mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-24 08:33:40 +01:00
982 lines
40 KiB
XML
982 lines
40 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall6-rules</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>rules</refname>
|
|
|
|
<refpurpose>Shorewall6 rules file</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>/etc/shorewall6/rules</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>Entries in this file govern connection establishment by defining
|
|
exceptions to the policies layed out in <ulink
|
|
url="shorewall6-policy.html">shorewall6-policy</ulink>(5). By default,
|
|
subsequent requests and responses are automatically allowed using
|
|
connection tracking. For any particular (source,dest) pair of zones, the
|
|
rules are evaluated in the order in which they appear in this file and the
|
|
first terminating match is the one that determines the disposition of the
|
|
request. All rules are terminating except LOG and QUEUE rules.</para>
|
|
|
|
<para>The rules file is divided into sections. Each section is introduced
|
|
by a "Section Header" which is a line beginning with SECTION and followed
|
|
by the section name.</para>
|
|
|
|
<para>Sections are as follows and must appear in the order listed:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ESTABLISHED</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Packets in the ESTABLISHED state are processed by rules in
|
|
this section.</para>
|
|
|
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
|
REJECT, LOG and QUEUE</para>
|
|
|
|
<para>There is an implicit ACCEPT rule inserted at the end of this
|
|
section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">RELATED</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Packets in the RELATED state are processed by rules in this
|
|
section.</para>
|
|
|
|
<para>The only ACTIONs allowed in this section are ACCEPT, DROP,
|
|
REJECT, LOG and QUEUE</para>
|
|
|
|
<para>There is an implicit ACCEPT rule inserted at the end of this
|
|
section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">NEW</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Packets in the NEW, INVALID and UNTRACKED states are processed
|
|
by rules in this section.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<note>
|
|
<para>If you are not familiar with Netfilter to the point where you are
|
|
comfortable with the differences between the various connection tracking
|
|
states, then it is suggested that you omit the <emphasis
|
|
role="bold">ESTABLISHED</emphasis> and <emphasis
|
|
role="bold">RELATED</emphasis> sections and place all of your rules in
|
|
the NEW section (That's after the line that reads SECTION NEW').</para>
|
|
</note>
|
|
|
|
<warning>
|
|
<para>If you specify FASTACCEPT=Yes in <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) then the <emphasis
|
|
role="bold">ESTABLISHED</emphasis> and <emphasis
|
|
role="bold">RELATED</emphasis> sections must be empty.</para>
|
|
</warning>
|
|
|
|
<para>You may omit any section that you don't need. If no Section Headers
|
|
appear in the file then all rules are assumed to be in the NEW
|
|
section.</para>
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACTION</emphasis> - {<emphasis
|
|
role="bold">ACCEPT</emphasis>[<emphasis
|
|
role="bold"><option>+</option>|<option>!</option></emphasis>]|<emphasis
|
|
role="bold">DROP[<option>!</option>]</emphasis>|<emphasis
|
|
role="bold">REJECT</emphasis>[<option>!</option>]|<emphasis
|
|
role="bold">DNAT</emphasis>[<emphasis
|
|
role="bold">-</emphasis>]|<emphasis
|
|
role="bold">SAME</emphasis>[<emphasis
|
|
role="bold">-</emphasis>]|<emphasis
|
|
role="bold">CONTINUE</emphasis>[<option>!</option>]|<emphasis
|
|
role="bold">LOG</emphasis>|<emphasis
|
|
role="bold">QUEUE</emphasis>[<option>!</option>]|<emphasis
|
|
role="bold">NFQUEUE</emphasis>[<emphasis
|
|
role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
|
|
role="bold">)</emphasis>]<emphasis
|
|
role="bold">|COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
|
|
role="bold">(</emphasis><emphasis>target</emphasis><emphasis
|
|
role="bold">)</emphasis>]}<emphasis
|
|
role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
|
|
role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
|
|
role="bold">!</emphasis></emphasis>][<emphasis
|
|
role="bold">:</emphasis><emphasis>tag</emphasis>]]</term>
|
|
|
|
<listitem>
|
|
<para>Specifies the action to be taken if the connection request
|
|
matches the rule. Must be one of the following.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACCEPT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Allow the connection request.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ACCEPT!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like ACCEPT but exempts the rule from being suppressed
|
|
