forked from extern/shorewall_code
Support additional forms of column/value pair specification
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
e728d663f9
commit
0a5d5821ec
@ -1339,57 +1339,33 @@ sub supplied( $ ) {
|
||||
|
||||
# ensure that it has an appropriate number of columns.
|
||||
# supply '-' in omitted trailing columns.
|
||||
#
|
||||
sub split_line( $$ ) {
|
||||
my ( $description, $columnsref ) = @_;
|
||||
|
||||
my @maxcolumns = ( keys %$columnsref );
|
||||
my $maxcolumns = @maxcolumns;
|
||||
|
||||
my ( $columns, $pairs, $rest ) = split( ';', $currentline );
|
||||
|
||||
fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
|
||||
fatal_error "Shorewall Configuration file entries may not contain single quotes, double quotes, single back quotes or backslashes" if $columns =~ /["'`\\]/;
|
||||
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
|
||||
|
||||
my @line = split( ' ', $columns );
|
||||
|
||||
my $line = @line;
|
||||
|
||||
fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns;
|
||||
|
||||
$line-- while $line > 0 && $line[$line-1] eq '-';
|
||||
|
||||
push @line, '-' while @line < $maxcolumns;
|
||||
|
||||
if ( supplied $pairs ) {
|
||||
my @pairs = split( ' ', $pairs );
|
||||
|
||||
for ( @pairs ) {
|
||||
fatal_error "Invalid column/value pair ($_)" unless /^(\w+)=(.+)$/;
|
||||
my ( $column, $value ) = ( lc $1, $2 );
|
||||
fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
|
||||
$column = $columnsref->{$column};
|
||||
fatal_error "The $1 column already has a value" unless $line[$column] eq '-';
|
||||
$line[$column] = $value =~ /^"([^"]+)"$/ ? $1 : $value;
|
||||
}
|
||||
}
|
||||
|
||||
@line;
|
||||
}
|
||||
|
||||
#
|
||||
# Version of 'split_line' used on files with exceptions
|
||||
# Handles all of the supported forms of column/pair specification
|
||||
#
|
||||
sub split_line1( $$;$ ) {
|
||||
my ( $description, $columnsref, $nopad) = @_;
|
||||
|
||||
my @maxcolumns = ( keys %$columnsref );
|
||||
my $maxcolumns = @maxcolumns;
|
||||
|
||||
#
|
||||
# First see if there is a semicolon on the line; what follows will be column/value paris
|
||||
#
|
||||
my ( $columns, $pairs, $rest ) = split( ';', $currentline );
|
||||
|
||||
fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
|
||||
if ( supplied $pairs ) {
|
||||
#
|
||||
# Found it -- be sure there wasn't more than one.
|
||||
#
|
||||
fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
|
||||
} elsif ( $currentline =~ /(.*){(.*)}$/ ) {
|
||||
#
|
||||
# Pairs are enclosed in curly brackets.
|
||||
#
|
||||
$columns = $1;
|
||||
$pairs = $2;
|
||||
} else {
|
||||
$pairs = '';
|
||||
}
|
||||
|
||||
fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
|
||||
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
|
||||
|
||||
@ -1397,7 +1373,7 @@ sub split_line1( $$;$ ) {
|
||||
|
||||
$nopad = { COMMENT => 0 } unless $nopad;
|
||||
|
||||
my $first = $line[0];
|
||||
my $first = supplied $line[0] ? $line[0] : '-';
|
||||
my $npcolumns = $nopad->{$first};
|
||||
|
||||
if ( defined $npcolumns ) {
|
||||
@ -1416,21 +1392,31 @@ sub split_line1( $$;$ ) {
|
||||
push @line, '-' while @line < $maxcolumns;
|
||||
|
||||
if ( supplied $pairs ) {
|
||||
my @pairs = split( ' ', $pairs );
|
||||
$pairs =~ s/^\s*//;
|
||||
$pairs =~ s/\s*$//;
|
||||
|
||||
my @pairs = split( /,?\s+/, $pairs );
|
||||
|
||||
for ( @pairs ) {
|
||||
fatal_error "Invalid column/value pair ($_)" unless /^(\w+)=(.+)$/;
|
||||
fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
|
||||
my ( $column, $value ) = ( lc $1, $2 );
|
||||
fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
|
||||
$column = $columnsref->{$column};
|
||||
fatal_error "The $1 column already has a value" unless $line[$column] eq '-';
|
||||
$line[$column] = $value =~ /^"([^"]+)"$/ ? $1 : $value;
|
||||
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
|
||||
$value = $1 if $value =~ /^"([^"]+)"$/;
|
||||
fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
|
||||
fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
|
||||
$line[$column] = $value;
|
||||
}
|
||||
}
|
||||
|
||||
@line;
|
||||
}
|
||||
|
||||
sub split_line($$) {
|
||||
&split_line1( @_, {} );
|
||||
}
|
||||
|
||||
#
|
||||
# Open a file, setting $currentfile. Returns the file's absolute pathname if the file
|
||||
# exists, is non-empty and was successfully opened. Terminates with a fatal error
|
||||
|
||||
@ -1037,7 +1037,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
|
||||
#
|
||||
sub process_tc_filter() {
|
||||
|
||||
my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { interface => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
|
||||
my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
|
||||
|
||||
fatal_error 'CLASS must be specified' if $devclass eq '-';
|
||||
|
||||
|
||||
@ -504,21 +504,51 @@ ACCEPT net:\
|
||||
as <replaceable>column-name</replaceable>/<replaceable>value</replaceable>
|
||||
pairs.</para>
|
||||
|
||||
<para>At any point, you can enter a semicolon (';') followed by one or
|
||||
more specifications of the form:</para>
|
||||
<para>There is considerable flexibility in how you specify the
|
||||
pairs:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
|
||||
</simplelist>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>At any point, you can enter a semicolon (';') followed by one or
|
||||
more specifications of the following forms:</para>
|
||||
|
||||
<para>The value may optionally be enclosed in double quotes.</para>
|
||||
<simplelist>
|
||||
<member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
|
||||
|
||||
<para>The following table shows the right-most required column and the
|
||||
remaining column names for each of the table-oriented configuration
|
||||
files.</para>
|
||||
<member><replaceable>column-name</replaceable>=<replaceable>>value</replaceable></member>
|
||||
|
||||
<member><replaceable>column-name</replaceable>:<replaceable>value</replaceable></member>
|
||||
</simplelist>
|
||||
|
||||
<para>The value may optionally be enclosed in double quotes.</para>
|
||||
|
||||
<para>The pairs must be separated by white space, but you can add a
|
||||
comma adjacent to the <replaceable>values</replaceable> for
|
||||
readability as in:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis role="bold">; proto=>udp,
|
||||
port=1024</emphasis></member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You can enclose the pairs in curly brackets ("{...}") rather
|
||||
than separating them from columns by a semicolon:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis role="bold">{ proto:udp, port:1024
|
||||
}</emphasis></member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The following table shows the column names for each of the
|
||||
table-oriented configuration files.</para>
|
||||
|
||||
<note>
|
||||
<para>Column names are case-insensitive.</para>
|
||||
<para>Column names are <emphasis
|
||||
role="bold">case-insensitive</emphasis>.</para>
|
||||
</note>
|
||||
|
||||
<informaltable>
|
||||
@ -576,7 +606,7 @@ ACCEPT net:\
|
||||
<row>
|
||||
