From 8a6941707a46d78551488b8ecb24ce2143a538cd Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 26 Mar 2016 09:01:02 -0700 Subject: [PATCH] Updates to the config basics article Signed-off-by: Tom Eastep --- docs/configuration_file_basics.xml | 112 ++++++++++++++--------------- 1 file changed, 56 insertions(+), 56 deletions(-) diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index bc14430e4..094135585 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -175,20 +175,23 @@ /etc/shorewall/init - commands that you - wish to execute at the beginning of a shorewall start - or shorewall restart. + wish to execute at the beginning of a shorewall + start, "shorewall reload" or shorewall + restart. /etc/shorewall/start - commands that you wish to execute near the completion of a shorewall - start or shorewall restart + start, "shorewall reload" or shorewall + restart /etc/shorewall/started - commands that you wish to execute after the completion of a shorewall - start or shorewall restart + start, "shorewall reload" or shorewall + restart @@ -1779,6 +1782,10 @@ SSH(ACCEPT) net:$MYIP $FW Macro files + + Action files + + shorewall-rules (5) @@ -2011,7 +2018,7 @@ SSH(ACCEPT) net:$MYIP $FW In this simple form, the expression is evaluated by the compiler without having to invoke the (expensive) Perl exec() function. The 'passed' function may also be used in more complex expressions, but exec() - will be invoked to evaluate those expressions. + will be invoked to evaluate those expressions.
@@ -2570,6 +2577,44 @@ Shorewall has detected the following iptables/netfilter capabilities: "!tcp").
+
+ Port Ranges + + If you need to specify a range of ports, the proper syntax is + <low port number>:<high port number>. For example, if you want + to forward the range of tcp ports 4000 through 4100 to local host + 192.168.1.3, the entry in /etc/shorewall/rules is: + + #ACTION SOURCE DESTINATION PROTO DPORT +DNAT net loc:192.168.1.3 tcp 4000:4100 + + If you omit the low port number, a value of zero is assumed; if you + omit the high port number, a value of 65535 is assumed. + + Also, unless otherwise documented, a port range can be preceded by + '!' to specify "All ports except those in this range" (e.g., + "!4000:4100"). +
+ +
+ Port Lists + + In most cases where a port or port range may appear, a + comma-separated list of ports or port ranges may also be entered. + Shorewall requires the Netfilter multiport match capability if ports lists are used + (see the output of "shorewall show + capabilities"). + + Also, unless otherwise documented, a port list can be preceded by + '!' to specify "All ports except these" (e.g., "!80,443"). + + Prior to Shorewall 4.4.4, port lists appearing in the shorewall-routestopped + (5) file may specify no more than 15 ports; port ranges appearing in a + list count as two ports each. +
+
ICMP and ICMP6 Types and Codes @@ -2646,44 +2691,6 @@ redirect => 137 Shorewall 4.4.19.
-
- Port Ranges - - If you need to specify a range of ports, the proper syntax is - <low port number>:<high port number>. For example, if you want - to forward the range of tcp ports 4000 through 4100 to local host - 192.168.1.3, the entry in /etc/shorewall/rules is: - - #ACTION SOURCE DESTINATION PROTO DPORT -DNAT net loc:192.168.1.3 tcp 4000:4100 - - If you omit the low port number, a value of zero is assumed; if you - omit the high port number, a value of 65535 is assumed. - - Also, unless otherwise documented, a port range can be preceded by - '!' to specify "All ports except those in this range" (e.g., - "!4000:4100"). -
- -
- Port Lists - - In most cases where a port or port range may appear, a - comma-separated list of ports or port ranges may also be entered. - Shorewall requires the Netfilter multiport match capability if ports lists are used - (see the output of "shorewall show - capabilities"). - - Also, unless otherwise documented, a port list can be preceded by - '!' to specify "All ports except these" (e.g., "!80,443"). - - Prior to Shorewall 4.4.4, port lists appearing in the shorewall-routestopped - (5) file may specify no more than 15 ports; port ranges appearing in a - list count as two ports each. -
-
Using MAC Addresses @@ -2736,9 +2743,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100< url="manpages/shorewall.conf.html">shorewall.conf (5): - LOGRATE=10/minute - - LOGBURST=5 + LOGLIMIT=10/minute:5 For each logging rule, the first time the rule is reached, the @@ -2750,11 +2755,6 @@ DNAT net loc:192.168.1.3 tcp 4000:4100< 30 seconds, the burst will be fully recharged; back where we started. - - The LOGRATE and LOGBURST options are deprecated in favor of - LOGLIMIT. - - Shorewall also supports per-IP rate limiting. Another example from 4000:4100< Condition Match Support and you must be running Shorewall 4.4.24 or later. See the output of shorewall show capabilities and shorewall version to - determine if you can use this feature. As of this writing, Condition Match - Support requires that you install xtables-addons. + determine if you can use this feature. The SWITCH column contains the name of a switch. Each switch is initially in the COM_IF If detect is specified in the ADDRESS column of an entry in shorewall-masq (5) then the - firewall still start if the optional interface in the INTERFACE column - does not have an IP address. + firewall still startS if the optional interface in the INTERFACE + column does not have an IP address. @@ -2972,7 +2971,8 @@ Comcast 2 0x20000 main COM_IF Shorewall allows you to have configuration directories other than /etc/shorewall. The shorewall - check, start and restart commands allow you to specify an alternate + check, start and + restart commands allow you to specify an alternate configuration directory and Shorewall will use the files in the alternate directory rather than the corresponding files in /etc/shorewall. The alternate directory need not contain a complete configuration; those files
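Review bot: in the @@ -175 hunk the three new mentions of `"shorewall reload"` are set in literal double quotes while the neighbouring `shorewall start` and `shorewall restart` on the same lines keep the command markup used throughout the article; the reload command should use the same element as its neighbours so the three commands render alike in each of the init/start/started paragraphs.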
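Review bot: in the @@ -1779 hunk the new "Action files" entry shows only a title; the adjacent "Macro files" entry is a cross-reference, so confirm the new entry carries a link of the same form that points at the action-files documentation rather than a copy of the macros target.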
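Review bot: the @@ -2570 and @@ -2646 hunks together are a pure move of the "Port Ranges" and "Port Lists" sections from after the ICMP section to before it, with the text carried over verbatim; while moving it, fix the typo "if ports lists are used" to "if port lists are used" in the Port Lists paragraph, and confirm that the two sections keep their ids so existing references to them still resolve in the new position.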
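Review bot: in the @@ -2736 hunk the example `LOGLIMIT=10/minute:5` replaces `LOGRATE=10/minute` and `LOGBURST=5`, but the paragraph that follows still explains the behaviour in terms of a rate and a burst that recharges; add one sentence saying that in LOGLIMIT the value before the colon is the rate (the old LOGRATE) and the value after it is the burst (the old LOGBURST), which is exactly the mapping the diff itself shows, so the reader can tie the explanation to the new setting.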
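Review bot: the @@ -2750 hunk deletes the note "The LOGRATE and LOGBURST options are deprecated in favor of LOGLIMIT" at the same time as the example stops showing those options, which leaves readers who still have LOGRATE/LOGBURST in an existing shorewall.conf with no pointer that they are deprecated; keep a one-line mention of the deprecation next to the LOGLIMIT example.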
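Review bot: in the Condition Match hunk the sentence "As of this writing, Condition Match Support requires that you install xtables-addons" is dropped without a replacement, so the remaining text no longer says where the match comes from; if the requirement no longer holds, replace it with a short statement of what is needed now, and if it still holds on some distributions, keep a softened form rather than deleting it, since the surrounding sentence still tells readers to check `shorewall show capabilities` for the feature.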
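Review bot: the masq/detect hunk introduces a typo: the new line reads "firewall still startS if the optional interface" with a capital S; it should read "firewall still starts if the optional interface".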