Mirror of https://gitlab.com/shorewall/code.git, synced 2024-12-22 06:10:42 +01:00
First batch of mindless ID changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6693 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 177cb0487f
commit f96772989c
@ -40,7 +40,7 @@
documentation for that release.</para>
</caution>

<section>
<section id="Intro">
<title>What are Shorewall Actions?</title>

<para>Shorewall actions allow a symbolic name to be associated with a
@ -112,7 +112,7 @@ ACCEPT - - tcp 135,139,445
</orderedlist>
</section>

<section>
<section id="Enabling">
<title>Enabling the Use of Actions</title>

<para>In Shorewall version 3.4 and later, to make use of any of the three
@ -188,7 +188,7 @@ Reject:REJECT #Default Action for REJECT policy</programlisting>
</warning>
</section>

<section>
<section id="Defining">
<title>Defining your own Actions</title>

<para>Before defining a new action, you should evaluate whether your goal
@ -445,7 +445,7 @@ Reject:REJECT #Default Action for REJECT policy</programlisting>
LogAndAccept loc $FW tcp 22</programlisting>
</section>

<section>
<section id="Logging">
<title>Actions and Logging</title>

<para>Specifying a log level in a rule that specifies a user-defined or
@ -589,7 +589,7 @@ acton:info:test $FW net</programlisting>
one like this.</para>
</note></para>

<example>
<example id="Example">
<title>An action to drop all broadcast packets</title>

<para>/etc/shorewall/actions<programlisting>DropBcasts</programlisting></para>
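Review bot: `id="Example"` on the `<example>` in this hunk is the one non-descriptive id in the batch; every other id added here names its content (`Intro`, `Enabling`, `Defining`, `Logging`). Since the example's title is `An action to drop all broadcast packets` and its listing is `DropBcasts`, suggest `<example id="DropBcasts">` so a `linkend` reads sensibly and the id will not clash if a second example is ever added to the article.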

@ -34,7 +34,7 @@
</legalnotice>
</articleinfo>

<section>
<section id="Products">
<title>Products</title>

<para>Shorewall 4.0 consists of four packages.</para>
@ -73,7 +73,7 @@
</orderedlist>
</section>

<section>
<section id="Shorewall">
<title>Shorewall</title>

<para>The Shorewall product includes a large number of files which are
@ -84,7 +84,7 @@
class="directory">/var/lilb/shorewall/</filename>. These are described in
the sub-sections that follow.</para>

<section>
<section id="sbin">
<title>/sbin</title>

<para>The <filename>/sbin/shorewall</filename> shell program is use to
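Review bot: two pre-existing typos sit in this hunk's context lines and could be fixed in the same pass: `/var/lilb/shorewall/` should be `/var/lib/shorewall/` (the section added further down is titled `/var/lib/shorewall`), and `shell program is use to` should be `is used to`.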
@ -92,7 +92,7 @@
url="manpages/shorewall.html">shorewall</ulink>(8).</para>
</section>

<section>
<section id="share-shorewall">
<title>/usr/share/shorewall</title>

<para>The bulk of Shorewall is installed here.</para>
@ -175,14 +175,14 @@
</itemizedlist>
</section>

<section>
<section id="shorewall">
<title>/etc/shorewall</title>

<para>This is where the modifiable configuration files are
installed.</para>
</section>

<section>
<section id="init">
<title>/etc/init.d or /etc/rc.d (depends on distribution)</title>

<para>An init script is installed here. Depending on the distribution,
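Review bot: `id="shorewall"` for the `/etc/shorewall` section differs only in case from the `id="Shorewall"` added to the product section two hunks up. XML ids are case-sensitive, so both validate, but a `linkend` typed with the wrong case resolves to the other section instead of failing validation. Since `/usr/share/shorewall` got `share-shorewall`, `etc-shorewall` here keeps the ids distinct and the naming consistent.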
@ -190,7 +190,7 @@
<filename>rc.firewall</filename>.</para>
</section>

<section>
<section id="var">
<title>/var/lib/shorewall</title>

<para>Shorewall doesn't install any files in this directory but rather
@ -288,7 +288,7 @@
</section>
</section>

<section>
<section id="Shorewall-shell">
<title>Shorewall-shell</title>

<para>The Shorewall-shell product installs all of its files in
@ -318,7 +318,7 @@
</itemizedlist>
</section>

<section>
<section id="Shorewall-perl">
<title>Shorewall-perl</title>

<para>The Shorewall-perl product installs all of its files in
@ -352,7 +352,7 @@
</itemizedlist>
</section>

<section>
<section id="Shorewall-lite">
<title>Shorewall-lite</title>

<para>The Shorewall-lite product includes files installed in /<filename
@ -363,7 +363,7 @@
class="directory">/var/lilb/shorewall/</filename>. These are described in
the sub-sections that follow.</para>

<section>
<section id="sbin-lite">
<title>/sbin</title>

<para>The <filename>/sbin/shorewall-lite</filename> shell program is use
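Review bot: the Shorewall-lite copy of the introduction repeats both typos from the Shorewall section: `/var/lilb/shorewall/` in the hunk above and `shell program is use` in this one. Fix both copies together so the two sections do not drift apart.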
@ -371,7 +371,7 @@
url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8).</para>
</section>

<section>
<section id="init-lite">
<title>/etc/init.d or /etc/rc.d (depends on distribution)</title>

<para>An init script is installed here. Depending on the distribution,
@ -379,14 +379,14 @@
<filename>rc.firewall</filename>.</para>
</section>

<section>
<section id="shorewall-lite">
<title>/etc/shorewall-lite</title>

<para>This is where the modifiable configuration files are
installed.</para>
</section>

<section>
<section id="share-lite">
<title>/usr/share/shorewall-lite</title>

<para>The bulk of Shorewall-lite is installed here.</para>
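Review bot: `id="shorewall-lite"` on the `/etc/shorewall-lite` section has the same case-only clash with `id="Shorewall-lite"` (the product section above) as the Shorewall pair, and the naming is asymmetric: the share directory is `share-lite` but the etc directory is just `shorewall-lite`. `etc-lite` would mirror `share-lite`, `sbin-lite`, `init-lite` and `var-lite` and avoid the clash.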
@ -435,7 +435,7 @@
</itemizedlist>
</section>

<section>
<section id="var-lite">
<title>/var/lib/shorewall-lite</title>

<para>Shorewall-lite doesn't install any files in this directory but

@ -34,7 +34,7 @@
</legalnotice>
</articleinfo>

<section>
<section id="Overview">
<title>Overview</title>

<para>Beginning with Shorewall version 3.1, Shorewall has the capability
@ -43,7 +43,7 @@
system with <emphasis>Shorewall Lite</emphasis> installed and can serve as
the firewall creation script for that system.</para>

<section>
<section id="Restrictions">
<title>Restrictions</title>

<para>While compiled Shorewall programs are useful in many cases, there
@ -552,7 +552,7 @@ clean:
<programlisting><command>ln -sf shorewall-lite /sbin/shorewall</command></programlisting>
</blockquote>

<section>
<section id="Converting">
<title>Converting a system from Shorewall to Shorewall Lite</title>

<para>Converting a firewall system that is currently running Shorewall
@ -822,7 +822,7 @@ MANGLE_FORWARD # Mangle table has FORWARD chain</programlisting
does not attempt to load additional kernel modules.</para>
</section>

<section>
<section id="Running">
<title>Running compiled programs directly</title>

<para>Compiled firewall programs are complete programs that support the

@ -34,7 +34,7 @@
</legalnotice>
</articleinfo>

<section>
<section id="Intro">
<title>Introduction</title>

<para>Shorewall supports two different forms of blacklisting; static and
@ -73,7 +73,7 @@
</important>
</section>

<section>
<section id="Static">
<title>Static Blacklisting</title>

<para>Shorewall static blacklisting support has the following
@ -153,7 +153,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
</section>

<section>
<section id="Dynamic">
<title>Dynamic Blacklisting</title>

<para>Dynamic blacklisting doesn't use any configuration parameters but is
@ -216,7 +216,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<quote>blacklist</quote> option in
<filename>/etc/shorewall/interfaces</filename>.</para>

<example>
<example id="Ignore">
<title>Ignore packets from a pair of systems</title>

<programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
@ -224,7 +224,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
</example>

<example>
<example id="Allow">
<title>Re-enable packets from a system</title>

<programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>

@ -41,7 +41,7 @@
documentation for that release.</emphasis></para>
</caution>

<section>
<section id="Background">
<title>Background</title>

<para>Systems where Shorewall runs normally function as
@ -78,7 +78,7 @@
</orderedlist>
</section>

<section>
<section id="Requirements">
<title>Requirements</title>

<para>Note that if you need a bridge but do not need to restrict the
@ -123,7 +123,7 @@
</itemizedlist>
</section>

<section>
<section id="Application">
<title>Application</title>

<para>The following diagram shows a typical application of a
@ -183,7 +183,7 @@
fileref="images/bridge3.png" /></para>
</section>

<section>
<section id="Bridge">
<title>Configuring the Bridge</title>

<para>Configuring the bridge itself is quite simple and uses the
@ -502,7 +502,7 @@ rc-update add bridge boot
can post it here.</para>
</section>

<section>
<section id="Shorewall">
<title>Configuring Shorewall</title>

<para>As described above, Shorewall bridge support requires the
@ -715,7 +715,7 @@ ACCEPT $FW $DMZ tcp 53 </
</orderedlist>
</section>

<section>
<section id="Limitations">
<title>Limitations</title>

<para>Bridging doesn't work with some wireless cards — see <ulink

@ -241,7 +241,7 @@
place comments at the end of any line, again by delimiting the comment
from the rest of the line with a pound sign.</para>

<example>
<example id="comment">
<title>Comments in a Configuration File</title>

<programlisting># This is a comment
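Review bot: `id="comment"` starts a lowercase convention for example ids in this file (`continuation`, `include`, `validdns`, `invaliddns` and `mac` follow below), whereas the examples in the other files of this patch use capitalized ids (`Example`, `Ignore`, `Allow`) and the sections in this same file do too (`Portlists`, `Save`). Settle on one convention within this batch: the ids become HTML anchors in the generated pages, so renaming them later breaks external links.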
@ -335,7 +335,7 @@ gateway:~ #
backslash (<quote>\</quote>) followed immediately by a new line character
(Enter key).</para>

<example>
<example id="continuation">
<title>Line Continuation</title>

<programlisting>ACCEPT net $FW tcp \↵
@ -372,7 +372,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
<filename>params</filename> file.</para>
</caution>

<example>
<example id="include">
<title>Use of INCLUDE</title>

<programlisting> shorewall/params.mgmt:
@ -478,7 +478,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
Shorewall to insure backward compatibility with existing configuration
files.</para>

<example>
<example id="validdns">
<title>Valid DNS Names</title>

<itemizedlist>
@ -492,7 +492,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
</itemizedlist>
</example>

<example>
<example id="invaliddns">
<title>Invalid DNS Names</title>

<itemizedlist>
@ -650,7 +650,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
omit the high port number, a value of 65535 is assumed.</para>
</section>

<section>
<section id="Portlists">
<title>Port Lists</title>

<para>In most cases where a port or port range may appear, a
@ -795,7 +795,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
<para>In GNU/Linux, MAC addresses are usually written as a series of 6 hex
numbers separated by colons.</para>

<example>
<example id="mac">
<title>MAC Address of an Ethernet Controller</title>

<programlisting> [root@gateway root]# <command>ifconfig eth0</command>
@ -859,7 +859,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
</orderedlist>
</section>

<section>
<section id="Save">
<title>Saved Configurations</title>

<para>Shorewall allows you to <firstterm>save</firstterm> the

@ -50,7 +50,7 @@
Shorewall-generated Netfilter logging rules.</para>
</note>

<section>
<section id="Firewall">
<title>If you want to Run a DHCP Server on your firewall</title>

<itemizedlist>
@ -77,7 +77,7 @@
</itemizedlist>
</section>

<section>
<section id="Client">
<title>If a Firewall Interface gets its IP Address via DHCP</title>

<itemizedlist>
@ -122,7 +122,7 @@
</itemizedlist>
</section>

<section>
<section id="Bridge">
<title>If you wish to pass DHCP requests and responses through a
bridge</title>

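Review bot: `id="Bridge"` is also the id given to the `Configuring the Bridge` section in the bridging article earlier in this patch, and `Intro` and `Shorewall` are likewise reused across articles. Ids only have to be unique within one document, so this validates today, but it becomes a duplicate-id error as soon as any of these articles are assembled into a single book or combined HTML output; a short per-article prefix on the recurring names would avoid that.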
@ -137,7 +137,7 @@
</itemizedlist>
</section>

<section>
<section id="Relay">
<title>Running dhcrelay on the firewall</title>

<itemizedlist>