<entry>nat</entry>
|
||||
|
||||
<entry>external,interface,internal,allints,localnat</entry>
|
||||
<entry>external,interface,internal,allints,local</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -630,7 +660,7 @@ ACCEPT net:\
|
||||
<row>
|
||||
<entry>secmarks</entry>
|
||||
|
||||
<entry>secmark,source,dest,proto,dport,sport,user,mark</entry>
|
||||
<entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -648,7 +678,7 @@ ACCEPT net:\
|
||||
<row>
|
||||
<entry>tcfilters</entry>
|
||||
|
||||
<entry>interface,source,dest,proto,dport,sport,tos,length</entry>
|
||||
<entry>class,source,dest,proto,dport,sport,tos,length</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
@ -694,7 +724,13 @@ ACCEPT net:\
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</programlisting>
|
||||
DNAT net loc:10.0.0.1 tcp 80 ; mark="88"</programlisting>
|
||||
|
||||
<para>Here's the same line in several equivalent formats:</para>
|
||||
|
||||
<programlisting>{ action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }
|
||||
; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
|
||||
DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
||||
@ -165,7 +165,9 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax):</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -343,7 +345,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DESTINATION</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
|
||||
@ -358,7 +360,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
|
||||
@ -377,8 +379,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@ -401,8 +403,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport)-
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@ -418,7 +420,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
@ -674,7 +676,7 @@
|
||||
the values <emphasis role="bold">-</emphasis>, <emphasis
|
||||
role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be
|
||||
used as wildcards. Omitted trailing columns are also treated as
|
||||
wildcards.</para>
|
||||
wildcard.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
||||
@ -26,12 +26,14 @@
|
||||
<para>The blacklist file is used to perform static blacklisting. You can
|
||||
blacklist by source address (IP or MAC), or by application.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">ADDRESS/SUBNET</emphasis> (networks) -
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
|
||||
|
||||
@ -55,34 +57,32 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
|
||||
{<emphasis
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
|
||||
role="bold">-</emphasis>|[!]<emphasis>protocol-number</emphasis>|[!]<emphasis>protocol-name</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, must be a protocol number or a protocol name
|
||||
from protocols(5).</para>
|
||||
<para>Optional - If specified, must be a protocol number or a
|
||||
protocol name from protocols(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
|
||||
<term><emphasis role="bold">PORTS</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
<listitem>
|
||||
<para>May only be specified if the protocol is TCP (6) or UDP (17).
|
||||
A comma-separated list of destination port numbers or service names
|
||||
from services(5).</para>
|
||||
<para>Optional - may only be specified if the protocol is TCP (6) or
|
||||
UDP (17). A comma-separated list of destination port numbers or
|
||||
service names from services(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>OPTIONS (Optional - Added in 4.4.12) -
|
||||
{-|{dst|src|whitelist|audit}[,...]}</term>
|
||||
<term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, indicates whether traffic
|
||||
<emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
|
||||
<para>Optional - added in 4.4.12. If specified, indicates whether
|
||||
traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
|
||||
role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
|
||||
ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
|
||||
blacklisted. The default is <emphasis role="bold">src</emphasis>. If
|
||||
|
||||
@ -31,7 +31,9 @@
|
||||
url="shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
|
||||
file.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -73,17 +75,17 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">IP ADDRESSES</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">IP ADDRESSES</emphasis> (addresses) -
|
||||
[<emphasis>address</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>address</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, both the MAC and IP address must match. This
|
||||
column can contain a comma-separated list of host and/or subnet
|
||||
addresses. If your kernel and iptables have iprange match support
|
||||
then IP address ranges are also allowed. Similarly, if your kernel
|
||||
and iptables include ipset support than set names (prefixed by "+")
|
||||
are also allowed.</para>
|
||||
<para>Optional - if specified, both the MAC and IP address must
|
||||
match. This column can contain a comma-separated list of host and/or
|
||||
subnet addresses. If your kernel and iptables have iprange match
|
||||
support then IP address ranges are also allowed. Similarly, if your
|
||||
kernel and iptables include ipset support than set names (prefixed
|
||||
by "+") are also allowed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@ -35,7 +35,9 @@
|
||||
solution that one-to-one NAT.</para>
|
||||
</warning>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -101,8 +103,9 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALL INTERFACES</emphasis> - [<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
<term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
|
||||
[<emphasis role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If Yes or yes, NAT will be effective from all hosts. If No or
|
||||
|
||||
@ -31,7 +31,9 @@
|
||||
support included.</para>
|
||||
</warning>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -123,24 +125,23 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTO (Optional - Added in Shorewall
|
||||
4.4.23.2)</emphasis> -
|
||||
<term><emphasis role="bold">PROTO</emphasis> -
|
||||
<emphasis>protocol-number-or-name</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Only packets specifying this protocol will have their IP
|
||||
header modified.</para>
|
||||
<para>Optional -- added in Shorewall 4.4.23.2. Only packets
|
||||
specifying this protocol will have their IP header modified.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.23.2)</emphasis> -
|
||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
|
||||
<para>Optional - added in Shorewall 4.4.23.2. Destination Ports. A
|
||||
comma-separated list of Port names (from services(5)),
|
||||
<emphasis>port number</emphasis>s or <emphasis>port
|
||||
range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
@ -161,14 +162,14 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) (Optional - Added in
|
||||
Shorewall 4.4.23.2)</emphasis> -
|
||||
<term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port(s). If omitted, any source port is acceptable.
