Updates to the config basics article

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-03-26 09:01:02 -07:00
parent 0b049a55e0
commit 8a6941707a


@ -175,20 +175,23 @@
<listitem> <listitem>
<para><filename>/etc/shorewall/init</filename> - commands that you <para><filename>/etc/shorewall/init</filename> - commands that you
wish to execute at the beginning of a <quote>shorewall start</quote> wish to execute at the beginning of a <quote>shorewall
or <quote>shorewall restart</quote>.</para> start</quote>, "shorewall reload" or <quote>shorewall
restart</quote>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/start</filename> - commands that you <para><filename>/etc/shorewall/start</filename> - commands that you
wish to execute near the completion of a <quote>shorewall wish to execute near the completion of a <quote>shorewall
start</quote> or <quote>shorewall restart</quote></para> start</quote>, "shorewall reload" or <quote>shorewall
restart</quote></para>
</listitem> </listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/started</filename> - commands that <para><filename>/etc/shorewall/started</filename> - commands that
you wish to execute after the completion of a <quote>shorewall you wish to execute after the completion of a <quote>shorewall
start</quote> or <quote>shorewall restart</quote></para> start</quote>, "shorewall reload" or <quote>shorewall
restart</quote></para>
</listitem> </listitem>
<listitem> <listitem>
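Review bot: the newly added "shorewall reload" in the init, start and started items is written with literal double quotes while the neighbouring start and restart commands in the same sentences use `<quote>` elements; use `<quote>shorewall reload</quote>` in all three items so the rendered output is consistent, e.g. `<quote>shorewall start</quote>, <quote>shorewall reload</quote> or <quote>shorewall restart</quote>`.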
@ -1779,6 +1782,10 @@ SSH(ACCEPT) net:$MYIP $FW
<para><ulink url="Macros.html">Macro</ulink> files</para> <para><ulink url="Macros.html">Macro</ulink> files</para>
</listitem> </listitem>
<listitem>
<para><ulink url="Actions.html">Action</ulink> files</para>
</listitem>
<listitem> <listitem>
<para><ulink <para><ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para> url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
@ -2011,7 +2018,7 @@ SSH(ACCEPT) net:$MYIP $FW
<para>In this simple form, the expression is evaluated by the compiler <para>In this simple form, the expression is evaluated by the compiler
without having to invoke the (expensive) Perl exec() function. The without having to invoke the (expensive) Perl exec() function. The
'passed' function may also be used in more complex expressions, but exec() 'passed' function may also be used in more complex expressions, but exec()
will be invoked to evaluate those expressions. </para> will be invoked to evaluate those expressions.</para>
</section> </section>
<section id="Conditional"> <section id="Conditional">
@ -2570,6 +2577,44 @@ Shorewall has detected the following iptables/netfilter capabilities:
"!tcp").</para> "!tcp").</para>
</section> </section>
<section id="Ranges">
<title>Port Ranges</title>
<para>If you need to specify a range of ports, the proper syntax is
&lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
to forward the range of tcp ports 4000 through 4100 to local host
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
<para>If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.</para>
<para>Also, unless otherwise documented, a port range can be preceded by
'!' to specify "All ports except those in this range" (e.g.,
"!4000:4100").</para>
</section>
<section id="Portlists">
<title>Port Lists</title>
<para>In most cases where a port or port range may appear, a
comma-separated list of ports or port ranges may also be entered.
Shorewall requires the Netfilter <emphasis
role="bold">multiport</emphasis> match capability if ports lists are used
(see the output of "<emphasis role="bold">shorewall show
capabilities</emphasis>").</para>
<para>Also, unless otherwise documented, a port list can be preceded by
'!' to specify "All ports except these" (e.g., "!80,443").</para>
<para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
(5) file may specify no more than 15 ports; port ranges appearing in a
list count as two ports each.</para>
</section>
<section id="ICMP"> <section id="ICMP">
<title>ICMP and ICMP6 Types and Codes</title> <title>ICMP and ICMP6 Types and Codes</title>
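Review bot: since the Port Ranges and Port Lists sections are being relocated anyway, fix the wording in the moved text instead of carrying it over unchanged: "if ports lists are used" should read "if port lists are used", and "Prior to Shorewall 4.4.4, port lists ... may specify no more than 15 ports" describes an old limit and should be past tense ("could specify"). The sections keep the ids Ranges and Portlists, so the original copies must be deleted in this same commit or the document ends up with duplicate ids.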
@ -2646,44 +2691,6 @@ redirect =&gt; 137</programlisting>
Shorewall 4.4.19.</para> Shorewall 4.4.19.</para>
</section> </section>
<section id="Ranges">
<title>Port Ranges</title>
<para>If you need to specify a range of ports, the proper syntax is
&lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
to forward the range of tcp ports 4000 through 4100 to local host
192.168.1.3, the entry in /etc/shorewall/rules is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100</emphasis></programlisting>
<para>If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.</para>
<para>Also, unless otherwise documented, a port range can be preceded by
'!' to specify "All ports except those in this range" (e.g.,
"!4000:4100").</para>
</section>
<section id="Portlists">
<title>Port Lists</title>
<para>In most cases where a port or port range may appear, a
comma-separated list of ports or port ranges may also be entered.
Shorewall requires the Netfilter <emphasis
role="bold">multiport</emphasis> match capability if ports lists are used
(see the output of "<emphasis role="bold">shorewall show
capabilities</emphasis>").</para>
<para>Also, unless otherwise documented, a port list can be preceded by
'!' to specify "All ports except these" (e.g., "!80,443").</para>
<para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
(5) file may specify no more than 15 ports; port ranges appearing in a
list count as two ports each.</para>
</section>
<section id="MAC"> <section id="MAC">
<title>Using MAC Addresses</title> <title>Using MAC Addresses</title>
@ -2736,9 +2743,7 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para> url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
<simplelist> <simplelist>
<member>LOGRATE=10/minute</member> <member>LOGLIMIT=10/minute:5</member>
<member>LOGBURST=5</member>
</simplelist> </simplelist>
<para>For each logging rule, the first time the rule is reached, the <para>For each logging rule, the first time the rule is reached, the
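Review bot: LOGLIMIT=10/minute:5 folds the old LOGRATE/LOGBURST pair into a single rate:burst setting, but the paragraph that follows still explains the behaviour in terms of a rate and a burst without saying which part of 10/minute:5 is which; add a clause such as "the value before the colon is the rate, the value after it is the burst" so the 30-second recharge arithmetic below still follows from the example. Also check that the sentence introducing this simplelist no longer names LOGRATE and LOGBURST.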
@ -2750,11 +2755,6 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
30 seconds, the burst will be fully recharged; back where we 30 seconds, the burst will be fully recharged; back where we
started.</para> started.</para>
<note>
<para>The LOGRATE and LOGBURST options are deprecated in favor of
LOGLIMIT.</para>
</note>
<para>Shorewall also supports per-IP rate limiting.</para> <para>Shorewall also supports per-IP rate limiting.</para>
<para>Another example from <ulink <para>Another example from <ulink
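Review bot: with the LOGRATE/LOGBURST example replaced in this commit, deleting this note removes the article's only statement that those two options are deprecated in favor of LOGLIMIT, so readers migrating an existing shorewall.conf lose that pointer. Consider keeping a one-line mention ("LOGRATE and LOGBURST are deprecated; use LOGLIMIT") or a cross-reference to shorewall.conf(5) where the deprecation is documented.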
@ -2788,8 +2788,7 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
<firstterm>Condition Match Support</firstterm> and you must be running <firstterm>Condition Match Support</firstterm> and you must be running
Shorewall 4.4.24 or later. See the output of <command>shorewall show Shorewall 4.4.24 or later. See the output of <command>shorewall show
capabilities</command> and <command>shorewall version</command> to capabilities</command> and <command>shorewall version</command> to
determine if you can use this feature. As of this writing, Condition Match determine if you can use this feature.</para>
Support requires that you install xtables-addons.</para>
<para>The SWITCH column contains the name of a <para>The SWITCH column contains the name of a
<firstterm>switch.</firstterm> Each switch is initially in the <emphasis <firstterm>switch.</firstterm> Each switch is initially in the <emphasis
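Review bot: the deleted sentence was the only hint of where Condition Match Support comes from; after this change a reader whose `shorewall show capabilities` output lacks it has nothing to act on. If the xtables-addons statement is simply out of date, replace it with the current guidance on obtaining the match rather than dropping it.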
@ -2953,8 +2952,8 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
<para>If <emphasis role="bold">detect</emphasis> is specified in the <para>If <emphasis role="bold">detect</emphasis> is specified in the
ADDRESS column of an entry in <ulink ADDRESS column of an entry in <ulink
url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
firewall still start if the optional interface in the INTERFACE column firewall still startS if the optional interface in the INTERFACE
does not have an IP address.</para> column does not have an IP address.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
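Review bot: "startS" carries a stray capital S, so the typo fix introduces a new one; the line should read "then the firewall will still start if the optional interface in the INTERFACE column does not have an IP address" (or "still starts").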
@ -2972,7 +2971,8 @@ Comcast 2 0x20000 main <emphasis role="bold">COM_IF</emphasis>
<para>Shorewall allows you to have configuration directories other than <para>Shorewall allows you to have configuration directories other than
<filename class="directory">/etc/shorewall</filename>. The shorewall <filename class="directory">/etc/shorewall</filename>. The shorewall
check, start and restart commands allow you to specify an alternate <command>check</command>, <command>start</command> and
<command>restart</command> commands allow you to specify an alternate
configuration directory and Shorewall will use the files in the alternate configuration directory and Shorewall will use the files in the alternate
directory rather than the corresponding files in /etc/shorewall. The directory rather than the corresponding files in /etc/shorewall. The
alternate directory need not contain a complete configuration; those files alternate directory need not contain a complete configuration; those files
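Review bot: this commit adds "shorewall reload" beside start and restart in the init, start and started items earlier in the file; if reload also accepts an alternate configuration directory, it belongs in this list as well, i.e. `<command>check</command>, <command>start</command>, <command>reload</command> and <command>restart</command>`, otherwise the two passages read as if reload were not a first-class command.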