shorewall_code/Shorewall/manpages/shorewall-arprules.xml

379 lines
12 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-arprules</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>arprules</refname>
<refpurpose>Shorewall ARP rules file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/arprules</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file was added in Shorwall 4.5.12 and is used to describe
low-level rules managed by arptables (8). These rules only affect Address
Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
Dynamic Reverse Address Resolution Protocol (DRARP) frames.</para>
<para>The columns in the file are as shown below. MAC addresses are
specified normally (6 hexidecimal numbers separated by colons).</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION</emphasis></term>
<listitem>
<para>Describes the action to take when a frame matches the criteria
in the other columns. Possible values are:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACCEPT</emphasis></term>
<listitem>
<para>This is the default action if no rules matches a frame;
it lets the frame go through.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DROP</emphasis></term>
<listitem>
<para>Causes the frame to be dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SNAT:</emphasis><replaceable>ip-address</replaceable></term>
<listitem>
<para>Modifies the source IP address to the specified
<replaceable>ip-address</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DNAT:</emphasis><replaceable>ip-address</replaceable></term>
<listitem>
<para>Modifies the destination IP address to the specified
<replaceable>ip-address</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SMAT:</emphasis><replaceable>mac-address</replaceable></term>
<listitem>
<para>Modifies the source MAC address to the specified
<replaceable>mac-address</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DMAT:</emphasis><replaceable>mac-address</replaceable></term>
<listitem>
<para>Modifies the destination MAC address to the specified
<replaceable>mac-address</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SNATC:</emphasis><replaceable>ip-address</replaceable></term>
<listitem>
<para>Like SNAT except that the frame is then passed to the
next rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DNATC:</emphasis><replaceable>ip-address</replaceable></term>
<listitem>
<para>Like DNAT except that the frame is then passed to the
next rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SMATC:</emphasis><replaceable>mac-address</replaceable></term>
<listitem>
<para>Like SMAT except that the frame is then passed to the
next rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DMATC:</emphasis><replaceable>mac-address</replaceable></term>
<listitem>
<para>Like DMAT except that the frame is then passed to the
next rule.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - <emphasis
role="bold">[<replaceable>interface</replaceable>[:[!]<replaceable>ipaddress</replaceable>[/ip<replaceable>mask</replaceable>][:[!]<replaceable>macaddress</replaceable>[/<replaceable>macmask</replaceable>]]]]</emphasis></term>
<listitem>
<para>Where</para>
<variablelist>
<varlistentry>
<term><replaceable>interface</replaceable></term>
<listitem>
<para>Is an interface defined in
shorewall-interfaces(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>ipaddress</replaceable></term>
<listitem>
<para>is an IPv4 address. DNS names are not allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>ipmask</replaceable></term>
<listitem>
<para>specifies a mask to be applied to
<replaceable>ipaddress</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>macaddress</replaceable></term>
<listitem>
<para>The source MAC address.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>macmask</replaceable></term>
<listitem>
<para>Mask for MAC address; must be specified as 6 hexidecimal
numbers separated by colons.</para>
</listitem>
</varlistentry>
</variablelist>
<para>When '!' is specified, the test is inverted.</para>
<para>If not specified, matches only frames originating on the
firewall itself.</para>
<caution>
<para>Either SOURCE or DEST must be specified.</para>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - <emphasis
role="bold">[<replaceable>interface</replaceable>[:[!]<replaceable>ipaddress</replaceable>[/ip<replaceable>mask</replaceable>][:[!]<replaceable>macaddress</replaceable>[/<replaceable>macmask</replaceable>]]]]</emphasis></term>
<listitem>
<para>Where</para>
<variablelist>
<varlistentry>
<term><replaceable>interface</replaceable></term>
<listitem>
<para>Is an interface defined in
shorewall-interfaces(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>ipaddress</replaceable></term>
<listitem>
<para>is an IPv4 address. DNS Names are not allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>ipmask</replaceable></term>
<listitem>
<para>specifies a mask to be applied to frame
addresses.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>macaddress</replaceable></term>
<listitem>
<para>The destination MAC address.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>macmask</replaceable></term>
<listitem>
<para>Mask for MAC address; must be specified as 6 hexidecimal
numbers separated by colons.</para>
</listitem>
</varlistentry>
</variablelist>
<para>When '!' is specified, the test is inverted and the rule
matches frames which do not match the specified address/mask.</para>
<para>If not specified, matches only frames originating on the
firewall itself.</para>
<para>If both SOURCE and DEST are specified, then both interfaces
must be bridge ports on the same bridge.</para>
<caution>
<para>Either SOURCE or DEST must be specified.</para>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term>ARP OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
<listitem>
<para>Optional. Describes the type of frame. Possible
<replaceable>opcode</replaceable> values are:</para>
<variablelist>
<varlistentry>
<term>1</term>
<listitem>
<para>ARP Request</para>
</listitem>
</varlistentry>
<varlistentry>
<term>2</term>
<listitem>
<para>ARP Reply</para>
</listitem>
</varlistentry>
<varlistentry>
<term>3</term>
<listitem>
<para>RARP Request</para>
</listitem>
</varlistentry>
<varlistentry>
<term>4</term>
<listitem>
<para>RARP Reply</para>
</listitem>
</varlistentry>
<varlistentry>
<term>5</term>
<listitem>
<para>Dynamic RARP Request</para>
</listitem>
</varlistentry>
<varlistentry>
<term>6</term>
<listitem>
<para>Dynamic RARP Reply</para>
</listitem>
</varlistentry>
<varlistentry>
<term>7</term>
<listitem>
<para>Dynamic RARP Error</para>
</listitem>
</varlistentry>
<varlistentry>
<term>8</term>
<listitem>
<para>InARP Request</para>
</listitem>
</varlistentry>
<varlistentry>
<term>9</term>
<listitem>
<para>ARP NAK</para>
</listitem>
</varlistentry>
</variablelist>
<para>When '!' is specified, the test is inverted and the rule
matches frames which do not match the specifed
<replaceable>opcode</replaceable>.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<para>The eth1 interface has both a pubiic IP address and a private
address (10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use
the private address as the IP source:</para>
<programlisting>#ACTION SOURCE DEST ARP OPCODE
SNAT:10.1.10.11 - eth1:10.1.10.0/24 1</programlisting>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/arprules</para>
</refsect1>
</refentry>