|
||||
Specified as a comma-separated list of port names, port numbers or
|
||||
port ranges.</para>
|
||||
<para>Optional -- added in Shorewall 4.4.23.2. Source port(s). If
|
||||
omitted, any source port is acceptable. Specified as a
|
||||
comma-separated list of port names, port numbers or port
|
||||
ranges.</para>
|
||||
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
|
||||
@ -27,7 +27,9 @@
|
||||
connection tracking. Traffic matching entries in this file will not be
|
||||
tracked.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -101,7 +103,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DEST PORT(S) - port-number/service-name-list</term>
|
||||
<term>DEST PORT(S) (dport) - port-number/service-name-list</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of port numbers and/or service names
|
||||
@ -113,7 +115,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SOURCE PORT(S) - port-number/service-name-list</term>
|
||||
<term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of port numbers and/or service names
|
||||
@ -125,7 +127,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>USER/GROUP ‒
|
||||
<term>USER/GROUP (user) ‒
|
||||
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
|
||||
@ -51,7 +51,9 @@
|
||||
in this file.</para>
|
||||
</important>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -204,14 +206,14 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">LOG LEVEL</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">LOG LEVEL</emphasis> (loglevel) -
|
||||
[<emphasis>log-level</emphasis>|<emphasis
|
||||
role="bold">ULOG|NFLOG</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If supplied, each connection handled under the default POLICY
|
||||
is logged at that level. If not supplied, no log message is
|
||||
generated. See syslog.conf(5) for a description of log
|
||||
<para>Optional - if supplied, each connection handled under the
|
||||
default POLICY is logged at that level. If not supplied, no log
|
||||
message is generated. See syslog.conf(5) for a description of log
|
||||
levels.</para>
|
||||
|
||||
<para>You may also specify ULOG or NFLOG (must be in upper case).
|
||||
@ -225,7 +227,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">BURST:LIMIT</emphasis> -
|
||||
<term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
|
||||
[{<emphasis>s</emphasis>|<emphasis
|
||||
role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
|
||||
role="bold">/</emphasis>{<emphasis
|
||||
|
||||
@ -33,7 +33,9 @@
|
||||
restart</command> command.</para>
|
||||
</warning>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -47,27 +49,27 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">HOST(S)</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">HOST(S)</emphasis> (hosts) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Comma-separated list of IP/subnet addresses. If your kernel
|
||||
and iptables include iprange match support, IP address ranges are
|
||||
also allowed.</para>
|
||||
<para>Optional. Comma-separated list of IP/subnet addresses. If your
|
||||
kernel and iptables include iprange match support, IP address ranges
|
||||
are also allowed.</para>
|
||||
|
||||
<para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">OPTIONS</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">OPTIONS</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>option</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of options. The order of the options is
|
||||
not important but the list can contain no embedded whitespace. The
|
||||
currently-supported options are:</para>
|
||||
<para>Optional. A comma-separated list of options. The order of the
|
||||
options is not important but the list can contain no embedded
|
||||
whitespace. The currently-supported options are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -133,26 +135,26 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DEST PORT(S) (Optional) ‒
|
||||
<term>DEST PORT(S) (dport) ‒
|
||||
<replaceable>service-name/port-number-list</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of port numbers and/or service names
|
||||
from <filename>/etc/services</filename>. May also include port
|
||||
ranges of the form
|
||||
<para>Optional. A comma-separated list of port numbers and/or
|
||||
service names from <filename>/etc/services</filename>. May also
|
||||
include port ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SOURCE PORT(S) (Optional) ‒
|
||||
<term>SOURCE PORT(S) (sport) ‒
|
||||
<replaceable>service-name/port-number-list</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of port numbers and/or service names
|
||||
from <filename>/etc/services</filename>. May also include port
|
||||
ranges of the form
|
||||
<para>Optional. A comma-separated list of port numbers and/or
|
||||
service names from <filename>/etc/services</filename>. May also
|
||||
include port ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
</listitem>
|
||||
|
||||
@ -136,7 +136,9 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -859,7 +861,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
|
||||
<term><emphasis role="bold">PROTO</emphasis>- {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">tcp:syn</emphasis>|<emphasis
|
||||
role="bold">ipp2p</emphasis>|<emphasis
|
||||
@ -868,8 +870,8 @@
|
||||
role="bold">all}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
|
||||
ipp2p match support in your kernel and iptables. <emphasis
|
||||
<para>Optional Protocol - <emphasis role="bold">ipp2p</emphasis>*
|
||||
requires ipp2p match support in your kernel and iptables. <emphasis
|
||||
role="bold">tcp:syn</emphasis> implies <emphasis
|
||||
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
||||
RST,ACK and FIN flags must be reset.</para>
|
||||
@ -881,18 +883,18 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional) -
|
||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
|
||||
{<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), port numbers or port ranges; if the protocol is
|
||||
<emphasis role="bold">icmp</emphasis>, this column is interpreted as
|
||||
the destination icmp-type(s). ICMP types may be specified as a
|
||||
numeric type, a numberic type and code separated by a slash (e.g.,
|
||||
3/4), or a typename. See <ulink
|
||||
<para>Optional destination Ports. A comma-separated list of Port
|
||||
names (from services(5)), port numbers or port ranges; if the
|
||||
protocol is <emphasis role="bold">icmp</emphasis>, this column is
|
||||
interpreted as the destination icmp-type(s). ICMP types may be
|
||||
specified as a numeric type, a numberic type and code separated by a
|
||||
slash (e.g., 3/4), or a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||
Note that prior to Shorewall 4.4.19, only a single ICMP type may be
|
||||
listsed.</para>
|
||||
@ -924,15 +926,15 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Port(s) used by the client. If omitted, any source port is
|
||||
acceptable. Specified as a comma- separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
<para>Optional port(s) used by the client. If omitted, any source
|
||||
port is acceptable. Specified as a comma- separated list of port
|
||||
names, port numbers or port ranges.</para>
|
||||
|
||||
<warning>
|
||||
<para>Unless you really understand IP, you should leave this
|
||||
@ -959,19 +961,19 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
|
||||
role="bold">-</emphasis>] or <emphasis
|
||||
role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
|
||||
then if this column is included and is different from the IP address
|
||||
