mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
New manpages
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
defdd320cf
commit
f9995a9515
@ -3216,30 +3216,38 @@
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
<para>/etc/shorewall/</para>
|
||||
<para>/etc/shorewall/*</para>
|
||||
|
||||
<para>/etc/shorewall6/</para>
|
||||
<para>/etc/shorewall6/*</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
||||
<simplelist>
|
||||
<member><ulink
|
||||
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink>
|
||||
- Describes operational aspects of Shorewall.</member>
|
||||
|
||||
<para>shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
|
||||
shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
|
||||
shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
|
||||
shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
|
||||
shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
|
||||
shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
|
||||
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
|
||||
shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
|
||||
shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
|
||||
shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
|
||||
shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
|
||||
shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
|
||||
shorewall-zones(5)</para>
|
||||
<member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -
|
||||
Describes the various configuration files along with features and
|
||||
conventions common to those files.</member>
|
||||
|
||||
<member><ulink url="shorewall-names.html">shorewall-names(5)</ulink> -
|
||||
Describes naming of objects within a Shorewall configuration.</member>
|
||||
|
||||
<member><ulink
|
||||
url="shorewall-addresses.html">shorewall-addresses(5)</ulink> -
|
||||
Describes how to specify addresses within a Shorewall
|
||||
configuration.</member>
|
||||
|
||||
<member><ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion(5)</ulink> -
|
||||
Describes how to exclude certain hosts and/or networks from matching a
|
||||
rule.</member>
|
||||
|
||||
<member><ulink url="shorewall-nesting.html">shorewall-nesting(5)</ulink>
|
||||
- Describes how to nest one Shorewall zone inside another.</member>
|
||||
</simplelist>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
210
Shorewall/manpages/shorewall-addresses.xml
Normal file
210
Shorewall/manpages/shorewall-addresses.xml
Normal file
@ -0,0 +1,210 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
<refentry>
|
||||
<refmeta>
|
||||
<refentrytitle>shorewall-addresses</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>Addresses</refname>
|
||||
|
||||
<refpurpose>Specifying addresses within a Shorewall
|
||||
configuration</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>In both Shorewall and Shorewall6, there are two basic types of
|
||||
addresses:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>Host Address</term>
|
||||
|
||||
<listitem>
|
||||
<para>This address type refer to a single host.</para>
|
||||
|
||||
<para>In IPv4, the format is <emphasis>i.j.k.l</emphasis> where
|
||||
<emphasis>i</emphasis> through <emphasis>l</emphasis> are decimal
|
||||
numbers between 1 and 255.</para>
|
||||
|
||||
<para>In IPv6, the format is <emphasis>a:b:c:d:e:f:g:h</emphasis>
|
||||
where <emphasis>a</emphasis> through <emphasis>h</emphasis> consist
|
||||
of 1 to 4 hexidecimal digits (leading zeros may be omitted). a
|
||||
single series of 0 addresses may be omitted. For example
|
||||
2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Network Address</term>
|
||||
|
||||
<listitem>
|
||||
<para>A network address refers to 1 or more hosts and consists of a
|
||||
host address followed by a slash ("/") and a <firstterm>Variable
|
||||
Length Subnet Mask</firstterm> (VLSM). This is known as
|
||||
<firstterm>Classless Internet Domain Routing</firstterm> (CIDR)
|
||||
notation.</para>
|
||||
|
||||
<para>The VLSM is a decimal number. For IPv4, it is in the range 0
|
||||
through 32. For IPv6, the range is 0 through 128. The number
|
||||
represents the number of leading bits in the address that represent
|
||||
the network address; the remainder of the bits are a host address
|
||||
and are generally given as zero.</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<para>IPv4: 192.168.1.0/24</para>
|
||||
|
||||
<para>IPv6: 2001:227:e857:1:0:0:0:0:1/64</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>In the Shorewall documentation and manpages, we have tried to make
|
||||
it clear which type of address is accepted in each specific case.</para>
|
||||
|
||||
<para>Because Shorewall uses a colon (":") as a separator in many
|
||||
contexts, IPv6 addresses are best written using the standard convention in
|
||||
which the address itself is enclosed in square brackets:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>[2001:227:e857:1::1]</member>
|
||||
|
||||
<member>[2001:227:e857:1:0:0:0:0:1]/64</member>
|
||||
</simplelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Specifying SOURCE and DEST</title>
|
||||
|
||||
<para>Entries in Shorewall configuration files often deal with the source
|
||||
(SOURCE) and destination (DEST) of connections and Shorewall implements a
|
||||
uniform way for specifying them.</para>
|
||||
|
||||
<para>A SOURCE or DEST consists of one to three parts separated by colons
|
||||
(":"):</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>ZONE — The name of a zone declared in
|
||||
<filename>/etc/shorewall/zones</filename> or
|
||||
<filename>/etc/shorewall6/zones</filename>. This part is only
|
||||
available in the rules file
|
||||
(<filename>/etc/shorewall/rules</filename>,
|
||||
