forked from extern/shorewall_code
More documentation cleanup for 4.4
This commit is contained in:
parent
589df0dc57
commit
793a929051
@ -209,13 +209,13 @@ loc1:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
loc eth1 192.168.1.255</programlisting>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 -</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
<programlisting>#ZONE HOSTS
loc1 eth1:192.168.2.0/24</programlisting>
<programlisting>#ZONE HOSTS OPTIONS
loc1 eth1:192.168.2.0/24 -</programlisting>
<para>If you don't need Shorewall to set up infrastructure to route
traffic between <quote>loc</quote> and <quote>loc1</quote>, add these
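Review bot: the new interfaces listing adds an OPTIONS column to the header, but the entry `loc eth1 -` supplies only three fields, while the hosts listing right below spells out `-` for OPTIONS; a reader cannot tell whether that `-` is the BROADCAST or the OPTIONS value. Either write `loc eth1 - -` or drop OPTIONS from the interfaces header so the two listings use the same convention.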
@ -248,13 +248,14 @@ loc2 ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
- eth1 192.168.1.255</programlisting>
- eth1 192.168.1.255
</programlisting>
<para><filename>/etc/shorewall/hosts</filename></para>
<programlisting>#ZONE HOSTS
loc1 eth1:192.168.1.0/24
loc2 eth1:192.168.2.0/24</programlisting>
<programlisting>#ZONE HOSTS OPTIONS
loc1 eth1:192.168.1.0/24 -
loc2 eth1:192.168.2.0/24 -</programlisting>
<para>You don't need Shorewall to set up infrastructure to route
traffic between <quote>loc</quote> and <quote>loc1</quote>, so add
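Review bot: the unchanged sentence at the end of this hunk still talks about routing between "loc" and "loc1", but the example it follows defines zones loc1 and loc2 (the interface entry is `- eth1 192.168.1.255`, so there is no loc zone in this section); while this text is being touched, change it to "loc1" and "loc2". Also, moving `</programlisting>` onto its own line after `- eth1 192.168.1.255` leaves a trailing newline inside the listing that renders as a blank line; keep the close tag on the last entry line as the other listings do.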
@ -287,10 +288,18 @@ loc1:loc ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST
loc eth1 192.168.1.255</programlisting>
loc eth1 -</programlisting>
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS
loc1 eth1:192.168.1.8/29</programlisting></para>
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS
loc1 eth1:192.168.1.8/29 broadcast</programlisting></para>
<para>The <option>broadcast</option> option causes limited broadcasts
(destination IP address 255.255.255.255) to be checked against the loc1
zone. If that zone allows the packet, then of course it will be seen by
the mempers of loc that are outside of loc1 as well. If the broadcast is
not specifically DROPped by the fw->loc1 rules then it will also be
checked against the fw->loc rules, even if there is a DROP or REJECT
fw->loc1 policy.</para>
<para>You probably don't want Shorewall to set up infrastructure to route
traffic between <quote>loc</quote> and <quote>loc1</quote> so you should
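Review bot: typo in the added paragraph: "mempers" should be "members". Two smaller points: the interfaces header here stays `#ZONE INTERFACE BROADCAST` while the entry becomes `loc eth1 -`, whereas the first hunk of this commit gave the same header an OPTIONS column, so the examples in this file now disagree on the column layout; and "not specifically DROPped by the fw->loc1 rules" reads more clearly as "not matched by a DROP rule in fw->loc1", which also makes the fall-through to the fw->loc rules easier to follow.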
@ -500,7 +500,7 @@ esac</programlisting><caution>
the table name</member>
</simplelist></para>
<para>To add a rule to the chain:<programlisting>add_rule( $chainref, <<emphasis>the rule</emphasis>> );</programlisting>Where<simplelist>
<para>To add a rule to the chain:<programlisting>add_rule( $chainref, <<emphasis>the rule</emphasis>> [ , <<emphasis>break lists</emphasis>> ] );</programlisting>Where<simplelist>
<member><<emphasis>the rule</emphasis>> is a scalar argument
holding the rule text. Do not include "-A <<emphasis>chain
name</emphasis>>"</member>
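Review bot: the signature now shows an optional `[ , <break lists> ]` argument, but the "Where" `<simplelist>` under it still has a `<member>` only for "the rule"; add a `<member>` for "break lists" (a value which, when true, causes a rule carrying more than 15 ports in a `--dports` or `--sports` list to be split, as the following paragraph explains) so the list matches the signature.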
@ -508,14 +508,16 @@ esac</programlisting><caution>
<para>The add_rule() function accepts an optional third argument; If
that argument evaluates to true and the passed rule contains a <emphasis
role="bold">--dports</emphasis> list with more than 15 ports (a port
role="bold">--dports</emphasis> or <emphasis
role="bold">--sports</emphasis> list with more than 15 ports (a port
range counts as two ports), the rule will be split into multiple rules
where each resulting rule has 15 or fewer ports in its <emphasis
role="bold">--dports</emphasis> list.</para>
role="bold">--dports</emphasis> and <emphasis
role="bold">--sports</emphasis> lists.</para>
<para>To insert a rule into the chain:<programlisting> insert_rule( $chainref, <<emphasis>rulenum</emphasis>>, <<emphasis>the rule</emphasis>> );</programlisting>The
<emphasis role="bold">log_rule_limit()</emphasis> function works like it
does in the shell compiler with three exceptions:<itemizedlist>
did in the shell compiler with three exceptions:<itemizedlist>
<listitem>
<para>You pass the chain reference rather than the name of the
chain.</para>
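Review bot: the paragraph refers to "an optional third argument" without naming it, while the signature in the previous hunk calls it "break lists"; use that name here so the two pieces of text connect. Also, "third argument; If" capitalises after a semicolon; either lower-case "if" or start a new sentence there. The 15-port limit with a range counting as two ports matches the iptables multiport match and reads correctly.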
@ -531,14 +533,14 @@ esac</programlisting><caution>
you must quote that part).</para>
</listitem>
</itemizedlist>Example:<programlisting>log_rule_limit(
'info' ,
$chainref ,
$chainref->{name},
'DROP' ,
'', #Limit
'' , #Log tag
'add', #Command
'-p tcp' #Pass as-is
'info' , #Log Level
$chainref , #Chain to add the rule to
$chainref->{name}, #Name of the chain as it will appear in the log prefix
'DROP' , #Disposition of the packet
'', #Limit
'' , #Log tag
'add', #Command
'-p tcp' #Added to the rule as-is
);</programlisting>Note that in the 'initdone' script, there is
no default chain (<emphasis role="bold">$chainref</emphasis>). You can
obtain a reference to a standard chain by:<programlisting>my $chainref = $chain_table{<<emphasis>table</emphasis>>}{<<emphasis>chain name</emphasis>>};</programlisting>Example:<programlisting>my $chainref = $chain_table{filter}{INPUT};</programlisting></para>
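Review bot: the new per-argument comments are a clear improvement, but the spacing before commas is inconsistent (`'info' ,` and `$chainref ,` versus `'add',`); drop the space before each comma and align the `#` comments in one column so the listing scans easily. One content point: the comment on `$chainref->{name}` says it is the name as it appears in the log prefix, which answers the obvious question raised by the first bullet above (a chain reference rather than a name is passed); it is worth stating outright that the third argument is used only for the log prefix.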
@ -191,13 +191,12 @@
</varlistentry>
<varlistentry>
<term>broadcast</term>
<term><emphasis role="bold">broadcast</emphasis></term>
<listitem>
<para>(Only supported by Shorewall-perl). Used when you want
to include limited broadcasts (destination IP address
255.255.255.255) from the firewall to this zone. Only
necessary when:</para>
<para>Used when you want to include limited broadcasts
(destination IP address 255.255.255.255) from the firewall to
this zone. Only necessary when:</para>
<orderedlist>
<listitem>
@ -215,13 +214,13 @@
</varlistentry>
<varlistentry>
<term>destonly</term>
<term><emphasis role="bold">destonly</emphasis></term>
<listitem>
<para>(Only supported by Shorewall-perl). Normally used with
the Multi-cast IP address range (224.0.0.0/4). Specifies that
traffic will be sent to the specified net(s) but that no
traffic will be received from the net(s).</para>
<para>Normally used with the Multi-cast IP address range
(224.0.0.0/4). Specifies that traffic will be sent to the
specified net(s) but that no traffic will be received from the
net(s).</para>
</listitem>
</varlistentry>
</variablelist>
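Review bot: style point in the reworded destonly description: "Multi-cast" should be "multicast", the usual spelling for the 224.0.0.0/4 range. Dropping "(Only supported by Shorewall-perl)" here is consistent with the same removal from the broadcast entry above.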