given in the <emphasis role="bold">DEST</emphasis> column, then
|
||||
connections destined for that address will be forwarded to the IP
|
||||
and port specified in the <emphasis role="bold">DEST</emphasis>
|
||||
column.</para>
|
||||
<para>Optional. If ACTION is <emphasis
|
||||
role="bold">DNAT</emphasis>[<emphasis role="bold">-</emphasis>] or
|
||||
<emphasis role="bold">REDIRECT</emphasis>[<emphasis
|
||||
role="bold">-</emphasis>] then if this column is included and is
|
||||
different from the IP address given in the <emphasis
|
||||
role="bold">DEST</emphasis> column, then connections destined for
|
||||
that address will be forwarded to the IP and port specified in the
|
||||
<emphasis role="bold">DEST</emphasis> column.</para>
|
||||
|
||||
<para>A comma-separated list of addresses may also be used. This is
|
||||
most useful with the <emphasis role="bold">REDIRECT</emphasis>
|
||||
@ -1013,8 +1015,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional) -
|
||||
[<emphasis role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
|
||||
role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
|
||||
role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
|
||||
role="bold">/</emphasis>{<emphasis
|
||||
role="bold">sec</emphasis>|<emphasis
|
||||
@ -1023,8 +1025,8 @@
|
||||
role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>You may rate-limit the rule by placing a value in this
|
||||
column:</para>
|
||||
<para>You may optionally rate-limit the rule by placing a value in
|
||||
this column:</para>
|
||||
|
||||
<para><emphasis>rate</emphasis> is the number of connections per
|
||||
interval (<emphasis role="bold">sec</emphasis> or <emphasis
|
||||
@ -1050,15 +1052,14 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column may only be non-empty if the SOURCE is the
|
||||
firewall itself.</para>
|
||||
<para>This optional column may only be non-empty if the SOURCE is
|
||||
the firewall itself.</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
program generating the output is running under the effective
|
||||
|
||||
@ -34,7 +34,9 @@
|
||||
<para>The secmarks file is used to associate an SELinux context with
|
||||
packets. It was added in Shorewall version 4.4.13.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -89,7 +91,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CHAIN:STATE -
|
||||
<term><emphasis role="bold">CHAIN:STATE (chain) -
|
||||
{P|I|F|O|T}[:{N|I|NI|E|ER}]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@ -216,14 +218,14 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
|
||||
range</emphasis>s; if the protocol is <emphasis
|
||||
<para>Optional destination Ports. A comma-separated list of Port
|
||||
names (from services(5)), <emphasis>port number</emphasis>s or
|
||||
<emphasis>port range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numberic type and code separated by a slash (e.g., 3/4), or
|
||||
@ -243,26 +245,26 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port(s). If omitted, any source port is acceptable.
|
||||
Specified as a comma-separated list of port names, port numbers or
|
||||
port ranges.</para>
|
||||
<para>Optional source port(s). If omitted, any source port is
|
||||
acceptable. Specified as a comma-separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column may only be non-empty if the SOURCE is the
|
||||
firewall itself.</para>
|
||||
<para>This optional column may only be non-empty if the SOURCE is
|
||||
the firewall itself.</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
program generating the output is running under the effective
|
||||
|
||||
@ -91,7 +91,9 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -120,7 +122,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">IN-BANDWIDTH</emphasis> -
|
||||
<term><emphasis role="bold">IN-BANDWIDTH (in_bandwidth)</emphasis> -
|
||||
<replaceable>bandwidth</replaceable>[:<replaceable>burst</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
@ -147,7 +149,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">OUT-BANDWIDTH</emphasis> -
|
||||
<term><emphasis role="bold">OUT-BANDWIDTH</emphasis> (out_bandwidth) -
|
||||
<emphasis>bandwidth</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@ -178,7 +180,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">REDIRECTED INTERFACES</emphasis> -
|
||||
<term><emphasis role="bold">REDIRECTED INTERFACES</emphasis>
|
||||
(redirect)-
|
||||
[<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
|
||||
@ -57,7 +57,9 @@
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -112,25 +114,24 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT</emphasis> (Optional) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A Port name (from services(5)) or a
|
||||
<emphasis>port number</emphasis>; if the protocol is <emphasis
|
||||
<para>Optional destination Ports. A Port name (from services(5)) or
|
||||
a <emphasis>port number</emphasis>; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port.</para>
|
||||
<para>Optional source port.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -179,12 +180,12 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">LENGTH</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">LENGTH</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Must be a power of 2 between 32 and 8192 inclusive. Packets
|
||||
with a total length that is strictly less than the specified
|
||||
<para>Optional - Must be a power of 2 between 32 and 8192 inclusive.
|
||||
Packets with a total length that is strictly less than the specified
|
||||
<replaceable>number</replaceable> will match the rule.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -104,7 +104,9 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -139,7 +141,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>IN-BANDWIDTH -
|
||||
<term>IN-BANDWIDTH (in_bandwidth) -
|
||||
[<replaceable>rate</replaceable>[:<replaceable>burst</replaceable>]]</term>
|
||||
|
||||
<listitem>
|
||||
@ -169,7 +171,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>OUT-BANDWIDTH -
|
||||
<term>OUT-BANDWIDTH (out_bandwidth) -
|
||||
[<replaceable>rate</replaceable>[:[<replaceable>burst</replaceable>][:[<replaceable>latency</replaceable>][:[<replaceable>peek</replaceable>][:[<replaceable>minburst</replaceable>]]]]]]</term>
|
||||
|
||||
<listitem>
|
||||
@ -203,12 +205,13 @@
|
||||
url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
||||
shorewall-secmarks(5), shorewall-tcpri(5), shorewall-tcrules(5),
|
||||
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
||||
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
||||
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
||||
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
|
||||
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcpri(5),
|
||||
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
||||
shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
||||
@ -38,11 +38,13 @@
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
|
||||
<term><emphasis role="bold">MARK/CLASSIFY</emphasis> (mark) -
|
||||
<replaceable>mark</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
@ -550,14 +552,14 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
|
||||
range</emphasis>s; if the protocol is <emphasis
|
||||
<para>Optional destination Ports. A comma-separated list of Port
|
||||
names (from services(5)), <emphasis>port number</emphasis>s or
|
||||
<emphasis>port range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numberic type and code separated by a slash (e.g., 3/4), or
|
||||
@ -577,15 +579,15 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port(s). If omitted, any source port is acceptable.