<filename>/etc/shorewall/blrules</filename>,<filename>
|
||||
/etc/shorewall6/rules</filename> and
|
||||
<filename>/etc/shorewall6/blrules</filename>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>INTERFACE — The name of an interface that matches an entry in
|
||||
<filename>/etc/shorewall/interfaces</filename>
|
||||
(<filename>/etc/shorewall6/interfaces</filename>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>ADDRESS LIST — A list of one or more addresses (host or network)
|
||||
or address ranges, separated by commas. In an IPv6 configuration, this
|
||||
list must be included in square or angled brackets ("[...]" or
|
||||
"<...>"). The list may have <link
|
||||
linkend="Exclusion">exclusion</link>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Examples.</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>All hosts in the <emphasis role="bold">net</emphasis> zone —
|
||||
<emphasis role="bold">net</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Subnet 192.168.1.0/29 in the <emphasis
|
||||
role="bold">loc</emphasis> zone — <emphasis
|
||||
role="bold">loc:192.168.1.0/29</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>All hosts in the net zone connecting through <filename
|
||||
class="devicefile">ppp0</filename> — <emphasis
|
||||
role="bold">net:ppp0</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>All hosts interfaced by <filename
|
||||
class="devicefile">eth3</filename> — <emphasis
|
||||
role="bold">eth3</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Subnet 10.0.1.0/24 interfacing through <filename><filename
|
||||
class="devicefile">eth2</filename></filename> — <emphasis
|
||||
role="bold">eth2:10.0.1.0/24</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
|
||||
role="bold">loc</emphasis> zone — <emphasis
|
||||
role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The primary IP address of eth0 in the $FW zone - <emphasis
|
||||
role="bold">$FW:&eth0</emphasis> (see <link
|
||||
linkend="Rvariables">Run-time Address Variables</link> below)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>All hosts in Vatican City - <emphasis
|
||||
role="bold">net:^VA</emphasis> (Shorwall 4.5.4 and later - See <ulink
|
||||
url="ISO-3661.html">this article</ulink>).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>IP Address Ranges</title>
|
||||
|
||||
<para>If you kernel and iptables have iprange match support, you may use
|
||||
IP address ranges in Shorewall configuration file entries; IP address
|
||||
ranges have the syntax <<emphasis>low IP
|
||||
address</emphasis>>-<<emphasis>high IP address</emphasis>>.
|
||||
Example: 192.168.1.5-192.168.1.12.</para>
|
||||
|
||||
<para>To see if your kernel and iptables have the required support, use
|
||||
the <command>shorewall show capabilities</command> command:</para>
|
||||
|
||||
<programlisting>>~ <command>shorewall show capabilities</command>
|
||||
...
|
||||
Shorewall has detected the following iptables/netfilter capabilities:
|
||||
NAT: Available
|
||||
Packet Mangling: Available
|
||||
Multi-port Match: Available
|
||||
Connection Tracking Match: Available
|
||||
Packet Type Match: Not available
|
||||
Policy Match: Available
|
||||
Physdev Match: Available
|
||||
<emphasis role="bold">IP range Match: Available <--------------</emphasis></programlisting>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title/>
|
||||
|
||||
<para/>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para>For more information about addressing, see the<ulink
|
||||
url="shorewall_setup_guide.htm#Addressing"> Setup Guide</ulink>.</para>
|
||||
</refsect1>
|
||||
</refentry>
|
967
Shorewall/manpages/shorewall-files.xml
Normal file
967
Shorewall/manpages/shorewall-files.xml
Normal file
@ -0,0 +1,967 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
<refentry>
|
||||
<refmeta>
|
||||
<refentrytitle>shorewall-files</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>File</refname>
|
||||
|
||||
<refpurpose>Shorewall Configuration Files</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>/etc/shorewall[6]/*</command>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>The following are the Shorewall[6] configuration files:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename>
|
||||
and <filename>/etc/shorewall6/shorewall6.conf</filename></ulink> -
|
||||
used to set global firewall parameters.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-params.html">/etc/shorewall[6]/params</ulink></filename>
|
||||
- use this file to set shell variables that you will expand in other
|
||||
files. It is always processed by /bin/sh or by the shell specified
|
||||
through SHOREWALL_SHELL in
|
||||
<filename>/etc/shorewall/shorewall.conf.</filename></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-zones.html">/etc/shorewall[6]/zones</ulink></filename>
|
||||
- partition the firewall's view of the world into zones.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="shorewall-policy.html"><filename>/etc/shorewall[6]/policy</filename></ulink>
|
||||
- establishes firewall high-level policy.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall[6]/initdone</filename> - An optional
|
||||
Perl script that will be invoked by the Shorewall rules compiler when
|
||||
the compiler has finished it's initialization.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-interfaces.html">/etc/shorewall[6]/interfaces</ulink></filename>
|
||||
- describes the interfaces on the firewall system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-hosts.html">/etc/shorewall[6]/hosts</ulink></filename>
|
||||
- allows defining zones in terms of individual hosts and
|
||||
subnetworks.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-masq.html">/etc/shorewall[6]/masq</ulink></filename> -
