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall
4.5.17 or later).
- Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
- then the implicit policy to/from any sub-zone is CONTINUE. These
- implicit CONTINUE policies may also be overridden by an explicit entry
- in this file.
+ Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf(5), then the
+ implicit policy to/from any sub-zone is CONTINUE. These implicit
+ CONTINUE policies may also be overridden by an explicit entry in this
+ file.The columns in the file are as follows (where the column name is
@@ -396,6 +401,8 @@
FILES/etc/shorewall/policy
+
+ /etc/shorewall6/policy
diff --git a/Shorewall/manpages/shorewall-providers.xml b/Shorewall/manpages/shorewall-providers.xml
index 6df17ac9e..a6bc454f6 100644
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -82,14 +82,11 @@
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)
file to direct packets to this provider.
- If HIGH_ROUTE_MARKS=Yes in If PROVIDER_OFFSET is non-zero in shorewall.conf(5), then
- the value must be a multiple of 256 between 256 and 65280 or their
- hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
- of the value being zero). Otherwise, the value must be between 1 and
- 255. Each provider must be assigned a unique mark value. This column
- may be omitted if you don't use packet marking to direct connections
- to a particular provider.
+ the value must be a mutiple of 2^^PROVIDER_OFFSET. In all cases, the
+ number of significant bits may not exceed PROVIDER_OFFSET +
+ PROVIDER_BITS.
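Review bot: "mutiple" is a typo for "multiple", and "2^^PROVIDER_OFFSET" has a doubled caret; write 2^PROVIDER_OFFSET or spell it out. The replacement also drops the guidance that each provider needs a unique mark value and that the column may be omitted when marks are not used to select a provider; unless those points are stated elsewhere on the page, keep those two sentences.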
@@ -116,9 +113,9 @@
listed in shorewall-interfaces(5).
In general, that interface should not have the
- option specified unless
- is given in the OPTIONS column of this
- entry.
+ or option
+ specified unless is given in the OPTIONS
+ column of this entry.
Where more than one provider is serviced through a single
interface, the interface must be followed by a
@@ -461,7 +458,7 @@
- Example 1:
+ IPv4 Example 1:You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
@@ -473,7 +470,7 @@
- Example 2:
+ IPv4 Example 2:eth0 connects to ISP 1. The IP address of eth0 is
@@ -491,6 +488,36 @@
ISP2 2 2 main eth1 130.252.99.254 track,balance eth2
+
+
+ IPv6 Example 1:
+
+
+ You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2.
+ Your DMZ interface is eth2
+
+ #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
+ Squid 1 1 - eth2 2002:ce7c:92b4:1::2 -
+
+
+
+
+ IPv6 Example 2:
+
+
+ eth0 connects to ISP 1. The ISP's gateway router has IP
+ address 2001:ce7c:92b4:1::2.
+
+ eth1 connects to ISP 2. The ISP's gateway router has IP
+ address 2001:d64c:83c9:12::8b.
+
+ eth2 connects to a local network.
+
+ #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+ ISP1 1 1 main eth0 2001:ce7c:92b4:1::2 track eth2
+ ISP2 2 2 main eth1 2001:d64c:83c9:12::8b track eth2
+
+
@@ -498,6 +525,8 @@
FILES/etc/shorewall/providers
+
+ /etc/shorewall6/providers
diff --git a/Shorewall/manpages/shorewall-routes.xml b/Shorewall/manpages/shorewall-routes.xml
index b65222862..1c26dc073 100644
--- a/Shorewall/manpages/shorewall-routes.xml
+++ b/Shorewall/manpages/shorewall-routes.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/routes
+ /etc/shorewall[6]/routes
@@ -109,6 +109,8 @@
FILES/etc/shorewall/routes
+
+ /etc/shorewall6/routes
diff --git a/Shorewall/manpages/shorewall-rtrules.xml b/Shorewall/manpages/shorewall-rtrules.xml
index 03b5e4bb9..7dbfb4a63 100644
--- a/Shorewall/manpages/shorewall-rtrules.xml
+++ b/Shorewall/manpages/shorewall-rtrules.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/rtrules
+ /etc/shorewall[6]/rtrules
@@ -177,7 +177,7 @@
- Example 2:
+ IPv4 Example 2:You use OpenVPN (routed setup /tunX) in combination with
@@ -199,6 +199,8 @@
FILES/etc/shorewall/rtrules
+
+ /etc/shorewall6/rtrules
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 3f04c6c1b..f17b6f95e 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/rules
+ /etc/shorewall[6]/rules
@@ -54,7 +54,8 @@
This section was added in Shorewall 4.4.23. Rules in this
section are applied, regardless of the connection tracking state of
- the packet.
+ the packet and are applied before rules in the other
+ sections.
@@ -211,7 +212,8 @@
role="bold">DNAT[-] or REDIRECT[-] rules.
+ role="bold">-] rules. Use with IPv6 requires
+ Shorewall 4.5.14 or later.
@@ -232,7 +234,7 @@
The name of an action declared in
shorewall-actions(5)
- or in /usr/share/shorewall/actions.std.
+ or in /usr/share/shorewall[6]/actions.std.
@@ -286,7 +288,8 @@
Added in Shorewall 4.4.20. Audited versions of ACCEPT,
ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
- in the kernel and iptables.
+ in the kernel and iptables. A_ACCEPT+ with IPv6 requires
+ Shorewall 4.5.14 or later.
@@ -401,7 +404,8 @@
Forward the request to another system (and optionally
- another port).
+ another port). Use with IPv6 requires Shorewall 4.5.14 or
+ later.
@@ -414,7 +418,8 @@
Like DNAT but only
generates the DNAT iptables
rule and not the companion ACCEPT rule.
+ role="bold">ACCEPT rule. Use with IPv6 requires
+ Shorewall 4.5.14 or later.
@@ -496,11 +501,11 @@
[option ...])
- This action allows you to specify an iptables target
- with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
- the iptables-target is not one
- recognized by Shorewall, the following error message will be
- issued:
+ IPv4 only. This action allows you to specify an iptables
+ target with options (e.g., 'IPTABLES(MARK --set-xmark
+ 0x01/0xff)'. If the iptables-target
+ is not one recognized by Shorewall, the following error
+ message will be issued: ERROR: Unknown target (iptables-target)
@@ -521,6 +526,39 @@
+
+ IP6TABLES({ip6tables-target
+ [option ...])
+
+
+ IPv6 only. This action allows you to specify an
+ ip6tables target with options (e.g., 'IPTABLES(MARK
+ --set-xmark 0x01/0xff)'. If the
+ ip6tables-target is not one
+ recognized by Shorewall, the following error message will be
+ issued:
+
+ ERROR: Unknown target (ip6tables-target)
+
+ This error message may be eliminated by adding
+ the
+ ip6tables-target as a
+ builtin action in shorewall-actions(5).
+
+
+ If you specify REJECT as the
+ ip6tables-target, the target of
+ the rule will be the i6ptables REJECT target and not
+ Shorewall's builtin 'reject' chain which is used when REJECT
+ (see below) is specified as the
+ target in the ACTION
+ column.
+
+
+
+
LOG:level
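Review bot: the IP6TABLES entry reuses the IPv4 example verbatim, "IPTABLES(MARK --set-xmark 0x01/0xff)"; it should read "IP6TABLES(MARK --set-xmark 0x01/0xff)". "i6ptables REJECT target" is a typo for "ip6tables". Otherwise the entry mirrors the IPTABLES one, which is what is wanted.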
@@ -673,7 +711,8 @@
Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] rules but doesn't generate
- a rule to accept the traffic.
+ a rule to accept the traffic. Use with IPv6 requires Shorewall
+ 4.5.14 or later.
@@ -708,7 +747,7 @@
Beginning with Shorewall 5.0.8, the type of reject may
be specified in the option
- paramater. Valid option values
+ paramater. Valid IPv4 option values
are:
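Review bot: "paramater" survives in the rewritten line ("paramater. Valid IPv4 option values are:"); correct it to "parameter".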
@@ -731,6 +770,28 @@
option may also be specified as
.
+
+ Valid IPv6 option values
+ are:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ (the PROTO column must
+ specify TCP)
+
@@ -749,7 +810,8 @@
Redirect the request to a server running on the
- firewall.
+ firewall. Use with IPv6 requires Shorewall 4.5.14 or
+ later.
@@ -762,7 +824,8 @@
Like REDIRECT but only
generates the REDIRECT
iptables rule and not the companion ACCEPT rule.
+ role="bold">ACCEPT rule. Use with IPv6 requires
+ Shorewall 4.5.14 or later.
@@ -842,9 +905,9 @@
role="bold">ULOG[(ulog-parameters)]
- Added in Shorewall 4.5.10. Queues matching packets to a
- back end logging daemon via a netlink socket then continues to
- the next rule. See IPv4 only. Added in Shorewall 4.5.10. Queues matching
+ packets to a back end logging daemon via a netlink socket then
+ continues to the next rule. See http://www.shorewall.net/shorewall_logging.html.Similar to
@@ -889,10 +952,10 @@
- You may also specify ULOG or
- NFLOG (must be in upper case) as a
- log level.This will log to the ULOG or NFLOG target for routing to a
- separate log through use of ulogd (You may also specify ULOG
+ (IPv4 only) or NFLOG (must be in
+ upper case) as a log level.This will log to the ULOG or NFLOG target
+ for routing to a separate log through use of ulogd (http://www.netfilter.org/projects/ulogd/index.html).Actions specifying logging may be followed by a log tag (a
@@ -922,9 +985,9 @@
The name of a zone defined in shorewall-zones(5). When
- only the zone name is specified, the packet source may be any
- host in that zone.
+ url="/manpages/shorewall-zones.html">shorewall-zones(5).
+ When only the zone name is specified, the packet source may be
+ any host in that zone.zone may also be one of the following:
@@ -991,9 +1054,10 @@
zone in either shorewall-interfaces(5)
or shorewall-hosts(5). Only
- packets from hosts in the zone that
- arrive through the named interface will match the rule.
+ url="/manpages/shorewall.hosts.html">shorewall-hosts(5).
+ Only packets from hosts in the zone
+ that arrive through the named interface will match the
+ rule.
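Review bot: the new link target url="/manpages/shorewall.hosts.html" uses a dot where every other reference in this patch (for example the matching DEST hunk below) uses "/manpages/shorewall-hosts.html"; as written it will be a broken link.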
@@ -1208,6 +1272,49 @@
of the net zone.
+
+
+ dmz:[2002:ce7c:2b4:1::2]
+
+
+ Host 2002:ce7c:92b4:1::2 in the DMZ
+
+
+
+
+ net:2001:4d48:ad51:24::/64
+
+
+ Subnet 2001:4d48:ad51:24::/64 on the Internet
+
+
+
+
+ loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]
+
+
+ Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
+ local zone.
+
+
+
+
+ loc:~00-A0-C9-15-39-78
+
+
+ Host in the local zone with MAC address
+ 00:A0:C9:15:39:78.
+
+
+
+
+ net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80
+
+
+ Subnet 2001:4d48:ad51:24::/64 on the Internet except for
+ 2001:4d48:ad51:24:6::/80.
+
+
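Review bot: several of the added IPv6 addresses are not valid and one example does not match its own description. "2002:cec792b4:1::2" and "2002:cec792b4:1::44" contain an eight-digit group (a group is at most four hex digits), and the dmz entry gives 2002:ce7c:2b4:1::2 while its description says 2002:ce7c:92b4:1::2. Suggest using one consistent set of addresses from the documentation prefix 2001:db8::/32 for all of these examples.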
@@ -1229,9 +1336,9 @@
The name of a zone defined in shorewall-zones(5). When
- only the zone name is specified, the packet destination may be
- any host in that zone.
+ url="/manpages/shorewall-zones.html">shorewall-zones(5).
+ When only the zone name is specified, the packet destination
+ may be any host in that zone.
zone may also be one of the following:
@@ -1298,9 +1405,9 @@
zone in either shorewall-interfaces(5)
or shorewall-hosts(5). Only
- packets to hosts in the zone that
- are sent through the named interface will match the
+ url="/manpages/shorewall-hosts.html">shorewall-hosts(5).
+ Only packets to hosts in the zone
+ that are sent through the named interface will match the
rule.
@@ -2082,12 +2189,100 @@
- HEADERS
+ HEADERS -
+ [!][any:|exactly:]header-list
+ (Optional - Added in Shorewall 4.4.15)
- Added in Shorewall 4.4.15. Not used in IPv4 configurations. If
- you with to supply a value for one of the later columns, enter '-'
- in this column.
+ This column is only used in IPv6. In IPv4, supply "-" in this
+ column if you with to place a value in one of the following
+ columns.
+
+ The header-list consists of a
+ comma-separated list of headers from the following list.
+
+
+
+ auth, ah, or 51
+
+
+ Authentication Headers extension
+ header.
+
+
+
+
+ esp, or 50
+
+
+ Encrypted Security Payload
+ extension header.
+
+
+
+
+ hop, hop-by-hop or 0
+
+
+ Hop-by-hop options extension header.
+
+
+
+
+ route, ipv6-route or 43
+
+
+ IPv6 Route extension header.
+
+
+
+
+ frag, ipv6-frag or 44
+
+
+ IPv6 fragmentation extension header.
+
+
+
+
+ none, ipv6-nonxt or 59
+
+
+ No next header
+
+
+
+
+ proto, protocol or 255
+
+
+ Any protocol header.
+
+
+
+
+ If any: is specified, the
+ rule will match if any of the listed headers are present. If
+ exactly: is specified, the will
+ match packets that exactly include all specified headers. If neither
+ is given, any: is assumed.
+
+ If ! is entered, the rule
+ will match those packets which would not be matched when ! is omitted.
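Review bot: "you with to place a value" repeats the original "you with to" typo (should be "wish"), and "If exactly: is specified, the will match packets" is missing the word "rule". In the header list, "Encrypted Security Payload" should be "Encapsulating Security Payload" (ESP, protocol 50), and "No next header" lacks the terminating period the other entries have.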
@@ -2413,6 +2608,20 @@
SECCTX builtin
+
+
+ Example 15:
+
+
+ You want to accept SSH connections to your firewall only from
+ internet IP addresses 2002:ce7c::92b4:1::2 and
+ 2002:ce7c::92b4:1::22
+
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+ ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
+ $FW tcp 22
+
+
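Review bot: the two addresses in Example 15, 2002:ce7c::92b4:1::2 and 2002:ce7c::92b4:1::22, each contain "::" twice, which is not a valid IPv6 address ("::" may appear at most once). The same pair should be used, in valid form, in both the prose and the rule so the example can be copied as-is.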
@@ -2420,6 +2629,8 @@
FILES/etc/shorewall/rules
+
+ /etc/shorewall6/rules
diff --git a/Shorewall/manpages/shorewall-secmarks.xml b/Shorewall/manpages/shorewall-secmarks.xml
index 89c35344d..64e0e1f73 100644
--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/secmarks
+ /etc/shorewall[6]/secmarks
@@ -229,7 +229,7 @@
role="bold">all}[,...]
- See See shorewall-rules(5) for
details.
@@ -404,6 +404,8 @@ RESTORE I:ER
FILES/etc/shorewall/secmarks
+
+ /etc/shorewall6/secmarks
diff --git a/Shorewall/manpages/shorewall-snat.xml b/Shorewall/manpages/shorewall-snat.xml
index acf68160c..75fa88f56 100644
--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/snat
+ /etc/shorewall[6]/snat
@@ -86,7 +86,7 @@
ADD_SNAT_ALIASES is set to Yes or yes in shorewall.conf(5)
then Shorewall will automatically add this address to the
- INTERFACE named in the first column.
+ INTERFACE named in the first column (IPv4 only).
You may also specify a range of up to 256 IP addresses
if you want the SNAT address to be assigned from that range in
@@ -105,9 +105,7 @@
role="bold">:random) with :persistent. This is only useful when
an address range is specified and causes a client to be given
- the same source/destination IP pair. This feature replaces the
- SAME modifier which was removed from Shorewall in version
- 4.4.0.
+ the same source/destination IP pair.
You may also use the special value
which causes Shorewall to determine
@@ -150,8 +148,8 @@
where action is an action
declared in shorewall-actions(5) with
- the option. See shorewall-actions(5)
+ with the option. See www.shorewall.net/Actions.html for
further information.
@@ -257,7 +255,8 @@
If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number here. See
- shorewall-rules(5) for
+ shorewall-rules(5) for
details.Beginning with Shorewall 4.5.12, this column can accept a
@@ -599,7 +598,7 @@
- Example 1:
+ IPv4 Example 1:You have a simple masquerading setup where eth0 connects to a
@@ -614,7 +613,7 @@
- Example 2:
+ IPv4 Example 2:You add a router to your local network to connect subnet
@@ -628,7 +627,7 @@
- Example 3:
+ IPv4 Example 3:You want all outgoing traffic from 192.168.1.0/24 through eth0
@@ -642,7 +641,7 @@
- Example 4:
+ IPv4 Example 4:You want all outgoing SMTP traffic entering the firewall from
@@ -666,7 +665,7 @@
- Example 5:
+ IPv4 Example 5:Connections leaving on eth0 and destined to any host defined
@@ -679,7 +678,7 @@
- Example 6:
+ IPv4 Example 6:SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@@ -701,19 +700,34 @@
- Example 7:
+ IPv6 Example 1:
- Your eth1 has two public IP addresses: 70.90.191.121 and
- 70.90.191.123. You want to use the iptables statistics match to
- masquerade outgoing connections evenly between these two
- addresses.
+ You have a simple 'masquerading' setup where eth0 connects to
+ a DSL or cable modem and eth1 connects to your local network with
+ subnet 2001:470:b:787::0/64
+
+ Your entry in the file will be:
+
+ #ACTION SOURCE DEST
+ MASQUERADE 2001:470:b:787::0/64 eth0
+
+
+
+
+ IPv6 Example 2:
+
+
+ Your sit1 interface has two public IP addresses:
+ 2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
+ iptables statistics match to masquerade outgoing connections evenly
+ between these two addresses./etc/shorewall/snat:
- #ACTION SOURCE DEST
- SNAT(70.90.191.121) - eth1 { probability=.50 }
- SNAT(70.90.191.123) - eth1
+ #ACTION SOURCE DEST
+ SNAT(2001:470:a:227::1) ::/0 sit1 { probability=0.50 }
+ SNAT(2001:470:a:227::2) ::/0 sit
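Review bot: IPv6 Example 2 is internally inconsistent: the prose names 2001:470:a:227::1 and 2001:470:b:227::1, but the entries use 2001:470:a:227::1 and 2001:470:a:227::2, and the DEST of the last entry is "sit" rather than the "sit1" named in the prose. The prose also still says "iptables statistics match" where this is an ip6tables example.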
@@ -723,6 +737,8 @@
FILES/etc/shorewall/snat
+
+ /etc/shorewall6/snat
diff --git a/Shorewall/manpages/shorewall-stoppedrules.xml b/Shorewall/manpages/shorewall-stoppedrules.xml
index f6aab918b..a0155d73b 100644
--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@@ -19,7 +19,7 @@
- /etc/shorewall/stoppedrules
+ /etc/shorewall[6]/stoppedrules
@@ -153,6 +153,8 @@
FILES/etc/shorewall/stoppedrules
+
+ /etc/shorewall6/stoppedrules
diff --git a/Shorewall/manpages/shorewall-tcclasses.xml b/Shorewall/manpages/shorewall-tcclasses.xml
index 90e59f25f..389f17eca 100644
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/tcclasses
+ /etc/shorewall[6]/tcclasses
@@ -763,6 +763,8 @@
FILES/etc/shorewall/tcclasses
+
+ /etc/shorewall6/tcclasses
diff --git a/Shorewall/manpages/shorewall-tcdevices.xml b/Shorewall/manpages/shorewall-tcdevices.xml
index 6c5f77e2e..97432e944 100644
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/tcdevices
+ /etc/shorewall[6]/tcdevices
@@ -276,6 +276,8 @@
FILES/etc/shorewall/tcdevices
+
+ /etc/shorewall6/tcdevices
diff --git a/Shorewall/manpages/shorewall-tcfilters.xml b/Shorewall/manpages/shorewall-tcfilters.xml
index db51a3f1e..6c5c9f015 100644
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/tcfilters
+ /etc/shorewall[6]/tcfilters
@@ -89,12 +89,12 @@
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the Basic
Ematch capability and you set BASIC_FILTERS=Yes in
- shorewall.conf (5). The
- ipset name may optionally be followed by a number or a comma
- separated list of src and/or dst enclosed in square brackets
- ([...]). See shorewall-ipsets(5) for
- details.
+ shorewall.conf
+ (5). The ipset name may optionally be followed by a number
+ or a comma separated list of src and/or dst enclosed in square
+ brackets ([...]). See shorewall-ipsets(5)
+ for details.
@@ -108,12 +108,12 @@
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the Basic
Ematch capability and you set BASIC_FILTERS=Yes in
- shorewall.conf (5). The
- ipset name may optionally be followed by a number or a comma
- separated list of src and/or dst enclosed in square brackets
- ([...]). See shorewall-ipsets(5) for
- details.
+ shorewall.conf
+ (5). The ipset name may optionally be followed by a number
+ or a comma separated list of src and/or dst enclosed in square
+ brackets ([...]). See shorewall-ipsets(5)
+ for details.
You may exclude certain hosts from the set already defined
through use of an exclusion (see
- Example 1:
+ IPv4 Example 1:Place all 'ping' traffic on interface 1 in class 10. Note that
@@ -310,7 +310,7 @@
- Example 2:
+ IPv4 Example 2:Add two filters with priority 10 (Shorewall 4.5.8 or
@@ -324,6 +324,22 @@
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 10
+
+
+ IPv6 Example 1:
+
+
+ Add two filters with priority 10 (Shorewall 4.5.8 or
+ later).
+
+ #CLASS SOURCE DEST PROTO DPORT PRIORITY
+
+ IPV6
+
+ 1:10 ::/0 ::/0 icmp echo-request 10
+ 1:10 ::/0 ::/0 icmp echo-reply 10
+
+
@@ -331,6 +347,8 @@
FILES/etc/shorewall/tcfilters
+
+ /etc/shorewall6/tcfilters
diff --git a/Shorewall/manpages/shorewall-tcinterfaces.xml b/Shorewall/manpages/shorewall-tcinterfaces.xml
index 1bc40c57b..b2837f02a 100644
--- a/Shorewall/manpages/shorewall-tcinterfaces.xml
+++ b/Shorewall/manpages/shorewall-tcinterfaces.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/tcinterfaces
+ /etc/shorewall[6]/tcinterfaces
@@ -201,7 +201,9 @@
FILES
- /etc/shorewall/tcinterfaces.
+ /etc/shorewall/tcinterfaces
+
+ /etc/shorewall6/tcinterfaces
diff --git a/Shorewall/manpages/shorewall-tcpri.xml b/Shorewall/manpages/shorewall-tcpri.xml
index dc68f60d3..335e9840e 100644
--- a/Shorewall/manpages/shorewall-tcpri.xml
+++ b/Shorewall/manpages/shorewall-tcpri.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/tcpri
+ /etc/shorewall[6]/tcpri
@@ -148,6 +148,8 @@
FILES/etc/shorewall/tcpri
+
+ /etc/shorewall6/tcpri
diff --git a/Shorewall/manpages/shorewall-tunnels.xml b/Shorewall/manpages/shorewall-tunnels.xml
index aafef2135..a78ac716c 100644
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/tunnels
+ /etc/shorewall[6]/tunnels
@@ -173,7 +173,7 @@
- Example 1:
+ IPv4 Example 1:IPSec tunnel.
@@ -187,7 +187,7 @@
- Example 2:
+ IPv4 Example 2:Road Warrior (LapTop that may connect from anywhere) where the
@@ -199,7 +199,7 @@
- Example 3:
+ IPv4 Example 3:Host 4.33.99.124 is a standalone system connected via an ipsec
@@ -211,7 +211,7 @@
- Example 4:
+ IPv4 Example 4:Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
@@ -225,7 +225,7 @@
- Example 5:
+ IPv4 Example 5:You run the Linux PPTP client on your firewall and connect to
@@ -237,7 +237,7 @@
- Example 6:
+ IPv4 Example 6:You run a PPTP server on your firewall.
@@ -260,7 +260,7 @@
- Example 8:
+ IPv4 Example 8:You have a tunnel that is not one of the supported types. Your
@@ -273,7 +273,7 @@
- Example 9:
+ IPv4 Example 9:TINC tunnel where the remote gateways are not specified. If
@@ -284,6 +284,83 @@
tinc net 0.0.0.0/0
+
+
+ IPv6 Example 1:
+
+
+ IPSec tunnel.
+
+ The remote gateway is 2001:cec792b4:1::44. The tunnel does not
+ use the AH protocol
+
+ #TYPE ZONE GATEWAY
+ ipsec:noah net 2002:cec792b4:1::44
+
+
+
+
+ IPv6 Example 2:
+
+
+ Road Warrior (LapTop that may connect from anywhere) where the
+ "gw" zone is used to represent the remote LapTop
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ ipsec net ::/0 gw
+
+
+
+
+ IPv6 Example 3:
+
+
+ Host 2001:cec792b4:1::44 is a standalone system connected via
+ an ipsec tunnel to the firewall system. The host is in zone
+ gw.
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ ipsec net 2001:cec792b4:1::44 gw
+
+
+
+
+ IPv6 Example 4:
+
+
+ OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
+ openvpn uses port 7777.
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ openvpn:7777 net 2001:cec792b4:1::44
+
+
+
+
+ IPv6 Example 8:
+
+
+ You have a tunnel that is not one of the supported types. Your
+ tunnel uses UDP port 4444. The other end of the tunnel is
+ 2001:cec792b4:1::44.
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ generic:udp:4444 net 2001:cec792b4:1::44
+
+
+
+
+ IPv6 Example 9:
+
+
+ TINC tunnel where the remote gateways are not specified. If
+ you wish to specify a list of gateways, you can do so in the GATEWAY
+ column.
+
+ #TYPE ZONE GATEWAY GATEWAY ZONES
+ tinc net ::/0
+
+
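Review bot: the tunnel examples use addresses of the form 2001:cec792b4:1::44, which is not a valid IPv6 address (the group cec792b4 has eight hex digits), and IPv6 Example 1's prose says 2001:cec792b4:1::44 while its entry says 2002:cec792b4:1::44. The sentence "The tunnel does not use the AH protocol" in that example also lacks its terminating period.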
@@ -291,6 +368,8 @@
FILES/etc/shorewall/tunnels
+
+ /etc/shorewall6/tunnels
diff --git a/Shorewall/manpages/shorewall-vardir.xml b/Shorewall/manpages/shorewall-vardir.xml
index 670daa8fb..c6978f50e 100644
--- a/Shorewall/manpages/shorewall-vardir.xml
+++ b/Shorewall/manpages/shorewall-vardir.xml
@@ -18,7 +18,7 @@
- /etc/shorewall/vardir
+ /etc/shorewall[6]/vardir
@@ -28,7 +28,8 @@
This file does not exist by default. You may create the file if you
want to change the directory used by Shorewall to store state information,
including compiled firewall scripts. By default, the directory used is
- /var/lib/shorewall/.
+ /var/lib/shorewall/ for IPv4 and /var/lib/shorewall6/
+ for IPv6
The file contains a single variable assignment:
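Review bot: the added sentence ends without a period; "/var/lib/shorewall6/ for IPv6" should be "/var/lib/shorewall6/ for IPv6."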
@@ -50,6 +51,8 @@
FILES/etc/shorewall/vardir
+
+ /etc/shorewall6/vardir
diff --git a/Shorewall/manpages/shorewall-zones.xml b/Shorewall/manpages/shorewall-zones.xml
index 23bef021d..1ad3f8e39 100644
--- a/Shorewall/manpages/shorewall-zones.xml
+++ b/Shorewall/manpages/shorewall-zones.xml
@@ -128,9 +128,9 @@
Example:#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
-a ipv4
-b ipv4
-c:a,b ipv4
+a ip
+b ip
+c:a,b ip
Currently, Shorewall uses this information to reorder the zone
list so that parent zones appear after their subzones in the list.
@@ -140,8 +140,8 @@ c:a,b ipv4
Where an ipsec zone is
explicitly included as a child of an ipv4 zone, the ruleset allows CONTINUE
- policies (explicit or implicit) to work as expected.
+ role="bold">ip zone, the ruleset allows CONTINUE policies
+ (explicit or implicit) to work as expected.In the future, Shorewall may make additional use of nesting
information.
@@ -154,7 +154,7 @@ c:a,b ipv4
- ipv4
+ ipThis is the standard Shorewall zone type and is the
@@ -162,17 +162,22 @@ c:a,b ipv4
the column. Communication with some zone hosts may be
encrypted. Encrypted hosts are designated using the 'ipsec'
option in shorewall-hosts(5).
+ url="/manpages/shorewall-hosts.html">shorewall-hosts(5).
+ For clarity, this zone type may be specified as
+ in IPv4 configurations and
+ in IPv6 configurations.
- ipsec (or ipsec4)
+ ipsecCommunication with all zone hosts is encrypted. Your
- kernel and iptables must include policy match support.
+ kernel and iptables must include policy match support. For
+ clarity, this zone type may be specified as
+ in IPv4 configurations and
+ in IPv6 configurations.
@@ -190,12 +195,13 @@ c:a,b ipv4
- bport (or bport4)
+ bportThe zone is associated with one or more ports on a
- single bridge.
+ single bridge. For clarity, this zone type may be specified as
+ in IPv4 configurations and
+ in IPv6 configurations.
@@ -424,6 +430,8 @@ c:a,b ipv4
FILES/etc/shorewall/zones
+
+ /etc/shorewall6/zones
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index a99981e70..c0d1cf3d3 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -18,14 +18,15 @@
- /etc/shorewall/shorewall.conf
+ /etc/shorewall/shorewall.conf and
+ /etc/shorewall6/shorewall6.confDescription
- This file sets options that apply to Shorewall as a whole.
+ This file sets options that apply to Shorewall[6] as a whole.The file consists of Shell comments (lines beginning with '#'),
blank lines and assignment statements
@@ -65,16 +66,13 @@
level to choose, 6 (info) is a safe bet. You may specify levels by name or
by number.
- If you have built your kernel with ULOG and/or NFLOG target support,
- you may also specify a log level of ULOG and/or NFLOG (must be all caps).
- Rather than log its messages to syslogd, Shorewall will direct netfilter
- to log the messages via the ULOG or NFLOG target which will send them to a
- process called 'ulogd'. ulogd is available with most Linux distributions
- (although it probably isn't installed by default). Ulogd is also available
- from http://www.netfilter.org/projects/ulogd/index.html
- and can be configured to log all Shorewall messages to their own log
- file.
+ If you have built your kernel with ULOG (IPv4 only) and/or NFLOG
+ target support, you may also specify a log level of ULOG and/or NFLOG
+ (must be all caps). Rather than log its messages to syslogd, Shorewall
+ will direct netfilter to log the messages via the ULOG or NFLOG target
+ which will send them to a process called 'ulogd'. ulogd is available with
+ most Linux distributions (although it probably isn't installed by
+ default).If you want to specify parameters to ULOG or NFLOG (e.g.,
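Review bot: dropping the ulogd project URL removes the only pointer to where ulogd can be obtained; if the intent was only to shorten the paragraph, consider keeping the link, since the shorewall-rules hunk earlier in this patch still references http://www.netfilter.org/projects/ulogd/index.html.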
@@ -82,7 +80,7 @@
Example:
- MACLIST_LOG_LEVEL="NFLOG(1,0,1)"
+ LOG_LEVEL="NFLOG(1,0,1)"Beginning with Shorewall 5.0.0, the log level may be followed by a
@@ -265,8 +263,9 @@
This parameter determines whether Shorewall automatically adds
the external address(es) in shorewall-nat(5). If the
- variable is set to Yes or shorewall-nat(5), and is
+ only available in IPv4 configurations. If the variable is set to
+ Yes or yes then Shorewall automatically adds these
aliases. If it is set to No or
no, you must add these aliases
@@ -293,13 +292,14 @@
This parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in shorewall-masq(5). If
- the variable is set to Yes or
- yes then Shorewall automatically
- adds these addresses. If it is set to No or no,
- you must add these addresses yourself using your distribution's
- network configuration tools.
+ url="/manpages/shorewall-masq.html">shorewall-masq(5), and
+ is only available in IPv4 configurations. If the variable is set to
+ Yes or yes then Shorewall automatically adds these
+ addresses. If it is set to No or
+ no, you must add these addresses
+ yourself using your distribution's network configuration
+ tools.If this variable is not set or is given an empty value
(ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.
@@ -379,10 +379,10 @@
role="bold">ARPTABLES=[pathname]
- Added in Shorewall 4.5.12. This parameter names the arptables
- executable to be used by Shorewall. If not specified or if specified
- as a null value, then the arptables executable located using the
- PATH option is used.
+ Added in Shorewall 4.5.12 and available in IPv4 only. This
+ parameter names the arptables executable to be used by Shorewall. If
+ not specified or if specified as a null value, then the arptables
+ executable located using the PATH option is used.Regardless of how the arptables utility is located (specified
via arptables= or located via PATH), Shorewall uses the
@@ -483,8 +483,8 @@
Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
determines whether the provider option (see
shorewall-providers(5)) is
- the default. When BALANCE_PROVIDERS=Yes, then the
+ url="/manpages/shorewall-providers.html">shorewall-providers(5))
+ is the default. When BALANCE_PROVIDERS=Yes, then the
option is assumed unless the
, ,
or option is
@@ -500,8 +500,8 @@
Added in Shorewall-4.6.0. When set to Yes, causes entries in shorewall-tcfilters(5) to
- generate a basic filter rather than a u32 filter. This setting
+ url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)
+ to generate a basic filter rather than a u32 filter. This setting
requires the Basic Ematch capability in your
kernel and iptables.
@@ -624,6 +624,11 @@
marking defined in shorewall-tcrules(5).
If not specified, CLEAR_TC=Yes is assumed.
+
+
+ When you specify TC_ENABLED=shared (see below), then you
+ should also specify CLEAR_TC=No.
+
@@ -662,17 +667,17 @@
role="bold">CONFIG_PATH=[directory[:directory]...]
- Specifies where configuration files other than shorewall.conf
- may be found. CONFIG_PATH is specifies as a list of directory names
- separated by colons (":"). When looking for a configuration
- file:
+ Specifies where configuration files other than
+ shorewall[6].conf may be found. CONFIG_PATH is specifies as a list
+ of directory names separated by colons (":"). When looking for a
+ configuration file:If the command is "try" or a "<configuration
directory>" was specified in the command (e.g.,
- shorewall check ./gateway) then the directory
- given in the command is searched first.
+ shorewall [-6] check ./gateway) then the
+ directory given in the command is searched first.
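Review bot: "CONFIG_PATH is specifies as a list of directory names" is carried over from the old text; it should read "is specified as a list of directory names".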
@@ -697,8 +702,8 @@
Added in Shorewall 4.5.12. When set to 'Yes' (the default),
DNS names are validated in the compiler and then passed on to the
- generated script where they are resolved by iptables-restore. This
- is an advantage if you use AUTOMAKE=Yes and the IP address
+ generated script where they are resolved by ip[6]tables-restore.
+ This is an advantage if you use AUTOMAKE=Yes and the IP address
associated with the DNS name is subject to change. When
DEFER_DNS_RESOLUTION=No, DNS names are converted into IP addresses
by the compiler. This has the advantage that when AUTOMAKE=Yes, the
@@ -715,7 +720,7 @@
If set to Yes (the default value), entries in the
- /etc/shorewall/rtrules files cause an 'ip rule del' command to be
+ /etc/shorewall[6]/rtrules files cause an 'ip rule del' command to be
generated in addition to an 'ip rule add' command. Setting this
option to No, causes the 'ip rule del' command to be omitted.
@@ -726,6 +731,8 @@
role="bold">Yes|No]
+ IPv4 only.
+
If set to Yes or yes, Shorewall will detect the first IP
address of the interface to the source zone and will include this
@@ -742,6 +749,8 @@
role="bold">Yes|No]
+ IPv4 only.
+
If set to Yes or yes, IPv6 traffic to, from and through the
firewall system is disabled. If set to
- Change DISABLE_IPV6=Yes to DISABLE_IPV6=No
+ Change DISABLE_IPV6=Yes to DISABLE_IPV6=No in
+ /etc/shorewall/shorewall.conf.
@@ -807,20 +817,21 @@
Added in Shorewall 4.4.7. When set to No or no,
- chain-based dynamic blacklisting using shorewall
- drop, shorewall reject,
- shorewall logdrop and shorewall
- logreject is disabled. Default is shorewall [-6] [-l]
+ drop, shorewall [-6] [-l] reject,
+ shorewall logdrop and shorewall [-6]
+ [-l] logreject is disabled. Default is Yes. Beginning with Shorewall 5.0.8,
ipset-based dynamic blacklisting using the shorewall
blacklist command is also supported. The name of the set
(setname) and the level
(log_level), if any, at which blacklisted
- traffic is to be logged may also be specified. The default set name
- is SW_DBL4 and the default log level is (no
- logging). If is given, then chain-based
- dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
- had been specified.
+ traffic is to be logged may also be specified. The default IPv4 set
+ name is SW_DBL4 and the default IPv6 set name is SW_DBL6. The
+ default log level is (no logging). If
+ is given, then chain-based dynamic
+ blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+ specified.Possible options are:
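Review bot: in the list of commands, "shorewall logdrop" is the only one not updated to "shorewall [-6] [-l] logdrop", while drop, reject and logreject were; make all four consistent.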
@@ -866,9 +877,9 @@
Once the dynamic blacklisting ipset has been created,
changing this option setting requires a complete restart of
- the firewall; shorewall restart if
- RESTART=restart, otherwise shorewall stop
- && shorewall start
+ the firewall; shorewall [-6] restart if
+ RESTART=restart, otherwise shorewall [-6] [-l] stop
+ && shorewall [-6] [-l] start
@@ -910,13 +921,15 @@ net all DROP infothen the chain name is 'net-all'
Added in Shorewall 4.4.17. When set to Yes when compiling for
- use by Shorewall Lite (shorewall load,
- shorewall reload or shorewall
+ use by Shorewall Lite (shorewall [-6]
+ remote-start, shorewall [-6] remote-reload,
+ shorewall [-6] remote-restart or shorewall [-6]
export commands), the compiler will copy the modules or
helpers file from the administrative system into the script. When
set to No or not specified, the compiler will not copy the modules
- or helpers file from /usr/share/shorewall but
- will copy those found in another location on the CONFIG_PATH.
+ or helpers file from /usr/share/shorewall[6]
+ but will copy those found in another location on the
+ CONFIG_PATH.When compiling for direct use by Shorewall, causes the
contents of the local module or helpers file to be copied into the
@@ -1114,10 +1127,12 @@ net all DROP infothen the chain name is 'net-all'
specificaitons on the right.. When INLINE_MATCHES=Yes is
specified, the specifications on the right are interpreted as if
INLINE had been specified in the ACTION column. This also applies to
- shorewall-masq(5) and
- shorewall-mangle(5) which
- also support INLINE. If not specified or if specified as the empty
- value, the value 'No' is assumed for backward compatibility.
+ shorewall-masq(5)
+ and shorewall-mangle(5)
+ which also support INLINE. If not specified or if specified as the
+ empty value, the value 'No' is assumed for backward
+ compatibility.
Beginning with Shorewall 5.0.0, it is no longer necessary to
set INLINE_MATCHES=Yes in order to be able to specify your own
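Review bot: while this paragraph is being rewrapped, the unchanged context immediately above it still contains "specificaitons on the right.." (misspelling and a doubled period); fixing it in the same change would be cheap.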
@@ -1176,9 +1191,13 @@ net all DROP infothen the chain name is 'net-all'
role="bold">Keep]
- This parameter determines whether Shorewall enables or
- disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
- Possible values are:
+ This IPv4 parameter determines whether Shorewall enables or
+ disables IPv4 Packet Forwarding
+ (/proc/sys/net/ipv4/ip_forward). In an IPv6
+ configuration, this parameter determines the setting of
+ /proc/sys/net/ipv6/config/all/ip_forwarding.
+
+ Possible values are:
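Review bot: the IPv6 sysctl path is wrong. Linux exposes IPv6 forwarding as /proc/sys/net/ipv6/conf/all/forwarding (sysctl net.ipv6.conf.all.forwarding); there is no /proc/sys/net/ipv6/config/all/ip_forwarding. Also "This IPv4 parameter determines" reads oddly now that the paragraph covers both families; "This parameter determines" is enough.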
@@ -1210,12 +1229,8 @@ net all DROP infothen the chain name is 'net-all'
-
-
-
- If this variable is not set or is given an empty value
- (IP_FORWARD="") then IP_FORWARD=On is assumed.
-
+ If this variable is not set or is given an empty value
+ (IP_FORWARD="") then IP_FORWARD=On is assumed.
@@ -1258,6 +1273,8 @@ net all DROP infothen the chain name is 'net-all'
role="bold">IPTABLES=[pathname]
+ IPv4 only.
+
This parameter names the iptables executable to be used by
Shorewall. If not specified or if specified as a null value, then
the iptables executable located using the PATH option is
@@ -1270,22 +1287,71 @@ net all DROP infothen the chain name is 'net-all'
+
+ IP6TABLES=[pathname]
+
+
+ IPv6 only.
+
+ This parameter names the ip6tables executable to be used by
+ Shorewall6. If not specified or if specified as a null value, then
+ the ip6tables executable located using the PATH option is
+ used.
+
+ Regardless of how the ip6tables utility is located (specified
+ via IP6TABLES= or located via PATH), Shorewall6 uses the
+ ip6tables-restore and ip6tables-save utilities from that same
+ directory.
+
+
+
KEEP_RT_TABLES={Yes|No}
- When set to , this option prevents
- generated scripts from altering the /etc/iproute2/rt_tables database
- when there are entries in
- /etc/shorewall/providers. If you set this
- option to while Shorewall (Shorewall-lite) is
- running, you should remove the file
- /var/lib/shorewall/rt_tables
- (/var/lib/shorewall-lite/rt_tables) before your
- next stop, refresh,
- restore, reload
- or restart command.
+ IPv4:
+
+
+ When set to , this option prevents
+ generated scripts from altering the /etc/iproute2/rt_tables
+ database when there are entries in
+ /etc/shorewall/providers. If you set this
+ option to while Shorewall (Shorewall-lite) is
+ running, you should remove the file
+ /var/lib/shorewall/rt_tables
+ (/var/lib/shorewall-lite/rt_tables) before
+ your next stop, refresh,
+ restore, reload or restart
+ command.
+
+
+ IPv6:
+
+
+ When set to , this option prevents
+ scripts generated by Shorewall6 from altering the
+ /etc/iproute2/rt_tables database when there are entries in
+ /etc/shorewall6/providers. If you set this
+ option to while Shorewall6 (Shorewall6-lite)
+ is running, you should remove the file
+ /var/lib/shorewall6/rt_tables
+ (/var/lib/shorewall6-lite/rt_tables) before
+ your next stop, refresh,
+ restore, reload or restart
+ command.
+
+
+
+ When both IPv4 and IPv6 Shorewall configurations are
+ present, KEEP_RT_TABLES=No should be specified in only one of the
+ two configurations unless the two provider configurations are
+ identical with respect to interface and provider names and
+ numbers.
+ The default is KEEP_RT_TABLES=No.
@@ -1298,9 +1364,9 @@ net all DROP infothen the chain name is 'net-all'
Added in Shorewall 4.4.7. When set to Yes, restricts the set
of modules loaded by shorewall to those listed in
- /var/lib/shorewall/helpers and those that are actually used. When
- not set, or set to the empty value, LOAD_HELPERS_ONLY=No is
- assumed.
+ /var/lib/shorewall[6]/helpers and those that
+ are actually used. When not set, or set to the empty value,
+ LOAD_HELPERS_ONLY=No is assumed.
@@ -1309,11 +1375,11 @@ net all DROP infothen the chain name is 'net-all'
role="bold">LOCKFILE=[pathname]
- Specifies the name of the Shorewall lock file, used to prevent
- simultaneous state-changing commands. If not specified,
- ${VARDIR}/shorewall/lock is assumed (${VARDIR} is normally /var/lib
- but can be changed when Shorewall-core is installed -- see the
- output of shorewall show vardir).
+ Specifies the name of the Shorewall[6] lock file, used to
+ prevent simultaneous state-changing commands. If not specified,
+ ${VARDIR}/shorewall[6]/lock is assumed (${VARDIR} is normally
+ /var/lib but can be changed when Shorewall-core is installed -- see
+ the output of shorewall show vardir).
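Review bot: "see the output of shorewall show vardir" should become "shorewall [-6] show vardir" now that the paragraph covers Shorewall[6], matching the "shorewall [-6] show mangle" form used in the MARK_IN_FORWARD_CHAIN hunk of this same patch.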
@@ -1341,6 +1407,8 @@ net all DROP infothen the chain name is 'net-all'
ULOG
+ IPv4 only.
+
Use ULOG logging to ulogd.
@@ -1365,8 +1433,8 @@ net all DROP infothen the chain name is 'net-all'
sample configurations use this as the default log level and changing
it will change all packet logging done by the configuration. In any
configuration file (except shorewall-params(5)), $LOG_LEVEL
- will expand to this value.
+ url="/manpages/shorewall-params.html">shorewall-params(5)),
+ $LOG_LEVEL will expand to this value.
@@ -1376,6 +1444,8 @@ net all DROP infothen the chain name is 'net-all'
role="bold">No|Keep]
+ IPv4 only.
+
If set to Yes or yes, sets
/proc/sys/net/ipv4/conf/*/log_martians to 1
@@ -1523,7 +1593,9 @@ net all DROP infothen the chain name is 'net-all'
Beginning with Shorewall 5.1.0, the default and sample
- shorewall.conf files set LOGFORMAT="%s %s ". Shorewall log
+ shorewall[6].conf files set LOGFORMAT="%s %s ".
+
+ Regardless of the LOGFORMAT setting, Shorewall IPv4 log
messages that use this LOGFORMAT can be uniquely identified using
the following regular expression:
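Review bot: The inserted sentence contradicts the unchanged text that follows it: "Regardless of the LOGFORMAT setting, Shorewall IPv4 log messages that use this LOGFORMAT can be uniquely identified" both ignores and requires the LOGFORMAT. Since the pattern on the next lines matches only the kernel-generated IN=/OUT=/SRC=/DST= fields and not the prefix, the qualifier "that use this LOGFORMAT" is the part to drop, e.g. "Regardless of the LOGFORMAT setting, Shorewall IPv4 log messages can be uniquely identified using the following regular expression:".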
@@ -1531,8 +1603,15 @@ net all DROP infothen the chain name is 'net-all'
'IN=.* OUT=.* SRC=.*\..* DST='
- To match all Netfilter log messages (Both IPv4 and IPv6),
- use:
+ and Shorewall IPv6 log messages can be uniquely identified
+ using the following regular expression:
+
+
+ 'IN=.* OUT=.* SRC=.*:.* DST='
+
+
+ To match all Netfilter log messages (Both IPv4 and IPv6 and
+ regardless of the LOGFORMAT setting), use:'IN=.* OUT=.* SRC=.* DST='
@@ -1625,7 +1704,7 @@ LOG:info:,bar net fw
A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require
- AUDIT_TARGET in the kernel and iptables.
+ AUDIT_TARGET in the kernel and ip[6]tables.
@@ -1668,7 +1747,7 @@ LOG:info:,bar net fw
entries in shorewall-maclist(5)
can be improved by setting the MACLIST_TTL variable in shorewall.conf(5).
+ url="/manpages/shorewall.conf.html">shorewall[6].conf(5).
If your iptables and kernel support the "Recent Match" (see
the output of "shorewall check" near the top), you can cache the
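Review bot: The unchanged context two lines below the edit still says "If your iptables and kernel support the "Recent Match" (see the output of "shorewall check" ...)". For consistency with the ip[6]tables wording introduced in the A_DROP hunk and the shorewall [-6] command form used elsewhere in this patch, this should read "ip[6]tables" and "shorewall [-6] check".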
@@ -1710,6 +1789,8 @@ LOG:info:,bar net fw
role="bold">Yes|No]
+ IPv4 only.
+
This option is included for compatibility with old Shorewall
configuration. New installs should always have
MAPOLDACTIONS=No.
@@ -1740,11 +1821,11 @@ LOG:info:,bar net fw
PREROUTING chain. This permits you to mark inbound traffic based on
its destination address when DNAT is in use. To determine if your
kernel has a FORWARD chain in the mangle table, use the shorewall show mangle command; if a FORWARD
- chain is displayed then your kernel will support this option. If
- this option is not specified or if it is given the empty value
- (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
- assumed.
+ role="bold">shorewall [-6] show mangle command; if a
+ FORWARD chain is displayed then your kernel will support this
+ option. If this option is not specified or if it is given the empty
+ value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
+ is assumed.
@@ -1826,7 +1907,8 @@ LOG:info:,bar net fw
"/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
where uname holds the output of
'uname -r' and g_family holds '4'.
+ role="bold">g_family holds '4' in IPv4 configurations and
+ '6' in IPv6 configurations.
The option plus sign ('+') was added in Shorewall 5.0.3 and
causes the listed pathnames to be appended to the default list
@@ -1839,6 +1921,8 @@ LOG:info:,bar net fw
role="bold">Yes|No]
+ IPv4 only.
+
This option will normally be set to 'No' (the default). It
should be set to 'Yes' under the following circumstances:
@@ -1865,17 +1949,18 @@ LOG:info:,bar net fw
The value of this variable determines the number of seconds
- that programs will wait for exclusive access to the Shorewall lock
- file. After the number of seconds corresponding to the value of this
- variable, programs will assume that the last program to hold the
- lock died without releasing the lock.
+ that programs will wait for exclusive access to the Shorewall[6]
+ lock file. After the number of seconds corresponding to the value of
+ this variable, programs will assume that the last program to hold
+ the lock died without releasing the lock.If not set or set to the empty value, a value of 60 (60
seconds) is assumed.An appropriate value for this parameter would be twice the
length of time that it takes your firewall system to process a
- shorewall restart command.
+ shorewall [-6] restart
+ command.
@@ -1899,6 +1984,8 @@ LOG:info:,bar net fw
role="bold">prohibit]
+ IPv4 only.
+
When set to Yes, causes Shorewall to null-route the IPv4
address ranges reserved by RFC1918. The default value is
'No'.
@@ -1935,12 +2022,11 @@ LOG:info:,bar net fw
Optimization category 1 - Traditionally, Shorewall has
- created rules for the complete matrix of
- host groups defined by the zones, interfaces and hosts
- files. Any traffic that didn't correspond to an element
- of that matrix was rejected in one of the built-in chains. When
- the matrix is sparse, this results in lots of largely useless
- rules.
+ created rules for the complete matrix of host groups defined by
+ the zones, interfaces and hosts files. Any traffic that didn't
+ correspond to an element of that matrix was rejected in one of
+ the built-in chains. When the matrix is sparse, this results in
+ lots of largely useless rules.
These extra rules can be eliminated by setting the 1 bit
in OPTIMIZE.
@@ -2316,7 +2402,7 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
if the protocol is UDP (17) then the packet is rejected
- with an 'port-unreachable' ICMP (ICMP6).
+ with an 'port-unreachable' ICMP.
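Review bot: Dropping "(ICMP6)" from the UDP bullet makes it read as IPv4-only, yet the following hunk adds an ICMP6 bullet, so the list is clearly meant to describe both families. ip6tables' REJECT target answers UDP with icmp6-port-unreachable by default, so the IPv6 case is real and should stay documented; suggest "with a 'port-unreachable' ICMP (IPv4) or ICMP6 (IPv6)" rather than removing the parenthetical. The article is also wrong in the unchanged text ("an 'port-unreachable'" should be "a").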
@@ -2324,6 +2410,11 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
with a 'host-unreachable' ICMP.
+
+ if the protocol is ICMP6 (1) then the packet is rejected
+ with a 'icmp6-addr-unreachable' ICMP6.
+
+
otherwise, the packet is rejected with a 'host-prohibited'
ICMP.
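Review bot: The protocol number in the new bullet is wrong: IPv6-ICMP is IP protocol 58, not 1 (1 is IPv4 ICMP, the protocol of the preceding 'host-unreachable' bullet). It should read "if the protocol is ICMP6 (58) then the packet is rejected with an 'icmp6-addr-unreachable' ICMP6" (also "a" to "an"). The unchanged "otherwise ... 'host-prohibited' ICMP" bullet now sits in a list that covers both families but describes only IPv4; ip6tables has no host-prohibited reject type (its administrative equivalent is icmp6-adm-prohibited), so the IPv6 fallback should be stated explicitly.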
@@ -2333,11 +2424,12 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
You can modify this behavior by implementing your own
action that handles REJECT and specifying
it's name in this option. The nolog
- and inline options will
+ and noinline options will
automatically be assumed for the specified
action.
- The following action implements the standard behavior:
+ The following action implements the default reject
+ action:?format 2
#TARGET SOURCE DEST PROTO
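Review bot: The unchanged line "specifying it's name in this option" should be "its name"; since the surrounding lines are being touched anyway, fix the typo here. The change from "inline" to "noinline" alters the documented semantics of what is assumed for a custom REJECT action, so the commit message (or this hunk) should say whether this corrects a long-standing doc error or reflects a behaviour change in the compiler.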
@@ -2437,10 +2529,10 @@ INLINE - - - ;; -j REJECT
Specifies the simple name of a file in /var/lib/shorewall to
be used as the default restore script in the shorewall save, shorewall restore, shorewall forget and shorewall -f start commands.
+ role="bold">shorewall [-6] save, shorewall [-6] restore, shorewall [-6] forget and shorewall [6] -f start commands.
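Review bot: Typo in the new line: the fourth command is written "shorewall [6] -f start" while the three before it use "shorewall [-6] ..."; it should be "shorewall [-6] -f start". The unchanged lead-in "simple name of a file in /var/lib/shorewall" should also become "/var/lib/shorewall[6]" to match the "/var/lib/shorewall[6]/helpers" form adopted in the LOAD_HELPERS_ONLY hunk.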
@@ -2449,6 +2541,8 @@ INLINE - - - ;; -j REJECT
role="bold">Yes|No}
+ IPv4 only.
+
During shorewall start, IP
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall
start are still deleted at a subsequent shorewall stop, shorewall [stop, shorewall reload or shorewall restart.
@@ -3150,6 +3244,8 @@ INLINE - - - ;; -j REJECT
FILES/etc/shorewall/shorewall.conf
+
+ /etc/shorewall6/shorewall6.conf
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 89177e02a..04d04086e 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -1934,6 +1934,27 @@ SSH(ACCEPT) net:$MYIP $FW
init extension script, then the value 255 is
assumed.
+
+
+ Care must be exercised when using port variables in port ranges.
+ At run-time, the generated script will verify that each port variable is
+ either empty or contains a valid port number or service name. It does
+ not ensure that the low port number in a range is strictly less than the
+ high port number, when either of these is specified as a port
+ variable.
+
+ Example: The following definitions will result in an
+ iptables-restore failure during start/restart/reload:
+
+ /etc/shorewall/init:
+
+ LOW_PORT=100
+ HIGH_PORT=50
+
+ /etc/shorewall/rules:
+
+ ACCEPT net $FW tcp ${LOW_PORT}:${HIGH_PORT}
+