mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-25 00:53:49 +01:00
Add Raw table to Netfilter Overview
This commit is contained in:
parent
a61c9a9e06
commit
f6913953fe
@ -57,26 +57,31 @@
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">Shorewall does not configure IPSEC for
|
||||
you</emphasis> -- it rather configures netfilter to accomodate your IPSEC
|
||||
configuration.</para>
|
||||
</important>
|
||||
|
||||
<important>
|
||||
<para>The information in this article is only applicable if you plan to
|
||||
have IPSEC end-points on the same system where Shorewall is used.</para>
|
||||
</important>
|
||||
|
||||
<important>
|
||||
<para>While this article shows configuration of IPSEC using ipsec-tools,
|
||||
Shorewall configuration is exactly the same when using OpenSwan or
|
||||
<para>While this <emphasis role="bold">article shows configuration of
|
||||
IPSEC using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
|
||||
configuration is exactly the same when using OpenSwan</emphasis> or
|
||||
FreeSwan.</para>
|
||||
</important>
|
||||
|
||||
<warning>
|
||||
<para>When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and
|
||||
policy match support are broken when used with a bridge device. The
|
||||
problem has been reported to the responsible Netfilter developer who has
|
||||
confirmed the problem. The problem was corrected in Kernel 2.6.20 as a
|
||||
result of the removal of deferred FORWARD/OUTPUT processing of traffic
|
||||
destined for a bridge. See the <ulink
|
||||
url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and Bridged
|
||||
Firewalls</emphasis>"</ulink> article.</para>
|
||||
problem was corrected in Kernel 2.6.20 as a result of the removal of
|
||||
deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See
|
||||
the <ulink url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and
|
||||
Bridged Firewalls</emphasis>"</ulink> article.</para>
|
||||
</warning>
|
||||
|
||||
<section id="Overview">
|
||||
@ -132,12 +137,12 @@
|
||||
|
||||
<para>Under the 2.4 Linux Kernel, the association of unencrypted traffic
|
||||
and zones was made easy by the presence of IPSEC pseudo-interfaces with
|
||||
names of the form <filename class="devicefile">ipsecn</filename> (e.g.
|
||||
names of the form <filename class="devicefile">ipsecN</filename> (e.g.
|
||||
<filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
|
||||
traffic (case 1.) was send through an <filename
|
||||
class="devicefile">ipsecn</filename> device while incoming unencrypted
|
||||
class="devicefile">ipsecN</filename> device while incoming unencrypted
|
||||
traffic (case 2) arrived from an <filename
|
||||
class="devicefile">ipsecn</filename> device. The 2.6 kernel-based
|
||||
class="devicefile">ipsecN</filename> device. The 2.6 kernel-based
|
||||
implementation does away with these pseudo-interfaces. Outgoing traffic
|
||||
that is going to be encrypted and incoming traffic that has been decrypted
|
||||
must be matched against policies in the SPD and/or the appropriate
|
||||
|
@ -197,8 +197,7 @@ Chain POSTROUTING (policy ACCEPT 11579 packets, 771K bytes)
|
||||
Chain OUTPUT (policy ACCEPT 11579 packets, 771K bytes)
|
||||
pkts bytes target prot opt in out source destination</programlisting>
|
||||
|
||||
<para>And finally, the <emphasis role="bold">Mangle</emphasis>
|
||||
table:</para>
|
||||
<para>Next, the <emphasis role="bold">Mangle</emphasis> table:</para>
|
||||
|
||||
<programlisting>Mangle Table
|
||||
|
||||
@ -231,6 +230,16 @@ Chain tcpost (1 references)
|
||||
pkts bytes target prot opt in out source destination
|
||||
|
||||
Chain tcpre (1 references)
|
||||
pkts bytes target prot opt in out source destination</programlisting>
|
||||
|
||||
<para>And finally, the <emphasis role="bold">Raw</emphasis> table:</para>
|
||||
|
||||
<programlisting>Raw Table
|
||||
|
||||
Chain PREROUTING (policy ACCEPT 1004K packets, 658M bytes)
|
||||
pkts bytes target prot opt in out source destination
|
||||
|
||||
Chain OUTPUT (policy ACCEPT 926K packets, 186M bytes)
|
||||
pkts bytes target prot opt in out source destination</programlisting>
|
||||
</section>
|
||||
</article>
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 19 KiB |
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue
Block a user