|
||||
directs the firewall where to use many-to-one (dynamic) Network
|
||||
Address Translation (a.k.a. Masquerading) and Source Network Address
|
||||
Translation (SNAT). Superseded by /etc/shorewall[6]/snat in Shorewall
|
||||
5.0.14 and not supported in Shorewall 5.1.0 and later versions.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-mangle.html">/etc/shorewall[6]/mangle</ulink></filename>
|
||||
- supersedes <filename>/etc/shorewall/tcrules</filename> in Shorewall
|
||||
4.6.0. Contains rules for packet marking, TTL, TPROXY, etc.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-rules.html">/etc/shorewall[6]/rules</ulink></filename>
|
||||
- defines rules that are exceptions to the overall policies
|
||||
established in /etc/shorewall/policy.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-nat.html">/etc/shorewall[6]/nat</ulink></filename> -
|
||||
defines one-to-one NAT rules.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-proxyarp.html">/etc/shorewall6/proxyarp</ulink></filename>
|
||||
- defines use of Proxy ARP.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-proxyndp.html">/etc/shorewall6/proxyndp</ulink></filename>
|
||||
- defines use of Proxy NDP.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall[6]/routestopped</filename> - defines
|
||||
hosts accessible when Shorewall is stopped. Superseded in Shorewall
|
||||
4.6.8 by <filename>/etc/shorewall/stoppedrules</filename>. Not
|
||||
supported in Shorewall 5.0.0 and later versions.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-tcrules.html">/etc/shorewall[6]/tcrules</ulink>
|
||||
</filename>- The file has a rather unfortunate name because it is used
|
||||
to define marking of packets for later use by both traffic
|
||||
control/shaping and policy routing. This file is superseded by
|
||||
<filename>/etc/shorewall/mangle</filename> in Shorewall 4.6.0. Not
|
||||
supported in Shorewall 5.0.0 and later releases.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-tos.html">/etc/shorewall[6]/tos</ulink></filename> -
|
||||
defines rules for setting the TOS field in packet headers. Superseded
|
||||
in Shorewall 4.5.1 by the TOS target in
|
||||
<filename>/etc/shorewall/tcrules</filename> (which file has since been
|
||||
superseded by <filename>/etc/shorewall/mangle</filename>). Not
|
||||
supported in Shorewall 5.0.0 and later versions.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="shorewall-tunnels.html"><filename>/etc/shorewall[6]/tunnels</filename></ulink>
|
||||
- defines tunnels (VPN) with end-points on the firewall system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="shorewall-blacklist.html"><filename>/etc/shorewall[6]/blacklist</filename></ulink>
|
||||
- Deprecated in favor of <filename>/etc/shorewall/blrules</filename>.
|
||||
Lists blacklisted IP/subnet/MAC addresses. Not supported in Shorewall
|
||||
5.0.0 and later releases.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall[6]/blrules</filename> — Added in
|
||||
Shorewall 4.5.0. Define blacklisting and whitelisting. Supersedes
|
||||
<filename>/etc/shorewall/blacklist</filename>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall[6]/init</filename> - shell commands
|
||||
that you wish to execute at the beginning of a <quote>shorewall
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall[6]/start</filename> - shell commands
|
||||
that you wish to execute near the completion of a <quote>shorewall
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall[6]/started</filename> - shell commands
|
||||
that you wish to execute after the completion of a <quote>shorewall
|
||||
start</quote>, "shorewall reload" or <quote>shorewall
|
||||
restart</quote></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall[6]/stop </filename>- commands that you
|
||||
wish to execute at the beginning of a <quote>shorewall
|
||||
stop</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/etc/shorewall[6]/stopped</filename> - shell commands
|
||||
that you wish to execute at the completion of a <quote>shorewall
|
||||
stop</quote>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="shorewall-ecn.html">/etc/shorewall/ecn</ulink> -
|
||||
disable Explicit Congestion Notification (ECN - RFC 3168) to remote
|
||||
hosts or networks. Superceded by ECN entries in
|
||||
<filename>/etc/shorewall/mangle</filename> in Shorewall 5.0.6.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-accounting.html">/etc/shorewall/accounting</ulink></filename>
|
||||
- define IP traffic accounting rules</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-actions.html">/etc/shorewall[6]/actions</ulink></filename>
|
||||
and <filename>/usr/share/shorewall[6]/action.template</filename> allow
|
||||
user-defined actions.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="???">/etc/shorewall[6]/providers</ulink></filename> - defines
|
||||
alternate routing tables.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-rtrules.html">/etc/shorewall[6]/rtrules</ulink></filename>
|
||||
- Defines routing rules to be used in conjunction with the routing
|
||||
tables defined in
|
||||
<filename>/etc/shorewall/providers</filename>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-tcdevices.html">/etc/shorewall[6]/tcdevices</ulink></filename>,
|
||||
<filename><ulink
|
||||
url="shorewall-tcclasses.html">/etc/shorewall[6]/tcclasses</ulink></filename>,
|
||||
<filename><ulink
|
||||
url="shorewall-tcfilters.html">/etc/shorewall[6]/tcfilters</ulink></filename>
|
||||
- Define complex traffic shaping.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-tcrules.html">/etc/shorewall[6]/tcrules</ulink></filename>
|
||||
- Mark or classify traffic for traffic shaping or multiple providers.
