mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 04:04:10 +01:00
3379252b88
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4888 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
359 lines
12 KiB
XML
359 lines
12 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall-rules</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>rules</refname>
|
|
|
|
<refpurpose>Shorewall rules file</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>/etc/shorewall/rules</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>Rules in this file govern connection establishment. Requests and
|
|
responses are automatically allowed using connection tracking. For any
|
|
particular (source,dest) pair of zones, the rules are evaluated in the
|
|
order in which they appear in this file and the first match is the one
|
|
that determines the disposition of the request.</para>
|
|
|
|
<para>In most places where an IP address or subnet is allowed, you can
|
|
preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to indicate
|
|
that the rule matches all addresses except the address/subnet given.
|
|
Notice that no white space is permitted between "!" and the
|
|
address/subnet.</para>
|
|
|
|
<warning>
|
|
<para>If you masquerade or use SNAT from a local system to the internet,
|
|
you cannot use an ACCEPT rule to allow traffic from the internet to that
|
|
system. You *must* use a DNAT rule instead.</para>
|
|
</warning>
|
|
|
|
<para>The rules file is divided into sections. Each section is introduced
|
|
by a "Section Header" which is a line beginning with SECTION followed by
|
|
the section name.</para>
|
|
|
|
<para>Sections are as follows and must appear in the order listed:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>ESTABLISHED</term>
|
|
|
|
<listitem>
|
|
<para>Packets in the ESTABLISHED state are processed by rules in
|
|
this section.</para>
|
|
|
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
|
REJECT, LOG and QUEUE</para>
|
|
|
|
<para>There is an implicit ACCEPT rule inserted at the end of this
|
|
section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>RELATED</term>
|
|
|
|
<listitem>
|
|
<para>Packets in the RELATED state are processed by rules in this
|
|
section.</para>
|
|
|
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
|
REJECT, LOG and QUEUE</para>
|
|
|
|
<para>There is an implicit ACCEPT rule inserted at the end of this
|
|
section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>NEW</term>
|
|
|
|
<listitem>
|
|
<para>Packets in the NEW and INVALID states are processed by rules
|
|
in this section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<note>
|
|
<para>If you are not familiar with Netfilter to the point where you are
|
|
comfortable with the differences between the various connection tracking
|
|
states, then I suggest that you omit the ESTABLISHED and RELATED
|
|
sections and place all of your rules in the NEW section (That's after
|
|
the line that reads SECTION NEW').</para>
|
|
</note>
|
|
|
|
<warning>
|
|
<para>If you specify FASTACCEPT=Yes in shorewall.conf(5) then the
|
|
ESTABLISHED and RELATED sections must be empty.</para>
|
|
</warning>
|
|
|
|
<para>You may omit any section that you don't need. If no Section Headers
|
|
appear in the file then all rules are assumed to be in the NEW section.
|
|
</para>
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>ACTION</term>
|
|
|
|
<listitem>
|
|
<para> ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, LOG,
|
|
QUEUE, COMMENT, a <emphasis>macro</emphasis>, or an
|
|
<emphasis>action</emphasis>.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>ACCEPT</term>
|
|
|
|
<listitem>
|
|
<para>Allow the connection request.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>ACCEPT+</term>
|
|
|
|
<listitem>
|
|
<para>like ACCEPT but also excludes the connection from any
|
|
subsequent DNAT[-] or REDIRECT[-] rules</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>NONAT</term>
|
|
|
|
<listitem>
|
|
<para>Excludes the connection from any subsequent <emphasis
|
|
role="bold">DNAT</emphasis>[-] or <emphasis
|
|
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
|
|
a rule to accept the traffic.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>DROP</term>
|
|
|
|
<listitem>
|
|
<para>Ignore the request.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>REJECT</term>
|
|
|
|
<listitem>
|
|
<para>disallow the request and return an icmp-unreachable or
|
|
an RST packet.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>DNAT</term>
|
|
|
|
<listitem>
|
|
<para>Forward the request to another system (and optionally
|
|
another port).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>DNAT-</term>
|
|
|
|
<listitem>
|
|
<para>Advanced users only.</para>
|
|
|
|
<para> Like DNAT but only generates the DNAT iptables rule and
|
|
