extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 01:37:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Consolidate manpages between Shorewall and Shorewall6

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-06-16 15:01:41 -07:00
parent 62a60ad995
commit d8ef934f24
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
35 changed files with 1075 additions and 382 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/manpages/shorewall-accounting.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/accounting</command> <command>/etc/shorewall[6]/accounting</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -783,6 +783,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/accounting</para> <para>/etc/shorewall/accounting</para>
<para>/etc/shorewall6/accounting</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

20
Shorewall/manpages/shorewall-actions.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/actions</command> <command>/etc/shorewall[6]/actions</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -148,8 +148,8 @@
<listitem> <listitem>
<para>Added in Shorewall 5.0.7. Specifies that this action is <para>Added in Shorewall 5.0.7. Specifies that this action is
to be used in <ulink to be used in <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> rather url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
than <ulink rather than <ulink
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para> url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -160,11 +160,11 @@
<listitem> <listitem>
<para>Added in Shorewall 5.0.13. Specifies that this action is <para>Added in Shorewall 5.0.13. Specifies that this action is
to be used in <ulink to be used in <ulink
url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink> rather url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink>
than <ulink rather than <ulink
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>. The url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.
<option>mangle</option> and <option>nat</option> options are The <option>mangle</option> and <option>nat</option> options
mutually exclusive.</para> are mutually exclusive.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -206,7 +206,7 @@
<para>Given that neither the <filename>snat</filename> nor the <para>Given that neither the <filename>snat</filename> nor the
<filename>mangle</filename> file is sectioned, this parameter <filename>mangle</filename> file is sectioned, this parameter
has no effect when <option>mangle</option> or has no effect when <option>mangle</option> or
<option>nat</option> is specified. </para> <option>nat</option> is specified.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -239,6 +239,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/actions</para> <para>/etc/shorewall/actions</para>
<para>/etc/shorewall6/actions</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

55
Shorewall/manpages/shorewall-blrules.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/blrules</command> <command>/etc/shorewall[6]/blrules</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -27,12 +27,9 @@
<para>This file is used to perform blacklisting and whitelisting.</para> <para>This file is used to perform blacklisting and whitelisting.</para>
<para>Rules in this file are applied depending on the setting of <para>Rules in this file are applied depending on the setting of BLACKLIST
BLACKLISTNEWONLY in <ulink in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
connections in the NEW and INVALID states.</para>
<para>The format of rules in this file is the same as the format of rules <para>The format of rules in this file is the same as the format of rules
in <ulink url="/manpages/shorewall-rules.html">shorewall-rules in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
@ -118,10 +115,10 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>A_DROP and A_DROP!</term> <term>A_DROP</term>
<listitem> <listitem>
<para>Audited versions of DROP. Requires AUDIT_TARGET support <para>Audited version of DROP. Requires AUDIT_TARGET support
in the kernel and ip6tables.</para> in the kernel and ip6tables.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -276,11 +273,11 @@
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>Example</title> <title>Examples</title>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Example 1:</term> <term>IPv4 Example 1:</term>
<listitem> <listitem>
<para>Drop Teredo packets from the net.</para> <para>Drop Teredo packets from the net.</para>
@ -290,7 +287,28 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 2:</term> <term>IPv4 Example 2:</term>
<listitem>
<para>Don't subject packets from 2001:DB8::/64 to the remaining
rules in the file.</para>
<programlisting>WHITELIST net:[2001:DB8::/64] all</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>Drop Teredo packets from the net.</para>
<programlisting>DROP net:[2001::/32] all</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 2:</term>
<listitem> <listitem>
<para>Don't subject packets from 2001:DB8::/64 to the remaining <para>Don't subject packets from 2001:DB8::/64 to the remaining
@ -306,6 +324,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/blrules</para> <para>/etc/shorewall/blrules</para>
<para>/etc/shorewall6/blrules</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
@ -319,10 +339,11 @@
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5), shorewall-mangle(5) shorewall6-netmap(5),shorewall-params(5),
shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-policy(5), shorewall-providers(5), shorewall-rtrules(5),
shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), shorewall-secmarks(5), shorewall-snat(5),shorewall-tcclasses(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

44
Shorewall/manpages/shorewall-conntrack.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/conntrack</command> <command>/etc/shorewall[6]/conntrack</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -35,7 +35,7 @@
<emphasis role="bold">conntrack</emphasis>.</para> <emphasis role="bold">conntrack</emphasis>.</para>
<para>The file supports three different column layouts: FORMAT 1, FORMAT <para>The file supports three different column layouts: FORMAT 1, FORMAT
2, and FORMAT 3, FORMAT 1 being the default. The three differ as 2, and FORMAT 3 with FORMAT 1 being the default. The three differ as
follows:</para> follows:</para>
<itemizedlist> <itemizedlist>
@ -311,9 +311,9 @@
<listitem> <listitem>
<para><option>ULOG</option></para> <para><option>ULOG</option></para>
<para>Added in Shoreawll 4.6.0. Queues the packet to a backend <para>IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
logging daemon using the ULOG netfilter target with the a backend logging daemon using the ULOG netfilter target with
specified <replaceable>ulog-parameters</replaceable>.</para> the specified <replaceable>ulog-parameters</replaceable>.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -689,31 +689,57 @@
<refsect1> <refsect1>
<title>EXAMPLE</title> <title>EXAMPLE</title>
<para>Example 1:</para> <para>IPv4 Example 1:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting> CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
<para>Example 2 (Shorewall 4.5.10 or later):</para> <para>IPv4 Example 2 (Shorewall 4.5.10 or later):</para>
<para>Drop traffic to/from all zones to IP address 1.2.3.4</para> <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
<programlisting>FORMAT 2 <programlisting>?FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER #ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP all-:1.2.3.4 - DROP all-:1.2.3.4 -
DROP all 1.2.3.4</programlisting> DROP all 1.2.3.4</programlisting>
<para>or<programlisting>FORMAT 3 <para>or<programlisting>?FORMAT 3
#ACTION SOURCE DEST PROTO DPORT SPORT USER #ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP:P 1.2.3.4 - DROP:P 1.2.3.4 -
DROP:PO - 1.2.3.4 DROP:PO - 1.2.3.4
</programlisting></para> </programlisting></para>
<para>IPv6 Example 1:</para>
<para>Use the FTP helper for TCP port 21 connections from the firewall
itself.</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
<para>IPv6 Example 2 (Shorewall 4.5.10 or later):</para>
<para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP all-:2001:1.2.3::4 -
DROP all 2001:1.2.3::4
</programlisting>
<para>or<programlisting>FORMAT 3
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP:P 2001:1.2.3::4 -
DROP:PO - 2001:1.2.3::4</programlisting></para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/conntrack</para> <para>/etc/shorewall/conntrack</para>
<para>/etc/shorewall6/conntrack</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

4
Shorewall/manpages/shorewall-ecn.xml
View File

@ -26,7 +26,9 @@
<title>Description</title> <title>Description</title>
<para>Use this file to list the destinations for which you want to disable <para>Use this file to list the destinations for which you want to disable
ECN (Explicit Congestion Notification).</para> ECN (Explicit Congestion Notification). Use of this file is deprecated in
favor of ECN rules in <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(8).</para>
<para>The columns in the file are as follows.</para> <para>The columns in the file are as follows.</para>

19
Shorewall/manpages/shorewall-exclusion.xml
View File

@ -49,9 +49,10 @@
<para>Beginning in Shorewall 4.4.13, the second form of exclusion is <para>Beginning in Shorewall 4.4.13, the second form of exclusion is
allowed after <emphasis role="bold">all</emphasis> and <emphasis allowed after <emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> in the SOURCE and DEST columns of role="bold">any</emphasis> in the SOURCE and DEST columns of <ulink
/etc/shorewall/rules. It allows you to omit arbitrary zones from the list url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5). It allows
generated by those key words.</para> you to omit arbitrary zones from the list generated by those key
words.</para>
<warning> <warning>
<para>If you omit a sub-zone and there is an explicit or explicit <para>If you omit a sub-zone and there is an explicit or explicit
@ -117,7 +118,7 @@ ACCEPT all!z2 net tcp 22</programlisting>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Example 1 - All IPv4 addresses except 192.168.3.4</term> <term>IPv4 Example 1 - All IPv4 addresses except 192.168.3.4</term>
<listitem> <listitem>
<para>!192.168.3.4</para> <para>!192.168.3.4</para>
@ -125,8 +126,8 @@ ACCEPT all!z2 net tcp 22</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24 <term>IPv4 Example 2 - All IPv4 addresses except the network
and the host 10.2.3.4</term> 192.168.1.0/24 and the host 10.2.3.4</term>
<listitem> <listitem>
<para>!192.168.1.0/24,10.1.3.4</para> <para>!192.168.1.0/24,10.1.3.4</para>
@ -134,7 +135,7 @@ ACCEPT all!z2 net tcp 22</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 3 - All IPv4 addresses except the range <term>IPv4 Example 3 - All IPv4 addresses except the range
192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term> 192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term>
<listitem> <listitem>
@ -143,8 +144,8 @@ ACCEPT all!z2 net tcp 22</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3 <term>IPv4 Example 4 - The network 192.168.1.0/24 except hosts
and 192.168.1.9</term> 192.168.1.3 and 192.168.1.9</term>
<listitem> <listitem>
<para>192.168.1.0/24!192.168.1.3,192.168.1.9</para> <para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>

4
Shorewall/manpages/shorewall-hosts.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/hosts</command> <command>/etc/shorewall[6]/hosts</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -270,6 +270,8 @@ vpn ppp+:192.168.3.0/24</programlisting></para>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/hosts</para> <para>/etc/shorewall/hosts</para>
<para>/etc/shorewall6/hosts</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