|
||||
Deprecated in Shorewall 4.6.0 in favor of
|
||||
<filename>/etc/shorewall/mangle</filename>. Not supported in Shorewall
|
||||
5.0.0 and later releases.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="shorewall-tcinterfaces.html"><filename>/etc/shorewall[6]/tcinterfaces</filename></ulink>
|
||||
and <filename><ulink
|
||||
url="shorewall-tcpri.html">/etc/shorewall[6]/tcpri</ulink></filename>
|
||||
- Define simple traffic shaping.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-secmarks.html">/etc/shorewall[6]/secmarks</ulink></filename>
|
||||
- Added in Shorewall 4.4.13. Attach an SELinux context to selected
|
||||
packets.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-vardir.html">/etc/shorewall[6]/vardir</ulink></filename>
|
||||
- Determines the directory where Shorewall maintains its state.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-arprules.html">/etc/shorewall/arprules</ulink></filename>
|
||||
— Added in Shorewall 4.5.12. Allows specification of arptables
|
||||
rules.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-mangle.html">/etc/shorewall/mangle</ulink></filename>
|
||||
-- Added in Shorewall 4.6.0. Supersedes<filename>
|
||||
/etc/shorewall/tcrules</filename>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename><ulink
|
||||
url="shorewall-snat.html">/etc/shorewall[6]/snat</ulink></filename> -
|
||||
directs the firewall where to use many-to-one (dynamic) Network
|
||||
Address Translation (a.k.a. Masquerading) and Source Network Address
|
||||
Translation (SNAT). Superseded /etc/shorewall[6]/masq in Shorewall
|
||||
5.0.14</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/usr/share/shorewall[6]/actions.std</filename> -
|
||||
Actions defined by Shorewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/usr/share/shorewall[6]/action.*</filename> - Details
|
||||
of actions defined by Shorewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/usr/share/shorewall[6]/macro.*</filename> - Details
|
||||
of macros defined by Shorewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/usr/share/shorewall[6]/modules</filename> — Specifies
|
||||
the kernel modules to be loaded during shorewall start/restart.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><filename>/usr/share/shorewall[6]/helpers</filename> — Added in
|
||||
Shorewall 4.4.7. Specifies the kernel modules to be loaded during
|
||||
shorewall start/restart when LOAD_HELPERS_ONLY=Yes in
|
||||
<filename>shorewall.conf</filename>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>CONFIG_PATH</title>
|
||||
|
||||
<para>The CONFIG_PATH option in <ulink
|
||||
url="???">shorewall[6].conf(5)</ulink> determines where the compiler
|
||||
searches for configuration files. The default setting is
|
||||
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall which means that the
|
||||
compiler first looks in /etc/shorewall and if it doesn't find the file, it
|
||||
then looks in /usr/share/shorewall.</para>
|
||||
|
||||
<para>You can change this setting to have the compiler look in different
|
||||
places. For example, if you want to put your own versions of standard
|
||||
macros in /etc/shorewall/Macros, then you could set
|
||||
CONFIG_PATH=/etc/shorewall:/etc/shorewall/Macros:/usr/share/shorewall and
|
||||
the compiler will use your versions rather than the standard ones.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Comments</title>
|
||||
|
||||
<para>You may place comments in configuration files by making the first
|
||||
non-whitespace character a pound sign (<quote>#</quote>). You may also
|
||||
place comments at the end of any line, again by delimiting the comment
|
||||
from the rest of the line with a pound sign.</para>
|
||||
|
||||
<example id="comment">
|
||||
<title>Comments in a Configuration File</title>
|
||||
|
||||
<programlisting># This is a comment
|
||||
ACCEPT net $FW tcp www #This is an end-of-line comment</programlisting>
|
||||
</example>
|
||||
|
||||
<important>
|
||||
<para>Except in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
|
||||
url="shorewall-params.html">params(5)</ulink>, if a comment ends with a
|
||||
backslash ("\"), the next line will also be treated as a comment. See
|
||||
<link linkend="Continuation">Line Continuation</link> below.</para>
|
||||
</important>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Blank Lines</title>
|
||||
|
||||
<para>Most of the configuration files are organized into space-separated
|
||||
columns. If you don't want to supply a value in a column but want to
|
||||
supply a value in a following column, simply enter '-' to make the column
|
||||
appear empty.</para>
|
||||
|
||||
<para>Example:<programlisting>#INTERFACE BROADCAST OPTIONS
|
||||
br0 - routeback</programlisting></para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Line Continuation</title>
|
||||
|
||||
<para>Lines may be continued using the usual backslash (<quote>\</quote>)
|
||||
followed immediately by a new line character (Enter key).</para>
|
||||
|
||||
<programlisting>ACCEPT net $FW tcp \↵
|
||||
smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
||||
|
||||
<important>
|
||||
<para>What follows does NOT apply to <ulink
|
||||
url="manpages/shorewall-params.html">shorewall-params(5)</ulink> and
|
||||
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>In certain cases, leading white space is ignored in continuation
|
||||
lines:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>The continued line ends with a colon (":")</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The continued line ends with a comma (",")</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Example (<filename>/etc/shorewall/rules</filename>):</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
ACCEPT net:\
|
||||
206.124.146.177,\
|
||||
206.124.146.178,\
|
||||
206.124.146.180\
|
||||
dmz tcp 873</programlisting>
|
||||
|
||||
<para>The leading white space on the first through third continuation
|
||||
lines is ignored so the SOURCE column effectively contains
|
||||
"net:206.124.146.177,206.124.147.178,206.124.146.180". Because the third
|
||||
continuation line does not end with a comma or colon, the leading white
|
||||
space in the last line is not ignored.</para>
|
||||
|
||||
<important>
|
||||
<para>A trailing backslash is not ignored in a comment. So the continued
|
||||
rule above can be commented out with a single '#' as follows:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
<emphasis role="bold">#</emphasis>ACCEPT net:\
|
||||
206.124.146.177,\
|
||||
206.124.146.178,\
|
||||
206.124.146.180\
|
||||
dmz tcp 873</programlisting>
|
||||
</important>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Alternative Specification of Column Values</title>
|
||||
|
||||
<para>Some of the configuration files now have a large number of columns.
