holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add more man pages

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4889 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-11-15 21:05:32 +00:00
parent 3379252b88
commit 2244bdc84c
2 changed files with 462 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

218
manpages/shorewall-hosts.xml Normal file
View File

@ -0,0 +1,218 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry>
<refmeta>
<refentrytitle>shorewall-hosts</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>hosts</refname>
<refpurpose>Shorewall file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/hosts</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define zones in terms of subnets and/or
individual IP addresses. Most simple setups don't need to (should not)
place anything in this file.</para>
<para>The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are defined in
shorewall-zones(5) determines the order in which the records in this file
are interpreted. </para>
<warning>
<para>The only time that you need this file is when you have more than
one zone connected through a single interface.</para>
</warning>
<warning>
<para>If you have an entry for a zone and interface in
shorewall-interfaces(5) then do not include any entries in this file for
that same (zone, interface) pair.</para>
</warning>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ZONE</emphasis></term>
<listitem>
<para>The name of a zone defined in shorewall-zones(5). You may not
list the firewall zone in this column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HOST(S)</emphasis></term>
<listitem>
<para>The name of an interface defined in the
shorewall-interfaces(5) file followed by a colon (":") and a
comma-separated list whose elements are either:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The IP address of a host.</para>
</listitem>
<listitem>
<para>A network in CIDR format.</para>
</listitem>
<listitem>
<para>An IP address range of the form
<emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
Your kernel and iptables must have iprange match support.</para>
</listitem>
<listitem>
<para>A physical port name; only allowed when the interface
names a bridge created by the <command>brctl(8) addbr</command>
command. This port must not be defined in
shorewall-interfaces(5) and may optionally followed by a colon
(":") and a host or network IP or a range. See
http://www.shorewall.net/bridge.html for details. Specifying a
physical port name requires that you have BRIDGING=Yes in
shorewall.conf(5).</para>
</listitem>
</orderedlist>
<para>Examples:</para>
<simplelist>
<member>eth1:192.168.1.3</member>
<member>eth2:192.168.2.0/24</member>
<member>eth3:192.168.2.0/24,192.168.3.1</member>
<member>br0:eth4</member>
<member>br0:eth0:192.168.1.16/28</member>
<member>eth4:192.168.1.44-192.168.1.49</member>
<member>eth2:+Admin</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OPTIONS</emphasis></term>
<listitem>
<para>A comma-separated list of options from the following list. The
order in which you list the options is not significant but the list
should have no embedded white space.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">maclist</emphasis></term>
<listitem>
<para>Connection requests from these hosts are compared
against the contents of shorewall-maclist(5). If this option
is specified, the interface must be an ethernet NIC or
equivalent and must be up before Shorewall is started.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routeback</emphasis></term>
<listitem>
<para>Shorewall should set up the infrastructure to pass
packets from this/these address(es) back to themselves. This
is necessary if hosts in this group use the services of a
transparent proxy that is a member of the group or if DNAT is
used to send requests originating from this group to a server
in the group.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>This option only makes sense for ports on a
bridge.</para>
<para>Check packets arriving on this port against the
shorewall-blacklist(5) file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tcpflags</emphasis></term>
<listitem>
<para>Packets arriving from these hosts are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term>
<listitem>
<para>This option only makes sense for ports on a
bridge.</para>
<para>Filter packets for smurfs (packets with a broadcast
address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the
packets are dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipsec</emphasis></term>
<listitem>
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note
that if the zone named in the ZONE column is specified as an
IPSEC zone in the shorewall-zones(5) file then you do NOT need
to specify the 'ipsec' option here.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/hosts</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-interfaces(5), shorewall-ipsec(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>