95
Shorewall/manpages/shorewall-interfaces.xml
View File

@ -199,11 +199,12 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term> <term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
<listitem> <listitem>
<para>If specified, this interface will only respond to ARP <para>IPv4 only. If specified, this interface will only
who-has requests for IP addresses configured on the interface. respond to ARP who-has requests for IP addresses configured on
If not specified, the interface can respond to ARP who-has the interface. If not specified, the interface can respond to
requests for IP addresses on any of the firewall's interface. ARP who-has requests for IP addresses on any of the firewall's
The interface must be up when Shorewall is started.</para> interface. The interface must be up when Shorewall is
started.</para>
<para>Only those interfaces with the <para>Only those interfaces with the
<option>arp_filter</option> option will have their setting <option>arp_filter</option> option will have their setting
@ -225,8 +226,8 @@ loc eth2 -</programlisting>
role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term> role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>
<listitem> <listitem>
<para>If specified, this interface will respond to arp <para>IPv4 only. If specified, this interface will respond to
requests based on the value of <emphasis>number</emphasis> arp requests based on the value of <emphasis>number</emphasis>
(defaults to 1).</para> (defaults to 1).</para>
<para>1 - reply only if the target IP address is local address <para>1 - reply only if the target IP address is local address
@ -411,8 +412,8 @@ loc eth2 -</programlisting>
<listitem> <listitem>
<para>the interface is a <ulink <para>the interface is a <ulink
url="/SimpleBridge.html">simple bridge</ulink> with a url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
DHCP server on one port and DHCP clients on another server on one port and DHCP clients on another
port.</para> port.</para>
<note> <note>
@ -467,15 +468,15 @@ loc eth2 -</programlisting>
role="bold">logmartians[={0|1}]</emphasis></term> role="bold">logmartians[={0|1}]</emphasis></term>
<listitem> <listitem>
<para>Turn on kernel martian logging (logging of packets with <para>IPv4 only. Turn on kernel martian logging (logging of
impossible source addresses. It is strongly suggested that if packets with impossible source addresses. It is strongly
you set <emphasis role="bold">routefilter</emphasis> on an suggested that if you set <emphasis
interface that you also set <emphasis role="bold">routefilter</emphasis> on an interface that you
role="bold">logmartians</emphasis>. Even if you do not specify also set <emphasis role="bold">logmartians</emphasis>. Even if
the <option>routefilter</option> option, it is a good idea to you do not specify the <option>routefilter</option> option, it
specify <option>logmartians</option> because your distribution is a good idea to specify <option>logmartians</option> because
may have enabled route filtering without you knowing your distribution may have enabled route filtering without you
it.</para> knowing it.</para>
<para>Only those interfaces with the <para>Only those interfaces with the
<option>logmartians</option> option will have their setting <option>logmartians</option> option will have their setting
@ -576,8 +577,8 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">nosmurfs</emphasis></term> <term><emphasis role="bold">nosmurfs</emphasis></term>
<listitem> <listitem>
<para>Filter packets for smurfs (packets with a broadcast <para>IPv4 only. Filter packets for smurfs (packets with a
address as the source).</para> broadcast address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of <para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink SMURF_LOG_LEVEL in <ulink
@ -596,9 +597,9 @@ loc eth2 -</programlisting>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>a <filename <para>a <filename
class="directory">/proc/sys/net/ipv4/conf/</filename> class="directory">/proc/sys/net/ipv[46]/conf/</filename>
entry for the interface cannot be modified (including for entry for the interface cannot be modified (including for
proxy ARP).</para> proxy ARP or proxy NDP).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -638,7 +639,7 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term> <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
<listitem> <listitem>
<para>Sets <para>IPv4 only. Sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp. /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
Do NOT use this option if you are employing Proxy ARP through Do NOT use this option if you are employing Proxy ARP through
entries in <ulink entries in <ulink
@ -659,6 +660,24 @@ loc eth2 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
<listitem>
<para>IPv6 only. Sets
/proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
<para><emphasis role="bold">Note</emphasis>: This option does
not work with a wild-card <replaceable>interface</replaceable>
name (e.g., eth0.+) in the INTERFACE column.</para>
<para>Only those interfaces with the <option>proxyndp</option>
option will have their setting changed; the value assigned to
the setting will be the value specified (if any) or 1 if no
value is given.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">required</emphasis></term> <term><emphasis role="bold">required</emphasis></term>
@ -700,8 +719,8 @@ loc eth2 -</programlisting>
role="bold">routefilter[={0|1|2}]</emphasis></term> role="bold">routefilter[={0|1|2}]</emphasis></term>
<listitem> <listitem>
<para>Turn on kernel route filtering for this interface <para>IPv4 only. Turn on kernel route filtering for this
(anti-spoofing measure).</para> interface (anti-spoofing measure).</para>
<para>Only those interfaces with the <para>Only those interfaces with the
<option>routefilter</option> option will have their setting <option>routefilter</option> option will have their setting
@ -886,10 +905,13 @@ loc eth2 -</programlisting>
role="bold">routefilter</emphasis></member> role="bold">routefilter</emphasis></member>
<member><emphasis <member><emphasis
role="bold">sourceroute</emphasis></member> role="bold">proxyarp</emphasis></member>
<member><emphasis <member><emphasis
role="bold">proxyndp</emphasis></member> role="bold">proxyudp</emphasis></member>
<member><emphasis
role="bold">sourceroute</emphasis></member>
</simplelist> </simplelist>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -902,7 +924,9 @@ loc eth2 -</programlisting>
<listitem> <listitem>
<para>Incoming requests from this interface may be remapped <para>Incoming requests from this interface may be remapped
via UPNP (upnpd). See <ulink via UPNP (upnpd). See <ulink
url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para> url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.
Supported in IPv4 and in IPv6 in Shorewall 5.1.4 and
later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -916,7 +940,8 @@ loc eth2 -</programlisting>
causes Shorewall to detect the default gateway through the causes Shorewall to detect the default gateway through the
interface and to accept UDP packets from that gateway. Note interface and to accept UDP packets from that gateway. Note
that, like all aspects of UPnP, this is a security hole so use that, like all aspects of UPnP, this is a security hole so use
this option at your own risk.</para> this option at your own risk. Supported in IPv4 and in IPv6 in
Shorewall 5.1.4 and later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -943,7 +968,7 @@ loc eth2 -</programlisting>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Example 1:</term> <term>IPv4 Example 1:</term>
<listitem> <listitem>
<para>Suppose you have eth0 connected to a DSL modem and eth1 <para>Suppose you have eth0 connected to a DSL modem and eth1
@ -956,7 +981,7 @@ loc eth2 -</programlisting>
<para>Your entries for this setup would look like:</para> <para>Your entries for this setup would look like:</para>
<programlisting>FORMAT 1 <programlisting>?FORMAT 1
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.191.149.223 dhcp net eth0 206.191.149.223 dhcp
loc eth1 192.168.1.255 loc eth1 192.168.1.255
@ -971,7 +996,7 @@ dmz eth2 192.168.2.255</programlisting>
<para>The same configuration without specifying broadcast addresses <para>The same configuration without specifying broadcast addresses
is:</para> is:</para>
<programlisting>FORMAT 2 <programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS #ZONE INTERFACE OPTIONS
net eth0 dhcp net eth0 dhcp
loc eth1 loc eth1
@ -986,7 +1011,7 @@ dmz eth2</programlisting>
<para>You have a simple dial-in system with no Ethernet <para>You have a simple dial-in system with no Ethernet
connections.</para> connections.</para>
<programlisting>FORMAT 2 <programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS #ZONE INTERFACE OPTIONS
net ppp0 -</programlisting> net ppp0 -</programlisting>
</listitem> </listitem>
@ -999,7 +1024,7 @@ net ppp0 -</programlisting>
<para>You have a bridge with no IP address and you want to allow <para>You have a bridge with no IP address and you want to allow
traffic through the bridge.</para> traffic through the bridge.</para>
<programlisting>FORMAT 2 <programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS #ZONE INTERFACE OPTIONS
- br0 bridge</programlisting> - br0 bridge</programlisting>
</listitem> </listitem>
@ -1011,6 +1036,8 @@ net ppp0 -</programlisting>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/interfaces</para> <para>/etc/shorewall/interfaces</para>
<para>/etc/shorewall6/interfaces</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

20
Shorewall/manpages/shorewall-ipsets.xml
View File

@ -251,21 +251,39 @@
<para>/etc/shorewall/accounting</para> <para>/etc/shorewall/accounting</para>
<para>/etc/shorewall6/accounting</para>
<para>/etc/shorewall/blrules</para> <para>/etc/shorewall/blrules</para>
<para>/etc/shorewall6/blrules</para>
<para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis> <para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para> Multiple matches enclosed in +[...] may not be used in this file.</para>
<para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para>
<para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis> <para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para> Multiple matches enclosed in +[...] may not be used in this file.</para>
<para>/etc/shorewall/masq</para> <para>/etc/shorewall6/maclist -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para>
<para>/etc/shorewall/rules</para> <para>/etc/shorewall/rules</para>
<para>/etc/shorewall6/rules</para>
<para>/etc/shorewall/secmarks</para> <para>/etc/shorewall/secmarks</para>
<para>/etc/shorewall6/secmarks</para>
<para>/etc/shorewall/mangle</para> <para>/etc/shorewall/mangle</para>
<para>/etc/shorewall6/mangle</para>
<para>/etc/shorewall/snat</para>
<para>/etc/shorewall6/snat</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

4
Shorewall/manpages/shorewall-maclist.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/maclist</command> <command>/etc/shorewall[6]/maclist</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -97,6 +97,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/maclist</para> <para>/etc/shorewall/maclist</para>
<para>/etc/shorewall6/maclist</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

75
Shorewall/manpages/shorewall-mangle.xml
View File

@ -18,31 +18,17 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/mangle</command> <command>/etc/shorewall[6]/mangle</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>This file was introduced in Shorewall 4.6.0 and is intended to <para>This file was introduced in Shorewall 4.6.0 and replaces <ulink
replace <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
file is only processed by the compiler if:</para> file is only processed by the compiler if:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
or</para>
</listitem>
<listitem>
<para>The first file named 'tcrules' found on the CONFIG_PATH contains
no non-commentary entries.</para>
</listitem>
</orderedlist>
<para>Entries in this file cause packets to be marked as a means of <para>Entries in this file cause packets to be marked as a means of
classifying them for traffic control or policy routing.</para> classifying them for traffic control or policy routing.</para>
@ -117,9 +103,7 @@
SOURCE is $FW, the generated rule is always placed in the OUTPUT SOURCE is $FW, the generated rule is always placed in the OUTPUT
chain. If DEST is '$FW', then the rule is placed in the INPUT chain. chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
Additionally, a <replaceable>chain-designator</replaceable> may not Additionally, a <replaceable>chain-designator</replaceable> may not
be specified in an action body unless the action is declared as be specified in an action body.</para>
<option>inline</option> in <ulink
url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
<para>Where a command takes parameters, those parameters are <para>Where a command takes parameters, those parameters are
enclosed in parentheses ("(....)") and separated by commas.</para> enclosed in parentheses ("(....)") and separated by commas.</para>
@ -365,8 +349,9 @@ DIVERTHA - - tcp</programlisting>
<listitem> <listitem>
<para>Added in Shorewall 5.0.6 as an alternative to entries in <para>Added in Shorewall 5.0.6 as an alternative to entries in
<ulink url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a <ulink
PROTO is specified, it must be 'tcp' (6). If no PROTO is url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>.
If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
supplied, TCP is assumed. This action causes all ECN bits in supplied, TCP is assumed. This action causes all ECN bits in
the TCP header to be cleared.</para> the TCP header to be cleared.</para>
</listitem> </listitem>
@ -915,7 +900,8 @@ Normal-Service =&gt; 0x00</programlisting>
Matches packets leaving the firewall through the named Matches packets leaving the firewall through the named
interface. May not be used in the PREROUTING chain (:P in the interface. May not be used in the PREROUTING chain (:P in the
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
in <ulink url="/manpages/shorewall.conf">shorewall.conf</ulink> in <ulink
url="/manpages/shorewall.conf">shorewall.conf</ulink>
(5)).</para> (5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1543,7 +1529,7 @@ Normal-Service =&gt; 0x00</programlisting>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Example 1:</term> <term>IPv4 Example 1:</term>
<listitem> <listitem>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
@ -1572,7 +1558,7 @@ Normal-Service =&gt; 0x00</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 2:</term> <term>IPv4 Example 2:</term>
<listitem> <listitem>
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@ -1584,12 +1570,41 @@ Normal-Service =&gt; 0x00</programlisting>
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
/etc/shorewall/masq: /etc/shorewall/snat:
#INTERFACE SOURCE ADDRESS ... #ACTION SOURCE DEST ...
eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C SNAT(1.1.1.1) eth0:192.168.1.0/24 - { mark=1:C }
eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C SNAT(1.1.1.3) eth0:192.168.1.0/24 - { mark=2:C }
eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting> SNAT(1.1.1.4) eth0:192.168.1.0/24 - { mark=3:C }</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
to peer traffic with packet mark 4.</para>
<para>This is a little more complex than otherwise expected. Since
the ipp2p module is unable to determine all packets in a connection
are P2P packets, we mark the entire connection as P2P if any of the
packets are determined to match.</para>
<para>We assume packet/connection mark 0 means unclassified.</para>
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(1):T ::/0 ::/0 icmp echo-request
MARK(1):T ::/0 ::/0 icmp echo-reply
RESTORE:T ::/0 ::/0 all - - - 0
CONTINUE:T ::/0 ::/0 all - - - !0
MARK(4):T ::/0 ::/0 ipp2p:all
SAVE:T ::/0 ::/0 all - - - !0</programlisting>
<para>If a packet hasn't been classified (packet mark is 0), copy
the connection mark to the packet mark. If the packet mark is set,
we're done. If the packet is P2P, set the packet mark to 4. If the
packet mark has been set, save it to the connection mark.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -1599,6 +1614,8 @@ Normal-Service =&gt; 0x00</programlisting>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/mangle</para> <para>/etc/shorewall/mangle</para>
<para>/etc/shorewall6/mangle</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