|
||||
Specified as a comma-separated list of port names, port numbers or
|
||||
port ranges.</para>
|
||||
<para>Optional source port(s). If omitted, any source port is
|
||||
acceptable. Specified as a comma-separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
@ -594,14 +596,14 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column may only be non-empty if the SOURCE is the
|
||||
firewall itself.</para>
|
||||
<para>This optional column may only be non-empty if the SOURCE is
|
||||
the firewall itself.</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
program generating the output is running under the effective
|
||||
@ -654,13 +656,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TEST</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">TEST</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
|
||||
role="bold">:C</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines a test on the existing packet or connection mark. The
|
||||
rule will match only if the test returns true.</para>
|
||||
<para>Optional - Defines a test on the existing packet or connection
|
||||
mark. The rule will match only if the test returns true.</para>
|
||||
|
||||
<para>If you don't want to define a test but need to specify
|
||||
anything in the following columns, place a "-" in this field.</para>
|
||||
@ -703,15 +705,15 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">LENGTH</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">LENGTH</emphasis> -
|
||||
[<emphasis>length</emphasis>|[<emphasis>min</emphasis>]<emphasis
|
||||
role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Packet Length. This field, if present allow you to match the
|
||||
length of a packet against a specific value or range of values. You
|
||||
must have iptables length support for this to work. A range is
|
||||
specified in the form
|
||||
<para>Optional - packet Length. This field, if present allow you to
|
||||
match the length of a packet against a specific value or range of
|
||||
values. You must have iptables length support for this to work. A
|
||||
range is specified in the form
|
||||
<emphasis>min</emphasis>:<emphasis>max</emphasis> where either
|
||||
<emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
|
||||
may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is
|
||||
@ -721,7 +723,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TOS</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">TOS</emphasis> -
|
||||
<emphasis>tos</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@ -737,7 +739,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CONNBYTES</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">CONNBYTES</emphasis> -
|
||||
[!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis
|
||||
role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
|
||||
role="bold">B</emphasis>}[:{<emphasis
|
||||
@ -745,8 +747,9 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
role="bold">A</emphasis>}]]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Connection Bytes; defines a byte or packet range that the
|
||||
connection must fall within in order for the rule to match.</para>
|
||||
<para>Optional connection Bytes; defines a byte or packet range that
|
||||
the connection must fall within in order for the rule to
|
||||
match.</para>
|
||||
|
||||
<para>A packet matches if the the packet/byte count is within the
|
||||
range defined by <emphasis>min</emphasis> and
|
||||
@ -784,7 +787,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">HELPER (Optional) -
|
||||
<term><emphasis role="bold">HELPER -
|
||||
</emphasis><emphasis>helper</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
|
||||
@ -25,7 +25,9 @@
|
||||
|
||||
<para>This file defines rules for setting Type Of Service (TOS)</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -59,7 +61,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> -
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> (proto) -
|
||||
<emphasis>proto-name-or-number</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@ -68,7 +70,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> -
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{-|<emphasis>port</emphasis>|<emphasis>lowport</emphasis><emphasis
|
||||
role="bold">:</emphasis><emphasis>highport</emphasis>}</term>
|
||||
|
||||
@ -78,7 +80,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> -
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
||||
{-|<emphasis>port</emphasis>|<emphasis>lowport</emphasis><emphasis
|
||||
role="bold">:</emphasis><emphasis>highport</emphasis>}</term>
|
||||
|
||||
|
||||
@ -144,16 +144,17 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">GATEWAY ZONES</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">GATEWAY ZONES</emphasis> (gateway_zone) -
|
||||
[<emphasis>zone</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>zone</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If the gateway system specified in the third column is a
|
||||
standalone host then this column should contain a comma-separated
|
||||
list of the names of the zones that the host might be in. This
|
||||
column only applies to IPSEC tunnels where it enables ISAKMP traffic
|
||||
to flow through the tunnel to the remote gateway.</para>
|
||||
<para>Optional. If the gateway system specified in the third column
|
||||
is a standalone host then this column should contain a
|
||||
comma-separated list of the names of the zones that the host might
|
||||
be in. This column only applies to IPSEC tunnels where it enables
|
||||
ISAKMP traffic to flow through the tunnel to the remote
|
||||
gateway.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@ -28,7 +28,9 @@
|
||||
<filename>/etc/shorewall/interfaces</filename> or
|
||||
<filename>/etc/shorewall/hosts</filename>.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -191,7 +193,8 @@ c:a,b ipv4</programlisting>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">OPTIONS, IN OPTIONS and OUT
|
||||
OPTIONS</emphasis> - [<emphasis>option</emphasis>[<emphasis
|
||||
OPTIONS</emphasis> (options, in_options, out_options) -
|
||||
[<emphasis>option</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
|
||||
@ -165,7 +165,9 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -285,7 +287,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DESTINATION</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
|
||||
@ -299,7 +301,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> - {<emphasis
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
|
||||
@ -318,8 +320,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@ -342,8 +344,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
||||
role="bold">any</emphasis>|<emphasis
|
||||
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
@ -359,7 +361,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> - [<emphasis
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||
|
||||
@ -26,7 +26,9 @@
|
||||
<para>The blacklist file is used to perform static blacklisting. You can
|
||||
blacklist by source address (IP or MAC), or by application.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -55,18 +57,17 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
|
||||
{<emphasis
|
||||
<term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, must be a protocol number or a protocol name
|
||||
from protocols(5).</para>
|
||||
<para>Optional - if specified, must be a protocol number or a
|
||||
protocol name from protocols(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
|
||||
<term><emphasis role="bold">PORTS</emphasis> (port) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||
|
||||
<listitem>
|
||||
@ -77,12 +78,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>OPTIONS (Optional - Added in 4.4.12) -
|
||||
{-|{dst|src|whitelist|audit}[,...]}</term>
|
||||
<term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, indicates whether traffic
|
||||
<emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
|
||||
<para>Optional - added in 4.4.12. If specified, indicates whether
|
||||
traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
|
||||
role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
|
||||
ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
|
||||
blacklisted. The default is <emphasis role="bold">src</emphasis>. If
|
||||
|
||||
@ -44,7 +44,9 @@
|
||||
pair.</para>
|
||||
</warning>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -59,7 +61,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">HOST(S)</emphasis> -
|
||||
<term><emphasis role="bold">HOST(S)</emphasis> (hosts)-
|
||||
<emphasis>interface</emphasis>:<option>[</option>{[{<emphasis>address-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
|
||||
role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]<option>]</option></term>
|
||||
@ -109,13 +111,13 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>OPTIONS (Optional) - [<emphasis>option</emphasis>[<emphasis
|
||||
<term>OPTIONS - [<emphasis>option</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of options from the following list. The
|
||||
order in which you list the options is not significant but the list
|
||||
must have no embedded white space.</para>
|
||||
<para>An optional comma-separated list of options from the following
|
||||
list. The order in which you list the options is not significant but
|
||||
the list must have no embedded white space.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
|
||||
@ -32,7 +32,9 @@
|
||||
table support included.</para>
|
||||
</warning>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -113,13 +115,13 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">NET3 (Optional)</emphasis> -
|
||||
<term><emphasis role="bold">NET3</emphasis> -
|
||||
<emphasis>network-address</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.11. If specified, qualifies INTERFACE.