by OPTIMIZE=1 in <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DROP</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Ignore the request.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DROP!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like DROP but exempts the rule from being suppressed by
|
|
OPTIMIZE=1 in <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">REJECT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>disallow the request and return an icmp-unreachable or
|
|
an RST packet.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">REJECT!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like REJECT but exempts the rule from being suppressed
|
|
by OPTIMIZE=1 in <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">CONTINUE</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>For experts only.</para>
|
|
|
|
<para>Do not process any of the following rules for this
|
|
(source zone,destination zone). If the source and/or
|
|
destination IP address falls into a zone defined later in
|
|
<ulink url="shorewall6-zones.html">shorewall6-zones</ulink>(5)
|
|
or in a parent zone of the source or destination zones, then
|
|
this connection request will be passed to the rules defined
|
|
for that (those) zone(s). See <ulink
|
|
url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5)
|
|
for additional information.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">CONTINUE!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like CONTINUE but exempts the rule from being suppressed
|
|
by OPTIMIZE=1 in <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">LOG</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Simply log the packet and continue with the next
|
|
rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">QUEUE</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Queue the packet to a user-space application such as
|
|
ftwall (http://p2pwall.sf.net). The application may reinsert
|
|
the packet for further processing.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">QUEUE!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like QUEUE but exempts the rule from being suppressed by
|
|
OPTIMIZE=1 in <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>NFQUEUE</term>
|
|
|
|
<listitem>
|
|
<para>Queues the packet to a user-space application using the
|
|
nfnetlink_queue mechanism. If a
|
|
<replaceable>queuenumber</replaceable> is not specified, queue
|
|
zero (0) is assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">NFQUEUE!</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>like NFQUEUE but exempts the rule from being suppressed
|
|
by OPTIMIZE=1 in <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">COMMENT</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>the rest of the line will be attached as a comment to
|
|
the Netfilter rule(s) generated by the following entries. The
|
|
comment will appear delimited by "/* ... */" in the output of
|
|
"shorewall6 show <chain>". To stop the comment from
|
|
being attached to further rules, simply include COMMENT on a
|
|
line by itself.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>action</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The name of an <emphasis>action</emphasis> declared in
|
|
<ulink
|
|
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
|
|
in /usr/share/shorewall6/actions.std.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>macro</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The name of a macro defined in a file named
|
|
macro.<emphasis>macro</emphasis>. If the macro accepts an
|
|
action parameter (Look at the macro source to see if it has
|
|
PARAM in the TARGET column) then the
|
|
<emphasis>macro</emphasis> name is followed by the
|
|
parenthesized <emphasis>target</emphasis> (<emphasis
|
|
role="bold">ACCEPT</emphasis>, <emphasis
|
|
role="bold">DROP</emphasis>, <emphasis
|
|
role="bold">REJECT</emphasis>, ...) to be substituted for the
|
|
parameter.</para>
|
|
|
|
<para>Example: FTP(ACCEPT).</para>
|
|
|
|
<para>The older syntax where the macro name and the target are
|
|
separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
|
|
deprecated.</para>
|
|
|
|
<programlisting></programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<blockquote>
|
|
<para>The <emphasis role="bold">ACTION</emphasis> may optionally
|
|
be followed by ":" and a syslog log level (e.g, REJECT:info or
|
|
ACCEPT:debug). This causes the packet to be logged at the
|
|
specified level.</para>
|
|
|
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
|
<emphasis>action</emphasis> declared in <ulink
|
|
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
|
|
/usr/share/shorewall6/actions.std then:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>If the log level is followed by "!' then all rules in
|
|
