mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 07:38:57 +01:00
Log prefix; set routeback on brige ports
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1199 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9ec066441c
commit
e3584b67ed
@ -696,7 +696,7 @@ validate_interfaces_file() {
|
|||||||
# Validate the zone names and options in the hosts file
|
# Validate the zone names and options in the hosts file
|
||||||
#
|
#
|
||||||
validate_hosts_file() {
|
validate_hosts_file() {
|
||||||
local z hosts options r interface host option
|
local z hosts options r interface host option options1 bridge
|
||||||
|
|
||||||
while read z hosts options; do
|
while read z hosts options; do
|
||||||
expandv z hosts options
|
expandv z hosts options
|
||||||
@ -712,22 +712,32 @@ validate_hosts_file() {
|
|||||||
hosts=${hosts#*:}
|
hosts=${hosts#*:}
|
||||||
|
|
||||||
for host in $(separate_list $hosts); do
|
for host in $(separate_list $hosts); do
|
||||||
|
bridge=
|
||||||
|
|
||||||
[ -n "$BRIDGING" ] && case $host in
|
[ -n "$BRIDGING" ] && case $host in
|
||||||
*:*)
|
*:*)
|
||||||
eval ${iface}_is_bridge=Yes
|
bridge=Yes
|
||||||
list_search ${host%:*} $all_interfaces && \
|
list_search ${host%:*} $all_interfaces && \
|
||||||
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
|
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
|
||||||
;;
|
;;
|
||||||
*.*.*.*)
|
*.*.*.*)
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
|
bridge=Yes
|
||||||
eval ${iface}_is_bridge=Yes
|
eval ${iface}_is_bridge=Yes
|
||||||
list_search $host $all_interfaces && \
|
list_search $host $all_interfaces && \
|
||||||
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
|
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
for option in $(separate_list $options); do
|
options1=$(separate_list $options)
|
||||||
|
|
||||||
|
if [ -n "$bridge" ]; then
|
||||||
|
eval ${iface}_is_bridge=Yes
|
||||||
|
list_search routeback $options1 || options1="$options1 routeback"
|
||||||
|
fi
|
||||||
|
|
||||||
|
for option in $options1 ; do
|
||||||
case $option in
|
case $option in
|
||||||
maclist|-)
|
maclist|-)
|
||||||
;;
|
;;
|
||||||
@ -1012,21 +1022,32 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
|
|||||||
local disposition=$3
|
local disposition=$3
|
||||||
local rulenum=
|
local rulenum=
|
||||||
local limit="${4:-$LOGLIMIT}"
|
local limit="${4:-$LOGLIMIT}"
|
||||||
|
local dx="";
|
||||||
|
local logprefix="${5:-$dx}"
|
||||||
|
logprefix="$logprefix "
|
||||||
|
|
||||||
shift;shift;shift;shift
|
shift;shift;shift;shift;shift
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ -n "$LOGRULENUMBERS" ]; then
|
if [ -n "$LOGRULENUMBERS" ]; then
|
||||||
eval rulenum=\$${chain}_logrules
|
eval rulenum=\$${chain}_logrules
|
||||||
|
|
||||||
[ -z "$rulenum" ] && rulenum=1
|
[ -z "$rulenum" ] && rulenum=1
|
||||||
|
|
||||||
|
logprefixtemp="$(printf "$LOGFORMAT" $chain $rulenum $disposition)$logprefix"
|
||||||
|
if [ ${#logprefixtemp} -gt 29 ]; then
|
||||||
|
logprefixtemp="$(echo $logprefixtemp |cut -b -29)"
|
||||||
|
echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp"
|
||||||
|
fi
|
||||||
|
|
||||||
case $level in
|
case $level in
|
||||||
ULOG)
|
ULOG)
|
||||||
eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
|
eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$logprefixtemp"'
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
|
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"$logprefixtemp"'
|
||||||
--log-prefix '"$(printf "$LOGFORMAT" $chain $rulenum $disposition)"'
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -1038,13 +1059,21 @@ log_rule_limit() # $1 = log level, $2 = chain, $3 = disposition , $4 = rate limi
|
|||||||
|
|
||||||
eval ${chain}_logrules=$rulenum
|
eval ${chain}_logrules=$rulenum
|
||||||
else
|
else
|
||||||
|
|
||||||
|
logprefixtemp="$(printf "$LOGFORMAT" $chain $disposition)$logprefix"
|
||||||
|
if [ ${#logprefixtemp} -gt 29 ]; then
|
||||||
|
logprefixtemp="$(echo $logprefixtemp |cut -b -29)"
|
||||||
|
echo " Logprefix too LONG ! cutting it to 29 : $logprefixtemp"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
case $level in
|
case $level in
|
||||||
ULOG)
|
ULOG)
|
||||||
eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"'
|
eval iptables -A $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix '"$logprefixtemp"'
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level \
|
|
||||||
--log-prefix '"$(printf "$LOGFORMAT" $chain $disposition)"'
|
eval iptables -A $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix '"$logprefixtemp"'
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -1062,7 +1091,7 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
|
|||||||
|
|
||||||
shift;shift;shift
|
shift;shift;shift
|
||||||
|
|
||||||
log_rule_limit $level $chain $disposition "$LOGLIMIT" $@
|
log_rule_limit $level $chain $disposition "$LOGLIMIT" "$logprefix" $@
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -2331,7 +2360,7 @@ add_an_action()
|
|||||||
for serv1 in $(separate_list $serv); do
|
for serv1 in $(separate_list $serv); do
|
||||||
for srv in $(ip_range $serv1); do
|
for srv in $(ip_range $serv1); do
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \
|
log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logprefix" $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
|
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -2341,7 +2370,7 @@ add_an_action()
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $action $logtarget "$ratelimit" $userandgroup \
|
log_rule_limit $loglevel $action $logtarget "$ratelimit" "$logprefix" $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $cli $dports)
|
$(fix_bang $proto $sports $multiport $cli $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -2373,7 +2402,8 @@ process_action() # $1 = action
|
|||||||
local cports="$7"
|
local cports="$7"
|
||||||
local ratelimit="$8"
|
local ratelimit="$8"
|
||||||
local userspec="$9"
|
local userspec="$9"
|
||||||
local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit)"
|
local logprefix="${10}"
|
||||||
|
local rule="$(echo $target $clients $servers $protocol $ports $cports $ratelimit $logprefix)"
|
||||||
local userandgroup=
|
local userandgroup=
|
||||||
|
|
||||||
if [ -n "$ratelimit" ]; then
|
if [ -n "$ratelimit" ]; then
|
||||||
@ -2579,7 +2609,7 @@ process_actions1() {
|
|||||||
if [ -f $fn ]; then
|
if [ -f $fn ]; then
|
||||||
echo " Pre-processing $fn..."
|
echo " Pre-processing $fn..."
|
||||||
strip_file $f $fn
|
strip_file $f $fn
|
||||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
|
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec xlogprefix; do
|
||||||
expandv xtarget
|
expandv xtarget
|
||||||
temp="${xtarget%:*}"
|
temp="${xtarget%:*}"
|
||||||
case "${temp%<*}" in
|
case "${temp%<*}" in
|
||||||
@ -2589,7 +2619,7 @@ process_actions1() {
|
|||||||
if list_search $temp $ACTIONS; then
|
if list_search $temp $ACTIONS; then
|
||||||
eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\"
|
eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\"
|
||||||
else
|
else
|
||||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
|
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix)"
|
||||||
fatal_error "Invalid TARGET in rule \"$rule\""
|
fatal_error "Invalid TARGET in rule \"$rule\""
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
@ -2623,7 +2653,7 @@ process_actions2() {
|
|||||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
||||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
||||||
if [ "$ypolicy" != NONE ] ; then
|
if [ "$ypolicy" != NONE ] ; then
|
||||||
process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -2631,7 +2661,7 @@ process_actions2() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
do_it() {
|
do_it() {
|
||||||
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
|
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec xlogprefix
|
||||||
|
|
||||||
if [ "x$xclients" = xall ]; then
|
if [ "x$xclients" = xall ]; then
|
||||||
xclients="$zones $FW"
|
xclients="$zones $FW"
|
||||||
@ -2648,7 +2678,7 @@ process_actions2() {
|
|||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
|
|
||||||
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xlogprefix
|
||||||
|
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
@ -2681,7 +2711,7 @@ process_actions2() {
|
|||||||
fn=$(find_file $f)
|
fn=$(find_file $f)
|
||||||
|
|
||||||
echo "Processing $fn..."