not the companion ACCEPT rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>SAME</term>
|
|
|
|
<listitem>
|
|
<para>Similar to DNAT except that the port may not be remapped
|
|
and when multiple server addresses are listed, all requests
|
|
from a given remote system go to the same server.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>SAME-</term>
|
|
|
|
<listitem>
|
|
<para>Advanced users only.</para>
|
|
|
|
<para>Like SAME but only generates the NAT iptables rule and
|
|
not the companion ACCEPT rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>REDIRECT</term>
|
|
|
|
<listitem>
|
|
<para>Redirect the request to a server on the firewall.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>REDIRECT-</term>
|
|
|
|
<listitem>
|
|
<para>Advanced users only.</para>
|
|
|
|
<para>Like REDIRET but only generates the REDIRECT iptables
|
|
rule and not the companion ACCEPT rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>CONTINUE</term>
|
|
|
|
<listitem>
|
|
<para> For experts only.</para>
|
|
|
|
<para>Do not process any of the following rules for this
|
|
(source zone,destination zone). If the source and/or
|
|
destination IP address falls into a zone defined later in
|
|
shorewall-zones(5), this connection request will be passed to
|
|
the rules defined for that (those) zone(s).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>LOG</term>
|
|
|
|
<listitem>
|
|
<para>Simply log the packet and continue.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>QUEUE</term>
|
|
|
|
<listitem>
|
|
<para>Queue the packet to a user-space application such as
|
|
ftwall (http://p2pwall.sf.net).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>COMMENT</term>
|
|
|
|
<listitem>
|
|
<para>the rest of the line will be attached as a comment to
|
|
the Netfilter rule(s) generated by the following entres. The
|
|
comment will appear delimited by "/* ... */" in the output of
|
|
"shorewall show <chain>". To stop the comment from being
|
|
attached to further rules, simply include COMMENT on a line by
|
|
itself.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>action</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The name of an <emphasis>action</emphasis> defined in
|
|
shorewall.actions(5) or in
|
|
/usr/share/shorewall/actions.std.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>macro</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The name of a macro defined in a file named macro.If the
|
|
macro accepts an action parameter (Look at the macro source to
|
|
see if it has PARAM in the TARGET column) then the
|
|
<emphasis>macro</emphasis> name is followed by "/" and the
|
|
action (ACCEPT, DROP, REJECT, ...) to be substituted for the
|
|
parameter.</para>
|
|
|
|
<para>Example: FTP/ACCEPT.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>The ACTION may optionally be followed by ":" and a syslog log
|
|
level (e.g, REJECT:info or DNAT:debug). This causes the packet to be
|
|
logged at the specified level.</para>
|
|
|
|
<para>If the ACTION names an <emphasis>action</emphasis> defined in
|
|
shorewall.actions(5) or in /usr/share/shorewall/actions.std
|
|
then:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>If the log level is followed by "!' then all rules in the
|
|
action are logged at the log level.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If the log level is not followed by "!" then only those
|
|
rules in the action that do not specify logging are logged at
|
|
the specified level.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The special log level 'none!' suppresses logging by the
|
|
action.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You may also specify ULOG (must be in upper case) as a log
|
|
level.This will log to the ULOG target for routing to a separate log
|
|
through use of ulogd
|
|
(http://www.gnumonks.org/projects/ulogd).</para>
|
|
|
|
<para>Actions specifying logging may be followed by a log tag (a
|
|
string of alphanumeric characters) are appended to the string
|
|
generated by the LOGPREFIX (in shorewall.conf(5)).</para>
|
|
|
|
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
|
the log prefix generated by the LOGPREFIX setting.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Example</title>
|
|
|
|
<para></para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall/</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See ALSO</title>
|
|
|
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
|
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
|
|
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
|
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
|
shorewall-route_routes(5), shorewall-routestopped(5), shorewall.conf(5),
|
|
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
|
|
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
|
</refsect1>
|
|
</refentry> |