244
manpages/shorewall-providers.xml Normal file
View File

@ -0,0 +1,244 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry>
<refmeta>
<refentrytitle>shorewall-providers</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>providers</refname>
<refpurpose>Shorewall Providers file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/providers</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to define additional routing tables. You will want
to define an additional table if:</para>
<itemizedlist>
<listitem>
<para>You have connections to more than one ISP or multiple
connections to the same ISP</para>
</listitem>
<listitem>
<para>You run Squid as a transparent proxy on a host other than the
firewall.</para>
</listitem>
<listitem>
<para>You have other requirements for policy routing.</para>
</listitem>
</itemizedlist>
<para>Each entry in the file defines a single routing table.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">NAME</emphasis></term>
<listitem>
<para>The provider name. Must be a valid shell variable name. The
names 'local', 'main', 'default' and 'unspec' are reserved and may
not be used as provider names.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NUMBER</emphasis></term>
<listitem>
<para>The provider number -- a number between 1 and 15. Each
provider must be assigned a unique value.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MARK</emphasis></term>
<listitem>
<para>A FWMARK value used in your shorewall-tcrules(5) file to
direct packets to this provider.</para>
<para>If HIGH_ROUTE_MARKS=Yes in shorewall.conf(5), then the value
must be a multiple of 256 between 256 and 65280 or their hexadecimal
equivalents (0x0100 and 0xff00 with the low-order byte of the value
being zero). Otherwise, the value must be between 1 and 255. Each
provider must be assigned a unique mark value.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DUPLICATE</emphasis></term>
<listitem>
<para>The name of an existing table to duplicate to create this
routing. May be 'main' or the name of a previous provider. You may
select only certain entries from the table to copy by using the COPY
column below.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis></term>
<listitem>
<para>The name of the network interface to the provider. Must be
listed in shorewall-interfaces(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis></term>
<listitem>
<para>The IP address of the provider's gateway router.</para>
<para>You can enter "detect" here and Shorewall will attempt to
detect the gateway automatically.</para>
<para>For PPP devices, you may omit this column.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">OPTIONS</emphasis> (Optional)</term>
<listitem>
<para>A comma-separated list selected from the following. The order
of the options is not significant but the list may contain no
embedded whitespace.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">track</emphasis></term>
<listitem>
<para>If specified, inbound connections on this interface are
to be tracked so that responses may be routed back out this
same interface.</para>
<para>You want to specify 'track' if internet hosts will be
connecting to local servers through this provider.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">balance</emphasis></term>
<listitem>
<para>The providers that have 'balance' specified will get
outbound traffic load-balanced among them. By default, all
interfaces with 'balance' specified will have the same weight
(1). You can change the weight of an interface by specifiying
balance=&lt;weight&gt; where &lt;weight&gt; is the weight of
the route out of this interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">loose</emphasis></term>
<listitem>
<para>Shorewall normally adds a routing rule for each IP
address on an interface which forces traffic whose source is
that IP address to be sent using the routing table for that
interface. Setting 'loose' prevents creation of such rules on
this interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">optional</emphasis></term>
<listitem>
<para> If the interface named in the INTERFACE column is not
up and configured with an IPv4 address then ignore this
provider. </para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">COPY</emphasis></term>
<listitem>
<para>A comma-separated lists of other interfaces on your firewall.
Usually used only when DUPLICATE is 'main'. Only copy routes through
INTERFACE and through interfaces listed here. If you only wish to
copy routes through INTERFACE, enter 'none' here.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
interface is eth2</para>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 1 - eth2 192.168.2.99 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>eth0 connects to ISP 1. The IP address of eth0 is
206.124.146.176 and the ISP's gateway router has IP address
206.124.146.254.</para>
<para>eth1 connects to ISP 2. The IP address of eth1 is
130.252.99.27 and the ISP's gateway router has IP address
130.252.99.254.</para>
<para>eth2 connects to a local network.</para>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 main eth0 206.124.146.254 track,balance eth2
ISP2 2 2 main eth1 130.252.99.254 track,balance eth2</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/providers</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-proxyarp(5), shorewall-route_routes(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>