From bb7d41234b224fbf489be0dbc7a1ade808a01cc1 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 09:21:58 +0200 Subject: [PATCH 001/141] ECN: 2006-01-17 is not recent Signed-off-by: Tuomo Soini --- docs/ECN.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ECN.xml b/docs/ECN.xml index 9b3c2f656..b31f67d21 100644 --- a/docs/ECN.xml +++ b/docs/ECN.xml @@ -41,7 +41,7 @@ - 2006-01-17. The ECN Netfilter target in recent 2.6 Linux Kernels is + 2006-01-17. The ECN Netfilter target in some 2.6 Linux Kernels is broken. Symptoms are that you will be unable to establish a TCP connection to hosts defined in the /etc/shorewall/ecn file. From 457147b7f546a9bc7d85c62f1fdbf62c17159642 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 09:27:42 +0200 Subject: [PATCH 002/141] ISO-3661: update rules header to new format Signed-off-by: Tuomo Soini --- docs/ISO-3661.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/ISO-3661.xml b/docs/ISO-3661.xml index e7729bbf8..5aaad88da 100644 --- a/docs/ISO-3661.xml +++ b/docs/ISO-3661.xml @@ -49,9 +49,11 @@ /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST - # PORT(S) - DROP:info net:^[A1,A2] dmz tcp 25 + #ACTION SOURCE DEST PROTO DPORT + + ?SECTION NEW + + DROP:info net:^[A1,A2] dmz tcp 25 Using this feature requires the GeoIP Match From 4a44cc787e643c668264b789bbed99c83ef1a829 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 09:45:50 +0200 Subject: [PATCH 003/141] IPv6Support: Add missing DEST to samples and update header format Signed-off-by: Tuomo Soini --- docs/IPv6Support.xml | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/docs/IPv6Support.xml b/docs/IPv6Support.xml index c20ffe480..e26363d22 100644 --- a/docs/IPv6Support.xml +++ b/docs/IPv6Support.xml 
@@ -187,10 +187,8 @@ If you are using a 6to4 tunnel for your IPv6 connectivity, you need an entry in - /etc/shorewall/tunnels.#TYPE ZONE GATEWAY GATEWAY -# ZONE -6to4 net -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + /etc/shorewall/tunnels.#TYPE ZONE GATEWAY GATEWAY_ZONE +6to4 net @@ -409,9 +407,11 @@ Example (/etc/shorewall6/rules): - #ACTION SOURCE DEST PROTO DEST -# PORT(S) -ACCEPT net $FW:[2002:ce7c:92b4::3] tcp 22 + #ACTION SOURCE DEST PROTO DPORT + +?SECTION NEW + +ACCEPT net $FW:[2002:ce7c:92b4::3] tcp 22 When the colon is preceeded by an interface name, the angle brackets are required. This is true @@ -419,9 +419,11 @@ ACCEPT net $FW:[2002:ce7c:92b4::3] tcp 22 Example (/etc/shorewall6/rules): - #ACTION SOURCE DEST PROTO DEST -# PORT(S) -ACCEPT net:wlan0:[2002:ce7c:92b4::3] tcp 22 + #ACTION SOURCE DEST PROTO DPORT + +?SECTION NEW + +ACCEPT net:wlan0:[2002:ce7c:92b4::3] $FW tcp 22 Prior to Shorewall 4.5.4, angled brackets ("<" and ">") were used. While these are still accepted, their use is deprecated @@ -429,9 +431,11 @@ ACCEPT net:wlan0:[2002:ce7c:92b4::3] tcp 22 Example (/etc/shorewall6/rules): - #ACTION SOURCE DEST PROTO DEST -# PORT(S) -ACCEPT net:wlan0:<2002:ce7c:92b4::3> tcp 22 + #ACTION SOURCE DEST PROTO DPORT + +SECTION NEW + +ACCEPT net:wlan0:<2002:ce7c:92b4::3> $FW tcp 22 Prior to Shorewall 4.5.9, network addresses were required to be enclosed in either angle brackets or square brackets (e.g. From cc2ae454a031c4c36492ff4c99025fefbef732d0 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 09:54:16 +0200 Subject: [PATCH 004/141] IPP2P: update mangle headers Signed-off-by: Tuomo Soini --- docs/IPP2P.xml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/docs/IPP2P.xml b/docs/IPP2P.xml index a271c241e..61723543a 100644 --- a/docs/IPP2P.xml +++ b/docs/IPP2P.xml 
@@ -194,14 +194,14 @@ tcp 6 269712 ESTABLISHED src=192.168.3.8 dst=206.124.146.177 sport=50584 dp These are implemented in the /etc/shorewall/tcrules and /etc/shorewall/mangle files as follows: - #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST -# PORT(S) -RESTORE:P - - tcp -CONTINUE:P - - tcp - - - !0 -1:P - - ipp2p ipp2p -SAVE:P - - tcp - - - 1 -1:12 - eth0 - - - - 1 -2:12 - eth1 - - - - 1 + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST + +RESTORE:P - - tcp +CONTINUE:P - - tcp - - - !0 +1:P - - ipp2p ipp2p +SAVE:P - - tcp - - - 1 +1:12 - eth0 - - - - 1 +2:12 - eth1 - - - - 1 These rules do exactly the same thing as their counterparts described above. @@ -209,14 +209,14 @@ SAVE:P - - tcp - - One change that I recommend --do your marking in the FORWARD chain rather than in the PREROUTING chain: - #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST -# PORT(S) -RESTORE:F - - tcp -CONTINUE:F - - tcp - - - !0 -1:F - - ipp2p ipp2p -SAVE:F - - tcp - - - 1 -1:12 - eth0 - - - - 1 -2:12 - eth1 - - - - 1 + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST + +RESTORE:F - - tcp +CONTINUE:F - - tcp - - - !0 +1:F - - ipp2p ipp2p +SAVE:F - - tcp - - - 1 +1:12 - eth0 - - - - 1 +2:12 - eth1 - - - - 1 It will work the same and will work with a Multi-ISP setup. From 4014fdb204f15722b2eafd0ba2cde94f837098be Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 13:55:52 +0200 Subject: [PATCH 005/141] LXC: update header Signed-off-by: Tuomo Soini --- docs/LXC.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/LXC.xml b/docs/LXC.xml index 7eaa3ec07..5fecf806c 100644 --- a/docs/LXC.xml +++ b/docs/LXC.xml 
@@ -100,7 +100,7 @@ lxc.network.ipv6=2001:470:b:227::43/124 accessible from the LOC zone, the following entries are required in /etc/shorewall6/proxyndp: - #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT + #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 2001:470:b:227::41 - eth1 Yes Yes 2001:470:b:227::42 - eth1 Yes Yes 2001:470:b:227::43 - eth1 Yes Yes From 97b3dd244adb6157ca626d7ff436b0fc91abf0b3 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 14:31:00 +0200 Subject: [PATCH 006/141] Macros: update headers Signed-off-by: Tuomo Soini --- docs/Macros.xml | 128 +++++++++++++++++++++++++----------------------- 1 file changed, 67 insertions(+), 61 deletions(-) diff --git a/docs/Macros.xml b/docs/Macros.xml index 852cc0aa7..ce88c055e 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml 
@@ -78,19 +78,20 @@ macro. # -# Shorewall 3.0 /usr/share/shorewall/macro.SMB +# Shorewall -- /usr/share/shorewall/macro.SMB # -# Handle Microsoft SMB traffic. You need to invoke this macro in -# both directions. +# This macro handles Microsoft SMB traffic. You need to invoke +# this macro in both directions. Beware! This rule opens a lot +# of ports, and could possibly be used to compromise your firewall +# if not used with care. You should only allow SMB traffic +# between hosts you fully trust. # ###################################################################################### -#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ -# PORT PORT(S) LIMIT GROUP -PARAM - - udp 135,445 -PARAM - - udp 137:139 -PARAM - - udp 1024: 137 -PARAM - - tcp 135,139,445 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER +PARAM - - udp 135,445 +PARAM - - udp 137:139 +PARAM - - udp 1024: 137 +PARAM - - tcp 135,139,445 If you wish to modify one of the standard macros, do not modify the definition in /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) -SMB(ACCEPT) loc fw + #ACTION SOURCE DEST PROTO DPORT + +SMB(ACCEPT) loc $FW The above is equivalent to coding the following series of rules: - #TARGET SOURCE DEST PROTO DEST PORT(s) -ACCEPT loc fw udp 135,445 -ACCEPT loc fw udp 137:139 -ACCEPT loc fw udp 1024: 137 -ACCEPT loc fw tcp 135,139,445 + #ACTION SOURCE DEST PROTO DPORT SPORT + +ACCEPT loc $FW udp 135,445 +ACCEPT loc $FW udp 137:139 +ACCEPT loc $FW udp 1024: 137 +ACCEPT loc $FW tcp 135,139,445 Logging is covered in a following @@ -154,24 +157,24 @@ ACCEPT loc fw tcp 135,139,445
/etc/shorewall/macro.SMTP - #TARGET SOURCE DEST PROTO DEST PORT(S) -PARAM - loc tcp 25 + #ACTION SOURCE DEST PROTO DPORT +PARAM - loc tcp 25 /etc/shorewall/rules (Shorewall 4.0): - #ACTION SOURCE DEST PROTO DEST PORT(S) -SMTP(DNAT):info net 192.168.1.5 + #ACTION SOURCE DEST PROTO DPORT +SMTP(DNAT):info net 192.168.1.5 /etc/shorewall/rules (Shorewall 4.2.0 and later): - #ACTION SOURCE DEST PROTO DEST PORT(S) -SMTP(DNAT):info net 192.168.1.5 + #ACTION SOURCE DEST PROTO DPORT +SMTP(DNAT):info net 192.168.1.5 This would be equivalent to coding the following directly in /etc/shorewall/rules - #ACTION SOURCE DEST PROTO DEST PORT(S) -DNAT:info net loc:192.168.1.5 tcp 25 + #ACTION SOURCE DEST PROTO DPORT +DNAT:info net loc:192.168.1.5 tcp 25
Example 2: @@ -179,19 +182,20 @@ DNAT:info net loc:192.168.1.5 tcp 25
/etc/shorewall/macro.SMTP - #TARGET SOURCE DEST PROTO DEST PORT(S) -PARAM - 192.168.1.5 tcp 25 + +#ACTION SOURCE DEST PROTO DPORT +PARAM - 192.168.1.5 tcp 25 /etc/shorewall/rules - #ACTION SOURCE DEST PROTO DEST PORT(S) -SMTP(DNAT):info net loc + #ACTION SOURCE DEST PROTO DPORT +SMTP(DNAT):info net loc This would be equivalent to coding the following directly in /etc/shorewall/rules - #ACTION SOURCE DEST PROTO DEST PORT(S) -DNAT:info net loc:192.168.1.5 tcp 25 + #ACTION SOURCE DEST PROTO DPORT +DNAT:info net loc:192.168.1.5 tcp 25
You may also specify SOURCE or DEST in the SOURCE and DEST @@ -205,8 +209,7 @@ DNAT:info net loc:192.168.1.5 tcp 25 is already a standard macro like this released as part of Shorewall): - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# PORT PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER PARAM - - udp 135,445 PARAM - - udp 137:139 PARAM - - udp 1024: 137 @@ -214,26 +217,28 @@ PARAM - - tcp 135,139,445 PARAM DEST SOURCE udp 135,445 PARAM DEST SOURCE udp 137:139 PARAM DEST SOURCE udp 1024: 137 -PARAM DEST SOURCE tcp 135,139,445 -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +PARAM DEST SOURCE tcp 135,139,445 /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) -SMBBI(ACCEPT) loc fw + #ACTION SOURCE DEST PROTO DPORT + +SMBBI(ACCEPT) loc $FW This would be equivalent to coding the following directly in /etc/shorewall/rules - #ACTION SOURCE DEST PROTO DEST PORT(S) -ACCEPT loc fw udp 135,445 -ACCEPT loc fw udp 137:139 -ACCEPT loc fw udp 1024: 137 -ACCEPT loc fw tcp 135,139,445 -ACCEPT fw loc udp 135,445 -ACCEPT fw loc udp 137:139 -ACCEPT fw loc udp 1024: 137 -ACCEPT fw loc tcp 135,139,445 + #ACTION SOURCE DEST PROTO DPORT SPORT + +ACCEPT loc $FW udp 135,445 +ACCEPT loc $FW udp 137:139 +ACCEPT loc $FW udp 1024: 137 +ACCEPT loc $FW tcp 135,139,445 + +ACCEPT $FW loc udp 135,445 +ACCEPT $FW loc udp 137:139 +ACCEPT $FW loc udp 1024: 137 +ACCEPT $FW loc tcp 135,139,445 @@ -696,7 +701,7 @@ ACCEPT fw loc tcp 135,139,445 Omitted column entries should be entered using a dash - ("-:). + ("-").
Example: @@ -706,8 +711,9 @@ ACCEPT fw loc tcp 135,139,445 To use your macro, in /etc/shorewall/rules you might do something like: - #ACTION SOURCE DEST PROTO DEST PORT(S) -LogAndAccept loc $FW tcp 22 + #ACTION SOURCE DEST PROTO DPORT + +LogAndAccept loc $FW tcp 22 @@ -731,20 +737,20 @@ LogAndAccept loc $FW tcp 22 /etc/shorewall/macro.foo - #ACTION SOURCE DEST PROTO DEST PORT(S) -ACCEPT - - tcp 22 + #ACTION SOURCE DEST PROTO DPORT +ACCEPT - - tcp 22 bar:info /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) -foo:debug $FW net + #ACTION SOURCE DEST PROTO DPORT +foo:debug $FW net Logging in the invoked 'foo' macro will be as if foo had been defined as: - #ACTION SOURCE DEST PROTO DEST PORT(S) -ACCEPT:debug - - tcp 22 + #ACTION SOURCE DEST PROTO DPORT +ACCEPT:debug - - tcp 22 bar:info @@ -756,20 +762,20 @@ bar:info /etc/shorewall/macro.foo - #ACTION SOURCE DEST PROTO DEST PORT(S) -ACCEPT - - tcp 22 + #ACTION SOURCE DEST PROTO DPORT +ACCEPT - - tcp 22 bar:info /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) -foo:debug! $FW net + #ACTION SOURCE DEST PROTO DPORT +foo:debug! $FW net Logging in the invoked 'foo' macro will be as if foo had been defined as: - #ACTION SOURCE DEST PROTO DEST PORT(S) -ACCEPT:debug - - tcp 22 + #ACTION SOURCE DEST PROTO DPORT +ACCEPT:debug - - tcp 22 bar:debug From 7b4c4fb30db1b047bb352a7b424d12e43701a723 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:19:11 +0200 Subject: [PATCH 007/141] macro.MSA: Add as alias for Submission Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.MSA | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 Shorewall/Macros/macro.MSA diff --git a/Shorewall/Macros/macro.MSA b/Shorewall/Macros/macro.MSA new file mode 100644 index 000000000..68216d7ac --- /dev/null +++ b/Shorewall/Macros/macro.MSA 
@@ -0,0 +1,9 @@ +# +# Shorewall -- /usr/share/shorewall/macro.MSA +# +# This macro handles mail message submission agent (MSA) traffic. +# +############################################################################### +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + +PARAM - - tcp 587 From 4a3e168476273d5a0fdf7a16ee827f937f5194b3 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 008/141] macro.A_AllowICMPs: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.A_AllowICMPs | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.A_AllowICMPs b/Shorewall/Macros/macro.A_AllowICMPs index 54064650c..76ac07465 100644 --- a/Shorewall/Macros/macro.A_AllowICMPs +++ b/Shorewall/Macros/macro.A_AllowICMPs @@ -1,13 +1,10 @@ # -# Shorewall - Audited AllowICMPs Macro +# Shorewall -- /usr/share/shorewall/macro.A_AllowICMPs # -# /usr/share/shorewall/macro.A_AllowICMPs -# -# This macro A_ACCEPTs needed ICMP types +# This macro audits and accepts needed ICMP types. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE ?COMMENT Needed ICMP types From a883a0720cf3248d003d3a7d016ffc24835901b6 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 009/141] macro.ActiveDir: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.ActiveDir | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/Shorewall/Macros/macro.ActiveDir b/Shorewall/Macros/macro.ActiveDir index 63bbc4573..08ce8ac26 100644 --- a/Shorewall/Macros/macro.ActiveDir +++ b/Shorewall/Macros/macro.ActiveDir 
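Review bot: The header of the new macro.MSA never says that it is an alias for the Submission macro, although that is the purpose given in the commit subject; a reader of the installed file sees only "mail message submission agent (MSA) traffic". I would add a line below the description such as `# This macro is an alias for the Submission macro (tcp 587).` The rule `PARAM - - tcp 587` is presumably duplicated from macro.Submission, which is not visible here, so the two files can drift apart if only one is edited later.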
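Review bot: The rewritten column header in macro.A_AllowICMPs stops at RATE and omits the USER column that the other macro headers visible in this series carry. The header is only a comment, but it is what an administrator aligns rule columns against when editing a copy, so it should read `#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER`. The macro's rule lines lie outside this hunk.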
@@ -1,16 +1,13 @@ # -# Shorewall - Samba 4 Macro -# -# /usr/share/shorewall/macro.ActiveDir -# -# This macro handles ports for Samba 4 Active Directory Service -# -# You can comment out the ports you do not want open +# Shorewall -- /usr/share/shorewall/macro.ActiveDir # +# This macro handles ports for Samba 4 Active Directory Service. +# You can copy this file to /etc/shorewall[6]/ and comment out the ports you +# do not want open. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 389 #LDAP services PARAM - - udp 389 PARAM - - tcp 636 #LDAP SSL From e4a4fb25f1968f71a87b8b2f0031685e0e959d5e Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 010/141] macro.A_DropDNSrep: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.A_DropDNSrep | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.A_DropDNSrep b/Shorewall/Macros/macro.A_DropDNSrep index 59b74c540..ffd117641 100644 --- a/Shorewall/Macros/macro.A_DropDNSrep +++ b/Shorewall/Macros/macro.A_DropDNSrep @@ -1,13 +1,10 @@ # -# Shorewall - Audited DropDNSrep Macro +# Shorewall -- /usr/share/shorewall/macro.A_DropDNSrep # -# /usr/share/shorewall/macro.A_DropDNSrep -# -# This macro silently audites and drops DNS UDP replies +# This macro audits and drops DNS UDP replies. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?COMMENT Late DNS Replies From bc34b4990598772b78ba89bc870aaa7f7a491d1a Mon Sep 17 00:00:00 2001 
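Review bot: The new description in macro.ActiveDir tells administrators to copy the file to /etc/shorewall[6]/ and comment out ports, but it does not say that the local copy then stands in for the packaged macro. If the /etc copy is preferred on the configuration search path, as is presumably the case, later corrections to /usr/share/shorewall/macro.ActiveDir will not reach hosts that made a copy. A sentence such as `# A local copy overrides this file and must be maintained by hand.` would cover this. The list of PARAM rules continues outside the hunk.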
From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 011/141] macro.A_DropUPnP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.A_DropUPnP | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.A_DropUPnP b/Shorewall/Macros/macro.A_DropUPnP index e200d61fd..61bfd674d 100644 --- a/Shorewall/Macros/macro.A_DropUPnP +++ b/Shorewall/Macros/macro.A_DropUPnP @@ -1,13 +1,10 @@ # -# Shorewall - ADropUPnP Macro +# Shorewall -- /usr/share/shorewall/macro.A_DropUPnP # -# /usr/share/shorewall/macro.A_DropUPnP -# -# This macro silently drops UPnP probes on UDP port 1900 +# This macro audits and drops UPnP probes on UDP port 1900. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?COMMENT UPnP From 538600d38928ef2f1f598a34492aeb3b05c2e1e3 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 012/141] macro.AllowICMPs: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.AllowICMPs | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.AllowICMPs b/Shorewall/Macros/macro.AllowICMPs index febb685bd..4b56bf3dc 100644 --- a/Shorewall/Macros/macro.AllowICMPs +++ b/Shorewall/Macros/macro.AllowICMPs @@ -1,13 +1,10 @@ # -# Shorewall - AllowICMPs Macro +# Shorewall -- /usr/share/shorewall/macro.AllowICMPs # -# /usr/share/shorewall/macro.AllowICMPs -# -# This macro ACCEPTs needed ICMP types +# This macro ACCEPTs needed ICMP types. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?COMMENT Needed ICMP types 
From 6888195ce6d80d7a8dfd1134a901380acb346523 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 013/141] macro.Amanda: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Amanda | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/Shorewall/Macros/macro.Amanda b/Shorewall/Macros/macro.Amanda index f0d280d58..c72e67cfc 100644 --- a/Shorewall/Macros/macro.Amanda +++ b/Shorewall/Macros/macro.Amanda @@ -1,15 +1,12 @@ # -# Shorewall - Amanda Macro +# Shorewall -- /usr/share/shorewall/macro.Amanda # -# /usr/share/shorewall/macro.Amanda -# -# This macro handles connections required by the AMANDA backup system -# to back up remote nodes. It does not provide the ability to restore -# files from those nodes. +# This macro handles connections required by the AMANDA backup system +# to back up remote nodes. It does not provide the ability to restore +# files from those nodes. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER ) PARAM - - udp 10080 { helper=amanda } From 84caee9a3e5ba21f51a768bf5cb6edcfb443c555 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 014/141] macro.AMQP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.AMQP | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.AMQP b/Shorewall/Macros/macro.AMQP index 51ab98d1f..1a10938ef 100644 --- a/Shorewall/Macros/macro.AMQP +++ b/Shorewall/Macros/macro.AMQP 
@@ -1,12 +1,10 @@ # -# Shorewall - AMQP Macro +# Shorewall -- /usr/share/shorewall/macro.AMQP # -# /usr/share/shorewall/macro.AMQP -# -# This macro handles AMQP traffic. +# This macro handles AMQP traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 5672 PARAM - - udp 5672 From 2cea1627134e2257c1c5ac07c00cdee70e2f503c Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 015/141] macro.Auth: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Auth | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Auth b/Shorewall/Macros/macro.Auth index 4d9a92674..ad7bfeb2c 100644 --- a/Shorewall/Macros/macro.Auth +++ b/Shorewall/Macros/macro.Auth @@ -1,11 +1,9 @@ # -# Shorewall - Auth Macro +# Shorewall -- /usr/share/shorewall/macro.Auth # -# /usr/share/shorewall/macro.Auth -# -# This macro handles Auth (identd) traffic. +# This macro handles Auth (identd) traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 113 From 016978eab5f142a23260988288c9a78359a63fcf Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 016/141] macro.BGP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.BGP | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.BGP b/Shorewall/Macros/macro.BGP index b3ad3b6e8..552ed5d98 100644 --- a/Shorewall/Macros/macro.BGP +++ b/Shorewall/Macros/macro.BGP 
@@ -1,11 +1,9 @@ # -# Shorewall - BGP Macro +# Shorewall -- /usr/share/shorewall/macro.BGP # -# /usr/share/shorewall/macro.BGP -# -# This macro handles BGP4 traffic. +# This macro handles BGP4 traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 179 # BGP4 From 231b12b52088f0e92b77d49a44a94a461a0f4092 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 017/141] macro.BitTorrent: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.BitTorrent | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/Shorewall/Macros/macro.BitTorrent b/Shorewall/Macros/macro.BitTorrent index 815bd2781..f68c78b6d 100644 --- a/Shorewall/Macros/macro.BitTorrent +++ b/Shorewall/Macros/macro.BitTorrent @@ -1,19 +1,16 @@ # -# Shorewall - BitTorrent Macro +# Shorewall -- /usr/share/shorewall/macro.BitTorrent # -# /usr/share/shorewall/macro.BitTorrent +# This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier. # -# This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier. -# -# If you are running BitTorrent 3.2 or later, you should use the -# BitTorrent32 macro. +# If you are running BitTorrent 3.2 or later, you should use the +# BitTorrent32 macro. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 6881:6889 # # It may also be necessary to allow UDP traffic: # PARAM - - udp 6881 -# From 5075e298dcb24ce037ad807134b2e8e193f3ece1 Mon Sep 17 00:00:00 2001 
From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 018/141] macro.BitTorrent32: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.BitTorrent32 | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.BitTorrent32 b/Shorewall/Macros/macro.BitTorrent32 index 94bd8fcda..c75de2120 100644 --- a/Shorewall/Macros/macro.BitTorrent32 +++ b/Shorewall/Macros/macro.BitTorrent32 @@ -1,16 +1,13 @@ # -# Shorewall - BitTorrent 3.2 Macro +# Shorewall -- /usr/share/shorewall/macro.BitTorrent32 # -# /usr/share/shorewall/macro.BitTorrent32 -# -# This macro handles BitTorrent traffic for BitTorrent 3.2 and later. +# This macro handles BitTorrent traffic for BitTorrent 3.2 and later. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 6881:6999 # # It may also be necessary to allow UDP traffic: # PARAM - - udp 6881 -# From af1d90368ebbecd8a69d682479c5129cfbccca25 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 019/141] macro.BLACKLIST: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.BLACKLIST | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.BLACKLIST b/Shorewall/Macros/macro.BLACKLIST index 48364c089..9c45d98f0 100644 --- a/Shorewall/Macros/macro.BLACKLIST +++ b/Shorewall/Macros/macro.BLACKLIST 
@@ -1,13 +1,11 @@ # -# Shorewall - blacklist Macro +# Shorewall -- /usr/share/shorewall/macro.blacklist # -# /usr/share/shorewall/macro.blacklist -# -# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL +# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + ?if $BLACKLIST_LOGLEVEL blacklog ?else From 3ac875a66cce998eb7a34e0957125d00b3a3b193 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 020/141] macro.Citrix: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Citrix | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.Citrix b/Shorewall/Macros/macro.Citrix index 8e6c9b3ef..2c75e85fd 100644 --- a/Shorewall/Macros/macro.Citrix +++ b/Shorewall/Macros/macro.Citrix @@ -1,14 +1,12 @@ # -# Shorewall - Citrix/ICA Macro +# Shorewall -- /usr/share/shorewall/macro.Citrix # -# /usr/share/shorewall/macro.Citrix -# -# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. -# ICA Session Reliability) +# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. +# ICA Session Reliability) # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 1494 # ICA PARAM - - udp 1604 # ICA Browser PARAM - - tcp 2598 # CGP Session Reliabilty From ff5c3eba5a5243fdf0db94079bd6b7b3da76f948 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 021/141] macro.CVS: update macro header and description 
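Review bot: The new first comment line in macro.BLACKLIST still names `/usr/share/shorewall/macro.blacklist`, while the file being patched is `Shorewall/Macros/macro.BLACKLIST`. Assuming the macro is installed under its repository name, that lowercase path does not exist on a case-sensitive filesystem. Since the commit rewrites this line anyway, it should read `# Shorewall -- /usr/share/shorewall/macro.BLACKLIST`. The macro body, starting at `?if $BLACKLIST_LOGLEVEL`, continues outside the hunk.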
Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.CVS | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.CVS b/Shorewall/Macros/macro.CVS index 63d4f596a..33c55b7dd 100644 --- a/Shorewall/Macros/macro.CVS +++ b/Shorewall/Macros/macro.CVS @@ -1,11 +1,9 @@ # -# Shorewall - CVS Macro +# Shorewall -- /usr/share/shorewall/macro.CVS # -# /usr/share/shorewall/macro.CVS -# -# This macro handles connections to the CVS pserver. +# This macro handles connections to the CVS pserver. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 2401 From f09d93a5a6f5df42e01e281c18a82d67484b2521 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 022/141] macro.DAAP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.DAAP | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.DAAP b/Shorewall/Macros/macro.DAAP index e17c2f48b..38f4c1b92 100644 --- a/Shorewall/Macros/macro.DAAP +++ b/Shorewall/Macros/macro.DAAP @@ -1,13 +1,11 @@ # -# Shorewall - DAAP Macro +# Shorewall -- /usr/share/shorewall/macro.DAAP # -# /usr/share/shorewall/macro.DAAP -# -# This macro handles DAAP (Digital Audio Access Protocol) traffic. -# The protocol is used by iTunes, Rythmbox and other similar daemons. +# This macro handles DAAP (Digital Audio Access Protocol) traffic. +# The protocol is used by iTunes, Rythmbox and other similar daemons. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 3689 PARAM - - udp 3689 
From 848cb5954df42f03659c7e45f782bd87eb82959a Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 023/141] macro.DCC: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.DCC | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.DCC b/Shorewall/Macros/macro.DCC index 470785e5d..fc414911d 100644 --- a/Shorewall/Macros/macro.DCC +++ b/Shorewall/Macros/macro.DCC @@ -1,12 +1,10 @@ # -# Shorewall - DCC Macro +# Shorewall -- /usr/share/shorewall/macro.DCC # -# /usr/share/shorewall/macro.DCC -# -# This macro handles DCC (Distributed Checksum Clearinghouse) traffic. -# DCC is a distributed spam filtering mechanism. +# This macro handles DCC (Distributed Checksum Clearinghouse) traffic. +# DCC is a distributed spam filtering mechanism. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 6277 From a881d663be609180c259fac6cf9302e2cccaaa7e Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 024/141] macro.DHCPfwd: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.DHCPfwd | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.DHCPfwd b/Shorewall/Macros/macro.DHCPfwd index 62b194fdd..e363f19c5 100644 --- a/Shorewall/Macros/macro.DHCPfwd +++ b/Shorewall/Macros/macro.DHCPfwd 
@@ -1,12 +1,10 @@ # -# Shorewall - DHCPfwd Macro +# Shorewall -- /usr/share/shorewall/macro.DHCPfwd # -# /usr/share/shorewall/macro.DHCPfwd -# -# This macro (bidirectional) handles forwarded DHCP traffic +# This macro (bidirectional) handles forwarded DHCP traffic # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 67:68 67:68 # DHCP PARAM DEST SOURCE udp 67:68 67:68 # DHCP From 934fa782285dacbf5bc1e7d6663763bad4cd1d4b Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 025/141] macro.Distcc: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Distcc | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Distcc b/Shorewall/Macros/macro.Distcc index 6f930c7c6..26099a499 100644 --- a/Shorewall/Macros/macro.Distcc +++ b/Shorewall/Macros/macro.Distcc @@ -1,11 +1,9 @@ # -# Shorewall - Distcc Macro +# Shorewall -- /usr/share/shorewall/macro.Distcc # -# /usr/share/shorewall/macro.Distcc -# -# This macro handles connections to the Distributed Compiler service. +# This macro handles connections to the Distributed Compiler service. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 3632 From 8bb0fd93dfe5970bcd9448ee0615efc232b70e17 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 026/141] macro.DNS: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.DNS | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
diff --git a/Shorewall/Macros/macro.DNS b/Shorewall/Macros/macro.DNS index defd35e61..e89f7157c 100644 --- a/Shorewall/Macros/macro.DNS +++ b/Shorewall/Macros/macro.DNS @@ -1,12 +1,10 @@ # -# Shorewall - DNS Macro +# Shorewall -- /usr/share/shorewall/macro.DNS # -# /usr/share/shorewall/macro.DNS -# -# This macro handles DNS traffic. +# This macro handles DNS traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 53 PARAM - - tcp 53 From 71df5b504278b706a6c0024b22d4a1007d3d83ba Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 027/141] macro.Drop: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Drop | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/Shorewall/Macros/macro.Drop b/Shorewall/Macros/macro.Drop index af5053706..c45b69ad4 100644 --- a/Shorewall/Macros/macro.Drop +++ b/Shorewall/Macros/macro.Drop @@ -1,18 +1,15 @@ # -# Shorewall - Drop Macro +# Shorewall -- /usr/share/shorewall/macro.Drop # -# /usr/share/shorewall/macro.Drop +# This macro generates the same rules as the Drop default action +# It is used in place of action.Drop when USE_ACTIONS=No. # -# This macro generates the same rules as the Drop default action -# It is used in place of action.Drop when USE_ACTIONS=No. +# Example: # -# Example: -# -# Drop net all +# Drop net all # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER # # Don't log 'auth' DROP # From c0d1cbd4ca9b474ccd28efaf6a412c315ef3d263 Mon Sep 17 00:00:00 2001 
From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 028/141] macro.DropDNSrep: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.DropDNSrep | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.DropDNSrep b/Shorewall/Macros/macro.DropDNSrep index c242a42f7..837ad060b 100644 --- a/Shorewall/Macros/macro.DropDNSrep +++ b/Shorewall/Macros/macro.DropDNSrep @@ -1,13 +1,10 @@ # -# Shorewall - DropDNSrep Macro +# Shorewall -- /usr/share/shorewall/macro.DropDNSrep # -# /usr/share/shorewall/macro.DropDNSrep -# -# This macro silently drops DNS UDP replies +# This macro silently drops DNS UDP replies # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?COMMENT Late DNS Replies From a12225047cf3cdc32a5e2470c5f034b29648ee9a Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 029/141] macro.DropUPnP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.DropUPnP | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.DropUPnP b/Shorewall/Macros/macro.DropUPnP index 70b21acb5..36777abf8 100644 --- a/Shorewall/Macros/macro.DropUPnP +++ b/Shorewall/Macros/macro.DropUPnP @@ -1,13 +1,10 @@ # -# Shorewall - DropUPnP Macro +# Shorewall -- /usr/share/shorewall/macro.DropUPnP # -# /usr/share/shorewall/macro.DropUPnP -# -# This macro silently drops UPnP probes on UDP port 1900 +# This macro silently drops UPnP probes on UDP port 1900 # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?COMMENT UPnP 
From 2622489f3608da5f6add2eec3ee1699296c4bf0f Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 030/141] macro.Edonkey: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Edonkey | 37 ++++++++++++++++------------------ 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/Shorewall/Macros/macro.Edonkey b/Shorewall/Macros/macro.Edonkey index 4f6fbe3a9..34ed32634 100644 --- a/Shorewall/Macros/macro.Edonkey +++ b/Shorewall/Macros/macro.Edonkey 
@@ -1,34 +1,31 @@ # -# Shorewall - Edonkey Macro +# Shorewall -- /usr/share/shorewall/macro.Edonkey # -# /usr/share/shorewall/macro.Edonkey +# This macro handles Edonkey traffic. # -# This macro handles Edonkey traffic. +# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm +# says to use udp 5737 rather than 4665. # +# http://www.amule.org/wiki/index.php/FAQ_ed2k says this: # -# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm -# says to use udp 5737 rather than 4665. +# 4661 TCP (outgoing) Port, on which a server listens for connection +# (defined by server). # -# http://www.amule.org/wiki/index.php/FAQ_ed2k says this: +# 4665 UDP (outgoing) used for global server searches and global source +# queries. This is always Server TCP port (in this case 4661) + 4. # -# 4661 TCP (outgoing) Port, on which a server listens for connection -# (defined by server). +# 4662 TCP (outgoing and incoming) Client to client transfers. # -# 4665 UDP (outgoing) used for global server searches and global source -# queries. This is always Server TCP port (in this case 4661) + 4. +# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue +# Rating, File Reask Ping # -# 4662 TCP (outgoing and incoming) Client to client transfers. +# 4711 TCP WebServer listening port. # -# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue -# Rating, File Reask Ping -# -# 4711 TCP WebServer listening port. -# -# 4712 TCP External Connection port. Used to communicate aMule with other -# applications such as aMule WebServer or aMuleCMD. +# 4712 TCP External Connection port. Used to communicate aMule with other +# applications such as aMule WebServer or aMuleCMD. 
# ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 4662 PARAM - - udp 4665 From 26d1896d8193b7614421c3dc875f78ef3180bd7d Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 031/141] macro.Finger: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Finger | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.Finger b/Shorewall/Macros/macro.Finger index 9c47bbcbf..e56b608e5 100644 --- a/Shorewall/Macros/macro.Finger +++ b/Shorewall/Macros/macro.Finger @@ -1,12 +1,10 @@ # -# Shorewall - Finger Macro +# Shorewall -- /usr/share/shorewall/macro.Finger # -# /usr/share/shorewall/macro.Finger -# -# This macro handles Finger protocol. You should not generally open -# your finger information to internet. +# This macro handles Finger protocol. +# You should not generally open your finger information to internet. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 79 From 5985ab2f883d104f0df0b208dbd89dd017ed4cbc Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 032/141] macro.FTP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.FTP | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.FTP b/Shorewall/Macros/macro.FTP index 1bbcabf08..beda60025 100644 --- a/Shorewall/Macros/macro.FTP +++ b/Shorewall/Macros/macro.FTP 
@@ -1,13 +1,11 @@ # -# Shorewall - FTP Macro +# Shorewall -- /usr/share/shorewall/macro.FTP # -# /usr/share/shorewall/macro.FTP -# -# This macro handles FTP traffic. +# This macro handles FTP traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER ) PARAM - - tcp 21 { helper=ftp } ?else From 77a1d0343540d7330999dabaa04ac8b8b5afc30e Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 033/141] macro.Git: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Git | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Git b/Shorewall/Macros/macro.Git index 45fc4af86..84df68448 100644 --- a/Shorewall/Macros/macro.Git +++ b/Shorewall/Macros/macro.Git @@ -1,11 +1,9 @@ # -# Shorewall - Git Macro +# Shorewall -- /usr/share/shorewall/macro.Git # -# /usr/share/shorewall/macro.Git -# -# This macro handles Git traffic. +# This macro handles Git traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 9418 From 3b039c0cf0a5c7996415723d598bc2a4733e37d8 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 034/141] macro.GNUnet: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.GNUnet | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.GNUnet b/Shorewall/Macros/macro.GNUnet index e55c84591..18308de30 100644 --- a/Shorewall/Macros/macro.GNUnet +++ b/Shorewall/Macros/macro.GNUnet 
@@ -1,13 +1,11 @@ # -# Shorewall - GNUnet Macro +# Shorewall -- /usr/share/shorewall/macro.GNUnet # -# /usr/share/shorewall/macro.GNUnet -# -# This macro handles GNUnet (secure peer-to-peer networking) traffic. +# This macro handles GNUnet (secure peer-to-peer networking) traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 2086 PARAM - - udp 2086 PARAM - - tcp 1080 From 536b5c4cfcdefe0251ef3199d25d620e49a15427 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 035/141] macro.Gnutella: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Gnutella | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Gnutella b/Shorewall/Macros/macro.Gnutella index da323c05c..1497f7c91 100644 --- a/Shorewall/Macros/macro.Gnutella +++ b/Shorewall/Macros/macro.Gnutella @@ -1,12 +1,10 @@ # -# Shorewall - Gnutella Macro +# Shorewall -- /usr/share/shorewall/macro.Gnutella # -# /usr/share/shorewall/macro.Gnutella -# -# This macro handles Gnutella traffic. +# This macro handles Gnutella traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 6346 PARAM - - udp 6346 From 6a73b5bc87d99a978ccd8fd14c5c5106da44b33d Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 036/141] macro.Goto-Meeting: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Goto-Meeting | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) 
diff --git a/Shorewall/Macros/macro.Goto-Meeting b/Shorewall/Macros/macro.Goto-Meeting index 7a92cb124..950d63a27 100644 --- a/Shorewall/Macros/macro.Goto-Meeting +++ b/Shorewall/Macros/macro.Goto-Meeting @@ -1,12 +1,11 @@ # -# Shorewall - Citrix/Goto Meeting macro +# Shorewall -- /usr/share/shorewall/macro.Goto-Meeting # -# /usr/share/shorewall/macro.Goto-Meeting -# by Eric Teeter -# This macro handles Citrix/Goto Meeting -# Assumes that ports 80 and 443 are already open -# If needed, use the macros that open Http and Https to reduce redundancy -#################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP -PARAM - - tcp 8200 # Goto Meeting only needed (TCP outbound) +# This macro handles Citrix/Goto Meeting. +# +############################################################################### +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + +PARAM - - tcp 8200 # Goto Meeting only needed outbound +HTTP +HTTPS From 336518e24ba49848d93fb227b390a1eff58a7688 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 037/141] macro.GRE: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.GRE | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.GRE b/Shorewall/Macros/macro.GRE index bbf24ed13..5515a7be6 100644 --- a/Shorewall/Macros/macro.GRE +++ b/Shorewall/Macros/macro.GRE 
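Review bot: The added `HTTP` and `HTTPS` lines at the end of macro.Goto-Meeting change the generated ruleset, although the commit is titled as a header and description update. The removed comment said the macro assumed ports 80 and 443 were already open; with the new lines, a rule that invokes Goto-Meeting presumably also applies its action to tcp 80 and 443, which widens what an ACCEPT rule lets through. I would move that change into its own commit, or at least add a header comment such as `# Also invokes the HTTP and HTTPS macros (tcp 80 and 443).` so that someone auditing the rules sees the extra ports. The `by Eric Teeter` attribution is removed as well, without mention in the commit message.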
@@ -1,13 +1,10 @@ # -# Shorewall - GRE Macro +# Shorewall -- /usr/share/shorewall/macro.GRE # -# /usr/share/shorewall/macro.GRE -# -# This macro (bi-directional) handles Generic Routing Encapsulation -# traffic (RFC 1701) +# This macro (bidirectional) handles Generic Routing Encapsulation (GRE). # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - 47 # GRE PARAM DEST SOURCE 47 # GRE From 696996c8de6ff86ee745c45a5890fbf628658d9b Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 038/141] macro.HKP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.HKP | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.HKP b/Shorewall/Macros/macro.HKP index b9eafa246..fe491991b 100644 --- a/Shorewall/Macros/macro.HKP +++ b/Shorewall/Macros/macro.HKP @@ -1,11 +1,9 @@ # -# Shorewall - HKP Macro +# Shorewall -- /usr/share/shorewall/macro.HKP # -# /usr/share/shorewall/macro.HKP -# -# This macro handles OpenPGP HTTP keyserver protocol traffic. +# This macro handles OpenPGP HTTP keyserver protocol traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 11371 From 4289d0a2c09ddcb0889089f84c5cf663efe33f1b Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:38 +0200 Subject: [PATCH 039/141] macro.HTTP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.HTTP | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
diff --git a/Shorewall/Macros/macro.HTTP b/Shorewall/Macros/macro.HTTP index 1f8d3278a..a83b0a0d8 100644 --- a/Shorewall/Macros/macro.HTTP +++ b/Shorewall/Macros/macro.HTTP @@ -1,11 +1,9 @@ # -# Shorewall - HTTP Macro +# Shorewall -- /usr/share/shorewall/macro.HTTP # -# /usr/share/shorewall/macro.HTTP -# -# This macro handles plaintext HTTP (WWW) traffic. +# This macro handles plaintext HTTP (WWW) traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 80 From e4982e691925bf58a3c4b8a62835a408226bd493 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 040/141] macro.HTTPS: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.HTTPS | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.HTTPS b/Shorewall/Macros/macro.HTTPS index 2e7e4653e..256825a66 100644 --- a/Shorewall/Macros/macro.HTTPS +++ b/Shorewall/Macros/macro.HTTPS @@ -1,11 +1,9 @@ # -# Shorewall - HTTPS Macro +# Shorewall -- /usr/share/shorewall/macro.HTTPS # -# /usr/share/shorewall/macro.HTTPS -# -# This macro handles HTTPS (WWW over SSL) traffic. +# This macro handles HTTPS (WWW over TLS) traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 443 From f516a07f08772c17a5233163253ee1dbb049ed0a Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 041/141] macro.ICPV2: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.ICPV2 | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
diff --git a/Shorewall/Macros/macro.ICPV2 b/Shorewall/Macros/macro.ICPV2 index eebc622ec..118055386 100644 --- a/Shorewall/Macros/macro.ICPV2 +++ b/Shorewall/Macros/macro.ICPV2 @@ -1,11 +1,9 @@ # -# Shorewall - ICPV2 Macro +# Shorewall - /usr/share/shorewall/macro.ICPV2 # -# /usr/share/shorewall/macro.ICPV2 -# -# This macro handles Internet Cache Protocol V2 (Squid) traffic +# This macro handles Internet Cache Protocol V2 (Squid) traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 3130 From 89bf8332bed58c4b37dd8b401ff39f06c7249458 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 042/141] macro.ICQ: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.ICQ | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.ICQ b/Shorewall/Macros/macro.ICQ index 9b8c2efc1..eeb4ba2e2 100644 --- a/Shorewall/Macros/macro.ICQ +++ b/Shorewall/Macros/macro.ICQ @@ -1,11 +1,9 @@ # -# Shorewall - ICQ Macro +# Shorewall -- /usr/share/shorewall/macro.ICQ # -# /usr/share/shorewall/macro.ICQ -# -# This macro handles ICQ, now called AOL Instant Messenger (or AIM). +# This macro handles ICQ, now called AOL Instant Messenger (or AIM). # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 5190 From db62969526f93bfdef5188bc56d4af77b12bcc3b Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 043/141] macro.ILO: update macro header and description 
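Review bot: The new first header line of macro.ICPV2 uses a single dash, `# Shorewall - /usr/share/shorewall/macro.ICPV2`, while every other macro in this series uses the double-dash form. It should read `# Shorewall -- /usr/share/shorewall/macro.ICPV2` so the headers stay uniform. Any tooling that matches on the header pattern would otherwise skip this file, though no such tooling is visible here.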
Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.ILO | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/Shorewall/Macros/macro.ILO b/Shorewall/Macros/macro.ILO index e0a678803..0e6a47790 100644 --- a/Shorewall/Macros/macro.ILO +++ b/Shorewall/Macros/macro.ILO @@ -1,15 +1,13 @@ # -# Shorewall - ILO Macro +# Shorewall -- /usr/share/shorewall/macro.ILO # -# /usr/share/shorewall/macro.ILO -# -# This macro handles console redirection with HP ILO 2+, -# Use this macro to open access to your ILO interface from management -# workstations. +# This macro handles console redirection with HP ILO 2+, +# Use this macro to open access to your ILO interface from management +# workstations. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 3002 # Raw serial data PARAM - - tcp 9300 # Shared Remote Console PARAM - - tcp 17988 # Virtual Media From 4f36f961633bb684f6ffedd8de85978de9cc4818 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 044/141] macro.IMAP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IMAP | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.IMAP b/Shorewall/Macros/macro.IMAP index 0f58d30cf..87973fac2 100644 --- a/Shorewall/Macros/macro.IMAP +++ b/Shorewall/Macros/macro.IMAP 
@@ -1,12 +1,10 @@ # -# Shorewall - IMAP Macro +# Shorewall -- /usr/share/shorewall/macro.IMAP # -# /usr/share/shorewall/macro.IMAP -# -# This macro handles plaintext IMAP traffic. For encrypted IMAP, -# see macro.IMAPS. +# This macro handles plaintext and STARTTLS IMAP traffic. +# For SSL (TLS) IMAP, see macro.IMAPS. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 143 From ce2cf9e9f63e8d22bfe417ecb69e853792e44860 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 045/141] macro.IMAPS: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IMAPS | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.IMAPS b/Shorewall/Macros/macro.IMAPS index 5aa455829..d99b17d37 100644 --- a/Shorewall/Macros/macro.IMAPS +++ b/Shorewall/Macros/macro.IMAPS @@ -1,12 +1,11 @@ # -# Shorewall - IMAPS Macro +# Shorewall -- /usr/share/shorewall/macro.IMAPS # -# /usr/share/shorewall/macro.IMAPS -# -# This macro handles encrypted IMAP traffic. For plaintext IMAP -# (not recommended), see macro.IMAP. +# This macro handles SSL (TLS) IMAP traffic. +# For plaintext (not recommended) and STARTLS (recommended) IMAP see +# macro.IMAP. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 993 From 5496eacfa7fb09fb00dd7a73f044934f0e629ed4 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 046/141] macro.IPIP: update macro header and description 
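Review bot: The new description in macro.IMAPS misspells the protocol command as `STARTLS`; the macro.IMAP hunk just before it spells it `STARTTLS`. The line should read `# For plaintext (not recommended) and STARTTLS (recommended) IMAP see`. The two headers cross-reference each other, so the term should match in both.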
Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IPIP | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.IPIP b/Shorewall/Macros/macro.IPIP index 9a04a0819..6c010b18f 100644 --- a/Shorewall/Macros/macro.IPIP +++ b/Shorewall/Macros/macro.IPIP @@ -1,12 +1,10 @@ # -# Shorewall - IPIP Macro +# Shorewall -- /usr/share/shorewall/macro.IPIP # -# /usr/share/shorewall/macro.IPIP -# -# This macro (bidirectional) handles IPIP capsulation traffic +# This macro (bidirectional) handles IPIP capsulation traffic # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - 94 # IPIP PARAM DEST SOURCE 94 # IPIP From e49494bbe4dd2c705e767b25cd47dd30c73c70b0 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 047/141] macro.IPMI: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IPMI | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/Shorewall/Macros/macro.IPMI b/Shorewall/Macros/macro.IPMI index 631a5d905..9a1326285 100644 --- a/Shorewall/Macros/macro.IPMI +++ b/Shorewall/Macros/macro.IPMI 
@@ -1,16 +1,15 @@ # -# Shorewall - IPMI Macro +# Shorewall -- /usr/share/shorewall/macro.IPMI # -# /usr/share/shorewall/macro.IPMI -# -# This macro handles IPMI console redirection with Asus (AMI), -# Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI). -# Use this macro to open access to your IPMI interface from management -# workstations. +# This macro handles IPMI console redirection with RMCP protocol. +# Tested to work with with Asus (AMI), +# Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI). +# Use this macro to open access to your IPMI interface from management +# workstations. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 623 # RMCP PARAM - - tcp 3668,3669 # Virtual Media, Secure (Dell) PARAM - - tcp 5120,5123 # CD, floppy (Asus, Aten) From e08079cc1b80bcf34e13d2157f12c93cd71e8526 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 048/141] macro.IPP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IPP | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.IPP b/Shorewall/Macros/macro.IPP index a83e3a6a8..434e175ee 100644 --- a/Shorewall/Macros/macro.IPP +++ b/Shorewall/Macros/macro.IPP @@ -1,11 +1,9 @@ # -# Shorewall - IPP Macro +# Shorewall -- /usr/share/shorewall/macro.IPP # -# /usr/share/shorewall/macro.IPP -# -# This macro handles Internet Printing Protocol (IPP). +# This macro handles Internet Printing Protocol (IPP). # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 631 
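Review bot: The rewritten macro.IPMI description contains a doubled word in `# Tested to work with with Asus (AMI),`. It should read `# Tested to work with Asus (AMI),`. The sentence also breaks right after that comma while the following line is shorter; joining the vendor list onto fewer lines would read more cleanly.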
From 42438c817a7287214dc62fea99d76054a301355e Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 049/141] macro.IPPbrd: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IPPbrd | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/Shorewall/Macros/macro.IPPbrd b/Shorewall/Macros/macro.IPPbrd index 8ef7a80b8..aa9602a75 100644 --- a/Shorewall/Macros/macro.IPPbrd +++ b/Shorewall/Macros/macro.IPPbrd @@ -1,13 +1,11 @@ # -# Shorewall - IPP Broadcast Macro +# Shorewall -- /usr/share/shorewall/macro.IPPbrd # -# /usr/share/shorewall/macro.IPPbrd -# -# This macro handles Internet Printing Protocol (IPP) broadcasts. -# If you also need to handle TCP 631 connections in the opposite -# direction, use the IPPserver Macro +# This macro handles Internet Printing Protocol (IPP) broadcasts. +# If you also need to handle TCP 631 connections in the opposite +# direction, use the IPPserver Macro # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 631 From 9ce2df55d180c3d523b634ec28efb823d57acb29 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 050/141] macro.IPPserver: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IPPserver | 37 ++++++++++++++++---------------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/Shorewall/Macros/macro.IPPserver b/Shorewall/Macros/macro.IPPserver index 37a8485ae..595bac669 100644 --- a/Shorewall/Macros/macro.IPPserver +++ b/Shorewall/Macros/macro.IPPserver 
@@ -1,29 +1,28 @@ # -# Shorewall - IPPserver Macro +# Shorewall -- /usr/share/shorewall/macro.IPPserver # -# /usr/share/shorewall/macro.IPPserver +# This macro handles Internet Printing Protocol (IPP), indicating +# that DEST is a printing server for SOURCE. The macro allows +# print queue broadcasts from the server to the client, and +# printing connections from the client to the server. # -# This macro handles Internet Printing Protocol (IPP), indicating -# that DEST is a printing server for SOURCE. The macro allows -# print queue broadcasts from the server to the client, and -# printing connections from the client to the server. +# Example usage on a single-interface firewall which is a print client: # -# Example usage on a single-interface firewall which is a print -# client: -# IPPserver/ACCEPT $FW net +# IPPserver(ACCEPT) $FW net # -# Example for a two-interface firewall which acts as a print -# server for loc: -# IPPserver/ACCEPT loc $FW +# Example for a two-interface firewall which acts as a print server for loc: # -# NOTE: If you want both to serve requests for local printers and -# listen to requests for remote printers (i.e. your CUPS server is -# also a client), you need to apply the rule twice, e.g. -# IPPserver/ACCEPT loc $FW -# IPPserver/ACCEPT $FW loc +# IPPserver(ACCEPT) loc $FW +# +# NOTE: If you want both to serve requests for local printers and listen to +# requests for remote printers (i.e. your CUPS server is also a client), +# you need to apply the rule twice, e.g. +# +# IPPserver(ACCEPT) loc $FW +# IPPserver(ACCEPT) $FW loc # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM SOURCE DEST tcp 631 PARAM DEST SOURCE udp 631 From f7a9d7dc4db1ea7d550ac0a003a534bf7f3794a6 Mon Sep 17 00:00:00 2001 
From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 051/141] macro.IPsec: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IPsec | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.IPsec b/Shorewall/Macros/macro.IPsec index 31a10fc49..84d135800 100644 --- a/Shorewall/Macros/macro.IPsec +++ b/Shorewall/Macros/macro.IPsec @@ -1,13 +1,11 @@ # -# Shorewall - IPsec Macro +# Shorewall -- /usr/share/shorewall/macro.IPsec # -# /usr/share/shorewall/macro.IPsec -# -# This macro (bidirectional) handles IPsec traffic +# This macro (bidirectional) handles IPsec traffic # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 500 500 # IKE PARAM - - 50 # ESP PARAM DEST SOURCE udp 500 500 # IKE From 0718bebf6f5f490a58fe8cf0e66275e515fd92aa Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 052/141] macro.IPsecah: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IPsecah | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.IPsecah b/Shorewall/Macros/macro.IPsecah index 22a05e74b..475a3f4a7 100644 --- a/Shorewall/Macros/macro.IPsecah +++ b/Shorewall/Macros/macro.IPsecah 
@@ -1,14 +1,12 @@ # -# Shorewall - IPsecah Macro +# Shorewall -- /usr/share/shorewall/macro.IPsecah # -# /usr/share/shorewall/macro.IPsecah -# -# This macro (bidirectional) handles IPsec authentication (AH) traffic. -# This is insecure. You should use ESP with encryption for security. +# This macro (bidirectional) handles IPsec authentication (AH) traffic. +# This is insecure. You should use ESP with encryption for security. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 500 500 # IKE PARAM - - 51 # AH PARAM DEST SOURCE udp 500 500 # IKE From 8c9c96c8d78485cc06f4af78c63aa16a244278d9 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 053/141] macro.IPsecnat: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IPsecnat | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.IPsecnat b/Shorewall/Macros/macro.IPsecnat index 70bcfca2b..e351deaa6 100644 --- a/Shorewall/Macros/macro.IPsecnat +++ b/Shorewall/Macros/macro.IPsecnat @@ -1,13 +1,11 @@ # -# Shorewall - IPsecnat Macro +# Shorewall -- /usr/share/shorewall/macro.IPsecnat # -# /usr/share/shorewall/macro.IPsecnat -# -# This macro (bidirectional) handles IPsec traffic and Nat-Traversal +# This macro (bidirectional) handles IPsec traffic and Nat-Traversal # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 500 # IKE PARAM - - udp 4500 # NAT-T PARAM - - 50 # ESP From d890a840d43da11d9cc29cc3db4b614b9b338077 Mon Sep 17 00:00:00 2001 
From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 054/141] macro.IRC: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.IRC | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.IRC b/Shorewall/Macros/macro.IRC index 637d51c69..f31b6f9ce 100644 --- a/Shorewall/Macros/macro.IRC +++ b/Shorewall/Macros/macro.IRC @@ -1,13 +1,10 @@ # -# Shorewall IRC Macro +# Shorewall -- /usr/share/shorewall/macro.IRC # -# /usr/share/shorewall/macro.IRC -# -# This macro handles IRC traffic (Internet Relay Chat). +# This macro handles IRC traffic (Internet Relay Chat). # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER ) PARAM - - tcp 6667 { helper=irc } From 4ed88eb4ad82651f1690c47dbfdcc5eb307c22e8 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 055/141] macro.Jabber: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Jabber | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Jabber b/Shorewall/Macros/macro.Jabber index 69103e123..6cfda9d91 100644 --- a/Shorewall/Macros/macro.Jabber +++ b/Shorewall/Macros/macro.Jabber @@ -1,11 +1,9 @@ # -# Shorewall - Jabber Macro +# Shorewall -- /usr/share/shorewall/macro.Jabber # -# /usr/share/shorewall/macro.Jabber -# -# This macro accepts Jabber traffic. +# This macro handles Jabber traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 5222 
From 3a9979fb3d671af6557644875df0a10eb61901b1 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 056/141] macro.Jabberd: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Jabberd | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Jabberd b/Shorewall/Macros/macro.Jabberd index 2e13c4cb5..7a6471a70 100644 --- a/Shorewall/Macros/macro.Jabberd +++ b/Shorewall/Macros/macro.Jabberd @@ -1,11 +1,9 @@ # -# Shorewall - Jabberd (server intercommunication) +# Shorewall -- /usr/share/shorewall/macro.Jabberd # -# /usr/share/shorewall/macro.Jabberd -# -# This macro accepts Jabberd intercommunication traffic +# This macro handles Jabberd intercommunication traffic # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 5269 From e99b23c154bbb72573580c40a9f4f3ca7f495d22 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 057/141] macro.JabberPlain: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.JabberPlain | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.JabberPlain b/Shorewall/Macros/macro.JabberPlain index 47f7780a8..8ae6ed306 100644 --- a/Shorewall/Macros/macro.JabberPlain +++ b/Shorewall/Macros/macro.JabberPlain 
@@ -1,12 +1,9 @@ # -# Shorewall - JabberPlain Macro +# Shorewall -- /usr/share/shorewall/macro.JabberPlain # -# /usr/share/shorewall/macro.JabberPlain -# -# This macro accepts Jabber traffic (plaintext). This macro is -# deprecated - use of macro.Jabber instead is recommended. +# This macro is deprecated - use of macro.Jabber instead is recommended. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + Jabber From 9b2bc4f53df835c0339a0465042246481f10eb28 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 058/141] macro.JabberSecure: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.JabberSecure | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/Shorewall/Macros/macro.JabberSecure b/Shorewall/Macros/macro.JabberSecure index 036d4e53c..6c3be3eff 100644 --- a/Shorewall/Macros/macro.JabberSecure +++ b/Shorewall/Macros/macro.JabberSecure @@ -1,13 +1,9 @@ # -# Shorewall - JabberSecure (SSL) Macro +# Shorewall -- /usr/share/shorewall/macro.JabberSecure # -# /usr/share/shorewall/macro.JabberSecure -# -# This macro accepts Jabber traffic (SSL). Use of Jabber with SSL -# is deprecated, please configure Jabber with STARTTLS and use -# Jabber macro instead. +# This macro handles deprecated Jabber (SSL) traffic. Use STARTTLS instead. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 5223 From 6222ec1e1a75c667cc6f83f9c7ebf29a50c89de8 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 059/141] macro.JAP: update macro header and description 
Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.JAP | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/Shorewall/Macros/macro.JAP b/Shorewall/Macros/macro.JAP index ee7826b8c..48b516b00 100644 --- a/Shorewall/Macros/macro.JAP +++ b/Shorewall/Macros/macro.JAP @@ -1,15 +1,13 @@ # -# Shorewall - JAP Macro +# Shorewall -- /usr/share/shorewall/macro.JAP # -# /usr/share/shorewall/macro.JAP -# -# This macro handles JAP Anon Proxy traffic. This macro is for -# administrators running a Mix server. It is NOT for people trying -# to browse anonymously! +# This macro handles JAP Anon Proxy Mix server traffic. +# This macro is for administrators running a Mix server. It is NOT for people +# trying to browse anonymously! # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 8080 # HTTP port PARAM - - tcp 6544 # HTTP port PARAM - - tcp 6543 # InfoService port From d9907e93e8bad453972aefd2314de7159f3408f1 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 060/141] macro.Jetdirect: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Jetdirect | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Jetdirect b/Shorewall/Macros/macro.Jetdirect index 24a662aac..da63c9a97 100644 --- a/Shorewall/Macros/macro.Jetdirect +++ b/Shorewall/Macros/macro.Jetdirect 
@@ -1,11 +1,9 @@ # -# Shorewall - Jetdirect Macro +# Shorewall -- /usr/share/shorewall/macro.Jetdirect # -# /usr/share/shorewall/macro.Jetdirect -# -# This macro handles HP Jetdirect printing. +# This macro handles HP Jetdirect printing. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 9100 From 9b45c81dc63223e039176d0635bc1952fe18dfc6 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 061/141] macro.Kerberos: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Kerberos | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Kerberos b/Shorewall/Macros/macro.Kerberos index ff70d1ba9..18fe40939 100644 --- a/Shorewall/Macros/macro.Kerberos +++ b/Shorewall/Macros/macro.Kerberos @@ -1,12 +1,10 @@ # -# Shorewall - Kerberos Macro +# Shorewall -- /usr/share/shorewall/macro.Kerberos # -# /usr/share/shorewall/macro.Kerberos -# -# This macro handles Kerberos traffic. +# This macro handles Kerberos traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 88 PARAM - - udp 88 From ccd1f3b9d3e964fa98bba3a54f71d8253d82857e Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 062/141] macro.L2TP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.L2TP | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.L2TP b/Shorewall/Macros/macro.L2TP index 28765fecd..5fe351316 100644 --- a/Shorewall/Macros/macro.L2TP 
+++ b/Shorewall/Macros/macro.L2TP @@ -1,13 +1,11 @@ # -# Shorewall - L2TP Macro +# Shorewall -- /usr/share/shorewall/macro.L2TP # -# /usr/share/shorewall/macro.L2TP -# -# This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic -# (RFC 2661) +# This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic. +# (RFC 2661) # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 1701 # L2TP PARAM DEST SOURCE udp 1701 # L2TP From a82e517d058f98e272c9efcfd3840231f713cfd7 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 063/141] macro.LDAP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.LDAP | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/Shorewall/Macros/macro.LDAP b/Shorewall/Macros/macro.LDAP index 48aa5dd96..366160cb4 100644 --- a/Shorewall/Macros/macro.LDAP +++ b/Shorewall/Macros/macro.LDAP 
@@ -1,16 +1,14 @@ # -# Shorewall - LDAP Macro +# Shorewall -- /usr/share/shorewall/macro.LDAP # -# /usr/share/shorewall/macro.LDAP -# -# This macro handles plaintext LDAP traffic. For encrypted LDAP -# traffic, see macro.LDAPS. Use of LDAPS is recommended (and is -# required by some directory services) if you want to do user -# authentication over LDAP. Note that some LDAP implementations -# support initiating TLS connections via the plaintext LDAP port. -# Consult your LDAP server documentation for details. +# This macro handles plaintext LDAP traffic. For encrypted LDAP +# traffic, see macro.LDAPS. Use of LDAPS is recommended (and is +# required by some directory services) if you want to do user +# authentication over LDAP. Note that some LDAP implementations +# support initiating TLS connections via the plaintext LDAP port. +# Consult your LDAP server documentation for details. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 389 From ce6532ebfb5c4b8cea238e5a9446c932a7dc9e8b Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 064/141] macro.LDAPS: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.LDAPS | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/Shorewall/Macros/macro.LDAPS b/Shorewall/Macros/macro.LDAPS index 2060e398a..fccd5ccd4 100644 --- a/Shorewall/Macros/macro.LDAPS +++ b/Shorewall/Macros/macro.LDAPS 
@@ -1,16 +1,14 @@ # -# Shorewall - LDAPS Macro +# Shorewall -- /usr/share/shorewall/macro.LDAPS # -# /usr/share/shorewall/macro.LDAPS -# -# This macro handles encrypted LDAP traffic. For plaintext LDAP -# traffic, see macro.LDAP. Use of LDAPS is recommended (and is -# required by some directory services) if you want to do user -# authentication over LDAP. Note that some LDAP implementations -# support initiating TLS connections via the plaintext LDAP port. -# Consult your LDAP server documentation for details. +# This macro handles encrypted LDAP traffic. For plaintext LDAP +# traffic, see macro.LDAP. Use of LDAPS is recommended (and is +# required by some directory services) if you want to do user +# authentication over LDAP. Note that some LDAP implementations +# support initiating TLS connections via the plaintext LDAP port. +# Consult your LDAP server documentation for details. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 636 From d732a8a040a369818e855cfc835b30e9f8f6caa7 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 065/141] macro.Mail: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Mail | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/Shorewall/Macros/macro.Mail b/Shorewall/Macros/macro.Mail index c3f39e6a8..078c08c6a 100644 --- a/Shorewall/Macros/macro.Mail +++ b/Shorewall/Macros/macro.Mail 
@@ -1,19 +1,17 @@ # -# Shorewall - Mail Macro +# Shorewall -- /usr/share/shorewall/macro.Mail # -# /usr/share/shorewall/macro.Mail +# This macro handles SMTP (email secure and insecure) traffic. +# It's the aggregate of macro.SMTP, macro.SMTPS, macro.Submission. # -# This macro handles SMTP (email secure and insecure) traffic. -# It's the aggregate of macro.SMTP, macro.SMTPS, macro.Submission. -# -# Note: This macro handles traffic between an MUA (Email client) -# and an MTA (mail server) or between MTAs. It does not enable -# reading of email via POP3 or IMAP. For those you need to use -# the POP3 or IMAP macros. +# Note: This macro handles traffic between an MUA (Email client) +# and an MTA (mail server) or between MTAs. It does not enable +# reading of email via POP3 or IMAP. For those you need to use +# the POP3 or IMAP macros. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP -PARAM - - tcp 25 -PARAM - - tcp 465 -PARAM - - tcp 587 +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + +SMTP +SMTPS +Submission From 996b6290299b0cd06057ccca80a6f3787a20246c Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 066/141] macro.mDNS: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.mDNS | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/Shorewall/Macros/macro.mDNS b/Shorewall/Macros/macro.mDNS index 75ba6a6ce..c45350052 100644 --- a/Shorewall/Macros/macro.mDNS +++ b/Shorewall/Macros/macro.mDNS 
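Review bot: The macro.Mail hunk changes the rules as well as the header, although the commit subject says only "update macro header and description". The three explicit `PARAM - - tcp` entries for ports 25, 465 and 587 are replaced by calls to `SMTP`, `SMTPS` and `Submission`. The ports this macro opens now depend on macro.SMTP, macro.SMTPS and macro.Submission, none of which appears in this part of the series, so an admin auditing macro.Mail can no longer read the port set from the file itself. I would mention the rule change in the commit message and keep the ports visible in the description, e.g. `# Expands to SMTP (tcp 25), SMTPS (tcp 465) and Submission (tcp 587).`, after confirming that those macros define exactly these ports. The same applies to the macro.NTPbi hunk in patch 076, where the two `udp 123` rules become `NTP` and `NTP DEST SOURCE`.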
@@ -1,15 +1,13 @@ # -# Shorewall - Multicast DNS Macro -- this macro assumes that only -# the DEST zone sends mDNS queries. If both zones send -# queries, use the mDNSbi macro. +# Shorewall -- /usr/share/shorewall/macro.mDNS # -# /usr/share/shorewall/macro.mDNS -# -# This macro handles multicast DNS traffic +# This macro handles multicast DNS traffic from DEST zone. +# This macro assumes that only the DEST zone sends mDNS queries. +# If both zones send queries, use the mDNSbi macro. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE -# PORT(S) PORT(S) DEST LIMIT +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST + PARAM - 224.0.0.251 udp 5353 PARAM - - udp 1024: 5353 PARAM - 224.0.0.251 2 From a4c88ee966c6deea62a420d57d07b537a3a8ef35 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 067/141] macro.mDNSbi: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.mDNSbi | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.mDNSbi b/Shorewall/Macros/macro.mDNSbi index a3e4add91..367db575e 100644 --- a/Shorewall/Macros/macro.mDNSbi +++ b/Shorewall/Macros/macro.mDNSbi @@ -1,13 +1,11 @@ # -# Shorewall - Bi-directional Multicast DNS Macro. +# Shorewall -- /usr/share/shorewall/macro.mDNSbi # -# /usr/share/shorewall/macro.mDNSbi -# -# This macro handles multicast DNS traffic +# This macro handles bidirectional multicast DNS traffic # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE -# PORT(S) PORT(S) DEST LIMIT +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST + PARAM - 224.0.0.251 udp 5353 PARAM - - udp 1024: 5353 PARAM - 224.0.0.251 2 From f16a7d62249fdfc569fd6a2c030bff0a65c845b6 Mon Sep 17 00:00:00 2001 
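Review bot: The new column header in macro.mDNS stops at `ORIGDEST`, dropping the rate column that the old header listed. The other macros converted in this part of the series use `#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER`. Unless the shorter header is deliberate, I would use that same line here, so that someone adding a rate limit or user match to the macro sees which columns exist. The macro.mDNSbi hunk in patch 067 has the same shortened header.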
From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 068/141] macro.MongoDB: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.MongoDB | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.MongoDB b/Shorewall/Macros/macro.MongoDB index a34a5dc7b..69bb90cc3 100644 --- a/Shorewall/Macros/macro.MongoDB +++ b/Shorewall/Macros/macro.MongoDB @@ -1,11 +1,9 @@ # -# Shorewall - MongoDB Macro +# Shorewall -- /usr/share/shorewall/macro.MongoDB # -# /usr/share/shorewall/macro.MongoDB -# -# This macro handles MongoDB Daemon/Router traffic. +# This macro handles MongoDB Daemon/Router traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 27017 From bb558baf23c253731bb4038d14cdd0131f4daced Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 069/141] macro.MSNP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.MSNP | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.MSNP b/Shorewall/Macros/macro.MSNP index bb9a3e637..59973fa92 100644 --- a/Shorewall/Macros/macro.MSNP +++ b/Shorewall/Macros/macro.MSNP @@ -1,11 +1,9 @@ # -# Shorewall - MSNP Macro +# Shorewall - /usr/share/shorewall/macro.MSNP # -# /usr/share/shorewall/macro.MSNP -# -# This macro handles MSNP (MicroSoft Notification Protocol) +# This macro handles MSNP (MicroSoft Notification Protocol) # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 1863 
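Review bot: The first header line of macro.MSNP is written with a single dash, `# Shorewall - /usr/share/shorewall/macro.MSNP`, while the other macros converted in this part of the series use a double dash before the path. I would change it to `# Shorewall -- /usr/share/shorewall/macro.MSNP` so the headers stay uniform and a single grep pattern matches all of them.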
From 2208dc85c6ac6d33f0cc1b3facc61dcaeac0dd12 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 070/141] macro.MSSQL: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.MSSQL | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.MSSQL b/Shorewall/Macros/macro.MSSQL index 700ee80d2..eb31ee5ec 100644 --- a/Shorewall/Macros/macro.MSSQL +++ b/Shorewall/Macros/macro.MSSQL @@ -1,12 +1,10 @@ # -# Shorewall - MSSQL Macro +# Shorewall -- /usr/share/shorewall/macro.MSSQL # -# /usr/share/shorewall/macro.MSSQL -# -# This macro handles MSSQL (Microsoft SQL Server) +# This macro handles MSSQL (Microsoft SQL Server) # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 1433 PARAM - - udp 1434 From f447e5f3ce323f84b7281476136045eae2b37100 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 071/141] macro.Munin: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Munin | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Munin b/Shorewall/Macros/macro.Munin index afa926400..957cff767 100644 --- a/Shorewall/Macros/macro.Munin +++ b/Shorewall/Macros/macro.Munin 
@@ -1,11 +1,9 @@ # -# Shorewall - Munin Macro +# Shorewall -- /usr/share/shorewall/macro.Munin # -# /usr/share/shorewall/macro.Munin -# -# This macro handles Munin networked resource monitoring traffic +# This macro handles Munin networked resource monitoring traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 4949 From 897337acef93db85274872e1f465eb5a65dac451 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 072/141] macro.MySQL: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.MySQL | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.MySQL b/Shorewall/Macros/macro.MySQL index b308c945b..d4ebf6981 100644 --- a/Shorewall/Macros/macro.MySQL +++ b/Shorewall/Macros/macro.MySQL @@ -1,11 +1,9 @@ # -# Shorewall - MySQL Macro +# Shorewall -- /usr/share/shorewall/macro.MySQL # -# /usr/share/shorewall/macro.MySQL -# -# This macro handles connections to the MySQL server. +# This macro handles connections to the MySQL server. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 3306 From 9bf7bb73f9e09e9fc7303bc2da67f5f1fe5d1c8a Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 073/141] macro.NNTP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.NNTP | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.NNTP b/Shorewall/Macros/macro.NNTP index 2a2d1cc4c..d6076bdb0 100644 --- a/Shorewall/Macros/macro.NNTP 
+++ b/Shorewall/Macros/macro.NNTP @@ -1,12 +1,10 @@ # -# Shorewall NNTP Macro +# Shorewall -- /usr/share/shorewall/macro.NNTP # -# /usr/share/shorewall/macro.NNTP -# -# This macro handles plaintext NNTP traffic (Usenet). For -# encrypted NNTP, see macro.NNTPS. +# This macro handles plaintext NNTP traffic (Usenet). +# For encrypted NNTP, see macro.NNTPS. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 119 From 688ba42a578880fba373913a3e2c8ef3caa8f6cb Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 074/141] macro.NNTPS: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.NNTPS | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.NNTPS b/Shorewall/Macros/macro.NNTPS index 834f3f140..5e57cb5b9 100644 --- a/Shorewall/Macros/macro.NNTPS +++ b/Shorewall/Macros/macro.NNTPS @@ -1,12 +1,10 @@ # -# Shorewall NNTPS Macro +# Shorewall -- /usr/share/shorewall/macro.NNTPS # -# /usr/share/shorewall/macro.NNTPS -# -# This macro handles encrypted NNTP traffic (Usenet). For -# plaintext NNTP, see macro.NNTP. +# This macro handles encrypted NNTP traffic (Usenet). +# For plaintext NNTP, see macro.NNTP. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 563 From 2420f24a62162ccbcd554eb3bb796a69cb73b36e Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 075/141] macro.NTP: update macro header and description 
Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.NTP | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.NTP b/Shorewall/Macros/macro.NTP index 19299664d..22566bc5d 100644 --- a/Shorewall/Macros/macro.NTP +++ b/Shorewall/Macros/macro.NTP @@ -1,12 +1,10 @@ # -# Shorewall - NTP Macro +# Shorewall -- /usr/share/shorewall/macro.NTP # -# /usr/share/shorewall/macro.NTP -# -# This macro handles NTP traffic (ntpd). -# For broadcast NTP traffic, use NTPbrd Macro. +# This macro handles NTP traffic. +# For broadcast NTP traffic, use NTPbrd Macro. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 123 From 2612e012d6a09750ff893795fa817d3a0fd87209 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 076/141] macro.NTPbi: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.NTPbi | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/Shorewall/Macros/macro.NTPbi b/Shorewall/Macros/macro.NTPbi index fe5f2e534..139dbd372 100644 --- a/Shorewall/Macros/macro.NTPbi +++ b/Shorewall/Macros/macro.NTPbi @@ -1,12 +1,10 @@ # -# Shorewall - NTPbi Macro +# Shorewall -- /usr/share/shorewall/macro.NTPbi # -# /usr/share/shorewall/macro.NTPbi -# -# This macro handles bi-directional NTP (for NTP peers) +# This macro handles bi-directional NTP (for NTP peers). # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP -PARAM - - udp 123 -PARAM DEST SOURCE udp 123 +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + +NTP +NTP DEST SOURCE From efa019a782d12acfb5900f6124ed70c65b7bfd9f Mon Sep 17 00:00:00 2001 
From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 077/141] macro.NTPbrd: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.NTPbrd | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/Shorewall/Macros/macro.NTPbrd b/Shorewall/Macros/macro.NTPbrd index 5e2a0b819..4a7a0f4df 100644 --- a/Shorewall/Macros/macro.NTPbrd +++ b/Shorewall/Macros/macro.NTPbrd @@ -1,17 +1,14 @@ # -# Shorewall - NTPbrd Macro +# Shorewall -- /usr/share/shorewall/macro.NTPbrd # -# /usr/share/shorewall/macro.NTPbrd +# This macro handles NTP traffic including replies to Broadcast NTP traffic. # -# This macro handles NTP traffic (ntpd) including replies to Broadcast -# NTP traffic. -# -# It is recommended only to use this where the source host is trusted - -# otherwise it opens up a large hole in your firewall because -# Netfilter doesn't track connections for broadcast traffic. +# It is recommended only to use this where the source host is trusted - +# otherwise it opens up a large hole in your firewall because +# Netfilter doesn't track connections for broadcast traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP -PARAM - - udp 123 -PARAM - - udp 1024: 123 +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + +PARAM - - udp 123 +PARAM - - udp 1024: 123 From 724f21202c6115d8c9781beb19f039ba80ad4c6d Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 078/141] macro.OpenVPN: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.OpenVPN | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.OpenVPN b/Shorewall/Macros/macro.OpenVPN index 266cddc4a..736305899 100644 --- a/Shorewall/Macros/macro.OpenVPN +++ b/Shorewall/Macros/macro.OpenVPN 
@@ -1,11 +1,9 @@ # -# Shorewall - OpenVPN Macro +# Shorewall -- /usr/share/shorewall/macro.OpenVPN # -# /usr/share/shorewall/macro.OpenVPN Macro -# -# This macro handles OpenVPN traffic. +# This macro handles OpenVPN traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 1194 From 4f340e70337b9e07e2977a75ff244da3907b7c02 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 079/141] macro.OSPF: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.OSPF | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.OSPF b/Shorewall/Macros/macro.OSPF index 036159051..efbb21d1c 100644 --- a/Shorewall/Macros/macro.OSPF +++ b/Shorewall/Macros/macro.OSPF @@ -1,11 +1,9 @@ # -# Shorewall - OSPF Macro +# Shorewall -- /usr/share/shorewall/macro.OSPF # -# /usr/share/shorewall/macro.OSPF -# -# This macro handles OSPF multicast traffic +# This macro handles OSPF multicast traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - 89 # OSPF From 5667919b91b95a66f685794cc2ec64c19fe6766c Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 080/141] macro.PCA: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.PCA | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.PCA b/Shorewall/Macros/macro.PCA index 1ffa330f2..a2415defa 100644 --- a/Shorewall/Macros/macro.PCA +++ b/Shorewall/Macros/macro.PCA 
@@ -1,12 +1,10 @@ # -# Shorewall - PCA Macro +# Shorewall -- /usr/share/shorewall/macro.PCA # -# /usr/share/shorewall/macro.PCA -# -# This macro handles PCAnywere (tm) +# This macro handles PCAnywere (tm) traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 5632 PARAM - - tcp 5631 From c25ddcea40cf4adf90ba66847dd901a0f7d19d43 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 081/141] macro.Ping: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Ping | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Ping b/Shorewall/Macros/macro.Ping index aa8b1f5f2..cec49bc2f 100644 --- a/Shorewall/Macros/macro.Ping +++ b/Shorewall/Macros/macro.Ping @@ -1,11 +1,9 @@ # -# Shorewall - Ping Macro +# Shorewall -- /usr/share/shorewall/macro.Ping # -# /usr/share/shorewall/macro.Ping -# -# This macro handles 'ping' requests. +# This macro handles ICMP 'ping' requests. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - icmp 8 From 9b6f8d2f0ce0a8e0ef2e9fa20d9ac0201a822e2d Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 082/141] macro.POP3: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.POP3 | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.POP3 b/Shorewall/Macros/macro.POP3 index da9cc1f5a..cc034832d 100644 --- a/Shorewall/Macros/macro.POP3 +++ b/Shorewall/Macros/macro.POP3 
@@ -1,12 +1,10 @@ # -# Shorewall - POP3 Macro +# Shorewall -- /usr/share/shorewall/macro.POP3 # -# /usr/share/shorewall/macro.POP3 -# -# This macro handles plaintext POP3 traffic. For encrypted POP3, -# see macro.POP3S. +# This macro handles plaintext POP3 traffic. +# For encrypted POP3, see macro.POP3S. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 110 From 5cda192731724015d9625159219c24bbd3360b52 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 083/141] macro.POP3S: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.POP3S | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.POP3S b/Shorewall/Macros/macro.POP3S index b2400b815..19f896981 100644 --- a/Shorewall/Macros/macro.POP3S +++ b/Shorewall/Macros/macro.POP3S @@ -1,12 +1,10 @@ # -# Shorewall - POP3S Macro +# Shorewall -- /usr/share/shorewall/macro.POP3S # -# /usr/share/shorewall/macro.POP3S -# -# This macro handles encrypted POP3 traffic. For plaintext POP3, -# see macro.POP3. +# This macro handles encrypted POP3 traffic. +# For plaintext POP3, see macro.POP3. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 995 # Secure POP3 From 2c2c4194ce134711cf8da982060b12ee3e396352 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 084/141] macro.PostgreSQL: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.PostgreSQL | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
diff --git a/Shorewall/Macros/macro.PostgreSQL b/Shorewall/Macros/macro.PostgreSQL index 73ea9092d..4927bd509 100644 --- a/Shorewall/Macros/macro.PostgreSQL +++ b/Shorewall/Macros/macro.PostgreSQL @@ -1,11 +1,9 @@ # -# Shorewall - PostgreSQL Macro +# Shorewall -- /usr/share/shorewall/macro.PostgreSQL # -# /usr/share/shorewall/macro.PostgreSQL -# -# This macro handles connections to the PostgreSQL server. +# This macro handles connections to the PostgreSQL server. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 5432 From c9161a3eb2371e56686763e08723793b0053e613 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 085/141] macro.PPtP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.PPtP | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/Shorewall/Macros/macro.PPtP b/Shorewall/Macros/macro.PPtP index af36be522..5c9f32128 100644 --- a/Shorewall/Macros/macro.PPtP +++ b/Shorewall/Macros/macro.PPtP @@ -1,15 +1,12 @@ # -# Shorewall - PPTP Macro +# Shorewall -- /usr/share/shorewall/macro.PPtP Macro # -# /usr/share/shorewall/macro.PPtP Macro -# -# This macro handles PPTP traffic. +# This macro handles PPTP traffic. NOTE: PPTP protocol is insecure. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP -PARAM - - 47 -PARAM DEST SOURCE 47 +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + +GRE ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER ) PARAM - - tcp 1723 { helper=pptp } From 71681d1ccdc8db5b497d7c7120613d39195586ea Mon Sep 17 00:00:00 2001 
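Review bot: In macro.PPtP the two protocol-47 rules, including the reversed `PARAM DEST SOURCE 47`, are replaced by a bare `GRE` line, which is a rule change in a commit described as a header and description update. macro.GRE is not part of this patch, so it cannot be confirmed from here that GRE is still admitted in the reply direction. If the reverse rule is still wanted, keep it explicitly as `GRE DEST SOURCE` next to `GRE`, and mention the rule change in the commit message. The new header also keeps a stray trailing word and should read `# Shorewall -- /usr/share/shorewall/macro.PPtP`. The macro body continues past the end of the hunk.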
From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 086/141] macro.Printer: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Printer | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Printer b/Shorewall/Macros/macro.Printer index 9607313ad..ab50e5174 100644 --- a/Shorewall/Macros/macro.Printer +++ b/Shorewall/Macros/macro.Printer @@ -1,11 +1,9 @@ # -# Shorewall - Printer Macro +# Shorewall -- /usr/share/shorewall/macro.Printer # -# /usr/share/shorewall/macro.Printer -# -# This macro handles Line Printer protocol printing. +# This macro handles Line Printer protocol printing. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 515 From feaadcd8f891e1ac0f46fb47fbfd7ee01b9e3f5a Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 087/141] macro.Puppet: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Puppet | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.Puppet b/Shorewall/Macros/macro.Puppet index 77bb73fad..bcb75818f 100644 --- a/Shorewall/Macros/macro.Puppet +++ b/Shorewall/Macros/macro.Puppet 
@@ -1,12 +1,9 @@ # -# Shorewall - Puppet Macro +# Shorewall -- /usr/share/shorewall/macro.Puppet # -# /usr/share/shorewall/macro.Puppet -# -# This macro handles client-to-server for the Puppet configuration -# management system. +# This macro handles client-to-server for the Puppet configuration management. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 8140 From 29b30f29a02391e9181d65b476afb0cd7f5e48c8 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 088/141] macro.QUIC: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.QUIC | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.QUIC b/Shorewall/Macros/macro.QUIC index 715c1c7cd..e38f19b6d 100644 --- a/Shorewall/Macros/macro.QUIC +++ b/Shorewall/Macros/macro.QUIC @@ -1,11 +1,9 @@ # -# Shorewall - QUIC Macro +# Shorewall -- /usr/share/shorewall/macro.QUIC # -# /usr/share/shorewall/macro.QUIC -# -# This macro handles QUIC (Quick UDP Internet Connections). +# This macro handles QUIC (Quick UDP Internet Connections). # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 80,443 From e5818fb9d8e6a693f83b518d51ef84be600db367 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 089/141] macro.Razor: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Razor | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
diff --git a/Shorewall/Macros/macro.Razor b/Shorewall/Macros/macro.Razor index 726cff994..f3890d421 100644 --- a/Shorewall/Macros/macro.Razor +++ b/Shorewall/Macros/macro.Razor @@ -1,11 +1,9 @@ # -# Shorewall - Razor Macro +# Shorewall -- /usr/share/shorewall/macro.Razor # -# /usr/share/shorewall/macro.Razor -# -# This macro handles traffic for the Razor Antispam System +# This macro handles traffic for the Razor Antispam System # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + ACCEPT - - tcp 2703 From ff449953c652fa96017547bda7ace840af9e6f37 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 090/141] macro.Rdate: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Rdate | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/Shorewall/Macros/macro.Rdate b/Shorewall/Macros/macro.Rdate index fe83a8bbb..ea6507e64 100644 --- a/Shorewall/Macros/macro.Rdate +++ b/Shorewall/Macros/macro.Rdate 
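Review bot: The only rule in macro.Razor is `ACCEPT - - tcp 2703`, while every other macro in this series puts `PARAM` in the ACTION column; the hunk re-aligns the line but leaves the verdict hard-coded. With a literal ACCEPT the macro presumably ignores the parameter it is invoked with, so a rule written to log, drop or reject Razor traffic would still accept it. If that is not intended, the line should be `PARAM - - tcp 2703`; if it is, a comment saying so would prevent surprises. The new description line is also missing the closing period that the sibling macros gained.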
@@ -1,15 +1,13 @@ # -# Shorewall - Rdate Macro +# Shorewall -- /usr/share/shorewall/macro.Rdate # -# /usr/share/shorewall/macro.Rdate -# -# This macro handles remote time retrieval (rdate). -# Unless you are supporting extremely old hardware or software, -# you shouldn't be using this. NTP is a superior alternative. -# And even if you need to use rfc 868 Time protocol you should -# use Time macro instead. +# This macro handles remote time retrieval (rdate). +# Unless you are supporting extremely old hardware or software, +# you shouldn't be using this. NTP is a superior alternative. +# And even if you need to use rfc 868 Time protocol you should +# use Time macro instead. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 37 From 974e88c03870c65e6c837137679e514a23892594 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 091/141] macro.RDP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.RDP | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.RDP b/Shorewall/Macros/macro.RDP index 0f28f0c46..870f78749 100644 --- a/Shorewall/Macros/macro.RDP +++ b/Shorewall/Macros/macro.RDP @@ -1,11 +1,9 @@ # -# Shorewall - RDP Macro +# Shorewall -- /usr/share/shorewall/macro.RDP # -# /usr/share/shorewall/macro.RDP -# -# This macro handles Microsoft RDP (Remote Desktop) traffic. +# This macro handles Microsoft RDP (Remote Desktop) traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 3389 
From 8d13653fc2dd2a7dffc4c523c1fad534d2b48a0e Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 092/141] macro.Redis: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Redis | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Redis b/Shorewall/Macros/macro.Redis index 16ca47a2b..8a8d7ffa1 100644 --- a/Shorewall/Macros/macro.Redis +++ b/Shorewall/Macros/macro.Redis @@ -1,11 +1,9 @@ # -# Shorewall - Redis Macro +# Shorewall -- /usr/share/shorewall/macro.Redis # -# /usr/share/shorewall/macro.Redis -# -# This macro handles Redis traffic. +# This macro handles Redis traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 6379 From 9d4eb3eccf3465d36419ff64b32a78fc4ad79835 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 093/141] macro.Reject: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Reject | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/Shorewall/Macros/macro.Reject b/Shorewall/Macros/macro.Reject index cf92ddcf9..abf2473e1 100644 --- a/Shorewall/Macros/macro.Reject +++ b/Shorewall/Macros/macro.Reject 
@@ -1,19 +1,15 @@ # -# Shorewall - Reject Macro +# Shorewall -- /usr/share/shorewall/macro.Reject # -# /usr/share/shorewall/macro.Reject +# This macro generates the same rules as the Reject default action +# It is used in place of action.Reject when USE_ACTIONS=No. # -# This macro generates the same rules as the Reject default action -# It is used in place of action.Reject when USE_ACTIONS=No. -# -# Example: -# -# Reject loc fw +# Example: # +# Reject loc fw # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER # # Don't log 'auth' REJECT # From cfe2b89e2ddd9b8682810c5137c2059a04d57421 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 094/141] macro.Rfc1918: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Rfc1918 | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/Shorewall/Macros/macro.Rfc1918 b/Shorewall/Macros/macro.Rfc1918 index 264f7ab28..87aaba1c4 100644 --- a/Shorewall/Macros/macro.Rfc1918 +++ b/Shorewall/Macros/macro.Rfc1918 
@@ -1,14 +1,10 @@ # -# Shorewall - Macro Template +# Shorewall -- /usr/share/shorewall/macro.Rfc1918 # -# /usr/share/shorewall/macro.Rfc1918 +# This macro handles SOURCE or ORIGDEST address reserved by RFC 1918. # -# This macro handles pkts with a SOURCE or ORIGINAL DEST address -# reserved by RFC 1918 -# -############################################################################################# -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP -PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \ - DEST -PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 +############################################################################### +#ACTION SOURCE DEST + +PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 DEST +PARAM SOURCE DEST { origdest=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 } From b960256fdb64e95523cd9c0e38dca68639a953eb Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 095/141] macro.RIPbi: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.RIPbi | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.RIPbi b/Shorewall/Macros/macro.RIPbi index 45af3324d..d441bd6c3 100644 --- a/Shorewall/Macros/macro.RIPbi +++ b/Shorewall/Macros/macro.RIPbi @@ -1,12 +1,10 @@ # -# Shorewall - RIPbi Macro +# Shorewall -- /usr/share/shorewall/macro.RIPbi # -# /usr/share/shorewall/macro.RIPbi -# -# This macro handles RIP (Routing Information Protocol) - bidirectional +# This macro (bidirectional) handles Routing Information Protocol (RIP). # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 520 PARAM DEST SOURCE udp 520 From 38953df7fbbf24bf9ad4a741db9305f927f36633 Mon Sep 17 00:00:00 2001 
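Review bot: The second rule of macro.Rfc1918 is rewritten from positional columns to `PARAM SOURCE DEST { origdest=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 }`, and the first loses its line continuation. That is a syntax change to filtering rules, not the header update the subject line announces. The macro matches private source and original-destination addresses, so if the new form parses differently the filter changes without any error being reported. Compare the generated ruleset before and after this patch, and say in the commit message that the rule format changed. The shortened description also dropped its object and would read better as `# This macro handles packets with a SOURCE or ORIGDEST address reserved by RFC 1918.`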
From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 096/141] macro.RNDC: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.RNDC | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.RNDC b/Shorewall/Macros/macro.RNDC index 0362bbc94..cd888588e 100644 --- a/Shorewall/Macros/macro.RNDC +++ b/Shorewall/Macros/macro.RNDC @@ -1,11 +1,9 @@ # -# Shorewall - RNDC Macro +# Shorewall -- /usr/share/shorewall/macro.RNDC # -# /usr/share/shorewall/macro.RNDC -# -# This macro handles RNDC (BIND remote management protocol) traffic. +# This macro handles BIND remote management protocol (RNDC) traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 953 From a32c0c990126ae4cbab8a0f5a415e88b44a6a648 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 097/141] macro.Rsync: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Rsync | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Rsync b/Shorewall/Macros/macro.Rsync index 71894b95a..9970b045f 100644 --- a/Shorewall/Macros/macro.Rsync +++ b/Shorewall/Macros/macro.Rsync @@ -1,11 +1,9 @@ # -# Shorewall - Rsync Macro +# Shorewall -- /usr/share/shorewall/macro.Rsync # -# /usr/share/shorewall/macro.Rsync -# -# This macro handles connections to the rsync server. +# This macro handles connections to the rsync server. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 873 
From a1a6352617c3b957418cb3f2feedd3b924b14599 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 098/141] macro.SANE: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.SANE | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.SANE b/Shorewall/Macros/macro.SANE index ee396c432..34ffae3ae 100644 --- a/Shorewall/Macros/macro.SANE +++ b/Shorewall/Macros/macro.SANE @@ -1,13 +1,10 @@ # -# Shorewall - SANE Macro +# Shorewall -- /usr/share/shorewall/macro.SANE # -# /usr/share/shorewall/macro.SANE -# -# This macro handles SANE network scanning. +# This macro handles SANE network scanning. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER ) PARAM - - tcp 6566 { helper=sane } @@ -17,7 +14,8 @@ # # Kernels 2.6.23+ has nf_conntrack_sane module which will handle -# sane data connection. +# sane data connection. If you need these, copy this file to /etc/shorewall +# and remove comments from one of the entries below. # # If you don't have sane conntracking support you need to open whole dynamic # port range. From 3cec3ce6bc703d7b902e6dccc229d13b5e8705e0 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 099/141] macro.Sieve: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.Sieve | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.Sieve b/Shorewall/Macros/macro.Sieve index 39e865ccf..1fef9add2 100644 --- a/Shorewall/Macros/macro.Sieve +++ b/Shorewall/Macros/macro.Sieve 
@@ -1,11 +1,9 @@ # -# Shorewall - Sieve Macro +# Shorewall -- /usr/share/shorewall/macro.Sieve # -# /usr/share/shorewall/macro.Sieve -# -# This macro handles sieve aka ManageSieve protocol. +# This macro handles sieve aka ManageSieve protocol. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 4190 From c2b1a0ce048fe00a449baa15318bc16b71df5eb6 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 100/141] macro.SIP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.SIP | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Shorewall/Macros/macro.SIP b/Shorewall/Macros/macro.SIP index 3e17b0e74..cf6d85202 100644 --- a/Shorewall/Macros/macro.SIP +++ b/Shorewall/Macros/macro.SIP @@ -1,13 +1,10 @@ # -# Shorewall - SIP Macro +# Shorewall -- /usr/share/shorewall/macro.SIP # -# /usr/share/shorewall/macro.SIP -# -# This macro handles SIP traffic. +# This macro handles SIP traffic. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER ) PARAM - - udp 5060 { helper=sip } From 73aa2c68ebceb3dda79a5eeb2abbd47fa2127a30 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 101/141] macro.SixXS: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.SixXS | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/Shorewall/Macros/macro.SixXS b/Shorewall/Macros/macro.SixXS index eb2bc0094..3b50982df 100644 --- a/Shorewall/Macros/macro.SixXS 
+++ b/Shorewall/Macros/macro.SixXS @@ -1,24 +1,21 @@ # -# Shorewall - SIXXS Macro +# Shorewall -- /usr/share/shorewall/macro.SixXS # -# /usr/share/shorewall/macro.SixXS -# -# This macro handles SixXS -- An IPv6 Deployment and Tunnel Broker +# This macro handles SixXS - An IPv6 Deployment and Tunnel Broker # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP -# +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + # Used for retrieving the tunnel information (eg by AICCU) PARAM - - tcp 3874 -# + # Used for signaling where the current IPv4 endpoint # of the tunnel is and that it is alive PARAM - - udp 3740 -# + # Used for tunneling IPv6 over IPv4 (static + heartbeat tunnels) PARAM - - 41 -# + # Used for tunneling IPv6 over IPv4 (AYIYA # tunnels)(5072 is official port, 8374 is used in the beta) PARAM - - udp 5072,8374 From 316f07bce92d84bcca440f6de5dae3d6f58650c8 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 102/141] macro.SMB: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.SMB | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/Shorewall/Macros/macro.SMB b/Shorewall/Macros/macro.SMB index d433a6b3e..7312331f3 100644 --- a/Shorewall/Macros/macro.SMB +++ b/Shorewall/Macros/macro.SMB 
@@ -1,17 +1,15 @@ # -# Shorewall - SMB Macro +# Shorewall -- /usr/share/shorewall/macro.SMB # -# /usr/share/shorewall/macro.SMB -# -# This macro handles Microsoft SMB traffic. You need to invoke -# this macro in both directions. Beware! This rule opens a lot -# of ports, and could possibly be used to compromise your firewall -# if not used with care. You should only allow SMB traffic -# between hosts you fully trust. +# This macro handles Microsoft SMB traffic. +# You need to invoke this macro in both directions. +# Beware! This rule opens a lot of ports, and could possibly be used to +# compromise your firewall if not used with care. You should only allow SMB +# traffic between hosts you fully trust. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - udp 135,445 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER ) From f8d99a0f22b1b07fbb23d7fc9c1b7d15f7da5363 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 103/141] macro.SMBBI: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.SMBBI | 38 ++++++++---------------------------- 1 file changed, 8 insertions(+), 30 deletions(-) diff --git a/Shorewall/Macros/macro.SMBBI b/Shorewall/Macros/macro.SMBBI index 8bcf313a5..536697e30 100644 --- a/Shorewall/Macros/macro.SMBBI +++ b/Shorewall/Macros/macro.SMBBI 
@@ -1,36 +1,14 @@ # -# Shorewall - SMB Bi-directional Macro +# Shorewall -- /usr/share/shorewall/macro.SMBBI # -# /usr/share/shorewall/macro.SMBBI +# This macro (bidirectional) handles Microsoft SMB traffic. # -# This macro (bidirectional) handles Microsoft SMB traffic. -# -# Beware! This macro opens a lot of ports, and could possibly be used -# to compromise your firewall if not used with care. You should only -# allow SMB traffic between hosts you fully trust. +# Beware! This macro opens a lot of ports, and could possibly be used +# to compromise your firewall if not used with care. You should only +# allow SMB traffic between hosts you fully trust. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP -PARAM - - udp 135,445 +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER -?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER ) - PARAM - - udp 137 { helper=netbios-ns } - PARAM - - udp 138:139 -?else - PARAM - - udp 137:139 -?endif - -PARAM - - udp 1024: 137 -PARAM - - tcp 135,139,445 -PARAM DEST SOURCE udp 135,445 - -?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER ) - PARAM DEST SOURCE udp 137 { helper=netbios-ns } - PARAM DEST SOURCE udp 138:139 -?else - PARAM DEST SOURCE udp 137:139 -?endif - -PARAM DEST SOURCE udp 1024: 137 -PARAM DEST SOURCE tcp 135,139,445 +SMB +SMB DEST SOURCE From 26710e72a943e2e1422d0692c5089e1b3d7bc510 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 104/141] macro.SMBswat: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.SMBswat | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/Shorewall/Macros/macro.SMBswat b/Shorewall/Macros/macro.SMBswat index 3ae40abeb..101e1f504 100644 --- a/Shorewall/Macros/macro.SMBswat +++ b/Shorewall/Macros/macro.SMBswat 
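Review bot: macro.SMBBI no longer lists its own rules and now consists of `SMB` and `SMB DEST SOURCE`, so the ports it opens are whatever macro.SMB defines when the ruleset is compiled. An administrator who overrides macro.SMB, for example with a local copy in /etc/shorewall, will also change SMBBI in both directions, and the file gives no hint of that. The retained warning says the macro opens a lot of ports, so the dependency should be stated in the header, for example `# The rules come from macro.SMB, applied once in each direction.` It is also worth confirming that the nested call passes the invoking parameter through, since neither line names an action.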
@@ -1,12 +1,9 @@ # -# Shorewall - SMBswat Macro +# Shorewall -- /usr/share/shorewall/macro.SMBswat # -# /usr/share/shorewall/macro.SMBswat -# -# This macro handles connections to the Samba Web Administration Tool -# (SWAT). +# This macro handles connections to the Samba Web Administration Tool (SWAT). # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 901 From 48efde89cd721850117cedea44ef8b8dc953005c Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 105/141] macro.SMTP: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.SMTP | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/Shorewall/Macros/macro.SMTP b/Shorewall/Macros/macro.SMTP index f8a20336d..ad302acc4 100644 --- a/Shorewall/Macros/macro.SMTP +++ b/Shorewall/Macros/macro.SMTP 
@@ -1,19 +1,12 @@ # -# Shorewall - SMTP Macro +# Shorewall -- /usr/share/shorewall/macro.SMTP # -# /usr/share/shorewall/macro.SMTP -# -# This macro handles plaintext SMTP (email) traffic. For SMTP -# encrypted over SSL, use macro.SMTPS. Note that STARTTLS can be -# used over the standard STMP port, so the use of this macro -# doesn't necessarily imply the use of an insecure connection. -# -# Note: This macro handles traffic between an MUA (Email client) -# and an MTA (mail server) or between MTAs. It does not enable -# reading of email via POP3 or IMAP. For those you need to use -# the POP3 or IMAP macros. +# This macro handles SMTP (email) traffic. +# For deprecated SMTP encrypted over SSL (TLS), use macro.SMTPS. +# Note that STARTTLS can be used over the standard STMP port, so the use of +# this macro doesn't necessarily imply the use of an insecure connection. # ############################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/ -# PORT(S) PORT(S) DEST LIMIT GROUP +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER + PARAM - - tcp 25 From 11cf80ce98a2409626685f6c3a0ad0530546e032 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 18:20:39 +0200 Subject: [PATCH 106/141] macro.SMTPS: update macro header and description Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.SMTPS | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/Shorewall/Macros/macro.SMTPS b/Shorewall/Macros/macro.SMTPS index b0791b254..36c3215d1 100644 --- a/Shorewall/Macros/macro.SMTPS +++ b/Shorewall/Macros/macro.SMTPS 
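Review bot: The rewritten macro.SMTP description carries over the misspelling `STMP` in "the standard STMP port"; the line should read `# Note that STARTTLS can be used over the standard SMTP port, so the use of`. The hunk also deletes the note that this macro covers MUA-to-MTA and MTA-to-MTA traffic only and does not open POP3 or IMAP. That note told readers the scope of what port 25 exposes, so I would keep a one-line version such as `# It does not enable reading mail; see the POP3 and IMAP macros.`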
@@ -1,16 +1,10 @@
 #
-# Shorewall - SMTPS Macro
+# Shorewall -- /usr/share/shorewall/macro.SMTPS
 #
-# /usr/share/shorewall/macro.SMTPS
-#
-# This macro handles encrypted SMTPS (email) traffic.
-#
-# Note: This macro handles traffic between an MUA (Email client)
-# and an MTA (mail server) or between MTAs. It does not enable
-# reading of email via POP3 or IMAP. For those you need to use
-# the POP3(S) or IMAP(S) macros.
+# This macro handles legacy SMTP over SSL (TLS) traffic.
+# You should configure SMTP STARTTLS instead.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 465
From d72f0a1f41ba626916157d12b8736b50e3bb7e22 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:39 +0200
Subject: [PATCH 107/141] macro.SNMP: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.SNMP | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/Shorewall/Macros/macro.SNMP b/Shorewall/Macros/macro.SNMP
index 85653651c..8749c852f 100644
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -1,15 +1,11 @@
 #
-# Shorewall - SNMP Macro
+# Shorewall -- /usr/share/shorewall/macro.SNMP
 #
-# /usr/share/shorewall/macro.SNMP
-#
-# This macro handles SNMP traffic.
-#
-# Note: To allow SNMP Traps, use the SNMPTrap macro
+# This macro handles SNMP traffic.
+# Note: To allow SNMP Traps, use the SNMPTrap macro.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
 PARAM - - udp 161 { helper=snmp }
From d092044bdd79fad8ef79515db7ebae8b5811abfb Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:39 +0200
Subject: [PATCH 108/141] macro.SNMPTrap: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.SNMPTrap | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.SNMPTrap b/Shorewall/Macros/macro.SNMPTrap
index 2023ed3bc..83cce5b52 100644
--- a/Shorewall/Macros/macro.SNMPTrap
+++ b/Shorewall/Macros/macro.SNMPTrap
@@ -1,11 +1,9 @@
 #
-# Shorewall - SNMP Trap Macro
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# /usr/share/shorewall/macro.SNMPtrap
-#
-# This macro handles SNMP traps.
+# This macro handles SNMP traps.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - udp 162
From 687cd578eb13349da4a9d192b26d2f6606c01eba Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:39 +0200
Subject: [PATCH 109/141] macro.SPAMD: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.SPAMD | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.SPAMD b/Shorewall/Macros/macro.SPAMD
index b34c1ca07..dd779ff60 100644
--- a/Shorewall/Macros/macro.SPAMD
+++ b/Shorewall/Macros/macro.SPAMD
@@ -1,11 +1,9 @@
 #
-# Shorewall - SPAMD Macro
+# Shorewall -- /usr/share/shorewall/macro.SPAMD
 #
-# /usr/share/shorewall/macro.SPAMD
-#
-# This macro handles Spam Assassin SPAMD traffic.
+# This macro handles SpamAssassin SPAMD traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 783
From 864659b96e85e48d6038e426a0323bc0a18bf29a Mon Sep 17 00:00:00 2001
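Review bot: The new first line of macro.SNMPTrap, `# Shorewall - /usr/share/shorewall/macro.SNMPtrap`, uses a single dash where the other macros in this series use `--`, and it cases the path `SNMPtrap` while the file being patched is `macro.SNMPTrap`. On a case-sensitive filesystem the documented path does not exist, so anyone auditing which macro a rule expands to is pointed at the wrong name. Suggested line: `# Shorewall -- /usr/share/shorewall/macro.SNMPTrap`. The same casing drift is carried into patch 126, where `macro.Webcache` is documented as `macro.WebCache`.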
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:39 +0200
Subject: [PATCH 110/141] macro.Squid: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Squid | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.Squid b/Shorewall/Macros/macro.Squid
index 910440dc6..17b2e8778 100644
--- a/Shorewall/Macros/macro.Squid
+++ b/Shorewall/Macros/macro.Squid
@@ -1,11 +1,9 @@
 #
-# Shorewall - Squid Macro
+# Shorewall -- /usr/share/shorewall/macro.Squid
 #
-# /usr/share/shorewall/macro.Squid
-#
-# This macro handles Squid web proxy traffic
+# This macro handles Squid web proxy traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 3128
From 4f4ddd48097473d9db7b1ede58f64357768f27f5 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:39 +0200
Subject: [PATCH 111/141] macro.SSH: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.SSH | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.SSH b/Shorewall/Macros/macro.SSH
index ff888c19b..161d283d0 100644
--- a/Shorewall/Macros/macro.SSH
+++ b/Shorewall/Macros/macro.SSH
@@ -1,11 +1,9 @@
 #
-# Shorewall - SSH Macro
+# Shorewall -- /usr/share/shorewall/macro.SSH
 #
-# /usr/share/shorewall/macro.SSH
-#
-# This macro handles secure shell (SSH) traffic.
+# This macro handles secure shell (SSH) traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 22
From 078dfc38ee0410f8894461cfe401eb3900beee6e Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:39 +0200
Subject: [PATCH 112/141] macro.Submission: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Submission | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/Shorewall/Macros/macro.Submission b/Shorewall/Macros/macro.Submission
index 8e80a3dc7..c67c1f79b 100644
--- a/Shorewall/Macros/macro.Submission
+++ b/Shorewall/Macros/macro.Submission
@@ -1,11 +1,9 @@
 #
-# Shorewall - Submission Macro
+# Shorewall -- /usr/share/shorewall/macro.Submission
 #
-# /usr/share/shorewall/macro.Submission
-#
-# This macro handles mail message submission traffic.
+# This macro handles mail message submission (MSA) traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
-PARAM - - tcp 587
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
+MSA
From f36e204d4abb707fa95107b055694fcfe5ce0e08 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:39 +0200
Subject: [PATCH 113/141] macro.SVN: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.SVN | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/Shorewall/Macros/macro.SVN b/Shorewall/Macros/macro.SVN
index 1bf7d795f..0489f9261 100644
--- a/Shorewall/Macros/macro.SVN
+++ b/Shorewall/Macros/macro.SVN
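Review bot: The end of the macro.Submission hunk replaces the explicit rule `PARAM - - tcp 587` with a bare `MSA` invocation, a rule change carried under a subject that says only "update macro header and description". After this hunk the port opened by Submission is defined in macro.MSA, which is not part of this patch, so someone reading this file alone can no longer see what it permits; it is also worth confirming that the caller's action and any SOURCE/DEST from the rules file reach the nested macro the way they reached PARAM. I would state the change in the commit message and keep the port visible in the description, e.g. `# This macro handles mail message submission traffic by invoking macro.MSA` / `# (this file opened tcp 587 directly before).` Patch 125 does the same in macro.Web (`HTTP` and `HTTPS` replacing the tcp 80 and 443 rules), and patch 134 changes the macro.mDNS rule lines under the subject "update header".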
@@ -1,12 +1,9 @@
 #
-# Shorewall - SVN Macro
-#
-# /usr/share/shorewall/macro.SVN
-#
-# This macro handles connections to the Subversion server (svnserve).
+# Shorewall -- /usr/share/shorewall/macro.SVN
 #
+# This macro handles connections to the Subversion server (svnserve).
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 3690
From cdae111c8d57a1e9eb1bfeac372062d3e052c980 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:39 +0200
Subject: [PATCH 114/141] macro.Syslog: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Syslog | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.Syslog b/Shorewall/Macros/macro.Syslog
index f00e138f0..0aa9bcefe 100644
--- a/Shorewall/Macros/macro.Syslog
+++ b/Shorewall/Macros/macro.Syslog
@@ -1,12 +1,10 @@
 #
-# Shorewall - Syslog Macro
+# Shorewall -- /usr/share/shorewall/macro.Syslog
 #
-# /usr/share/shorewall/macro.Syslog
-#
-# This macro handles syslog traffic.
+# This macro handles syslog traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - udp 514
 PARAM - - tcp 514
From ae7d78d75fd0be59ff66500c449f2a03f7031bee Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 115/141] macro.Telnet: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Telnet | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/Shorewall/Macros/macro.Telnet b/Shorewall/Macros/macro.Telnet
index 055f4fc1c..8263cef17 100644
--- a/Shorewall/Macros/macro.Telnet
+++ b/Shorewall/Macros/macro.Telnet
@@ -1,12 +1,10 @@
 #
-# Shorewall - Telnet Macro
+# Shorewall -- /usr/share/shorewall/macro.Telnet
 #
-# /usr/share/shorewall/macro.Telnet
-#
-# This macro handles Telnet traffic. For traffic over the
-# internet, telnet is inappropriate; use SSH instead
+# This macro handles Telnet traffic.
+# For traffic over the internet, telnet is inappropriate; use SSH instead.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 23
From bc57fedac40a83fa706a43cf1f631a32d4663baf Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 116/141] macro.Telnets: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Telnets | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/Shorewall/Macros/macro.Telnets b/Shorewall/Macros/macro.Telnets
index 8fcdbc7ae..a66c26511 100644
--- a/Shorewall/Macros/macro.Telnets
+++ b/Shorewall/Macros/macro.Telnets
@@ -1,12 +1,10 @@
 #
-# Shorewall - Telnet Macro
+# Shorewall -- /usr/share/shorewall/macro.Telnets
 #
-# /usr/share/shorewall/macro.Telnets
-#
-# This macro handles Telnets (Telnet over SSL) traffic.
-# For traffic over the internet, SSH might be more practical.
+# This macro handles Telnet over SSL (TLS) traffic.
+# For traffic over the internet, SSH might be more practical.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDIST RATE USER
+
 PARAM - - tcp 992
From c285330f25614e02070e0b8304fb0a1603aa8950 Mon Sep 17 00:00:00 2001
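Review bot: The column header added to macro.Telnets reads `ORIGDIST`, while every other macro touched in this series uses `ORIGDEST`. The line is a comment, so it presumably does not affect rule generation, but it is the name a user is likely to copy when filling in that column, so it should be `#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER`. Patch 124 has a related inconsistency: the new macro.VRRP header stops at `RATE` and omits `USER`.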
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 117/141] macro.template: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.template | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)
diff --git a/Shorewall/Macros/macro.template b/Shorewall/Macros/macro.template
index 29c03c27a..a4a2a3494 100644
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -20,20 +20,17 @@
 #
 # /etc/shorewall/macro.FwdFTP:
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# # PORT(S) PORT(S) DEST LIMIT GROUP
+# #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
 # DNAT - - tcp 21
 #
 # /etc/shorewall/rules:
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# # PORT(S) PORT(S) DEST LIMIT GROUP
+# #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
 # FwdFTP net loc:192.168.1.5
 #
 # The result is equivalent to:
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# # PORT(S) PORT(S) DEST LIMIT GROUP
+# #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
 # DNAT net loc:192.168.1.5 tcp 21
 #
 # The substitution rules are as follows:
@@ -62,11 +59,10 @@
 # separator.
 #
 # Example: ###############################################
-# #ACTION SOURCE DEST PROTO DEST
-# # PORT(S)
-# macro.FTP File PARAM net loc tcp 21
-# rules File FTP/DNAT - 192.168.1.5
-# Result DNAT net loc:192.168.1.5 tcp 21
+# #ACTION SOURCE DEST PROTO DPORT
+# macro.FTP File PARAM net loc tcp 21
+# rules File FTP(DNAT) - 192.168.1.5
+# Result DNAT net loc:192.168.1.5 tcp 21
 #
 # Remaining Any value in the rules file REPLACES the value
 # columns given in the macro file.
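Review bot: The example in the second macro.template hunk now invokes the macro as `FTP(DNAT)`, but the ACTION column paragraph of the same file still describes only the slash form (`FOO/ACCEPT`, "followed by slash ("/") and a second name"), as the text shown in patch 133 confirms. A reader following the template cannot tell which syntax is current or whether both are accepted, and a rule written in the wrong form is a firewall rule that does not do what its author intended. Either update that paragraph to describe the parenthesised form or add one line under the example, such as `# (FTP/DNAT is the older spelling of FTP(DNAT))`, if that is in fact the case. The unfinished sentence `# You may also follow the` in that paragraph is carried through patch 133 unchanged and should be completed or removed.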
@@ -83,6 +79,5 @@
 #
 #######################################################################################################
 # DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
-# PORT PORT(S) DEST LIMIT GROUP
+##############################################################################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
From aee6f9faa2f9417a5e03d746c90acffa65358f56 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 118/141] macro.Teredo: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Teredo | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.Teredo b/Shorewall/Macros/macro.Teredo
index 7b175f4ba..168c4bbe0 100644
--- a/Shorewall/Macros/macro.Teredo
+++ b/Shorewall/Macros/macro.Teredo
@@ -1,11 +1,9 @@
 #
-# Shorewall - Teredo Macro
+# Shorewall -- /usr/share/shorewall/macro.Teredo
 #
-# /usr/share/shorewall/macro.Teredo
-#
-# This macro handles Teredo IPv6 over UDP tunneling traffic
+# This macro handles Teredo IPv6 over UDP tunneling traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - udp 3544
From a9e354cec83a1d364ae9d5c5ea335151de27c20f Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 119/141] macro.TFTP: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.TFTP | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/Shorewall/Macros/macro.TFTP b/Shorewall/Macros/macro.TFTP
index fc3fac37f..bdbf340d7 100644
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -1,15 +1,11 @@
 #
-# Shorewall - TFTP Macro
+# Shorewall -- /usr/share/shorewall/macro.TFTP
 #
-# /usr/share/shorewall/macro.TFTP
-#
-# This macro handles Trivial File Transfer Protocol (TFTP)
-# Because TFTP lacks all security you should not enable it over
-# Internet.
+# This macro handles Trivial File Transfer Protocol (TFTP)
+# Because TFTP lacks all security you should not enable it over Internet.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
 PARAM - - udp 69 { helper=tftp }
From a351431c62a1bec965e6da7513f8fae310e0bccd Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 120/141] macro.Time: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Time | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/Shorewall/Macros/macro.Time b/Shorewall/Macros/macro.Time
index 4de5f757e..c52f7247f 100644
--- a/Shorewall/Macros/macro.Time
+++ b/Shorewall/Macros/macro.Time
@@ -1,13 +1,11 @@
 #
-# Shorewall - Time Macro
+# Shorewall -- /usr/share/shorewall/macro.Time
 #
-# /usr/share/shorewall/macro.Time
-#
-# This macro handles rfc 868 Time protocol.
-# Unless you are supporting extremely old hardware or software,
-# you shouldn't be using this. NTP is a superior alternative.
+# This macro handles Time protocol (RFC868).
+# Unless you are supporting extremely old hardware or software,
+# you shouldn't be using this. NTP is a superior alternative.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 37
From f00f03eee3765f4468893f5db64c536eefcf9d71 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 121/141] macro.Trcrt: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Trcrt | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/Shorewall/Macros/macro.Trcrt b/Shorewall/Macros/macro.Trcrt
index 83cd5bd77..385022bfa 100644
--- a/Shorewall/Macros/macro.Trcrt
+++ b/Shorewall/Macros/macro.Trcrt
@@ -1,12 +1,10 @@
 #
-# Shorewall -Trcrt Macro
+# Shorewall -- /usr/share/shorewall/macro.Trcrt
 #
-# /usr/share/shorewall/macro.Trcrt
-#
-# This macro handles Traceroute (for up to 30 hops).
+# This macro handles ICMP and UDP Traceroute. (UDP for up to 30 hops).
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
-PARAM - - udp 33434:33524 # UDP Traceroute
-PARAM - - icmp 8 # ICMP Traceroute
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
+PARAM - - udp 33434:33524 # UDP Traceroute
+PARAM - - icmp 8 # ICMP Traceroute
From 6dcb1e28b42280d78fd8b6a9e7fbc308aeee8508 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 122/141] macro.VNC: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.VNC | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.VNC b/Shorewall/Macros/macro.VNC
index f8a549c07..9f80625cb 100644
--- a/Shorewall/Macros/macro.VNC
+++ b/Shorewall/Macros/macro.VNC
@@ -1,11 +1,9 @@
 #
-# Shorewall - VNC Macro
+# Shorewall -- /usr/share/shorewall/macro.VNC
 #
-# /usr/share/shorewall/macro.VNC
-#
-# This macro handles VNC traffic for VNC display's 0 - 9.
+# This macro handles VNC traffic for VNC display's 0 - 9.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 5900:5909
From d2422a1dea13c6aacd961bd39bfe853fc70bb0c3 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 123/141] macro.VNCL: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.VNCL | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/Shorewall/Macros/macro.VNCL b/Shorewall/Macros/macro.VNCL
index e69f6fe09..62fee0b36 100644
--- a/Shorewall/Macros/macro.VNCL
+++ b/Shorewall/Macros/macro.VNCL
@@ -1,12 +1,9 @@
 #
-# Shorewall -VNCL Macro
+# Shorewall -- /usr/share/shorewall/macro.VNCL
 #
-# /usr/share/shorewall/macro.VNCL
-#
-# This macro handles VNC traffic from Vncservers to Vncviewers in listen
-# mode.
+# This macro handles VNC traffic from Vncservers to Vncviewers in listen mode.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 5500
From 6535633fbbb6f8ef0a04c3275f25e75d4c068f13 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 124/141] macro.VRRP: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.VRRP | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.VRRP b/Shorewall/Macros/macro.VRRP
index c72b72fe5..09414cc1f 100644
--- a/Shorewall/Macros/macro.VRRP
+++ b/Shorewall/Macros/macro.VRRP
@@ -1,11 +1,9 @@
 #
-# Shorewall - VRRP Macro
+# Shorewall -- /usr/share/shorewall/macro.VRRP
 #
-# /usr/share/shorewall/macro.VRRP
-#
-# This macro handles VRRP traffic.
+# This macro handles Virtual Router Redundancy Protocol (VRRP) traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
+
 PARAM SOURCE DEST:224.0.0.18 vrrp
From d1d0dac9ce8f45cfd0c25ac6e778af7cace22130 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 125/141] macro.Web: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Web | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/Shorewall/Macros/macro.Web b/Shorewall/Macros/macro.Web
index 4240a1190..8df9db81c 100644
--- a/Shorewall/Macros/macro.Web
+++ b/Shorewall/Macros/macro.Web
@@ -1,14 +1,12 @@
 #
-# Shorewall - Web Macro
+# Shorewall -- /usr/share/shorewall/macro.Web
 #
-# /usr/share/shorewall/macro.Web
-#
-# This macro handles WWW traffic (secure and insecure). This
-# macro is deprecated - use of macro.HTTP and macro.HTTPS instead
-# is recommended.
+# This macro handles WWW traffic (secure and insecure).
+# This macro is deprecated - use of macro.HTTP and macro.HTTPS instead
+# is recommended.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
-PARAM - - tcp 80 # HTTP (plaintext)
-PARAM - - tcp 443 # HTTPS (over SSL)
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
+HTTP
+HTTPS
From 4ef0ebabbb76ac1ad7322f3498fec4f7b4329674 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 126/141] macro.Webcache: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Webcache | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.Webcache b/Shorewall/Macros/macro.Webcache
index f6f19732e..40a767cfd 100644
--- a/Shorewall/Macros/macro.Webcache
+++ b/Shorewall/Macros/macro.Webcache
@@ -1,11 +1,9 @@
 #
-# Shorewall - Web Cache Macro
+# Shorewall -- /usr/share/shorewall/macro.WebCache
 #
-# /usr/share/shorewall/macro.WebCache
-#
-# This macro handles Web Caches and Dan't Guardian
+# This macro handles Web Caches and Dansguardian traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 8080
From b2fa4219334cf641f0238cba69fa77e43c84d709 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 127/141] macro.Webmin: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Webmin | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.Webmin b/Shorewall/Macros/macro.Webmin
index fd06a02a0..ec94d816d 100644
--- a/Shorewall/Macros/macro.Webmin
+++ b/Shorewall/Macros/macro.Webmin
@@ -1,11 +1,9 @@
 #
-# Shorewall - Webmin Macro
+# Shorewall -- /usr/share/shorewall/macro.Webmin
 #
-# /usr/share/shorewall/macro.Webmin
-#
-# This macro handles Webmin traffic.
+# This macro handles Webmin traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 10000
From c2e8659ba5b6a8c245e08dacc4b2a82668ec919c Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 128/141] macro.Whois: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Whois | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.Whois b/Shorewall/Macros/macro.Whois
index 9314aaad0..2e46a1bcd 100644
--- a/Shorewall/Macros/macro.Whois
+++ b/Shorewall/Macros/macro.Whois
@@ -1,11 +1,9 @@
 #
-# Shorewall - Whois Macro
+# Shorewall -- /usr/share/shorewall/macro.Whois
 #
-# /usr/share/shorewall/macro.Whois
-#
-# This macro handles whois (nicname) traffic.
+# This macro handles whois (nicname) traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 43
From 4bfa419d4d7eeaadc8a3614b552d76c1576a8d3b Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 129/141] macro.Xymon: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Xymon | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.Xymon b/Shorewall/Macros/macro.Xymon
index 222b59462..218d4105e 100644
--- a/Shorewall/Macros/macro.Xymon
+++ b/Shorewall/Macros/macro.Xymon
@@ -1,11 +1,9 @@
 #
-# Shorewall - Xymon Macro
+# Shorewall -- /usr/share/shorewall/macro.Xymon
 #
-# /usr/share/shorewall/macro.Xymon
-#
-# This macro handles Xymon traffic.
+# This macro handles Xymon traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 1984
From a86f895ae66768226017786f25952c59df863e96 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:20:40 +0200
Subject: [PATCH 130/141] macro.Zabbix: update macro header and description
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Zabbix | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/Shorewall/Macros/macro.Zabbix b/Shorewall/Macros/macro.Zabbix
index 9fc88ab77..339a37e9d 100644
--- a/Shorewall/Macros/macro.Zabbix
+++ b/Shorewall/Macros/macro.Zabbix
@@ -1,13 +1,11 @@
 #
-# Shorewall - Zabbix Macro
+# Shorewall -- /usr/share/shorewall/macro.Zabbix
 #
-# /usr/share/shorewall/macro.Zabbix
-#
-# This macro handles Zabbix monitoring software server traffic to agent
-# and trap traffic from agent to zabbix server.
+# This macro handles Zabbix monitoring software traffic from server to agent
+# and trap traffic from agent to zabbix server.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - tcp 10050 # zabbix_agent
 PARAM DEST SOURCE tcp 10051 # zabbix_trap
From 6e41bc7e88ad060754c954eb08f568760a373c21 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:28:12 +0200
Subject: [PATCH 131/141] Submission: use common format for header
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Submission | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Macros/macro.Submission b/Shorewall/Macros/macro.Submission
index c67c1f79b..b7827687e 100644
--- a/Shorewall/Macros/macro.Submission
+++ b/Shorewall/Macros/macro.Submission
@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Submission
 #
-# This macro handles mail message submission (MSA) traffic.
+# This macro handles mail message submission (MSA) traffic.
 #
 ###############################################################################
 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
From 2c966d90f12b8a0bdfa0517433e4b5225a60ac0e Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:31:41 +0200
Subject: [PATCH 132/141] macro.Tinc: update header
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Tinc | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Macros/macro.Tinc b/Shorewall/Macros/macro.Tinc
index a1686271e..a343dd71e 100644
--- a/Shorewall/Macros/macro.Tinc
+++ b/Shorewall/Macros/macro.Tinc
@@ -1,12 +1,10 @@
 #
-# Shorewall - tinc Macro
+# Shorewall -- /usr/share/shorewall/macro.Tinc
 #
-# /usr/share/shorewall/macro.Tinc Macro
-#
-# This macro handles tinc traffic.
+# This macro handles tinc VPN traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
-# PORT(S) PORT(S) LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
+
 PARAM - - udp 655
 PARAM - - tcp 655
From 74cb2bea832af766ec6d733063bb9798301027bf Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 18:36:24 +0200
Subject: [PATCH 133/141] macro.template: update header for better screen fit
Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.template | 68 ++++++++++++++++-----------------
 1 file changed, 33 insertions(+), 35 deletions(-)
diff --git a/Shorewall/Macros/macro.template b/Shorewall/Macros/macro.template
index a4a2a3494..bfee93a93 100644
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -1,19 +1,17 @@
 #
-# Shorewall - Macro Template
-#
-# /usr/share/shorewall/macro.template
+# Shorewall --/usr/share/shorewall/macro.template
 #
 # Macro files are similar to action files with the following exceptions:
 #
-# - A macro file is not processed unless the marcro that it defines is
-# referenced in the /etc/shorewall/rules file or in an action
-# definition file.
+# - A macro file is not processed unless the marcro that it defines is
+# referenced in the /etc/shorewall/rules file or in an action
+# definition file.
 #
-# - Macros are translated directly into one or more rules whereas
-# actions become their own chain.
+# - Macros are translated directly into one or more rules whereas
+# actions become their own chain.
 #
-# - All entries in a macro undergo substitution when the macro is
-# invoked in the rules file.
+# - All entries in a macro undergo substitution when the macro is
+# invoked in the rules file.
 #
 # Columns are the same as in /etc/shorewall/rules.
 # A few examples should help show how Macros work.
@@ -35,37 +33,37 @@
 #
 # The substitution rules are as follows:
 #
-# ACTION column If in the invocation of the macro, the macro
-# name is followed by slash ("/") and a second
-# name, the second name is substituted for each
-# entry in the macro whose ACTION is PARAM
+# ACTION column If in the invocation of the macro, the macro
+# name is followed by slash ("/") and a second
+# name, the second name is substituted for each
+# entry in the macro whose ACTION is PARAM
 #
-# For example, if macro FOO is invoked as
-# FOO/ACCEPT then when expanding macro.FOO,
-# Shorewall will substitute ACCEPT in each
-# entry in macro.FOO whose ACTION column
-# contains PARAM. PARAM may be optionally
-# followed by a colon and a log level.
+# For example, if macro FOO is invoked as
+# FOO/ACCEPT then when expanding macro.FOO,
+# Shorewall will substitute ACCEPT in each
+# entry in macro.FOO whose ACTION column
+# contains PARAM. PARAM may be optionally
+# followed by a colon and a log level.
 #
-# You may also follow the
+# You may also follow the
 #
-# Any logging specified when the macro is
-# invoked is applied to each entry in the macros.
+# Any logging specified when the macro is
+# invoked is applied to each entry in the macros.
 #
-# SOURCE and DEST If the column in the macro is empty then the
-# columns value in the rules file is used. If the column
-# in the macro is non-empty then any value in
-# the rules file is appended with a ":"
-# separator.
+# SOURCE and DEST If the column in the macro is empty then the
+# columns value in the rules file is used. If the column
+# in the macro is non-empty then any value in
+# the rules file is appended with a ":"
+# separator.
#
-# Example: ###############################################
-# #ACTION SOURCE DEST PROTO DPORT
-# macro.FTP File PARAM net loc tcp 21
-# rules File FTP(DNAT) - 192.168.1.5
-# Result DNAT net loc:192.168.1.5 tcp 21
+# Example: #######################################################
+# #ACTION SOURCE DEST PROTO DPORT
+# macro.FTP File PARAM net loc tcp 21
+# rules File FTP(DNAT) - 192.168.1.5
+# Result DNAT net loc:192.168.1.5 tcp 21
 #
-# Remaining Any value in the rules file REPLACES the value
-# columns given in the macro file.
+# Remaining Any value in the rules file REPLACES the value
+# columns given in the macro file.
 #
 # Multiple parameters may be passed to a macro. Within this file, $1 refers
 # to the first parameter, $2 to the second an so on. $1 is a synonym for
From 62fab6e20d6d6f3f1c8b2fe66654e637e303e5f8 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 20:13:41 +0200
Subject: [PATCH 134/141] macro.mDNS: update header

Signed-off-by: Tuomo Soini
---
 Shorewall6/Macros/macro.mDNS | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/Shorewall6/Macros/macro.mDNS b/Shorewall6/Macros/macro.mDNS
index 73bcf30f6..73e4541f7 100644
--- a/Shorewall6/Macros/macro.mDNS
+++ b/Shorewall6/Macros/macro.mDNS
@@ -1,15 +1,13 @@
 #
-# Shorewall6 - Multicast DNS Macro
+# Shorewall6 -- /usr/share/shorewall6/macro.mDNS
 #
-# /usr/share/shorewall6/macro.mDNS
-#
-# This macro handles multicast DNS traffic.
+# This macro handles multicast DNS traffic.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE
-# PORT(S) PORT(S)
-PARAM - udp 5353
+#ACTION SOURCE DEST PROTO DPORT SPORT
+
+PARAM - [ff02::fb] udp 5353
 PARAM - - udp 32768: 5353
-PARAM - 2
-PARAM DEST SOURCE: udp 5353
-PARAM DEST SOURCE: 2
+PARAM - [ff02::fb] 2
+PARAM DEST SOURCE:[ff02::fb] udp 5353
+PARAM DEST SOURCE:[ff02::fb] 2
From 23baddab167abbcf292eb7cb106dd04a8822882b Mon Sep 17 00:00:00 2001
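Review bot: The subject says "update header", but the Shorewall6 `macro.mDNS` hunk also rewrites four rule lines: the address column now carries `[ff02::fb]`, where the removed lines as shown here have nothing in that position (`PARAM - udp 5353`, `SOURCE:`). If the old lines held the same address in another bracket style that was lost in rendering, this is only a notation change; if the column was really empty, the macro now matches different traffic than before. Either way the commit message should state that rule lines changed, so that someone auditing firewall behaviour does not skip this as a cosmetic commit.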
From: Tuomo Soini
Date: Mon, 15 Feb 2016 20:13:41 +0200
Subject: [PATCH 135/141] macro.Ping: update header

Signed-off-by: Tuomo Soini
---
 Shorewall6/Macros/macro.Ping | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/Shorewall6/Macros/macro.Ping b/Shorewall6/Macros/macro.Ping
index aef7ff0d3..32da212dc 100644
--- a/Shorewall6/Macros/macro.Ping
+++ b/Shorewall6/Macros/macro.Ping
@@ -1,11 +1,9 @@
 #
-# Shorewall6 - Ping Macro
+# Shorewall6 -- /usr/share/shorewall6/macro.Ping
 #
-# /usr/share/shorewall6/macro.Ping
-#
-# This macro handles 'ping' requests.
+# This macro handles 'ping' requests.
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
+
 PARAM - - ipv6-icmp 128
From 453244fe9595b0391503d6f262d84676f3faf631 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 20:13:41 +0200
Subject: [PATCH 136/141] macro.Trcrt: update header

Signed-off-by: Tuomo Soini
---
 Shorewall6/Macros/macro.Trcrt | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/Shorewall6/Macros/macro.Trcrt b/Shorewall6/Macros/macro.Trcrt
index 9141e4443..696d2c764 100644
--- a/Shorewall6/Macros/macro.Trcrt
+++ b/Shorewall6/Macros/macro.Trcrt
@@ -1,12 +1,10 @@
 #
-# Shorewall6 - Trcrt Macro
+# Shorewall6 -- /usr/share/shorewall6/macro.Trcrt
 #
-# /usr/share/shorewall6/macro.Trcrt
-#
-# This macro handles Traceroute (for up to 30 hops).
+# This macro handles ICMP and UDP Traceroute (UDP for up to 30 hops).
 #
 ###############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
-# PORT(S) PORT(S) DEST LIMIT GROUP
-PARAM - - udp 33434:33524 # UDP Traceroute
-PARAM - - ipv6-icmp 128 # ICMP Traceroute
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE
+
+PARAM - - udp 33434:33524 # UDP Traceroute
+PARAM - - ipv6-icmp 128 # ICMP Traceroute
From c78e7635c1aa139c57e47dc9c8322083f4f6e8a9 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 20:16:14 +0200
Subject: [PATCH 137/141] macro.Trcrt: Remove extra "."

Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Trcrt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall/Macros/macro.Trcrt b/Shorewall/Macros/macro.Trcrt
index 385022bfa..a37082366 100644
--- a/Shorewall/Macros/macro.Trcrt
+++ b/Shorewall/Macros/macro.Trcrt
@@ -1,7 +1,7 @@
 #
 # Shorewall -- /usr/share/shorewall/macro.Trcrt
 #
-# This macro handles ICMP and UDP Traceroute. (UDP for up to 30 hops).
+# This macro handles ICMP and UDP Traceroute (UDP for up to 30 hops).
 #
 ###############################################################################
 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
From 5c7cba676ba3af98afc1dbe6b679655deb89ea92 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 20:17:24 +0200
Subject: [PATCH 138/141] macro.Mail: use new MSA macro

Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Mail | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Macros/macro.Mail b/Shorewall/Macros/macro.Mail
index 078c08c6a..4a4994da9 100644
--- a/Shorewall/Macros/macro.Mail
+++ b/Shorewall/Macros/macro.Mail
@@ -2,7 +2,7 @@ # Shorewall -- /usr/share/shorewall/macro.Mail # # This macro handles SMTP (email secure and insecure) traffic. -# It's the aggregate of macro.SMTP, macro.SMTPS, macro.Submission. +# It's the aggregate of macro.SMTP, macro.SMTPS, macro.MSA. # # Note: This macro handles traffic between an MUA (Email client) # and an MTA (mail server) or between MTAs. It does not enable @@ -14,4 +14,4 @@ SMTP SMTPS -Submission +MSA From ea716796314c2d60868f773381568f95beec180a Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 21:06:40 +0200 Subject: [PATCH 139/141] macro.JAP: fix comment text to work properly for "shorewall show macros" Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.JAP | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Shorewall/Macros/macro.JAP b/Shorewall/Macros/macro.JAP index 48b516b00..a46c955cb 100644 --- a/Shorewall/Macros/macro.JAP +++ b/Shorewall/Macros/macro.JAP @@ -2,8 +2,7 @@ # Shorewall -- /usr/share/shorewall/macro.JAP # # This macro handles JAP Anon Proxy Mix server traffic. -# This macro is for administrators running a Mix server. It is NOT for people -# trying to browse anonymously! +# It is NOT for people trying to browse anonymously! # ############################################################################### #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER @@ -11,5 +10,5 @@ PARAM - - tcp 8080 # HTTP port PARAM - - tcp 6544 # HTTP port PARAM - - tcp 6543 # InfoService port -HTTPS(PARAM) -SSH(PARAM) +HTTPS +SSH From 4e4f54a6cdf34e6c0c6a4f944aa599f1a387e192 Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Mon, 15 Feb 2016 21:09:25 +0200 Subject: [PATCH 140/141] macro.MDNS: fix header to show only one line in "shorewall show macros" Signed-off-by: Tuomo Soini --- Shorewall/Macros/macro.mDNS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Shorewall/Macros/macro.mDNS b/Shorewall/Macros/macro.mDNS index c45350052..66cf90a61 100644 
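Review bot: `macro.Mail` now invokes `MSA` instead of `Submission` in the `@@ -14,4 +14,4 @@` hunk, but nothing visible in this part of the series adds `macro.MSA`, and patch 131 is still editing `macro.Submission`. If `macro.MSA` is missing when the ruleset is compiled, or opens a different set of ports than `Submission` did, every rule that uses `Mail` breaks or changes what it allows. Please confirm that `macro.MSA` lands earlier in the series and covers the same submission traffic. If `macro.Submission` is kept only for compatibility, a header comment there such as `# Deprecated - use macro.MSA` would tell users which of the two to pick.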
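Review bot: The `@@ -11,5 +10,5 @@` hunk of `macro.JAP` replaces `HTTPS(PARAM)` and `SSH(PARAM)` with bare `HTTPS` and `SSH`, a rule change that the subject (a comment fix for `shorewall show macros`) does not mention. Whether a nested macro invoked without a parameter still receives the caller's action is not visible here; `macro.Mail` in this series uses bare names, so it probably does, but if it does not, the action given to `JAP` would no longer reach the HTTPS and SSH rules. Please state the intended semantics in the commit message or split the rule change into its own commit. The shortened header also drops the sentence saying the macro is for administrators running a Mix server, which was the only hint that invoking it opens SSH too; a line such as `# Also applies the HTTPS and SSH macros.` would keep that visible.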
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -2,7 +2,7 @@
 # Shorewall -- /usr/share/shorewall/macro.mDNS
 #
 # This macro handles multicast DNS traffic from DEST zone.
-# This macro assumes that only the DEST zone sends mDNS queries.
+# It assumes that only the DEST zone sends mDNS queries.
 # If both zones send queries, use the mDNSbi macro.
 #
 ###############################################################################
From 32cd6eaa8a2276a3d8a21c1131adcb9d6d61d1a3 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Mon, 15 Feb 2016 21:12:57 +0200
Subject: [PATCH 141/141] macro.Web: remove duplicate "This macro"

Signed-off-by: Tuomo Soini
---
 Shorewall/Macros/macro.Web | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Shorewall/Macros/macro.Web b/Shorewall/Macros/macro.Web
index 8df9db81c..99dd82b7f 100644
--- a/Shorewall/Macros/macro.Web
+++ b/Shorewall/Macros/macro.Web
@@ -2,8 +2,7 @@
 # Shorewall -- /usr/share/shorewall/macro.Web
 #
 # This macro handles WWW traffic (secure and insecure).
-# This macro is deprecated - use of macro.HTTP and macro.HTTPS instead
-# is recommended.
+# You should use macro.HTTP and macro.HTTPS instead.
 #
 ###############################################################################
 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER