diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index 960706bab..340adee95 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -1151,6 +1151,58 @@ REDIRECT net $FW::81-90:random tcp www + + + Example 9: + + + Shorewall does not impose as much structure on the Netfilter + rules in the 'nat' table as it does on those in the filter table. As + a consequence, care must be exercised when using DNAT and REDIRECT + rules with zones defined with wildcard interfaces (those ending with + '+'. Here is an example: + + shorewall-zones(8): #ZONE TYPE OPTIONS + fw firewall + net ipv4 + dmz ipv4 + loc ipv4 + + shorewall-interfaces(8): #ZONE INTERFACE BROADCAST OPTIONS + net ppp0 + loc eth1 detect + dmz eth2 detect + - ppp+ # Addresses are assigned from 192.168.3.0/24 + + shorewall-host(8): #ZONE HOST(S) OPTIONS + loc ppp+:192.168.3.0/24 + + rules: + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + REDIRECT loc 3128 tcp 80 + + Note that it would have been tempting to simply define the + loc zone entirely in shorewall-interfaces(8): + + #******************* INCORRECT ***************** + #ZONE INTERFACE BROADCAST OPTIONS + net ppp0 + loc eth1 detect + loc ppp+ + dmz eth2 + + This would have made it impossible to run a + internet-accessible web server in the DMZ because all traffic + entering ppp+ interfaces would have been redirected to port 3128 on + the firewall and there would have been no net->fw ACCEPT rule for + that traffic. + +
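Review bot: the new Example 9 text has two wording defects worth fixing before merge: the wildcard sentence "(those ending with '+'. Here is an example:" is missing the closing parenthesis after '+', and the final paragraph should read "an internet-accessible web server" rather than "a internet-accessible". The rationale would also be stronger if it said outright why the INCORRECT configuration fails: ppp0, the net interface, is itself matched by the ppp+ wildcard, so a nat-table REDIRECT generated for the loc zone catches traffic arriving from the Internet on ppp0 as well; the recommended layout avoids this by leaving ppp+ unassigned ("-") in shorewall-interfaces(8) and qualifying the loc entry in the hosts file with 192.168.3.0/24, which limits the REDIRECT match to that source range. Minor consistency points: the label "shorewall-host(8):" should be "shorewall-hosts(8):" to match the actual manpage name and the plural shorewall-zones(8)/shorewall-interfaces(8) labels used just above it, the bare "rules:" heading could use the same "shorewall-rules(8):" form, and the INCORRECT block drops the "detect" BROADCAST value on the dmz line that the correct block carries, which makes the two snippets differ in more than the one line the text is contrasting.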