the action are logged at the log level.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If the log level is not followed by "!" then only those
|
|
rules in the action that do not specify logging are logged at
|
|
the specified level.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The special log level <emphasis
|
|
role="bold">none!</emphasis> suppresses logging by the
|
|
action.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You may also specify <emphasis role="bold">NFLOG</emphasis>
|
|
(must be in upper case) as a log level.This will log to the NFLOG
|
|
target for routing to a separate log through use of ulogd (<ulink
|
|
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
|
|
|
<para>Actions specifying logging may be followed by a log tag (a
|
|
string of alphanumeric characters) which is appended to the string
|
|
generated by the LOGPREFIX (in <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
|
|
|
<para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
|
|
the log prefix generated by the LOGPREFIX setting.</para>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">SOURCE</emphasis> -
|
|
{<emphasis>zone</emphasis>|<emphasis
|
|
role="bold">all</emphasis>[<emphasis
|
|
role="bold">+</emphasis>][<emphasis
|
|
role="bold">-</emphasis>]}<emphasis
|
|
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
|
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
|
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
|
|
|
|
<listitem>
|
|
<para>Source hosts to which the rule applies. May be a zone declared
|
|
in /etc/shorewall6/zones, <emphasis role="bold">$FW</emphasis> to
|
|
indicate the firewall itself, <emphasis role="bold">all</emphasis>,
|
|
<emphasis role="bold">all+</emphasis>, <emphasis
|
|
role="bold">all-</emphasis>, <emphasis role="bold">all+-</emphasis>
|
|
or <emphasis role="bold">none</emphasis>.</para>
|
|
|
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
|
|
|
<para><emphasis role="bold">all</emphasis> means "All Zones",
|
|
including the firewall itself. <emphasis role="bold">all-</emphasis>
|
|
means "All Zones, except the firewall itself". When <emphasis
|
|
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
|
|
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
|
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
|
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
|
role="bold">-</emphasis>] is "used, intra-zone traffic is
|
|
affected.</para>
|
|
|
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
|
specified, clients may be further restricted to a list of networks
|
|
and/or hosts by appending ":" and a comma-separated list of network
|
|
and/or host addresses. Hosts may be specified by IP or MAC address;
|
|
mac addresses must begin with "~" and must use "-" as a
|
|
separator.</para>
|
|
|
|
<para>Hosts may also be specified as an IP address range using the
|
|
syntax
|
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
|
This requires that your kernel and ip6tables contain iprange match
|
|
support. If your kernel and ip6tables have ipset match support then
|
|
you may give the name of an ipset prefaced by "+". The ipset name
|
|
may be optionally followed by a number from 1 to 6 enclosed in
|
|
square brackets ([]) to indicate the number of levels of source
|
|
bindings to be matched.</para>
|
|
|
|
<para>When an <replaceable>interface</replaceable> is not specified,
|
|
you may omit the angled brackets ('<' and '>') around the
|
|
address(es) or you may supply them to improve readability.</para>
|
|
|
|
<para>You may exclude certain hosts from the set already defined
|
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
|
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
|
|
|
<para>Examples:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>dmz:2002:ce7c::92b4:1::2</term>
|
|
|
|
<listitem>
|
|
<para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>net:2001:4d48:ad51:24::/64</term>
|
|
|
|
<listitem>
|
|
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>loc:<2002:cec792b4:1::2,2002:cec792b4:1::44></term>
|
|
|
|
<listitem>
|
|
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
|
|
local zone.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>loc:~00-A0-C9-15-39-78</term>
|
|
|
|
<listitem>
|
|
<para>Host in the local zone with MAC address
|
|
00:A0:C9:15:39:78.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80</term>
|
|
|
|
<listitem>
|
|
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
|
|
2001:4d48:ad51:24:6:/80.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<blockquote>
|
|
<para>Alternatively, clients may be specified by interface by
|
|
appending ":" to the zone name followed by the interface name. For
|
|
example, <emphasis role="bold">loc:eth1</emphasis> specifies a
|
|
client that communicates with the firewall system through eth1.
