mirror of
https://gitlab.com/shorewall/code.git
synced 2025-08-16 11:44:28 +02:00
Update for Shorewall 2.2.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1749 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.0 -- Sample Rules File For Three Interfaces
|
||||
# Shorewall version 2.2 -- Sample Rules File For Three Interfaces
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
@ -27,6 +27,15 @@
|
||||
#
|
||||
# ACCEPT
|
||||
# Allow the connection request.
|
||||
# ACCEPT+
|
||||
# Like ACCEPT but also excludes the
|
||||
# connection from any subsequent
|
||||
# DNAT[-] or REDIRECT[-] rules
|
||||
# NONAT
|
||||
# Excludes the connection from any
|
||||
# subsequent DNAT[-] or REDIRECT[-]
|
||||
# rules but doesn't generate a rule
|
||||
# to accept the traffic.
|
||||
# DROP
|
||||
# Ignore the request.
|
||||
# REJECT
|
||||
@ -74,11 +83,35 @@
|
||||
# level (e.g, REJECT:info or DNAT:debug). This causes the packet
|
||||
# to be logged at the specified level.
|
||||
#
|
||||
#
|
||||
# If the ACTION names an action defined in
|
||||
# /etc/shorewall/actions or in
|
||||
# /usr/share/shorewall/actions.std then:
|
||||
#
|
||||
# - If the log level is followed by "!' then all rules
|
||||
# in the action are logged at the log level.
|
||||
#
|
||||
# - If the log level is not followed by "!" then only
|
||||
# those rules in the action that do not specify
|
||||
# logging are logged at the specified level.
|
||||
#
|
||||
# - The special log level 'none!' suppresses logging
|
||||
# by the action.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level. This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd.
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# Actions specifying logging may be followed by a
|
||||
# log tag (a string of alphanumeric characters)
|
||||
# are appended to the string generated by the
|
||||
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
||||
#
|
||||
# Example: ACCEPT:info:ftp would include 'ftp '
|
||||
# at the end of the log prefix generated by the
|
||||
# LOGPREFIX setting.
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||
# firewall itself, or "all" If the ACTION is DNAT or
|
||||
@ -86,6 +119,10 @@
|
||||
# excluded from the rule by following the zone name with
|
||||
# "!' and a comma-separated list of sub-zone names.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. You must add
|
||||
# separate rules to handle that traffic.
|
||||
#
|
||||
# Except when "all" is specified, clients may be further
|
||||
# restricted to a list of subnets and/or hosts by
|
||||
# appending ":" and a comma-separated list of subnets
|
||||
@ -93,6 +130,10 @@
|
||||
# address; mac addresses must begin with "~" and must use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# Hosts may be specified as an IP address range using the
|
||||
# syntax <low address>-<high address>. This requires that
|
||||
# your kernel and iptables contain iprange match support.
|
||||
#
|
||||
# Some Examples:
|
||||
#
|
||||
# net:155.186.235.1
|
||||
@ -110,6 +151,10 @@
|
||||
# Host on the Local Network with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# net:192.0.2.11-192.0.2.17
|
||||
# Hosts 192.0.2.11-192.0.2.17 in
|
||||
# the net zone.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# by appending ":" to the zone name followed by the
|
||||
# interface name. For example, net:eth0 specifies a
|
||||
@ -157,14 +202,20 @@
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
||||
# "all".
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example "bit"
|
||||
# for bit-torrent). If no port is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
@ -186,8 +237,8 @@
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ADDRESS in the next column, then place "-"
|
||||
# in this column.
|
||||
# specify an ORIGINAL DEST in the next column, then place
|
||||
# "-" in this column.
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
@ -214,14 +265,6 @@
|
||||
# destination address in the connection request does not
|
||||
# match any of the addresses listed.
|
||||
#
|
||||
# The address may optionally be followed by
|
||||
# a colon (":") and a second IP address. This causes
|
||||
# Shorewall to use the second IP address as the source
|
||||
# address in forwarded packets. See the Shorewall
|
||||
# documentation for restrictions concerning this feature.
|
||||
# If no source IP address is given, the original source
|
||||
# address is not altered.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in this column:
|
||||
#
|
||||
# <rate>/<interval>[:<burst>]
|
||||
|
||||
Reference in New Issue
Block a user