diff --git a/docs/Accounting.xml b/docs/Accounting.xml
index fd33dd011..1dd987f69 100644
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -74,20 +74,18 @@
have a web server in your DMZ connected to eth1, then to count HTTP
traffic in both directions requires two rules:
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
- # PORT PORT
- DONE - eth0 eth1 tcp 80
- DONE - eth1 eth0 tcp - 80
+ #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+ DONE - eth0 eth1 tcp 80
+ DONE - eth1 eth0 tcp - 80Associating a counter with a chain allows for nice reporting. For
example:
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
- # PORT PORT
- web:COUNT - eth0 eth1 tcp 80
- web:COUNT - eth1 eth0 tcp - 80
- web:COUNT - eth0 eth1 tcp 443
- web:COUNT - eth1 eth0 tcp - 443
+ #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+ web:COUNT - eth0 eth1 tcp 80
+ web:COUNT - eth1 eth0 tcp - 80
+ web:COUNT - eth0 eth1 tcp 443
+ web:COUNT - eth1 eth0 tcp - 443
DONE webNow shorewall show web (or
@@ -110,12 +108,11 @@
Here is a slightly different example:
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
- # PORT PORT
- web - eth0 eth1 tcp 80
- web - eth1 eth0 tcp - 80
- web - eth0 eth1 tcp 443
- web - eth1 eth0 tcp - 443
+ #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+ web - eth0 eth1 tcp 80
+ web - eth1 eth0 tcp - 80
+ web - eth0 eth1 tcp 443
+ web - eth1 eth0 tcp - 443
COUNT web eth0 eth1
COUNT web eth1 eth0
@@ -152,12 +149,11 @@
you have to reverse the rules below.
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
- # PORT PORT
- web - eth0 - tcp 80
- web - - eth0 tcp - 80
- web - eth0 - tcp 443
- web - - eth0 tcp - 443
+ #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+ web - eth0 - tcp 80
+ web - - eth0 tcp - 80
+ web - eth0 - tcp 443
+ web - - eth0 tcp - 443
COUNT web eth0
COUNT web - eth0
@@ -309,7 +305,7 @@
Section headers have the form:
-
+ section-nameWhen sections are enabled:
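Review bot: The "Section headers have the form:" example should show the keyword ahead of the name; as rendered here only "section-name" survives, with no "?SECTION" in front of it, while every other section header in this patch (for example "?SECTION INPUT" in Accounting.xml and the upgrade_issues note about 4.6.0) uses the "?SECTION ..." form. Please confirm the listing reads "?SECTION section-name" so this page and the upgrade note agree.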
@@ -414,19 +410,19 @@
lives on the firewall itself.
- #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
-# PORT(S) PORT(S) GROUP
-SECTION INPUT
-ACCOUNT(fw-net,$FW_NET) - COM_IF
-ACCOUNT(dmz-net,$DMZ_NET) - COM_IF
+
+#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+?SECTION INPUT
+ACCOUNT(fw-net,$FW_NET) - COM_IF
+ACCOUNT(dmz-net,$DMZ_NET) - COM_IF
-SECTION OUTPUT
-ACCOUNT(fw-net,$FW_NET) - - COM_IF
-ACCOUNT(dmz-net,$DMZ_NET) - - COM_IF
+?SECTION OUTPUT
+ACCOUNT(fw-net,$FW_NET) - - COM_IF
+ACCOUNT(dmz-net,$DMZ_NET) - - COM_IF
-SECTION FORWARD
-ACCOUNT(loc-net,$INT_NET) - COM_IF INT_IF
-ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
+?SECTION FORWARD
+ACCOUNT(loc-net,$INT_NET) - COM_IF INT_IF
+ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
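Review bot: Indentation of the new header is inconsistent with the rest of Accounting.xml in this patch: here an empty line is added and "#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC" starts at column 0, whereas the earlier Accounting hunks keep the header indented on the first line of the listing. Since programlisting content renders literally, pick one layout for all of them. The "SECTION" to "?SECTION" change itself matches the 4.6.0 note in upgrade_issues.xml.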
@@ -504,9 +500,9 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
is eth1 with network 172.20.1.0/24. To account for all traffic between the
WAN and LAN interfaces:
- #ACTION CHAIN SOURCE DEST ...
-ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
-ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0
+ #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
+ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
+ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0This will create a net-loc table
for counting packets and bytes for traffic between the two
diff --git a/docs/Audit.xml b/docs/Audit.xml
index 2eac40e46..59c3d9b98 100644
--- a/docs/Audit.xml
+++ b/docs/Audit.xml
@@ -139,9 +139,8 @@
Example:
- #SOURCE DEST POLICY LOG
-# LEVEL
-net fw DROP:audit
+ #SOURCE DEST POLICY
+net $FW DROP:auditIt is allowed to also specify a log level on audited policies
resulting in both auditing and logging.
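Review bot: The LOG LEVEL column is dropped from the policy header ("#SOURCE DEST POLICY") even though the very next sentence says a log level may also be specified on audited policies. Keep the column so the example can carry that option, using the same single-line name the upgrade_issues hunk uses: "#SOURCE DEST POLICY LOGLEVEL". The "fw" to "$FW" change is a good consistency fix.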
@@ -170,8 +169,8 @@ net fw DROP:auditExample:
- #ACTION SOURCE DEST PROTO
-A_ACCEPT:info loc net ...
+ #ACTION SOURCE DEST PROTO
+A_ACCEPT:info loc net ...
@@ -330,12 +329,12 @@ A_ACCEPT:info loc net ... The parameters can be passed in the POLICY column of the policy
file.
- SOURCE DEST POLICY
-net all DROP:Drop(audit):audit #Same as DROP:A_DROP:audit
+ #SOURCE DEST POLICY
+net all DROP:Drop(audit):audit #Same as DROP:A_DROP:audit
- SOURCE DEST POLICY
-net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth
+ #SOURCE DEST POLICY
+net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth
The parameters can also be specified in shorewall.conf:
diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 6f8e465b4..d311b462d 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -207,28 +207,26 @@
port-forwarding rule from the net to a local system
is as follows:
- #ACTION SOURCE DEST PROTO DEST PORT
+ #ACTION SOURCE DEST PROTO DPORT
DNAT net loc:local-IP-address[:local-port] protocolport-numberSo to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:
- #ACTION SOURCE DEST PROTO DEST PORT
+ #ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.5 udp 7777If you want to forward requests directed to a particular address (
external-IP ) on your firewall to an internal
system:
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:local-IP-address>[:local-port] protocolport-number - external-IPIf you want to forward requests from a particular Internet address
( address ):
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net:address loc:local-IP-address[:local-port] protocolport-number -Finally, if you need to forward a range of ports, in the DEST PORT
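Review bot: The prose on the trailing context line still refers to "the DEST PORT" column while all four headers in this hunk were renamed to DPORT; update the sentence to say DPORT so the text and the listings match. While here, the unchanged DNAT line "loc:local-IP-address>[:local-port]" carries a stray ">" that the first form of the rule ("loc:local-IP-address[:local-port]") does not have; it looks like a typo.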
@@ -386,7 +384,7 @@ DNAT net:address loc:local-IP-addressAnswer:In
/etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT
+ #ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.3:22 tcp 1022
@@ -448,8 +446,7 @@ DNAT net fw:192.168.1.1:22 tcp 4104
- You have this rule on the Shorewall system:#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
+ You have this rule on the Shorewall system:#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:192.168.1.4 tcp 21 - 206.124.146.176
@@ -494,8 +491,8 @@ DNAT net loc:192.168.1.4 tcp 21 - 206.1
default gateway on the FTP server to the Shorewall system's internal
IP address (192.168.1.1). But if that isn't possible, you can work
around the problem with the following ugly hack in
- /etc/shorewall/masq:#INTERFACE SOURCE ADDRESS PROTO PORT
-eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21
+ /etc/shorewall/masq:#INTERFACE SOURCE ADDRESS PROTO PORT
+eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21This rule has the undesirable side effect of making all FTP
connections from the net appear to the FTP server as if they
@@ -514,17 +511,25 @@ eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21
that your Internet zone is named net and connects
on interface eth0:
- In /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
-DNAT net net:66.249.93.111:993 tcp 80 - 206.124.146.176
+ In /etc/shorewall/rules:#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+DNAT net net:66.249.93.111:993 tcp 80 - 206.124.146.176In /etc/shorewall/interfaces, specify the
routeback option on
- eth0:#ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect routeback
+ eth0:?FORMAT 2
+#ZONE INTERFACE OPTIONS
+net eth0 routeback
- /etc/shorewall/masq;#INTERFACE SOURCE ADDRESS PROTO PORT
-eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993
+ /etc/shorewall/masq;#INTERFACE SOURCE ADDRESS PROTO PORT
+eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993and in
/etc/shorewall/shorewall.conf:
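Review bot: The rules listing now carries six "?SECTION" lines for a single DNAT rule, and only the last section (NEW) has any content; the five empty sections (ALL, ESTABLISHED, RELATED, INVALID, UNTRACKED) add no information to this FAQ answer. The same block is pasted into the later rules examples in this file as well. Either show just "?SECTION NEW" above the rule, or keep the full list once and say in the text that it mirrors the default rules file layout. The interfaces change ("?FORMAT 2" with "net eth0 routeback", dropping "detect") is consistent with FORMAT 2 having no BROADCAST column.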
@@ -542,9 +547,8 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993Answer: Use this rule.
- #ACTION SOURCE DEST PROTO DEST
-# PORT(S)
-REDIRECT net 22 tcp 9022
+ #ACTION SOURCE DEST PROTO DPORT
+REDIRECT net 22 tcp 9022Note that the above rule will also allow connections from the
net on TCP port 22. If you don't want that, see Example:
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
-DNAT net net:192.168.4.22 tcp 80,443 - #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+DNAT net net:192.168.4.22 tcp 80,443 - 206.124.146.178
@@ -704,14 +707,15 @@ DNAT net net:192.168.4.22 tcp 80,443 - <
In /etc/shorewall/interfaces:
- #ZONE INTERFACE BROADCAST OPTIONS
-loc eth1 detect routeback
+ ?FORMAT 2
+#ZONE INTERFACE OPTIONS
+loc eth1 routebackIn /etc/shorewall/masq:
- #INTERFACE SOURCE ADDRESS PROTO PORT(S)
+ #INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp wwwNote: The technique described here is known as
@@ -721,16 +725,23 @@ loc eth1 detect routebackexternal IP address be used as the
source:
- #INTERFACE SOURCE ADDRESS PROTO PORT(S)
+ #INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.5 192.168.1.0/24 130.151.100.69 tcp wwwIn /etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
-DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69That rule (and the second one in the previous bullet) only
works of course if you have a static external IP address. If you
@@ -741,9 +752,16 @@ eth1:192.168.1.5 192.168.1.0/24 130.151.100.69and make your DNAT rule:
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
-DNAT loc loc:192.168.1.5 tcp www - #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+DNAT loc loc:192.168.1.5 tcp www - $ETH0_IPUsing this technique, you will want to configure your
@@ -825,14 +843,14 @@ DNAT loc loc:192.168.1.5 tcp www - In /etc/shorewall/interfaces:
- #ZONE INTERFACE BROADCAST OPTIONS
-dmz eth2 192.168.2.255 routeback
+ ?FORMAT 2
+#ZONE INTERFACE OPTIONS
+dmz eth2 routebackIn /etc/shorewall/masq:
- #INTERFACE: SOURCE ADDRESS
-#ADDRESS
-eth2:192.168.1.2 192.168.2.0/24
+ #INTERFACE SOURCE
+eth2:192.168.1.2 192.168.2.0/24In /etc/shorewall/nat, be sure that you
have Yes in the ALL INTERFACES column.
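Review bot: The old interfaces entry set an explicit broadcast address ("dmz eth2 192.168.2.255 routeback"); moving to "?FORMAT 2" removes the BROADCAST column, so that value is silently dropped rather than carried over. If the explicit broadcast was never needed for this example, fine, but please confirm it was deliberate, since this is the only interfaces hunk in the patch where a non-"detect" value is lost.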
@@ -862,9 +880,16 @@ eth2:192.168.1.2 192.168.2.0/24You can enable access to the server from your local network
using the firewall's external IP address by adding this rule:
- #ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
-# PORT DEST
-DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176
+ #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176If your external IP address is dynamic, then you must do the
following:
@@ -875,9 +900,16 @@ eth2:192.168.1.2 192.168.2.0/24and make your DNAT rule:
- #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
-# PORT DEST.
-DNAT loc dmz:192.168.2.4 tcp 80 - #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP
@@ -1433,16 +1465,23 @@ net-fw DROP eth2 5 packets from 61.158.162.9 to 206.124.146.177Answer: Temporarily add the
following rule:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-DROP net fw udp 10619
+ #ACTION SOURCE DEST PROTO DPORT
- Alternatively, if you do not set BLACKLIST_LOGLEVEL and you have
- specifed the 'blacklist' option on your external interface in
- /etc/shorewall/interfaces, then you can blacklist
- the port. In /etc/shorewall/blacklist:
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
- #ADDRESS/SUBNET PROTOCOL PORT
-- udp 10619
+DROP net $FW udp 10619
+
+ Alternatively, if you do not set BLACKLIST_LOGLEVEL you can blacklist
+ the port. In /etc/shorewall/blrules:
+
+ #ACTION SOURCE DEST PROTO DPORT
+
+DROP net $FW udp 10619
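Review bot: After this change the blrules example is textually identical to the rules example above it ("DROP net $FW udp 10619"), so the "Alternatively" paragraph no longer tells the reader what the blrules variant buys them. Add a sentence stating the difference. The removed text also required the 'blacklist' option on the external interface; if /etc/shorewall/blrules does not need that option, say so explicitly, because readers of the old text will look for it. The six "?SECTION" lines between the header and the rule have the same empty-sections issue as the other rules listings in this file.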
@@ -2361,12 +2400,11 @@ gateway:~# Answer: Suppose that you want all
traffic to go out through ISP1 (mark 1) unless you specify otherwise.
Then simply add these two rules as the first marking rules in your
- /etc/shorewall/mangle
- (/etc/shorewall/tcrules) file:
+ /etc/shorewall/mangle (was tcrules) file:
- #ACTION SOURCE DEST
-1:P 0.0.0.0/0
-1 $FW
+ #ACTION SOURCE DEST
+MARK(1):P 0.0.0.0/0
+MARK(1) $FW
other MARK rulesNow any traffic that isn't marked by one of your other MARK rules
@@ -2449,8 +2487,8 @@ root@gateway:~#
at 10-12kb and adjust as necessary. Example (simple traffic
shaping):
- #INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
-eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
+eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:10kb
@@ -2495,8 +2533,7 @@ root@gateway:/etc/shorewall#
Example from /etc/shorewall/tcdevices:
- #NUMBER: IN-BANDWIDTH OUT-BANDWIDTH OPTIONS
-#INTERFACE
+ #INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS
1:COMB_IF ~20mbit:250ms:4sec ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0To create a rate-estimated filter, precede the bandwidth with a
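Review bot: Typo in the new tcdevices header: "IN_BANDWITH" should be "IN_BANDWIDTH" (the OUT column and the previous hunk spell it correctly). The header also drops the "NUMBER:" part of the old "NUMBER:INTERFACE" column while the entry below still reads "1:COMB_IF", so the first column name no longer describes the value under it; "#NUMBER:INTERFACE IN_BANDWIDTH OUT_BANDWIDTH OPTIONS" would keep them aligned.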
@@ -2674,9 +2711,17 @@ VS3=fw:192.168.2.14/etc/shorewall/rules:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-ACCEPT $VS1 net tcp 25
-DNAT net $VS1 tcp 25
+ #ACTION SOURCE DEST PROTO DPORT
+
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+ACCEPT $VS1 net tcp 25
+DNAT net $VS1 tcp 25
etc...
@@ -2925,7 +2970,7 @@ else
(FAQ 26) When I try to use any of the SYN options in nmap on or
behind the firewall, I get operation not permitted. How
- can I use nmap with Shorewall?"
+ can I use nmap with Shorewall?
Answer: Temporarily remove any
rejNotSyn,
- #ACTION SOURCE DEST PROTO
-REJECT fw net:pagead2.googlesyndication.com all
+ #ACTION SOURCE DEST PROTO
+REJECT fw net:pagead2.googlesyndication.com allHowever, this also sometimes restricts access to "google.com". Why
is that? Using dig, I found these IPs for domain
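Review bot: This hunk keeps "REJECT fw net:pagead2.googlesyndication.com all" with a bare "fw", while the next hunk in the same FAQ answer rewrites the equivalent rules to "REJECT $FW net:216.239.37.99 all". Since this patch is normalising on $FW elsewhere (Audit.xml, the blrules example), change this line to $FW as well so the two listings in one answer do not disagree.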
@@ -2992,9 +3037,9 @@ REJECT fw net:pagead2.googlesyndication.com all
- #ACTION SOURCE DEST PROTO
-REJECT fw net:216.239.37.99 all
-REJECT fw net:216.239.39.99 allGiven that
+ #ACTION SOURCE DEST PROTO
+REJECT $FW net:216.239.37.99 all
+REJECT $FW net:216.239.39.99 allGiven that
name-based multiple hosting is a common practice (another example:
lists.shorewall.net and www1.shorewall.net are both hosted on the same
system with a single IP address), it is not possible to filter
@@ -3079,10 +3124,9 @@ gateway:~# Answer: Add these two
policies:
- #SOURCE DESTINATION POLICY LOG LIMIT:BURST
-# LEVEL
-$FW loc ACCEPT
-loc $FW ACCEPT
+ #SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
+$FW loc ACCEPT
+loc $FW ACCEPTYou should also delete any ACCEPT rules from $FW->loc and
loc->$FW since those rules are redundant with the above
@@ -3121,16 +3165,16 @@ loc $FW ACCEPT /etc/shorewall/masq:
- #INTERFACE SOURCE ADDRESS
+ #INTERFACE SOURCE ADDRESS
COMMENT DSL Modem
-EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
+EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
/etc/shorewall/proxyarp:
- #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
+ #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
172.20.1.2 EXT_IF INT_IF no yes
@@ -3159,11 +3203,11 @@ EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
Your entry in /etc/shorewall/masq would
then be:
- #INTERFACE SOURCE ADDRESS
+ #INTERFACE SOURCE ADDRESS
-COMMENT DSL Modemhttp://ipv6.shorewall.net/SimpleBridge.html
+COMMENT DSL Modem
-EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
+EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
@@ -3192,8 +3236,9 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
default name for the firewall zone is fw:
- #ZONE TYPE OPTIONS
-fw firewall
+ #ZONE TYPE OPTIONS
+
+fw firewallSo, using the default or sample configurations, writing $FW is the same as writing $FW would be the same as writing
gate.
- #ZONE TYPE OPTIONS
-gate firewall
+ #ZONE TYPE OPTIONS
+
+gate firewallWhy was that done?
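Review bot: The added blank line between "#ZONE TYPE OPTIONS" and the single zone entry (in both listings) adds nothing and differs from the other header-plus-entry listings in this patch, which put the entry directly under the header; drop it for consistency. Separately, the unchanged sentence "writing $FW is the same as writing $FW would be the same as writing gate" reads as two sentences run together; worth checking the surrounding markup while this block is being touched.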
diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml
index 3ecb05bd0..d5ffa2f74 100644
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -92,7 +92,7 @@
- Beginning with Shorewall 4.6.0, ection headers are now preceded
+ Beginning with Shorewall 4.6.0, section headers are now preceded
by '?' (e.g., '?SECTION ...'). If your configuration contains any bare
'SECTION' entries, the following warning is issued:
@@ -1139,8 +1139,7 @@ shorewall restart The RPMs are set up so that if
Example:
- #SOURCE DEST POLICY LOG
-# LEVEL
+ #SOURCE DEST POLICY LOGLEVEL
loc net ACCEPT
net all DROP:MyDrop info
#