Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code
# Conflicts: # Shorewall-init/install.sh
commit
1d79cbc54e
22
Shorewall-core/configure
vendored
22
Shorewall-core/configure
vendored
@ -91,6 +91,8 @@ for p in $@; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
cd $(dirname $0)
|
||||||
|
|
||||||
vendor=${params[HOST]}
|
vendor=${params[HOST]}
|
||||||
|
|
||||||
if [ -z "$vendor" ]; then
|
if [ -z "$vendor" ]; then
|
||||||
@ -102,7 +104,7 @@ if [ -z "$vendor" ]; then
|
|||||||
vendor=redhat
|
vendor=redhat
|
||||||
;;
|
;;
|
||||||
debian|ubuntu)
|
debian|ubuntu)
|
||||||
ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
|
vendor=debian
|
||||||
;;
|
;;
|
||||||
opensuse)
|
opensuse)
|
||||||
vendor=suse
|
vendor=suse
|
||||||
@ -122,7 +124,6 @@ if [ -z "$vendor" ]; then
|
|||||||
params[HOST]=apple
|
params[HOST]=apple
|
||||||
rcfile=shorewallrc.apple
|
rcfile=shorewallrc.apple
|
||||||
;;
|
;;
|
||||||
|
|
||||||
cygwin*|CYGWIN*)
|
cygwin*|CYGWIN*)
|
||||||
params[HOST]=cygwin
|
params[HOST]=cygwin
|
||||||
rcfile=shorewallrc.cygwin
|
rcfile=shorewallrc.cygwin
|
||||||
@ -130,7 +131,7 @@ if [ -z "$vendor" ]; then
|
|||||||
*)
|
*)
|
||||||
if [ -f /etc/debian_version ]; then
|
if [ -f /etc/debian_version ]; then
|
||||||
params[HOST]=debian
|
params[HOST]=debian
|
||||||
rcfile=shorewallrc.debian.sysvinit
|
ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
|
||||||
elif [ -f /etc/redhat-release ]; then
|
elif [ -f /etc/redhat-release ]; then
|
||||||
params[HOST]=redhat
|
params[HOST]=redhat
|
||||||
rcfile=shorewallrc.redhat
|
rcfile=shorewallrc.redhat
|
||||||
@ -152,12 +153,16 @@ if [ -z "$vendor" ]; then
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
vendor=${params[HOST]}
|
vendor=${params[HOST]}
|
||||||
elif [ $vendor = linux ]; then
|
|
||||||
rcfile=shorewallrc.default;
|
|
||||||
else
|
else
|
||||||
rcfile=shorewallrc.$vendor
|
if [ $vendor = linux ]; then
|
||||||
|
rcfile=shorewallrc.default;
|
||||||
|
elif [ $vendor = debian -a -f /etc/debian_version ]; then
|
||||||
|
ls -l /sbin/init | fgrep -q systemd && rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
|
||||||
|
else
|
||||||
|
rcfile=shorewallrc.$vendor
|
||||||
|
fi
|
||||||
|
|
||||||
if [ ! -f $rcfile ]; then
|
if [ ! -f $rcfile ]; then
|
||||||
echo "ERROR: $vendor is not a recognized host type" >&2
|
echo "ERROR: $vendor is not a recognized host type" >&2
|
||||||
exit 1
|
exit 1
|
||||||
@ -170,7 +175,7 @@ fi
|
|||||||
if [ $vendor = linux ]; then
|
if [ $vendor = linux ]; then
|
||||||
echo "INFO: Creating a generic Linux installation - " `date`;
|
echo "INFO: Creating a generic Linux installation - " `date`;
|
||||||
else
|
else
|
||||||
echo "INFO: Creating a ${vendor}-specific installation - " `date`;
|
echo "INFO: Creating a $params[HOST]-specific installation - " `date`;
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo
|
echo
|
||||||
@ -183,6 +188,7 @@ done
|
|||||||
|
|
||||||
echo '#' > shorewallrc
|
echo '#' > shorewallrc
|
||||||
echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
|
echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
|
||||||
|
echo "# rc file: $rcfile" >> shorewallrc
|
||||||
echo '#' >> shorewallrc
|
echo '#' >> shorewallrc
|
||||||
|
|
||||||
if [ $# -gt 0 ]; then
|
if [ $# -gt 0 ]; then
|
||||||
|
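Review bot: The new INFO line in hunk `@ -170,7 +175,7` expands `$params[HOST]` without braces; in bash that is `$params` followed by the literal text `[HOST]`, so the message reads `Creating a [HOST]-specific installation` instead of naming the host, while the rest of the script writes `${params[HOST]}` (see the `vendor=${params[HOST]}` lines). Use `echo "INFO: Creating a ${params[HOST]}-specific installation - " ...` there. Separately, the systemd probe `ls -l /sbin/init | fgrep -q systemd` now appears twice (under the `*)` auto-detect case and in the new `elif [ $vendor = debian -a -f /etc/debian_version ]` branch) and matches the string anywhere in the ls listing — owner, group or date, not only the link target; `readlink -f /sbin/init 2>/dev/null | fgrep -q systemd` (or a test for `/run/systemd/system`) is tighter, and keeping it in one small function would stop the two branches drifting apart.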
@ -81,7 +81,20 @@ unless ( defined $vendor ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( defined $vendor ) {
|
if ( defined $vendor ) {
|
||||||
$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
|
if ( $vendor eq 'debian' && -f '/etc/debian_version' ) {
|
||||||
|
if ( -l '/sbin/init' ) {
|
||||||
|
if ( readlink '/sbin/init' =~ /systemd/ ) {
|
||||||
|
$rcfilename = 'debian.systemd';
|
||||||
|
} else {
|
||||||
|
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
|
||||||
|
}
|
||||||
|
|
||||||
unless ( -f $rcfilename ) {
|
unless ( -f $rcfilename ) {
|
||||||
die qq("ERROR: $vendor" is not a recognized host type);
|
die qq("ERROR: $vendor" is not a recognized host type);
|
||||||
} elsif ( $vendor eq 'default' ) {
|
} elsif ( $vendor eq 'default' ) {
|
||||||
@ -90,7 +103,15 @@ if ( defined $vendor ) {
|
|||||||
} else {
|
} else {
|
||||||
if ( -f '/etc/debian_version' ) {
|
if ( -f '/etc/debian_version' ) {
|
||||||
$vendor = 'debian';
|
$vendor = 'debian';
|
||||||
$rcfilename = 'shorewallrc.debian.sysvinit';
|
if ( -l '/sbin/init' ) {
|
||||||
|
if ( readlink '/sbin/init' =~ /systemd/ ) {
|
||||||
|
$rcfilename = 'debian.systemd';
|
||||||
|
} else {
|
||||||
|
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$rcfilename = 'shorewallrc.debian.sysvinit';
|
||||||
|
}
|
||||||
} elsif ( -f '/etc/redhat-release' ){
|
} elsif ( -f '/etc/redhat-release' ){
|
||||||
$vendor = 'redhat';
|
$vendor = 'redhat';
|
||||||
$rcfilename = 'shorewallrc.redhat';
|
$rcfilename = 'shorewallrc.redhat';
|
||||||
|
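Review bot: Both new systemd branches assign `$rcfilename = 'debian.systemd';` (once under `if ( defined $vendor )`, once in the auto-detect `/etc/debian_version` block), dropping the `shorewallrc.` prefix that every other assignment in these hunks carries; on a systemd Debian host the following `unless ( -f $rcfilename )` test therefore dies with the misleading message that "debian" is not a recognized host type. Change both to `$rcfilename = 'shorewallrc.debian.systemd';`. I also believe `readlink '/sbin/init' =~ /systemd/` parses as `readlink('/sbin/init' =~ /systemd/)`, since `readlink` is a named unary operator and `=~` binds more tightly, which would make the systemd branch unreachable; `readlink('/sbin/init') =~ /systemd/` removes the doubt. The detection block is duplicated verbatim, so a small sub would keep the fix in one place.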
@ -1052,11 +1052,13 @@ show_command() {
|
|||||||
conntrack -f ipv6 -L $@ | show_connections_filter
|
conntrack -f ipv6 -L $@ | show_connections_filter
|
||||||
else
|
else
|
||||||
[ $# -gt 1 ] && usage 1
|
[ $# -gt 1 ] && usage 1
|
||||||
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
|
||||||
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
|
||||||
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
|
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
|
||||||
echo
|
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
|
||||||
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
|
echo
|
||||||
|
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
nat)
|
nat)
|
||||||
|
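Review bot: The guard added to the IPv6 fallback branch tests `-f /proc/sys/net/nf_conntrack`, but nothing inside the guarded block reads that path — the block reads `/proc/sys/net/netfilter/nf_conntrack_max` and `/proc/net/nf_conntrack` — so if the tested name does not exist the whole listing is skipped and `show connections` prints nothing, with no diagnostic, which is easy to mistake for an empty conntrack table. I would test the files actually read, `if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/net/nf_conntrack ]; then`, and add an `else` branch that reports to stderr that the conntrack proc interface is unavailable. show_command begins and ends outside this hunk.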
@ -316,6 +316,7 @@ reload_kernel_modules() {
|
|||||||
local moduleloader
|
local moduleloader
|
||||||
moduleloader=modprobe
|
moduleloader=modprobe
|
||||||
local uname
|
local uname
|
||||||
|
local extras
|
||||||
|
|
||||||
if ! qt mywhich modprobe; then
|
if ! qt mywhich modprobe; then
|
||||||
moduleloader=insmod
|
moduleloader=insmod
|
||||||
@ -323,9 +324,25 @@ reload_kernel_modules() {
|
|||||||
|
|
||||||
[ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
|
[ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]
|
||||||
|
|
||||||
[ -z "$MODULESDIR" ] && \
|
if [ -n "$MODULESDIR" ]; then
|
||||||
uname=$(uname -r) && \
|
case "$MODULESDIR" in
|
||||||
|
+*)
|
||||||
|
extras="$MODULESDIR"
|
||||||
|
extras=${extras#+}
|
||||||
|
MODULESDIR=
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$MODULESDIR" ]; then
|
||||||
|
uname=$(uname -r)
|
||||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||||
|
if [ -n "$extras" ]; then
|
||||||
|
for directory in $(split "$extras"); do
|
||||||
|
MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
|
||||||
|
|
||||||
@ -355,6 +372,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
|||||||
local savemoduleinfo
|
local savemoduleinfo
|
||||||
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
savemoduleinfo=${1:-Yes} # So old compiled scripts still work
|
||||||
local uname
|
local uname
|
||||||
|
local extras
|
||||||
|
|
||||||
if ! qt mywhich modprobe; then
|
if ! qt mywhich modprobe; then
|
||||||
moduleloader=insmod
|
moduleloader=insmod
|
||||||
@ -362,9 +380,25 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
|
|||||||
|
|
||||||
[ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
|
[ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]
|
||||||
|
|
||||||
[ -z "$MODULESDIR" ] && \
|
if [ -n "$MODULESDIR" ]; then
|
||||||
uname=$(uname -r) && \
|
case "$MODULESDIR" in
|
||||||
|
+*)
|
||||||
|
extras="$MODULESDIR"
|
||||||
|
extras=${extras#+}
|
||||||
|
MODULESDIR=
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$MODULESDIR" ]; then
|
||||||
|
uname=$(uname -r)
|
||||||
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
|
||||||
|
if [ -n "$extras" ]; then
|
||||||
|
for directory in $(split "$extras"); do
|
||||||
|
MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
for directory in $(split $MODULESDIR); do
|
for directory in $(split $MODULESDIR); do
|
||||||
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
[ -d $directory ] && moduledirectories="$moduledirectories $directory"
|
||||||
|
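Review bot: The MODULESDIR resolution added at the top of reload_kernel_modules — the `+*)` case, the `MODULESDIR=` reset, the default path and the `extras` loop — is repeated line for line in load_kernel_modules, and the two functions' MODULE_SUFFIX defaults on the context lines already differ in order, which suggests the copies will drift. I would move the block into one helper and call it from both, and give the `+dir1:dir2` syntax a comment, since nothing in the hunk says that a leading `+` appends to the default search path rather than replacing it. Both functions start before and run past the hunk; if `$uname` is referenced later in either, keep that assignment in the caller.
```shell
# Build MODULESDIR. A value of "+dir1:dir2" keeps the default search
# path and appends /lib/modules/$(uname -r)/dir1, .../dir2 to it.
resolve_modulesdir() {
    local uname
    local extras
    local directory

    case "$MODULESDIR" in
        +*)
            extras=${MODULESDIR#+}
            MODULESDIR=
            ;;
    esac

    if [ -z "$MODULESDIR" ]; then
        uname=$(uname -r)
        MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

        if [ -n "$extras" ]; then
            for directory in $(split "$extras"); do
                MODULESDIR="$MODULESDIR:/lib/modules/$uname/$directory"
            done
        fi
    fi
}

# … unchanged: moduleloader / MODULE_SUFFIX setup in each function …
    resolve_modulesdir
# … unchanged: rest of reload_kernel_modules / load_kernel_modules …
```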
@ -493,8 +493,7 @@ if [ -z "$DESTDIR" ]; then
|
|||||||
if [ $HOST = debian ]; then
|
if [ $HOST = debian ]; then
|
||||||
if [ -n "$SERVICEDIR" ]; then
|
if [ -n "$SERVICEDIR" ]; then
|
||||||
if systemctl enable ${PRODUCT}.service; then
|
if systemctl enable ${PRODUCT}.service; then
|
||||||
echo "Shorewall Init will start automatically at
|
echo "Shorewall Init will start automatically at boot"
|
||||||
boot"
|
|
||||||
fi
|
fi
|
||||||
elif mywhich insserv; then
|
elif mywhich insserv; then
|
||||||
if insserv ${INITDIR}/shorewall-init; then
|
if insserv ${INITDIR}/shorewall-init; then
|
||||||
|
@ -195,9 +195,11 @@ if [ -f "$FIREWALL" ]; then
|
|||||||
remove_file $FIREWALL
|
remove_file $FIREWALL
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$SYSTEMD" ]; then
|
[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
|
||||||
|
|
||||||
|
if [ -n "$SERVICEDIR" ]; then
|
||||||
[ $configure -eq 1 ] && systemctl disable ${PRODUCT}
|
[ $configure -eq 1 ] && systemctl disable ${PRODUCT}
|
||||||
rm -f $SYSTEMD/shorewall-lite.service
|
rm -f $SERVICEDIR/shorewall-lite.service
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -f ${SBINDIR}/shorewall-lite
|
rm -f ${SBINDIR}/shorewall-lite
|
||||||
|
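Review bot: The new `rm -f $SERVICEDIR/shorewall-lite.service` hard-codes the unit name while the line just above it disables `${PRODUCT}`; the two should name the same unit, so `rm -f "$SERVICEDIR/${PRODUCT}.service"` keeps them in step and quotes the path. The `[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"` fallback for older shorewallrc files is worth a one-line comment saying that `SYSTEMD` is the legacy name, so nobody removes it as dead code later.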
@ -403,13 +403,15 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
|
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis
|
role="bold">-</emphasis>|<emphasis
|
||||||
role="bold">any</emphasis>|<emphasis
|
role="bold">any</emphasis>|<emphasis
|
||||||
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
|
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
|
||||||
role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
|
role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
<para>This column was formerly named DESTINATION.</para>
|
||||||
|
|
||||||
<para>Packet Destination.</para>
|
<para>Packet Destination.</para>
|
||||||
|
|
||||||
<para>Format same as <emphasis role="bold">SOURCE</emphasis>
|
<para>Format same as <emphasis role="bold">SOURCE</emphasis>
|
||||||
@ -418,7 +420,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
|
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis
|
role="bold">-</emphasis>|<emphasis
|
||||||
role="bold">{any</emphasis>|<emphasis
|
role="bold">{any</emphasis>|<emphasis
|
||||||
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
|
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
|
||||||
@ -428,6 +430,8 @@
|
|||||||
role="bold">all</emphasis>}]}[,...]}</term>
|
role="bold">all</emphasis>}]}[,...]}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
<para>This column was formerly named PROTOCOL</para>
|
||||||
|
|
||||||
<para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
|
<para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
|
||||||
<emphasis>protocol-number</emphasis>, <emphasis
|
<emphasis>protocol-number</emphasis>, <emphasis
|
||||||
role="bold">ipp2p</emphasis>, <emphasis
|
role="bold">ipp2p</emphasis>, <emphasis
|
||||||
@ -440,8 +444,8 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
role="bold">-</emphasis>|<emphasis
|
||||||
role="bold">any</emphasis>|<emphasis
|
role="bold">any</emphasis>|<emphasis
|
||||||
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||||
|
|
||||||
@ -460,12 +464,14 @@
|
|||||||
("iptables -m ipp2p --help") without the leading "--". If no option
|
("iptables -m ipp2p --help") without the leading "--". If no option
|
||||||
is given in this column, <emphasis role="bold">ipp2p</emphasis> is
|
is given in this column, <emphasis role="bold">ipp2p</emphasis> is
|
||||||
assumed.</para>
|
assumed.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly named DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport)-
|
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
role="bold">-</emphasis>|<emphasis
|
||||||
role="bold">any</emphasis>|<emphasis
|
role="bold">any</emphasis>|<emphasis
|
||||||
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||||
|
|
||||||
@ -482,20 +488,22 @@
|
|||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DEST PORT(S) column is non-empty. This
|
||||||
causes the rule to match when either the source port or the
|
causes the rule to match when either the source port or the
|
||||||
destination port in a packet matches one of the ports specified in
|
destination port in a packet matches one of the ports specified in
|
||||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
DPORT. Use of '=' requires multi-port match in your iptables and
|
||||||
and kernel.</para>
|
kernel.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This column may only be non-empty if the <emphasis
|
<para>This column was formerly named USER/GROUP and may only be
|
||||||
role="bold">CHAIN</emphasis> is <emphasis
|
non-empty if the <emphasis role="bold">CHAIN</emphasis> is <emphasis
|
||||||
role="bold">OUTPUT</emphasis>.</para>
|
role="bold">OUTPUT</emphasis>.</para>
|
||||||
|
|
||||||
<para>When this column is non-empty, the rule applies only if the
|
<para>When this column is non-empty, the rule applies only if the
|
||||||
|
@ -273,7 +273,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>ARP OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
|
<term>OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Optional. Describes the type of frame. Possible
|
<para>Optional. Describes the type of frame. Possible
|
||||||
|
@ -424,7 +424,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>DEST PORT(S) (dport) - port-number/service-name-list</term>
|
<term>DPORT - port-number/service-name-list</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>A comma-separated list of port numbers and/or service names
|
<para>A comma-separated list of port numbers and/or service names
|
||||||
@ -432,11 +432,13 @@
|
|||||||
ranges of the form
|
ranges of the form
|
||||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||||
if your kernel and iptables include port range support.</para>
|
if your kernel and iptables include port range support.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
|
<term>SPORT - port-number/service-name-list</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>A comma-separated list of port numbers and/or service names
|
<para>A comma-separated list of port numbers and/or service names
|
||||||
@ -446,22 +448,24 @@
|
|||||||
if your kernel and iptables include port range support.</para>
|
if your kernel and iptables include port range support.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DPORT column is non-empty. This causes the
|
||||||
causes the rule to match when either the source port or the
|
rule to match when either the source port or the destination port in
|
||||||
destination port in a packet matches one of the ports specified in
|
a packet matches one of the ports specified in DPORT. Use of '='
|
||||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
requires multi-port match in your iptables and kernel.</para>
|
||||||
and kernel.</para>
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>USER/GROUP (user) ‒
|
<term>USER ‒
|
||||||
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>May only be specified if the SOURCE
|
<para>This column was formerly named USER/GROUP and may only be
|
||||||
<replaceable>zone</replaceable> is $FW. Specifies the effective user
|
specified if the SOURCE <replaceable>zone</replaceable> is $FW.
|
||||||
id and or group id of the process sending the traffic.</para>
|
Specifies the effective user id and or group id of the process
|
||||||
|
sending the traffic.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -520,8 +524,7 @@
|
|||||||
|
|
||||||
<para>Example 1:</para>
|
<para>Example 1:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||||
# PORT(S) PORT(S)
|
|
||||||
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
|
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
|
||||||
|
|
||||||
<para>Example 2 (Shorewall 4.5.10 or later):</para>
|
<para>Example 2 (Shorewall 4.5.10 or later):</para>
|
||||||
@ -529,14 +532,12 @@ CT:helper:ftp(expevents=new) fw - tcp
|
|||||||
<para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
|
<para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
|
||||||
|
|
||||||
<programlisting>FORMAT 2
|
<programlisting>FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||||
# PORT(S) PORT(S)
|
|
||||||
DROP all-:1.2.3.4 -
|
DROP all-:1.2.3.4 -
|
||||||
DROP all 1.2.3.4</programlisting>
|
DROP all 1.2.3.4</programlisting>
|
||||||
|
|
||||||
<para>or<programlisting>FORMAT 3
|
<para>or<programlisting>FORMAT 3
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||||
# PORT(S) PORT(S)
|
|
||||||
DROP:P 1.2.3.4 -
|
DROP:P 1.2.3.4 -
|
||||||
DROP:PO - 1.2.3.4
|
DROP:PO - 1.2.3.4
|
||||||
</programlisting></para>
|
</programlisting></para>
|
||||||
|
@ -76,8 +76,7 @@ z2 net REJECT</programlisting>
|
|||||||
|
|
||||||
<para>/etc/shorewall/rules:</para>
|
<para>/etc/shorewall/rules:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
ACCEPT all!z2 net tcp 22</programlisting>
|
ACCEPT all!z2 net tcp 22</programlisting>
|
||||||
|
|
||||||
<para>In this case, SSH connections from <emphasis
|
<para>In this case, SSH connections from <emphasis
|
||||||
|
@ -57,7 +57,7 @@
|
|||||||
<option>dst</option>. Example: myset[src,dst].</member>
|
<option>dst</option>. Example: myset[src,dst].</member>
|
||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
|
<para>In a SOURCE or SPORT column, the following pairs are
|
||||||
equivalent:</para>
|
equivalent:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
@ -66,7 +66,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>In a DEST or DEST PORT(S) column, the following pairs are
|
<para>In a DEST or DPORT column, the following pairs are
|
||||||
equivalent:</para>
|
equivalent:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
|
@ -570,8 +570,7 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
|||||||
that problem. SAME may be used in the PREROUTING and OUTPUT
|
that problem. SAME may be used in the PREROUTING and OUTPUT
|
||||||
chains. When used in PREROUTING, it causes matching
|
chains. When used in PREROUTING, it causes matching
|
||||||
connections from an individual local system to all use the
|
connections from an individual local system to all use the
|
||||||
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
|
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||||
If a host in 192.168.1.0/24 attempts a connection on TCP port
|
If a host in 192.168.1.0/24 attempts a connection on TCP port
|
||||||
80 or 443 and it has sent a packet on either of those ports in
|
80 or 443 and it has sent a packet on either of those ports in
|
||||||
@ -581,8 +580,7 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
|||||||
|
|
||||||
<para>When used in the OUTPUT chain, it causes all matching
|
<para>When used in the OUTPUT chain, it causes all matching
|
||||||
connections to an individual remote system to all use the same
|
connections to an individual remote system to all use the same
|
||||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
|
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
|
||||||
optional <replaceable>timeout</replaceable> parameter was
|
optional <replaceable>timeout</replaceable> parameter was
|
||||||
added in Shorewall 4.6.7 and specifies a number of seconds .
|
added in Shorewall 4.6.7 and specifies a number of seconds .
|
||||||
@ -835,7 +833,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - {<emphasis
|
<term><emphasis role="bold">DPORT</emphasis>- {<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||||
|
|
||||||
@ -863,12 +861,13 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<replaceable>ipset</replaceable> name can be specified in this
|
<replaceable>ipset</replaceable> name can be specified in this
|
||||||
column. This is intended to be used with
|
column. This is intended to be used with
|
||||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly named DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||||
{<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||||
|
|
||||||
@ -882,16 +881,17 @@ Normal-Service => 0x00</programlisting>
|
|||||||
the following fields is supplied.</para>
|
the following fields is supplied.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DPORT column is non-empty. This causes the
|
||||||
causes the rule to match when either the source port or the
|
rule to match when either the source port or the destination port in
|
||||||
destination port in a packet matches one of the ports specified in
|
a packet matches one of the ports specified in DEST PORTS(S). Use of
|
||||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
'=' requires multi-port match in your iptables and kernel.</para>
|
||||||
and kernel.</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.6.0, an
|
<para>Beginning with Shorewall 4.6.0, an
|
||||||
<replaceable>ipset</replaceable> name can be specified in this
|
<replaceable>ipset</replaceable> name can be specified in this
|
||||||
column. This is intended to be used with
|
column. This is intended to be used with
|
||||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1097,8 +1097,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
by the named helper module.</para>
|
by the named helper module.</para>
|
||||||
|
|
||||||
<para>Example: Mark all FTP data connections with mark
|
<para>Example: Mark all FTP data connections with mark
|
||||||
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
4:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||||
# PORT(S)
|
|
||||||
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
|
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1287,8 +1286,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>We assume packet/connection mark 0 means unclassified.</para>
|
<para>We assume packet/connection mark 0 means unclassified.</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||||
# PORT(S)
|
|
||||||
MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
|
||||||
MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
|
||||||
RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
|
RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
|
||||||
@ -1313,8 +1311,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<programlisting>/etc/shorewall/tcrules:
|
<programlisting>/etc/shorewall/tcrules:
|
||||||
|
|
||||||
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||||
# PORT(S)
|
|
||||||
CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
|
CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
|
||||||
|
|
||||||
/etc/shorewall/masq:
|
/etc/shorewall/masq:
|
||||||
|
@ -249,7 +249,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
|
<term><emphasis role="bold">PORT</emphasis> (Optional) -
|
||||||
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -429,13 +429,14 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
|
||||||
[<emphasis
|
|
||||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
<para>This column was formerly labelled USER/GROUP.</para>
|
||||||
|
|
||||||
<para>Only locally-generated connections will match if this column
|
<para>Only locally-generated connections will match if this column
|
||||||
is non-empty.</para>
|
is non-empty.</para>
|
||||||
|
|
||||||
@ -538,8 +539,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||||
[<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -550,6 +550,8 @@
|
|||||||
original destination address matches one of the listed addresses. It
|
original destination address matches one of the listed addresses. It
|
||||||
is useful for specifying that SNAT should occur only for connections
|
is useful for specifying that SNAT should occur only for connections
|
||||||
that were acted on by a DNAT when they entered the firewall.</para>
|
that were acted on by a DNAT when they entered the firewall.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -639,7 +641,7 @@
|
|||||||
172.20.1.0/29 to be sent from eth0 with source IP address
|
172.20.1.0/29 to be sent from eth0 with source IP address
|
||||||
206.124.146.176.</para>
|
206.124.146.176.</para>
|
||||||
|
|
||||||
<programlisting> #INTERFACE SOURCE ADDRESS PROTO PORT(S)
|
<programlisting> #INTERFACE SOURCE ADDRESS PROTO DPORT
|
||||||
eth0 172.20.1.0/29 206.124.146.177 tcp smtp
|
eth0 172.20.1.0/29 206.124.146.177 tcp smtp
|
||||||
eth0 172.20.1.0/29 206.124.146.176</programlisting>
|
eth0 172.20.1.0/29 206.124.146.176</programlisting>
|
||||||
|
|
||||||
@ -672,8 +674,7 @@
|
|||||||
|
|
||||||
<programlisting>/etc/shorewall/tcrules:
|
<programlisting>/etc/shorewall/tcrules:
|
||||||
|
|
||||||
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||||
# PORT(S)
|
|
||||||
1-3:CF 192.168.1.0/24 eth0 ; state=NEW
|
1-3:CF 192.168.1.0/24 eth0 ; state=NEW
|
||||||
|
|
||||||
/etc/shorewall/masq:
|
/etc/shorewall/masq:
|
||||||
|
@ -106,15 +106,16 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
|
<term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
|
||||||
[<emphasis role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
role="bold">No</emphasis>]</term>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If Yes or yes, NAT will be effective from all hosts. If No or
|
<para>If Yes or yes, NAT will be effective from all hosts. If No or
|
||||||
no (or left empty) then NAT will be effective only through the
|
no (or left empty) then NAT will be effective only through the
|
||||||
interface named in the <emphasis role="bold">INTERFACE</emphasis>
|
interface named in the <emphasis role="bold">INTERFACE</emphasis>
|
||||||
column.</para>
|
column.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled ALL INTERFACES.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -160,8 +161,7 @@ smc eth0:10.1.10.0/24</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/nat</filename>:</para>
|
<para><filename>/etc/shorewall/nat</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||||
# INTERFACES
|
|
||||||
10.1.10.100 eth0 172.20.1.100
|
10.1.10.100 eth0 172.20.1.100
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
@ -170,8 +170,7 @@ smc eth0:10.1.10.0/24</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
|
||||||
?SECTION ALL
|
?SECTION ALL
|
||||||
?SECTION ESTABLISHED
|
?SECTION ESTABLISHED
|
||||||
?SECTION RELATED
|
?SECTION RELATED
|
||||||
|
@ -82,7 +82,7 @@
|
|||||||
|
|
||||||
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
|
<para>Partial <filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
...
|
...
|
||||||
DNAT sam loc:192.168.1.3 tcp ssh
|
DNAT sam loc:192.168.1.3 tcp ssh
|
||||||
DNAT net loc:192.168.1.5 tcp www
|
DNAT net loc:192.168.1.5 tcp www
|
||||||
@ -100,7 +100,7 @@
|
|||||||
Because of the way that Netfilter is constructed, this requires two rules
|
Because of the way that Netfilter is constructed, this requires two rules
|
||||||
as follows:</para>
|
as follows:</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
...
|
...
|
||||||
ACCEPT+ sam $FW tcp ssh
|
ACCEPT+ sam $FW tcp ssh
|
||||||
DNAT net loc:192.168.1.3 tcp ssh
|
DNAT net loc:192.168.1.3 tcp ssh
|
||||||
@ -143,8 +143,7 @@
|
|||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>As a consequence, the following rules will have unexpected
|
<para>As a consequence, the following rules will have unexpected
|
||||||
behavior:<programlisting> #ACTION SOURCE DEST PROTO DEST
|
behavior:<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
ACCEPT net dmz tcp 80
|
ACCEPT net dmz tcp 80
|
||||||
REDIRECT loc 3128 tcp 80</programlisting></para>
|
REDIRECT loc 3128 tcp 80</programlisting></para>
|
||||||
|
|
||||||
@ -173,8 +172,7 @@
|
|||||||
|
|
||||||
<para>When using other Shorewall versions, another way is to rewrite the
|
<para>When using other Shorewall versions, another way is to rewrite the
|
||||||
DNAT rule (assume that the local zone is entirely within
|
DNAT rule (assume that the local zone is entirely within
|
||||||
192.168.2.0/23):<programlisting> #ACTION SOURCE DEST PROTO DEST
|
192.168.2.0/23):<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
ACCEPT net dmz tcp 80
|
ACCEPT net dmz tcp 80
|
||||||
REDIRECT loc:192.168.2.0/23 3128 tcp 80</programlisting></para>
|
REDIRECT loc:192.168.2.0/23 3128 tcp 80</programlisting></para>
|
||||||
|
|
||||||
|
@ -137,7 +137,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
|
<term><emphasis role="bold">DPORT</emphasis> -
|
||||||
<emphasis>port-number-or-name-list</emphasis></term>
|
<emphasis>port-number-or-name-list</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -160,11 +160,13 @@
|
|||||||
<para>An entry in this field requires that the PROTO column specify
|
<para>An entry in this field requires that the PROTO column specify
|
||||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||||
any of the following field is supplied.</para>
|
any of the following field is supplied.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> -
|
<term><emphasis role="bold">SPORT</emphasis> -
|
||||||
<emphasis>port-number-or-name-list</emphasis></term>
|
<emphasis>port-number-or-name-list</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -176,6 +178,8 @@
|
|||||||
<para>An entry in this field requires that the PROTO column specify
|
<para>An entry in this field requires that the PROTO column specify
|
||||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||||
the following fields is supplied.</para>
|
the following fields is supplied.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -173,9 +173,9 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The remaining columns specify characteristics of the packet
|
<para>The remaining columns specify characteristics of the packet
|
||||||
before rewriting. In particular, the ORIGINAL DEST column gives the
|
before rewriting. In particular, the ORIGDEST column gives the
|
||||||
original destination IP address of the packet and the DEST PORT(S)
|
original destination IP address of the packet and the DPORT column
|
||||||
column give the original destination port(s).</para>
|
give the original destination port(s).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
@ -1201,8 +1201,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
|
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||||
{<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||||
|
|
||||||
@ -1234,7 +1233,7 @@
|
|||||||
|
|
||||||
<para>If your kernel contains multi-port match support, then only a
|
<para>If your kernel contains multi-port match support, then only a
|
||||||
single Netfilter rule will be generated if in this list and the
|
single Netfilter rule will be generated if in this list and the
|
||||||
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below:</para>
|
<emphasis role="bold">SPORT</emphasis> list below:</para>
|
||||||
|
|
||||||
<para>1. There are 15 or less ports listed.</para>
|
<para>1. There are 15 or less ports listed.</para>
|
||||||
|
|
||||||
@ -1245,12 +1244,13 @@
|
|||||||
<replaceable>ipset</replaceable> name can be specified in this
|
<replaceable>ipset</replaceable> name can be specified in this
|
||||||
column. This is intended to be used with
|
column. This is intended to be used with
|
||||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||||
{<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||||
|
|
||||||
@ -1260,11 +1260,10 @@
|
|||||||
names, port numbers or port ranges.</para>
|
names, port numbers or port ranges.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DPORT column is non-empty. This causes the
|
||||||
causes the rule to match when either the source port or the
|
rule to match when either the source port or the destination port in
|
||||||
destination port in a packet matches one of the ports specified in
|
a packet matches one of the ports specified in DEST PORTS(S). Use of
|
||||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
'=' requires multi-port match in your iptables and kernel.</para>
|
||||||
and kernel.</para>
|
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>Unless you really understand IP, you should leave this
|
<para>Unless you really understand IP, you should leave this
|
||||||
@ -1274,12 +1273,12 @@
|
|||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
<para>If you don't want to restrict client ports but need to specify
|
<para>If you don't want to restrict client ports but need to specify
|
||||||
an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
|
an <emphasis role="bold">ORIGDEST</emphasis> in the next column,
|
||||||
column, then place "-" in this column.</para>
|
then place "-" in this column.</para>
|
||||||
|
|
||||||
<para>If your kernel contains multi-port match support, then only a
|
<para>If your kernel contains multi-port match support, then only a
|
||||||
single Netfilter rule will be generated if in this list and the
|
single Netfilter rule will be generated if in this list and the
|
||||||
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
<emphasis role="bold">DPORT</emphasis> list above:</para>
|
||||||
|
|
||||||
<para>1. There are 15 or less ports listed.</para>
|
<para>1. There are 15 or less ports listed.</para>
|
||||||
|
|
||||||
@ -1290,12 +1289,13 @@
|
|||||||
<replaceable>ipset</replaceable> name can be specified in this
|
<replaceable>ipset</replaceable> name can be specified in this
|
||||||
column. This is intended to be used with
|
column. This is intended to be used with
|
||||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||||
[<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1344,11 +1344,13 @@
|
|||||||
url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html</ulink>
|
url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html</ulink>
|
||||||
for an example of using an entry in this column with a user-defined
|
for an example of using an entry in this column with a user-defined
|
||||||
action rule.</para>
|
action rule.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
|
<term><emphasis role="bold">RATE</emphasis> -
|
||||||
<replaceable>limit</replaceable></term>
|
<replaceable>limit</replaceable></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1413,11 +1415,13 @@
|
|||||||
enforce the per-source limit and the compiler will pick a unique
|
enforce the per-source limit and the compiler will pick a unique
|
||||||
name for the hash table that tracks the per-destination
|
name for the hash table that tracks the per-destination
|
||||||
limit.</para>
|
limit.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled RATE LIMIT.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][,...]</term>
|
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][,...]</term>
|
||||||
|
|
||||||
@ -1471,6 +1475,8 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled USER/GROUP.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1626,6 +1632,8 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>where <replaceable>dd</replaceable> is an ordinal day of
|
<para>where <replaceable>dd</replaceable> is an ordinal day of
|
||||||
the month</para>
|
the month</para>
|
||||||
|
|
||||||
|
<para/>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1767,9 +1775,8 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Accept SMTP requests from the DMZ to the internet</para>
|
<para>Accept SMTP requests from the DMZ to the internet</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT PORT(S) DEST
|
ACCEPT dmz net tcp smtp</programlisting>
|
||||||
ACCEPT dmz net tcp smtp</programlisting>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1780,8 +1787,7 @@
|
|||||||
<para>Forward all ssh and http connection requests from the internet
|
<para>Forward all ssh and http connection requests from the internet
|
||||||
to local system 192.168.1.3</para>
|
to local system 192.168.1.3</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT PORT(S) DEST
|
|
||||||
DNAT net loc:192.168.1.3 tcp ssh,http</programlisting>
|
DNAT net loc:192.168.1.3 tcp ssh,http</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1792,9 +1798,8 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Forward all http connection requests from the internet to
|
<para>Forward all http connection requests from the internet to
|
||||||
local system 192.168.1.3 with a limit of 3 per second and a maximum
|
local system 192.168.1.3 with a limit of 3 per second and a maximum
|
||||||
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
burst of 10<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||||
# PORT PORT(S) DEST LIMIT
|
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
|
||||||
DNAT net loc:192.168.1.3 tcp http - - 3/sec:10</programlisting></para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1806,8 +1811,7 @@
|
|||||||
port 3128 on the firewall (Squid running on the firewall system)
|
port 3128 on the firewall (Squid running on the firewall system)
|
||||||
except when the destination address is 192.168.2.2</para>
|
except when the destination address is 192.168.2.2</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT PORT(S) DEST
|
|
||||||
REDIRECT loc 3128 tcp www - !192.168.2.2</programlisting>
|
REDIRECT loc 3128 tcp www - !192.168.2.2</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1819,8 +1823,7 @@
|
|||||||
<para>All http requests from the internet to address 130.252.100.69
|
<para>All http requests from the internet to address 130.252.100.69
|
||||||
are to be forwarded to 192.168.1.3</para>
|
are to be forwarded to 192.168.1.3</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT PORT(S) DEST
|
|
||||||
DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69</programlisting>
|
DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1832,10 +1835,9 @@
|
|||||||
<para>You want to accept SSH connections to your firewall only from
|
<para>You want to accept SSH connections to your firewall only from
|
||||||
internet IP addresses 130.252.100.69 and 130.252.100.70</para>
|
internet IP addresses 130.252.100.69 and 130.252.100.70</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT PORT(S) DEST
|
ACCEPT net:130.252.100.69,130.252.100.70 \
|
||||||
ACCEPT net:130.252.100.69,130.252.100.70 $FW \
|
$FW tcp 22</programlisting>
|
||||||
tcp 22</programlisting>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1847,8 +1849,7 @@
|
|||||||
firewall on port 2222 and you want to forward them to local system
|
firewall on port 2222 and you want to forward them to local system
|
||||||
192.168.1.3, port 22</para>
|
192.168.1.3, port 22</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT PORT(S) DEST
|
|
||||||
DNAT net loc:192.168.1.3:22 tcp 2222</programlisting>
|
DNAT net loc:192.168.1.3:22 tcp 2222</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1860,8 +1861,7 @@
|
|||||||
<para>You want to redirect connection requests to port 80 randomly
|
<para>You want to redirect connection requests to port 80 randomly
|
||||||
to the port range 81-90.</para>
|
to the port range 81-90.</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT PORT(S) DEST
|
|
||||||
REDIRECT net $FW::81-90:random tcp www</programlisting>
|
REDIRECT net $FW::81-90:random tcp www</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1897,8 +1897,7 @@
|
|||||||
|
|
||||||
<para>rules:</para>
|
<para>rules:</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
REDIRECT loc 3128 tcp 80 </programlisting>
|
REDIRECT loc 3128 tcp 80 </programlisting>
|
||||||
|
|
||||||
<simpara>Note that it would have been tempting to simply define the
|
<simpara>Note that it would have been tempting to simply define the
|
||||||
@ -1926,8 +1925,7 @@
|
|||||||
<para>Add the tuple (source IP, dest port, dest IP) of an incoming
|
<para>Add the tuple (source IP, dest port, dest IP) of an incoming
|
||||||
SSH connection to the ipset S:</para>
|
SSH connection to the ipset S:</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
ADD(+S:dst,src,dst) net fw tcp 22</programlisting>
|
ADD(+S:dst,src,dst) net fw tcp 22</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1939,8 +1937,7 @@
|
|||||||
<para>You wish to limit SSH connections from remote systems to 1/min
|
<para>You wish to limit SSH connections from remote systems to 1/min
|
||||||
with a burst of three (to allow for limited retry):</para>
|
with a burst of three (to allow for limited retry):</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||||
# PORT(S) PORT(S) DEST LIMIT
|
|
||||||
SSH(ACCEPT) net all - - - - s:1/min:3</programlisting>
|
SSH(ACCEPT) net all - - - - s:1/min:3</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1952,8 +1949,7 @@
|
|||||||
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
|
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
|
||||||
is on.</para>
|
is on.</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
|
||||||
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down</programlisting>
|
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1965,8 +1961,7 @@
|
|||||||
<para>Drop all email from the <emphasis>Anonymous Proxy</emphasis>
|
<para>Drop all email from the <emphasis>Anonymous Proxy</emphasis>
|
||||||
and <emphasis>Satellite Provider</emphasis> address ranges:</para>
|
and <emphasis>Satellite Provider</emphasis> address ranges:</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
DROP net:^A1,A2 fw tcp 25</programlisting>
|
DROP net:^A1,A2 fw tcp 25</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1978,8 +1973,7 @@
|
|||||||
<para>You want to generate your own rule involving iptables targets
|
<para>You want to generate your own rule involving iptables targets
|
||||||
and matches not supported by Shorewall.</para>
|
and matches not supported by Shorewall.</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||||
|
|
||||||
<para>The above will generate the following iptables-restore
|
<para>The above will generate the following iptables-restore
|
||||||
|
@ -93,7 +93,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CHAIN:STATE (chain) -
|
<term><emphasis role="bold">CHAIN -
|
||||||
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
|
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -140,6 +140,8 @@
|
|||||||
|
|
||||||
<member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
|
<member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
|
||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled CHAIN:STATE.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
@ -236,7 +238,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||||
|
|
||||||
@ -259,12 +261,13 @@
|
|||||||
<para>This column is ignored if PROTOCOL = all but must be entered
|
<para>This column is ignored if PROTOCOL = all but must be entered
|
||||||
if any of the following field is supplied. In that case, it is
|
if any of the following field is supplied. In that case, it is
|
||||||
suggested that this field contain "-"</para>
|
suggested that this field contain "-"</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||||
[<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||||
|
|
||||||
@ -272,6 +275,8 @@
|
|||||||
<para>Optional source port(s). If omitted, any source port is
|
<para>Optional source port(s). If omitted, any source port is
|
||||||
acceptable. Specified as a comma-separated list of port names, port
|
acceptable. Specified as a comma-separated list of port names, port
|
||||||
numbers or port ranges.</para>
|
numbers or port ranges.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -388,8 +393,7 @@
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/secmarks</filename>:</para>
|
<para><filename>/etc/shorewall/secmarks</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
<programlisting>#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
|
||||||
# STATE PORT(S) PORT(S) GROUP
|
|
||||||
system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306
|
system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306
|
||||||
SAVE I:N lo 127.0.0.1 tcp 3306
|
SAVE I:N lo 127.0.0.1 tcp 3306
|
||||||
RESTORE I:ER</programlisting>
|
RESTORE I:ER</programlisting>
|
||||||
|
@ -112,7 +112,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> ‒
|
<term><emphasis role="bold">DPORT</emphasis> ‒
|
||||||
<replaceable>service-name/port-number-list</replaceable></term>
|
<replaceable>service-name/port-number-list</replaceable></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -121,11 +121,13 @@
|
|||||||
include port ranges of the form
|
include port ranges of the form
|
||||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||||
if your kernel and iptables include port range support.</para>
|
if your kernel and iptables include port range support.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> ‒
|
<term><emphasis role="bold">SPORT</emphasis> ‒
|
||||||
<replaceable>service-name/port-number-list</replaceable></term>
|
<replaceable>service-name/port-number-list</replaceable></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -136,11 +138,12 @@
|
|||||||
if your kernel and iptables include port range support.</para>
|
if your kernel and iptables include port range support.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DPORT column is non-empty. This causes the
|
||||||
causes the rule to match when either the source port or the
|
rule to match when either the source port or the destination port in
|
||||||
destination port in a packet matches one of the ports specified in
|
a packet matches one of the ports specified in DEST PORTS(S). Use of
|
||||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
'=' requires multi-port match in your iptables and kernel.</para>
|
||||||
and kernel.</para>
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -135,7 +135,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
|
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -143,16 +143,19 @@
|
|||||||
a <emphasis>port number</emphasis>; if the protocol is <emphasis
|
a <emphasis>port number</emphasis>; if the protocol is <emphasis
|
||||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||||
destination icmp-type(s).</para>
|
destination icmp-type(s).</para>
|
||||||
|
|
||||||
|
<para>This column was previously labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
|
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||||
[<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Optional source port.</para>
|
<para>Optional source port.</para>
|
||||||
|
|
||||||
|
<para>This column was previously labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -292,8 +295,7 @@
|
|||||||
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
|
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
|
||||||
protocols.</para>
|
protocols.</para>
|
||||||
|
|
||||||
<programlisting> #CLASS SOURCE DEST PROTO DEST
|
<programlisting> #CLASS SOURCE DEST PROTO DPORT
|
||||||
# PORT
|
|
||||||
|
|
||||||
IPV4
|
IPV4
|
||||||
|
|
||||||
@ -314,8 +316,7 @@
|
|||||||
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
|
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
|
||||||
later).</para>
|
later).</para>
|
||||||
|
|
||||||
<programlisting> #CLASS SOURCE DEST PROTO DEST PRIORITY
|
<programlisting> #CLASS SOURCE DEST PROTO DPORT PRIORITY
|
||||||
# PORT
|
|
||||||
|
|
||||||
IPV4
|
IPV4
|
||||||
|
|
||||||
|
@ -1625,11 +1625,11 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>This parameter specifies the directory/directories where your
|
<para>This parameter specifies the directory/directories where your
|
||||||
kernel netfilter modules may be found. If you leave the variable
|
kernel netfilter modules may be found. If you leave the variable
|
||||||
empty, Shorewall will supply the value "/lib/modules/`uname
|
empty, Shorewall will supply the value
|
||||||
-r`/kernel/net/ipv4/netfilter" in versions of Shorewall prior to
|
"/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
|
||||||
3.2.4 and "/lib/modules/`uname
|
where <emphasis role="bold">uname</emphasis> holds the output of
|
||||||
-r`/kernel/net/ipv4/netfilter:/lib/modules/`uname
|
'<command>uname -r</command>' and <emphasis
|
||||||
-r`/kernel/net/ipv4/netfilter" in later versions.</para>
|
role="bold">g_family</emphasis> holds '4'. </para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -193,9 +193,11 @@ if [ -f "$FIREWALL" ]; then
|
|||||||
remove_file $FIREWALL
|
remove_file $FIREWALL
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$SYSTEMD" ]; then
|
[ -z "$SERVICEDIR" ] && SERVICEDIR="$SYSTEMD"
|
||||||
|
|
||||||
|
if [ -n "$SERVICEDIR" ]; then
|
||||||
[ $configure -eq 1 ] && systemctl disable ${PRODUCT}
|
[ $configure -eq 1 ] && systemctl disable ${PRODUCT}
|
||||||
rm -f $SYSTEMD/shorewall6-lite.service
|
rm -f $SERVICEDIR/shorewall6-lite.service
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -f ${SBINDIR}/shorewall6-lite
|
rm -f ${SBINDIR}/shorewall6-lite
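Review bot: The new `rm -f $SERVICEDIR/shorewall6-lite.service` leaves `$SERVICEDIR` unquoted, and the `[ $configure -eq 1 ]` test next to it is unquoted as well; now that SERVICEDIR may come from the rc file instead of only from `$SYSTEMD`, a value containing whitespace would word-split the rm, and an unset `configure` (assigned outside the hunk) would turn the test into a syntax error instead of a false result. I would write `[ "$configure" -eq 1 ] && systemctl disable "${PRODUCT}"` and `rm -f "${SERVICEDIR}/shorewall6-lite.service"`. Note also that a failing `systemctl disable` (for example SERVICEDIR set by the rc file on a host without systemctl in PATH) is silently swallowed by the `&&` chain; that is probably acceptable for an uninstaller, but a `command -v systemctl >/dev/null &&` guard or a warning on stderr would make the intent explicit. The script's top-level statement run continues outside the hunk.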
|
||||||
@ -205,7 +207,6 @@ rm -rf ${SHAREDIR}/shorewall6-lite
|
|||||||
rm -rf ${LIBEXECDIR}/shorewall6-lite
|
rm -rf ${LIBEXECDIR}/shorewall6-lite
|
||||||
rm -f ${CONFDIR}/logrotate.d/shorewall6-lite
|
rm -f ${CONFDIR}/logrotate.d/shorewall6-lite
|
||||||
rm -f ${SYSCONFDIR}/shorewall6-lite
|
rm -f ${SYSCONFDIR}/shorewall6-lite
|
||||||
[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6-lite.service
|
|
||||||
|
|
||||||
rm -f ${MANDIR}/man5/shorewall6-lite*
|
rm -f ${MANDIR}/man5/shorewall6-lite*
|
||||||
rm -f ${MANDIR}/man8/shorewall6-lite*
|
rm -f ${MANDIR}/man8/shorewall6-lite*
|
||||||
|
@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
|
|||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=keep
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
|
||||||
|
@ -160,7 +160,7 @@ INLINE_MATCHES=Yes
|
|||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=keep
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
|
||||||
|
@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
|
|||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=keep
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
|
||||||
|
@ -159,7 +159,7 @@ INLINE_MATCHES=Yes
|
|||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=keep
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
|
||||||
|
@ -159,7 +159,7 @@ INLINE_MATCHES=No
|
|||||||
|
|
||||||
IPSET_WARNINGS=Yes
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=keep
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
|
||||||
|
@ -349,7 +349,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
|
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis
|
role="bold">-</emphasis>|<emphasis
|
||||||
role="bold">any</emphasis>|<emphasis
|
role="bold">any</emphasis>|<emphasis
|
||||||
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
|
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
|
||||||
@ -359,11 +359,13 @@
|
|||||||
|
|
||||||
<para>Format same as <emphasis role="bold">SOURCE</emphasis>
|
<para>Format same as <emphasis role="bold">SOURCE</emphasis>
|
||||||
column.</para>
|
column.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DESTINATION.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
|
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis
|
role="bold">-</emphasis>|<emphasis
|
||||||
role="bold">any</emphasis>|<emphasis
|
role="bold">any</emphasis>|<emphasis
|
||||||
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
|
role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
|
||||||
@ -381,12 +383,14 @@
|
|||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
<para>Beginning with Shorewall 4.5.12, this column can accept a
|
||||||
comma-separated list of protocols.</para>
|
comma-separated list of protocols.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled PROTOCOL.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
role="bold">-</emphasis>|<emphasis
|
||||||
role="bold">any</emphasis>|<emphasis
|
role="bold">any</emphasis>|<emphasis
|
||||||
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||||
|
|
||||||
@ -405,12 +409,14 @@
|
|||||||
("ip6tables -m ipp2p --help") without the leading "--". If no option
|
("ip6tables -m ipp2p --help") without the leading "--". If no option
|
||||||
is given in this column, <emphasis role="bold">ipp2p</emphasis> is
|
is given in this column, <emphasis role="bold">ipp2p</emphasis> is
|
||||||
assumed.</para>
|
assumed.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||||
{<emphasis role="bold">-</emphasis>|<emphasis
|
role="bold">-</emphasis>|<emphasis
|
||||||
role="bold">any</emphasis>|<emphasis
|
role="bold">any</emphasis>|<emphasis
|
||||||
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
||||||
|
|
||||||
@ -424,16 +430,17 @@
|
|||||||
support.</para>
|
support.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DPORT column is non-empty. This causes the
|
||||||
causes the rule to match when either the source port or the
|
rule to match when either the source port or the destination port in
|
||||||
destination port in a packet matches one of the ports specified in
|
a packet matches one of the ports specified in DPORT. Use of '='
|
||||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
requires multi-port match in your iptables and kernel.</para>
|
||||||
and kernel.</para>
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||||
@ -490,6 +497,8 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled USER/GROUP.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -1,217 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
||||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
||||||
<refentry>
|
|
||||||
<refmeta>
|
|
||||||
<refentrytitle>shorewall6-blacklist</refentrytitle>
|
|
||||||
|
|
||||||
<manvolnum>5</manvolnum>
|
|
||||||
|
|
||||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
|
||||||
</refmeta>
|
|
||||||
|
|
||||||
<refnamediv>
|
|
||||||
<refname>blacklist</refname>
|
|
||||||
|
|
||||||
<refpurpose>shorewall6 Blacklist file</refpurpose>
|
|
||||||
</refnamediv>
|
|
||||||
|
|
||||||
<refsynopsisdiv>
|
|
||||||
<cmdsynopsis>
|
|
||||||
<command>/etc/shorewall6/blacklist</command>
|
|
||||||
</cmdsynopsis>
|
|
||||||
</refsynopsisdiv>
|
|
||||||
|
|
||||||
<refsect1>
|
|
||||||
<title>Description</title>
|
|
||||||
|
|
||||||
<para>The blacklist file is used to perform static blacklisting by source
|
|
||||||
address (IP or MAC), or by application. The use of this file is deprecated
|
|
||||||
in favor of <ulink
|
|
||||||
url="/manpages6/shorewall6-blrules.html">shorewall6-blrules</ulink>(5),
|
|
||||||
and beginning with Shorewall 4.5.7, the blacklist file is no longer
|
|
||||||
installed. Existing blacklist files can be converted to a corresponding
|
|
||||||
blrules file using the <command>shorewall6 update -b</command>
|
|
||||||
command.</para>
|
|
||||||
|
|
||||||
<para>The columns in the file are as follows (where the column name is
|
|
||||||
followed by a different name in parentheses, the different name is used in
|
|
||||||
the alternate specification syntax).</para>
|
|
||||||
|
|
||||||
<variablelist>
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis
|
|
||||||
role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
|
|
||||||
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Host address, network address, MAC address, IP address range
|
|
||||||
(if your kernel and ip6tables contain iprange match support) or
|
|
||||||
ipset name prefaced by "+" (if your kernel supports ipset match).
|
|
||||||
Exclusion (<ulink
|
|
||||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5))
|
|
||||||
is supported.</para>
|
|
||||||
|
|
||||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
|
||||||
separator.</para>
|
|
||||||
|
|
||||||
<para>Example: ~00-A0-C9-15-39-78</para>
|
|
||||||
|
|
||||||
<para>A dash ("-") in this column means that any source address will
|
|
||||||
match. This is useful if you want to blacklist a particular
|
|
||||||
application using entries in the PROTOCOL and PORTS columns.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Optional - if specified, must be a protocol number or a
|
|
||||||
protocol name from protocols(5).</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">PORTS</emphasis> (port) - {<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>May only be specified if the protocol is TCP (6), UDP (17),
|
|
||||||
DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of
|
|
||||||
destination port numbers or service names from services(5).</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Optional - added in 4.4.12. If specified, indicates whether
|
|
||||||
traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
|
|
||||||
role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
|
|
||||||
ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
|
|
||||||
blacklisted. The default is <emphasis role="bold">src</emphasis>. If
|
|
||||||
the ADDRESS/SUBNET column is empty, then this column has no effect
|
|
||||||
on the generated rule.</para>
|
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>In Shorewall 4.4.12, the keywords from and to were used in
|
|
||||||
place of src and dst respectively. Blacklisting was still
|
|
||||||
restricted to traffic <emphasis>arriving</emphasis> on an
|
|
||||||
interface that has the 'blacklist' option set. So to block traffic
|
|
||||||
from your local network to an internet host, you had to specify
|
|
||||||
<option>blacklist</option> on your internal interface in <ulink
|
|
||||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
|
||||||
(5).</para>
|
|
||||||
</note>
|
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>Beginning with Shorewall 4.4.13, entries are applied based
|
|
||||||
on the <emphasis role="bold">blacklist</emphasis> setting in
|
|
||||||
<ulink
|
|
||||||
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5):</para>
|
|
||||||
|
|
||||||
<orderedlist>
|
|
||||||
<listitem>
|
|
||||||
<para>'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
|
|
||||||
from this zone is passed against the entries in this file that
|
|
||||||
have the <emphasis role="bold">src</emphasis> option
|
|
||||||
(specified or defaulted).</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>'blacklist' in the OPTIONS or OUT_OPTIONS column.
|
|
||||||
Traffic to this zone is passed against the entries in this
|
|
||||||
file that have the <emphasis role="bold">dst</emphasis>
|
|
||||||
option.</para>
|
|
||||||
</listitem>
|
|
||||||
</orderedlist>
|
|
||||||
</note>
|
|
||||||
|
|
||||||
<para>In Shorewall 4.4.20, the <emphasis
|
|
||||||
role="bold">whitelist</emphasis> option was added. When <emphasis
|
|
||||||
role="bold">whitelist</emphasis> is specified, packets/connections
|
|
||||||
that match the entry are not matched against the remaining entries
|
|
||||||
in the file.</para>
|
|
||||||
|
|
||||||
<para>The <emphasis role="bold">audit</emphasis> option was also
|
|
||||||
added in 4.4.20 and causes packets matching the entry to be audited.
|
|
||||||
The <emphasis role="bold">audit</emphasis> option may not be
|
|
||||||
specified in whitelist entries and require AUDIT_TARGET support in
|
|
||||||
the kernel and ip6tables.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
|
|
||||||
<para>When a packet arrives on an interface that has the <emphasis
|
|
||||||
role="bold">blacklist</emphasis> option specified in <ulink
|
|
||||||
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5),
|
|
||||||
its source IP address and MAC address is checked against this file and
|
|
||||||
disposed of according to the <emphasis
|
|
||||||
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
|
|
||||||
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
|
|
||||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
|
|
||||||
<emphasis role="bold">PROTOCOL</emphasis> or <emphasis
|
|
||||||
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
|
|
||||||
are supplied, only packets matching the protocol (and one of the ports if
|
|
||||||
<emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1>
|
|
||||||
<title>Example</title>
|
|
||||||
|
|
||||||
<variablelist>
|
|
||||||
<varlistentry>
|
|
||||||
<term>Example 1:</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>To block DNS queries from address
|
|
||||||
fe80::2a0:ccff:fedb:31c4:</para>
|
|
||||||
|
|
||||||
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
|
|
||||||
fe80::2a0:ccff:fedb:31c4/ udp 53</programlisting>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term>Example 2:</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>To block some of the nuisance applications:</para>
|
|
||||||
|
|
||||||
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
|
|
||||||
- udp 1024:1033,1434
|
|
||||||
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1>
|
|
||||||
<title>FILES</title>
|
|
||||||
|
|
||||||
<para>/etc/shorewall6/blacklist</para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1>
|
|
||||||
<title>See ALSO</title>
|
|
||||||
|
|
||||||
<para><ulink
|
|
||||||
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
|
|
||||||
|
|
||||||
<para><ulink
|
|
||||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
|
||||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
|
||||||
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
|
||||||
shorewall6-providers(5), shorewall6-rtrules(5),
|
|
||||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
|
||||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
|
||||||
shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
|
||||||
shorewall6-zones(5)</para>
|
|
||||||
</refsect1>
|
|
||||||
</refentry>
|
|
@ -414,7 +414,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>DEST PORT(S) (dport) -
|
<term>DPORT -
|
||||||
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
|
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -427,11 +427,13 @@
|
|||||||
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
||||||
in this column. This is intended to be used with
|
in this column. This is intended to be used with
|
||||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>SOURCE PORT(S) (sport) -
|
<term>SPORT -
|
||||||
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
|
{-|<replaceable>port-number/service-name-list</replaceable>|+<replaceable>ipset</replaceable>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -442,25 +444,28 @@
|
|||||||
if your kernel and iptables include port range support.</para>
|
if your kernel and iptables include port range support.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DPORT column is non-empty. This causes the
|
||||||
causes the rule to match when either the source port or the
|
rule to match when either the source port or the destination port in
|
||||||
destination port in a packet matches one of the ports specified in
|
a packet matches one of the ports specified in DPORT.</para>
|
||||||
DEST PORTS(S).</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
||||||
in this column. This is intended to be used with
|
in this column. This is intended to be used with
|
||||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>USER/GROUP (user) ‒
|
<term>USER ‒
|
||||||
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
[<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>May only be specified if the SOURCE
|
<para>May only be specified if the SOURCE
|
||||||
<replaceable>zone</replaceable> is $FW. Specifies the effective user
|
<replaceable>zone</replaceable> is $FW. Specifies the effective user
|
||||||
id and or group id of the process sending the traffic.</para>
|
id and or group id of the process sending the traffic.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled USER/GROUP.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -523,8 +528,7 @@
|
|||||||
itself.</para>
|
itself.</para>
|
||||||
|
|
||||||
<programlisting>FORMAT 2
|
<programlisting>FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||||
# PORT(S) PORT(S)
|
|
||||||
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
|
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
|
||||||
|
|
||||||
<para>Example 2 (Shorewall 4.5.10 or later):</para>
|
<para>Example 2 (Shorewall 4.5.10 or later):</para>
|
||||||
@ -532,15 +536,13 @@ CT:helper:ftp(expevents=new) fw - tcp
|
|||||||
<para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
|
<para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
|
||||||
|
|
||||||
<programlisting>FORMAT 2
|
<programlisting>FORMAT 2
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||||
# PORT(S) PORT(S)
|
|
||||||
DROP all-:2001:1.2.3::4 -
|
DROP all-:2001:1.2.3::4 -
|
||||||
DROP all 2001:1.2.3::4
|
DROP all 2001:1.2.3::4
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>or<programlisting>FORMAT 3
|
<para>or<programlisting>FORMAT 3
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP
|
#ACTION SOURCE DEST PROTO DPORT SPORT USER
|
||||||
# PORT(S) PORT(S)
|
|
||||||
DROP:P 2001:1.2.3::4 -
|
DROP:P 2001:1.2.3::4 -
|
||||||
DROP:PO - 2001:1.2.3::4
|
DROP:PO - 2001:1.2.3::4
|
||||||
</programlisting></para>
|
</programlisting></para>
|
||||||
|
@ -56,7 +56,7 @@
|
|||||||
<option>dst</option>. Example: myset[src,dst].</member>
|
<option>dst</option>. Example: myset[src,dst].</member>
|
||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>In a SOURCE or SOURCE PORT(S) column, the following pairs are
|
<para>In a SOURCE or SPORT column, the following pairs are
|
||||||
equivalent:</para>
|
equivalent:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
@ -65,7 +65,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>In a DEST or DEST PORT(S) column, the following pairs are
|
<para>In a DEST or DPORT column, the following pairs are
|
||||||
equivalent:</para>
|
equivalent:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
|
@ -593,8 +593,7 @@ INLINE eth0 - ; -p tcp -j MARK --set
|
|||||||
that problem. SAME may be used in the PREROUTING and OUTPUT
|
that problem. SAME may be used in the PREROUTING and OUTPUT
|
||||||
chains. When used in PREROUTING, it causes matching
|
chains. When used in PREROUTING, it causes matching
|
||||||
connections from an individual local system to all use the
|
connections from an individual local system to all use the
|
||||||
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
|
same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||||
If a host in 192.168.1.0/24 attempts a connection on TCP port
|
If a host in 192.168.1.0/24 attempts a connection on TCP port
|
||||||
80 or 443 and it has sent a packet on either of those ports in
|
80 or 443 and it has sent a packet on either of those ports in
|
||||||
@ -604,8 +603,7 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
|||||||
|
|
||||||
<para>When used in the OUTPUT chain, it causes all matching
|
<para>When used in the OUTPUT chain, it causes all matching
|
||||||
connections to an individual remote system to all use the same
|
connections to an individual remote system to all use the same
|
||||||
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
|
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
|
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>The
|
||||||
optional <replaceable>timeout</replaceable> parameter was
|
optional <replaceable>timeout</replaceable> parameter was
|
||||||
added in Shorewall 4.6.7 and specifies a number of seconds .
|
added in Shorewall 4.6.7 and specifies a number of seconds .
|
||||||
@ -812,7 +810,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||||
|
|
||||||
@ -835,12 +833,13 @@ Normal-Service => 0x00</programlisting>
|
|||||||
<para>An entry in this field requires that the PROTO column specify
|
<para>An entry in this field requires that the PROTO column specify
|
||||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||||
any of the following field is supplied.</para>
|
any of the following field is supplied.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
<term><emphasis role="bold">SPORT </emphasis>- [<emphasis
|
||||||
[<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||||
|
|
||||||
@ -854,11 +853,12 @@ Normal-Service => 0x00</programlisting>
|
|||||||
the following fields is supplied.</para>
|
the following fields is supplied.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DPORT column is non-empty. This causes the
|
||||||
causes the rule to match when either the source port or the
|
rule to match when either the source port or the destination port in
|
||||||
destination port in a packet matches one of the ports specified in
|
a packet matches one of the ports specified in DPORT. Use of '='
|
||||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
requires multi-port match in your iptables and kernel.</para>
|
||||||
and kernel.</para>
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1064,8 +1064,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
by the named helper module.</para>
|
by the named helper module.</para>
|
||||||
|
|
||||||
<para>Example: Mark all FTP data connections with mark
|
<para>Example: Mark all FTP data connections with mark
|
||||||
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
4:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
|
||||||
# PORT(S)
|
|
||||||
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
|
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1348,8 +1347,7 @@ Normal-Service => 0x00</programlisting>
|
|||||||
|
|
||||||
<para>We assume packet/connection mark 0 means unclassified.</para>
|
<para>We assume packet/connection mark 0 means unclassified.</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||||
# PORT(S)
|
|
||||||
MARK(1):T ::/0 ::/0 icmp echo-request
|
MARK(1):T ::/0 ::/0 icmp echo-request
|
||||||
MARK(1):T ::/0 ::/0 icmp echo-reply
|
MARK(1):T ::/0 ::/0 icmp echo-reply
|
||||||
RESTORE:T ::/0 ::/0 all - - - 0
|
RESTORE:T ::/0 ::/0 all - - - 0
|
||||||
|
@ -199,7 +199,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
|
<term><emphasis role="bold">DPORT</emphasis> (Optional) -
|
||||||
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
{-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -379,8 +379,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
|
<term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
|
||||||
[<emphasis
|
|
||||||
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||||
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||||
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||||
@ -488,8 +487,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||||
[<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -500,6 +498,8 @@
|
|||||||
the listed addresses. It is useful for specifying that SNAT should
|
the listed addresses. It is useful for specifying that SNAT should
|
||||||
occur only for connections that were acted on by a DNAT when they
|
occur only for connections that were acted on by a DNAT when they
|
||||||
entered the firewall.</para>
|
entered the firewall.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -103,15 +103,16 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
|
<term><emphasis role="bold">ALLINTS</emphasis> - [<emphasis
|
||||||
[<emphasis role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||||
role="bold">No</emphasis>]</term>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If Yes or yes, NAT will be effective from all hosts. If No or
|
<para>If Yes or yes, NAT will be effective from all hosts. If No or
|
||||||
no (or left empty) then NAT will be effective only through the
|
no (or left empty) then NAT will be effective only through the
|
||||||
interface named in the <emphasis role="bold">INTERFACE</emphasis>
|
interface named in the <emphasis role="bold">INTERFACE</emphasis>
|
||||||
column.</para>
|
column.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled ALL INTERFACES.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -82,7 +82,7 @@
|
|||||||
|
|
||||||
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
|
<para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
...
|
...
|
||||||
ACCEPT sam loc:2001:19f0:feee::3 tcp ssh
|
ACCEPT sam loc:2001:19f0:feee::3 tcp ssh
|
||||||
ACCEPT net loc:2001:19f0:feee::5 tcp www
|
ACCEPT net loc:2001:19f0:feee::5 tcp www
|
||||||
|
@ -137,7 +137,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
|
<term><emphasis role="bold">DPORT</emphasis> -
|
||||||
<emphasis>port-number-or-name-list</emphasis></term>
|
<emphasis>port-number-or-name-list</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -159,11 +159,13 @@
|
|||||||
<para>An entry in this field requires that the PROTO column specify
|
<para>An entry in this field requires that the PROTO column specify
|
||||||
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
|
||||||
any of the following field is supplied.</para>
|
any of the following field is supplied.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
<term><emphasis role="bold">SPORT</emphasis> -
|
||||||
<emphasis>port-number-or-name-list</emphasis></term>
|
<emphasis>port-number-or-name-list</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -174,6 +176,8 @@
|
|||||||
<para>An entry in this field requires that the PROTO column specify
|
<para>An entry in this field requires that the PROTO column specify
|
||||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||||
the following fields is supplied.</para>
|
the following fields is supplied.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -1111,8 +1111,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST PORT(S) </emphasis>(dport) -
|
<term><emphasis role="bold">DPORT</emphasis> - {<emphasis
|
||||||
{<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||||
|
|
||||||
@ -1144,8 +1143,7 @@
|
|||||||
|
|
||||||
<para>If your kernel contains multi-port match support, then only a
|
<para>If your kernel contains multi-port match support, then only a
|
||||||
single Netfilter rule will be generated in this list and the
|
single Netfilter rule will be generated in this list and the
|
||||||
<emphasis role="bold">CLIENT PORT(S)</emphasis> list below
|
<emphasis role="bold">SPORT</emphasis> list below if:</para>
|
||||||
if:</para>
|
|
||||||
|
|
||||||
<para>1. There are 15 or less ports listed.</para>
|
<para>1. There are 15 or less ports listed.</para>
|
||||||
|
|
||||||
@ -1156,12 +1154,13 @@
|
|||||||
<replaceable>ipset</replaceable> name can be specified in this
|
<replaceable>ipset</replaceable> name can be specified in this
|
||||||
column. This is intended to be used with
|
column. This is intended to be used with
|
||||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
<term><emphasis role="bold">SPORT</emphasis> - {<emphasis
|
||||||
{<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
|
||||||
|
|
||||||
@ -1171,11 +1170,10 @@
|
|||||||
numbers or port ranges.</para>
|
numbers or port ranges.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DPORT column is non-empty. This causes the
|
||||||
causes the rule to match when either the source port or the
|
rule to match when either the source port or the destination port in
|
||||||
destination port in a packet matches one of the ports specified in
|
a packet matches one of the ports specified in DPORT. Use of '='
|
||||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
requires multi-port match in your iptables and kernel.</para>
|
||||||
and kernel.</para>
|
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>Unless you really understand IP, you should leave this
|
<para>Unless you really understand IP, you should leave this
|
||||||
@ -1189,7 +1187,7 @@
|
|||||||
|
|
||||||
<para>If your kernel contains multi-port match support, then only a
|
<para>If your kernel contains multi-port match support, then only a
|
||||||
single Netfilter rule will be generated if in this list and the
|
single Netfilter rule will be generated if in this list and the
|
||||||
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
<emphasis role="bold">DPORT</emphasis> list above:</para>
|
||||||
|
|
||||||
<para>1. There are 15 or less ports listed.</para>
|
<para>1. There are 15 or less ports listed.</para>
|
||||||
|
|
||||||
@ -1199,21 +1197,25 @@
|
|||||||
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
<para>Beginning with Shorewall 4.6.0, an ipset name can be specified
|
||||||
in this column. This is intended to be used with
|
in this column. This is intended to be used with
|
||||||
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
<firstterm>bitmap:port</firstterm> ipsets.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
|
<term><emphasis role="bold">ORIGDEST</emphasis> - [<emphasis
|
||||||
[<emphasis role="bold">-</emphasis>]</term>
|
role="bold">-</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Included for compatibility with Shorewall. Enter '-' in this
|
<para>Included for compatibility with Shorewall. Enter '-' in this
|
||||||
column if you need to specify one of the later columns.</para>
|
column if you need to specify one of the later columns.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled ORIGINAL DEST.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (rate) -
|
<term><emphasis role="bold">RATE</emphasis> -
|
||||||
<replaceable>limit</replaceable></term>
|
<replaceable>limit</replaceable></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1278,11 +1280,13 @@
|
|||||||
enforce the per-source limit and the compiler will pick a unique
|
enforce the per-source limit and the compiler will pick a unique
|
||||||
name for the hash table that tracks the per-destination
|
name for the hash table that tracks the per-destination
|
||||||
limit.</para>
|
limit.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled RATE LIMIT.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
|
<term><emphasis role="bold">USER</emphasis> - [<emphasis
|
||||||
role="bold">!</emphasis>][<emphasis>user-name-or-number-or-range</emphasis>][<emphasis
|
role="bold">!</emphasis>][<emphasis>user-name-or-number-or-range</emphasis>][<emphasis
|
||||||
role="bold">:</emphasis><emphasis>group-name-or-number-or-range</emphasis>]</term>
|
role="bold">:</emphasis><emphasis>group-name-or-number-or-range</emphasis>]</term>
|
||||||
|
|
||||||
@ -1336,6 +1340,8 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled USER/GROUP.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1716,8 +1722,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Accept SMTP requests from the DMZ to the internet</para>
|
<para>Accept SMTP requests from the DMZ to the internet</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT PORT(S) DEST
|
|
||||||
ACCEPT dmz net tcp smtp</programlisting>
|
ACCEPT dmz net tcp smtp</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1730,8 +1735,7 @@
|
|||||||
internet IP addresses 2002:ce7c::92b4:1::2 and
|
internet IP addresses 2002:ce7c::92b4:1::2 and
|
||||||
2002:ce7c::92b4:1::22</para>
|
2002:ce7c::92b4:1::22</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
# PORT PORT(S) DEST
|
|
||||||
ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
|
ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \
|
||||||
$FW tcp 22</programlisting>
|
$FW tcp 22</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -1744,8 +1748,7 @@
|
|||||||
<para>You wish to limit SSH connections from remote systems to 1/min
|
<para>You wish to limit SSH connections from remote systems to 1/min
|
||||||
with a burst of three (to allow for limited retry):</para>
|
with a burst of three (to allow for limited retry):</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
|
||||||
# PORT(S) PORT(S) DEST LIMIT
|
|
||||||
SSH(ACCEPT) net all - - - - s:1/min:3</programlisting>
|
SSH(ACCEPT) net all - - - - s:1/min:3</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1757,8 +1760,7 @@
|
|||||||
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
|
<para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
|
||||||
is set.</para>
|
is set.</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH
|
||||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
|
||||||
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down</programlisting>
|
DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1770,8 +1772,7 @@
|
|||||||
<para>Drop all email from IP addresses in the country whose ISO-3661
|
<para>Drop all email from IP addresses in the country whose ISO-3661
|
||||||
country code is ZZ.</para>
|
country code is ZZ.</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
DROP net:^ZZ fw tcp 25</programlisting>
|
DROP net:^ZZ fw tcp 25</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -1783,8 +1784,7 @@
|
|||||||
<para>You want to generate your own rule involving ip6tables targets
|
<para>You want to generate your own rule involving ip6tables targets
|
||||||
and matches not supported by Shorewall.</para>
|
and matches not supported by Shorewall.</para>
|
||||||
|
|
||||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
<programlisting> #ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORT(S)
|
|
||||||
INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||||
|
|
||||||
<para>The above will generate the following ip6tables-restore
|
<para>The above will generate the following ip6tables-restore
|
||||||
|
@ -92,7 +92,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">CHAIN:STATE (chain) -
|
<term><emphasis role="bold">CHAIN -
|
||||||
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
|
{P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -139,6 +139,8 @@
|
|||||||
|
|
||||||
<member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
|
<member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
|
||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled CHAIN:STATE.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
@ -229,7 +231,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
|
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||||
|
|
||||||
@ -249,15 +251,14 @@
|
|||||||
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
|
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
|
||||||
assumed.</para>
|
assumed.</para>
|
||||||
|
|
||||||
<para>This column is ignored if PROTOCOL = all but must be entered
|
<para>This column is ignored if PROTO = all but must be entered if
|
||||||
if any of the following field is supplied. In that case, it is
|
any of the following field is supplied. In that case, it is
|
||||||
suggested that this field contain "-"</para>
|
suggested that this field contain "-"</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
|
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||||
[<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
|
||||||
|
|
||||||
@ -267,11 +268,10 @@
|
|||||||
numbers or port ranges.</para>
|
numbers or port ranges.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DPORT column is non-empty. This causes the
|
||||||
causes the rule to match when either the source port or the
|
rule to match when either the source port or the destination port in
|
||||||
destination port in a packet matches one of the ports specified in
|
a packet matches one of the ports specified in DPORT. Use of '='
|
||||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
requires multi-port match in your iptables and kernel.</para>
|
||||||
and kernel.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -318,6 +318,8 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled USER/GROUP.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -388,8 +390,7 @@
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall6/secmarks</filename>:</para>
|
<para><filename>/etc/shorewall6/secmarks</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
|
<programlisting>#SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK
|
||||||
# STATE PORT(S) PORT(S) GROUP
|
|
||||||
system_u:object_r:mysqld_packet_t:s0 I:N lo ::1 tcp 3306
|
system_u:object_r:mysqld_packet_t:s0 I:N lo ::1 tcp 3306
|
||||||
SAVE I:N
|
SAVE I:N
|
||||||
RESTORE I:ER</programlisting>
|
RESTORE I:ER</programlisting>
|
||||||
|
@ -112,7 +112,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>DEST PORT(S) (dport) ‒
|
<term>DPORT ‒
|
||||||
<replaceable>service-name/port-number-list</replaceable></term>
|
<replaceable>service-name/port-number-list</replaceable></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -121,11 +121,13 @@
|
|||||||
include port ranges of the form
|
include port ranges of the form
|
||||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||||
if your kernel and iptables include port range support.</para>
|
if your kernel and iptables include port range support.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>SOURCE PORT(S) (sport) ‒
|
<term>SPORT ‒
|
||||||
<replaceable>service-name/port-number-list</replaceable></term>
|
<replaceable>service-name/port-number-list</replaceable></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -136,11 +138,12 @@
|
|||||||
if your kernel and iptables include port range support.</para>
|
if your kernel and iptables include port range support.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||||
column, provided that the DEST PORT(S) column is non-empty. This
|
column, provided that the DPORT column is non-empty. This causes the
|
||||||
causes the rule to match when either the source port or the
|
rule to match when either the source port or the destination port in
|
||||||
destination port in a packet matches one of the ports specified in
|
a packet matches one of the ports specified in DPORT. Use of '='
|
||||||
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
|
requires multi-port match in your iptables and kernel.</para>
|
||||||
and kernel.</para>
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -131,7 +131,7 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
|
<term><emphasis role="bold">DPORT</emphasis> - [<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -139,16 +139,19 @@
|
|||||||
a <emphasis>port number</emphasis>; if the protocol is <emphasis
|
a <emphasis>port number</emphasis>; if the protocol is <emphasis
|
||||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||||
destination icmp-type(s).</para>
|
destination icmp-type(s).</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled DEST PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
|
<term><emphasis role="bold">SPORT</emphasis> - [<emphasis
|
||||||
[<emphasis
|
|
||||||
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Optional source port.</para>
|
<para>Optional source port.</para>
|
||||||
|
|
||||||
|
<para>This column was formerly labelled SOURCE PORT(S).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -286,8 +289,7 @@
|
|||||||
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
|
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
|
||||||
protocols.</para>
|
protocols.</para>
|
||||||
|
|
||||||
<programlisting> #CLASS SOURCE DEST PROTO DEST
|
<programlisting> #CLASS SOURCE DEST PROTO DPORT
|
||||||
# PORT
|
|
||||||
|
|
||||||
IPV4
|
IPV4
|
||||||
|
|
||||||
@ -308,8 +310,7 @@
|
|||||||
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
|
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
|
||||||
later).</para>
|
later).</para>
|
||||||
|
|
||||||
<programlisting> #CLASS SOURCE DEST PROTO DEST PRIORITY
|
<programlisting> #CLASS SOURCE DEST PROTO DPORT PRIORITY
|
||||||
# PORT
|
|
||||||
|
|
||||||
IPV6
|
IPV6
|
||||||
|
|
||||||
@ -338,6 +339,6 @@
|
|||||||
<para><ulink
|
<para><ulink
|
||||||
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink></para>
|
||||||
|
|
||||||
<para></para>
|
<para/>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
</refentry>
|
</refentry>
|
||||||
|
@ -1,181 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
||||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
||||||
<refentry>
|
|
||||||
<refmeta>
|
|
||||||
<refentrytitle>shorewall6-tos</refentrytitle>
|
|
||||||
|
|
||||||
<manvolnum>5</manvolnum>
|
|
||||||
|
|
||||||
<refmiscinfo>Configuration Files</refmiscinfo>
|
|
||||||
</refmeta>
|
|
||||||
|
|
||||||
<refnamediv>
|
|
||||||
<refname>tos</refname>
|
|
||||||
|
|
||||||
<refpurpose>Shorewall6 Type of Service rules file</refpurpose>
|
|
||||||
</refnamediv>
|
|
||||||
|
|
||||||
<refsynopsisdiv>
|
|
||||||
<cmdsynopsis>
|
|
||||||
<command>/etc/shorewall6/tos</command>
|
|
||||||
</cmdsynopsis>
|
|
||||||
</refsynopsisdiv>
|
|
||||||
|
|
||||||
<refsect1>
|
|
||||||
<title>Description</title>
|
|
||||||
|
|
||||||
<para>This file defines rules for setting Type Of Service (TOS). Its use
|
|
||||||
is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
|
|
||||||
<ulink url="/manpages6/shorewall6-mangle.html">shorewall6-mangle</ulink>
|
|
||||||
(5).</para>
|
|
||||||
|
|
||||||
<para>The columns in the file are as follows.</para>
|
|
||||||
|
|
||||||
<variablelist>
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
|
|
||||||
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
|
|
||||||
role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
|
|
||||||
role="bold">$FW</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>If <emphasis role="bold">all</emphasis>, may optionally be
|
|
||||||
followed by ":" and an IP address, a MAC address, a subnet
|
|
||||||
specification or the name of an interface.</para>
|
|
||||||
|
|
||||||
<para>Example: all:2002:ce7c::92b4:1::2</para>
|
|
||||||
|
|
||||||
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
|
||||||
separator.</para>
|
|
||||||
|
|
||||||
<para>Example: ~00-A0-C9-15-39-78</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
|
|
||||||
role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
|
|
||||||
role="bold">all</emphasis>:<emphasis>address</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Example: 2002:ce7c::92b4:1::2</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">PROTOCOL</emphasis> -
|
|
||||||
<emphasis>proto-name-or-number</emphasis></term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Protocol name or number.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> -
|
|
||||||
{-|<emphasis>port</emphasis>|<emphasis>lowport</emphasis><emphasis
|
|
||||||
role="bold">:</emphasis><emphasis>highport</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Source port or port range. If all ports, use "-".</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">DEST PORT(S)</emphasis> -
|
|
||||||
{-|<emphasis>port</emphasis>|<emphasis>lowport</emphasis><emphasis
|
|
||||||
role="bold">:</emphasis><emphasis>highport</emphasis>}</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Destination port or port range. If all ports, use "-"</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">TOS</emphasis> -
|
|
||||||
<emphasis>tos</emphasis></term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Must be one of the following;</para>
|
|
||||||
|
|
||||||
<programlisting> <emphasis role="bold">tos-minimize-delay</emphasis> (16)
|
|
||||||
<emphasis role="bold">tos-maximize-throughput</emphasis> (8)
|
|
||||||
<emphasis role="bold">tos-maximize-reliability</emphasis> (4)
|
|
||||||
<emphasis role="bold">tos-minimize-cost</emphasis> (2)
|
|
||||||
<emphasis role="bold">tos-normal-service</emphasis> (0)</programlisting>
|
|
||||||
|
|
||||||
<para>To specify more than one flag, add their values together and
|
|
||||||
specify the numeric result.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">MARK</emphasis> - [<emphasis
|
|
||||||
role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
|
|
||||||
role="bold">:C</emphasis>]</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>If you don't want to define a test but need to specify
|
|
||||||
anything in the following columns, place a "-" in this field.</para>
|
|
||||||
|
|
||||||
<variablelist>
|
|
||||||
<varlistentry>
|
|
||||||
<term>!</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Inverts the test (not equal)</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis>value</emphasis></term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Value of the packet or connection mark.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis>mask</emphasis></term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>A mask to be applied to the mark before testing.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><emphasis role="bold">:C</emphasis></term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Designates a connection mark. If omitted, the packet
|
|
||||||
mark's value is tested.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1>
|
|
||||||
<title>FILES</title>
|
|
||||||
|
|
||||||
<para>/etc/shorewall6/tos</para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
<refsect1>
|
|
||||||
<title>See ALSO</title>
|
|
||||||
|
|
||||||
<para><ulink
|
|
||||||
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
|
||||||
|
|
||||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
|
||||||
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5),
|
|
||||||
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
|
|
||||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
|
||||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
|
||||||
shorewall6-mangle(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
|
||||||
</refsect1>
|
|
||||||
</refentry>
|
|
@ -1442,9 +1442,11 @@ LOG:info:,bar net fw</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>This parameter specifies the directory/directories where your
|
<para>This parameter specifies the directory/directories where your
|
||||||
kernel netfilter modules may be found. If you leave the variable
|
kernel netfilter modules may be found. If you leave the variable
|
||||||
empty, Shorewall6 will supply "/lib/modules/`uname
|
empty, Shorewall will supply the value
|
||||||
-r`/kernel/net/ipv4/netfilter:/lib/modules/`uname
|
"/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
|
||||||
-r`/kernel/net/ipv4/netfilter".</para>
|
where <emphasis role="bold">uname</emphasis> holds the output of
|
||||||
|
'<command>uname -r</command>' and <emphasis
|
||||||
|
role="bold">g_family</emphasis> holds '6'.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|