63
Shorewall/manpages/shorewall-masq.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/masq</command> <command>/etc/shorewall[6]/masq</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -579,7 +579,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Example 1:</term> <term>IPv4 Example 1:</term>
<listitem> <listitem>
<para>You have a simple masquerading setup where eth0 connects to a <para>You have a simple masquerading setup where eth0 connects to a
@ -594,7 +594,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 2:</term> <term>IPv4 Example 2:</term>
<listitem> <listitem>
<para>You add a router to your local network to connect subnet <para>You add a router to your local network to connect subnet
@ -607,7 +607,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 3:</term> <term>IPv4 Example 3:</term>
<listitem> <listitem>
<para>You have an IPSEC tunnel through ipsec0 and you want to <para>You have an IPSEC tunnel through ipsec0 and you want to
@ -620,7 +620,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 4:</term> <term>IPv4 Example 4:</term>
<listitem> <listitem>
<para>You want all outgoing traffic from 192.168.1.0/24 through eth0 <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@ -634,7 +634,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 5:</term> <term>IPv4 Example 5:</term>
<listitem> <listitem>
<para>You want all outgoing SMTP traffic entering the firewall from <para>You want all outgoing SMTP traffic entering the firewall from
@ -654,7 +654,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 6:</term> <term>IPv4 Example 6:</term>
<listitem> <listitem>
<para>Connections leaving on eth0 and destined to any host defined <para>Connections leaving on eth0 and destined to any host defined
@ -667,7 +667,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 7:</term> <term>IPv4 Example 7:</term>
<listitem> <listitem>
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@ -689,7 +689,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 8:</term> <term>IPv4 Example 8:</term>
<listitem> <listitem>
<para>Your eth1 has two public IP addresses: 70.90.191.121 and <para>Your eth1 has two public IP addresses: 70.90.191.121 and
@ -716,6 +716,49 @@
</programlisting> </programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>You have a simple 'masquerading' setup where eth0 connects to
a DSL or cable modem and eth1 connects to your local network with
subnet 2001:470:b:787::0/64</para>
<para>Your entry in the file will be:</para>
<programlisting> #INTERFACE SOURCE ADDRESS
eth0 2001:470:b:787::0/64 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 2:</term>
<listitem>
<para>Your sit1 interface has two public IP addresses:
2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
iptables statistics match to masquerade outgoing connections evenly
between these two addresses.</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
INLINE(sit1) ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 ::/0 2001:470:a:227::2
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then these rules may be specified as follows:</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
sit1 ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 ::/0 2001:470:a:227::2</programlisting>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
@ -723,6 +766,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/masq</para> <para>/etc/shorewall/masq</para>
<para>/etc/shorewall6/masq</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

12
Shorewall/manpages/shorewall-modules.xml
View File

@ -18,11 +18,11 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/usr/share/shorewall/modules</command> <command>/usr/share/shorewall[6]/modules</command>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>/usr/share/shorewall/helpers</command> <command>/usr/share/shorewall[6]/helpers</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -82,6 +82,14 @@
<para>/etc/shorewall/modules</para> <para>/etc/shorewall/modules</para>
<para>/etc/shorewall/helpers</para> <para>/etc/shorewall/helpers</para>
<para>/usr/share/shorewall6/modules</para>
<para>/usr/share/shorewall6/helpers</para>
<para>/etc/shorewall6/modules</para>
<para>/etc/shorewall6/helpers</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

4
Shorewall/manpages/shorewall-nat.xml
View File

@ -34,6 +34,8 @@
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also, url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
in many cases, Proxy ARP (<ulink in many cases, Proxy ARP (<ulink
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5)) url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
or Proxy-NDP(<ulink
url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
is a better solution that one-to-one NAT.</para> is a better solution that one-to-one NAT.</para>
</warning> </warning>
@ -208,6 +210,8 @@ all all REJECT info
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/nat</para> <para>/etc/shorewall/nat</para>
<para>/etc/shorewall6/nat</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

10
Shorewall/manpages/shorewall-nesting.xml
View File

@ -200,6 +200,16 @@
<para>/etc/shorewall/policy</para> <para>/etc/shorewall/policy</para>
<para>/etc/shorewall/rules</para> <para>/etc/shorewall/rules</para>
<para>/etc/shorewall6/zones</para>
<para>/etc/shorewall6/interfaces</para>
<para>/etc/shorewall6/hosts</para>
<para>/etc/shorewall6/policy</para>
<para>/etc/shorewall6/rules</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

6
Shorewall/manpages/shorewall-netmap.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/netmap</command> <command>/etc/shorewall[6]/netmap</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -44,8 +44,6 @@
role="bold">SNAT}</emphasis></term> role="bold">SNAT}</emphasis></term>
<listitem> <listitem>
<para>Must be DNAT or SNAT</para>
<para>If DNAT, traffic entering INTERFACE and addressed to NET1 has <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
its destination address rewritten to the corresponding address in its destination address rewritten to the corresponding address in
NET2.</para> NET2.</para>
@ -169,6 +167,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/netmap</para> <para>/etc/shorewall/netmap</para>
<para>/etc/shorewall6/netmap</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

8
Shorewall/manpages/shorewall-params.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/params</command> <command>/etc/shorewall[6]/params</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -107,7 +107,7 @@
<programlisting>NET_IF=eth0 <programlisting>NET_IF=eth0
NET_BCAST=130.252.100.255 NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918</programlisting> NET_OPTIONS=routefilter</programlisting>
<para>Example <ulink <para>Example <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
@ -119,13 +119,15 @@ net $NET_IF $NET_BCAST $NET_OPTIONS</programlisting>
<para>This is the same as if the interfaces file had contained:</para> <para>This is the same as if the interfaces file had contained:</para>
<programlisting>ZONE INTERFACE BROADCAST OPTIONS <programlisting>ZONE INTERFACE BROADCAST OPTIONS
net eth0 130.252.100.255 routefilter,norfc1918</programlisting> net eth0 130.252.100.255 routefilter</programlisting>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/params</para> <para>/etc/shorewall/params</para>
<para>/etc/shorewall6/params</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

27
Shorewall/manpages/shorewall-policy.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/policy</command> <command>/etc/shorewall[6]/policy</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -33,25 +33,30 @@
<para>The order of entries in this file is important</para> <para>The order of entries in this file is important</para>
<para>This file determines what to do with a new connection request if <para>This file determines what to do with a new connection request if
we don't get a match from the /etc/shorewall/rules file . For each we don't get a match from the <ulink
source/destination pair, the file is processed in order until a match is url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink>(5) or
found ("all" will match any source or destination).</para> <ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5)
files. For each source/destination pair, the file is processed in order
until a match is found ("all" will match any source or
destination).</para>
</important> </important>
<important> <important>
<para>Intra-zone policies are pre-defined</para> <para>Intra-zone policies are pre-defined</para>
<para>For $FW and for all of the zones defined in /etc/shorewall/zones, <para>For $FW and for all of the zones defined in <ulink
the POLICY for connections from the zone to itself is ACCEPT (with no url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), the
POLICY for connections from the zone to itself is ACCEPT (with no
logging or TCP connection rate limiting) but may be overridden by an logging or TCP connection rate limiting) but may be overridden by an
entry in this file. The overriding entry must be explicit (specifying entry in this file. The overriding entry must be explicit (specifying
the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall
4.5.17 or later).</para> 4.5.17 or later).</para>
<para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in <ulink
then the implicit policy to/from any sub-zone is CONTINUE. These url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then the
implicit CONTINUE policies may also be overridden by an explicit entry implicit policy to/from any sub-zone is CONTINUE. These implicit
in this file.</para> CONTINUE policies may also be overridden by an explicit entry in this
file.</para>
</important> </important>
<para>The columns in the file are as follows (where the column name is <para>The columns in the file are as follows (where the column name is
@ -396,6 +401,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/policy</para> <para>/etc/shorewall/policy</para>
<para>/etc/shorewall6/policy</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

53
Shorewall/manpages/shorewall-providers.xml
View File

@ -82,14 +82,11 @@
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
file to direct packets to this provider.</para> file to direct packets to this provider.</para>
<para>If HIGH_ROUTE_MARKS=Yes in <ulink <para>If PROVIDER_OFFSET is non-zero in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
the value must be a multiple of 256 between 256 and 65280 or their the value must be a mutiple of 2^^PROVIDER_OFFSET. In all cases, the
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte number of significant bits may not exceed PROVIDER_OFFSET +
of the value being zero). Otherwise, the value must be between 1 and PROVIDER_BITS.</para>
255. Each provider must be assigned a unique mark value. This column
may be omitted if you don't use packet marking to direct connections
to a particular provider.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -116,9 +113,9 @@
listed in <ulink listed in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
In general, that interface should not have the In general, that interface should not have the
<option>proxyarp</option> option specified unless <option>proxyarp</option> or <option>proxyndp</option> option
<option>loose</option> is given in the OPTIONS column of this specified unless <option>loose</option> is given in the OPTIONS
entry.</para> column of this entry.</para>
<para>Where more than one provider is serviced through a single <para>Where more than one provider is serviced through a single
interface, the <emphasis>interface</emphasis> must be followed by a interface, the <emphasis>interface</emphasis> must be followed by a
@ -461,7 +458,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Example 1:</term> <term>IPv4 Example 1:</term>
<listitem> <listitem>
<para>You run squid in your DMZ on IP address 192.168.2.99. Your DMZ <para>You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
@ -473,7 +470,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 2:</term> <term>IPv4 Example 2:</term>
<listitem> <listitem>
<para>eth0 connects to ISP 1. The IP address of eth0 is <para>eth0 connects to ISP 1. The IP address of eth0 is
@ -491,6 +488,36 @@
ISP2 2 2 main eth1 130.252.99.254 track,balance eth2</programlisting> ISP2 2 2 main eth1 130.252.99.254 track,balance eth2</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2.
Your DMZ interface is eth2</para>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 1 - eth2 2002:ce7c:92b4:1::2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 2:</term>
<listitem>
<para>eth0 connects to ISP 1. The ISP's gateway router has IP
address 2001:ce7c:92b4:1::2.</para>
<para>eth1 connects to ISP 2. The ISP's gateway router has IP
address 2001:d64c:83c9:12::8b.</para>
<para>eth2 connects to a local network.</para>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 main eth0 2001:ce7c:92b4:1::2 track eth2
ISP2 2 2 main eth1 2001:d64c:83c9:12::8b track eth2</programlisting>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
@ -498,6 +525,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/providers</para> <para>/etc/shorewall/providers</para>
<para>/etc/shorewall6/providers</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

4
Shorewall/manpages/shorewall-routes.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/routes</command> <command>/etc/shorewall[6]/routes</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -109,6 +109,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/routes</para> <para>/etc/shorewall/routes</para>
<para>/etc/shorewall6/routes</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

