Add Raw table to Netfilter Overview

This commit is contained in:
Tom Eastep 2009-10-16 11:25:57 -07:00
parent a61c9a9e06
commit f6913953fe
4 changed files with 1003 additions and 1011 deletions

View File

@ -57,26 +57,31 @@
release.</emphasis></para>
</caution>
<important>
<para><emphasis role="bold">Shorewall does not configure IPSEC for
you</emphasis> -- it rather configures netfilter to accomodate your IPSEC
configuration.</para>
</important>
<important>
<para>The information in this article is only applicable if you plan to
have IPSEC end-points on the same system where Shorewall is used.</para>
</important>
<important>
<para>While this article shows configuration of IPSEC using ipsec-tools,
Shorewall configuration is exactly the same when using OpenSwan or
<para>While this <emphasis role="bold">article shows configuration of
IPSEC using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
configuration is exactly the same when using OpenSwan</emphasis> or
FreeSwan.</para>
</important>
<warning>
<para>When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and
policy match support are broken when used with a bridge device. The
problem has been reported to the responsible Netfilter developer who has
confirmed the problem. The problem was corrected in Kernel 2.6.20 as a
result of the removal of deferred FORWARD/OUTPUT processing of traffic
destined for a bridge. See the <ulink
url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and Bridged
Firewalls</emphasis>"</ulink> article.</para>
problem was corrected in Kernel 2.6.20 as a result of the removal of
deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See
the <ulink url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and
Bridged Firewalls</emphasis>"</ulink> article.</para>
</warning>
<section id="Overview">
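Review bot: the bolded span in the rewritten `<important>` block starts mid-sentence ("this <emphasis role="bold">article shows configuration of IPSEC using ipsec-tools</emphasis>"), which renders as "this **article shows ...**" and reads oddly; either bold the whole sentence or move the `<emphasis>` to open before "this". While this paragraph is being touched, the context line two blocks up still has the misspelling "accomodate" (should be "accommodate"), and the `<warning>` hunk only reflows line breaks without changing the text, so it adds diff noise for no content change.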
@ -132,12 +137,12 @@
<para>Under the 2.4 Linux Kernel, the association of unencrypted traffic
and zones was made easy by the presence of IPSEC pseudo-interfaces with
names of the form <filename class="devicefile">ipsecn</filename> (e.g.
names of the form <filename class="devicefile">ipsecN</filename> (e.g.
<filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
traffic (case 1.) was send through an <filename
class="devicefile">ipsecn</filename> device while incoming unencrypted
class="devicefile">ipsecN</filename> device while incoming unencrypted
traffic (case 2) arrived from an <filename
class="devicefile">ipsecn</filename> device. The 2.6 kernel-based
class="devicefile">ipsecN</filename> device. The 2.6 kernel-based
implementation does away with these pseudo-interfaces. Outgoing traffic
that is going to be encrypted and incoming traffic that has been decrypted
must be matched against policies in the SPD and/or the appropriate
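Review bot: the ipsecn -> ipsecN rename is a good consistency fix, since the "N" is clearly meant as a placeholder matching the ipsec0 example, but the same sentence keeps the grammatical error "was send through" (should be "was sent through") and the two case references are punctuated inconsistently ("case 1." vs "case 2"); fix both in this hunk rather than leaving them for another pass over the same paragraph.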

View File

@ -197,8 +197,7 @@ Chain POSTROUTING (policy ACCEPT 11579 packets, 771K bytes)
Chain OUTPUT (policy ACCEPT 11579 packets, 771K bytes)
pkts bytes target prot opt in out source destination</programlisting>
<para>And finally, the <emphasis role="bold">Mangle</emphasis>
table:</para>
<para>Next, the <emphasis role="bold">Mangle</emphasis> table:</para>
<programlisting>Mangle Table
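Review bot: changing "And finally" to "Next" is the right fix now that the Raw table is appended after Mangle; check that any earlier sentence in this section that enumerates the tables shown also lists Raw, because this hunk only updates the lead-in immediately before the Mangle listing.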
@ -231,6 +230,16 @@ Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination</programlisting>
<para>And finally, the <emphasis role="bold">Raw</emphasis> table:</para>
<programlisting>Raw Table
Chain PREROUTING (policy ACCEPT 1004K packets, 658M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 926K packets, 186M bytes)
pkts bytes target prot opt in out source destination</programlisting>
</section>
</article>
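Review bot: the new Raw table listing shows only the two built-in chains (PREROUTING and OUTPUT, both policy ACCEPT) with no rules, so the text should say whether an empty Raw table is the expected result for this configuration or whether Shorewall would populate it in other setups; as written the reader cannot tell which. The counters also look like they came from a different snapshot than the other tables: Raw PREROUTING shows 1004K packets / 658M bytes and OUTPUT 926K packets / 186M bytes, while the nat OUTPUT chain earlier in the same file shows 11579 packets / 771K bytes. Capturing all four tables from the same system at the same time, or trimming the counters, would avoid the inconsistency.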

Binary file not shown (image; size before: 12 KiB, after: 19 KiB).

File diff suppressed because one or more lines are too long