|
|
This may be optionally followed by another colon (":") and an
|
|
IP/MAC/subnet address as described above (e.g., <emphasis
|
|
role="bold">loc:eth1:<2002:ce7c::92b4:1::2></emphasis>).</para>
|
|
</blockquote>
|
|
|
|
<para>Examples:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>loc:eth1:<2002:cec792b4:1::2,2002:cec792b4:1::44></term>
|
|
|
|
<listitem>
|
|
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
|
|
Local zone, with <emphasis role="bold">both</emphasis>
|
|
originating from eth1</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold"><emphasis role="bold">DEST</emphasis> -
|
|
{<emphasis>zone</emphasis>|<emphasis
|
|
role="bold">all</emphasis>[<emphasis
|
|
role="bold">+</emphasis>][<emphasis
|
|
role="bold">-</emphasis>]}<emphasis
|
|
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
|
role="bold">:<option><</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>></option>|<emphasis>exclusion</emphasis>|<emphasis
|
|
role="bold">+</emphasis><emphasis>ipset</emphasis>}</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Location of Server. May be a zone declared in <ulink
|
|
url="shorewall6-zones.html">shorewall6-zones</ulink>(5), $<emphasis
|
|
role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
|
|
role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
|
|
<emphasis role="bold">none</emphasis>.</para>
|
|
|
|
<para>When <emphasis role="bold">none</emphasis> is used either in
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
|
|
|
<para>When <emphasis role="bold">all</emphasis> is used either in
|
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
|
role="bold">DEST</emphasis> column intra-zone traffic is not
|
|
affected. When <emphasis role="bold">all+</emphasis> is used,
|
|
intra-zone traffic is affected.</para>
|
|
|
|
<para>If the DEST <replaceable>zone</replaceable> is a bport zone,
|
|
then either:<orderedlist numeration="loweralpha">
|
|
<listitem>
|
|
<para>the SOURCE must be <option>all[+][-]</option>, or</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>the SOURCE <replaceable>zone</replaceable> must be
|
|
another bport zone associated with the same bridge, or</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>the SOURCE <replaceable>zone</replaceable> must be an
|
|
ipv4 zone that is associated with only the same bridge.</para>
|
|
</listitem>
|
|
</orderedlist></para>
|
|
|
|
<blockquote>
|
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
|
role="bold">+]|[-</emphasis>] is specified, the server may be
|
|
further restricted to a particular network, host or interface by
|
|
appending ":" and the network, host or interface. See <emphasis
|
|
role="bold">SOURCE</emphasis> above.</para>
|
|
|
|
<para>You may exclude certain hosts from the set already defined
|
|
through use of an <emphasis>exclusion</emphasis> (see <ulink
|
|
url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
|
|
|
|
<para>Restrictions:</para>
|
|
|
|
<para>1. MAC addresses are not allowed (this is a Netfilter
|
|
restriction).</para>
|
|
|
|
<para>If you kernel and ip6tables have ipset match support then
|
|
you may give the name of an ipset prefaced by "+". The ipset name
|
|
may be optionally followed by a number from 1 to 6 enclosed in
|
|
square brackets ([]) to indicate the number of levels of
|
|
destination bindings to be matched. Only one of the <emphasis
|
|
role="bold">SOURCE</emphasis> and <emphasis
|
|
role="bold">DEST</emphasis> columns may specify an ipset
|
|
name.</para>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
|
|
role="bold">-</emphasis>|<emphasis
|
|
role="bold">tcp:syn</emphasis>|<emphasis
|
|
role="bold">ipp2p</emphasis>|<emphasis
|
|
role="bold">ipp2p:udp</emphasis>|<emphasis
|
|
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
|
|
role="bold">all}</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
|
|
ipp2p match support in your kernel and ip6tables. <emphasis
|
|
role="bold">tcp:syn</emphasis> implies <emphasis
|
|
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
|
RST,ACK and FIN flags must be reset.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional) -
|
|
{<emphasis
|
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
|
|
|
<listitem>
|
|
<para>Destination Ports. A comma-separated list of Port names (from
|
|
services(5)), port numbers or port ranges; if the protocol is
|
|
<emphasis role="bold">icmp</emphasis>, this column is interpreted as
|
|
the destination icmp-type(s).</para>
|
|
|
|
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
|
this column is interpreted as an ipp2p option without the leading
|
|
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
|
|
If no port is given, <emphasis role="bold">ipp2p</emphasis> is
|
|
assumed.</para>
|
|
|
|
<para>A port range is expressed as
|
|
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
|
|
|
|
<para>This column is ignored if <emphasis
|
|
role="bold">PROTO</emphasis> = <emphasis role="bold">all</emphasis>
|
|
but must be entered if any of the following columns are supplied. In
|
|
that case, it is suggested that this field contain a dash (<emphasis
|
|
role="bold">-</emphasis>).</para>
|
|
|
|
<para>If your kernel contains multi-port match support, then only a
|
|
single Netfilter rule will be generated if in this list and the
|
|
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
|
|
|
|
<para>1. There are 15 or less ports listed.</para>