|
echo "Processing $fn..."
|
||||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
|
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec xlogprefix; do
|
||||||
do_it
|
do_it
|
||||||
done < $TMP_DIR/$f
|
done < $TMP_DIR/$f
|
||||||
;;
|
;;
|
||||||
@ -2787,14 +2817,14 @@ add_nat_rule() {
|
|||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule $loglevel $chain $logtarget -t nat
|
log_rule $loglevel $chain $logtarget "$logprefix" -t nat
|
||||||
fi
|
fi
|
||||||
|
|
||||||
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
|
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
|
||||||
else
|
else
|
||||||
for adr in $(separate_list $addr); do
|
for adr in $(separate_list $addr); do
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" -t nat \
|
log_rule_limit $loglevel $OUTPUT $logtarget "$ratelimit" "$logprefix" -t nat \
|
||||||
$(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
|
$(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -2825,7 +2855,7 @@ add_nat_rule() {
|
|||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -t nat
|
||||||
fi
|
fi
|
||||||
|
|
||||||
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
|
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
|
||||||
@ -2833,7 +2863,7 @@ add_nat_rule() {
|
|||||||
for adr in $(separate_list $addr); do
|
for adr in $(separate_list $addr); do
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
ensurenatchain $chain
|
ensurenatchain $chain
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -t nat \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -t nat \
|
||||||
$(fix_bang $proto $cli $sports -d $adr $multiport $dports)
|
$(fix_bang $proto $cli $sports -d $adr $multiport $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3041,7 +3071,7 @@ add_a_rule()
|
|||||||
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
|
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
|
||||||
for adr in $(separate_list $addr); do
|
for adr in $(separate_list $addr); do
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" -m conntrack --ctorigdst $adr \
|
||||||
$userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
|
$userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3050,7 +3080,7 @@ add_a_rule()
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
|
$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3061,7 +3091,7 @@ add_a_rule()
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \
|
||||||
$(fix_bang $proto $sports $multiport $cli $dports)
|
$(fix_bang $proto $sports $multiport $cli $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3080,7 +3110,7 @@ add_a_rule()
|
|||||||
|
|
||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
|
log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logprefix" $userandgroup \
|
||||||
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
|
$(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -3114,8 +3144,9 @@ process_rule() # $1 = target
|
|||||||
local address="$7"
|
local address="$7"
|
||||||
local ratelimit="$8"
|
local ratelimit="$8"
|
||||||
local userspec="$9"
|
local userspec="$9"
|
||||||
|
local logprefix="${10}"
|
||||||
local userandgroup=
|
local userandgroup=
|
||||||
local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec)"
|
local rule="$(echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userspec $logprefix)"
|
||||||
|
|
||||||
# Function Body - isolate rate limit
|
# Function Body - isolate rate limit
|
||||||
|
|
||||||
@ -3406,7 +3437,7 @@ process_rules()
|
|||||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
||||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
||||||
if [ "$ypolicy" != NONE ] ; then
|
if [ "$ypolicy" != NONE ] ; then
|
||||||
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -3414,7 +3445,7 @@ process_rules()
|
|||||||
}
|
}
|
||||||
|
|
||||||
do_it() {
|
do_it() {
|
||||||
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec
|
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xlogprefix
|
||||||
|
|
||||||
if [ "x$xclients" = xall ]; then
|
if [ "x$xclients" = xall ]; then
|
||||||
xclients="$zones $FW"
|
xclients="$zones $FW"
|
||||||
@ -3431,10 +3462,10 @@ process_rules()
|
|||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
|
|
||||||
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix
|
||||||
}
|
}
|
||||||
|
|
||||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xlogprefix; do
|
||||||
temp="${xtarget%:*}"
|
temp="${xtarget%:*}"
|
||||||
case "${temp%<*}" in
|
case "${temp%<*}" in
|
||||||
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
|
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
|
||||||
@ -3449,7 +3480,7 @@ process_rules()
|
|||||||
|
|
||||||
do_it
|
do_it
|
||||||
else
|
else
|
||||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
|
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xlogprefix)"
|
||||||
fatal_error "Invalid Action in rule \"$rule\""
|
fatal_error "Invalid Action in rule \"$rule\""