|
||||
That makes it awkward to specify a value for one of the right-most columns
|
||||
as you must have the correct number of intervening '-' columns.</para>
|
||||
|
||||
<para>This problem is addressed by allowing column values to be specified
|
||||
as <replaceable>column-name</replaceable>/<replaceable>value</replaceable>
|
||||
pairs.</para>
|
||||
|
||||
<para>There is considerable flexibility in how you specify the
|
||||
pairs:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>At any point, you can enter a left curly bracket ('{') followed
|
||||
by one or more specifications of the following forms:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
|
||||
|
||||
<member><replaceable>column-name</replaceable>=<replaceable>>value</replaceable></member>
|
||||
|
||||
<member><replaceable>column-name</replaceable>:<replaceable>value</replaceable></member>
|
||||
</simplelist>
|
||||
|
||||
<para>The pairs must be followed by a right curly bracket
|
||||
("}").</para>
|
||||
|
||||
<para>The value may optionally be enclosed in double quotes.</para>
|
||||
|
||||
<para>The pairs must be separated by white space, but you can add a
|
||||
comma adjacent to the <replaceable>values</replaceable> for
|
||||
readability as in:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis role="bold">{ proto=>udp, port=1024
|
||||
}</emphasis></member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You can also separate the pairs from columns by using a
|
||||
semicolon:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis role="bold">; proto:udp,
|
||||
port:1024</emphasis></member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>In Shorewall 5.0.3, the sample configuration files and the man pages
|
||||
were updated to use the same column names in both the column headings and
|
||||
in the alternate specification format. The following table shows the
|
||||
column names for each of the table-oriented configuration files.</para>
|
||||
|
||||
<note>
|
||||
<para>Column names are <emphasis
|
||||
role="bold">case-insensitive</emphasis>.</para>
|
||||
</note>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="2">
|
||||
<tbody>
|
||||
<row>
|
||||
<entry><emphasis role="bold">File</emphasis></entry>
|
||||
|
||||
<entry><emphasis role="bold">Column names</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>accounting</entry>
|
||||
|
||||
<entry>action,chain, source, dest, proto, dport, sport, user,
|
||||
mark, ipsec, headers</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>conntrack</entry>
|
||||
|
||||
<entry>action,source,dest,proto,dport,sport,user,switch</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>blacklist</entry>
|
||||
|
||||
<entry>networks,proto,port,options</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>blrules</entry>
|
||||
|
||||
<entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>ecn</entry>
|
||||
|
||||
<entry>interface,hosts. Beginning with Shorewall 4.5.4, 'host' is
|
||||
a synonym for 'hosts'.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>hosts</entry>
|
||||
|
||||
<entry>zone,hosts,options. Beginning with Shorewall 4.5.4, 'host'
|
||||
is a synonym for 'hosts'.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>interfaces</entry>
|
||||
|
||||
<entry>zone,interface,broadcast,options</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>maclist</entry>
|
||||
|
||||
<entry>disposition,interface,mac,addresses</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>mangle</entry>
|
||||
|
||||
<entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>masq</entry>
|
||||
|
||||
<entry>interface,source,address,proto,port,ipsec,mark,user,switch</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>nat</entry>
|
||||
|
||||
<entry>external,interface,internal,allints,local</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>netmap</entry>
|
||||
|
||||
<entry>type,net1,interface,net2,net3,proto,dport,sport</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>notrack</entry>
|
||||
|
||||
<entry>source,dest,proto,dport,sport,user</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>policy</entry>
|
||||
|
||||
<entry>source,dest,policy,loglevel,limit,connlimit</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>providers</entry>
|
||||
|
||||
<entry>table,number,mark,duplicate,interface,gateway,options,copy</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>proxyarp and proxyndp</entry>
|
||||
|
||||
<entry>address,interface,external,haveroute,persistent</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>rtrules</entry>
|
||||
|
||||
<entry>source,dest,provider,priority</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>routes</entry>
|
||||
|
||||
<entry>provider,dest,gateway,device</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>routestopped</entry>
|
||||
|
||||
<entry>interface,hosts,options,proto,dport,sport</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>rules</entry>
|
||||
|
||||
<entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch,helper</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>secmarks</entry>
|
||||
|
||||
<entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>tcclasses</entry>
|
||||
|
||||
<entry>interface,mark,rate,ceil,prio,options</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>tcdevices</entry>
|
||||
|
||||
<entry>interface,in_bandwidth,out_bandwidth,options,redirect</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>tcfilters</entry>
|
||||
|
||||
<entry>class,source,dest,proto,dport,sport,tos,length</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>tcinterfaces</entry>
|
||||
|
||||
<entry>interface,type,in_bandwidth,out_bandwidth</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>tcpri</entry>
|
||||
|
||||
<entry>band,proto,port,address,interface,helper</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>tcrules</entry>
|
||||
|
||||
<entry>mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers.
