forked from extern/shorewall_code
Merge branch '4.6.6'
commit 5d110616a5
@ -660,8 +660,8 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.6.6.</para>
|
<para>Added in Shorewall 4.6.6.</para>
|
||||||
|
|
||||||
<para> TARPIT captures and holds incoming TCP connections
|
<para>TARPIT captures and holds incoming TCP connections using
|
||||||
using no local per-connection resources.</para>
|
no local per-connection resources.</para>
|
||||||
|
|
||||||
<para>TARPIT only works with the PROTO column set to tcp (6),
|
<para>TARPIT only works with the PROTO column set to tcp (6),
|
||||||
and is totally application agnostic. This module will answer a
|
and is totally application agnostic. This module will answer a
|
||||||
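Review bot: whitespace-only reflow of the TARPIT paragraph; the stray space after `<para>` before "TARPIT" is dropped and "using" moves up to the first line, so the rendered sentence ("TARPIT captures and holds incoming TCP connections using no local per-connection resources.") is unchanged. Nothing to fix.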
@ -715,7 +715,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This mode is handy because we can send an inline
|
<para>This mode is handy because we can send an inline
|
||||||
RST (reset). It has no other function. </para>
|
RST (reset). It has no other function.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
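Review bot: trailing-space removal only (`It has no other function. </para>` becomes `It has no other function.</para>`); no wording change, fine to merge as-is.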
@ -856,7 +856,10 @@
|
|||||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
When there are nested zones, <emphasis role="bold">any</emphasis>
|
||||||
only refers to top-level zones (those with no parent zones). Note
|
only refers to top-level zones (those with no parent zones). Note
|
||||||
that <emphasis role="bold">any</emphasis> excludes all vserver
|
that <emphasis role="bold">any</emphasis> excludes all vserver
|
||||||
zones, since those zones are nested within the firewall zone.</para>
|
zones, since those zones are nested within the firewall zone.
|
||||||
|
Beginning with Shorewall 4.4.13, exclusion is supported with
|
||||||
|
<emphasis role="bold">any</emphasis> -- see see <ulink
|
||||||
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||||
|
|
||||||
<para>Hosts may also be specified as an IP address range using the
|
<para>Hosts may also be specified as an IP address range using the
|
||||||
syntax
|
syntax
|
||||||
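Review bot: the added sentence reads "exclusion is supported with any -- see see <ulink", with "see" doubled; drop one so the line reads `<emphasis role="bold">any</emphasis> -- see <ulink`. The 4.4.13 version note and the `/manpages/shorewall-exclusion.html` link match the path used elsewhere in this file, which is correct for the IPv4 manpage.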
@ -962,15 +965,25 @@
|
|||||||
(Shorewall 4.4.17 and later).</para>
|
(Shorewall 4.4.17 and later).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>loc,dmz</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Both the <emphasis role="bold">loc</emphasis> and
|
||||||
|
<emphasis role="bold">dmz</emphasis> zones.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term></term>
|
<term>all!dmz</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para></para>
|
<para>All but the <emphasis role="bold">dmz</emphasis>
|
||||||
|
zone.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
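Review bot: the previously empty `<varlistentry>` (`<term></term>` / `<para></para>`) sat after `</variablelist>`, outside the examples list; this hunk fills it in as the `all!dmz` entry and moves `</variablelist>` below it, so the nesting is fixed along with the content. One suggestion: the entry just above is qualified "(Shorewall 4.4.17 and later)", and the exclusion paragraph added later in this diff says exclusion is supported "Beginning with Shorewall 4.4.13", so the new entry should carry the matching qualifier, e.g. `<para>All but the <emphasis role="bold">dmz</emphasis> zone (Shorewall 4.4.13 and later).</para>`. The `loc,dmz` entry is fine as written.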
@ -1017,6 +1030,35 @@
|
|||||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||||
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">all</emphasis> means "All Zones",
|
||||||
|
including the firewall itself. <emphasis role="bold">all-</emphasis>
|
||||||
|
means "All Zones, except the firewall itself". When <emphasis
|
||||||
|
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
|
||||||
|
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
||||||
|
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
||||||
|
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
||||||
|
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
||||||
|
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
||||||
|
<ulink
|
||||||
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||||
|
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||||
|
When there are nested zones, <emphasis role="bold">any</emphasis>
|
||||||
|
only refers to top-level zones (those with no parent zones). Note
|
||||||
|
that <emphasis role="bold">any</emphasis> excludes all vserver
|
||||||
|
zones, since those zones are nested within the firewall zone.</para>
|
||||||
|
|
||||||
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||||
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
||||||
|
<emphasis role="bold">any</emphasis>[<emphasis
|
||||||
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
||||||
|
specified, clients may be further restricted to a list of networks
|
||||||
|
and/or hosts by appending ":" and a comma-separated list of network
|
||||||
|
and/or host addresses. Hosts may be specified by IP or MAC address;
|
||||||
|
mac addresses must begin with "~" and must use "-" as a
|
||||||
|
separator.</para>
|
||||||
|
|
||||||
<para>When <emphasis role="bold">all</emphasis> is used either in
|
<para>When <emphasis role="bold">all</emphasis> is used either in
|
||||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||||
role="bold">DEST</emphasis> column intra-zone traffic is not
|
role="bold">DEST</emphasis> column intra-zone traffic is not
|
||||||
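Review bot: three text defects in the added paragraphs. First, `role="bold">-</emphasis>] is "used, intra-zone traffic is affected.` has a stray double quote before "used" and should read `] is used, intra-zone traffic is affected.`. Second, "see see" is doubled again before the `<ulink`. Third, the link points at `/manpages6/shorewall6-exclusion.html` (shorewall6-exclusion) while every other hunk in this file links `/manpages/shorewall-exclusion.html`; this looks copied from the IPv6 manpage and should be the IPv4 link. Also, the unchanged paragraph in the trailing context ("When all is used either in the SOURCE or DEST column intra-zone traffic is not ...") now repeats what the new `all`/`all-`/`all+` paragraph already states; consider dropping it. Minor: "mac addresses" should be "MAC addresses".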
@ -1025,11 +1067,6 @@
|
|||||||
exclusion is supported -- see see <ulink
|
exclusion is supported -- see see <ulink
|
||||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||||
|
|
||||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
|
||||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
|
||||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
|
||||||
only refers to top-level zones (those with no parent zones).</para>
|
|
||||||
|
|
||||||
<para>The <replaceable>zone</replaceable> should be omitted in
|
<para>The <replaceable>zone</replaceable> should be omitted in
|
||||||
DNAT-, REDIRECT- and NONAT rules.</para>
|
DNAT-, REDIRECT- and NONAT rules.</para>
|
||||||
|
|
||||||
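Review bot: removing the older `any` paragraph is right, since the version added earlier in this file carries the extra vserver note; but the `all` paragraph whose tail is visible in the context here ("exclusion is supported -- see see <ulink ... shorewall-exclusion(5)") is kept, and it now duplicates the new `all`/`all-`/`all+` paragraph, including the same doubled "see see". Either remove this older paragraph as well or merge the two; at minimum fix the doubled "see".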
@ -1050,7 +1087,8 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist></para>
|
</orderedlist></para>
|
||||||
|
|
||||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
<para>Except when <emphasis
|
||||||
|
role="bold">{all|any}</emphasis>[<emphasis
|
||||||
role="bold">+]|[-</emphasis>] is specified, the server may be
|
role="bold">+]|[-</emphasis>] is specified, the server may be
|
||||||
further restricted to a particular network, host or interface by
|
further restricted to a particular network, host or interface by
|
||||||
appending ":" and the network, host or interface. See <emphasis
|
appending ":" and the network, host or interface. See <emphasis
|
||||||
|
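Review bot: the new `<emphasis role="bold">{all|any}</emphasis>[<emphasis role="bold">+]|[-</emphasis>]` renders as `{all|any}[+]|[-]`, which mixes brace alternation with a bracket form different from the `all[+][-] or any[+][-]` wording used for the SOURCE column earlier in this diff. Suggest the same markup here, `<emphasis role="bold">all</emphasis>[<emphasis role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or <emphasis role="bold">any</emphasis>[<emphasis role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>]`, so both columns document the modifiers identically. The `+]|[-` kept inside one `<emphasis>` also bolds the brackets, which the SOURCE text keeps outside the emphasis.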
@ -791,6 +791,13 @@
|
|||||||
<ulink
|
<ulink
|
||||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||||
|
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||||
|
When there are nested zones, <emphasis role="bold">any</emphasis>
|
||||||
|
only refers to top-level zones (those with no parent zones). Note
|
||||||
|
that <emphasis role="bold">any</emphasis> excludes all vserver
|
||||||
|
zones, since those zones are nested within the firewall zone.</para>
|
||||||
|
|
||||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
||||||
<emphasis role="bold">any</emphasis>[<emphasis
|
<emphasis role="bold">any</emphasis>[<emphasis
|
||||||
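Review bot: the line numbers restart at `@ -791`, so this hunk belongs to a second file, the one whose exclusion link is `/manpages6/shorewall6-exclusion.html` (shorewall6). The inserted `any` paragraph, including the vserver note, is word for word the paragraph removed by the following hunk, so this is a move to before "Except when all[+][-] or any[+][-] is specified", matching the order now used in the IPv4 file. No wording issue.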
@ -801,13 +808,6 @@
|
|||||||
mac addresses must begin with "~" and must use "-" as a
|
mac addresses must begin with "~" and must use "-" as a
|
||||||
separator.</para>
|
separator.</para>
|
||||||
|
|
||||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
|
||||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
|
||||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
|
||||||
only refers to top-level zones (those with no parent zones). Note
|
|
||||||
that <emphasis role="bold">any</emphasis> excludes all vserver
|
|
||||||
zones, since those zones are nested within the firewall zone.</para>
|
|
||||||
|
|
||||||
<para>Hosts may also be specified as an IP address range using the
|
<para>Hosts may also be specified as an IP address range using the
|
||||||
syntax
|
syntax
|
||||||
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
||||||
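Review bot: the removed block matches the paragraph added at `@ -791,6 +791,13 @@` verbatim, so no text is lost by this hunk, and the trailing context ("Hosts may also be specified as an IP address range using the syntax lowaddress-highaddress") is untouched. Fine to merge.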