forked from extern/shorewall_code
Change ipp2p default to '-p all'
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4985 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 7531108431
commit 31092957ed
@ -124,7 +124,7 @@ my_pathname() {
echo $PWD/$(basename $0)
}

##
#
# Source a user exit file if it exists
#
run_user_exit() # $1 = file name
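Review bot: No added or removed text is visible in this hunk, only the unchanged context from `echo $PWD/$(basename $0)` down to `run_user_exit() # $1 = file name`, so the -124,7 +124,7 change is a whitespace-only edit. It has nothing to do with the stated purpose "Change ipp2p default to '-p all'"; either drop it from this commit or mention it in the commit message so the history stays searchable.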
@ -66,7 +66,7 @@ process_tc_rule()
proto=${proto#*:}
;;
*)
proto=tcp
proto=all
;;
esac

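Review bot: Switching the `*)` default in process_tc_rule() from `proto=tcp` to `proto=all` is a behavioural change, not a cleanup: tcrules entries that relied on the implicit TCP-only match (the ipp2p case named in the commit message) will now be applied to every protocol. None of the releasenotes hunks in this commit mention it; add a Migration Considerations entry stating the new default, and confirm that every match reached through this branch accepts `all`, since the old default was narrower.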
@ -53,11 +53,11 @@ Migration Considerations:
to silently drop or reject traffic that would otherwise be logged
when the policy is enforced.

b) Ensure correct operation. Default actions can also avoid common
pitfalls like dropping connection requests on port TCP port
113. If these connections are dropped (rather than rejected)
then you may encounter problems connecting to internet services
that utilize the AUTH protocol of client authentication.
b) Insure correct operation. Default actions can also avoid common
pitfalls like dropping connection requests on TCP port 113. If
these connections are dropped (rather than rejected) then you
may encounter problems connecting to internet services that
utilize the AUTH protocol of client authentication.

In prior Shorewall versions, default actions (action.Drop and
action.Reject) were defined for DROP and REJECT policies in
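Review bot: The rewritten bullet turns "Ensure correct operation" into "Insure correct operation"; "Ensure" is the right word and the old line had it. Keep the fix for the doubled "on port TCP port 113" but restore "Ensure".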
@ -100,7 +100,8 @@ New Features:
- lib.actions. Must be available if you do not specify
USE_ACTIONS=No in /etc/shorewall/shorewall.conf.

- lib.base. The base Shorewall library required by all programs.
- lib.base. The base Shorewall library required by all programs,
including compiled firewall scripts.

- lib.cli. Library containing the code common to /sbin/shorewall,
/sbin/shorewall-lite.
@ -139,8 +140,6 @@ New Features:

- Omitting the macro files.
- Omitting all unused extension scripts.
- Stripping the comments (except for copyright) from the various
files.

2) As hinted in the previous bullet, there is a new USE_ACTIONS option
in /etc/shorewall/shorewall.conf. Shorewall actions can be very
@ -201,8 +200,8 @@ New Features:
refer to macro.Drop and macro.Reject.

If you set the value of either option to "None" then no default
action will be used and the default action or macro must be
specified in /etc/shorewall/policy
action will be used and the default action or macro (if any)
must be specified in /etc/shorewall/policy

- The POLICY column in /etc/shorewall/policy has been extended.

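Review bot: While this sentence is being edited, add the missing full stop after `/etc/shorewall/policy`; both the old and the new line end without one, and the paragraph ends there.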
@ -243,7 +242,7 @@ New Features:
|4 192.168.1.1

5) Previously, zone names were restricted to five characters in
length. That length derives from the --log-prefix in Netfilter log
length. That limit derives from the --log-prefix in Netfilter log
messages which must be 29 bytes or less in length. With the
standard Shorewall LOGFORMAT, that leaves 11 characters for the
chain name; given that many chain names are of the form
@ -254,9 +253,9 @@ New Features:
than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.

6) Netfilter provides support for attaching comments to Netfilter
rules. Comments can be up to 255 bytes in length and are
visible using the "shorewall show <chain>", "shorewall show nat",
6) Netfilter provides support for attachmend of comments to Netfilter
rules. Comments can be up to 255 bytes in length and are visible
using the "shorewall show <chain>", "shorewall show nat",
"shorewall show mangle" and "shorewall dump" commands. Comments are
delimited by '/* ... */" in the output.

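Review bot: The replacement line introduces a typo, "attachmend of comments"; either restore the original "attaching comments" or write "attachment of comments". While here, the context line `delimited by '/* ... */" in the output.` opens with a single quote and closes with a double quote; use one or the other.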
@ -264,14 +263,14 @@ New Features:
/etc/shorewall/rules, /etc/shorewall/tcrules, /etc/shorewall/nat
and /etc/shorewall/masq files and in action files. The remainder of
the line is treated as a comment and it will be attached as a
Netfilter comment to the rule(s) generated by the following entries
Netfilter comment to the rule(s) generated by succeding entries
in the file.

Note: Do not prefix the comment with "#". Shorewall's two-pass
compiler strips off "#" comments in the first pass and processes
COMMENT lines in the second pass. So by the time that COMMENT is
processed, the "#" and everything after it has been removed (see
example below).
COMMENT lines in the second pass. Hence, by the time that COMMENT
is processed, the "#" and everything following it has been removed
(see example below).

To stop the current comment from being attached to further
rules, simply include COMMENT on a line by itself (so that the
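Review bot: "succeding" in the replacement line should be "succeeding"; the original "the following entries" was already correct, so this edit swaps a clear phrase for a misspelled one. The "Hence, by the time" and "everything following it" rewordings are fine.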
@ -306,10 +305,10 @@ New Features:

8) A new 'maclog' extension file has been added. This file is
processed just before logging based on the setting of
MACLIST_LOG_LEVEL is done. When invoked, the CHAIN variable will
contain the name of the chain where rules should be inserted.
Remember that if you have specified MACLIST_TABLE=mangle, then your
run_iptables commands should include "-t mangle".
MACLIST_LOG_LEVEL is done. When the extension is invoked, the CHAIN
variable will contain the name of the chain where rules should be
inserted. Remember that if you have specified MACLIST_TABLE=mangle,
then your run_iptables commands should include "-t mangle".

9) The SUBNET column in /etc/shorewall/masq has been renamed SOURCE to
more accurately describe the contents of the column.
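Review bot: The sentence this hunk reflows, "This file is processed just before logging based on the setting of MACLIST_LOG_LEVEL is done.", is still ungrammatical after the edit; since the paragraph is being rewritten anyway, reword it, for example "This file is processed just before the logging selected by MACLIST_LOG_LEVEL is done."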
@ -350,10 +349,10 @@ New Features:
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
gateway:~ #

This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf.
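Review bot: The sample `shorewall show` listing drops the trailing `policy match dir out pol none` from the four wifi2all rules, but the surrounding text ("This redundancy may be eliminated by setting OPTIMIZE=1") does not say why the policy-match suffix went away. Confirm that the edited listing is what the current compiler emits for the configuration being illustrated, and state that configuration, so readers can reproduce the output before and after OPTIMIZE=1.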