|
||||
Beginning with Shorewall 4.5.3, 'action' is a synonym for
|
||||
'mark'.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>tos</entry>
|
||||
|
||||
<entry>source,dest,proto,dport,sport,tos,mark</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>tunnels</entry>
|
||||
|
||||
<entry>type,zone,gateway,gateway_zone. Beginning with Shorewall
|
||||
4.5.3, 'gateways' is a synonym for 'gateway'. Beginning with
|
||||
Shorewall 4.5.4, 'gateway_zones' is a synonym for
|
||||
'gateway_zone'.</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>zones</entry>
|
||||
|
||||
<entry>zone,type,options,in_options,out_options</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
|
||||
<para>Example (rules file):</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</programlisting>
|
||||
|
||||
<para>Here's the same line in several equivalent formats:</para>
|
||||
|
||||
<programlisting>{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }
|
||||
; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
|
||||
DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.11, ip[6]table comments can be attached
|
||||
to individual rules using the <option>comment</option> keyword.</para>
|
||||
|
||||
<para>Example from the rules file:</para>
|
||||
|
||||
<programlisting> ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }</programlisting>
|
||||
|
||||
<para>As shown in that example, when the comment contains whitespace, it
|
||||
must be enclosed in double quotes and any embedded double quotes must be
|
||||
escaped using a backslash ("\").</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Time Columns</title>
|
||||
|
||||
<para>Several of the files include a TIME colum that allows you to specify
|
||||
times when the rule is to be applied. Contents of this column is a list of
|
||||
<replaceable>timeelement</replaceable>s separated by apersands
|
||||
(&).</para>
|
||||
|
||||
<para>Each <replaceable>timeelement</replaceable> is one of the
|
||||
following:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines the starting time of day.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines the ending time of day.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>contiguous</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shoreawll 5.0.12. When <emphasis
|
||||
role="bold">timestop</emphasis> is smaller than <emphasis
|
||||
role="bold">timestart</emphasis> value, match this as a single time
|
||||
period instead of distinct intervals. See the Examples below.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>utc</term>
|
||||
|
||||
<listitem>
|
||||
<para>Times are expressed in Greenwich Mean Time.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>localtz</term>
|
||||
|
||||
<listitem>
|
||||
<para>Deprecated by the Netfilter team in favor of <emphasis
|
||||
role="bold">kerneltz</emphasis>. Times are expressed in Local Civil
|
||||
Time (default).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>kerneltz</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.2. Times are expressed in Local Kernel
|
||||
Time (requires iptables 1.4.12 or later).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>weekdays=ddd[,ddd]...</term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>ddd</replaceable> is one of
|
||||
<option>Mon</option>, <option>Tue</option>, <option>Wed</option>,
|
||||
<option>Thu</option>, <option>Fri</option>, <option>Sat</option> or
|
||||
<option>Sun</option></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>monthdays=dd[,dd],...</term>
|
||||
|
||||
<listitem>
|
||||
<para>where <replaceable>dd</replaceable> is an ordinal day of the
|
||||
month</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines the starting date and time.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines the ending date and time.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>To match on weekends, use:</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
|
||||
<para>weekdays=Sat,Sun</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Or, to match (once) on a national holiday block:</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
|
||||
<para>datestart=2016-12-24&datestop=2016-12-27</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Since the stop time is actually inclusive, you would need the
|
||||
following stop time to not match the first second of the new
|
||||
day:</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
|
||||
<para>datestart=2016-12-24T17:00&datestop=2016-12-27T23:59:59</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>During Lunch Hour</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>The fourth Friday in the month:</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
|
||||
<para>weekdays=Fri&monthdays=22,23,24,25,26,27,28</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Matching across days might not do what is expected. For
|
||||
instance,</term>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
|
||||
<para>weekdays=Mon&timestart=23:00&timestop=01:00</para>
|
||||
|
||||
<para>Will match Monday, for one hour from midnight to 1 a.m., and
|
||||
then again for another hour from 23:00 onwards. If this is unwanted,
|
||||
e.g. if you would like 'match for two hours from Montay 23:00
|
||||
onwards' you need to also specify the <emphasis
|
||||
role="bold">contiguous</emphasis> option in the example
|
||||
above.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Switches</title>
|
||||
|
||||
<para>here are times when you would like to enable or disable one or more
|
||||
rules in the configuration without having to do a <command>shorewall
|
||||
reload</command> or <command>shorewall restart</command>. This may be
|
||||
accomplished using the SWITCH column in <ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or <ulink
|
||||
url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Using
|
||||
this column requires that your kernel and iptables include
|
||||
<firstterm>Condition Match Support</firstterm> and you must be running
|
||||
Shorewall 4.4.24 or later. See the output of <command>shorewall show
