forked from extern/shorewall_code
More documentation cleanup for 4.4
This commit is contained in:
parent
589df0dc57
commit
793a929051
@ -209,13 +209,13 @@ loc1:loc ipv4</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
loc eth1 192.168.1.255</programlisting>
|
loc eth1 -</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||||
|
|
||||||
<programlisting>#ZONE HOSTS
|
<programlisting>#ZONE HOSTS OPTIONS
|
||||||
loc1 eth1:192.168.2.0/24</programlisting>
|
loc1 eth1:192.168.2.0/24 -</programlisting>
|
||||||
|
|
||||||
<para>If you don't need Shorewall to set up infrastructure to route
|
<para>If you don't need Shorewall to set up infrastructure to route
|
||||||
traffic between <quote>loc</quote> and <quote>loc1</quote>, add these
|
traffic between <quote>loc</quote> and <quote>loc1</quote>, add these
|
||||||
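Review bot: the interfaces listing replaces the explicit `192.168.1.255` broadcast with `-` and gains an OPTIONS column, but the prose around it is unchanged, so a reader gets no hint that the BROADCAST value no longer needs to be supplied in 4.4; a short sentence beside the listing would avoid the question. The hosts header now reads `#ZONE HOSTS OPTIONS` with `-` filled in, which is consistent with the later hosts examples in this file.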
@ -248,13 +248,14 @@ loc2 ipv4</programlisting>
|
|||||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST
|
<programlisting>#ZONE INTERFACE BROADCAST
|
||||||
- eth1 192.168.1.255</programlisting>
|
- eth1 192.168.1.255
|
||||||
|
</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||||
|
|
||||||
<programlisting>#ZONE HOSTS
|
<programlisting>#ZONE HOSTS OPTIONS
|
||||||
loc1 eth1:192.168.1.0/24
|
loc1 eth1:192.168.1.0/24 -
|
||||||
loc2 eth1:192.168.2.0/24</programlisting>
|
loc2 eth1:192.168.2.0/24 -</programlisting>
|
||||||
|
|
||||||
<para>You don't need Shorewall to set up infrastructure to route
|
<para>You don't need Shorewall to set up infrastructure to route
|
||||||
traffic between <quote>loc</quote> and <quote>loc1</quote>, so add
|
traffic between <quote>loc</quote> and <quote>loc1</quote>, so add
|
||||||
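Review bot: this interfaces listing is inconsistent with the one in the previous hunk: the header keeps `#ZONE INTERFACE BROADCAST` with no OPTIONS column and the entry still carries `192.168.1.255`, where the earlier example switched to `-`. Moving `</programlisting>` onto its own line also adds a trailing blank line to the rendered listing that the other listings do not have; suggest keeping the close tag on the entry line and applying the same header and `-` value as in the first example.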
@ -287,10 +288,18 @@ loc1:loc ipv4</programlisting>
|
|||||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST
|
<programlisting>#ZONE INTERFACE BROADCAST
|
||||||
loc eth1 192.168.1.255</programlisting>
|
loc eth1 -</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS
|
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS
|
||||||
loc1 eth1:192.168.1.8/29</programlisting></para>
|
loc1 eth1:192.168.1.8/29 broadcast</programlisting></para>
|
||||||
|
|
||||||
|
<para>The <option>broadcast</option> option causes limited broadcasts
|
||||||
|
(destination IP address 255.255.255.255) to be checked against the loc1
|
||||||
|
zone. If that zone allows the packet, then of course it will be seen by
|
||||||
|
the mempers of loc that are outside of loc1 as well. If the broadcast is
|
||||||
|
not specifically DROPped by the fw->loc1 rules then it will also be
|
||||||
|
checked against the fw->loc rules, even if there is a DROP or REJECT
|
||||||
|
fw->loc1 policy.</para>
|
||||||
|
|
||||||
<para>You probably don't want Shorewall to set up infrastructure to route
|
<para>You probably don't want Shorewall to set up infrastructure to route
|
||||||
traffic between <quote>loc</quote> and <quote>loc1</quote> so you should
|
traffic between <quote>loc</quote> and <quote>loc1</quote> so you should
|
||||||
|
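Review bot: typo in the new paragraph, "mempers" should be "members". The same header inconsistency recurs here: `#ZONE INTERFACE BROADCAST` is left as is while the value becomes `-`; since this is the example the new `broadcast` option text refers to, the OPTIONS column should be added so the interfaces and hosts listings line up. The new paragraph is a useful addition; consider stating explicitly that the `broadcast` option is what makes the fw->loc1 rules apply to 255.255.255.255 traffic, so the sentence about the fw->loc1 policy not stopping the packet reads as a consequence rather than a surprise.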
@ -500,7 +500,7 @@ esac</programlisting><caution>
|
|||||||
the table name</member>
|
the table name</member>
|
||||||
</simplelist></para>
|
</simplelist></para>
|
||||||
|
|
||||||
<para>To add a rule to the chain:<programlisting>add_rule( $chainref, <<emphasis>the rule</emphasis>> );</programlisting>Where<simplelist>
|
<para>To add a rule to the chain:<programlisting>add_rule( $chainref, <<emphasis>the rule</emphasis>> [ , <<emphasis>break lists</emphasis>> ] );</programlisting>Where<simplelist>
|
||||||
<member><<emphasis>the rule</emphasis>> is a scalar argument
|
<member><<emphasis>the rule</emphasis>> is a scalar argument
|
||||||
holding the rule text. Do not include "-A <<emphasis>chain
|
holding the rule text. Do not include "-A <<emphasis>chain
|
||||||
name</emphasis>>"</member>
|
name</emphasis>>"</member>
|
||||||
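Review bot: the synopsis now shows an optional `[ , <break lists> ]` argument, but the `<simplelist>` that follows still documents only `<the rule>`; add a `<member>` for `<break lists>` describing it as the boolean that enables port-list splitting, so the list matches the signature and the reader does not have to find the explanation in the next paragraph.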
@ -508,14 +508,16 @@ esac</programlisting><caution>
|
|||||||
|
|
||||||
<para>The add_rule() function accepts an optional third argument; If
|
<para>The add_rule() function accepts an optional third argument; If
|
||||||
that argument evaluates to true and the passed rule contains a <emphasis
|
that argument evaluates to true and the passed rule contains a <emphasis
|
||||||
role="bold">--dports</emphasis> list with more than 15 ports (a port
|
role="bold">--dports</emphasis> or <emphasis
|
||||||
|
role="bold">--sports</emphasis> list with more than 15 ports (a port
|
||||||
range counts as two ports), the rule will be split into multiple rules
|
range counts as two ports), the rule will be split into multiple rules
|
||||||
where each resulting rule has 15 or fewer ports in its <emphasis
|
where each resulting rule has 15 or fewer ports in its <emphasis
|
||||||
role="bold">--dports</emphasis> list.</para>
|
role="bold">--dports</emphasis> and <emphasis
|
||||||
|
role="bold">--sports</emphasis> lists.</para>
|
||||||
|
|
||||||
<para>To insert a rule into the chain:<programlisting> insert_rule( $chainref, <<emphasis>rulenum</emphasis>>, <<emphasis>the rule</emphasis>> );</programlisting>The
|
<para>To insert a rule into the chain:<programlisting> insert_rule( $chainref, <<emphasis>rulenum</emphasis>>, <<emphasis>the rule</emphasis>> );</programlisting>The
|
||||||
<emphasis role="bold">log_rule_limit()</emphasis> function works like it
|
<emphasis role="bold">log_rule_limit()</emphasis> function works like it
|
||||||
does in the shell compiler with three exceptions:<itemizedlist>
|
did in the shell compiler with three exceptions:<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>You pass the chain reference rather than the name of the
|
<para>You pass the chain reference rather than the name of the
|
||||||
chain.</para>
|
chain.</para>
|
||||||
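Review bot: the splitting text now covers both `--dports` and `--sports`, but it does not say what happens when both lists exceed 15 entries; if the result is one rule per combination of sub-lists, say so, since the rule count then grows multiplicatively and affects the size of the generated ruleset. Minor: "; If" should be "; if" (or end the first clause with a full stop). Changing "works like it does" to "did in the shell compiler" reads correctly for 4.4.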
@ -531,14 +533,14 @@ esac</programlisting><caution>
|
|||||||
you must quote that part).</para>
|
you must quote that part).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>Example:<programlisting>log_rule_limit(
|
</itemizedlist>Example:<programlisting>log_rule_limit(
|
||||||
'info' ,
|
'info' , #Log Level
|
||||||
$chainref ,
|
$chainref , #Chain to add the rule to
|
||||||
$chainref->{name},
|
$chainref->{name}, #Name of the chain as it will appear in the log prefix
|
||||||
'DROP' ,
|
'DROP' , #Disposition of the packet
|
||||||
'', #Limit
|
'', #Limit
|
||||||
'' , #Log tag
|
'' , #Log tag
|
||||||
'add', #Command
|
'add', #Command
|
||||||
'-p tcp' #Pass as-is
|
'-p tcp' #Added to the rule as-is
|
||||||
);</programlisting>Note that in the 'initdone' script, there is
|
);</programlisting>Note that in the 'initdone' script, there is
|
||||||
no default chain (<emphasis role="bold">$chainref</emphasis>). You can
|
no default chain (<emphasis role="bold">$chainref</emphasis>). You can
|
||||||
obtain a reference to a standard chain by:<programlisting>my $chainref = $chain_table{<<emphasis>table</emphasis>>}{<<emphasis>chain name</emphasis>>};</programlisting>Example:<programlisting>my $chainref = $chain_table{filter}{INPUT};</programlisting></para>
|
obtain a reference to a standard chain by:<programlisting>my $chainref = $chain_table{<<emphasis>table</emphasis>>}{<<emphasis>chain name</emphasis>>};</programlisting>Example:<programlisting>my $chainref = $chain_table{filter}{INPUT};</programlisting></para>
|
||||||
|
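Review bot: the added comments make the example far clearer, but the columns are uneven (`'info' ,` and `'DROP' ,` have a space before the comma, `'add',` and `'',` do not), and the `#` comments start at different offsets; aligning the commas and comment column would make the argument order easier to scan. The `'-p tcp' #Added to the rule as-is` comment is the right wording; "Pass as-is" did not say what it was passed to.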
@ -191,13 +191,12 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>broadcast</term>
|
<term><emphasis role="bold">broadcast</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>(Only supported by Shorewall-perl). Used when you want
|
<para>Used when you want to include limited broadcasts
|
||||||
to include limited broadcasts (destination IP address
|
(destination IP address 255.255.255.255) from the firewall to
|
||||||
255.255.255.255) from the firewall to this zone. Only
|
this zone. Only necessary when:</para>
|
||||||
necessary when:</para>
|
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
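Review bot: bolding the `<term>` with `<emphasis role="bold">` is applied only to the terms touched here; check that every term in this variablelist gets the same treatment, otherwise the rendered option list will be uneven. Removing "(Only supported by Shorewall-perl)" is fine for a 4.4 manpage, but the same qualifier probably appears on other options in this file and should be removed in one pass rather than per option.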
@ -215,13 +214,13 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>destonly</term>
|
<term><emphasis role="bold">destonly</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>(Only supported by Shorewall-perl). Normally used with
|
<para>Normally used with the Multi-cast IP address range
|
||||||
the Multi-cast IP address range (224.0.0.0/4). Specifies that
|
(224.0.0.0/4). Specifies that traffic will be sent to the
|
||||||
traffic will be sent to the specified net(s) but that no
|
specified net(s) but that no traffic will be received from the
|
||||||
traffic will be received from the net(s).</para>
|
net(s).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
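Review bot: "Multi-cast" should be "multicast". Now that the Shorewall-perl qualifier is gone, consider leading with what the option does ("Specifies that traffic will be sent to the specified net(s) but that no traffic will be received from the net(s).") and following with the typical use (the multicast range 224.0.0.0/4), so the effect comes before the example.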