6
Shorewall/manpages/shorewall-rtrules.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/rtrules</command> <command>/etc/shorewall[6]/rtrules</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -177,7 +177,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 2:</term> <term>IPv4 Example 2:</term>
<listitem> <listitem>
<para>You use OpenVPN (routed setup /tunX) in combination with <para>You use OpenVPN (routed setup /tunX) in combination with
@ -199,6 +199,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/rtrules</para> <para>/etc/shorewall/rtrules</para>
<para>/etc/shorewall6/rtrules</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

289
Shorewall/manpages/shorewall-rules.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/rules</command> <command>/etc/shorewall[6]/rules</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -54,7 +54,8 @@
<listitem> <listitem>
<para>This section was added in Shorewall 4.4.23. Rules in this <para>This section was added in Shorewall 4.4.23. Rules in this
section are applied, regardless of the connection tracking state of section are applied, regardless of the connection tracking state of
the packet.</para> the packet and are applied before rules in the other
sections.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -211,7 +212,8 @@
role="bold">DNAT</emphasis>[<emphasis role="bold">DNAT</emphasis>[<emphasis
role="bold">-</emphasis>] or <emphasis role="bold">-</emphasis>] or <emphasis
role="bold">REDIRECT</emphasis>[<emphasis role="bold">REDIRECT</emphasis>[<emphasis
role="bold">-</emphasis>] rules.</para> role="bold">-</emphasis>] rules. Use with IPv6 requires
Shorewall 4.5.14 or later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -232,7 +234,7 @@
<para>The name of an <emphasis>action</emphasis> declared in <para>The name of an <emphasis>action</emphasis> declared in
<ulink <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5) url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
or in /usr/share/shorewall/actions.std.</para> or in /usr/share/shorewall[6]/actions.std.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -286,7 +288,8 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. Audited versions of ACCEPT, <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
in the kernel and iptables.</para> in the kernel and iptables. A_ACCEPT+ with IPv6 requires
Shorewall 4.5.14 or later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -401,7 +404,8 @@
<listitem> <listitem>
<para>Forward the request to another system (and optionally <para>Forward the request to another system (and optionally
another port).</para> another port). Use with IPv6 requires Shorewall 4.5.14 or
later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -414,7 +418,8 @@
<para>Like <emphasis role="bold">DNAT</emphasis> but only <para>Like <emphasis role="bold">DNAT</emphasis> but only
generates the <emphasis role="bold">DNAT</emphasis> iptables generates the <emphasis role="bold">DNAT</emphasis> iptables
rule and not the companion <emphasis rule and not the companion <emphasis
role="bold">ACCEPT</emphasis> rule.</para> role="bold">ACCEPT</emphasis> rule. Use with IPv6 requires
Shorewall 4.5.14 or later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -496,11 +501,11 @@
[<replaceable>option</replaceable> ...])</term> [<replaceable>option</replaceable> ...])</term>
<listitem> <listitem>
<para>This action allows you to specify an iptables target <para>IPv4 only. This action allows you to specify an iptables
with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If target with options (e.g., 'IPTABLES(MARK --set-xmark
the <replaceable>iptables-target</replaceable> is not one 0x01/0xff)'. If the <replaceable>iptables-target</replaceable>
recognized by Shorewall, the following error message will be is not one recognized by Shorewall, the following error
issued:</para> message will be issued:</para>
<programlisting> ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting> <programlisting> ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
@ -521,6 +526,39 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">IP6TABLES</emphasis>({<replaceable>ip6tables-target</replaceable>
[<replaceable>option</replaceable> ...])</term>
<listitem>
<para>IPv6 only. This action allows you to specify an
ip6tables target with options (e.g., 'IPTABLES(MARK
--set-xmark 0x01/0xff)'. If the
<replaceable>ip6tables-target</replaceable> is not one
recognized by Shorewall, the following error message will be
issued:</para>
<programlisting> ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>
<para>This error message may be eliminated by adding
the<replaceable>
ip6tables-</replaceable><replaceable>target</replaceable> as a
builtin action in <ulink
url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
<important>
<para>If you specify REJECT as the
<replaceable>ip6tables-target</replaceable>, the target of
the rule will be the i6ptables REJECT target and not
Shorewall's builtin 'reject' chain which is used when REJECT
(see below) is specified as the
<replaceable>target</replaceable> in the ACTION
column.</para>
</important>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">LOG:<replaceable>level</replaceable></emphasis></term> role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
@ -673,7 +711,8 @@
<para>Excludes the connection from any subsequent <emphasis <para>Excludes the connection from any subsequent <emphasis
role="bold">DNAT</emphasis>[-] or <emphasis role="bold">DNAT</emphasis>[-] or <emphasis
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
a rule to accept the traffic.</para> a rule to accept the traffic. Use with IPv6 requires Shorewall
4.5.14 or later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -708,7 +747,7 @@
<para>Beginning with Shorewall 5.0.8, the type of reject may <para>Beginning with Shorewall 5.0.8, the type of reject may
be specified in the <replaceable>option</replaceable> be specified in the <replaceable>option</replaceable>
paramater. Valid <replaceable>option</replaceable> values paramater. Valid IPv4 <replaceable>option</replaceable> values
are:</para> are:</para>
<simplelist> <simplelist>
@ -731,6 +770,28 @@
option may also be specified as option may also be specified as
<option>tcp-reset</option>.</member> <option>tcp-reset</option>.</member>
</simplelist> </simplelist>
<para>Valid IPv6 <replaceable>option</replaceable> values
are:</para>
<simplelist>
<member><option>icmp6-no-route</option></member>
<member><option>no-route</option></member>
<member><option>i</option><option>cmp6-adm-prohibited</option></member>
<member><option>adm-prohibited</option></member>
<member><option>icmp6-addr-unreachable</option></member>
<member><option>addr-unreach</option></member>
<member><option>icmp6-port-unreachable</option></member>
<member><option>tcp-reset</option> (the PROTO column must
specify TCP)</member>
</simplelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -749,7 +810,8 @@
<listitem> <listitem>
<para>Redirect the request to a server running on the <para>Redirect the request to a server running on the
firewall.</para> firewall. Use with IPv6 requires Shorewall 4.5.14 or
later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -762,7 +824,8 @@
<para>Like <emphasis role="bold">REDIRECT</emphasis> but only <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
generates the <emphasis role="bold">REDIRECT</emphasis> generates the <emphasis role="bold">REDIRECT</emphasis>
iptables rule and not the companion <emphasis iptables rule and not the companion <emphasis
role="bold">ACCEPT</emphasis> rule.</para> role="bold">ACCEPT</emphasis> rule. Use with IPv6 requires
Shorewall 4.5.14 or later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -842,9 +905,9 @@
role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term> role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.10. Queues matching packets to a <para>IPv4 only. Added in Shorewall 4.5.10. Queues matching
back end logging daemon via a netlink socket then continues to packets to a back end logging daemon via a netlink socket then
the next rule. See <ulink continues to the next rule. See <ulink
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para> url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
<para>Similar to<emphasis role="bold"> <para>Similar to<emphasis role="bold">
@ -889,10 +952,10 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>You may also specify <emphasis role="bold">ULOG</emphasis> or <para>You may also specify <emphasis role="bold">ULOG</emphasis>
<emphasis role="bold">NFLOG</emphasis> (must be in upper case) as a (IPv4 only) or <emphasis role="bold">NFLOG</emphasis> (must be in
log level.This will log to the ULOG or NFLOG target for routing to a upper case) as a log level.This will log to the ULOG or NFLOG target
separate log through use of ulogd (<ulink for routing to a separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para> url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>Actions specifying logging may be followed by a log tag (a <para>Actions specifying logging may be followed by a log tag (a
@ -922,9 +985,9 @@
<listitem> <listitem>
<para>The name of a zone defined in <ulink <para>The name of a zone defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). When url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).
only the zone name is specified, the packet source may be any When only the zone name is specified, the packet source may be
host in that zone.</para> any host in that zone.</para>
<para>zone may also be one of the following:</para> <para>zone may also be one of the following:</para>
@ -991,9 +1054,10 @@
<replaceable>zone</replaceable> in either <ulink <replaceable>zone</replaceable> in either <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
or <ulink or <ulink
url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5). Only url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5).
packets from hosts in the <replaceable>zone</replaceable> that Only packets from hosts in the <replaceable>zone</replaceable>
arrive through the named interface will match the rule.</para> that arrive through the named interface will match the
rule.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1208,6 +1272,49 @@
of the net zone.</para> of the net zone.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>dmz:[2002:ce7c:2b4:1::2]</term>
<listitem>
<para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:2001:4d48:ad51:24::/64</term>
<listitem>
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
<listitem>
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
local zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc:~00-A0-C9-15-39-78</term>
<listitem>
<para>Host in the local zone with MAC address
00:A0:C9:15:39:78.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80</term>
<listitem>
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
2001:4d48:ad51:24:6::/80.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1229,9 +1336,9 @@
<listitem> <listitem>
<para>The name of a zone defined in <ulink <para>The name of a zone defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). When url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).
only the zone name is specified, the packet destination may be When only the zone name is specified, the packet destination
any host in that zone.</para> may be any host in that zone.</para>
<para>zone may also be one of the following:</para> <para>zone may also be one of the following:</para>
@ -1298,9 +1405,9 @@
<replaceable>zone</replaceable> in either <ulink <replaceable>zone</replaceable> in either <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5) url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
or <ulink or <ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5). Only url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
packets to hosts in the <replaceable>zone</replaceable> that Only packets to hosts in the <replaceable>zone</replaceable>
are sent through the named interface will match the that are sent through the named interface will match the
rule.</para> rule.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2082,12 +2189,100 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">HEADERS</emphasis></term> <term><emphasis role="bold">HEADERS -
[!][any:|exactly:]</emphasis><replaceable>header-list
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.15. Not used in IPv4 configurations. If <para>This column is only used in IPv6. In IPv4, supply "-" in this
you with to supply a value for one of the later columns, enter '-' column if you with to place a value in one of the following
in this column.</para> columns.</para>
<para>The <replaceable>header-list</replaceable> consists of a
comma-separated list of headers from the following list.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">auth</emphasis>, <emphasis
role="bold">ah</emphasis>, or <emphasis
role="bold">51</emphasis></term>
<listitem>
<para><firstterm>Authentication Headers</firstterm> extension
header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">esp</emphasis>, or <emphasis
role="bold">50</emphasis></term>
<listitem>
<para><firstterm>Encrypted Security Payload</firstterm>
extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hop</emphasis>, <emphasis
role="bold">hop-by-hop</emphasis> or <emphasis
role="bold">0</emphasis></term>
<listitem>
<para>Hop-by-hop options extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">route</emphasis>, <emphasis
role="bold">ipv6-route</emphasis> or <emphasis
role="bold">43</emphasis></term>
<listitem>
<para>IPv6 Route extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">frag</emphasis>, <emphasis
role="bold">ipv6-frag</emphasis> or <emphasis
role="bold">44</emphasis></term>
<listitem>
<para>IPv6 fragmentation extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">none</emphasis>, <emphasis
role="bold">ipv6-nonxt</emphasis> or <emphasis
role="bold">59</emphasis></term>
<listitem>
<para>No next header</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto</emphasis>, <emphasis
role="bold">protocol</emphasis> or <emphasis
role="bold">255</emphasis></term>
<listitem>
<para>Any protocol header.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If <emphasis role="bold">any:</emphasis> is specified, the
rule will match if any of the listed headers are present. If
<emphasis role="bold">exactly:</emphasis> is specified, the will
match packets that exactly include all specified headers. If neither
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
will match those packets which would not be matched when <emphasis
role="bold">!</emphasis> is omitted.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2413,6 +2608,20 @@
SECCTX builtin</programlisting> SECCTX builtin</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>Example 15:</term>
<listitem>
<para>You want to accept SSH connections to your firewall only from
internet IP addresses 2002:ce7c::92b4:1::2 and
2002:ce7c::92b4:1::22</para>
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
ACCEPT net:&lt;2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22&gt; \
$FW tcp 22</programlisting>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
@ -2420,6 +2629,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/rules</para> <para>/etc/shorewall/rules</para>
<para>/etc/shorewall6/rules</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

