holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Update Dynamic Zone document for 5.0

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-17 16:01:21 -08:00
parent 0b1588207d
commit 340ae1cca1
1 changed files with 3 additions and 242 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

245
docs/Dynamic.xml
View File

@ -49,140 +49,12 @@
support is based on <ulink support is based on <ulink
url="http://ipset.netfilter.org/">ipset</ulink>. Most current url="http://ipset.netfilter.org/">ipset</ulink>. Most current
distributions have ipset, but you may need to install the <ulink distributions have ipset, but you may need to install the <ulink
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para> url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
</section> package.</para>
<section id="xtables-addons">
<title>Installing xtables-addons</title>
<para>If your distribution does not have an xtables-addons package, the
xtables-addons are fairly easy to install. You do not need to recompile
your kernel.</para>
<para><trademark>Debian</trademark> users can find xtables-addons-common
and xtables-addons-source packages in <firstterm>testing</firstterm>. The
kernel modules can be built and installed with the help of
module-assistant. As of this writing, these packages are in the
<firstterm>admin</firstterm> group rather than in the
<firstterm>network</firstterm> group!!??</para>
<para>For other users, the basic steps are as follows:</para>
<orderedlist>
<listitem>
<para>Install gcc and make</para>
</listitem>
<listitem>
<para>Install the headers for the kernel you are running. In some
distributions, such as <trademark>Debian</trademark> and
<trademark>Ubuntu</trademark>, the packet is called kernel-headers.
For other distrubutions, such as OpenSuSE, you must install the
kernel-source package.</para>
</listitem>
<listitem>
<para>download the iptables source tarball</para>
</listitem>
<listitem>
<para>untar the source</para>
</listitem>
<listitem>
<para>cd to the iptables source directory</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>as root, run 'make install'</para>
</listitem>
<listitem>
<para>Your new iptables binary will now be installed in
/usr/local/sbin. Modify shorewall.conf to specify
IPTABLES=/usr/local/sbin/iptables</para>
</listitem>
<listitem>
<para>Download the latest xtables-addons source tarball</para>
</listitem>
<listitem>
<para>Untar the xtables-addons source</para>
</listitem>
<listitem>
<para>cd to the xtables-addons source directory</para>
</listitem>
<listitem>
<para>run './configure'</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>As root, cd to the xtables-addons directory and run 'make
install'.</para>
</listitem>
<listitem>
<para>Restart shorewall</para>
</listitem>
<listitem>
<para>'shorewall show capabilities' should now indicate<emphasis
role="bold"> Ipset Match: Available</emphasis></para>
</listitem>
</orderedlist>
<para>You will have to repeat steps 10-13 each time that you receive a
kernel upgrade from your distribution vendor. You can install
xtables-addons before booting to the new kernel as follows
(<emphasis>new-kernel-version</emphasis> is the version of the
newly-installed kernel - example <emphasis
role="bold">2.6.28.11-generic</emphasis>. Look in the /lib/modules
directory to get the full version name)</para>
<orderedlist>
<listitem>
<para>cd to the xtables-addons source directory</para>
</listitem>
<listitem>
<para>run 'make clean'</para>
</listitem>
<listitem>
<para>run './configure
--with-kbuild=/lib/modules/<emphasis>new-kernel-version</emphasis>/build
--with-ksource=/lib/modules/<emphasis>new-kernel-version</emphasis>/source'</para>
</listitem>
<listitem>
<para>run 'make'</para>
</listitem>
<listitem>
<para>As root, cd to the xtables-addons source directory and run 'make
install'.</para>
</listitem>
<listitem>
<para>As root, run 'depmod -a
<emphasis>new-kernel-version'</emphasis></para>
</listitem>
</orderedlist>
</section> </section>
<section> <section>
<title>Dynamic Zones -- Shorewall 4.5.9 and Later</title> <title>Dynamic Zones</title>
<para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in <para>Prior to Shorewall 4.5.9, when multiple records for a zone appear in
<filename>/etc/shorewall/hosts</filename>, Shorewall would create a <filename>/etc/shorewall/hosts</filename>, Shorewall would create a
@ -288,117 +160,6 @@ rsyncok:
</section> </section>
</section> </section>
<section id="Version-4.5.9">
<title>Dynamic Zones -- Shorewall 4.5.8 and Earlier.</title>
<para>The method described in this section is still supported in the later
releases.</para>
<section id="defining1">
<title>Defining a Dynamic Zone</title>
<para>A dynamic zone is defined by using the keyword <emphasis
role="bold">dynamic</emphasis> in the zones host list.</para>
<para>Example:</para>
<blockquote>
<para><filename>/etc/shorewall/zones</filename>:<programlisting>#NAME TYPE OPTIONS
loc ipv4
webok:loc ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth0 - …
</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting>#ZONE HOSTS OPTIONS
webok eth0:<emphasis role="bold">dynamic</emphasis></programlisting>
</blockquote>
<para>Once the above definition is added, Shorewall will automatically
create an ipset named <emphasis>webok_eth0</emphasis> the next time that
Shorewall is started or restarted. Shorewall will create an ipset of
type <firstterm>iphash</firstterm>. If you want to use a different type
of ipset, such as <firstterm>macipmap</firstterm>, then you will want to
manually create that ipset yourself before the next Shorewall
start/restart.</para>
<para>The dynamic zone capability was added to Shorewall6 in Shorewall
4.4.21.</para>
</section>
<section id="adding1">
<title>Adding a Host to a Dynamic Zone</title>
<para>Adding a host to a dynamic zone is accomplished by adding the
host's IP address to the appropriate ipset. Shorewall provldes a command
for doing that:</para>
<blockquote>
<para><command>shorewall add</command> <replaceable>interface:address
...</replaceable> <replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<para><command>shorewall add eth0:192.168.3.4 webok</command></para>
</blockquote>
<para>The command can only be used when the ipset involved is of type
iphash. For other ipset types, the <command>ipset</command> command must
be used directly.</para>
</section>
<section id="deleting">
<title>Deleting a Host from a Dynamic Zone</title>
<para>Deleting a host from a dynamic zone is accomplished by removing
the host's IP address from the appropriate ipset. Shorewall provldes a
command for doing that:</para>
<blockquote>
<para><command>shorewall delete</command>
<replaceable>interface:address ...</replaceable>
<replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<para><command>shorewall delete eth0:192.168.3.4
webok</command></para>
</blockquote>
<para>The command can only be used when the ipset involved is of type
iphash. For other ipset types, the <command>ipse t</command> command
must be used directly.</para>
</section>
<section id="listing1">
<title>Listing the Contents of a Dynamic Zone</title>
<para>The shorewall show command may be used to list the current
contents of a dynamic zone.</para>
<blockquote>
<para><command>shorewall show dynamic</command>
<replaceable>zone</replaceable></para>
</blockquote>
<para>Example:</para>
<blockquote>
<programlisting><command>shorewall show dynamic webok</command>
eth0:
192.168.3.4
192.168.3.9</programlisting>
</blockquote>
</section>
</section>
<section id="start-stop"> <section id="start-stop">
<title>Dynamic Zone Contents and Shorewall stop/start/restart</title> <title>Dynamic Zone Contents and Shorewall stop/start/restart</title>