|
||||
It specifies a SOURCE network for DNAT rules and a DESTINATON
|
||||
network for SNAT rules.</para>
|
||||
<para>Optional - added in Shorewall 4.4.11. If specified, qualifies
|
||||
INTERFACE. It specifies a SOURCE network for DNAT rules and a
|
||||
DESTINATON network for SNAT rules.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -134,13 +136,13 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> -
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
|
||||
range</emphasis>s; if the protocol is <emphasis
|
||||
<para>Destination Ports. An optional comma-separated list of Port
|
||||
names (from services(5)), <emphasis>port number</emphasis>s or
|
||||
<emphasis>port range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numberic type and code separated by a slash (e.g., 3/4), or
|
||||
@ -160,13 +162,13 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> -
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
<emphasis>port-number-or-name-list</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port(s). If omitted, any source port is acceptable.
|
||||
Specified as a comma-separated list of port names, port numbers or
|
||||
port ranges.</para>
|
||||
<para>Optional source port(s). If omitted, any source port is
|
||||
acceptable. Specified as a comma-separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
|
||||
@ -27,7 +27,9 @@
|
||||
connection tracking. Traffic matching entries in this file will not be
|
||||
tracked.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -84,7 +86,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>DEST PORT(S) - port-number/service-name-list</term>
|
||||
<term>DEST PORT(S) (dport) - port-number/service-name-list</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of port numbers and/or service names
|
||||
@ -96,7 +98,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SOURCE PORT(S) - port-number/service-name-list</term>
|
||||
<term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of port numbers and/or service names
|
||||
@ -108,7 +110,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>USER/GROUP ‒
|
||||
<term>USER/GROUP (user) ‒
|
||||
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
||||
|
||||
<listitem>
|
||||
|
||||
@ -51,7 +51,9 @@
|
||||
in this file.</para>
|
||||
</important>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -204,14 +206,14 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">LOG LEVEL</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">LOG LEVEL</emphasis> (loglevel) -
|
||||
[<emphasis>log-level</emphasis>|<emphasis
|
||||
role="bold">NFLOG</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If supplied, each connection handled under the default POLICY
|
||||
is logged at that level. If not supplied, no log message is
|
||||
generated. See syslog.conf(5) for a description of log
|
||||
<para>Optional - if supplied, each connection handled under the
|
||||
default POLICY is logged at that level. If not supplied, no log
|
||||
message is generated. See syslog.conf(5) for a description of log
|
||||
levels.</para>
|
||||
|
||||
<para>You may also specify NFLOG (must be in upper case). This will
|
||||
@ -225,7 +227,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">BURST:LIMIT</emphasis> -
|
||||
<term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
|
||||
[{<emphasis>s</emphasis>|<emphasis
|
||||
role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
|
||||
role="bold">/</emphasis>{<emphasis
|
||||
|
||||
@ -29,7 +29,9 @@
|
||||
used, the file also determines those hosts that are accessible when the
|
||||
firewall is in the process of being [re]started.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -43,27 +45,27 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">HOST(S)</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">HOST(S)</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Comma-separated list of IP/subnet addresses. If your kernel
|
||||
and ip6tables include iprange match support, IP address ranges are
|
||||
also allowed.</para>
|
||||
<para>Optional comma-separated list of IP/subnet addresses. If your
|
||||
kernel and ip6tables include iprange match support, IP address
|
||||
ranges are also allowed.</para>
|
||||
|
||||
<para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">OPTIONS</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">OPTIONS</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>option</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>A comma-separated list of options. The order of the options is
|
||||
not important but the list can contain no embedded whitespace. The
|
||||
currently-supported options are:</para>
|
||||
<para>An optional comma-separated list of options. The order of the
|
||||
options is not important but the list can contain no embedded
|
||||
whitespace. The currently-supported options are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
|
||||
@ -109,7 +109,9 @@
|
||||
appear in the file then all rules are assumed to be in the NEW
|
||||
section.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -661,7 +663,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
|
||||
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis
|
||||
role="bold">tcp:syn</emphasis>|<emphasis
|
||||
role="bold">ipp2p</emphasis>|<emphasis
|
||||
@ -670,8 +672,8 @@
|
||||
role="bold">all}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
|
||||
ipp2p match support in your kernel and ip6tables. <emphasis
|
||||
<para>Optional protocol - <emphasis role="bold">ipp2p</emphasis>*
|
||||
requires ipp2p match support in your kernel and ip6tables. <emphasis
|
||||
role="bold">tcp:syn</emphasis> implies <emphasis
|
||||
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
||||
RST,ACK and FIN flags must be reset.</para>
|
||||
@ -683,18 +685,18 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional) -
|
||||
<term><emphasis role="bold">DEST PORT(S) </emphasis>(dport) -
|
||||
{<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), port numbers or port ranges; if the protocol is
|
||||
<emphasis role="bold">icmp</emphasis>, this column is interpreted as
|
||||
the destination icmp-type(s). ICMP types may be specified as a
|
||||
numeric type, a numberic type and code separated by a slash (e.g.,
|
||||
3/4), or a typename. See <ulink
|
||||
<para>Optional destination Ports. A comma-separated list of Port
|
||||
names (from services(5)), port numbers or port ranges; if the
|
||||
protocol is <emphasis role="bold">icmp</emphasis>, this column is
|
||||
interpreted as the destination icmp-type(s). ICMP types may be
|
||||
specified as a numeric type, a numberic type and code separated by a
|
||||
slash (e.g., 3/4), or a typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
|
||||
Note that prior to Shorewall6 4.4.19, only a single ICMP type may be
|
||||
listsed.</para>
|
||||
@ -726,13 +728,13 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
{<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Port(s) used by the client. If omitted, any source port is
|
||||
<para>Optional source port(s). If omitted, any source port is
|
||||
acceptable. Specified as a comma- separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
|
||||
@ -760,7 +762,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