|
||||
capabilities</command> and <command>shorewall version</command> to
|
||||
determine if you can use this feature.</para>
|
||||
|
||||
<para>The SWITCH column contains the name of a
|
||||
<firstterm>switch.</firstterm> Each switch is initially in the <emphasis
|
||||
role="bold">off</emphasis> position. You can turn on the switch named
|
||||
<emphasis>switch1</emphasis> by:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><command>echo 1 >
|
||||
/proc/net/nf_condition/switch1</command></member>
|
||||
</simplelist>
|
||||
|
||||
<para>You can turn it off again by:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><command>echo 0 >
|
||||
/proc/net/nf_condition/switch1</command></member>
|
||||
</simplelist>
|
||||
|
||||
<para>If you simply include the switch name in the SWITCH column, then the
|
||||
rule is enabled only when the switch is <emphasis
|
||||
role="bold">on</emphasis>. If you precede the switch name with ! (e.g.,
|
||||
!switch1), then the rule is enabled only when the switch is <emphasis
|
||||
role="bold">off</emphasis>. Switch settings are retained over
|
||||
<command>shorewall restart</command>.</para>
|
||||
|
||||
<para>Shorewall requires that switch names:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>begin with a letter and be composed of letters, digits,
|
||||
underscore ('_') or hyphen ('-'); and</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>be 30 characters or less in length.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Multiple rules can be controlled by the same switch.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<blockquote>
|
||||
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
|
||||
on.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - <emphasis
|
||||
role="bold">primary_down</emphasis> </programlisting>
|
||||
</blockquote>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
<para>/etc/shorewall[6]/*</para>
|
||||
</refsect1>
|
||||
</refentry>
|
310
Shorewall/manpages/shorewall-names.xml
Normal file
310
Shorewall/manpages/shorewall-names.xml
Normal file
@ -0,0 +1,310 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
<refentry>
|
||||
<refmeta>
|
||||
<refentrytitle>shorewall-names</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
|
||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>Names</refname>
|
||||
|
||||
<refpurpose>Shorewall object names</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>When you define an object in Shorewall (<ulink
|
||||
url="manpages/shorewall-zones.html">Zone</ulink>, <link
|
||||
linkend="Logical">Logical Interface</link>, <ulink
|
||||
url="ipsets.html">ipsets</ulink>, <ulink
|
||||
url="Actions.html">Actions</ulink>, etc., you give it a name. Shorewall
|
||||
names start with a letter and consist of letters, digits or underscores
|
||||
("_"). Except for Zone names, Shorewall does not impose a limit on name
|
||||
length.</para>
|
||||
|
||||
<para>When an ipset is referenced, the name must be preceded by a plus
|
||||
sign ("+").</para>
|
||||
|
||||
<para>The last character of an interface may also be a plus sign to
|
||||
indicate a wildcard name.</para>
|
||||
|
||||
<para>Physical interface names match names shown by 'ip link ls'; if the
|
||||
name includes an at sign ("@"), do not include that character or any
|
||||
character that follows. For example, "sit1@NONE" is referred to as simply
|
||||
'sit1".</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Zone and Chain Names</title>
|
||||
|
||||
<para>For a pair of zones, Shorewall creates two Netfilter chains; one for
|
||||
connections in each direction. The names of these chains are formed by
|
||||
separating the names of the two zones by either "2" or "-".</para>
|
||||
|
||||
<para>Example: Traffic from zone A to zone B would go through chain A2B
|
||||
(think "A to B") or "A-B".</para>
|
||||
|
||||
<para>In Shorewall 4.6, the default separator is "-" but you can override
|
||||
that by setting ZONE_SEPARATOR="2" in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
||||
|
||||
<note>
|
||||
<para>Prior to Shorewall 4.6, the default separator was "2".</para>
|
||||
</note>
|
||||
|
||||
<para>Zones themselves have names that begin with a letter and are
|
||||
composed of letters, numerals, and "_". The maximum length of a name is
|
||||
dependent on the setting of LOGFORMAT in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). See <ulink
|
||||
url="manpages/shorewall-zones.html">shorewall-zones</ulink> (5) for
|
||||
details.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Using DNS Names</title>
|
||||
|
||||
<caution>
|
||||
<para>I personally recommend strongly against using DNS names in
|
||||
Shorewall configuration files. If you use DNS names and you are called
|
||||
out of bed at 2:00AM because Shorewall won't start as a result of DNS
|
||||
problems then don't say that you were not forewarned.</para>
|
||||
</caution>
|
||||
|
||||
<para>Host addresses in Shorewall configuration files may be specified as
|
||||
either IP addresses or DNS Names.</para>
|
||||
|
||||
<para>DNS names in iptables rules aren't nearly as useful as they first
|
||||
appear. When a DNS name appears in a rule, the iptables utility resolves
|
||||
the name to one or more IP addresses and inserts those addresses into the
|
||||
rule. So changes in the DNS->IP address relationship that occur after
|
||||
the firewall has started have absolutely no effect on the firewall's rule
|
||||
set.</para>
|
||||
|
||||
<para>For some sites, using DNS names is very risky. Here's an
|
||||
example:</para>
|
||||
|
||||
<programlisting>teastep@ursa:~$ dig pop.gmail.com
|
||||
|
||||
; <<>> DiG 9.4.2-P1 <<>> pop.gmail.com
|
||||
;; global options: printcmd
|
||||
;; Got answer:
|
||||
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1774
|
||||
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0
|
||||
|
||||
;; QUESTION SECTION:
|
||||
;pop.gmail.com. IN A
|
||||
|
||||
;; ANSWER SECTION:
|
||||
pop.gmail.com. <emphasis role="bold">300</emphasis> IN CNAME gmail-pop.l.google.com.