|
|
|
|
<para>2. No port ranges are included or your kernel and ip6tables
|
|
contain extended multiport match support.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
|
|
{<emphasis
|
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
|
|
|
<listitem>
|
|
<para>Port(s) used by the client. If omitted, any source port is
|
|
acceptable. Specified as a comma- separated list of port names, port
|
|
numbers or port ranges.</para>
|
|
|
|
<warning>
|
|
<para>Unless you really understand IP, you should leave this
|
|
column empty or place a dash (<emphasis role="bold">-</emphasis>)
|
|
in the column. Most people who try to use this column get it
|
|
wrong.</para>
|
|
</warning>
|
|
|
|
<blockquote>
|
|
<para>If you don't want to restrict client ports but need to
|
|
specify a later column, then place "-" in this column.</para>
|
|
|
|
<para>If your kernel contains multi-port match support, then only
|
|
a single Netfilter rule will be generated if in this list and the
|
|
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
|
|
|
<para>1. There are 15 or less ports listed.</para>
|
|
|
|
<para>2. No port ranges are included or your kernel and ip6tables
|
|
contain extended multiport match support.</para>
|
|
</blockquote>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) -
|
|
[<emphasis role="bold">-</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>Included for compatibility with Shorewall. Enter '-' in this
|
|
column if you need to specify one of the later columns.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional) -
|
|
[<emphasis role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
|
|
role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
|
|
role="bold">/</emphasis>{<emphasis
|
|
role="bold">sec</emphasis>|<emphasis
|
|
role="bold">min</emphasis>}[:<emphasis>burst</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>You may rate-limit the rule by placing a value in this
|
|
column:</para>
|
|
|
|
<para><emphasis>rate</emphasis> is the number of connections per
|
|
interval (<emphasis role="bold">sec</emphasis> or <emphasis
|
|
role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
|
|
largest burst permitted. If no <emphasis>burst</emphasis> is given,
|
|
a value of 5 is assumed. There may be no no whitespace embedded in
|
|
the specification.</para>
|
|
|
|
<para>Example: <emphasis role="bold">10/sec:20</emphasis></para>
|
|
|
|
<para>When <option>s:</option> or <option>d:</option> is specified,
|
|
the rate applies per source IP address or per destination IP address
|
|
respectively. The <replaceable>name</replaceable> may be chosen by
|
|
the user and specifies a hash table to be used to count matching
|
|
connections. If not give, the name <emphasis
|
|
role="bold">shorewall</emphasis> is assumed. Where more than one
|
|
POLICY specifies the same name, the connections counts for the rules
|
|
are aggregated and the individual rates apply to the aggregated
|
|
count.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
|
[<emphasis
|
|
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
|
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>This column may only be non-empty if the SOURCE is the
|
|
firewall itself.</para>
|
|
|
|
<para>When this column is non-empty, the rule applies only if the
|
|
program generating the output is running under the effective
|
|
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
|
specified (or is NOT running under that id if "!" is given).</para>
|
|
|
|
<para>Examples:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>joe</term>
|
|
|
|
<listitem>
|
|
<para>program must be run by joe</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>:kids</term>
|
|
|
|
<listitem>
|
|
<para>program must be run by a member of the 'kids'
|
|
group</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>!:kids</term>
|
|
|
|
<listitem>
|
|
<para>program must not be run by a member of the 'kids'
|
|
group</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
|
|
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
|
|
role="bold">:C</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>Defines a test on the existing packet or connection mark. The
|
|
rule will match only if the test returns true.</para>
|
|
|
|
<para>If you don't want to define a test but need to specify
|
|
anything in the following columns, place a "-" in this field.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>!</term>
|
|
|
|
<listitem>
|
|
<para>Inverts the test (not equal)</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>value</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Value of the packet or connection mark.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis>mask</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>A mask to be applied to the mark before testing.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">:C</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Designates a connection mark. If omitted, the packet
|
|
mark's value is tested.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">CONNLIMIT</emphasis> - [<emphasis
|
|
role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
|
|
|
|
<listitem>
|
|
<para>May be used to limit the number of simultaneous connections
|
|
from each individual host to <replaceable>limit</replaceable>
|
|
connections. Requires connlimit match in your kernel and ip6tables.
