From a2b8069ee39b4cfd2735192a696bca61217671a0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 24 Jan 2015 18:15:10 -0800 Subject: [PATCH] Clarify Zone exclusion Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-rules.xml | 74 ++++++++++++++++++------ Shorewall6/manpages/shorewall6-rules.xml | 14 ++--- 2 files changed, 63 insertions(+), 25 deletions(-) diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index bfb3e7464..8ecb34f5b 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -660,8 +660,8 @@ Added in Shorewall 4.6.6. - TARPIT captures and holds incoming TCP connections - using no local per-connection resources. + TARPIT captures and holds incoming TCP connections using + no local per-connection resources. TARPIT only works with the PROTO column set to tcp (6), and is totally application agnostic. This module will answer a @@ -715,7 +715,7 @@ This mode is handy because we can send an inline - RST (reset). It has no other function. + RST (reset). It has no other function. @@ -856,7 +856,10 @@ When there are nested zones, any only refers to top-level zones (those with no parent zones). Note that any excludes all vserver - zones, since those zones are nested within the firewall zone. + zones, since those zones are nested within the firewall zone. + Beginning with Shorewall 4.4.13, exclusion is supported with + any -- see see shorewall-exclusion(5). Hosts may also be specified as an IP address range using the syntax 
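Review bot: the sentence added at the end of the @@ -856,7 +856,10 @@ hunk carries a duplicated word, "exclusion is supported with any -- see see shorewall-exclusion(5)"; drop the second "see" before this lands, since the same "see see" already exists in the unchanged paragraph further down (visible as context in the @@ -1025 hunk) and this patch is the natural place to fix both. The same hunk's claim that any excludes all vserver zones is left as-is, which is consistent with the text being moved in the later hunks.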
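Review bot: the @@ -660,8 +660,8 @@ hunk (and likewise @@ -715,7 +715,7 @@) is a whitespace-only reflow of the TARPIT and RST paragraphs with no wording change; mixing cosmetic reflows into a commit titled "Clarify Zone exclusion" makes the substantive change harder to review and to cherry-pick, so either split the reflow into its own commit or drop it here.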
@@ -962,18 +965,28 @@ (Shorewall 4.4.17 and later). + + + loc,dmz + + + Both the loc and + dmz zones. + + + + + all!dmz + + + All but the dmz + zone. + + - - - - - - - - DEST - {zone|zone-list[+]|{SOURCE or DEST column, the rule is ignored. + all means "All Zones", + including the firewall itself. all- + means "All Zones, except the firewall itself". When all[-] is + used either in the SOURCE or + DEST column intra-zone traffic is + not affected. When all+[-] is "used, intra-zone traffic is affected. + Beginning with Shorewall 4.4.13, exclusion is supported -- see see + shorewall6-exclusion(5). + + any is equivalent to + all when there are no nested zones. + When there are nested zones, any + only refers to top-level zones (those with no parent zones). Note + that any excludes all vserver + zones, since those zones are nested within the firewall zone. + + Except when all[+][-] or + any[+][-] is + specified, clients may be further restricted to a list of networks + and/or hosts by appending ":" and a comma-separated list of network + and/or host addresses. Hosts may be specified by IP or MAC address; + mac addresses must begin with "~" and must use "-" as a + separator. + When all is used either in the SOURCE or DEST column intra-zone traffic is not @@ -1025,11 +1067,6 @@ exclusion is supported -- see see shorewall-exclusion(5). - any is equivalent to - all when there are no nested zones. - When there are nested zones, any - only refers to top-level zones (those with no parent zones). - The zone should be omitted in DNAT-, REDIRECT- and NONAT rules. 
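Review bot: the new paragraph in the @@ -962,18 +965,28 @@ hunk ends with "Beginning with Shorewall 4.4.13, exclusion is supported -- see see shorewall6-exclusion(5)", but this file is Shorewall/manpages/shorewall-rules.xml, the IPv4 manpage; the cross-reference should be shorewall-exclusion(5), as the @@ -856 hunk in the same file already uses, and the repeated "see see" should be reduced to one. Two smaller points in the same block: the line 'When all+[-] is "used, intra-zone traffic is affected' has a stray double quote before "used", and the added paragraph restates the unchanged paragraph that immediately follows it in context ("When all is used either in the SOURCE or DEST column intra-zone traffic is not ... exclusion is supported"), so one of the two should go; the @@ -1025,11 +1067,6 @@ hunk removes only the relocated "any is equivalent to all" text, leaving the duplicate in place.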
@@ -1050,7 +1087,8 @@ - Except when all[Except when {all|any}[+]|[-] is specified, the server may be further restricted to a particular network, host or interface by appending ":" and the network, host or interface. See shorewall6-exclusion(5). + any is equivalent to + all when there are no nested zones. + When there are nested zones, any + only refers to top-level zones (those with no parent zones). Note + that any excludes all vserver + zones, since those zones are nested within the firewall zone. + Except when all[+][-] or any[ - any is equivalent to - all when there are no nested zones. - When there are nested zones, any - only refers to top-level zones (those with no parent zones). Note - that any excludes all vserver - zones, since those zones are nested within the firewall zone. - Hosts may also be specified as an IP address range using the syntax lowaddress-highaddress.
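Review bot: the replacement line in the @@ -1050,7 +1087,8 @@ hunk, "Except when {all|any}[+]|[-] is specified ... See shorewall6-exclusion(5).", again points the IPv4 manpage at the IPv6 exclusion page; it should cite shorewall-exclusion(5). The bracket notation is also inconsistent with the wording this same patch introduces in the SOURCE description, "all[+][-] or any[+][-]": "[+]|[-]" reads as "either + or -, not both", while "[+][-]" allows both suffixes together, so pick one form and use it in both columns so readers are not left guessing whether all+- is valid in DEST.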