forked from extern/shorewall_code
Format and grammar fixes.
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8660 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
46ec09dddf
commit
1de5404e67
@ -10,7 +10,7 @@ Changes in 4.2.0-Beta3
|
||||
|
||||
5) Fix COPY column.
|
||||
|
||||
6) Add macro.RNDC.
|
||||
6) Add macro.RNDC.
|
||||
|
||||
Changes in 4.2.0-Beta2
|
||||
|
||||
|
@ -36,20 +36,20 @@ Migration Issues.
|
||||
3) Specifying a destination zone in a NAT-only rule now generates a
|
||||
warning and the destination zone is ignored. NAT-only rules are:
|
||||
|
||||
NONAT
|
||||
REDIRECT-
|
||||
DNAT-
|
||||
NONAT
|
||||
REDIRECT-
|
||||
DNAT-
|
||||
|
||||
4) The default value for LOG_MARTIANS has been changed. Previously,
|
||||
the defaults were:
|
||||
|
||||
Shorewall-perl - 'Off'
|
||||
Shorewall-shell - 'No'
|
||||
Shorewall-perl - 'Off'
|
||||
Shorewall-shell - 'No'
|
||||
|
||||
The new default values are:
|
||||
|
||||
Shorewall-perl - 'On'
|
||||
Shorewall-shell - 'Yes'.
|
||||
Shorewall-perl - 'On'
|
||||
Shorewall-shell - 'Yes'.
|
||||
|
||||
Shorewall-perl users may:
|
||||
|
||||
@ -200,16 +200,16 @@ New Features in Shorewall 4.2.
|
||||
|
||||
/etc/shorewall/route_rules:
|
||||
|
||||
#SOURCE DEST PROVIDER PRIORITY
|
||||
- 206.124.146.0/24 Blarg 1000
|
||||
- 130.252.144.0/24 Avvanta 1000
|
||||
206.124.146.177 - Blarg 26000
|
||||
#SOURCE DEST PROVIDER PRIORITY
|
||||
- 206.124.146.0/24 Blarg 1000
|
||||
- 130.252.144.0/24 Avvanta 1000
|
||||
206.124.146.177 - Blarg 26000
|
||||
|
||||
/etc/shorewall/tcrules
|
||||
|
||||
#MARK/CLASSIFY SOURCE DEST
|
||||
1 eth0:206.124.146.0/24 0.0.0.0/0
|
||||
2 eth0:130.242.144.0/24 0.0.0.0/0
|
||||
#MARK/CLASSIFY SOURCE DEST
|
||||
1 eth0:206.124.146.0/24 0.0.0.0/0
|
||||
2 eth0:130.242.144.0/24 0.0.0.0/0
|
||||
|
||||
2) You may now include the name of a table (nat, mangle or filter) in
|
||||
a 'shorewall refresh' command by following the table name with a
|
||||
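Review bot: the route_rules and tcrules examples in this hunk disagree on the second provider's network. route_rules routes 130.252.144.0/24 via Avvanta, but the tcrules line for mark 2 matches eth0:130.242.144.0/24. Since mark 2 is the one meant to pair with the Avvanta route rule, one of the two should be corrected (presumably the tcrules line, to 130.252.144.0/24) so the worked example is internally consistent; this hunk is already touching both lines.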
@ -218,7 +218,7 @@ New Features in Shorewall 4.2.
|
||||
|
||||
Example:
|
||||
|
||||
shorewall refresh nat:
|
||||
shorewall refresh nat:
|
||||
|
||||
3) When no chain name is given to the 'shorewall refresh' command, the
|
||||
mangle table is refreshed along with the blacklist chain (if
|
||||
@ -243,11 +243,11 @@ New Features in Shorewall 4.2.
|
||||
|
||||
/etc/shorewall/shorewall.conf:
|
||||
|
||||
MACLIST_LOG_LEVEL=NFLOG(1,0,1)
|
||||
MACLIST_LOG_LEVEL=NFLOG(1,0,1)
|
||||
|
||||
/etc/shorewall/rules:
|
||||
|
||||
ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080
|
||||
ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080
|
||||
|
||||
5) Shorewall-perl 4.2 implements an alternative syntax for macro
|
||||
parameters and for the NFQUEUE queue number. Rather than following
|
||||
@ -256,8 +256,8 @@ New Features in Shorewall 4.2.
|
||||
|
||||
Examples -- each pair shown below are equivalent:
|
||||
|
||||
DNS/ACCEPT DNS(ACCEPT)
|
||||
NFQUEUE/3 NFQUEUE(3)
|
||||
DNS/ACCEPT DNS(ACCEPT)
|
||||
NFQUEUE/3 NFQUEUE(3)
|
||||
|
||||
The old syntax will still be accepted but will cease to be documented
|
||||
in some future Shorewall release.
|
||||
@ -276,17 +276,17 @@ New Features in Shorewall 4.2.
|
||||
the verbosity at which logging will occur. It uses the same
|
||||
value range as VERBOSITY:
|
||||
|
||||
-1 Do not log
|
||||
0 Almost quiet
|
||||
1 Only major steps
|
||||
2 Verbose
|
||||
-1 Do not log
|
||||
0 Almost quiet
|
||||
1 Only major steps
|
||||
2 Verbose
|
||||
|
||||
c) An absolute VERBOSITY may be specified on the command line
|
||||
using the -v option followed by -1,0,1 or 2.
|
||||
|
||||
Example:
|
||||
Example:
|
||||
|
||||
shorewall -v2 check
|
||||
shorewall -v2 check
|
||||
|
||||
d) The /etc/init.d/shorewall script supplied with the
|
||||
shorewall.net packages sets '-v0' as the default. This may be
|
||||
@ -296,17 +296,17 @@ New Features in Shorewall 4.2.
|
||||
Logging occurs on both Shorewall-perl and the generated script when
|
||||
the following commands are issued:
|
||||
|
||||
start
|
||||
restart
|
||||
refresh
|
||||
start
|
||||
restart
|
||||
refresh
|
||||
|
||||
Messages in the log are always timestamped.
|
||||
|
||||
This change implemented two new options to the Shorewall-perl
|
||||
compiler (/usr/share/shorewall-perl/compiler.pl).
|
||||
|
||||
--log=<logfile>
|
||||
--log_verbosity={-1|0-2}
|
||||
--log=<logfile>
|
||||
--log_verbosity={-1|0-2}
|
||||
|
||||
The --log option is ignored when --log_verbosity is not supplied or
|
||||
is supplied with value -1.
|
||||
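Review bot: "This change implemented two new options to the Shorewall-perl compiler" mixes past tense with a release-notes item and uses an odd preposition; for a commit whose purpose is grammar fixes, "This change adds two new options to the Shorewall-perl compiler" reads better.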
@ -315,35 +315,35 @@ New Features in Shorewall 4.2.
|
||||
Shorewall::Compiler::compile(), that function has been changed to
|
||||
use named parameters. Parameter names are:
|
||||
|
||||
object Object file. If omitted or '', the
|
||||
configuration is syntax checked.
|
||||
directory Directory. If omitted or '', configuration
|
||||
files are located using
|
||||
CONFIG_PATH. Otherwise, the directory named by
|
||||
this parameter is searched first.
|
||||
verbosity Verbosity; range -1 to 2
|
||||
timestamp 0|1 -- timestamp messages.
|
||||
debug 0|1 -- include stack trace in warning/error
|
||||
messages.
|
||||
export 0|1 -- compile for export.
|
||||
chains List of chains to be reloaded by 'refresh'.
|
||||
log File to log compiler messages to.
|
||||
log_verbosity Log Verbosity; range -1 to 2.
|
||||
object Object file. If omitted or '', the
|
||||
configuration is syntax checked.
|
||||
directory Directory. If omitted or '', configuration
|
||||
files are located using
|
||||
CONFIG_PATH. Otherwise, the directory named by
|
||||
this parameter is searched first.
|
||||
verbosity Verbosity; range -1 to 2
|
||||
timestamp 0|1 -- timestamp messages.
|
||||
debug 0|1 -- include stack trace in warning/error
|
||||
messages.
|
||||
export 0|1 -- compile for export.
|
||||
chains List of chains to be reloaded by 'refresh'.
|
||||
log File to log compiler messages to.
|
||||
log_verbosity Log Verbosity; range -1 to 2.
|
||||
|
||||
Those parameters that are supplied must have defined values.
|
||||
|
||||
Defaults are:
|
||||
|
||||
object '' ('check' command)
|
||||
directory ''
|
||||
verbosity 1
|
||||
timestamp 0
|
||||
debug 0
|
||||
export 0
|
||||
chains ''
|
||||
log ''
|
||||
log_verbosity -1
|
||||
|
||||
object '' ('check' command)
|
||||
directory ''
|
||||
verbosity 1
|
||||
timestamp 0
|
||||
debug 0
|
||||
export 0
|
||||
chains ''
|
||||
log ''
|
||||
log_verbosity -1
|
||||
|
||||
|
||||
Example:
|
||||
|
||||
@ -352,7 +352,7 @@ New Features in Shorewall 4.2.
|
||||
|
||||
compiler( object => '/root/firewall',
|
||||
log => '/root/compile.log',
|
||||
log_verbosity => 2 );
|
||||
log_verbosity => 2 );
|
||||
|
||||
7) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
|
||||
mark values < 256 to be assigned in the OUTPUT chain. This has been
|
||||
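Review bot: the example call is `compiler( object => '/root/firewall', ... )`, but the function described in the preceding item is Shorewall::Compiler::compile() with named parameters. The example should call compile( ... ) so that readers copying it invoke the documented entry point rather than a name that does not appear anywhere else in the text.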
@ -371,7 +371,7 @@ New Features in Shorewall 4.2.
|
||||
column. Currently only a single option is defined.
|
||||
|
||||
classify When specified, you must use explicit CLASSIFY tcrules
|
||||
to classify traffic by class. Shorewall will not create
|
||||
to classify traffic by class. Shorewall will not create
|
||||
any CLASSIFY rules to classify traffic by mark value.
|
||||
|
||||
See http://www.shorewall.net/traffic_shaping.htm for further
|
||||
@ -386,25 +386,25 @@ New Features in Shorewall 4.2.
|
||||
when the top-level macro was invoked. This allows the
|
||||
following:
|
||||
|
||||
/etc/shorewall/macro.SSH:
|
||||
/etc/shorewall/macro.SSH:
|
||||
|
||||
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
COMMENT My SSH Macro
|
||||
PARAM - - tcp 22
|
||||
#ACTION SOURCE PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
COMMENT My SSH Macro
|
||||
PARAM - - tcp 22
|
||||
|
||||
/etc/shorewall/rules:
|
||||
/etc/shorewall/rules:
|
||||
|
||||
COMMENT Allow SSH from home
|
||||
SSH/ALLOW net:$MYIP $FW
|
||||
COMMENT
|
||||
COMMENT Allow SSH from home
|
||||
SSH/ALLOW net:$MYIP $FW
|
||||
COMMENT
|
||||
|
||||
The comment line in macro.SSH will not override the
|
||||
COMMENT line in the rules file and the generated rule will show
|
||||
The comment line in macro.SSH will not override the
|
||||
COMMENT line in the rules file and the generated rule will show
|
||||
|
||||
/* Allow SSH from home */
|
||||
/* Allow SSH from home */
|
||||
|
||||
when displayed through the Shorewall show and dump commands.
|
||||
when displayed through the Shorewall show and dump commands.
|
||||
|
||||
If a macro is invoked and there is no current comment, then the
|
||||
name of the macro automatically becomes the current comment. This
|
||||
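Review bot: two details of the macro.SSH example do not line up with the rest of the file. The column comment reads "#ACTION SOURCE PROTO DEST SOURCE RATE USER/" with no DEST column, yet the body line "PARAM - - tcp 22" carries ACTION, SOURCE, DEST, PROTO and DEST PORT(S); the FORMAT 2 macro header later in this file ("#ACTION SOURCE DEST PROTO DEST SOURCE ...") shows the intended layout. And the rules example invokes "SSH/ALLOW", whereas the later example in this file uses "SSH/ACCEPT"; ACCEPT is the action name used everywhere else here, so ALLOW looks like a typo. Suggest inserting DEST into the header and changing ALLOW to ACCEPT while this hunk is reindenting those lines.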
@ -429,7 +429,7 @@ New Features in Shorewall 4.2.
|
||||
|
||||
Example:
|
||||
|
||||
OWNER=foo GROUP=bar ./install.sh
|
||||
OWNER=foo GROUP=bar ./install.sh
|
||||
|
||||
To install Shorewall-perl under Cygwin:
|
||||
|
||||
@ -450,9 +450,9 @@ New Features in Shorewall 4.2.
|
||||
16) Specifying a destination zone in a NAT-only rule now generates a
|
||||
warning and the destination zone is ignored. NAT-only rules are:
|
||||
|
||||
NONAT
|
||||
REDIRECT-
|
||||
DNAT-
|
||||
NONAT
|
||||
REDIRECT-
|
||||
DNAT-
|
||||
|
||||
17) The /etc/shorewall/masq and /etc/shorewall/nat file now accept a
|
||||
comma-separated list of interface names where before only a single
|
||||
@ -469,26 +469,26 @@ New Features in Shorewall 4.2.
|
||||
/etc/shorewall/masq:
|
||||
|
||||
#INTERFACE SOURCE ADDRESS
|
||||
eth0,eth1 eth2 1.2.3.4
|
||||
eth0,eth1 eth2 1.2.3.4
|
||||
|
||||
equivalent to:
|
||||
|
||||
#INTERFACE SOURCE ADDRESS
|
||||
eth0 eth2 1.2.3.4
|
||||
eth1 eth2 1.2.3.4
|
||||
eth0 eth2 1.2.3.4
|
||||
eth1 eth2 1.2.3.4
|
||||
|
||||
Example 2:
|
||||
|
||||
/etc/shorewall/masq:
|
||||
|
||||
#INTERFACE SOURCE ADDRESS
|
||||
eth0,eth1::192.168.1.0/24 eth2 1.2.3.4
|
||||
#INTERFACE SOURCE ADDRESS
|
||||
eth0,eth1::192.168.1.0/24 eth2 1.2.3.4
|
||||
|
||||
equivalent to:
|
||||
|
||||
#INTERFACE SOURCE ADDRESS
|
||||
eth0::192.168.1.0/24 eth2 1.2.3.4
|
||||
eth1::192.168.1.0/24 eth2 1.2.3.4
|
||||
eth0::192.168.1.0/24 eth2 1.2.3.4
|
||||
eth1::192.168.1.0/24 eth2 1.2.3.4
|
||||
|
||||
Example 3:
|
||||
|
||||
@ -513,11 +513,11 @@ New Features in Shorewall 4.2.
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
vpn tun+
|
||||
vpn tun+
|
||||
|
||||
/etc/shorewall/masq:
|
||||
|
||||
tun1 192.168.4.0/24
|
||||
tun1 192.168.4.0/24
|
||||
|
||||
19) Previously, Shorewall classified non-firewall zones as either
|
||||
'simple' or 'complex'. Attributes of a zone which made it 'complex'
|
||||
@ -564,7 +564,7 @@ New Features in Shorewall 4.2.
|
||||
|
||||
So, if you have this rule:
|
||||
|
||||
SSH/ACCEPT loc fw
|
||||
SSH/ACCEPT loc fw
|
||||
|
||||
then the generated netfilter rule will include "/* SSH */" when
|
||||
viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall
|
||||
@ -594,9 +594,9 @@ New Features in Shorewall 4.2.
|
||||
|
||||
Example:
|
||||
|
||||
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
|
||||
1:eth0 1300kbit 384kbit classify
|
||||
2:eth1 5600kbit 1000kbit
|
||||
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
|
||||
1:eth0 1300kbit 384kbit classify
|
||||
2:eth1 5600kbit 1000kbit
|
||||
|
||||
In /etc/shorewall/tcclasses:
|
||||
|
||||
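Review bot: the tcdevices column header still reads "IN-BANDWITH" on both sides of this hunk; it should be "IN-BANDWIDTH", matching the spelling in the later tcdevices example ("#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS"). Worth fixing since the commit is already touching the line.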
@ -634,26 +634,26 @@ New Features in Shorewall 4.2.
|
||||
|
||||
Example:
|
||||
|
||||
ursa:~ # modprobe ifb numifbs=1
|
||||
ursa:~ # ip link ls
|
||||
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
|
||||
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
|
||||
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
||||
link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff
|
||||
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
||||
link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff
|
||||
ursa:~ # modprobe ifb numifbs=1
|
||||
ursa:~ # ip link ls
|
||||
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
|
||||
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
|
||||
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
||||
link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff
|
||||
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
||||
link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff
|
||||
4: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
|
||||
link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff
|
||||
ursa:~ #
|
||||
link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff
|
||||
ursa:~ #
|
||||
|
||||
After you have created the IFB(s), you must bring it(them) up:
|
||||
|
||||
ip link set dev ifb0 up
|
||||
ip link set dev ifb0 up
|
||||
|
||||
You can place all of this in /etc/shorewall/init as follows:
|
||||
|
||||
modprobe ifb numifbs=1
|
||||
ip link set dev ifb0 up
|
||||
modprobe ifb numifbs=1
|
||||
ip link set dev ifb0 up
|
||||
|
||||
The /etc/shorewall/tcdevices file has been extended to include an
|
||||
additional REDIRECTED DEVICES column. To convert your configuration
|
||||
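Review bot: "After you have created the IFB(s), you must bring it(them) up" is awkward for a grammar-fixes commit; "you must bring the IFB device(s) up" or simply "you must bring them up" reads more naturally and matches the "ip link set dev ifb0 up" line that follows.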
@ -662,15 +662,15 @@ New Features in Shorewall 4.2.
|
||||
a) Look at your current /etc/shorewall/tcdevices file. Suppose you
|
||||
have:
|
||||
|
||||
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS
|
||||
eth0 1300kbit 384kbit -
|
||||
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS
|
||||
eth0 1300kbit 384kbit -
|
||||
|
||||
Change it as follows:
|
||||
|
||||
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
# DEVICES
|
||||
eth0 - 384kkbit -
|
||||
ifb0 - 1300kbit - eth0
|
||||
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
# DEVICES
|
||||
eth0 - 384kkbit -
|
||||
ifb0 - 1300kbit - eth0
|
||||
|
||||
Note that the old IN-BANDWIDTH for eth0 has become the
|
||||
OUT-BANDWIDTH for ifb0 and that neither device has an
|
||||
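Review bot: the converted tcdevices entry carries a typo: "eth0 - 384kkbit -" should be "384kbit", as in the original entry shown just above it ("eth0 1300kbit 384kbit -"). As written, a reader copying the conversion example would get an invalid bandwidth value for eth0's OUT-BANDWIDTH.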
@ -695,32 +695,32 @@ New Features in Shorewall 4.2.
|
||||
|
||||
INTERFACE:CLASS
|
||||
|
||||
The interface name or number followed by a colon (":")
|
||||
and the class number.
|
||||
The interface name or number followed by a colon (":")
|
||||
and the class number.
|
||||
|
||||
SOURCE
|
||||
Source IP address. May be a host or network address.
|
||||
Specify "-" if any SOURCE address should match.
|
||||
Specify "-" if any SOURCE address should match.
|
||||
|
||||
DEST
|
||||
Destination IP address. May be a host or network
|
||||
address. Specify "-" if any DEST address should match.
|
||||
Destination IP address. May be a host or network
|
||||
address. Specify "-" if any DEST address should match.
|
||||
|
||||
PROTO
|
||||
Protocol Name/Number. Specify "-" if any PROTO should
|
||||
match.
|
||||
Protocol Name/Number. Specify "-" if any PROTO should
|
||||
match.
|
||||
|
||||
DEST PORT(S)
|
||||
A comma-separated list of destination ports. May only
|
||||
be given if the PROTO is tcp, udp, icmp or
|
||||
sctp. Port ranges may be used, except when the PROTO is
|
||||
icmp. Specify "-" if any PORT should match.
|
||||
A comma-separated list of destination ports. May only
|
||||
be given if the PROTO is tcp, udp, icmp or
|
||||
sctp. Port ranges may be used, except when the PROTO is
|
||||
icmp. Specify "-" if any PORT should match.
|
||||
|
||||
SOURCE PORT(S)
|
||||
A comma-separated list of source port. May only be
|
||||
given if the PROTO is tcp, udp or sctp. Port ranges
|
||||
may be used unless the protocol is icmp. Specify "-" if
|
||||
any PORT should match.
|
||||
A comma-separated list of source port. May only be
|
||||
given if the PROTO is tcp, udp or sctp. Port ranges
|
||||
may be used unless the protocol is icmp. Specify "-" if
|
||||
any PORT should match.
|
||||
|
||||
Entries in /etc/shorewall/tcfilters generate U32 tc filters which
|
||||
may be displayed using the "shorewall show filters" ("shorewall-lite
|
||||
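Review bot: in the SOURCE PORT(S) description, "A comma-separated list of source port" should be "source ports", and the clause "Port ranges may be used unless the protocol is icmp" contradicts the preceding sentence, which restricts SOURCE PORT(S) to tcp, udp or sctp. Drop the icmp exception from SOURCE PORT(S); it belongs only under DEST PORT(S), where icmp is an allowed PROTO.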
@ -745,23 +745,23 @@ New Features in Shorewall 4.2.
|
||||
|
||||
where <gw> is the interface name:
|
||||
|
||||
- in upper case
|
||||
- with any characters not allowed in shell variable names
|
||||
replaced by '_'.
|
||||
- in upper case
|
||||
- with any characters not allowed in shell variable names
|
||||
replaced by '_'.
|
||||
|
||||
Example (from OpenWRT):
|
||||
|
||||
Interface: eth0.1
|
||||
Variable: ETH0_1_GATEWAY
|
||||
Interface: eth0.1
|
||||
Variable: ETH0_1_GATEWAY
|
||||
/etc/shorewall/init:
|
||||
|
||||
ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway)
|
||||
ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway)
|
||||
|
||||
29) A new CONNBYTES column has been added to the tcrules file. The
|
||||
column defines a byte or packet range that the connection must fall
|
||||
within in order for the rule to match. The contents are:
|
||||
|
||||
[!]<min>:[<max>[:{O|R|B}[:{B|P|A}]]]
|
||||
[!]<min>:[<max>[:{O|R|B}[:{B|P|A}]]]
|
||||
|
||||
! matches if the the packet/byte count is not within the range
|
||||
defined by <min> and <max>.
|
||||
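Review bot: the context line "! matches if the the packet/byte count is not within the range" has a doubled "the"; since this commit is already a grammar pass over this item, fix it to "matches if the packet/byte count".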
@ -790,7 +790,7 @@ New Features in Shorewall 4.2.
|
||||
|
||||
Examples:
|
||||
|
||||
1000000: - Connection has transferred a total of
|
||||
1000000: - Connection has transferred a total of
|
||||
at least 1,000,000 bytes.
|
||||
|
||||
1000000::R - Connection has transferred at least
|
||||
@ -799,8 +799,8 @@ New Features in Shorewall 4.2.
|
||||
large download).
|
||||
|
||||
1000000::O:P - Connection has sent at least 1,000,000
|
||||
packets in the direction of the original
|
||||
connection.
|
||||
packets in the direction of the original
|
||||
connection.
|
||||
|
||||
30) A new MANGLE_ENABLED option is added to shorewall.conf. The default
|
||||
setting is 'Yes' which causes Shorewall to assume responsibility for
|
||||
@ -828,7 +828,7 @@ New Features in Shorewall 4.2.
|
||||
columns. So that Shorewall-perl can determine which column layout
|
||||
each macro has, a new FORMAT directive is added:
|
||||
|
||||
FORMAT {1|2}
|
||||
FORMAT {1|2}
|
||||
|
||||
The default is FORMAT 1 which is the old format. FORMAT 2 specifies
|
||||
that the macro is in the new format.
|
||||
@ -839,12 +839,12 @@ New Features in Shorewall 4.2.
|
||||
|
||||
The macro body is:
|
||||
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
FORMAT 2
|
||||
PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
|
||||
DEST - - - - - -
|
||||
PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
|
||||
PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
|
||||
DEST - - - - - -
|
||||
PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
The 'norfc1918' option on the interface associated with zone 'z'
|
||||
@ -875,7 +875,6 @@ New Features in Shorewall 4.2.
|
||||
35) Previously, when IP_FORWARDING=Yes in shorewall.conf, Shorewall
|
||||
would enable ip forwarding before instantiating the rules. This
|
||||
could lead to incorrect connection tracking entries being created
|
||||
|
||||
between the time that forwarding was enabled and when the nat table
|
||||
rules were instantiated.
|
||||
|
||||
@ -904,12 +903,12 @@ New Features in Shorewall 4.2.
|
||||
39) A 'save' extension script is added. The script is run after
|
||||
iptables-save has completed successfully.
|
||||
|
||||
The 'load' and 'reload' commands copy the save script (if any) to
|
||||
/etc/shorewall-lite/ on the remove firewall system. The 'export'
|
||||
command copies the file to the same directory as the 'firewall' and
|
||||
'firewall.conf' scripts.
|
||||
The 'load' and 'reload' commands copy the save script (if any) to
|
||||
/etc/shorewall-lite/ on the remove firewall system. The 'export'
|
||||
command copies the file to the same directory as the 'firewall' and
|
||||
'firewall.conf' scripts.
|
||||
|
||||
I have the following commands in my 'save' script:
|
||||
I have the following commands in my 'save' script:
|
||||
|
||||
[ -s /root/ipsets.save ] && cp -a /root/ipsets.save /root/ipsets.save.backup
|
||||
ipset -S > /root/ipsets.save
|
||||
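Review bot: "on the remove firewall system" in the 'load'/'reload' sentence should read "on the remote firewall system"; the line is reindented by this hunk but the typo is carried over unchanged.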
@ -921,10 +920,10 @@ New Features in Shorewall 4.2.
|
||||
|
||||
if [ "$COMMAND" = start ]; then
|
||||
ipset -U :all: :all:
|
||||
ipset -U :all: :default:
|
||||
ipset -F
|
||||
ipset -X
|
||||
ipset -R < /root/ipsets.save
|
||||
ipset -U :all: :default:
|
||||
ipset -F
|
||||
ipset -X
|
||||
ipset -R < /root/ipsets.save
|
||||
fi
|
||||
|
||||
Those two scripts allow me to save and restore the contents of my
|
||||
|
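Review bot: the restore block runs "ipset -R < /root/ipsets.save" unconditionally, while the save script guards its copy with "[ -s /root/ipsets.save ]". On a first start before any save has happened the redirect fails on a missing file, and by that point "ipset -F" and "ipset -X" have already flushed and destroyed the existing sets, so a failed restore leaves the firewall with no sets at all. Consider guarding the restore the same way, e.g. "[ -s /root/ipsets.save ] && ipset -R < /root/ipsets.save", or checking the file before the -F/-X pair.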