6
Shorewall/manpages/shorewall-secmarks.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/secmarks</command> <command>/etc/shorewall[6]/secmarks</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -229,7 +229,7 @@
role="bold">all}[,...]</emphasis></term> role="bold">all}[,...]</emphasis></term>
<listitem> <listitem>
<para> See <ulink <para>See <ulink
url="shorewall-rules.html">shorewall-rules(5)</ulink> for url="shorewall-rules.html">shorewall-rules(5)</ulink> for
details.</para> details.</para>
@ -404,6 +404,8 @@ RESTORE I:ER</programlisting>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/secmarks</para> <para>/etc/shorewall/secmarks</para>
<para>/etc/shorewall6/secmarks</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

58
Shorewall/manpages/shorewall-snat.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/snat</command> <command>/etc/shorewall[6]/snat</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -86,7 +86,7 @@
ADD_SNAT_ALIASES is set to Yes or yes in <ulink ADD_SNAT_ALIASES is set to Yes or yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
then Shorewall will automatically add this address to the then Shorewall will automatically add this address to the
INTERFACE named in the first column.</para> INTERFACE named in the first column (IPv4 only).</para>
<para>You may also specify a range of up to 256 IP addresses <para>You may also specify a range of up to 256 IP addresses
if you want the SNAT address to be assigned from that range in if you want the SNAT address to be assigned from that range in
@ -105,9 +105,7 @@
role="bold">:random</emphasis>) with <emphasis role="bold">:random</emphasis>) with <emphasis
role="bold">:persistent</emphasis>. This is only useful when role="bold">:persistent</emphasis>. This is only useful when
an address range is specified and causes a client to be given an address range is specified and causes a client to be given
the same source/destination IP pair. This feature replaces the the same source/destination IP pair.</para>
SAME modifier which was removed from Shorewall in version
4.4.0.</para>
<para>You may also use the special value <para>You may also use the special value
<option>detect</option> which causes Shorewall to determine <option>detect</option> which causes Shorewall to determine
@ -150,8 +148,8 @@
<listitem> <listitem>
<para>where <replaceable>action</replaceable> is an action <para>where <replaceable>action</replaceable> is an action
declared in <ulink declared in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink> with url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>
the <option>nat</option> option. See <ulink with the <option>nat</option> option. See <ulink
url="/Actions.html">www.shorewall.net/Actions.html</ulink> for url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
further information.</para> further information.</para>
</listitem> </listitem>
@ -257,7 +255,8 @@
<listitem> <listitem>
<para>If you wish to restrict this entry to a particular protocol <para>If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number here. See then enter the protocol name (from protocols(5)) or number here. See
<ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for <ulink
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
details.</para> details.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a <para>Beginning with Shorewall 4.5.12, this column can accept a
@ -599,7 +598,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Example 1:</term> <term>IPv4 Example 1:</term>
<listitem> <listitem>
<para>You have a simple masquerading setup where eth0 connects to a <para>You have a simple masquerading setup where eth0 connects to a
@ -614,7 +613,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 2:</term> <term>IPv4 Example 2:</term>
<listitem> <listitem>
<para>You add a router to your local network to connect subnet <para>You add a router to your local network to connect subnet
@ -628,7 +627,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 3:</term> <term>IPv4 Example 3:</term>
<listitem> <listitem>
<para>You want all outgoing traffic from 192.168.1.0/24 through eth0 <para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@ -642,7 +641,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 4:</term> <term>IPv4 Example 4:</term>
<listitem> <listitem>
<para>You want all outgoing SMTP traffic entering the firewall from <para>You want all outgoing SMTP traffic entering the firewall from
@ -666,7 +665,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 5:</term> <term>IPv4 Example 5:</term>
<listitem> <listitem>
<para>Connections leaving on eth0 and destined to any host defined <para>Connections leaving on eth0 and destined to any host defined
@ -679,7 +678,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 6:</term> <term>IPv4 Example 6:</term>
<listitem> <listitem>
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@ -701,19 +700,34 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 7:</term> <term>IPv6 Example 1:</term>
<listitem> <listitem>
<para>Your eth1 has two public IP addresses: 70.90.191.121 and <para>You have a simple 'masquerading' setup where eth0 connects to
70.90.191.123. You want to use the iptables statistics match to a DSL or cable modem and eth1 connects to your local network with
masquerade outgoing connections evenly between these two subnet 2001:470:b:787::0/64</para>
addresses.</para>
<para>Your entry in the file will be:</para>
<programlisting> #ACTION SOURCE DEST
MASQUERADE 2001:470:b:787::0/64 eth0</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 2:</term>
<listitem>
<para>Your sit1 interface has two public IP addresses:
2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
iptables statistics match to masquerade outgoing connections evenly
between these two addresses.</para>
<programlisting>/etc/shorewall/snat: <programlisting>/etc/shorewall/snat:
#ACTION SOURCE DEST #ACTION SOURCE DEST
SNAT(70.90.191.121) - eth1 { probability=.50 } SNAT(2001:470:a:227::1) ::/0 sit1 { probability=0.50 }
SNAT(70.90.191.123) - eth1</programlisting> SNAT(2001:470:a:227::2) ::/0 sit</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -723,6 +737,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/snat</para> <para>/etc/shorewall/snat</para>
<para>/etc/shorewall6/snat</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

4
Shorewall/manpages/shorewall-stoppedrules.xml
View File

@ -19,7 +19,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/stoppedrules</command> <command>/etc/shorewall[6]/stoppedrules</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -153,6 +153,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/stoppedrules</para> <para>/etc/shorewall/stoppedrules</para>
<para>/etc/shorewall6/stoppedrules</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

4
Shorewall/manpages/shorewall-tcclasses.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/tcclasses</command> <command>/etc/shorewall[6]/tcclasses</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -763,6 +763,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/tcclasses</para> <para>/etc/shorewall/tcclasses</para>
<para>/etc/shorewall6/tcclasses</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

4
Shorewall/manpages/shorewall-tcdevices.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/tcdevices</command> <command>/etc/shorewall[6]/tcdevices</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -276,6 +276,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/tcdevices</para> <para>/etc/shorewall/tcdevices</para>
<para>/etc/shorewall6/tcdevices</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

48
Shorewall/manpages/shorewall-tcfilters.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/tcfilters</command> <command>/etc/shorewall[6]/tcfilters</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -89,12 +89,12 @@
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf (5)</ulink>. The <ulink url="/manpages/shorewall.conf.html">shorewall.conf
ipset name may optionally be followed by a number or a comma (5)</ulink>. The ipset name may optionally be followed by a number
separated list of src and/or dst enclosed in square brackets or a comma separated list of src and/or dst enclosed in square
([...]). See <ulink brackets ([...]). See <ulink
url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink>
details.</para> for details.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -108,12 +108,12 @@
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf (5)</ulink>. The <ulink url="/manpages/shorewall.conf.html">shorewall.conf
ipset name may optionally be followed by a number or a comma (5)</ulink>. The ipset name may optionally be followed by a number
separated list of src and/or dst enclosed in square brackets or a comma separated list of src and/or dst enclosed in square
([...]). See <ulink brackets ([...]). See <ulink
url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink>
details.</para> for details.</para>
<para>You may exclude certain hosts from the set already defined <para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink through use of an <emphasis>exclusion</emphasis> (see <ulink
@ -288,7 +288,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Example 1:</term> <term>IPv4 Example 1:</term>
<listitem> <listitem>
<para>Place all 'ping' traffic on interface 1 in class 10. Note that <para>Place all 'ping' traffic on interface 1 in class 10. Note that
@ -310,7 +310,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 2:</term> <term>IPv4 Example 2:</term>
<listitem> <listitem>
<para>Add two filters with priority 10 (Shorewall 4.5.8 or <para>Add two filters with priority 10 (Shorewall 4.5.8 or
@ -324,6 +324,22 @@
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 10</programlisting> 1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 10</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
later).</para>
<programlisting> #CLASS SOURCE DEST PROTO DPORT PRIORITY
IPV6
1:10 ::/0 ::/0 icmp echo-request 10
1:10 ::/0 ::/0 icmp echo-reply 10</programlisting>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
@ -331,6 +347,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/tcfilters</para> <para>/etc/shorewall/tcfilters</para>
<para>/etc/shorewall6/tcfilters</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

6
Shorewall/manpages/shorewall-tcinterfaces.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/tcinterfaces</command> <command>/etc/shorewall[6]/tcinterfaces</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -201,7 +201,9 @@
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/tcinterfaces.</para> <para>/etc/shorewall/tcinterfaces</para>
<para>/etc/shorewall6/tcinterfaces</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

4
Shorewall/manpages/shorewall-tcpri.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/tcpri</command> <command>/etc/shorewall[6]/tcpri</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -148,6 +148,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/tcpri</para> <para>/etc/shorewall/tcpri</para>
<para>/etc/shorewall6/tcpri</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

97
Shorewall/manpages/shorewall-tunnels.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/tunnels</command> <command>/etc/shorewall[6]/tunnels</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -173,7 +173,7 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>Example 1:</term> <term>IPv4 Example 1:</term>
<listitem> <listitem>
<para>IPSec tunnel.</para> <para>IPSec tunnel.</para>
@ -187,7 +187,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 2:</term> <term>IPv4 Example 2:</term>
<listitem> <listitem>
<para>Road Warrior (LapTop that may connect from anywhere) where the <para>Road Warrior (LapTop that may connect from anywhere) where the
@ -199,7 +199,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 3:</term> <term>IPv4 Example 3:</term>
<listitem> <listitem>
<para>Host 4.33.99.124 is a standalone system connected via an ipsec <para>Host 4.33.99.124 is a standalone system connected via an ipsec
@ -211,7 +211,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 4:</term> <term>IPv4 Example 4:</term>
<listitem> <listitem>
<para>Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The <para>Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
@ -225,7 +225,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 5:</term> <term>IPv4 Example 5:</term>
<listitem> <listitem>
<para>You run the Linux PPTP client on your firewall and connect to <para>You run the Linux PPTP client on your firewall and connect to
@ -237,7 +237,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 6:</term> <term>IPv4 Example 6:</term>
<listitem> <listitem>
<para>You run a PPTP server on your firewall.</para> <para>You run a PPTP server on your firewall.</para>
@ -260,7 +260,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 8:</term> <term>IPv4 Example 8:</term>
<listitem> <listitem>
<para>You have a tunnel that is not one of the supported types. Your <para>You have a tunnel that is not one of the supported types. Your
@ -273,7 +273,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Example 9:</term> <term>IPv4 Example 9:</term>
<listitem> <listitem>
<para>TINC tunnel where the remote gateways are not specified. If <para>TINC tunnel where the remote gateways are not specified. If
@ -284,6 +284,83 @@
tinc net 0.0.0.0/0</programlisting> tinc net 0.0.0.0/0</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>IPSec tunnel.</para>
<para>The remote gateway is 2001:cec792b4:1::44. The tunnel does not
use the AH protocol</para>
<programlisting> #TYPE ZONE GATEWAY
ipsec:noah net 2002:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 2:</term>
<listitem>
<para>Road Warrior (LapTop that may connect from anywhere) where the
"gw" zone is used to represent the remote LapTop</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net ::/0 gw</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 3:</term>
<listitem>
<para>Host 2001:cec792b4:1::44 is a standalone system connected via
an ipsec tunnel to the firewall system. The host is in zone
gw.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 2001:cec792b4:1::44 gw</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 4:</term>
<listitem>
<para>OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
openvpn uses port 7777.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
openvpn:7777 net 2001:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 8:</term>
<listitem>
<para>You have a tunnel that is not one of the supported types. Your
tunnel uses UDP port 4444. The other end of the tunnel is
2001:cec792b4:1::44.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
generic:udp:4444 net 2001:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 9:</term>
<listitem>
<para>TINC tunnel where the remote gateways are not specified. If
you wish to specify a list of gateways, you can do so in the GATEWAY
column.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
tinc net ::/0</programlisting>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
@ -291,6 +368,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/tunnels</para> <para>/etc/shorewall/tunnels</para>
<para>/etc/shorewall6/tunnels</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