|
||||
gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.201.109
|
||||
gmail-pop.l.google.com. <emphasis role="bold">300</emphasis> IN A 209.85.201.111</programlisting>
|
||||
|
||||
<para>Note that the TTL is 300 -- 300 seconds is only 5 minutes. So five
|
||||
minutes later, the answer may change!</para>
|
||||
|
||||
<para>So this rule may work for five minutes then suddently stop
|
||||
working:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||
POP(ACCEPT) loc net:pop.gmail.com</programlisting>
|
||||
|
||||
<para>There are two options in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink> that
|
||||
affect the use of DNS names in Shorewall[6] config files:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>DEFER_DNS_RESOLUTION - When set to No, DNS names are resolved at
|
||||
compile time; when set to Yes, DNS Names are resolved at
|
||||
runtime.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>AUTOMAKE - When set to Yes, <command>start</command>,
|
||||
<command>restart</command> and <command>reload</command> only result
|
||||
in compilation if one of the files on the CONFIG_PATH has changed
|
||||
since the the last compilation.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>So by setting AUTOMAKE=Yes, and DEFER_DNS_RESOLUTION=No, compilation
|
||||
will only take place at boot time if a change had been make to the config
|
||||
but no <command>restart</command> or <command>reload</command> had taken
|
||||
place. This is clearly spelled out in the shorewall.conf manpage. So with
|
||||
these settings, so long as a 'reload' or 'restart' takes place after the
|
||||
Shorewall configuration is changes, there should be no DNS-related
|
||||
problems at boot time.</para>
|
||||
|
||||
<important>
|
||||
<para>When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS change
|
||||
makes it necessary to recompile an existing firewall script, the
|
||||
<option>-c</option> option must be used with the
|
||||
<command>reload</command> or <command>restart</command> command to force
|
||||
recompilation.</para>
|
||||
</important>
|
||||
|
||||
<para>If your firewall rules include DNS names then, even if
|
||||
DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If your <filename>/etc/resolv.conf </filename>is wrong then your
|
||||
firewall may not start.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If your <filename>/etc/nsswitch.conf</filename> is wrong then
|
||||
your firewall may not start.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If your Name Server(s) is(are) down then your firewall may not
|
||||
start.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If your startup scripts try to start your firewall before
|
||||
starting your DNS server then your firewall may not start.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Factors totally outside your control (your ISP's router is down
|
||||
for example), can prevent your firewall from starting.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You must bring up your network interfaces prior to starting your
|
||||
firewall, or the firewall may not start.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Each DNS name must be fully qualified and include a minimum of two
|
||||
periods (although one may be trailing). This restriction is imposed by
|
||||
Shorewall to insure backward compatibility with existing configuration
|
||||
files.</para>
|
||||
|
||||
<example id="validdns">
|
||||
<title>Valid DNS Names</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>mail.shorewall.net</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>shorewall.net. (note the trailing period).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</example>
|
||||
|
||||
<example id="invaliddns">
|
||||
<title>Invalid DNS Names</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>mail (not fully qualified)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>shorewall.net (only one period)</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</example>
|
||||
|
||||
<para>DNS names may not be used as:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The server address in a DNAT rule (/etc/shorewall/rules
|
||||
file)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>In the ADDRESS column of an entry in /etc/shorewall/masq.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para/>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>In the <filename>/etc/shorewall/nat</filename> file.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>These restrictions are imposed by Netfilter and not by
|
||||
Shorewall.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Logical Interface Names</title>
|
||||
|
||||
<para>When dealing with a complex configuration, it is often awkward to
|
||||
use physical interface names in the Shorewall configuration.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>You need to remember which interface is which.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you move the configuration to another firewall, the interface
|
||||
names might not be the same.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.4, you can use logical interface names
|
||||
which are mapped to the actual interface using the
|
||||
<option>physical</option> option in <ulink
|
||||
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>Here is an example:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net <emphasis role="bold">COM_IF </emphasis> dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
|
||||
role="bold">physical=eth0</emphasis>
|
||||
net <emphasis role="bold">EXT_IF</emphasis> dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
|
||||
role="bold">physical=eth2</emphasis>
|
||||
loc <emphasis role="bold">INT_IF </emphasis> dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
|
||||
role="bold">physical=eth1</emphasis>
|
||||
dmz <emphasis role="bold">VPS_IF </emphasis> logmartians=1,routefilter=0,routeback,<emphasis
|
||||
role="bold">physical=venet0</emphasis>
|
||||
loc <emphasis role="bold">TUN_IF</emphasis> <emphasis role="bold">physical=tun+</emphasis></programlisting>
|
||||
|
||||
<para>In this example, COM_IF is a logical interface name that refers to
|
||||
Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
|
||||
a logical interface name that refers to Ethernet interface <filename
|
||||
class="devicefile">eth2</filename>, and so on.</para>
|
||||
|
||||
<para>Here are a couple of more files from the same configuration:</para>
|
||||
|
||||
<para><ulink url="manpages/shorewall-masq.html">shorewall-masq</ulink>
|
||||
(5):</para>
|
||||
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS
|
||||
|
||||
COMMENT Masquerade Local Network
|
||||
<emphasis role="bold">COM_IF</emphasis> 0.0.0.0/0
|
||||
<emphasis role="bold">EXT_IF </emphasis> !206.124.146.0/24 206.124.146.179:persistent</programlisting>
|
||||
|
||||
<para><ulink
|
||||
url="manpages/shorewall-providers.html">shorewall-providers</ulink>
|
||||
(5)</para>
|
||||
|
||||
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||||
Avvanta 1 0x10000 main <emphasis role="bold">EXT_IF </emphasis> 206.124.146.254 loose,fallback <emphasis
|
||||
role="bold">INT_IF,VPS_IF,TUN_IF</emphasis>
|
||||
Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis> detect balance <emphasis
|
||||
role="bold">INT_IF,VPS_IF,TUN_IF</emphasis></programlisting>
|
||||
|
||||
<para>Note in particular that Shorewall translates TUN_IF to <filename
|
||||
class="devicefile">tun*</filename> in the COPY column.</para>
|
||||
</refsect1>
|
||||
</refentry>
|
@ -3300,7 +3300,7 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
|
||||
<para>If <emphasis role="bold">detect</emphasis> is specified in the
|
||||
ADDRESS column of an entry in <ulink
|
||||
url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
|
||||
firewall still startS if the optional interface in the INTERFACE
|
||||
firewall still starts if the optional interface in the INTERFACE
|
||||
column does not have an IP address.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
Loading…
Reference in New Issue
Block a user