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
@ -208,7 +208,7 @@
|
|||||||
# address is not altered.
|
# address is not altered.
|
||||||
#
|
#
|
||||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||||
# this colume:
|
# this column:
|
||||||
#
|
#
|
||||||
# <rate>/<interval>[:<burst>]
|
# <rate>/<interval>[:<burst>]
|
||||||
#
|
#
|
||||||
@ -240,6 +240,29 @@
|
|||||||
# !:kids #program must not be run by a member
|
# !:kids #program must not be run by a member
|
||||||
# #of the 'kids' group
|
# #of the 'kids' group
|
||||||
#
|
#
|
||||||
|
#
|
||||||
|
# LOGPREFIX You may add a specific log prefix to rules which are
|
||||||
|
# already logged (see the ACTIONS paragraph) by adding
|
||||||
|
# a word in this column. Spaces are not allowed, but
|
||||||
|
# underscores are.
|
||||||
|
#
|
||||||
|
# Examples:
|
||||||
|
#
|
||||||
|
# pingw # print Shorewall:fw2lan:ACCEPT:pingw
|
||||||
|
# mailo # print Shorewall:fw2lan:ACCEPT:mailo
|
||||||
|
# ma_ou # print Shorewall:fw2lan:ACCEPT:ma_ou
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# The default log format is LOGFORMAT="Shorewall:%s:%s:"
|
||||||
|
# You might want to reduce it to something shorter to
|
||||||
|
# allow you longer logprefixes. (in shorewall.conf :
|
||||||
|
# LOGFORMAT="Sw:%s:%s:" or something similar)
|
||||||
|
# (the total lenght permitted by iptables is 29 chars.)
|
||||||
|
# Shorewall:fw2lan:ACCEPT is already 23 chars.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#
|
||||||
# Example: Accept SMTP requests from the DMZ to the internet
|
# Example: Accept SMTP requests from the DMZ to the internet
|
||||||
#
|
#
|
||||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||||
@ -257,9 +280,9 @@
|
|||||||
# to local system 192.168.1.3 with a limit of 3 per second and
|
# to local system 192.168.1.3 with a limit of 3 per second and
|
||||||
# a maximum burst of 10
|
# a maximum burst of 10
|
||||||
#
|
#
|
||||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
# # PORT PORT(S) DEST
|
# # PORT PORT(S) DEST LIMIT
|
||||||
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
|
# DNAT net loc:192.168.1.3 tcp http - - <3/sec:10>
|
||||||
#
|
#
|
||||||
# Example: Redirect all locally-originating www connection requests to
|
# Example: Redirect all locally-originating www connection requests to
|
||||||
# port 3128 on the firewall (Squid running on the firewall
|
# port 3128 on the firewall (Squid running on the firewall
|
||||||
@ -283,7 +306,20 @@
|
|||||||
# # PORT PORT(S) DEST
|
# # PORT PORT(S) DEST
|
||||||
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
|
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
|
||||||
# tcp 22
|
# tcp 22
|
||||||
|
#
|
||||||
|
# Example: You want to explicitly log when a user named bob use https
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG
|
||||||
|
# # PORT PORT(S) DEST LIMIT GROUP PREFIX
|
||||||
|
# ACCEPT:debug fw lan tcp 443 - - - bob hs_bob
|
||||||
|
#
|
||||||
|
# Example: You want to explicitly log outgoing pings
|
||||||
|
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG
|
||||||
|
# # PORT PORT(S) DEST LIMIT GROUP PREFIX
|
||||||
|
# ACCEPT:debug fw lan icmp 8 - - - - p_out
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
####################################################################################################
|
####################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ LOG
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP PREFIX
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
Loading…
Reference in New Issue
Block a user