7
Shorewall/manpages/shorewall-vardir.xml
View File

@ -18,7 +18,7 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/vardir</command> <command>/etc/shorewall[6]/vardir</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -28,7 +28,8 @@
<para>This file does not exist by default. You may create the file if you <para>This file does not exist by default. You may create the file if you
want to change the directory used by Shorewall to store state information, want to change the directory used by Shorewall to store state information,
including compiled firewall scripts. By default, the directory used is including compiled firewall scripts. By default, the directory used is
<filename>/var/lib/shorewall/</filename>.</para> <filename>/var/lib/shorewall/</filename> for IPv4 and /var/lib/shorewall6/
for IPv6</para>
<para>The file contains a single variable assignment:</para> <para>The file contains a single variable assignment:</para>
@ -50,6 +51,8 @@
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/vardir</para> <para>/etc/shorewall/vardir</para>
<para>/etc/shorewall6/vardir</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

34
Shorewall/manpages/shorewall-zones.xml
View File

@ -128,9 +128,9 @@
<para>Example:</para> <para>Example:</para>
<programlisting>#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS <programlisting>#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
a ipv4 a ip
b ipv4 b ip
c:a,b ipv4</programlisting> c:a,b ip</programlisting>
<para>Currently, Shorewall uses this information to reorder the zone <para>Currently, Shorewall uses this information to reorder the zone
list so that parent zones appear after their subzones in the list. list so that parent zones appear after their subzones in the list.
@ -140,8 +140,8 @@ c:a,b ipv4</programlisting>
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is <para>Where an <emphasis role="bold">ipsec</emphasis> zone is
explicitly included as a child of an <emphasis explicitly included as a child of an <emphasis
role="bold">ipv4</emphasis> zone, the ruleset allows CONTINUE role="bold">ip</emphasis> zone, the ruleset allows CONTINUE policies
policies (explicit or implicit) to work as expected.</para> (explicit or implicit) to work as expected.</para>
<para>In the future, Shorewall may make additional use of nesting <para>In the future, Shorewall may make additional use of nesting
information.</para> information.</para>
@ -154,7 +154,7 @@ c:a,b ipv4</programlisting>
<listitem> <listitem>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ipv4</emphasis></term> <term><emphasis role="bold">ip</emphasis></term>
<listitem> <listitem>
<para>This is the standard Shorewall zone type and is the <para>This is the standard Shorewall zone type and is the
@ -162,17 +162,22 @@ c:a,b ipv4</programlisting>
the column. Communication with some zone hosts may be the column. Communication with some zone hosts may be
encrypted. Encrypted hosts are designated using the 'ipsec' encrypted. Encrypted hosts are designated using the 'ipsec'
option in <ulink option in <ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).</para> url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
For clarity, this zone type may be specified as
<option>ipv4</option> in IPv4 configurations and
<option>ipv6</option> in IPv6 configurations.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ipsec</emphasis> (or <emphasis <term><emphasis role="bold">ipsec</emphasis></term>
role="bold">ipsec4</emphasis>)</term>
<listitem> <listitem>
<para>Communication with all zone hosts is encrypted. Your <para>Communication with all zone hosts is encrypted. Your
kernel and iptables must include policy match support.</para> kernel and iptables must include policy match support. For
clarity, this zone type may be specified as
<option>ipsec4</option> in IPv4 configurations and
<option>ipsec6</option> in IPv6 configurations.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -190,12 +195,13 @@ c:a,b ipv4</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">bport</emphasis> (or <emphasis <term><emphasis role="bold">bport</emphasis></term>
role="bold">bport4</emphasis>)</term>
<listitem> <listitem>
<para>The zone is associated with one or more ports on a <para>The zone is associated with one or more ports on a
single bridge.</para> single bridge. For clarity, this zone type may be specified as
<option>bport4</option> in IPv4 configurations and
<option>bport6</option> in IPv6 configurations.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -424,6 +430,8 @@ c:a,b ipv4</programlisting>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/zones</para> <para>/etc/shorewall/zones</para>
<para>/etc/shorewall6/zones</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