|
|
While the limit is only checked on rules specifying CONNLIMIT, the
|
|
number of current connections is calculated over all current
|
|
connections from the SOURCE host. By default, the limit is applied
|
|
to each host but can be made to apply to networks of hosts by
|
|
specifying a <replaceable>mask</replaceable>. The
|
|
<replaceable>mask</replaceable> specifies the width of a VLSM mask
|
|
to be applied to the source address; the number of current
|
|
connections is then taken over all hosts in the subnet
|
|
<replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
|
|
When<option> !</option> is specified, the rule matches when the
|
|
number of connection exceeds the
|
|
<replaceable>limit</replaceable>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">TIME</emphasis> -
|
|
<emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
|
|
|
|
<listitem>
|
|
<para>May be used to limit the rule to a particular time period each
|
|
day, to particular days of the week or month, or to a range defined
|
|
by dates and times. Requires time match support in your kernel and
|
|
ip6tables.</para>
|
|
|
|
<para><replaceable>timeelement</replaceable> may be:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
|
|
|
|
<listitem>
|
|
<para>Defines the starting time of day.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
|
|
|
|
<listitem>
|
|
<para>Defines the ending time of day.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>utc</term>
|
|
|
|
<listitem>
|
|
<para>Times are expressed in Greenwich Mean Time.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>localtz</term>
|
|
|
|
<listitem>
|
|
<para>Times are expressed in Local Civil Time
|
|
(default).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>weekdays=ddd[,ddd]...</term>
|
|
|
|
<listitem>
|
|
<para>where <replaceable>ddd</replaceable> is one of
|
|
<option>Mon</option>, <option>Tue</option>,
|
|
<option>Wed</option>, <option>Thu</option>,
|
|
<option>Fri</option>, <option>Sat</option> or
|
|
<option>Sun</option></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>monthdays=dd[,dd],...</term>
|
|
|
|
<listitem>
|
|
<para>where <replaceable>dd</replaceable> is an ordinal day of
|
|
the month</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
|
|
|
|
<listitem>
|
|
<para>Defines the starting date and time.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
|
|
|
|
<listitem>
|
|
<para>Defines the ending date and time.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Example</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Example 1:</term>
|
|
|
|
<listitem>
|
|
<para>Accept SMTP requests from the DMZ to the internet</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
ACCEPT dmz net tcp smtp</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 2:</term>
|
|
|
|
<listitem>
|
|
<para>Allow all ssh and http connection requests from the internet
|
|
to local system 2002:cec792b4:1::44</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
DNAT net loc:2002:cec792b4:1::44 tcp ssh,http</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 3:</term>
|
|
|
|
<listitem>
|
|
<para>Allow http connection requests from the internet to local
|
|
system 2002:cec792b4:1::44 with a limit of 3 per second and a
|
|
maximum burst of 10<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
|
# PORT PORT(S) DEST LIMIT
|
|
DNAT net loc:<2002:cec792b4:1::44> tcp http - - 3/sec:10</programlisting></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Example 4:</term>
|
|
|
|
<listitem>
|
|
<para>You want to accept SSH connections to your firewall only from
|
|
internet IP addresses 2002:ce7c::92b4:1::2 and
|
|
2002:ce7c::92b4:1::22</para>
|
|
|
|
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
# PORT PORT(S) DEST
|
|
ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
|
|
$FW tcp 22</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall6/rules</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See ALSO</title>
|
|
|
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
|
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
|
shorewall6-providers(5), shorewall6-route_rules(5),
|
|
shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-tcclasses(5),
|
|
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
|
shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
|
</refsect1>
|
|
</refentry>
|