||||
[<emphasis role="bold">-</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
@ -770,8 +772,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional) -
|
||||
[<emphasis role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
|
||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
|
||||
role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
|
||||
role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
|
||||
role="bold">/</emphasis>{<emphasis
|
||||
role="bold">sec</emphasis>|<emphasis
|
||||
@ -780,8 +782,8 @@
|
||||
role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>You may rate-limit the rule by placing a value in this
|
||||
column:</para>
|
||||
<para>You may optionally rate-limit the rule by placing a value in
|
||||
this column:</para>
|
||||
|
||||
<para><emphasis>rate</emphasis> is the number of connections per
|
||||
interval (<emphasis role="bold">sec</emphasis> or <emphasis
|
||||
@ -805,14 +807,13 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column may only be non-empty if the SOURCE is the
|
||||
firewall itself.</para>
|
||||
<para>This optional column may only be non-empty if the SOURCE is
|
||||
the firewall itself.</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
program generating the output is running under the effective
|
||||
|
||||
@ -34,7 +34,9 @@
|
||||
<para>The secmarks file is used to associate an SELinux context with
|
||||
packets. It was added in Shorewall6 version 4.4.13.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -207,14 +209,14 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
|
||||
range</emphasis>s; if the protocol is <emphasis
|
||||
<para>Optional destination Ports. A comma-separated list of Port
|
||||
names (from services(5)), <emphasis>port number</emphasis>s or
|
||||
<emphasis>port range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numberic type and code separated by a slash (e.g., 3/4), or
|
||||
@ -234,26 +236,26 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port(s). If omitted, any source port is acceptable.
|
||||
Specified as a comma-separated list of port names, port numbers or
|
||||
port ranges.</para>
|
||||
<para>Optional source port(s). If omitted, any source port is
|
||||
acceptable. Specified as a comma-separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column may only be non-empty if the SOURCE is the
|
||||
firewall itself.</para>
|
||||
<para>This optional column may only be non-empty if the SOURCE is
|
||||
the firewall itself.</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
program generating the output is running under the effective
|
||||
|
||||
@ -91,7 +91,9 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -121,7 +123,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">IN-BANDWIDTH</emphasis> - <emphasis
|
||||
<term><emphasis role="bold">IN-BANDWIDTH</emphasis> (in_bandwidth) -
|
||||
<emphasis
|
||||
role="bold"><replaceable>bandwidth</replaceable>[:<replaceable>burst</replaceable>]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@ -148,7 +151,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">OUT-BANDWIDTH</emphasis> -
|
||||
<term><emphasis role="bold">OUT-BANDWIDTH</emphasis> (out_bandwidth) -
|
||||
<emphasis>bandwidth</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
@ -179,7 +182,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">REDIRECTED INTERFACES</emphasis> -
|
||||
<term><emphasis role="bold">REDIRECTED INTERFACES</emphasis>
|
||||
(redirect) -
|
||||
[<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
@ -229,8 +233,8 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
|
||||
shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcrules(5),
|
||||
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
||||
|
||||
@ -57,7 +57,9 @@
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -108,34 +110,33 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST PORT</emphasis> (Optional) -
|
||||
[<emphasis
|
||||
<term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A Port name (from services(5)) or a
|
||||
<emphasis>port number</emphasis>; if the protocol is <emphasis
|
||||
<para>Optional destination Ports. A Port name (from services(5)) or
|
||||
a <emphasis>port number</emphasis>; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port.</para>
|
||||
<para>Optional source port.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TOS</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">TOS</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>tos</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Specifies the value of the TOS field. The
|
||||
<para>Optional - specifies the value of the TOS field. The
|
||||
<replaceable>tos</replaceable> value can be any of the
|
||||
following:</para>
|
||||
|
||||
@ -175,12 +176,12 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">LENGTH</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">LENGTH</emphasis> - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Must be a power of 2 between 32 and 8192 inclusive. Packets
|
||||
with a total length that is strictly less than the specified
|
||||
<para>Optional. Must be a power of 2 between 32 and 8192 inclusive.
|
||||
Packets with a total length that is strictly less than the specified
|
||||
<replaceable>number</replaceable> will match the rule.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -104,7 +104,9 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -139,7 +141,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>IN-BANDWIDTH -
|
||||
<term>IN-BANDWIDTH (in_bandwidth) -
|
||||
[<replaceable>rate</replaceable>[:<replaceable>burst</replaceable>]]</term>
|
||||
|
||||
<listitem>
|
||||
@ -169,7 +171,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>OUT-BANDWIDTH -
|
||||
<term>OUT-BANDWIDTH (out_bandwidth) -
|
||||
[<replaceable>rate</replaceable>[:[<replaceable>burst</replaceable>][:[<replaceable>latency</replaceable>][:[<replaceable>peek</replaceable>][:[<replaceable>minburst</replaceable>]]]]]]</term>
|
||||
|
||||
<listitem>
|
||||
@ -204,10 +206,10 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcpri, shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
shorewall6-zones(5)</para>
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcpri, shorewall6-tos(5),
|
||||
shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
||||
@ -38,7 +38,9 @@
|
||||
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
|
||||
</important>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -421,14 +423,14 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Destination Ports. A comma-separated list of Port names (from
|
||||
services(5)), <emphasis>port number</emphasis>s or <emphasis>port
|
||||
range</emphasis>s; if the protocol is <emphasis
|
||||
<para>Optional destination Ports. A comma-separated list of Port
|
||||
names (from services(5)), <emphasis>port number</emphasis>s or
|
||||
<emphasis>port range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">ipv6-icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numberic type and code separated by a slash (e.g., 3/4), or
|
||||
@ -448,15 +450,15 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
||||
[<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Source port(s). If omitted, any source port is acceptable.