322
Shorewall/manpages/shorewall.conf.xml
View File

@ -18,14 +18,15 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/shorewall.conf</command> <command>/etc/shorewall/shorewall.conf and
/etc/shorewall6/shorewall6.conf</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>This file sets options that apply to Shorewall as a whole.</para> <para>This file sets options that apply to Shorewall[6] as a whole.</para>
<para>The file consists of Shell comments (lines beginning with '#'), <para>The file consists of Shell comments (lines beginning with '#'),
blank lines and assignment statements blank lines and assignment statements
@ -65,16 +66,13 @@
level to choose, 6 (info) is a safe bet. You may specify levels by name or level to choose, 6 (info) is a safe bet. You may specify levels by name or
by number.</para> by number.</para>
<para>If you have built your kernel with ULOG and/or NFLOG target support, <para>If you have built your kernel with ULOG (IPv4 only) and/or NFLOG
you may also specify a log level of ULOG and/or NFLOG (must be all caps). target support, you may also specify a log level of ULOG and/or NFLOG
Rather than log its messages to syslogd, Shorewall will direct netfilter (must be all caps). Rather than log its messages to syslogd, Shorewall
to log the messages via the ULOG or NFLOG target which will send them to a will direct netfilter to log the messages via the ULOG or NFLOG target
process called 'ulogd'. ulogd is available with most Linux distributions which will send them to a process called 'ulogd'. ulogd is available with
(although it probably isn't installed by default). Ulogd is also available most Linux distributions (although it probably isn't installed by
from <ulink default).</para>
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
and can be configured to log all Shorewall messages to their own log
file.</para>
<note> <note>
<para>If you want to specify parameters to ULOG or NFLOG (e.g., <para>If you want to specify parameters to ULOG or NFLOG (e.g.,
@ -82,7 +80,7 @@
<para>Example:</para> <para>Example:</para>
<programlisting>MACLIST_LOG_LEVEL="NFLOG(1,0,1)"</programlisting> <programlisting>LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
</note> </note>
<para>Beginning with Shorewall 5.0.0, the log level may be followed by a <para>Beginning with Shorewall 5.0.0, the log level may be followed by a
@ -265,8 +263,9 @@
<listitem> <listitem>
<para>This parameter determines whether Shorewall automatically adds <para>This parameter determines whether Shorewall automatically adds
the external address(es) in <ulink the external address(es) in <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5), and is
variable is set to <emphasis role="bold">Yes</emphasis> or <emphasis only available in IPv4 configurations. If the variable is set to
<emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these role="bold">yes</emphasis> then Shorewall automatically adds these
aliases. If it is set to <emphasis role="bold">No</emphasis> or aliases. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these aliases <emphasis role="bold">no</emphasis>, you must add these aliases
@ -293,13 +292,14 @@
<listitem> <listitem>
<para>This parameter determines whether Shorewall automatically adds <para>This parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in <ulink the SNAT ADDRESS in <ulink
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5), and
the variable is set to <emphasis role="bold">Yes</emphasis> or is only available in IPv4 configurations. If the variable is set to
<emphasis role="bold">yes</emphasis> then Shorewall automatically <emphasis role="bold">Yes</emphasis> or <emphasis
adds these addresses. If it is set to <emphasis role="bold">yes</emphasis> then Shorewall automatically adds these
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>, addresses. If it is set to <emphasis role="bold">No</emphasis> or
you must add these addresses yourself using your distribution's <emphasis role="bold">no</emphasis>, you must add these addresses
network configuration tools.</para> yourself using your distribution's network configuration
tools.</para>
<para>If this variable is not set or is given an empty value <para>If this variable is not set or is given an empty value
(ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.</para> (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.</para>
@ -379,10 +379,10 @@
role="bold">ARPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term> role="bold">ARPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.12. This parameter names the arptables <para>Added in Shorewall 4.5.12 and available in IPv4 only. This
executable to be used by Shorewall. If not specified or if specified parameter names the arptables executable to be used by Shorewall. If
as a null value, then the arptables executable located using the not specified or if specified as a null value, then the arptables
PATH option is used.</para> executable located using the PATH option is used.</para>
<para>Regardless of how the arptables utility is located (specified <para>Regardless of how the arptables utility is located (specified
via arptables= or located via PATH), Shorewall uses the via arptables= or located via PATH), Shorewall uses the
@ -483,8 +483,8 @@
<para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
determines whether the <option>balance</option> provider option (see determines whether the <option>balance</option> provider option (see
<ulink <ulink
url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>) is url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>)
the default. When BALANCE_PROVIDERS=Yes, then the is the default. When BALANCE_PROVIDERS=Yes, then the
<option>balance</option> option is assumed unless the <option>balance</option> option is assumed unless the
<option>fallback</option>, <option>loose</option>, <option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is <option>load</option> or <option>tproxy</option> option is
@ -500,8 +500,8 @@
<listitem> <listitem>
<para>Added in Shorewall-4.6.0. When set to <emphasis <para>Added in Shorewall-4.6.0. When set to <emphasis
role="bold">Yes</emphasis>, causes entries in <ulink role="bold">Yes</emphasis>, causes entries in <ulink
url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>
generate a basic filter rather than a u32 filter. This setting to generate a basic filter rather than a u32 filter. This setting
requires the <firstterm>Basic Ematch</firstterm> capability in your requires the <firstterm>Basic Ematch</firstterm> capability in your
kernel and iptables.</para> kernel and iptables.</para>
@ -624,6 +624,11 @@
marking defined in <ulink marking defined in <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5). url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
If not specified, CLEAR_TC=Yes is assumed.</para> If not specified, CLEAR_TC=Yes is assumed.</para>
<warning>
<para>When you specify TC_ENABLED=shared (see below), then you
should also specify CLEAR_TC=No.</para>
</warning>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -662,17 +667,17 @@
role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term> role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>
<listitem> <listitem>
<para>Specifies where configuration files other than shorewall.conf <para>Specifies where configuration files other than
may be found. CONFIG_PATH is specifies as a list of directory names shorewall[6].conf may be found. CONFIG_PATH is specifies as a list
separated by colons (":"). When looking for a configuration of directory names separated by colons (":"). When looking for a
file:</para> configuration file:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>If the command is "try" or a "&lt;configuration <para>If the command is "try" or a "&lt;configuration
directory&gt;" was specified in the command (e.g., directory&gt;" was specified in the command (e.g.,
<command>shorewall check ./gateway</command>) then the directory <command>shorewall [-6] check ./gateway</command>) then the
given in the command is searched first.</para> directory given in the command is searched first.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -697,8 +702,8 @@
<listitem> <listitem>
<para>Added in Shorewall 4.5.12. When set to 'Yes' (the default), <para>Added in Shorewall 4.5.12. When set to 'Yes' (the default),
DNS names are validated in the compiler and then passed on to the DNS names are validated in the compiler and then passed on to the
generated script where they are resolved by iptables-restore. This generated script where they are resolved by ip[6]tables-restore.
is an advantage if you use AUTOMAKE=Yes and the IP address This is an advantage if you use AUTOMAKE=Yes and the IP address
associated with the DNS name is subject to change. When associated with the DNS name is subject to change. When
DEFER_DNS_RESOLUTION=No, DNS names are converted into IP addresses DEFER_DNS_RESOLUTION=No, DNS names are converted into IP addresses
by the compiler. This has the advantage that when AUTOMAKE=Yes, the by the compiler. This has the advantage that when AUTOMAKE=Yes, the
@ -715,7 +720,7 @@
<listitem> <listitem>
<para>If set to Yes (the default value), entries in the <para>If set to Yes (the default value), entries in the
/etc/shorewall/rtrules files cause an 'ip rule del' command to be /etc/shorewall[6]/rtrules files cause an 'ip rule del' command to be
generated in addition to an 'ip rule add' command. Setting this generated in addition to an 'ip rule add' command. Setting this
option to No, causes the 'ip rule del' command to be omitted.</para> option to No, causes the 'ip rule del' command to be omitted.</para>
</listitem> </listitem>
@ -726,6 +731,8 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>IPv4 only.</para>
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, Shorewall will detect the first IP role="bold">yes</emphasis>, Shorewall will detect the first IP
address of the interface to the source zone and will include this address of the interface to the source zone and will include this
@ -742,6 +749,8 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>IPv4 only.</para>
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, IPv6 traffic to, from and through the role="bold">yes</emphasis>, IPv6 traffic to, from and through the
firewall system is disabled. If set to <emphasis firewall system is disabled. If set to <emphasis
@ -761,7 +770,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No</para> <para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No in
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -807,20 +817,21 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.7. When set to <emphasis <para>Added in Shorewall 4.4.7. When set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>, role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
chain-based dynamic blacklisting using <command>shorewall chain-based dynamic blacklisting using <command>shorewall [-6] [-l]
drop</command>, <command>shorewall reject</command>, drop</command>, <command>shorewall [-6] [-l] reject</command>,
<command>shorewall logdrop</command> and <command>shorewall <command>shorewall logdrop</command> and <command>shorewall [-6]
logreject</command> is disabled. Default is <emphasis [-l] logreject</command> is disabled. Default is <emphasis
role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8, role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
ipset-based dynamic blacklisting using the <command>shorewall ipset-based dynamic blacklisting using the <command>shorewall
blacklist</command> command is also supported. The name of the set blacklist</command> command is also supported. The name of the set
(<replaceable>setname</replaceable>) and the level (<replaceable>setname</replaceable>) and the level
(<replaceable>log_level</replaceable>), if any, at which blacklisted (<replaceable>log_level</replaceable>), if any, at which blacklisted
traffic is to be logged may also be specified. The default set name traffic is to be logged may also be specified. The default IPv4 set
is SW_DBL4 and the default log level is <option>none</option> (no name is SW_DBL4 and the default IPv6 set name is SW_DBL6. The
logging). If <option>ipset-only</option> is given, then chain-based default log level is <option>none</option> (no logging). If
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No <option>ipset-only</option> is given, then chain-based dynamic
had been specified.</para> blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
specified.</para>
<para>Possible <replaceable>option</replaceable>s are:</para> <para>Possible <replaceable>option</replaceable>s are:</para>
@ -866,9 +877,9 @@
<important> <important>
<para>Once the dynamic blacklisting ipset has been created, <para>Once the dynamic blacklisting ipset has been created,
changing this option setting requires a complete restart of changing this option setting requires a complete restart of
the firewall; <command>shorewall restart</command> if the firewall; <command>shorewall [-6] restart</command> if
RESTART=restart, otherwise <command>shorewall stop RESTART=restart, otherwise <command>shorewall [-6] [-l] stop
&amp;&amp; shorewall start</command></para> &amp;&amp; shorewall [-6] [-l] start</command></para>
</important> </important>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -910,13 +921,15 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<listitem> <listitem>
<para>Added in Shorewall 4.4.17. When set to Yes when compiling for <para>Added in Shorewall 4.4.17. When set to Yes when compiling for
use by Shorewall Lite (<command>shorewall load</command>, use by Shorewall Lite (<command>shorewall [-6]
<command>shorewall reload </command>or <command>shorewall remote-start</command>, <command>shorewall [-6] remote-reload,
shorewall [-6] remote-restart </command>or <command>shorewall [-6]
export</command> commands), the compiler will copy the modules or export</command> commands), the compiler will copy the modules or
helpers file from the administrative system into the script. When helpers file from the administrative system into the script. When
set to No or not specified, the compiler will not copy the modules set to No or not specified, the compiler will not copy the modules
or helpers file from <filename>/usr/share/shorewall</filename> but or helpers file from <filename>/usr/share/shorewall[6]</filename>
will copy those found in another location on the CONFIG_PATH.</para> but will copy those found in another location on the
CONFIG_PATH.</para>
<para>When compiling for direct use by Shorewall, causes the <para>When compiling for direct use by Shorewall, causes the
contents of the local module or helpers file to be copied into the contents of the local module or helpers file to be copied into the
@ -1114,10 +1127,12 @@ net all DROP info</programlisting>then the chain name is 'net-all'
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
specified, the specifications on the right are interpreted as if specified, the specifications on the right are interpreted as if
INLINE had been specified in the ACTION column. This also applies to INLINE had been specified in the ACTION column. This also applies to
<ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink> and <ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink>
<ulink url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>) which and <ulink
also support INLINE. If not specified or if specified as the empty url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>)
value, the value 'No' is assumed for backward compatibility.</para> which also support INLINE. If not specified or if specified as the
empty value, the value 'No' is assumed for backward
compatibility.</para>
<para>Beginning with Shorewall 5.0.0, it is no longer necessary to <para>Beginning with Shorewall 5.0.0, it is no longer necessary to
set INLINE_MATCHES=Yes in order to be able to specify your own set INLINE_MATCHES=Yes in order to be able to specify your own
@ -1176,9 +1191,13 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">Keep</emphasis>]</term> role="bold">Keep</emphasis>]</term>
<listitem> <listitem>
<para>This parameter determines whether Shorewall enables or <para>This IPv4 parameter determines whether Shorewall enables or
disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward). disables IPv4 Packet Forwarding
Possible values are:</para> (<filename>/proc/sys/net/ipv4/ip_forward</filename>). In an IPv6
configuration, this parameter determines the setting of
<filename>/proc/sys/net/ipv6/config/all/ip_forwarding</filename>.</para>
<para>Possible values are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -1210,12 +1229,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para/>
<blockquote>
<para>If this variable is not set or is given an empty value <para>If this variable is not set or is given an empty value
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para> (IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
</blockquote>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1258,6 +1273,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term> role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem> <listitem>
<para>IPv4 only.</para>
<para>This parameter names the iptables executable to be used by <para>This parameter names the iptables executable to be used by
Shorewall. If not specified or if specified as a null value, then Shorewall. If not specified or if specified as a null value, then
the iptables executable located using the PATH option is the iptables executable located using the PATH option is
@ -1270,22 +1287,71 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">IP6TABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>IPv6 only.</para>
<para>This parameter names the ip6tables executable to be used by
Shorewall6. If not specified or if specified as a null value, then
the ip6tables executable located using the PATH option is
