Recognize IPv4 Addresses embedded in the IPv6 address space

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8994 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-12-11 19:24:34 +00:00
parent b75b9693b0
commit 71e7eb26f6
14 changed files with 332 additions and 854 deletions

View File

@ -1,3 +1,11 @@
Changes in Shorewall 4.3.1
1) Allow addresses in rules to be enclosed in square brackets.
2) Fix parsing of 6 hosts file.
3) Don't require Socket6 unless doing IPv6 DNS name resolution.
Changes in Shorewall 4.3.0 Changes in Shorewall 4.3.0
1) Verify User/Group names. 1) Verify User/Group names.
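Review bot: entry 2, "Fix parsing of 6 hosts file.", reads like a typo and will not be greppable; the release notes in this same commit describe the fix as "Shorewall6 parsing of the hosts file HOSTS column has been corrected", so write it as "Fix parsing of the HOSTS column in the Shorewall6 hosts file".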
@ -21,43 +29,3 @@ Changes in Shorewall 4.3.0
10) IPv6 Alpha release. 10) IPv6 Alpha release.
Changes in Shorewall 4.2.2
1) Insure that lines copied from a user file are newline-terminated.
2) Added macro.JAP.
3) Added macro.DAAP.
4) Added macro.DCC.
5) Added macro.GNUnet.
6) Prevent invalid rules when KLUDGEFREE is not set.
7) Separated detection of old conntrack syntax from new conntrack
feature detection.
8) Fix nonat rules with destination IP address.
9) Correct NEW_CONNTRACK_MATCH with server port but no dest port.
Changes in Shorewall 4.2.1
1) Added CONNBYTES to tcrules manpage. Flesh out description of HELPER.
2) Fixed minor CONNBYTES editing issue.
3) Add CONNLIMIT to policy and rules.
4) Allow use of iptables-1.4.1.
5) Add time match support.
6) Applied Lennart Sorensen's patch for length match.
7) Take advantage of --ctorigdstport
8) Fix syntax error in 'export'
Initial release of Shorewall 4.2.0.

View File

@ -1,13 +1,33 @@
Shorewall 4.3.0 Shorewall 4.3.1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E 4 . 3 H I G H L I G H T S R E L E A S E 4 . 3 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Support is included for IPv6. 1) Support is included for IPv6.
Problems Corrected in 4.3.1
1) Shorewall6 parsing of the hosts file HOSTS column has been
corrected.
Other changes in 4.3.1
1) It is now permitted to enclose addresses in [] even when an
interface name is not specified.
Example:
ACCEPT net:[2001:1::1] $FW
2) The Socket6 perl module is only required now if DNS names appear in
your Shorewall6 configuration files.
3) Shorewall6 now recognizes IPv4 addresses embedded in the IPv6
address space (e.g., ::ffff:192.168.1.3).
Migration Issues. Migration Issues.
None. None.
New Features in Shorewall 4.3 New Features in Shorewall 4.3
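Review bot: item 3 names the accepted form only by example (::ffff:192.168.1.3); since the only code touched for it is valid_6address, state whether the embedded-IPv4 form is accepted purely as a host address or also with a prefix length or in an address range, so users know what the parser will and will not take.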
@ -59,13 +79,31 @@ New Features in Shorewall 4.3
marking and connection marking are available to feed your current marking and connection marking are available to feed your current
traffic shaping defined in Shorewall. traffic shaping defined in Shorewall.
f) When both an interface and an IPv6 address or address list need to f) When both an interface and an address or address list need to
be specified in a rule, the address or list must be enclosed in be specified in a rule, the address or list must be enclosed in
square brackets. Example: square brackets. Example:
ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz
Note that this includes MAC addresses as well as IPv6 addresses.
The HOSTS column in /etc/shorewall6/hosts also uses this
convention:
#ZONE HOSTS OPTIONS
chat6 eth0:[2001:19f0:feee::dead:beef:cafe]
g) There are currently no Shorewall6 or Shorewall6-lite manpages. g) There are currently no Shorewall6 or Shorewall6-lite manpages.
h) The options available in shorewall6.conf are a subset of those h) The options available in shorewall6.conf are a subset of those
available in shorewall.conf. available in shorewall.conf.
i) The Socket6.pm Perl module is required if you include DNS names
in your Shorewall6 configuration. Note that it is loaded the
first time that a DNS name is encountered so if it is missing,
you get a message similar to this one:
...
Checking /etc/shorewall6/rules...
Can't locate Socket6.pm in @INC (@INC contains: /root ...
teastep@ursa:~/Configs/standalone6$
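Review bot: item i) ends with a pasted shell prompt line ("teastep@ursa:~/Configs/standalone6$") that is terminal residue, not part of the note; drop it. The item also quotes the failure message but never tells the reader the remedy, so close with a sentence saying that installing the Socket6 Perl module (or removing DNS names from the configuration) resolves it.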

View File

@ -480,11 +480,20 @@ sub valid_6address( $ ) {
my $address = $_[0]; my $address = $_[0];
my @address = split /:/, $address; my @address = split /:/, $address;
my $max;
return 0 if @address > 8; if ( $address[-1] && $address[-1] =~ /^\d+\.\d+\.\d+\.\d+$/ ) {
return 0 if @address < 8 && ! $address =~ /::/; return 0 unless valid_4address pop @address;
return 0 if $address =~ /:::/ || $address =~ /::.*::/; $max = 6;
$address = join ':', @address;
} else {
$max = 8;
}
return 0 if @address > $max;
return 0 if @address < $max && ! $address =~ /::/;
return 0 if $address =~ /:::/ || $address =~ /::.*::/;
if ( $address =~ /^:/ ) { if ( $address =~ /^:/ ) {
unless ( $address eq '::' ) { unless ( $address eq '::' ) {
return 0 if $address =~ /:$/ || $address =~ /^:.*::/; return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
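Review bot: the new line `return 0 if @address < $max && ! $address =~ /::/;` carries over a precedence bug from the line it replaces: `!` binds tighter than `=~`, so this parses as `(!$address) =~ /::/`, which is always false for a non-empty string, and the "too few groups without ::" rejection never fires. Write it as `return 0 if @address < $max && $address !~ /::/;`. Also, the embedded-IPv4 branch pops the last field only after a bare dotted-quad match, so a trailing prefix length on that field (e.g. a /96) falls through to the 8-group path; if the caller is expected to strip the prefix first, say so in a comment above the branch.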
@ -506,8 +515,8 @@ sub validate_6address( $$ ) {
my @addrs = ( $addr ); my @addrs = ( $addr );
unless ( valid_6address $addr ) { unless ( valid_6address $addr ) {
require Socket6;
fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name; fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name;
require Socket6;
fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::gethostbyname2( $addr, Socket6::AF_INET6())); fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::gethostbyname2( $addr, Socket6::AF_INET6()));
if ( defined wantarray ) { if ( defined wantarray ) {
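Review bot: moving `require Socket6;` below the `$allow_name` check is right, but a bare `require` still dies with Perl's own "Can't locate Socket6.pm in @INC" text (the very message the release notes have to explain). Wrap it, e.g. `eval { require Socket6; 1 } or fatal_error "Socket6 is required to resolve DNS name ($addr)";`, so the user gets a diagnostic that names both the missing module and the DNS name that triggered it.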

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-accounting</refentrytitle> <refentrytitle>shorewall6-accounting</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -9,12 +11,12 @@
<refnamediv> <refnamediv>
<refname>accounting</refname> <refname>accounting</refname>
<refpurpose>Shorewall Accounting file</refpurpose> <refpurpose>Shorewall6 Accounting file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/accounting</command> <command>/etc/shorewall6/accounting</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -23,7 +25,7 @@
<para>Accounting rules exist simply to count packets and bytes in <para>Accounting rules exist simply to count packets and bytes in
categories that you define in this file. You may display these rules and categories that you define in this file. You may display these rules and
their packet and byte counters using the <command>shorewall show their packet and byte counters using the <command>shorewall6 show
accounting</command> command.</para> accounting</command> command.</para>
<para>The columns in the file are as follows.</para> <para>The columns in the file are as follows.</para>
@ -65,7 +67,7 @@
<listitem> <listitem>
<para>Where <emphasis>chain</emphasis> is the name of a chain; <para>Where <emphasis>chain</emphasis> is the name of a chain;
Shorewall will create the chain automatically if it doesn't shorewall6 will create the chain automatically if it doesn't
already exist. Causes a jump to that chain to be added to the already exist. Causes a jump to that chain to be added to the
chain specified in the CHAIN column. If <emphasis chain specified in the CHAIN column. If <emphasis
role="bold">:COUNT</emphasis> is included, a counting rule role="bold">:COUNT</emphasis> is included, a counting rule
@ -96,7 +98,7 @@
role="bold">-</emphasis>|<emphasis role="bold">-</emphasis>|<emphasis
role="bold">any</emphasis>|<emphasis role="bold">any</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term> role="bold">:<option>[</option></emphasis><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
<listitem> <listitem>
<para>Packet Source.</para> <para>Packet Source.</para>
@ -112,8 +114,7 @@
<term><emphasis role="bold">DESTINATION</emphasis> - {<emphasis <term><emphasis role="bold">DESTINATION</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis role="bold">-</emphasis>|<emphasis
role="bold">any</emphasis>|<emphasis role="bold">any</emphasis>|<emphasis
role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
<listitem> <listitem>
<para>Packet Destination.</para> <para>Packet Destination.</para>
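Review bot: the bracket markup is inconsistent between the two columns: the SOURCE term wraps the bracket inside the bold emphasis (`<emphasis role="bold">:<option>[</option></emphasis>`) while the DESTINATION term puts it outside (`<option>:[</option>`). Pick one form for both so the rendered synopsis shows the colon and bracket the same way.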
@ -306,7 +307,7 @@
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/accounting</para> <para>/etc/shorewall6/accounting</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
@ -316,13 +317,12 @@
url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html url="http://shorewall.net/Accounting.html">http://shorewall.net/Accounting.html
</ulink></para> </ulink></para>
<para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5), <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-actions</refentrytitle> <refentrytitle>shorewall6-actions</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -9,12 +11,12 @@
<refnamediv> <refnamediv>
<refname>actions</refname> <refname>actions</refname>
<refpurpose>Shorewall action declaration file</refpurpose> <refpurpose>shorewall6 action declaration file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/actions</command> <command>/etc/shorewall6/actions</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -22,12 +24,12 @@
<title>Description</title> <title>Description</title>
<para>This file allows you to define new ACTIONS for use in rules (see <para>This file allows you to define new ACTIONS for use in rules (see
<ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>). You define <ulink url="shorewall-rules.html">shorewall6-rules(5)</ulink>). You define
the iptables rules to be performed in an ACTION in the iptables rules to be performed in an ACTION in
/etc/shorewall/action.<emphasis>action-name</emphasis>.</para> /etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
<para>ACTION names should begin with an upper-case letter to distinguish <para>ACTION names should begin with an upper-case letter to distinguish
them from Shorewall-generated chain names and they must meet the them from shorewall6-generated chain names and they must meet the
requirements of a Netfilter chain. If you intend to log from the action requirements of a Netfilter chain. If you intend to log from the action
then the name must be no longer than 11 characters in length. Names must then the name must be no longer than 11 characters in length. Names must
also meet the requirements for a Bourne Shell identifier (must begin with also meet the requirements for a Bourne Shell identifier (must begin with
@ -38,22 +40,21 @@
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/actions</para> <para>/etc/shorewall6/actions</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para><ulink <para><ulink
url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para> url="http://shorewall.net/Actions.html">http://shorewall6.net/Actions.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>
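Review bot: the See ALSO ulink now reads `url="http://shorewall.net/Actions.html">http://shorewall6.net/Actions.html` so the displayed text no longer matches the link target; the search-and-replace should not have touched the link text. In the same paragraph, `shorewall-zones(5)` was left unrenamed while every other entry became shorewall6-*.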

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-blacklist</refentrytitle> <refentrytitle>shorewall6-blacklist</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -9,12 +11,12 @@
<refnamediv> <refnamediv>
<refname>blacklist</refname> <refname>blacklist</refname>
<refpurpose>Shorewall Blacklist file</refpurpose> <refpurpose>shorewall6 Blacklist file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/blacklist</command> <command>/etc/shorewall6/blacklist</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -74,12 +76,12 @@
<para>When a packet arrives on an interface that has the <emphasis <para>When a packet arrives on an interface that has the <emphasis
role="bold">blacklist</emphasis> option specified in <ulink role="bold">blacklist</emphasis> option specified in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5), its url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5), its
source IP address and MAC address is checked against this file and source IP address and MAC address is checked against this file and
disposed of according to the <emphasis disposed of according to the <emphasis
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). If <emphasis url="shorewall.conf.html">shorewall6.conf</ulink>(5). If <emphasis
role="bold">PROTOCOL</emphasis> or <emphasis role="bold">PROTOCOL</emphasis> or <emphasis
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis> role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
are supplied, only packets matching the protocol (and one of the ports if are supplied, only packets matching the protocol (and one of the ports if
@ -94,10 +96,11 @@
<term>Example 1:</term> <term>Example 1:</term>
<listitem> <listitem>
<para>To block DNS queries from address 192.0.2.126:</para> <para>To block DNS queries from address
fe80::2a0:ccff:fedb:31c4:</para>
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT <programlisting> #ADDRESS/SUBNET PROTOCOL PORT
192.0.2.126 udp 53</programlisting> fe80::2a0:ccff:fedb:31c4/ udp 53</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
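Review bot: the new programlisting has a dangling slash, `fe80::2a0:ccff:fedb:31c4/ udp 53`; a trailing "/" with no prefix length is not a valid entry and will not pass the address validation this commit touches. Either drop the slash or write an explicit prefix length.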
@ -118,22 +121,21 @@
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/blacklist</para> <para>/etc/shorewall6/blacklist</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para><ulink <para><ulink
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para> url="http://shorewall.net/blacklisting_support.htm">http://shorewall6.net/blacklisting_support.htm</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>
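Review bot: same link-text problem as in shorewall6-actions: the ulink target stays `http://shorewall.net/blacklisting_support.htm` while the visible text was changed to `http://shorewall6.net/blacklisting_support.htm`; restore the original text so it matches the url attribute.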

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-ecn</refentrytitle> <refentrytitle>shorewall6-ecn</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -9,12 +11,12 @@
<refnamediv> <refnamediv>
<refname>ecn</refname> <refname>ecn</refname>
<refpurpose>Shorewall ECN file</refpurpose> <refpurpose>shorewall6 ECN file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/ecn</command> <command>/etc/shorewall6/ecn</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -44,8 +46,8 @@
<listitem> <listitem>
<para>Comma-separated list of host and/or network addresses. If left <para>Comma-separated list of host and/or network addresses. If left
empty or supplied as "-", 0.0.0.0/0 is assumed. If your kernel and empty or supplied as "-", ::/0 is assumed. If your kernel and
iptables include iprange match support then IP address ranges are ip6tables include iprange match support then IP address ranges are
also permitted.</para> also permitted.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -55,20 +57,18 @@
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/ecn</para> <para>/etc/shorewall6/ecn</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>
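Review bot: `shorewall-zones(5)` in the See ALSO paragraph was not renamed to `shorewall6-zones(5)`, unlike every other entry in the list; the same slip appears in the actions and exclusion pages in this commit, so it is worth a final pass over all See ALSO lists.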

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-exclusion</refentrytitle> <refentrytitle>shorewall6-exclusion</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -9,7 +11,7 @@
<refnamediv> <refnamediv>
<refname>exclusion</refname> <refname>exclusion</refname>
<refpurpose>Exclude a set of hosts from a definition in a shorewall <refpurpose>Exclude a set of hosts from a definition in a shorewall6
configuration file.</refpurpose> configuration file.</refpurpose>
</refnamediv> </refnamediv>
@ -26,9 +28,9 @@
<para>Exclusion is used when you wish to exclude one or more addresses <para>Exclusion is used when you wish to exclude one or more addresses
from a definition. An exclaimation point is followed by a comma-separated from a definition. An exclaimation point is followed by a comma-separated
list of addresses. The addresses may be single host addresses (e.g., list of addresses. The addresses may be single host addresses (e.g.,
192.168.1.4) or they may be network addresses in CIDR format (e.g., fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format
192.168.1.0/24). If your kernel and iptables include iprange support, you (e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and iptables include
may also specify ranges of ip addresses of the form iprange support, you may also specify ranges of ip addresses of the form
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para> <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
<para>No embedded whitespace is allowed.</para> <para>No embedded whitespace is allowed.</para>
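Review bot: the new text still says "If your kernel and iptables include iprange support"; the ecn page in this same commit was changed to "ip6tables", so do the same here. While touching this paragraph, fix "exclaimation" (should be "exclamation"), which is present on both sides of the hunk.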
@ -39,70 +41,27 @@
exclusion.</para> exclusion.</para>
</refsect1> </refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1 - All IPv4 addresses except 192.168.3.4</term>
<listitem>
<para>!192.168.3.4</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24
and the host 10.2.3.4</term>
<listitem>
<para>!192.168.1.0/24,10.1.3.4</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 3 - All IPv4 addresses except the range
192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term>
<listitem>
<para>!192.168.1.3-192.168.1.12,10.0.0.0/8</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
and 192.168.1.9</term>
<listitem>
<para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/hosts</para> <para>/etc/shorewall6/hosts</para>
<para>/etc/shorewall/masq</para> <para>/etc/shorewall6/masq</para>
<para>/etc/shorewall/rules</para> <para>/etc/shorewall6/rules</para>
<para>/etc/shorewall/tcrules</para> <para>/etc/shorewall6/tcrules</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>
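Review bot: the whole Examples section is deleted rather than rewritten, which leaves the shorewall6-exclusion page with no worked example of the `!` syntax at all; the four examples translate directly to IPv6 hosts and prefixes and should be kept in that form. Two smaller points in the same hunk: FILES still lists `/etc/shorewall6/masq` although no shorewall6-masq(5) appears in any See ALSO list in this commit, and `shorewall-zones(5)` in See ALSO was not renamed.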

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-hosts</refentrytitle> <refentrytitle>shorewall6-hosts</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -9,12 +11,12 @@
<refnamediv> <refnamediv>
<refname>hosts</refname> <refname>hosts</refname>
<refpurpose>Shorewall file</refpurpose> <refpurpose>shorewall6 file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/hosts</command> <command>/etc/shorewall6/hosts</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -27,8 +29,8 @@
<para>The order of entries in this file is not significant in determining <para>The order of entries in this file is not significant in determining
zone composition. Rather, the order that the zones are declared in <ulink zone composition. Rather, the order that the zones are declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5) determines the order url="shorewall-zones.html">shorewall6-zones</ulink>(5) determines the
in which the records in this file are interpreted.</para> order in which the records in this file are interpreted.</para>
<warning> <warning>
<para>The only time that you need this file is when you have more than <para>The only time that you need this file is when you have more than
@ -37,7 +39,7 @@
<warning> <warning>
<para>If you have an entry for a zone and interface in <ulink <para>If you have an entry for a zone and interface in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5) then do
not include any entries in this file for that same (zone, interface) not include any entries in this file for that same (zone, interface)
pair.</para> pair.</para>
</warning> </warning>
@ -51,26 +53,26 @@
<listitem> <listitem>
<para>The name of a zone declared in <ulink <para>The name of a zone declared in <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5). You may not url="shorewall-zones.html">shorewall6-zones</ulink>(5). You may not
list the firewall zone in this column.</para> list the firewall zone in this column.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">HOST(S)</emphasis> - <term><emphasis role="bold">HOST(S)</emphasis> -
<emphasis>interface</emphasis>:{[{<emphasis>address-or-range</emphasis>[<emphasis <emphasis>interface</emphasis>:<option>[</option>{[{<emphasis>address-or-range</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]</term> role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]<option>]</option></term>
<listitem> <listitem>
<para>The name of an interface defined in the <ulink <para>The name of an interface defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
followed by a colon (":") and a comma-separated list whose elements file followed by a colon (":") and a comma-separated list whose
are either:</para> elements are either:</para>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
<para>The IP <replaceable>address</replaceable> of a <para>The IPv6 <replaceable>address</replaceable> of a
host.</para> host.</para>
</listitem> </listitem>
@ -92,7 +94,7 @@
<blockquote> <blockquote>
<para>You may also exclude certain hosts through use of an <para>You may also exclude certain hosts through use of an
<emphasis>exclusion</emphasis> (see <ulink <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para> url="shorewall-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
</blockquote> </blockquote>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -107,24 +109,11 @@
must have no embedded white space.</para> must have no embedded white space.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">maclist</emphasis></term>
<listitem>
<para>Connection requests from these hosts are compared
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC or equivalent and must be up before Shorewall is
started.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">routeback</emphasis></term> <term><emphasis role="bold">routeback</emphasis></term>
<listitem> <listitem>
<para>Shorewall should set up the infrastructure to pass <para>shorewall6 should set up the infrastructure to pass
packets from this/these address(es) back to themselves. This packets from this/these address(es) back to themselves. This
is necessary if hosts in this group use the services of a is necessary if hosts in this group use the services of a
transparent proxy that is a member of the group or if DNAT is transparent proxy that is a member of the group or if DNAT is
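Review bot: the `maclist` option is removed from this page, yet every See ALSO list in the commit still references shorewall6-maclist(5), and the release notes say the bracket convention "includes MAC addresses as well as IPv6 addresses". Either the option is supported in Shorewall6 and should stay documented here, or the shorewall6-maclist(5) references should go; the hunk should make clear which.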
@ -141,7 +130,7 @@
bridge.</para> bridge.</para>
<para>Check packets arriving on this port against the <ulink <para>Check packets arriving on this port against the <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5) url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para> file.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -158,23 +147,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term>
<listitem>
<para>This option only makes sense for ports on a
bridge.</para>
<para>Filter packets for smurfs (packets with a broadcast
address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ipsec</emphasis></term> <term><emphasis role="bold">ipsec</emphasis></term>
@ -182,94 +154,32 @@
<para>The zone is accessed via a kernel 2.6 ipsec SA. Note <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
that if the zone named in the ZONE column is specified as an that if the zone named in the ZONE column is specified as an
IPSEC zone in the <ulink IPSEC zone in the <ulink
url="shorewall-zones.html">shorewall-zones</ulink>(5) file url="shorewall-zones.html">shorewall6-zones</ulink>(5) file
then you do NOT need to specify the 'ipsec' option then you do NOT need to specify the 'ipsec' option
here.</para> here.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>broadcast</term>
<listitem>
<para>Used when you want to include limited broadcasts
(destination IP address 255.255.255.255) from the firewall to
this zone. Only necessary when:</para>
<orderedlist>
<listitem>
<para>The network specified in the HOST(S) column does not
include 255.255.255.255.</para>
</listitem>
<listitem>
<para>The zone does not have an entry for this interface
in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>destonly</term>
<listitem>
<para>Normally used with the Multi-cast IP address range
(224.0.0.0/4). Specifies that traffic will be sent to the
specified net(s) but that no traffic will be received from the
net(s).</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
<refsect1>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1</term>
<listitem>
<para>The firewall runs a PPTP server which creates a ppp interface
for each remote client. The clients are assigned IP addresses in the
network 192.168.3.0/24 and in a zone named 'vpn'.<programlisting>#ZONE HOST(S) OPTIONS
vpn ppp+:192.168.3.0/24</programlisting></para>
<para>If you are running a Shorewall version prior to 4.1.4, it is
especially recommended to define such a zone using this file rather
than <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8) if
there is another zone that uses a fixed PPP interface (for example,
if the 'net' zone always interfaces through ppp0). See <ulink
url="shorewall-nesting.html">shorewall-nesting</ulink>(8) for
additional information.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/hosts</para> <para>/etc/shorewall6/hosts</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall-blacklist(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5), shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>
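Review bot: two stale IPv4 references survive in this hunk: the zones link keeps url="shorewall-zones.html" although its text now says shorewall6-zones, and the See ALSO list ends with shorewall-zones(5) where the interfaces and maclist pages in this change cite shorewall6-zones(5). Dropping the whole Examples refsect1 also leaves this page with no example at all; the PPTP/ppp+ example is not IPv4-specific apart from the 192.168.3.0/24 network, so consider keeping it with an IPv6 prefix (the HOST(S) and OPTIONS columns keep the same format).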

View File

@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-interfaces</refentrytitle> <refentrytitle>shorewall6-interfaces</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -11,12 +11,12 @@
<refnamediv> <refnamediv>
<refname>interfaces</refname> <refname>interfaces</refname>
<refpurpose>Shorewall interfaces file</refpurpose> <refpurpose>shorewall6 interfaces file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/interfaces</command> <command>/etc/shorewall6/interfaces</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -24,7 +24,7 @@
<title>Description</title> <title>Description</title>
<para>The interfaces file serves to define the firewall's network <para>The interfaces file serves to define the firewall's network
interfaces to Shorewall. The order of entries in this file is not interfaces to shorewall6. The order of entries in this file is not
significant in determining zone composition.</para> significant in determining zone composition.</para>
<para>The columns in the file are as follows.</para> <para>The columns in the file are as follows.</para>
@ -36,11 +36,11 @@
<listitem> <listitem>
<para>Zone for this interface. Must match the name of a zone <para>Zone for this interface. Must match the name of a zone
declared in /etc/shorewall/zones. You may not list the firewall zone declared in /etc/shorewall6/zones. You may not list the firewall
in this column.</para> zone in this column.</para>
<para>If the interface serves multiple zones that will be defined in <para>If the interface serves multiple zones that will be defined in
the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5) the <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
file, you should place "-" in this column.</para> file, you should place "-" in this column.</para>
<para>If there are multiple interfaces to the same zone, you must <para>If there are multiple interfaces to the same zone, you must
@ -73,51 +73,31 @@ loc eth2 -</programlisting>
applies to all PPP interfaces, use 'ppp+'; that would match ppp0, applies to all PPP interfaces, use 'ppp+'; that would match ppp0,
ppp1, ppp2, …</para> ppp1, ppp2, …</para>
<para>When using Shorewall versions before 4.1.4, care must be <para>Care must be exercised when using wildcards where there is
exercised when using wildcards where there is another zone that uses another zone that uses a matching specific interface. See <ulink
a matching specific interface. See <ulink url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
discussion of this problem.</para> discussion of this problem.</para>
<para>Beginning with Shorewall 4.2.3, Shorewall-perl allows '+' as <para>Shorewall6-perl allows '+' as an interface name.</para>
an interface name.</para>
<para>There is no need to define the loopback interface (lo) in this <para>There is no need to define the loopback interface (lo) in this
file.</para> file.</para>
<para>(Shorewall-perl only) If a <replaceable>port</replaceable> is <para>If a <replaceable>port</replaceable> is given, then the
given, then the <replaceable>interface</replaceable> must have been <replaceable>interface</replaceable> must have been defined
defined previously with the <option>bridge</option> option. The previously with the <option>bridge</option> option. The OPTIONS
OPTIONS column must be empty when a <replaceable>port</replaceable> column must be empty when a <replaceable>port</replaceable> is
is given.</para> given.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">BROADCAST</emphasis> (Optional) - <term><emphasis role="bold">UNICAST</emphasis> - <emphasis
{<emphasis role="bold">-</emphasis>|<emphasis role="bold">-</emphasis></term>
role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>
<listitem> <listitem>
<para>The broadcast address(es) for the network(s) to which the <para>Enter '<emphasis role="bold">-'</emphasis> in this column. It
interface belongs. For P-T-P interfaces, this column is left blank. is here for compatibility between Shorewall6 and Shorewall.</para>
If the interface has multiple addresses on multiple subnets then
list the broadcast addresses as a comma-separated list.</para>
<para>If you use the special value <emphasis
role="bold">detect</emphasis>, Shorewall will detect the broadcast
address(es) for you. If you select this option, the interface must
be up before the firewall is started.</para>
<para>If you don't want to give a value for this column but you want
to enter a value in the OPTIONS column, enter <emphasis
role="bold">-</emphasis> in this column.</para>
<para><emphasis role="bold">Note to Shorewall-perl users:</emphasis>
Shorewall-perl only supports <option>detect</option> or <emphasis
role="bold">-</emphasis> in this column. If you specify
<replaceable>address</replaceable>es, a compilation warning will be
issued.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
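Review bot: the new UNICAST column is documented only as "Enter '-' in this column", so the heading promises more than the text delivers; say explicitly that shorewall6 ignores the column and that only '-' is accepted, otherwise readers will look for what a unicast address would do here. Minor: "Shorewall6-perl allows '+' as an interface name" and "compatibility between Shorewall6 and Shorewall" capitalize the name while the rest of this page uses "shorewall6".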
@ -132,81 +112,13 @@ loc eth2 -</programlisting>
should have no embedded white space.</para> should have no embedded white space.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
<listitem>
<para>If specified, this interface will only respond to ARP
who-has requests for IP addresses configured on the interface.
If not specified, the interface can respond to ARP who-has
requests for IP addresses on any of the firewall's interface.
The interface must be up when Shorewall is started.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>arp_filter</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>
<listitem>
<para>If specified, this interface will respond to arp
requests based on the value of <emphasis>number</emphasis>
(defaults to 1).</para>
<para>1 - reply only if the target IP address is local address
configured on the incoming interface</para>
<para>2 - reply only if the target IP address is local address
configured on the incoming interface and the sender's IP
address is part from same subnet on this interface</para>
<para>3 - do not reply for local addresses configured with
scope host, only resolutions for global and link</para>
<para>4-7 - reserved</para>
<para>8 - do not reply for all local addresses</para>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<para></para>
<warning>
<para>Do not specify <emphasis
role="bold">arp_ignore</emphasis> for any interface involved
in <ulink url="../ProxyARP.htm">Proxy ARP</ulink>.</para>
</warning>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term> <term><emphasis role="bold">blacklist</emphasis></term>
<listitem> <listitem>
<para>Check packets arriving on this interface against the <para>Check packets arriving on this interface against the
<ulink <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5) url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para> file.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -215,237 +127,43 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">bridge</emphasis></term> <term><emphasis role="bold">bridge</emphasis></term>
<listitem> <listitem>
<para>(Shorewall-perl only) Designates the interface as a <para>(shorewall6-perl only) Designates the interface as a
bridge.</para> bridge.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">detectnets</emphasis>
(Deprecated)</term>
<listitem>
<para>Automatically tailors the zone named in the ZONE column
to include only those hosts routed through the
interface.</para>
<para></para>
<warning>
<para>Do not set the <emphasis
role="bold">detectnets</emphasis> option on your internet
interface.</para>
<para>Support for this option will be removed in a future
release of Shorewall-perl. Better to use the <emphasis
role="bold">routefilter</emphasis> option together with the
<emphasis role="bold">logmartians</emphasis> option.</para>
</warning>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">dhcp</emphasis></term>
<listitem>
<para>Specify this option when any of the following are
true:</para>
<orderedlist spacing="compact">
<listitem>
<para>the interface gets its IP address via DHCP</para>
</listitem>
<listitem>
<para>the interface is used by a DHCP server running on
the firewall</para>
</listitem>
<listitem>
<para>the interface has a static IP but is on a LAN
segment with lots of DHCP clients.</para>
</listitem>
<listitem>
<para>the interface is a bridge with a DHCP server on one
port and DHCP clients on another port.</para>
</listitem>
</orderedlist>
<para>This option allows DHCP datagrams to enter and leave the
interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">logmartians[={0|1}]</emphasis></term>
<listitem>
<para>Turn on kernel martian logging (logging of packets with
impossible source addresses. It is strongly suggested that if
you set <emphasis role="bold">routefilter</emphasis> on an
interface that you also set <emphasis
role="bold">logmartians</emphasis>. Even if you do not specify
the <option>routefilter</option> option, it is a good idea to
specify <option>logmartians</option> because your distribution
may be enabling route filtering without you knowing it.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>logmartians</option> option will
have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is
given.</para>
<para>To find out if route filtering is set on a given
<replaceable>interface</replaceable>, check the contents of
<filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter</filename>
- a non-zero value indicates that route filtering is
enabled.</para>
<para>Example:</para>
<programlisting> teastep@lists:~$ <command>cat /proc/sys/net/ipv4/conf/eth0/rp_filter </command>
1
teastep@lists:~$ </programlisting>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<blockquote>
<para>This option may also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">maclist</emphasis></term>
<listitem>
<para>Connection requests from this interface are compared
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC and must be up before Shorewall is started.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">mss</emphasis>[=<emphasis>number</emphasis>]</term> role="bold">mss</emphasis>[=<emphasis>number</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN <para>Causes forwarded TCP SYN packets entering or leaving on
packets entering or leaving on this interface to have their this interface to have their MSS field set to the specified
MSS field set to the specified
<replaceable>number</replaceable>.</para> <replaceable>number</replaceable>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">norfc1918</emphasis></term>
<listitem>
<para>This interface should not receive any packets whose
source is in one of the ranges reserved by RFC 1918 (i.e.,
private or "non-routable" addresses). If packet mangling or
connection-tracking match is enabled in your kernel, packets
whose destination addresses are reserved by RFC 1918 are also
rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nosmurfs</emphasis></term>
<listitem>
<para>Filter packets for smurfs (packets with a broadcast
address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">optional</emphasis></term> <term><emphasis role="bold">optional</emphasis></term>
<listitem> <listitem>
<para>Only supported by Shorewall-perl. When <para>When <option>optional</option> is specified for an
<option>optional</option> is specified for an interface, interface, shorewall6 will be silent when:</para>
Shorewall will be silent when:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>a <filename <para>a <filename
class="directory">/proc/sys/net/ipv4/conf/</filename> class="directory">/proc/sys/net/ipv5/conf/</filename>
entry for the interface cannot be modified (including for entry for the interface cannot be modified.</para>
proxy ARP).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The first address of the interface cannot be <para>The first global IPv6 address of the interface
obtained.</para> cannot be obtained.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para></para> <para></para>
<blockquote>
<para>I specify <option>optional</option> on interfaces to
Xen virtual machines that may or may not be running when
Shorewall is [re]started.</para>
<para></para>
<caution>
<para>Use <option>optional</option> at your own risk. If
you [re]start Shorewall when an 'optional' interface is
not available and then do a <command>shorewall
save</command>, subsequent <command>shorewall
restore</command> and <command>shorewall -f
start</command> operations will instantiate a ruleset that
does not support that interface, even if it is available
at the time of the restore/start.</para>
</caution>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
<listitem>
<para>Sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
Do NOT use this option if you are employing Proxy ARP through
entries in <ulink
url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
This option is intended solely for use with Proxy ARP
sub-networking as described at: <ulink
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
</ulink></para>
<para><emphasis role="bold">Note</emphasis>: This option does
not work with a wild-card <replaceable>interface</replaceable>
name (e.g., eth0.+) in the INTERFACE column.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>proxyarp</option> option will have
their setting changes; the value assigned to the setting will
be the value specified (if any) or 1 if no value is
given.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
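Review bot: the path in the optional entry reads "/proc/sys/net/ipv5/conf/" and should be "/proc/sys/net/ipv6/conf/", matching the accept_source_route path used later in this file. Two removals in this hunk also deserve a second look: the caution that a save taken while an optional interface is down yields a ruleset that later restore and -f start operations reuse without that interface still applies if shorewall6 has the same save/restore commands, so keep the caution even if the Xen anecdote goes; and the maclist entry is removed here although shorewall6-maclist(5) in this change still says the feature is enabled from this file. The leftover empty <para></para> after the itemizedlist can go as well.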
@ -453,7 +171,7 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">routeback</emphasis></term> <term><emphasis role="bold">routeback</emphasis></term>
<listitem> <listitem>
<para>If specified, indicates that Shorewall should include <para>If specified, indicates that shorewall6 should include
rules that allow filtering traffic arriving on this interface rules that allow filtering traffic arriving on this interface
back out that same interface. This option is also required back out that same interface. This option is also required
when you have used a wildcard in the INTERFACE column if you when you have used a wildcard in the INTERFACE column if you
@ -471,7 +189,7 @@ loc eth2 -</programlisting>
(anti-spoofing measure).</para> (anti-spoofing measure).</para>
<para>The option value (0 or 1) may only be specified if you <para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those are using shorewall6-perl. With shorewall6-perl, only those
interfaces with the <option>routefilter</option> option will interfaces with the <option>routefilter</option> option will
have their setting changes; the value assigned to the setting have their setting changes; the value assigned to the setting
will be the value specified (if any) or 1 if no value is will be the value specified (if any) or 1 if no value is
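Review bot: this entry keeps "The option value (0 or 1) may only be specified if you are using shorewall6-perl", while the sourceroute entry below drops the same qualifier, as the rest of this file drops its Shorewall-perl-only wording; the two entries should be handled the same way. It is also worth confirming what backs routefilter on IPv6: the Linux kernel exposes rp_filter under /proc/sys/net/ipv4/conf only, with no IPv6 counterpart, so an anti-spoofing option documented here needs a different mechanism behind it, and the text should say which.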
@ -487,7 +205,7 @@ loc eth2 -</programlisting>
<blockquote> <blockquote>
<para>This option can also be enabled globally in the <ulink <para>This option can also be enabled globally in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) url="shorewall6.conf.html">shorewall6.conf</ulink>(5)
file.</para> file.</para>
</blockquote> </blockquote>
</listitem> </listitem>
@ -501,19 +219,15 @@ loc eth2 -</programlisting>
<para>If this option is not specified for an interface, then <para>If this option is not specified for an interface, then
source-routed packets will not be accepted from that interface source-routed packets will not be accepted from that interface
(sets (sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/accept_source_route
to 1). Only set this option if you know what you are doing. to 1). Only set this option if you know what you are doing.
This might represent a security risk and is not usually This might represent a security risk and is not usually
needed.</para> needed.</para>
<para>The option value (0 or 1) may only be specified if you <para>Only those interfaces with the
are using Shorewall-perl. With Shorewall-perl, only those <option>sourceroute</option> option will have their setting
interfaces with the <option>sourceroute</option> option will changes; the value assigned to the setting will be the value
have their setting changes; the value assigned to the setting specified (if any) or 1 if no value is given.</para>
will be the value specified (if any) or 1 if no value is
given.</para>
<para></para>
<note> <note>
<para>This option does not work with a wild-card <para>This option does not work with a wild-card
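Review bot: the parenthetical in the sourceroute entry contradicts the sentence around it: if not specifying the option means source-routed packets are not accepted, the sysctl is being set to 0, not 1 (or it is the option, when given, that sets it to 1). The wording is carried over unchanged from the IPv4 page, so it should be corrected in both places.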
@ -559,43 +273,14 @@ loc eth2 -</programlisting>
<listitem> <listitem>
<para>Suppose you have eth0 connected to a DSL modem and eth1 <para>Suppose you have eth0 connected to a DSL modem and eth1
connected to your local network and that your local subnet is connected to your local network You have a DMZ using eth2.</para>
192.168.1.0/24. The interface gets it's IP address via DHCP from
subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
using eth2.</para>
<para>Your entries for this setup would look like:</para> <para>Your entries for this setup would look like:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE UNICAST OPTIONS
net eth0 206.191.149.223 dhcp net eth0 -
loc eth1 192.168.1.255 loc eth1 -
dmz eth2 192.168.2.255</programlisting> dmz eth2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>The same configuration without specifying broadcast addresses
is:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp
loc eth1 detect
dmz eth2 detect</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 3:</term>
<listitem>
<para>You have a simple dial-in system with no ethernet
connections.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
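Review bot: the rewritten example text is missing a sentence break: "connected to your local network You have a DMZ using eth2" needs a period after "network". The remaining example now shows only '-' in UNICAST and an empty OPTIONS column, which illustrates nothing about the file beyond the column layout; dropping Example 3 (the ppp0 dial-in case) also removes the one example that was not IPv4-specific, so consider keeping it with the UNICAST heading.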
@ -604,19 +289,18 @@ net ppp0 -</programlisting>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/interfaces</para> <para>/etc/shorewall6/interfaces</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-ipsec(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-maclist</refentrytitle> <refentrytitle>shorewall6-maclist</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -9,12 +11,12 @@
<refnamediv> <refnamediv>
<refname>maclist</refname> <refname>maclist</refname>
<refpurpose>Shorewall MAC Verification file</refpurpose> <refpurpose>shorewall6 MAC Verification file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/maclist</command> <command>/etc/shorewall6/maclist</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -22,12 +24,12 @@
<title>Description</title> <title>Description</title>
<para>This file is used to define the MAC addresses and optionally their <para>This file is used to define the MAC addresses and optionally their
associated IP addresses to be allowed to use the specified interface. The associated IPv6 addresses to be allowed to use the specified interface.
feature is enabled by using the <emphasis role="bold">maclist</emphasis> The feature is enabled by using the <emphasis
option in the <ulink role="bold">maclist</emphasis> option in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5) or
url="shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5)
file.</para> configuration file.</para>
<para>The columns in the file are as follows.</para> <para>The columns in the file are as follows.</para>
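Review bot: this description says the feature is enabled with the maclist option in shorewall6-interfaces(5) or shorewall6-hosts(5), but both of those pages have their maclist entries removed in this same commit. Either restore those entries or rewrite this paragraph (and the corresponding See ALSO lists) so the documentation does not point to an option that is no longer documented anywhere.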
@ -41,8 +43,8 @@
<listitem> <listitem>
<para><emphasis role="bold">ACCEPT</emphasis> or <emphasis <para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is url="shorewall6.conf.html">shorewall6.conf</ulink>(5), then REJECT
also allowed). If specified, the is also allowed). If specified, the
<replaceable>log-level</replaceable> causes packets matching the <replaceable>log-level</replaceable> causes packets matching the
rule to be logged at that level.</para> rule to be logged at that level.</para>
</listitem> </listitem>
@ -63,7 +65,7 @@
<listitem> <listitem>
<para>MAC <emphasis>address</emphasis> of the host -- you do not <para>MAC <emphasis>address</emphasis> of the host -- you do not
need to use the Shorewall format for MAC addresses here. If need to use the shorewall6 format for MAC addresses here. If
<emphasis role="bold">IP ADDRESSESES</emphasis> is supplied then <emphasis role="bold">IP ADDRESSESES</emphasis> is supplied then
<emphasis role="bold">MAC</emphasis> can be supplied as a dash <emphasis role="bold">MAC</emphasis> can be supplied as a dash
(<emphasis role="bold">-</emphasis>)</para> (<emphasis role="bold">-</emphasis>)</para>
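Review bot: "IP ADDRESSESES" in the MAC column description is a typo for "IP ADDRESSES", carried over from the IPv4 page; since the description above was just reworded to say "IPv6 addresses", this is the place to fix it as well.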
@ -90,7 +92,7 @@
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/maclist</para> <para>/etc/shorewall6/maclist</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
@ -99,13 +101,12 @@
<para><ulink <para><ulink
url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para> url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall-ipsec(5), shorewall-masq(5), shorewall-nat(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-modules</refentrytitle> <refentrytitle>shorewall6-modules</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -9,19 +11,19 @@
<refnamediv> <refnamediv>
<refname>modules</refname> <refname>modules</refname>
<refpurpose>Shorewall file</refpurpose> <refpurpose>shorewall6 file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/usr/share/shorewall/modules</command> <command>/usr/share/shorewall6/modules</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>This file specifies which kernel modules Shorewall will load before <para>This file specifies which kernel modules shorewall6 will load before
trying to determine your iptables/kernel's capabilities. Each record in trying to determine your iptables/kernel's capabilities. Each record in
the file has the following format:</para> the file has the following format:</para>
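Review bot: the description still says the modules are loaded before determining "your iptables/kernel's capabilities"; for shorewall6 that should read ip6tables. The refpurpose "shorewall6 file" also carries over the vague IPv4 wording; "shorewall6 kernel modules file" would say what the page is for.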
@ -35,19 +37,19 @@
</cmdsynopsis> </cmdsynopsis>
<para>The <replaceable>modulename</replaceable> names a kernel module <para>The <replaceable>modulename</replaceable> names a kernel module
(without suffix). Shorewall will search for modules based on your (without suffix). shorewall6 will search for modules based on your
MODULESDIR and MODULE_SUFFIX settings in <ulink MODULESDIR and MODULE_SUFFIX settings in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(8). The url="shorewall6.conf.html">shorewall6.conf</ulink>(8). The
<replaceable>moduleoption</replaceable>s are passed to modprobe (if <replaceable>moduleoption</replaceable>s are passed to modprobe (if
installed) or to insmod.</para> installed) or to insmod.</para>
<para>The /usr/share/shorewall/modules file contains a large number of <para>The /usr/share/shorewall6/modules file contains a large number of
modules. Users are encouraged to copy the file to /etc/shorewall/modules modules. Users are encouraged to copy the file to /etc/shorewall6/modules
and modify the copy to load only the modules required.<note> and modify the copy to load only the modules required.<note>
<para>If you build monolithic kernels and have not installed <para>If you build monolithic kernels and have not installed
module-init-tools, then create an empty /etc/shorewall/modules file; module-init-tools, then create an empty /etc/shorewall6/modules file;
that will prevent Shorewall from trying to load modules at all. that will prevent shorewall6 from trying to load modules at
</para> all.</para>
</note></para> </note></para>
</refsect1> </refsect1>
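Review bot: the cross-reference "shorewall6.conf</ulink>(8)" in the moduleoption paragraph cites manual section 8, while every See ALSO list in this patch cites shorewall6.conf(5); the section number was carried over from the IPv4 page and should be made consistent. The advice to copy /usr/share/shorewall6/modules to /etc/shorewall6/modules and trim it to the modules actually needed is worth keeping as is.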
@ -60,22 +62,20 @@
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/usr/share/shorewall/modules</para> <para>/usr/share/shorewall6/modules</para>
<para>/etc/shorewall/modules</para> <para>/etc/shorewall6/modules</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-nesting</refentrytitle> <refentrytitle>shorewall6-nesting</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -9,7 +11,7 @@
<refnamediv> <refnamediv>
<refname>nesting</refname> <refname>nesting</refname>
<refpurpose>Shorewall Nested Zones</refpurpose> <refpurpose>shorewall6 Nested Zones</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
@ -22,40 +24,40 @@
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>In <ulink url="shorewall-zones.html">shorewall-zones</ulink>(5), a <para>In <ulink url="shorewall-zones.html">shorewall6-zones</ulink>(5), a
zone may be declared to be a sub-zone of one or more other zones using the zone may be declared to be a sub-zone of one or more other zones using the
above syntax.</para> above syntax.</para>
<para>Where zones are nested, the CONTINUE policy in <ulink <para>Where zones are nested, the CONTINUE policy in <ulink
url="shorewall-policy.html">shorewall-policy</ulink>(5) allows hosts that url="shorewall6-policy.html">shorewall6-policy</ulink>(5) allows hosts
are within multiple zones to be managed under the rules of all of these that are within multiple zones to be managed under the rules of all of
zones.</para> these zones.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>Example</title> <title>Example</title>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall6/zones</filename>:</para>
<programlisting> #ZONE TYPE OPTION <programlisting> #ZONE TYPE OPTION
fw firewall fw firewall
net ipv4 net ipv6
sam:net ipv4 sam:net ipv6
loc ipv4</programlisting> loc ipv6</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS <programlisting> #ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect dhcp,norfc1918 - eth0 detect blacklist
loc eth1 detect</programlisting> loc eth1 detect</programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para> <para><filename>/etc/shorewall6/hosts</filename>:</para>
<programlisting> #ZONE HOST(S) OPTIONS <programlisting> #ZONE HOST(S) OPTIONS
net eth0:0.0.0.0/0 net eth0:[::\]
sam eth0:206.191.149.197</programlisting> sam eth0:[2001:19f0:feee::dead:beef:cafe]</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para> <para><filename>/etc/shorewall6/policy</filename>:</para>
<programlisting> #SOURCE DEST POLICY LOG LEVEL <programlisting> #SOURCE DEST POLICY LOG LEVEL
loc net ACCEPT loc net ACCEPT
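Review bot: the hosts example line "net eth0:[::\]" has a backslash where a prefix length belongs; the IPv4 original was "eth0:0.0.0.0/0", so the intended IPv6 equivalent is "[::/0]". In the Description the link text was renamed to shorewall6-zones but its url attribute still reads url="shorewall-zones.html", so it points at the IPv4 page, whereas the shorewall6-policy link two lines below had both text and url updated.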
@ -69,143 +71,45 @@
under rules where the source zone is net. It is important that this policy under rules where the source zone is net. It is important that this policy
be listed BEFORE the next policy (net to all). You can have this policy be listed BEFORE the next policy (net to all). You can have this policy
generated for you automatically by using the IMPLICIT_CONTINUE option in generated for you automatically by using the IMPLICIT_CONTINUE option in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Partial <filename>/etc/shorewall/rules</filename>:</para> <para>Partial <filename>/etc/shorewall6/rules</filename>:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
... ...
DNAT sam loc:192.168.1.3 tcp ssh ACCEPT sam loc:2001:19f0:feee::3 tcp ssh
DNAT net loc:192.168.1.5 tcp www ACCEPT net loc:2001:19f0:feee::5 tcp www
...</programlisting> ...</programlisting>
<para>Given these two rules, Sam can connect to the firewall's internet <para>Given these two rules, Sam can connect with ssh to
interface with ssh and the connection request will be forwarded to 2001:19f0:feee::3. Like all hosts in the net zone, Sam can connect to TCP
192.168.1.3. Like all hosts in the net zone, Sam can connect to the port 80 on 2001:19f0:feee::5. The order of the rules is not
firewall's internet interface on TCP port 80 and the connection request significant.</para>
will be forwarded to 192.168.1.5. The order of the rules is not
significant. Sometimes it is necessary to suppress port forwarding for a
sub-zone. For example, suppose that all hosts can SSH to the firewall and
be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the
firewall's external IP, he should be connected to the firewall itself.
Because of the way that Netfilter is constructed, this requires two rules
as follows:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST PORT(S)
...
ACCEPT+ sam $FW tcp ssh
DNAT net loc:192.168.1.3 tcp ssh
...</programlisting>
<para>The first rule allows Sam SSH access to the firewall. The second
rule says that any clients from the net zone with the exception of those
in the “sam” zone should have their connection port forwarded to
192.168.1.3. If you need to exclude more than one zone, simply use
multiple ACCEPT+ rules. This technique also may be used when the ACTION is
REDIRECT.</para>
<para>Care must be taken when nesting occurs as a result of the use of
wildcard interfaces (interface names ends in '+').</para>
<para>Here's an example. <filename>/etc/shorewall/zones</filename>:</para>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net ppp0
loc eth1
loc ppp+
dmz eth2</programlisting></para>
<para>Because the net zone is declared before the loc zone, net is an
implicit sub-zone of loc and in the absence of a net-&gt;... CONTINUE
policy, traffic from the net zone will not be passed through loc-&gt;...
rules. But DNAT and REDIRECT rules are an exception!</para>
<itemizedlist>
<listitem>
<para>DNAT and REDIRECT rules generate two Netfilter rules: a 'nat'
table rule that rewrites the destination IP address and/or port
number, and a 'filter' table rule that ACCEPTs the rewritten
connection.</para>
</listitem>
<listitem>
<para>Policies only affect the 'filter' table.</para>
</listitem>
</itemizedlist>
<para>As a consequence, the following rules will have unexpected
behavior:<programlisting> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net dmz tcp 80
REDIRECT loc 3128 tcp 80</programlisting></para>
<para>The second rule is intended to redirect local web requests to a
proxy running on the firewall and listening on TCP port 3128. But the
'nat' part of that rule will cause all connection requests for TCP port 80
arriving on interface ppp+ (including ppp0!) to have their destination
port rewritten to 3128. Hence, the web server running in the DMZ will be
inaccessible from the web.</para>
<para>The above problem can be corrected in several ways.</para>
<para>The preferred way is to use the <option>ifname</option> pppd option
to change the 'net' interface to something other than ppp0. That way, it
won't match ppp+.</para>
<para>If you are running Shorewall version 4.1.4 or later, a second way is
to simply make the nested zones explicit:<programlisting> #ZONE TYPE OPTION
fw firewall
loc ipv4
net:loc ipv4
dmz ipv4</programlisting></para>
<para>If you take this approach, be sure to set IMPLICIT_CONTINUE=No in
<filename>shorewall.conf</filename>.</para>
<para>When using other Shorewall versions, another way is to rewrite the
DNAT rule (assume that the local zone is entirely within
192.168.2.0/23):<programlisting> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net dmz tcp 80
REDIRECT loc:192.168.2.0/23 3128 tcp 80</programlisting></para>
<para>Another way is to restrict the definition of the loc zone:</para>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
net ppp0
loc eth1
- ppp+
dmz eth2</programlisting></para>
<para><filename>/etc/shorewall/hosts</filename>:<programlisting> #ZONE HOST(S) OPTIONS
loc ppp+:192.168.2.0/23</programlisting></para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/zones</para> <para>/etc/shorewall6/zones</para>
<para>/etc/shorewall/interfaces</para> <para>/etc/shorewall6/interfaces</para>
<para>/etc/shorewall/hosts</para> <para>/etc/shorewall6/hosts</para>
<para>/etc/shorewall/policy</para> <para>/etc/shorewall6/policy</para>
<para>/etc/shorewall/rules</para> <para>/etc/shorewall6/rules</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>
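Review bot: the wildcard-interface caveat is dropped together with the DNAT/REDIRECT material, but its first half is not NAT-specific: "Care must be taken when nesting occurs as a result of the use of wildcard interfaces" and "Because the net zone is declared before the loc zone, net is an implicit sub-zone of loc and in the absence of a net->... CONTINUE policy, traffic from the net zone will not be passed through loc->... rules" apply to shorewall6 filter rules as well, and the retained text above still relies on IMPLICIT_CONTINUE. Consider keeping that paragraph, the ppp+ interfaces example and the "make the nested zones explicit" zones example (with ipv6 zone types and the IMPLICIT_CONTINUE=No reminder), and dropping only the nat-table discussion and the ACCEPT+ rule.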

View File

@ -1,7 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-params</refentrytitle> <refentrytitle>shorewall6-params</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -9,12 +11,12 @@
<refnamediv> <refnamediv>
<refname>params</refname> <refname>params</refname>
<refpurpose>Shorewall parameters file</refpurpose> <refpurpose>Shorewall6 parameters file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/params</command> <command>/etc/shorewall6/params</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
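Review bot: the refpurpose "Shorewall6 parameters file" capitalizes the product name, while the other pages in this patch use lowercase ("shorewall6 file", "shorewall6 Nested Zones"); pick one form for all the renamed refpurpose elements.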
@ -34,7 +36,7 @@ NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918</programlisting> NET_OPTIONS=routefilter,norfc1918</programlisting>
<para>Example <ulink <para>Example <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
file.</para> file.</para>
<programlisting>ZONE INTERFACE BROADCAST OPTIONS <programlisting>ZONE INTERFACE BROADCAST OPTIONS
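Review bot: only the ulink is updated here, but the surrounding example still carries IPv4 values in a shorewall6 page: "NET_BCAST=130.252.100.255", "NET_OPTIONS=routefilter,norfc1918" and "net eth0 130.252.100.255 routefilter,norfc1918". The shorewall6-nesting change in this same patch removed norfc1918 from its interfaces example, and a broadcast address has no IPv6 meaning; the params example should be converted the same way.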
@ -49,22 +51,22 @@ net eth0 130.252.100.255 routefilter,norfc1918</programlisting>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/params</para> <para>/etc/shorewall6/params</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para><ulink <para><ulink
url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para> url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall6.net/configuration_file_basics.htm#Variables</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5), shorewall6-nat(5), shorewall6-netmap(5), shorewall6-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>
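Review bot: the See ALSO paragraph keeps shorewall6-ipsec, shorewall6-masq, shorewall6-nat, shorewall6-netmap and shorewall6-proxyarp, while the shorewall6-modules and shorewall6-nesting pages in this patch drop them; the three lists should agree. The mechanical rename also changed the link text to "http://www.shorewall6.net/configuration_file_basics.htm#Variables" while the url attribute still says www.shorewall.net, so the visible text names a different host than the target; revert the text. The trailing "?" in the url attribute is pre-existing but easy to fix while here.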