mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-10 23:58:14 +01:00
Remove references to Shorewall-shell, Shorewall-perl and prior Shorewall versions from the manpages
This commit is contained in:
parent 9c2966448e
commit f16b2300b6
Shorewall/manpages: shorewall-accounting.xml shorewall-interfaces.xml shorewall-masq.xml shorewall-nat.xml shorewall-netmap.xml shorewall-notrack.xml shorewall-policy.xml shorewall-providers.xml shorewall-routestopped.xml shorewall-rules.xml shorewall-tcclasses.xml shorewall-tcdevices.xml shorewall-tcrules.xml shorewall-tos.xml shorewall-zones.xml shorewall.conf.xml shorewall.xml
@ -743,6 +743,14 @@ sub compiler {
# Setup Masquerading/SNAT
#
setup_masq;
#
# Setup Nat
#
setup_nat;
#
# Setup NETMAP
#
setup_netmap;
}

#
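Review bot: the commit title only describes removing Shorewall-shell and Shorewall-perl references from the manpages, and the file list at the top of the page shows only manpage sources, yet this hunk (context `sub compiler {`) changes the compiler so that setup_nat and setup_netmap now run directly after setup_masq. A compiler change like this deserves its own commit, or at least a mention in the message. The opening line of the block that ends with the `}` shown here is outside the hunk, so please confirm it carries the `if ( $family == F_IPV4 )` guard: the following hunk removes the guard that used to protect these two calls.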
@ -770,17 +778,6 @@ sub compiler {
# Apply Policies
#
apply_policy_rules;

if ( $family == F_IPV4 ) {
#
# Setup Nat
#
setup_nat;
#
# Setup NETMAP
#
setup_netmap;
}
#
# Accounting.
#
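Review bot: dropping the `if ( $family == F_IPV4 ) { ... setup_nat; setup_netmap; }` block here moves NAT and NETMAP setup from after apply_policy_rules to before it, and nothing in the hunk or the commit message says why the order matters. If the NONAT fix in process_rule1 (the `$nat_table->{$ichain}` lookup in the next hunk) depends on the nat chains existing before policies are applied, say so in the message or in a comment at the new call site, so the next person does not move the calls back.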
@ -1303,7 +1303,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {

my $chn;

for ( zone_interfaces $sourcezone ) {
for ( keys %{zone_interfaces $sourcezone} ) {
my $ichain = input_chain $_;

if ( $nat_table->{$ichain} ) {
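Review bot: correct fix, and worth a line of explanation in the commit message. The new `%{zone_interfaces $sourcezone}` shows that zone_interfaces returns a hash reference, so the old `for ( zone_interfaces $sourcezone )` iterated exactly once over the reference itself and handed that reference to `input_chain $_`; the `$nat_table->{$ichain}` test below therefore never saw a real input chain name. `keys %{...}` walks the interface names as intended. This is the "Fix NONAT on child zone" changelog entry and should be committed separately with a regression case (a NONAT rule whose SOURCE is a sub-zone of a zone that has DNAT/REDIRECT rules).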
@ -4,6 +4,10 @@ Changes in Shorewall 4.4.0-RC1

2) Fix routing when no providers.

3) Add 'any' as a SOURCE/DEST in rules.

4) Fix NONAT on child zone.

Changes in Shorewall 4.4.0-Beta4

1) Add more macros.
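Review bot: entries 2) to 4) record three code changes (routing with no providers, the new 'any' keyword, the NONAT fix) while the commit title names only the manpage cleanup; either split the commit or reword the title so the history matches the changelog.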
@ -118,6 +118,9 @@ Shorewall 4.4.0 RC1
2) Previously, Shorewall might alter the routing when there were no
providers, even if the "-n" option was given.

3) Previously, NONAT rules on a sub-zone were not exempted from
DNAT/REDIRECT rules of a parent zone.

----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
@ -128,7 +131,11 @@ None.
N E W F E A T U R E S I N 4 . 4 . 0 RC1
----------------------------------------------------------------------------

None.
1) A new keyword 'any' may be used in the SOURCE and DEST columns of
the rules file. In the absense of nested zones, 'any' works the
same as 'all'. When there are nested zones, 'any' only selects the
top-level zones. 'any' is intended to be used with
IMPLICIT_CONTINUE=Yes in shorewall.conf.

----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 4
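Review bot: typo in the added entry, "absense" should be "absence". The entry also says 'any' is intended for use with IMPLICIT_CONTINUE=Yes without saying why; one sentence on what happens to traffic from sub-zone hosts when 'any' is used would save users a trip to the mailing list.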
@ -300,8 +300,7 @@

<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
@ -79,16 +79,15 @@ loc eth2 -</programlisting>
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
discussion of this problem.</para>

<para>Beginning with Shorewall 4.2.3, Shorewall-perl allows '+' as
an interface name.</para>
<para>Shorewall allows '+' as an interface name.</para>

<para>There is no need to define the loopback interface (lo) in this
file.</para>

<para>(Shorewall-perl only) If a <replaceable>port</replaceable> is
given, then the <replaceable>interface</replaceable> must have been
defined previously with the <option>bridge</option> option. The
OPTIONS column may not contain the following options when a
<para>If a <replaceable>port</replaceable> is given, then the
<replaceable>interface</replaceable> must have been defined
previously with the <option>bridge</option> option. The OPTIONS
column may not contain the following options when a
<replaceable>port</replaceable> is given.</para>

<simplelist>
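Review bot: with the version qualifier gone, "Shorewall allows '+' as an interface name." stands alone and no longer tells the reader what a bare '+' matches; a short clause ("meaning any interface" or whatever the compiler actually does) would make the retained sentence useful.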
@ -134,12 +133,6 @@ loc eth2 -</programlisting>
<para>If you don't want to give a value for this column but you want
to enter a value in the OPTIONS column, enter <emphasis
role="bold">-</emphasis> in this column.</para>

<para><emphasis role="bold">Note to Shorewall-perl users:</emphasis>
Shorewall-perl only supports <option>detect</option> or <emphasis
role="bold">-</emphasis> in this column. If you specify
<replaceable>address</replaceable>es, a compilation warning will be
issued.</para>
</listitem>
</varlistentry>
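Review bot: the removed note carried behaviour that still applies now that Shorewall-perl is the only compiler: only <option>detect</option> or <emphasis role="bold">-</emphasis> are accepted in this column, and specifying addresses produces a compilation warning. Rather than deleting it, reword it without the Shorewall-perl qualifier, e.g. "<para>Only <option>detect</option> or <emphasis role="bold">-</emphasis> are supported in this column. If you specify <replaceable>address</replaceable>es, a compilation warning will be issued.</para>".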
@ -164,12 +157,10 @@ loc eth2 -</programlisting>
requests for IP addresses on any of the firewall's interface.
The interface must be up when Shorewall is started.</para>

<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>arp_filter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>Only those interfaces with the
<option>arp_filter</option> option will have their setting
changes; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>

<para></para>
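Review bot: "will have their setting changes" in the rewritten paragraph should read "will have their setting changed" (the proxyarp entry already uses "changed"). The rewrite also drops the only sentence that told the reader the option accepts a value, so keep a version-neutral form of it: "<para>The option value (0 or 1) may be specified. Only those interfaces with the <option>arp_filter</option> option will have their setting changed; ...".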
@ -237,8 +228,7 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">bridge</emphasis></term>

<listitem>
<para>(Shorewall-perl only) Designates the interface as a
bridge.</para>
<para>Designates the interface as a bridge.</para>
</listitem>
</varlistentry>
@ -300,12 +290,10 @@ loc eth2 -</programlisting>
specify <option>logmartians</option> because your distribution
may be enabling route filtering without you knowing it.</para>

<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>logmartians</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>Only those interfaces with the
<option>logmartians</option> option will have their setting
changes; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>

<para>To find out if route filtering is set on a given
<replaceable>interface</replaceable>, check the contents of
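Review bot: same two issues as the arp_filter entry: "have their setting changes" should be "have their setting changed", and the statement that the option takes a value (0 or 1) has been lost; keep it as "The option value (0 or 1) may be specified." before the retained sentence.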
@ -377,9 +365,8 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">optional</emphasis></term>

<listitem>
<para>Only supported by Shorewall-perl. When
<option>optional</option> is specified for an interface,
Shorewall will be silent when:</para>
<para>When <option>optional</option> is specified for an
interface, Shorewall will be silent when:</para>

<itemizedlist>
<listitem>
@ -436,12 +423,10 @@ loc eth2 -</programlisting>
not work with a wild-card <replaceable>interface</replaceable>
name (e.g., eth0.+) in the INTERFACE column.</para>

<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>proxyarp</option> option will have
their setting changed; the value assigned to the setting will
be the value specified (if any) or 1 if no value is
given.</para>
<para>Only those interfaces with the <option>proxyarp</option>
option will have their setting changed; the value assigned to
the setting will be the value specified (if any) or 1 if no
value is given.</para>
</listitem>
</varlistentry>
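Review bot: the rewritten proxyarp paragraph no longer says that the option accepts a value of 0 or 1; the reader only learns it indirectly from "the value specified (if any)". Keep "The option value (0 or 1) may be specified." without the Shorewall-perl qualifier.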
@ -466,12 +451,10 @@ loc eth2 -</programlisting>
<para>Turn on kernel route filtering for this interface
(anti-spoofing measure).</para>

<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>routefilter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>Only those interfaces with the
<option>routefilter</option> option will have their setting
changes; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>

<para></para>
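Review bot: "have their setting changes" should be "have their setting changed" here as well, and the rewrite drops the statement that routefilter accepts a value of 0 or 1; since this is the anti-spoofing control, explicitly documenting that 0 turns it off for an interface matters, so keep "The option value (0 or 1) may be specified." in the retained paragraph.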
@ -502,12 +485,10 @@ loc eth2 -</programlisting>
This might represent a security risk and is not usually
needed.</para>

<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>sourceroute</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>Only those interfaces with the
<option>sourceroute</option> option will have their setting
changes; the value assigned to the setting will be the value
specified (if any) or 1 if no value is given.</para>

<para></para>
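Review bot: "have their setting changes" should be "have their setting changed", and the 0-or-1 value statement is lost here too. For sourceroute the distinction is security relevant: the preceding text calls the setting a possible security risk, so the paragraph should state plainly that <option>sourceroute=0</option> is the way to disable it on an interface.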
@ -551,7 +532,7 @@ loc eth2 -</programlisting>
causes Shorewall to detect the default gateway through the
interface and to accept UDP packets from that gateway. Note
that, like all aspects of UPnP, this is a security hole so use
this option at your own risk. </para>
this option at your own risk.</para>
</listitem>
</varlistentry>
</variablelist>
@ -50,22 +50,19 @@
role="bold">,</emphasis><emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]]|COMMENT}</term>

<listitem>
<para>Outgoing <emphasis>interfacelist</emphasis>. Prior to
Shorewall 4.1.4, this must be a single interface name; in 4.1.4 and
later, this may be a comma-separated list of interface names. This
is usually your internet interface. If ADD_SNAT_ALIASES=Yes in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5), you may
add ":" and a <emphasis>digit</emphasis> to indicate that you want
the alias added with that name (e.g., eth0:0). This will allow the
alias to be displayed with ifconfig. <emphasis role="bold">That is
the only use for the alias name; it may not appear in any other
place in your Shorewall configuratio</emphasis>n.</para>
<para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
comma-separated list of interface names. This is usually your
internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
and a <emphasis>digit</emphasis> to indicate that you want the alias
added with that name (e.g., eth0:0). This will allow the alias to be
displayed with ifconfig. <emphasis role="bold">That is the only use
for the alias name; it may not appear in any other place in your
Shorewall configuratio</emphasis>n.</para>

<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
Shorewall allows loose matches to wildcard entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
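Review bot: the rewritten paragraph carries over the markup slip "Shorewall configuratio</emphasis>n.", which renders the final "n" outside the bold span; since the sentence is being retyped anyway, make it "Shorewall configuration</emphasis>.".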
@ -113,7 +110,7 @@
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
-
{<emphasis>interface</emphasis>[[:]<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis
{<emphasis>interface</emphasis>[:<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>

<listitem>
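Review bot: "(Formerly called SUBNET)" in the retained term line is itself a reference to an earlier Shorewall version, which is what this commit sets out to remove; decide whether it stays as a migration aid or goes with the rest, but be consistent with the other manpages.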
@ -131,15 +128,11 @@
list of IP addresses (host or net) that you wish to exclude (see
<ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).
Note that with Shorewall-perl, a colon (":") must appear between an
Note that a colon (":") must appear between an
<replaceable>interface</replaceable> name and the
<replaceable>exclusion</replaceable>;</para>

<para>Example (shorewall-shell):
eth1!192.168.1.4,192.168.32.0/27</para>

<para>Example (shorewall-perl):
eth1:!192.168.1.4,192.168.32.0/27</para>
<para>Example: eth1:!192.168.1.4,192.168.32.0/27</para>

<para>In that example traffic from eth1 would be masqueraded unless
it came from 192.168.1.4 or 196.168.32.0/27</para>
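Review bot: two small things in the retained context while you are in this paragraph: the sentence "Note that a colon (":") must appear between an interface name and the exclusion;" should end with a period now that the shell-vs-perl contrast is gone, and the explanation line says "196.168.32.0/27" where the example uses 192.168.32.0/27.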
@ -166,12 +159,11 @@
want the SNAT address to be assigned from that range in a
round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
Beginning with Shorewall 4.0.6, you may follow the port range
with<emphasis role="bold"> :random</emphasis> in which case
assignment of ports from the list will be random. <emphasis
role="bold">random</emphasis> may also be specified by itself in
this column in which case random local port assignments are made for
the outgoing connections.</para>
You may follow the port range with<emphasis role="bold">
:random</emphasis> in which case assignment of ports from the list
will be random. <emphasis role="bold">random</emphasis> may also be
specified by itself in this column in which case random local port
assignments are made for the outgoing connections.</para>

<para>Example: 206.124.146.177-206.124.146.180</para>
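Review bot: the added line keeps the old spacing bug: "with<emphasis role="bold"> :random</emphasis>" puts the space inside the bold span and none before the tag, so it renders as "with :random" with the space bolded. Write it as "with <emphasis role="bold">:random</emphasis>".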
@ -379,8 +371,7 @@

<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
@ -85,9 +85,7 @@

<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
Shorewall allows loose matches to wildcard entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
@ -95,11 +93,6 @@
entry that defines <filename
class="devicefile">ppp+</filename>.</para>

<para>Prior to Shorewall 4.1.4,
<replaceable>interfacelist</replaceable> must be a single interface
name. Beginning with Shorewall-perl 4.1.4, Shorewall-perl users may
specify a comma-separated list of interfaces.</para>

<para>If you want to override ADD_IP_ALIASES=Yes for a particular
entry, follow the interface name with ":" and no digit (e.g.,
"eth0:").</para>
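Review bot: the removed paragraph was the statement that <replaceable>interfacelist</replaceable> may be a comma-separated list of interfaces; unlike the masq manpage hunk above, nothing retained here says so. Replace it with the version-neutral sentence rather than deleting it: "<para><replaceable>interfacelist</replaceable> may be a comma-separated list of interfaces.</para>".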
@ -1,4 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-netmap</refentrytitle>
@ -66,10 +68,8 @@
<listitem>
<para>The name of a network interface. The interface must be defined
in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Shorewall allows loose matches to wildcard entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
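Review bot: the retained line "url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)" has no terminating period, so after this hunk it runs straight into the new sentence "Shorewall allows loose matches ..."; add the period to the context line while touching this paragraph.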
@ -111,4 +111,4 @@
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
</refentry>
@ -27,9 +27,6 @@
connection tracking. Traffic matching entries in this fill will not be
tracked.</para>

<para>The file was added in shorewall-perl 4.2.7 and is not supported by
shorewall-shell or by earlier versions of shorewall-perl.</para>

<para>The columns in the file are as follows.</para>

<variablelist>
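Review bot: typo in the context line directly above the removed paragraph: "entries in this fill will not be tracked" should read "entries in this file will not be tracked".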
@ -165,9 +165,9 @@
<term><emphasis role="bold">NFQUEUE</emphasis></term>

<listitem>
<para>Added in Shorewall-perl 4.0.3. Queue the request for a
user-space application using the nfnetlink_queue mechanism. If
a <replaceable>queuenumber</replaceable> is not given, queue
<para>Queue the request for a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not given, queue
zero (0) is assumed.</para>
</listitem>
</varlistentry>
@ -256,17 +256,17 @@
<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>

<listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number
of simultaneous connections from each individual host to
<replaceable>limit</replaceable> connections. While the limit is
only checked on connections to which this policy could apply, the
number of current connections is calculated over all current
connections from the SOURCE host. By default, the limit is applied
to each host individually but can be made to apply to networks of
hosts by specifying a <replaceable>mask</replaceable>. The
<replaceable>mask</replaceable> specifies the width of a VLSM mask
to be applied to the source address; the number of current
connections is then taken over all hosts in the subnet
<para>May be used to limit the number of simultaneous connections
from each individual host to <replaceable>limit</replaceable>
connections. While the limit is only checked on connections to which
this policy could apply, the number of current connections is
calculated over all current connections from the SOURCE host. By
default, the limit is applied to each host individually but can be
made to apply to networks of hosts by specifying a
<replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
specifies the width of a VLSM mask to be applied to the source
address; the number of current connections is then taken over all
hosts in the subnet
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
</listitem>
</varlistentry>
@ -214,13 +214,13 @@
role="bold">src=</emphasis><replaceable>source-address</replaceable></term>

<listitem>
<para>Added in Shorewall-perl 4.1.5. Specifies the source
address to use when routing to this provider and none is known
(the local client has bound to the 0 address). May not be
specified when an <replaceable>address</replaceable> is given
in the INTERFACE column. If this option is not used, Shorewall
substitutes the primary IP address on the interface named in
the INTERFACE column.</para>
<para>Specifies the source address to use when routing to this
provider and none is known (the local client has bound to the
0 address). May not be specified when an
<replaceable>address</replaceable> is given in the INTERFACE
column. If this option is not used, Shorewall substitutes the
primary IP address on the interface named in the INTERFACE
column.</para>
</listitem>
</varlistentry>
@ -229,9 +229,9 @@
role="bold">mtu=</emphasis><replaceable>number</replaceable></term>

<listitem>
<para>Added in Shorewall-perl 4.1.5. Specifies the MTU when
forwarding through this provider. If not given, the MTU of the
interface named in the INTERFACE column is assumed.</para>
<para>Specifies the MTU when forwarding through this provider.
If not given, the MTU of the interface named in the INTERFACE
column is assumed.</para>
</listitem>
</varlistentry>
@ -240,9 +240,8 @@
role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>

<listitem>
<para>Added in Shorewall-perl 4.2.5. Indicates that a default
route through the provider should be added to the default
routing table (table 253). If a
<para>Indicates that a default route through the provider
should be added to the default routing table (table 253). If a
<replaceable>weight</replaceable> is given, a balanced route
is added with the weight of this provider equal to the
specified <replaceable>weight</replaceable>. If the option is
@ -25,9 +25,7 @@
<title>Description</title>

<para>This file is used to define the hosts that are accessible when the
firewall is stopped or is being stopped. When shorewall-shell is being
used, the file also determines those hosts that are accessible when the
firewall is in the process of being [re]started.</para>
firewall is stopped or is being stopped.</para>

<warning>
<para>Changes to this file do not take effect until after the next
@ -125,7 +123,7 @@
<replaceable>protocol-name-or-number</replaceable></term>

<listitem>
<para>Only available with Shorewall-perl 4.2.7 and later.</para>
<para>Protocol.</para>
</listitem>
</varlistentry>
@ -134,10 +132,9 @@
<replaceable>service-name/port-number-list</replaceable></term>

<listitem>
<para>Only available with Shorewall-perl 4.2.7 and later. A
comma-separated list of port numbers and/or service names from
<filename>/etc/services</filename>. May also include port ranges of
the form
<para>A comma-separated list of port numbers and/or service names
from <filename>/etc/services</filename>. May also include port
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
</listitem>
@ -148,10 +145,9 @@
<replaceable>service-name/port-number-list</replaceable></term>

<listitem>
<para>Only available with Shorewall-perl 4.2.7 and later. A
comma-separated list of port numbers and/or service names from
<filename>/etc/services</filename>. May also include port ranges of
the form
<para>A comma-separated list of port numbers and/or service names
from <filename>/etc/services</filename>. May also include port
ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para>
</listitem>
@ -343,8 +343,6 @@
<term>NFQUEUE</term>

<listitem>
<para>Only supported by Shorewall-perl >= 4.0.3.</para>

<para>Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not specified, queue
@ -471,8 +469,9 @@

<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> -
{<emphasis>zone</emphasis>|<emphasis
role="bold">all</emphasis>[<emphasis
{<emphasis>zone</emphasis>|{<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
@ -509,6 +508,11 @@
mac addresses must begin with "~" and must use "-" as a
separator.</para>

<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones).</para>

<para>Hosts may also be specified as an IP address range using the
syntax
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
@ -586,60 +590,14 @@
</listitem>
</varlistentry>
</variablelist>

<blockquote>
<para>Alternatively, clients may be specified by interface by
appending ":" to the zone name followed by the interface name. For
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
client that communicates with the firewall system through eth1.
This may be optionally followed by another colon (":") and an
IP/MAC/subnet address as described above (e.g., <emphasis
role="bold">loc:eth1:192.168.1.5</emphasis>).</para>

<para>It is important to note that when <emphasis
role="bold">using Shorewall-shell</emphasis> and specifying an
address list that will be split (i.e., a comma separated list),
there is a subtle behavior which has the potential to cause
confusion. Consider the two examples below:</para>
</blockquote>

<para>Examples:</para>

<variablelist>
<varlistentry>
<term>loc:eth1:192.168.1.3,192.168.1.5</term>

<listitem>
<para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
with 192.168.1.3 coming from eth1 and 192.168.1.5 originating
from any interface in the zone.</para>
</listitem>
</varlistentry>

<varlistentry>
<term>loc:eth1:192.168.1.3,eth1:192.168.1.5</term>

<listitem>
<para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
with <emphasis role="bold">both</emphasis> originating from
eth1.</para>
</listitem>
</varlistentry>
</variablelist>

<blockquote>
<para>That is, the interface name must be explicitly stated for
each member of the comma separated list. Again, this distinction
in behavior only occurs when <emphasis role="bold">using
Shorewall-shell</emphasis>.</para>
</blockquote>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">DEST</emphasis> -
{<emphasis>zone</emphasis>|<emphasis
role="bold">all</emphasis>[<emphasis
{<emphasis>zone</emphasis>|{<emphasis
role="bold">all</emphasis>|<emphasis
role="bold">any</emphasis>}[<emphasis
role="bold">+</emphasis>][<emphasis
role="bold">-</emphasis>]}<emphasis
role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
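Review bot: this removal takes out more than the Shorewall-shell caveat. The first paragraph of the deleted blockquote ("Alternatively, clients may be specified by interface by appending ":" to the zone name followed by the interface name ... e.g., loc:eth1:192.168.1.5") is the only prose in this hunk that documents the zone:interface and zone:interface:address forms of the SOURCE column, and it is not compiler-specific. Keep that paragraph (and, if the behaviour still holds, the two loc:eth1:... examples with a single sentence stating how a comma-separated address list after an interface is interpreted now), and delete only the "using Shorewall-shell" sentences.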
@ -663,9 +621,13 @@
affected. When <emphasis role="bold">all+</emphasis> is used,
intra-zone traffic is affected.</para>

<para>Beginning with Shorewall 4.1.4, the
<replaceable>zone</replaceable> should be omitted in DNAT-,
REDIRECT- and NONAT rules.</para>
<para><emphasis role="bold">any</emphasis> is equivalent to
<emphasis role="bold">all</emphasis> when there are no nested zones.
When there are nested zones, <emphasis role="bold">any</emphasis>
only refers to top-level zones (those with no parent zones).</para>

<para>The <replaceable>zone</replaceable> should be omitted in
DNAT-, REDIRECT- and NONAT rules.</para>

<para>If the DEST <replaceable>zone</replaceable> is a bport zone,
then either:<orderedlist numeration="loweralpha">
@ -702,12 +664,7 @@
<para>1. MAC addresses are not allowed (this is a Netfilter
restriction).</para>

<para>2.Prior to Shorewall 4.1.4, only IP addresses are allowed in
<emphasis role="bold">DNAT</emphasis> rules; no DNS names are
permitted. In no case may a network be specified as the
server.</para>

<para>3. You may not specify both an interface and an
<para>2. You may not specify both an interface and an
address.</para>

<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
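Review bot: the deleted item 2 ends with "In no case may a network be specified as the server.", which is not tied to the 4.1.4 cut-off and still belongs in this list of DEST restrictions. Drop only the "Prior to Shorewall 4.1.4 ... no DNS names are permitted" part and keep the network restriction, e.g. "<para>2. A network may not be specified as the server.</para>", renumbering the interface/address item to 3.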
@ -747,20 +704,15 @@
</varlistentry>
</variablelist>

<para>If you are using Shorewall-shell or Shorewall-perl before
version 4.0.5, then the port number MUST be specified as an
integer and not as a name from services(5). Shorewall-perl 4.0.5
and later permit the <emphasis>port</emphasis> to be specified as
a service name. Additionally, Shorewall-perl 4.0.5 and later
permit specifying a port range in the form
<para>The <emphasis>port</emphasis> may be specified as a service
name. You may specify a port range in the form
<emphasis>lowport-highport</emphasis> to cause connections to be
assigned to ports in the range in round-robin fashion. When a port
range is specified, <emphasis>lowport</emphasis> and
<emphasis>highport</emphasis> must be given as integers; service
names are not permitted. Beginning with Shorewall 4.0.6, the port
range may be optionally followed by <emphasis
role="bold">:random</emphasis> which causes assignment to ports in
the list to be random.</para>
names are not permitted. Additionally, the port range may be
optionally followed by <emphasis role="bold">:random</emphasis>
which causes assignment to ports in the list to be random.</para>

<para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
role="bold">REDIRECT</emphasis> or <emphasis
@ -825,11 +777,6 @@

<para>2. No port ranges are included or your kernel and iptables
contain extended multiport match support.</para>

<para>Otherwise, unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink>, a separate rule
will be generated for each port. Shorewall-perl does not
automatically break up lists into individual rules.</para>
</listitem>
</varlistentry>
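Review bot: with the "Otherwise ..." paragraph gone, the two numbered conditions above it ("1. ..." and "2. No port ranges are included or your kernel and iptables contain extended multiport match support.") no longer say what happens when they are not met. The last sentence of the deleted paragraph is still true for the remaining compiler, so keep it in version-neutral form: "<para>Shorewall does not automatically break up lists into individual rules.</para>", ideally with a note that the compiler reports an error in that case if that is the actual behaviour.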
@ -864,11 +811,6 @@

<para>2. No port ranges are included or your kernel and iptables
contain extended multiport match support.</para>

<para>Otherwise, unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink>, a separate
rule will be generated for each port. Shorewall-perl does not
automatically break up lists into individual rules.</para>
</blockquote>
</listitem>
</varlistentry>
@ -1058,8 +1000,7 @@

<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>
@ -1178,18 +1119,7 @@
</refsect1>

<refsect1>
<title>Restrictions</title>

<para>Unless you are using <ulink
url="../Shorewall-perl.html">Shorewall-perl</ulink> and your
iptables/kernel have <firstterm>Repeat Match</firstterm> support (see the
output of <command>shorewall show capabilities</command>), if you specify
a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice
versa.</para>
</refsect1>

<refsect1>
<title>Example</title>
<title>Examples</title>

<variablelist>
<varlistentry>

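Review bot: removing the whole Restrictions section drops a limitation that still applies. The removed text made the rule conditional on two things, the compiler and Repeat Match support ("Unless you are using Shorewall-perl and your iptables/kernel have Repeat Match support ... you may not specify SOURCE PORT(S) and vice versa"), so on a kernel without that capability the restriction remains in force even with the Perl compiler. Suggest keeping the section and only dropping the compiler clause, e.g. "Unless your iptables/kernel have Repeat Match support (see the output of shorewall show capabilities), if you specify a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice versa."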
@ -236,8 +236,8 @@
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>

<listitem>
<para>Added in Shorewall-perl 4.1. A comma-separated list of options
including the following:</para>
<para>A comma-separated list of options including the
following:</para>

<variablelist>
<varlistentry>
@ -266,7 +266,7 @@
<para>This lets you define a classifier for the given
<emphasis>value</emphasis>/<emphasis>mask</emphasis>
combination of the IP packet's TOS/Precedence/DiffSrv octet
(aka the TOS byte). </para>
(aka the TOS byte).</para>
</listitem>
</varlistentry>


@ -113,10 +113,9 @@

<para>Shorewall assigns a sequential <firstterm>interface
number</firstterm> to each interface (the first entry in the file is
interface 1, the second is interface 2 and so on) Beginning with
Shorewall-perl 4.1.6, you can explicitly specify the interface
number by prefixing the interface name with the number and a colon
(":"). Example: 1:eth0.</para>
interface 1, the second is interface 2 and so on) You can explicitly
specify the interface number by prefixing the interface name with
the number and a colon (":"). Example: 1:eth0.</para>
</listitem>
</varlistentry>

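Review bot: the rewritten sentence still runs "and so on) You can explicitly" with no full stop before "You"; since the line is being rewritten anyway, make it "and so on). You can explicitly specify the interface number ...".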
@ -176,13 +175,12 @@
[<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>

<listitem>
<para>Added in Shorewall-perl 4.1.6. May only be specified if the
interface in the INTERFACE column is an Intermediate Frame Block
(IFB) device. Causes packets that enter each listed interface to be
passed through the egress filters defined for this device, thus
providing a form of incoming traffic shaping. When this column is
non-empty, the <emphasis role="bold">classify</emphasis> option is
assumed.</para>
<para>May only be specified if the interface in the INTERFACE column
is an Intermediate Frame Block (IFB) device. Causes packets that
enter each listed interface to be passed through the egress filters
defined for this device, thus providing a form of incoming traffic
shaping. When this column is non-empty, the <emphasis
role="bold">classify</emphasis> option is assumed.</para>
</listitem>
</varlistentry>
</variablelist>

@ -93,14 +93,11 @@
<para>- If the SOURCE is <emphasis
role="bold">$FW</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
then the rule is inserted into the OUTPUT chain. The behavior
changed in Shorewall-perl 4.1. Previously, when
HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero mark values
< 256 to be assigned in the OUTPUT chain. This has been
changed so that only high mark values may be assigned there.
Packet marking rules for traffic shaping of packets originating
on the firewall must be coded in the POSTROUTING chain (see
below).</para>
then the rule is inserted into the OUTPUT chain. When
HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
there. Packet marking rules for traffic shaping of packets
originating on the firewall must be coded in the POSTROUTING
chain (see below).</para>

<para>- Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in <ulink
@ -162,12 +159,12 @@
followed the value with <option>:F</option>) or the OUTPUT chain
(SOURCE is <emphasis role="bold">$FW</emphasis>). With
HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
permitted. Shorewall 4.1 and later versions prohibit non-zero
mark values less that 256 in the OUTPUT chain when
HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values
in the OUTPUT chain, it is strongly recommended that with
HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply
traffic shaping marks/classification.</para>
permitted. Shorewall prohibits non-zero mark values less that
256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
versions allow such values in the OUTPUT chain, it is strongly
recommended that with HIGH_ROUTE_MARKS=Yes, you use the
POSTROUTING chain to apply traffic shaping
marks/classification.</para>
</listitem>

<listitem>
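Review bot: the new wording "Shorewall prohibits non-zero mark values less that 256 ... While earlier versions allow such values in the OUTPUT chain" now has "earlier versions" referring to nothing, because the version number it was contrasted with was taken out; either drop the "While earlier versions ..." clause or keep the version so the comparison reads sensibly. Both the old and the new lines also carry the typo "less that 256" (twice) for "less than 256".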
@ -239,16 +236,15 @@
</listitem>

<listitem>
<para><emphasis role="bold">SAME</emphasis> (Added in Shorewall
4.3.5) -- Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some of
the connections are routed through one provider and some through
another. The SAME target allows you to work around that problem.
SAME may be used in the PREROUTING and OUTPUT chains. When used
in PREROUTING, it causes matching connections from an individual
local system to all use the same provider. For example:
<programlisting>#MARK/ SOURCE DEST PROTO DEST
<para><emphasis role="bold">SAME</emphasis> Some websites run
applications that require multiple connections from a client
browser. Where multiple 'balanced' providers are configured,
this can lead to problems when some of the connections are
routed through one provider and some through another. The SAME
target allows you to work around that problem. SAME may be used
in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
causes matching connections from an individual local system to
all use the same provider. For example: <programlisting>#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
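Review bot: deleting "(Added in Shorewall 4.3.5) --" leaves '<emphasis role="bold">SAME</emphasis> Some websites run' with no separator between the target name and its description; keep the " -- " so the entry reads "SAME -- Some websites run ..." like the other entries in this list.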
@ -682,8 +678,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>

<listitem>
<para>Connection Bytes; defines a byte or packet range that the
connection must fall within in order for the rule to match. Added in
Shorewall-perl 4.2.0.</para>
connection must fall within in order for the rule to match.</para>

<para>A packet matches if the the packet/byte count is within the
range defined by <emphasis>min</emphasis> and
@ -697,8 +692,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<para><emphasis role="bold">O</emphasis> - The original
direction of the connection.</para>

<para><emphasis role="bold">R</emphasis> - The opposite
direction from the original connection.</para>
<para>- The opposite direction from the original
connection.</para>

<para><emphasis role="bold">B</emphasis> - The total of both
directions.</para>
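Review bot: this hunk loses the option letter. The old line '<para><emphasis role="bold">R</emphasis> - The opposite' becomes '<para>- The opposite direction from the original', so the R direction is no longer named, unlike the O and B entries around it. Restore '<emphasis role="bold">R</emphasis>' at the start of the new paragraph; this reflow should not change the content.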
@ -725,13 +720,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</emphasis><emphasis>helper</emphasis></term>

<listitem>
<para>Added in Shorewall-perl 4.2.0. Names a Netfiler protocol
<firstterm>helper</firstterm> module such as <option>ftp</option>,
<option>sip</option>, <option>amanda</option>, etc. A packet will
match if it was accepted by the named helper module. You can also
append "-" and a port number to the helper module name (e.g.,
<emphasis role="bold">ftp-21</emphasis>) to specify the port number
that the original connection was made on.</para>
<para>Names a Netfiler protocol <firstterm>helper</firstterm> module
such as <option>ftp</option>, <option>sip</option>,
<option>amanda</option>, etc. A packet will match if it was accepted
by the named helper module. You can also append "-" and a port
number to the helper module name (e.g., <emphasis
role="bold">ftp-21</emphasis>) to specify the port number that the
original connection was made on.</para>

<para>Example: Mark all FTP data connections with mark
4:<programlisting>#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER

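Review bot: the new paragraph carries over "Names a Netfiler protocol helper module" from the old text; the typo should become "Netfilter" while the line is being rewritten anyway.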
@ -141,8 +141,7 @@

<listitem>
<para>Designates a connection mark. If omitted, the packet
mark's value is tested. This option is only supported by
Shorewall-perl.</para>
mark's value is tested.</para>
</listitem>
</varlistentry>
</variablelist>

@ -158,8 +158,8 @@ c:a,b ipv4</programlisting>
<term>bport (or bport4)</term>

<listitem>
<para>(Shorewall-perl only) The zone is associated with one or
more ports on a single bridge.</para>
<para>The zone is associated with one or more ports on a
single bridge.</para>
</listitem>
</varlistentry>
</variablelist>

@ -117,7 +117,7 @@
<varlistentry>
<term><emphasis
role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis>macro</emphasis>|<emphasis
role="bold">none</emphasis>} (Shorewall-perl 4.0.3 and later)</term>
role="bold">none</emphasis>}</term>

<listitem>
<para>In earlier Shorewall versions, a "default action" for DROP and
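Review bot: the term line drops "(Shorewall-perl 4.0.3 and later)", but the unchanged context line directly below still opens with 'In earlier Shorewall versions, a "default action" for DROP and', which is exactly the kind of prior-version reference this commit sets out to remove; reword that paragraph in the same change so the entry does not half-keep the history.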
@ -140,10 +140,7 @@
<member>a) The name of an
<replaceable>action</replaceable>.</member>

<member>b) The name of a <replaceable>macro</replaceable>
(Shorewall-shell only)</member>

<member>c) <emphasis role="bold">None</emphasis> or <emphasis
<member>b) <emphasis role="bold">None</emphasis> or <emphasis
role="bold">none</emphasis></member>
</simplelist>

@ -334,22 +331,6 @@
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">BRIDGING=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

<listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, enables Shorewall Bridging
support.</para>

<para><note>
<para>BRIDGING=Yes may not work properly with Linux kernel
2.6.20 or later and is not supported by Shorewall-perl.</para>
</note></para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
role="bold">Yes</emphasis>|<emphasis
@ -433,40 +414,15 @@
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">DELAYBLACKLISTLOAD=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

<listitem>
<para>Users with a large static black list (<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)) may
want to set the DELAYBLACKLISTLOAD option to <emphasis
role="bold">Yes</emphasis>. When DELAYBLACKLISTLOAD=Yes, Shorewall
will enable new connections before loading the blacklist rules.
While this may allow connections from blacklisted hosts to slip by
during construction of the blacklist, it can substantially reduce
the time that all new connections are disabled during <emphasis
role="bold">shorewall</emphasis> [<emphasis
role="bold">re</emphasis>]<emphasis
role="bold">start</emphasis>.</para>

<note>
<para>DELAYBLACKLISTLOAD=Yes is not supported by
Shorewall-perl.</para>
</note>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">DELETE_THEN_ADD=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

<listitem>
<para>Added in Shorewall 4.0.4. If set to Yes (the default value),
entries in the /etc/shorewall/route_stopped files cause an 'ip rule
del' command to be generated in addition to an 'ip rule add'
command. Setting this option to No, causes the 'ip rule del' command
to be omitted.</para>
<para>If set to Yes (the default value), entries in the
/etc/shorewall/route_stopped files cause an 'ip rule del' command to
be generated in addition to an 'ip rule add' command. Setting this
option to No, causes the 'ip rule del' command to be omitted.</para>
</listitem>
</varlistentry>

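Review bot: the rewritten DELETE_THEN_ADD paragraph still says entries "in the /etc/shorewall/route_stopped files", while the shorewall.xml hunk later in this commit refers to shorewall-routestopped(5); check that the file name here is the right one and, while the paragraph is being rewritten, drop the stray comma in "Setting this option to No, causes".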
@ -520,9 +476,6 @@
role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes
is not allowed in configurations that will run under Shorewall
Lite.</para>

<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and
later.</para>
</listitem>
</varlistentry>

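Review bot: removing "DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and later" takes out the only statement that the option does not work with the Perl compiler, yet the unchanged context above still reads "enables dynamic zones". If the Perl compiler is now the only one, the entry should say outright that DYNAMIC_ZONES=Yes is not supported, or the option should be removed the way BRIDGING and USE_ACTIONS are in this commit, rather than leaving text that implies it is functional.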
@ -538,8 +491,8 @@
# LEVEL
net all DROP info</programlisting>then the chain name is 'net2all'
which is also the chain named in Shorewall log messages generated as
a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall-perl
will create a separate chain for each pair of zones covered by the
a result of the policy. If EXPAND_POLICIES=Yes, then Shorewall will
create a separate chain for each pair of zones covered by the
policy. This makes the resulting log messages easier to interpret
since the chain in the messages will have a name of the form 'a2b'
where 'a' is the SOURCE zone and 'b' is the DEST zone.</para>
@ -776,10 +729,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

<listitem>
<para>Added in Shorewall 4.0.3. When set to <option>Yes</option>,
this option prevents scripts generated by Shorewall-perl from
altering the /etc/iproute2/rt_tables database when there are entries
in <filename>/etc/shorewall/providers</filename>. If you set this
<para>When set to <option>Yes</option>, this option prevents
generated scripts from altering the /etc/iproute2/rt_tables database
when there are entries in
<filename>/etc/shorewall/providers</filename>. If you set this
option to <option>Yes</option> while Shorewall (Shorewall-lite) is
running, you should remove the file
<filename>/var/lib/shorewall/rt_tables</filename>
@ -1059,28 +1012,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

<listitem>
<para>Previously, Shorewall included a large number of standard
actions (AllowPing, AllowFTP, ...). These have been replaced with
parameterized macros. For compatibility, Shorewall can map the old
names into invocations of the new macros if you set
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.</para>

<para></para>

<note>
<para>MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
value then MAPOLDACTIONS=No is assumed.</para>
</note>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis
role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
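Review bot: the whole MAPOLDACTIONS entry is removed, but the removed note says the Perl compiler does read the option ("With Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty value then MAPOLDACTIONS=No is assumed"). If shorewall.conf still accepts MAPOLDACTIONS, keep the entry and document the Perl semantics (default No) instead of dropping it; only remove it if the option is no longer parsed at all.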
@ -1151,9 +1082,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'

<para>In such cases, you will configure a <option>destonly</option>
network on each zone receiving multicasts.</para>

<para>The MULTICAST option is only recognized by Shorewall-perl and
is ignored by Shorewall-shell.</para>
</listitem>
</varlistentry>

@ -1320,9 +1248,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

<listitem>
<para>Added in Shorewall 4.2.6, this option determines whether to
restore the default route saved when here are 'balance' providers
defined but all of them are down.</para>
<para>This option determines whether to restore the default route
saved when here are 'balance' providers defined but all of them are
down.</para>

<para>The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the
pre-4.2.6 behavior.</para>
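Review bot: the version was removed from the first paragraph, but the unchanged context line "pre-4.2.6 behavior." two lines below still depends on it, leaving "pre-4.2.6" with no version mentioned anywhere nearby; reword that line as well (e.g. "which preserves the earlier behavior", or just "The default is RESTORE_DEFAULT_ROUTE=Yes."). The rewritten sentence also keeps the typo "when here are" for "when there are".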
@ -1384,9 +1312,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
state. The default value is <emphasis
role="bold">no</emphasis>.</para>

<para>The value <emphasis role="bold">Keep</emphasis> is only
allowed under Shorewall-perl. It causes Shorewall to ignore the
option. If the option is set to <emphasis
<para>The value <emphasis role="bold">Keep</emphasis> causes
Shorewall to ignore the option. If the option is set to <emphasis
role="bold">Yes</emphasis>, then route filtering occurs on all
interfaces. If the option is set to <emphasis
role="bold">No</emphasis>, then route filtering is disabled on all
@ -1408,35 +1335,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">SHOREWALL_COMPILER=</emphasis>{<emphasis
role="bold">perl</emphasis>|<emphasis
role="bold">shell</emphasis>}</term>

<listitem>
<para>Specifies the compiler to use to generate firewall scripts
when both compilers are installed. The value of this option can be
either <option>perl</option> or <option>shell</option>. If both
compilers are installed and SHOREWALL_SHELL is not set, then
SHOREWALL_SHELL=shell is assumed.</para>

<para>If you add 'SHOREWALL_COMPILER=perl' to
<filename>/etc/shorewall/shorewall.conf</filename> then by default,
the Shorewall-perl compiler will be used on the system. If you add
it to <filename>shorewall.conf</filename> in a separate directory
(such as a Shorewall-lite export directory) then the Shorewall-perl
compiler will only be used when you compile from that
directory.</para>

<para>If you only install one compiler, it is suggested that you do
not set SHOREWALL_COMPILER.</para>

<para>This setting may be overriden in those commands that invoke
the compiler by using the -C command option (see <ulink
url="shorewall.html">shorewall</ulink>(8)).</para>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis
role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
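Review bot: removing SHOREWALL_COMPILER also removes the only cross-reference to the -C command option of shorewall(8) ("This setting may be overriden in those commands that invoke the compiler by using the -C command option"); confirm that -C is taken out of shorewall.xml in the same change, since none of the shorewall.xml hunks in this commit touch it and a dangling option with no setting to override would be confusing.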
@ -1584,22 +1482,6 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">USE_ACTIONS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

<listitem>
<para>While Shorewall Actions can be very useful, they also require
a sizable amount of code to implement. By setting USE_ACTIONS=No,
embedded Shorewall installations can omit the large library
/usr/share/shorewall-shell/lib.actions.</para>

<note>
<para>USE_ACTIONS=No is not supported by Shorewall-perl.</para>
</note>
</listitem>
</varlistentry>

<varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -1644,10 +1526,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>All provider gateways must be specified explicitly in the
GATEWAY column. <emphasis role="bold">detect</emphasis> may not
be specified.<note>
<para>Beginning with Shorewall 4.2.6, <emphasis
role="bold">detect</emphasis> may be specified for
interfaces whose configuration is managed by dhcpcd.
Shorewall will use dhcpcd's database to find the
<para><emphasis role="bold">detect</emphasis> may be
specified for interfaces whose configuration is managed by
dhcpcd. Shorewall will use dhcpcd's database to find the
interfaces's gateway.</para>
</note></para>
</listitem>

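Review bot: the unchanged line "interfaces's gateway." should read "interface's gateway"; worth fixing while the surrounding note is being reworded.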
@ -701,9 +701,8 @@
are untouched. Clear is often used to see if the firewall is causing
connection problems.</para>

<para>The <option>-f</option> option was added in Shorewall 4.0.3.
If <option>-f</option> is given, the command will be processed by
the compiled script that executed the last successful <emphasis
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
@ -736,9 +735,8 @@
capabilities</emphasis> on a system with Shorewall Lite
installed</para>

<para>The <option>-d</option> option only works when the compiler is
Shorewall-perl. It causes the compiler to be run under control of
the Perl debugger.</para>
<para>The <option>-d</option> option causes the compiler to be run
under control of the Perl debugger.</para>

<para>The <option>-p</option> option causes the compiler to be
profiled via the Perl <option>-wd:DProf</option> command-line
@ -995,13 +993,13 @@

<para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>

<para>Beginning with Shorewall 4.1, the <emphasis
role="bold">refresh</emphasis> command has slightly different
behavior. When no chain name is given to the <emphasis
role="bold">refresh</emphasis> command, the mangle table is
refreshed along with the blacklist chain (if any). This allows you
to modify <filename>/etc/shorewall/tcrules </filename>and install
the changes using <emphasis role="bold">refresh</emphasis>.</para>
<para>The <emphasis role="bold">refresh</emphasis> command has
slightly different behavior. When no chain name is given to the
<emphasis role="bold">refresh</emphasis> command, the mangle table
is refreshed along with the blacklist chain (if any). This allows
you to modify <filename>/etc/shorewall/tcrules </filename>and
install the changes using <emphasis
role="bold">refresh</emphasis>.</para>
</listitem>
</varlistentry>

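Review bot: with "Beginning with Shorewall 4.1" removed, the new sentence "The refresh command has slightly different behavior" no longer says different from what; state the behaviour plainly instead, e.g. "When no chain name is given to the refresh command, the mangle table is refreshed along with the blacklist chain (if any)." The unchanged example just above also mixes names: the command refreshes 'net2fw' while its comment says 'net2loc'.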
@ -1346,9 +1344,8 @@
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para>

<para>The <option>-f</option> option was added in Shorewall 4.0.3.
If <option>-f</option> is given, the command will be processed by
the compiled script that executed the last successful <emphasis
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