used.</para>
<para>Regardless of how the ip6tables utility is located (specified
via IP6TABLES= or located via PATH), Shorewall6 uses the
ip6tables-restore and ip6tables-save utilities from that same
directory.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis <term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>IPv4:</para>
<blockquote>
<para>When set to <option>Yes</option>, this option prevents <para>When set to <option>Yes</option>, this option prevents
generated scripts from altering the /etc/iproute2/rt_tables database generated scripts from altering the /etc/iproute2/rt_tables
when there are entries in database when there are entries in
<filename>/etc/shorewall/providers</filename>. If you set this <filename>/etc/shorewall/providers</filename>. If you set this
option to <option>Yes</option> while Shorewall (Shorewall-lite) is option to <option>Yes</option> while Shorewall (Shorewall-lite) is
running, you should remove the file running, you should remove the file
<filename>/var/lib/shorewall/rt_tables</filename> <filename>/var/lib/shorewall/rt_tables</filename>
(<filename>/var/lib/shorewall-lite/rt_tables</filename>) before your (<filename>/var/lib/shorewall-lite/rt_tables</filename>) before
next <command>stop</command>, <command>refresh</command>, your next <command>stop</command>, <command>refresh</command>,
<command>restore</command>, <emphasis role="bold">reload</emphasis> <command>restore</command>, <emphasis
or <command>restart</command> command.</para> role="bold">reload</emphasis> or <command>restart</command>
command.</para>
</blockquote>
<para>IPv6:</para>
<blockquote>
<para>When set to <option>Yes</option>, this option prevents
scripts generated by Shorewall6 from altering the
/etc/iproute2/rt_tables database when there are entries in
<filename>/etc/shorewall6/providers</filename>. If you set this
option to <option>Yes</option> while Shorewall6 (Shorewall6-lite)
is running, you should remove the file
<filename>/var/lib/shorewall6/rt_tables</filename>
(<filename>/var/lib/shorewall6-lite/rt_tables</filename>) before
your next <command>stop</command>, <command>refresh</command>,
<command>restore</command>, <emphasis
role="bold">reload</emphasis> or <command>restart</command>
command.</para>
</blockquote>
<important>
<para>When both IPv4 and IPv6 Shorewall configurations are
present, KEEP_RT_TABLES=No should be specified in only one of the
two configurations unless the two provider configurations are
identical with respect to interface and provider names and
numbers.</para>
</important>
<para>The default is KEEP_RT_TABLES=No.</para> <para>The default is KEEP_RT_TABLES=No.</para>
</listitem> </listitem>
@ -1298,9 +1364,9 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<listitem> <listitem>
<para>Added in Shorewall 4.4.7. When set to Yes, restricts the set <para>Added in Shorewall 4.4.7. When set to Yes, restricts the set
of modules loaded by shorewall to those listed in of modules loaded by shorewall to those listed in
/var/lib/shorewall/helpers and those that are actually used. When <filename>/var/lib/shorewall[6]/helpers</filename> and those that
not set, or set to the empty value, LOAD_HELPERS_ONLY=No is are actually used. When not set, or set to the empty value,
assumed.</para> LOAD_HELPERS_ONLY=No is assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1309,11 +1375,11 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term> role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem> <listitem>
<para>Specifies the name of the Shorewall lock file, used to prevent <para>Specifies the name of the Shorewall[6] lock file, used to
simultaneous state-changing commands. If not specified, prevent simultaneous state-changing commands. If not specified,
${VARDIR}/shorewall/lock is assumed (${VARDIR} is normally /var/lib ${VARDIR}/shorewall[6]/lock is assumed (${VARDIR} is normally
but can be changed when Shorewall-core is installed -- see the /var/lib but can be changed when Shorewall-core is installed -- see
output of <command>shorewall show vardir</command>).</para> the output of <command>shorewall show vardir</command>).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1341,6 +1407,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<term>ULOG</term> <term>ULOG</term>
<listitem> <listitem>
<para>IPv4 only.</para>
<para>Use ULOG logging to ulogd.</para> <para>Use ULOG logging to ulogd.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1365,8 +1433,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
sample configurations use this as the default log level and changing sample configurations use this as the default log level and changing
it will change all packet logging done by the configuration. In any it will change all packet logging done by the configuration. In any
configuration file (except <ulink configuration file (except <ulink
url="/manpages/shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL url="/manpages/shorewall-params.html">shorewall-params(5)</ulink>),
will expand to this value.</para> $LOG_LEVEL will expand to this value.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1376,6 +1444,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">No</emphasis>|Keep]</term> role="bold">No</emphasis>|Keep]</term>
<listitem> <listitem>
<para>IPv4 only.</para>
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, sets role="bold">yes</emphasis>, sets
<filename>/proc/sys/net/ipv4/conf/*/log_martians</filename> to 1 <filename>/proc/sys/net/ipv4/conf/*/log_martians</filename> to 1
@ -1523,7 +1593,9 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<caution> <caution>
<para>Beginning with Shorewall 5.1.0, the default and sample <para>Beginning with Shorewall 5.1.0, the default and sample
shorewall.conf files set LOGFORMAT="%s %s ". Shorewall log shorewall[6].conf files set LOGFORMAT="%s %s ". </para>
<para>Regardless of the LOGFORMAT setting, Shorewall IPv4 log
messages that use this LOGFORMAT can be uniquely identified using messages that use this LOGFORMAT can be uniquely identified using
the following regular expression:</para> the following regular expression:</para>
@ -1531,8 +1603,15 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<member>'IN=.* OUT=.* SRC=.*\..* DST='</member> <member>'IN=.* OUT=.* SRC=.*\..* DST='</member>
</simplelist> </simplelist>
<para>To match all Netfilter log messages (Both IPv4 and IPv6), <para>and Shorewall IPv6 log messages can be uniquely identified
use:</para> using the following regular expression:</para>
<simplelist>
<member>'IN=.* OUT=.* SRC=.*:.* DST='</member>
</simplelist>
<para>To match all Netfilter log messages (Both IPv4 and IPv6 and
regardless of the LOGFORMAT setting), use:</para>
<simplelist> <simplelist>
<member>'IN=.* OUT=.* SRC=.* DST='</member> <member>'IN=.* OUT=.* SRC=.* DST='</member>
@ -1625,7 +1704,7 @@ LOG:info:,bar net fw</programlisting>
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.</para> AUDIT_TARGET in the kernel and ip[6]tables.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1668,7 +1747,7 @@ LOG:info:,bar net fw</programlisting>
entries in <ulink entries in <ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5) url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5)
can be improved by setting the MACLIST_TTL variable in <ulink can be improved by setting the MACLIST_TTL variable in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="/manpages/shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>
<para>If your iptables and kernel support the "Recent Match" (see <para>If your iptables and kernel support the "Recent Match" (see
the output of "shorewall check" near the top), you can cache the the output of "shorewall check" near the top), you can cache the
@ -1710,6 +1789,8 @@ LOG:info:,bar net fw</programlisting>
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>IPv4 only.</para>
<para>This option is included for compatibility with old Shorewall <para>This option is included for compatibility with old Shorewall
configuration. New installs should always have configuration. New installs should always have
MAPOLDACTIONS=No.</para> MAPOLDACTIONS=No.</para>
@ -1740,11 +1821,11 @@ LOG:info:,bar net fw</programlisting>
PREROUTING chain. This permits you to mark inbound traffic based on PREROUTING chain. This permits you to mark inbound traffic based on
its destination address when DNAT is in use. To determine if your its destination address when DNAT is in use. To determine if your
kernel has a FORWARD chain in the mangle table, use the <emphasis kernel has a FORWARD chain in the mangle table, use the <emphasis
role="bold">shorewall show mangle</emphasis> command; if a FORWARD role="bold">shorewall [-6] show mangle</emphasis> command; if a
chain is displayed then your kernel will support this option. If FORWARD chain is displayed then your kernel will support this
this option is not specified or if it is given the empty value option. If this option is not specified or if it is given the empty
(e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
assumed.</para> is assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1826,7 +1907,8 @@ LOG:info:,bar net fw</programlisting>
"/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset" "/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
where <emphasis role="bold">uname</emphasis> holds the output of where <emphasis role="bold">uname</emphasis> holds the output of
'<command>uname -r</command>' and <emphasis '<command>uname -r</command>' and <emphasis
role="bold">g_family</emphasis> holds '4'.</para> role="bold">g_family</emphasis> holds '4' in IPv4 configurations and
'6' in IPv6 configurations.</para>
<para>The option plus sign ('+') was added in Shorewall 5.0.3 and <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
causes the listed pathnames to be appended to the default list causes the listed pathnames to be appended to the default list
@ -1839,6 +1921,8 @@ LOG:info:,bar net fw</programlisting>
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>IPv4 only.</para>
<para>This option will normally be set to 'No' (the default). It <para>This option will normally be set to 'No' (the default). It
should be set to 'Yes' under the following circumstances:</para> should be set to 'Yes' under the following circumstances:</para>
@ -1865,17 +1949,18 @@ LOG:info:,bar net fw</programlisting>
<listitem> <listitem>
<para>The value of this variable determines the number of seconds <para>The value of this variable determines the number of seconds
that programs will wait for exclusive access to the Shorewall lock that programs will wait for exclusive access to the Shorewall[6]
file. After the number of seconds corresponding to the value of this lock file. After the number of seconds corresponding to the value of
variable, programs will assume that the last program to hold the this variable, programs will assume that the last program to hold
lock died without releasing the lock.</para> the lock died without releasing the lock.</para>
<para>If not set or set to the empty value, a value of 60 (60 <para>If not set or set to the empty value, a value of 60 (60
seconds) is assumed.</para> seconds) is assumed.</para>
<para>An appropriate value for this parameter would be twice the <para>An appropriate value for this parameter would be twice the
length of time that it takes your firewall system to process a length of time that it takes your firewall system to process a
<emphasis role="bold">shorewall restart</emphasis> command.</para> <emphasis role="bold">shorewall [-6] restart</emphasis>
command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1899,6 +1984,8 @@ LOG:info:,bar net fw</programlisting>
role="bold">prohibit</emphasis>]</term> role="bold">prohibit</emphasis>]</term>
<listitem> <listitem>
<para>IPv4 only.</para>
<para>When set to Yes, causes Shorewall to null-route the IPv4 <para>When set to Yes, causes Shorewall to null-route the IPv4
address ranges reserved by RFC1918. The default value is address ranges reserved by RFC1918. The default value is
'No'.</para> 'No'.</para>
@ -1935,12 +2022,11 @@ LOG:info:,bar net fw</programlisting>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Optimization category 1 - Traditionally, Shorewall has <para>Optimization category 1 - Traditionally, Shorewall has
created rules for the complete matrix of created rules for the complete matrix of host groups defined by
host groups defined by the zones, interfaces and hosts the zones, interfaces and hosts files. Any traffic that didn't
files. Any traffic that didn't correspond to an element correspond to an element of that matrix was rejected in one of
of that matrix was rejected in one of the built-in chains. When the built-in chains. When the matrix is sparse, this results in
the matrix is sparse, this results in lots of largely useless lots of largely useless rules.</para>
rules.</para>
<para>These extra rules can be eliminated by setting the 1 bit <para>These extra rules can be eliminated by setting the 1 bit
in OPTIMIZE.</para> in OPTIMIZE.</para>
@ -2316,7 +2402,7 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
<listitem> <listitem>
<para>if the protocol is UDP (17) then the packet is rejected <para>if the protocol is UDP (17) then the packet is rejected
with an 'port-unreachable' ICMP (ICMP6).</para> with an 'port-unreachable' ICMP.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -2324,6 +2410,11 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
with a 'host-unreachable' ICMP.</para> with a 'host-unreachable' ICMP.</para>
</listitem> </listitem>
<listitem>
<para>if the protocol is ICMP6 (1) then the packet is rejected
with a 'icmp6-addr-unreachable' ICMP6.</para>
</listitem>
<listitem> <listitem>
<para>otherwise, the packet is rejected with a 'host-prohibited' <para>otherwise, the packet is rejected with a 'host-prohibited'
ICMP.</para> ICMP.</para>
@ -2333,11 +2424,12 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
<para>You can modify this behavior by implementing your own <para>You can modify this behavior by implementing your own
<replaceable>action</replaceable> that handles REJECT and specifying <replaceable>action</replaceable> that handles REJECT and specifying
it's name in this option. The <emphasis role="bold">nolog</emphasis> it's name in this option. The <emphasis role="bold">nolog</emphasis>
and <emphasis role="bold">inline</emphasis> options will and <emphasis role="bold">noinline</emphasis> options will
automatically be assumed for the specified automatically be assumed for the specified
<replaceable>action</replaceable>.</para> <replaceable>action</replaceable>.</para>
<para>The following action implements the standard behavior:</para> <para>The following action implements the default reject
action:</para>
<programlisting>?format 2 <programlisting>?format 2
#TARGET SOURCE DEST PROTO #TARGET SOURCE DEST PROTO
@ -2437,10 +2529,10 @@ INLINE - - - ;; -j REJECT
<listitem> <listitem>
<para>Specifies the simple name of a file in /var/lib/shorewall to <para>Specifies the simple name of a file in /var/lib/shorewall to
be used as the default restore script in the <emphasis be used as the default restore script in the <emphasis
role="bold">shorewall save</emphasis>, <emphasis role="bold">shorewall [-6] save</emphasis>, <emphasis
role="bold">shorewall restore</emphasis>, <emphasis role="bold">shorewall [-6] restore</emphasis>, <emphasis
role="bold">shorewall forget </emphasis>and <emphasis role="bold">shorewall [-6] forget </emphasis>and <emphasis
role="bold">shorewall -f start</emphasis> commands.</para> role="bold">shorewall [6] -f start</emphasis> commands.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2449,6 +2541,8 @@ INLINE - - - ;; -j REJECT
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>IPv4 only.</para>
<para>During <emphasis role="bold">shorewall star</emphasis>t, IP <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
@ -2461,7 +2555,7 @@ INLINE - - - ;; -j REJECT
not be deleted. Regardless of the setting of RETAIN_ALIASES, not be deleted. Regardless of the setting of RETAIN_ALIASES,
addresses added during <emphasis role="bold">shorewall addresses added during <emphasis role="bold">shorewall
start</emphasis> are still deleted at a subsequent <emphasis start</emphasis> are still deleted at a subsequent <emphasis
role="bold">shorewall stop</emphasis>, <emphasis role="bold">shorewall [stop</emphasis>, <emphasis
role="bold">shorewall reload</emphasis> or <emphasis role="bold">shorewall reload</emphasis> or <emphasis
role="bold">shorewall restart</emphasis>.</para> role="bold">shorewall restart</emphasis>.</para>
</listitem> </listitem>
@ -3150,6 +3244,8 @@ INLINE - - - ;; -j REJECT
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/shorewall.conf</para> <para>/etc/shorewall/shorewall.conf</para>
<para>/etc/shorewall6/shorewall6.conf</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

21
docs/configuration_file_basics.xml
View File

@ -1934,6 +1934,27 @@ SSH(ACCEPT) net:$MYIP $FW
<filename>init</filename> extension script, then the value 255 is <filename>init</filename> extension script, then the value 255 is
assumed.</para> assumed.</para>
</important> </important>
<caution>
<para>Care must be exercised when using port variables in port ranges.
At run-time, the generated script will verify that each port variable is
either empty or contains a valid port number or service name. It does
not ensure that the low port number in a range is strictly less than the
high port number, when either of these is specified as a port
variable.</para>
<para>Example: The following definitions will result in an
iptables-restore failure during start/restart/reload:</para>
<para>/etc/shorewall/init:</para>
<programlisting> LOW_PORT=100
HIGH_PORT=50</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting> ACCEPT net $FW tcp ${LOW_PORT}:${HIGH_PORT}</programlisting>
</caution>
</section> </section>
<section id="ActionVariables"> <section id="ActionVariables">