|
||||
Specified as a comma-separated list of port names, port numbers or
|
||||
port ranges.</para>
|
||||
<para>Optional source port(s). If omitted, any source port is
|
||||
acceptable. Specified as a comma-separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
@ -465,13 +467,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
|
||||
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column may only be non-empty if the SOURCE is the
|
||||
firewall itself.</para>
|
||||
<para>This optional column may only be non-empty if the SOURCE is
|
||||
the firewall itself.</para>
|
||||
|
||||
<para>When this column is non-empty, the rule applies only if the
|
||||
program generating the output is running under the effective
|
||||
@ -511,13 +513,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TEST</emphasis>(Optional) - [<emphasis
|
||||
<term><emphasis role="bold">TEST</emphasis> - [<emphasis
|
||||
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
|
||||
role="bold">:C</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Defines a test on the existing packet or connection mark. The
|
||||
rule will match only if the test returns true.</para>
|
||||
<para>Optional. Defines a test on the existing packet or connection
|
||||
mark. The rule will match only if the test returns true.</para>
|
||||
|
||||
<para>If you don't want to define a test but need to specify
|
||||
anything in the following columns, place a "-" in this field.</para>
|
||||
@ -560,15 +562,15 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">LENGTH</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">LENGTH</emphasis> -
|
||||
[<emphasis>length</emphasis>|[<emphasis>min</emphasis>]<emphasis
|
||||
role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Packet Length. This field, if present allow you to match the
|
||||
length of a packet against a specific value or range of values. You
|
||||
must have ip6tables length support for this to work. A range is
|
||||
specified in the form
|
||||
<para>Optional packet Length. This field, if present allow you to
|
||||
match the length of a packet against a specific value or range of
|
||||
values. You must have ip6tables length support for this to work. A
|
||||
range is specified in the form
|
||||
<emphasis>min</emphasis>:<emphasis>max</emphasis> where either
|
||||
<emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
|
||||
may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is
|
||||
@ -594,7 +596,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CONNBYTES</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">CONNBYTES</emphasis> -
|
||||
[!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis
|
||||
role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
|
||||
role="bold">B</emphasis>}[:{<emphasis
|
||||
@ -602,8 +604,9 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
role="bold">A</emphasis>}]]]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Connection Bytes; defines a byte or packet range that the
|
||||
connection must fall within in order for the rule to match.</para>
|
||||
<para>Optional connection Bytes; defines a byte or packet range that
|
||||
the connection must fall within in order for the rule to
|
||||
match.</para>
|
||||
|
||||
<para>A packet matches if the the packet/byte count is within the
|
||||
range defined by <emphasis>min</emphasis> and
|
||||
@ -641,17 +644,17 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">HELPER (Optional) -
|
||||
<term><emphasis role="bold">HELPER -
|
||||
</emphasis><emphasis>helper</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Names a Netfiler protocol <firstterm>helper</firstterm> module
|
||||
such as <option>ftp</option>, <option>sip</option>,
|
||||
<option>amanda</option>, etc. A packet will match if it was accepted
|
||||
by the named helper module. You can also append "-" and a port
|
||||
number to the helper module name (e.g., <emphasis
|
||||
role="bold">ftp-21</emphasis>) to specify the port number that the
|
||||
original connection was made on.</para>
|
||||
<para>Optional. Names a Netfiler protocol
|
||||
<firstterm>helper</firstterm> module such as <option>ftp</option>,
|
||||
<option>sip</option>, <option>amanda</option>, etc. A packet will
|
||||
match if it was accepted by the named helper module. You can also
|
||||
append "-" and a port number to the helper module name (e.g.,
|
||||
<emphasis role="bold">ftp-21</emphasis>) to specify the port number
|
||||
that the original connection was made on.</para>
|
||||
|
||||
<para>Example: Mark all FTP data connections with mark
|
||||
4:<programlisting>#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
|
||||
@ -30,7 +30,9 @@
|
||||
url="http://www.shorewall.net/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
|
||||
for details.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -131,16 +133,17 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">GATEWAY ZONES</emphasis> (Optional) -
|
||||
<term><emphasis role="bold">GATEWAY ZONES</emphasis> (gateway_zone) -
|
||||
[<emphasis>zone</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>zone</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If the gateway system specified in the third column is a
|
||||
standalone host then this column should contain a comma-separated
|
||||
list of the names of the zones that the host might be in. This
|
||||
column only applies to IPSEC tunnels where it enables ISAKMP traffic
|
||||
to flow through the tunnel to the remote gateway.</para>
|
||||
<para>Optional. If the gateway system specified in the third column
|
||||
is a standalone host then this column should contain a
|
||||
comma-separated list of the names of the zones that the host might
|
||||
be in. This column only applies to IPSEC tunnels where it enables
|
||||
ISAKMP traffic to flow through the tunnel to the remote
|
||||
gateway.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
@ -28,7 +28,9 @@
|
||||
<filename>/etc/shorewall6/interfaces</filename> or
|
||||
<filename>/etc/shorewall6/hosts</filename>.</para>
|
||||
|
||||
<para>The columns in the file are as follows.</para>
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
followed by a different name in parentheses, the different name is used in
|
||||
the alternate specification syntax).</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -189,7 +191,8 @@ c:a,b ipv6</programlisting>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">OPTIONS, IN OPTIONS and OUT
|
||||
OPTIONS</emphasis> - [<emphasis>option</emphasis>[<emphasis
|
||||
OPTIONS</emphasis> (options, in_options, out_options) -
|
||||
[<emphasis>option</emphasis>[<emphasis
|
||||
role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user