From 8e7f001f7e9b2c8d6919fc681b8f60608fc88eee Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 4 Dec 2015 14:53:26 -0800 Subject: [PATCH] Update manpages for column renaming Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 11 +- Shorewall/manpages/shorewall-accounting.xml | 30 +- Shorewall/manpages/shorewall-arprules.xml | 2 +- Shorewall/manpages/shorewall-conntrack.xml | 35 +- Shorewall/manpages/shorewall-exclusion.xml | 3 +- Shorewall/manpages/shorewall-ipsets.xml | 4 +- Shorewall/manpages/shorewall-mangle.xml | 33 +- Shorewall/manpages/shorewall-masq.xml | 17 +- Shorewall/manpages/shorewall-nat.xml | 13 +- Shorewall/manpages/shorewall-nesting.xml | 10 +- Shorewall/manpages/shorewall-netmap.xml | 8 +- Shorewall/manpages/shorewall-rules.xml | 98 +- Shorewall/manpages/shorewall-secmarks.xml | 16 +- Shorewall/manpages/shorewall-stoppedrules.xml | 17 +- Shorewall/manpages/shorewall-tcfilters.xml | 15 +- Shorewall6/manpages/shorewall6-accounting.xml | 33 +- Shorewall6/manpages/shorewall6-blacklist.xml | 217 --- Shorewall6/manpages/shorewall6-conntrack.xml | 28 +- Shorewall6/manpages/shorewall6-ipsets.xml | 4 +- Shorewall6/manpages/shorewall6-mangle.xml | 30 +- Shorewall6/manpages/shorewall6-masq.xml | 10 +- Shorewall6/manpages/shorewall6-nat.xml | 7 +- Shorewall6/manpages/shorewall6-nesting.xml | 2 +- Shorewall6/manpages/shorewall6-netmap.xml | 8 +- Shorewall6/manpages/shorewall6-rules.xml | 56 +- Shorewall6/manpages/shorewall6-secmarks.xml | 27 +- .../manpages/shorewall6-stoppedrules.xml | 17 +- Shorewall6/manpages/shorewall6-tcfilters.xml | 17 +- Shorewall6/manpages/shorewall6-tcrules.xml | 1240 ----------------- Shorewall6/manpages/shorewall6-tos.xml | 181 --- 30 files changed, 290 insertions(+), 1899 deletions(-) delete mode 100644 Shorewall6/manpages/shorewall6-blacklist.xml delete mode 100644 Shorewall6/manpages/shorewall6-tcrules.xml delete mode 100644 Shorewall6/manpages/shorewall6-tos.xml 
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index b72e5dfe1..83b3578fc 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1052,11 +1052,12 @@ show_command() {
 conntrack -f ipv6 -L $@ | show_connections_filter
 else
 [ $# -gt 1 ] && usage 1
- local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
- local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
- echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
- echo
- grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
+ if [ -f /proc/sys/net/netfilter/nf_conntrack_count -a -f /proc/sys/net/nf_conntrack ]; then
+ local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+ local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+ echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+ echo
+ grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
 fi
 ;;
 nat)
diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml
index c0ba3602a..ab1189f55 100644
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -403,13 +403,15 @@
- DESTINATION (dest) - {DEST - {-|any|all|interface|interface:address|address} + This column was formerly named DESTINATION. + Packet Destination. Format same as SOURCE
@@ -418,7 +420,7 @@
- PROTOCOL (proto) - {PROTO - {-|{any|all|protocol-name|protocol-number|all}]}[,...]} + This column was formerly named PROTOCOL + A protocol-name (from protocols(5)), a protocol-number, ipp2p, - DEST PORT(S) (dport) - - {-|DPORT - {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
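Review bot: The new guard in the ipv6 connections branch of show_command tests `/proc/sys/net/nf_conntrack`, but the line it protects reads `/proc/net/nf_conntrack`, so on a host where the conntrack module is loaded the second test fails and the whole listing is skipped silently; the guard should test the file that is actually read, e.g. `if [ -f /proc/sys/net/netfilter/nf_conntrack_count ] && [ -f /proc/net/nf_conntrack ]; then`, which also drops the non-portable `-a` inside `[ ]`. Because nothing is printed when the guard fails, a short `echo` on an else path, or at least a comment such as `# skipped when nf_conntrack is not loaded`, would make the empty output explainable to an operator. The hunk header counts (11 old, 12 new: six added lines against five removed) leave only the one pre-existing `fi` on the new side, which cannot close both the outer `if ... else` and the newly added inner `if`; unless a line was lost when this diff was collapsed, the patched function has an unterminated `if`. show_command begins before this hunk.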
@@ -460,12 +464,14 @@ ("iptables -m ipp2p --help") without the leading "--". If no option is given in this column, ipp2p is assumed. + + This column was formerly named DEST PORT(S). - SOURCE PORT(S) (sport)- - {-|SPORT - {-|any|all|port-name-or-number[,port-name-or-number]...} @@ -482,20 +488,22 @@ column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. + DPORT. Use of '=' requires multi-port match in your iptables and + kernel. + + This column was formerly labelled SOURCE PORT(S). - USER/GROUP (user) - [USER - [!][user-name-or-number][:group-name-or-number][+program-name] - This column may only be non-empty if the CHAIN is This column was formerly named USER/GROUP and may only be + non-empty if the CHAIN is OUTPUT. When this column is non-empty, the rule applies only if the diff --git a/Shorewall/manpages/shorewall-arprules.xml b/Shorewall/manpages/shorewall-arprules.xml index f21b50eb3..5e817ee5e 100644 --- a/Shorewall/manpages/shorewall-arprules.xml +++ b/Shorewall/manpages/shorewall-arprules.xml @@ -273,7 +273,7 @@ - ARP OPCODE - [[!]opcode] + OPCODE - [[!]opcode] Optional. Describes the type of frame. Possible diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml index c5617ab9e..dd6c40264 100644 --- a/Shorewall/manpages/shorewall-conntrack.xml +++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -424,7 +424,7 @@ - DEST PORT(S) (dport) - port-number/service-name-list + DPORT - port-number/service-name-list A comma-separated list of port numbers and/or service names 
@@ -432,11 +432,13 @@ ranges of the form low-port:high-port if your kernel and iptables include port range support. + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) - port-number/service-name-list + SPORT - port-number/service-name-list A comma-separated list of port numbers and/or service names @@ -446,22 +448,24 @@ if your kernel and iptables include port range support. Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. + column, provided that the DPORT column is non-empty. This causes the + rule to match when either the source port or the destination port in + a packet matches one of the ports specified in DPORT. Use of '=' + requires multi-port match in your iptables and kernel. + + This column was formerly labelled SOURCE PORT(S). - USER/GROUP (user) ‒ + USER ‒ [user][:group] - May only be specified if the SOURCE - zone is $FW. Specifies the effective user - id and or group id of the process sending the traffic. + This column was formerly named USER/GROUP and may only be + specified if the SOURCE zone is $FW. + Specifies the effective user id and or group id of the process + sending the traffic. @@ -520,8 +524,7 @@ Example 1: - #ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP -# PORT(S) PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER CT:helper:ftp(expevents=new) fw - tcp 21 Example 2 (Shorewall 4.5.10 or later): 
@@ -529,14 +532,12 @@ CT:helper:ftp(expevents=new) fw - tcp Drop traffic to/from all zones to IP address 1.2.3.4 FORMAT 2 -#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP -# PORT(S) PORT(S) +#ACTION SOURCE DEST PROTO DPORT SPORT USER DROP all-:1.2.3.4 - DROP all 1.2.3.4 orFORMAT 3 -#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP -# PORT(S) PORT(S) +#ACTION SOURCE DEST PROTO DPORT SPORT USER DROP:P 1.2.3.4 - DROP:PO - 1.2.3.4 diff --git a/Shorewall/manpages/shorewall-exclusion.xml b/Shorewall/manpages/shorewall-exclusion.xml index 6f414fbb2..e3b9952ad 100644 --- a/Shorewall/manpages/shorewall-exclusion.xml +++ b/Shorewall/manpages/shorewall-exclusion.xml @@ -76,8 +76,7 @@ z2 net REJECT /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) + #ACTION SOURCE DEST PROTO DPORT ACCEPT all!z2 net tcp 22 In this case, SSH connections from dst. Example: myset[src,dst]. - In a SOURCE or SOURCE PORT(S) column, the following pairs are + In a SOURCE or SPORT column, the following pairs are equivalent: @@ -66,7 +66,7 @@ - In a DEST or DEST PORT(S) column, the following pairs are + In a DEST or DPORT column, the following pairs are equivalent: diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml index 3dce4acf7..1a8e17ddc 100644 --- a/Shorewall/manpages/shorewall-mangle.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -570,8 +570,7 @@ INLINE eth0 - ; -p tcp -j MARK --set that problem. SAME may be used in the PREROUTING and OUTPUT chains. When used in PREROUTING, it causes matching connections from an individual local system to all use the - same provider. For example: #ACTION SOURCE DEST PROTO DEST -# PORT(S) + same provider. For example: #ACTION SOURCE DEST PROTO DPORT SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443 and it has sent a packet on either of those ports in 
@@ -581,8 +580,7 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 When used in the OUTPUT chain, it causes all matching connections to an individual remote system to all use the same - provider. For example:#ACTION SOURCE DEST PROTO DEST -# PORT(S) + provider. For example:#ACTION SOURCE DEST PROTO DPORT SAME $FW 0.0.0.0/0 tcp 80,443The optional timeout parameter was added in Shorewall 4.6.7 and specifies a number of seconds . @@ -835,7 +833,7 @@ Normal-Service => 0x00 - PORT(S) (dport) - {DPORT- {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} @@ -863,12 +861,13 @@ Normal-Service => 0x00 ipset name can be specified in this column. This is intended to be used with bitmap:port ipsets. + + This column was formerly named DEST PORT(S). - SOURCE PORT(S) (sport) - - {SPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} @@ -882,16 +881,17 @@ Normal-Service => 0x00 the following fields is supplied. Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. + column, provided that the DPORT column is non-empty. This causes the + rule to match when either the source port or the destination port in + a packet matches one of the ports specified in DEST PORTS(S). Use of + '=' requires multi-port match in your iptables and kernel. Beginning with Shorewall 4.6.0, an ipset name can be specified in this column. This is intended to be used with bitmap:port ipsets. + + This column was formerly labelled SOURCE PORT(S). 
@@ -1097,8 +1097,7 @@ Normal-Service => 0x00 by the named helper module. Example: Mark all FTP data connections with mark - 4:#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER -# PORT(S) + 4:#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER 4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp @@ -1287,8 +1286,7 @@ Normal-Service => 0x00 We assume packet/connection mark 0 means unclassified. - #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0 @@ -1313,8 +1311,7 @@ Normal-Service => 0x00 /etc/shorewall/tcrules: - #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW /etc/shorewall/masq: diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml index 3d5c7bc82..01ffc1e93 100644 --- a/Shorewall/manpages/shorewall-masq.xml +++ b/Shorewall/manpages/shorewall-masq.xml @@ -249,7 +249,7 @@ - PORT(S) (Optional) - + PORT (Optional) - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset} @@ -429,13 +429,14 @@ - USER/GROUP (Optional) - - [USER (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name] + This column was formerly labelled USER/GROUP. + Only locally-generated connections will match if this column is non-empty. @@ -538,8 +539,7 @@ - ORIGINAL DEST (origdest) - - [ORIGDEST - [-|address[,address]...[exclusion]|exclusion] @@ -550,6 +550,8 @@ original destination address matches one of the listed addresses. It is useful for specifying that SNAT should occur only for connections that were acted on by a DNAT when they entered the firewall. + + This column was formerly labelled ORIGINAL DEST. 
@@ -639,7 +641,7 @@ 172.20.1.0/29 to be sent from eth0 with source IP address 206.124.146.176. - #INTERFACE SOURCE ADDRESS PROTO PORT(S) + #INTERFACE SOURCE ADDRESS PROTO DPORT eth0 172.20.1.0/29 206.124.146.177 tcp smtp eth0 172.20.1.0/29 206.124.146.176 @@ -672,8 +674,7 @@ /etc/shorewall/tcrules: - #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST 1-3:CF 192.168.1.0/24 eth0 ; state=NEW /etc/shorewall/masq: diff --git a/Shorewall/manpages/shorewall-nat.xml b/Shorewall/manpages/shorewall-nat.xml index e58080895..8876c1307 100644 --- a/Shorewall/manpages/shorewall-nat.xml +++ b/Shorewall/manpages/shorewall-nat.xml @@ -106,15 +106,16 @@ - ALL INTERFACES (allints) - - [Yes|No] + ALLINTS - [Yes|No] If Yes or yes, NAT will be effective from all hosts. If No or no (or left empty) then NAT will be effective only through the interface named in the INTERFACE column. + + This column was formerly labelled ALL INTERFACES. @@ -160,8 +161,7 @@ smc eth0:10.1.10.0/24 /etc/shorewall/nat: - #EXTERNAL INTERFACE INTERNAL ALL LOCAL -# INTERFACES + #EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL 10.1.10.100 eth0 172.20.1.100 @@ -170,8 +170,7 @@ smc eth0:10.1.10.0/24 /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER -# PORT PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED diff --git a/Shorewall/manpages/shorewall-nesting.xml b/Shorewall/manpages/shorewall-nesting.xml index 9287998cd..48598e82a 100644 --- a/Shorewall/manpages/shorewall-nesting.xml +++ b/Shorewall/manpages/shorewall-nesting.xml @@ -82,7 +82,7 @@ Partial /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT ... DNAT sam loc:192.168.1.3 tcp ssh DNAT net loc:192.168.1.5 tcp www 
@@ -100,7 +100,7 @@ Because of the way that Netfilter is constructed, this requires two rules as follows: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT ... ACCEPT+ sam $FW tcp ssh DNAT net loc:192.168.1.3 tcp ssh @@ -143,8 +143,7 @@ As a consequence, the following rules will have unexpected - behavior: #ACTION SOURCE DEST PROTO DEST - # PORT(S) + behavior: #ACTION SOURCE DEST PROTO DPORT ACCEPT net dmz tcp 80 REDIRECT loc 3128 tcp 80 @@ -173,8 +172,7 @@ When using other Shorewall versions, another way is to rewrite the DNAT rule (assume that the local zone is entirely within - 192.168.2.0/23): #ACTION SOURCE DEST PROTO DEST - # PORT(S) + 192.168.2.0/23): #ACTION SOURCE DEST PROTO DPORT ACCEPT net dmz tcp 80 REDIRECT loc:192.168.2.0/23 3128 tcp 80 diff --git a/Shorewall/manpages/shorewall-netmap.xml b/Shorewall/manpages/shorewall-netmap.xml index f9018b3c6..5c461928f 100644 --- a/Shorewall/manpages/shorewall-netmap.xml +++ b/Shorewall/manpages/shorewall-netmap.xml @@ -137,7 +137,7 @@ - DEST PORT(S) (dport) - + DPORT - port-number-or-name-list @@ -160,11 +160,13 @@ An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following field is supplied. + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) - + SPORT - port-number-or-name-list @@ -176,6 +178,8 @@ An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following fields is supplied. + + This column was formerly labelled SOURCE PORT(S). diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index e59b628dd..d001acd1c 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml 
@@ -173,9 +173,9 @@ The remaining columns specify characteristics of the packet - before rewriting. In particular, the ORIGINAL DEST column gives the - original destination IP address of the packet and the DEST PORT(S) - column give the original destination port(s). + before rewriting. In particular, the ORIGDEST column gives the + original destination IP address of the packet and the DPORT column + give the original destination port(s). @@ -1201,8 +1201,7 @@ - DEST PORT(S) (dport) - - {DPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} @@ -1234,7 +1233,7 @@ If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and the - CLIENT PORT(S) list below: + SPORT list below: 1. There are 15 or less ports listed. @@ -1245,12 +1244,13 @@ ipset name can be specified in this column. This is intended to be used with bitmap:port ipsets. + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) - - {SPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} @@ -1260,11 +1260,10 @@ names, port numbers or port ranges. Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. + column, provided that the DPORT column is non-empty. This causes the + rule to match when either the source port or the destination port in + a packet matches one of the ports specified in DEST PORTS(S). Use of + '=' requires multi-port match in your iptables and kernel. Unless you really understand IP, you should leave this 
@@ -1274,12 +1273,12 @@ If you don't want to restrict client ports but need to specify - an ORIGINAL DEST in the next - column, then place "-" in this column. + an ORIGDEST in the next column, + then place "-" in this column. If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and the - DEST PORT(S) list above: + DPORT list above: 1. There are 15 or less ports listed. @@ -1290,12 +1289,13 @@ ipset name can be specified in this column. This is intended to be used with bitmap:port ipsets. + + This column was formerly labelled SOURCE PORT(S). - ORIGINAL DEST (origdest) - - [ORIGDEST - [-|address[,address]...[exclusion]|exclusion] @@ -1344,11 +1344,13 @@ url="/PortKnocking.html">http://www.shorewall.net/PortKnocking.html for an example of using an entry in this column with a user-defined action rule. + + This column was formerly labelled ORIGINAL DEST. - RATE LIMIT (rate) - + RATE - limit @@ -1413,11 +1415,13 @@ enforce the per-source limit and the compiler will pick a unique name for the hash table that tracks the per-destination limit. + + This column was formerly labelled RATE LIMIT. - USER/GROUP (user) - [USER - [!][user-name-or-number][:group-name-or-number][,...] @@ -1471,6 +1475,8 @@ + + This column was formerly labelled USER/GROUP. @@ -1626,6 +1632,8 @@ where dd is an ordinal day of the month + + @@ -1767,9 +1775,8 @@ Accept SMTP requests from the DMZ to the internet - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL - # PORT PORT(S) DEST - ACCEPT dmz net tcp smtp + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST + ACCEPT dmz net tcp smtp @@ -1780,8 +1787,7 @@ Forward all ssh and http connection requests from the internet to local system 192.168.1.3 - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL - # PORT PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net loc:192.168.1.3 tcp ssh,http 
@@ -1792,9 +1798,8 @@ Forward all http connection requests from the internet to local system 192.168.1.3 with a limit of 3 per second and a maximum - burst of 10 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE - # PORT PORT(S) DEST LIMIT - DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 + burst of 10 #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE + DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 @@ -1806,8 +1811,7 @@ port 3128 on the firewall (Squid running on the firewall system) except when the destination address is 192.168.2.2 - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL - # PORT PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST REDIRECT loc 3128 tcp www - !192.168.2.2 @@ -1819,8 +1823,7 @@ All http requests from the internet to address 130.252.100.69 are to be forwarded to 192.168.1.3 - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL - # PORT PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 @@ -1832,10 +1835,9 @@ You want to accept SSH connections to your firewall only from internet IP addresses 130.252.100.69 and 130.252.100.70 - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL - # PORT PORT(S) DEST - ACCEPT net:130.252.100.69,130.252.100.70 $FW \ - tcp 22 + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST + ACCEPT net:130.252.100.69,130.252.100.70 \ + $FW tcp 22 @@ -1847,8 +1849,7 @@ firewall on port 2222 and you want to forward them to local system 192.168.1.3, port 22 - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL - # PORT PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST DNAT net loc:192.168.1.3:22 tcp 2222 @@ -1860,8 +1861,7 @@ You want to redirect connection requests to port 80 randomly to the port range 81-90. - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL - # PORT PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST REDIRECT net $FW::81-90:random tcp www 
@@ -1897,8 +1897,7 @@ rules: - #ACTION SOURCE DEST PROTO DEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT REDIRECT loc 3128 tcp 80 Note that it would have been tempting to simply define the @@ -1926,8 +1925,7 @@ Add the tuple (source IP, dest port, dest IP) of an incoming SSH connection to the ipset S: - #ACTION SOURCE DEST PROTO DEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT ADD(+S:dst,src,dst) net fw tcp 22 @@ -1939,8 +1937,7 @@ You wish to limit SSH connections from remote systems to 1/min with a burst of three (to allow for limited retry): - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE - # PORT(S) PORT(S) DEST LIMIT + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE SSH(ACCEPT) net all - - - - s:1/min:3 @@ -1952,8 +1949,7 @@ Forward port 80 to dmz host $BACKUP if switch 'primary_down' is on. - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH - # PORT(S) PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down @@ -1965,8 +1961,7 @@ Drop all email from the Anonymous Proxy and Satellite Provider address ranges: - #ACTION SOURCE DEST PROTO DEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT DROP net:^A1,A2 fw tcp 25 @@ -1978,8 +1973,7 @@ You want to generate your own rule involving iptables targets and matches not supported by Shorewall. - #ACTION SOURCE DEST PROTO DEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 The above will generate the following iptables-restore diff --git a/Shorewall/manpages/shorewall-secmarks.xml b/Shorewall/manpages/shorewall-secmarks.xml index 33edfb571..e20af98a5 100644 --- a/Shorewall/manpages/shorewall-secmarks.xml +++ b/Shorewall/manpages/shorewall-secmarks.xml 
@@ -93,7 +93,7 @@ - CHAIN:STATE (chain) - + CHAIN - {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}] @@ -140,6 +140,8 @@ :NIU - NEW, INVALID or UNTRACKED connection. + + This column was formerly labelled CHAIN:STATE. @@ -236,7 +238,7 @@ - PORT(S) (dport) - [DPORT - [-|port-name-number-or-range[,port-name-number-or-range]...] @@ -259,12 +261,13 @@ This column is ignored if PROTOCOL = all but must be entered if any of the following field is supplied. In that case, it is suggested that this field contain "-" + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) - - [SPORT - [-|port-name-number-or-range[,port-name-number-or-range]...] @@ -272,6 +275,8 @@ Optional source port(s). If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges. + + This column was formerly labelled SOURCE PORT(S). @@ -388,8 +393,7 @@ /etc/shorewall/secmarks: - #SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK -# STATE PORT(S) PORT(S) GROUP + #SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK system_u:object_r:mysqld_packet_t:s0 I:N lo 127.0.0.1 tcp 3306 SAVE I:N lo 127.0.0.1 tcp 3306 RESTORE I:ER diff --git a/Shorewall/manpages/shorewall-stoppedrules.xml b/Shorewall/manpages/shorewall-stoppedrules.xml index d191ab035..f6aab918b 100644 --- a/Shorewall/manpages/shorewall-stoppedrules.xml +++ b/Shorewall/manpages/shorewall-stoppedrules.xml @@ -112,7 +112,7 @@ - DEST PORT(S) (dport) ‒ + DPORTservice-name/port-number-list @@ -121,11 +121,13 @@ include port ranges of the form low-port:high-port if your kernel and iptables include port range support. + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) ‒ + SPORTservice-name/port-number-list 
@@ -136,11 +138,12 @@ if your kernel and iptables include port range support. Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. + column, provided that the DPORT column is non-empty. This causes the + rule to match when either the source port or the destination port in + a packet matches one of the ports specified in DEST PORTS(S). Use of + '=' requires multi-port match in your iptables and kernel. + + This column was formerly labelled SOURCE PORT(S). diff --git a/Shorewall/manpages/shorewall-tcfilters.xml b/Shorewall/manpages/shorewall-tcfilters.xml index e428b03e9..17f8d6d5d 100644 --- a/Shorewall/manpages/shorewall-tcfilters.xml +++ b/Shorewall/manpages/shorewall-tcfilters.xml @@ -135,7 +135,7 @@ - DEST PORT (dport) - [DPORT - [-|port-name-or-number] @@ -143,16 +143,19 @@ a port number; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). + + This column was previously labelled DEST PORT(S). - SOURCE PORT (sport) - - [SPORT - [-|port-name-or-number] Optional source port. + + This column was previously labelled SOURCE PORT(S). @@ -292,8 +295,7 @@ ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different protocols. - #CLASS SOURCE DEST PROTO DEST - # PORT + #CLASS SOURCE DEST PROTO DPORT IPV4 @@ -314,8 +316,7 @@ Add two filters with priority 10 (Shorewall 4.5.8 or later). - #CLASS SOURCE DEST PROTO DEST PRIORITY - # PORT + #CLASS SOURCE DEST PROTO DPORT PRIORITY IPV4 diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml index 077282ebf..f8db90e59 100644 --- a/Shorewall6/manpages/shorewall6-accounting.xml +++ b/Shorewall6/manpages/shorewall6-accounting.xml 
@@ -349,7 +349,7 @@ - DESTINATION (dest) - {DEST - {-|any|all|interface|interfaceaddress|address} @@ -359,11 +359,13 @@ Format same as SOURCE column. + + This column was formerly labelled DESTINATION. - PROTOCOL (proto) - {PROTO - {-|any|all|protocol-name|protocol-number|Beginning with Shorewall 4.5.12, this column can accept a comma-separated list of protocols. + + This column was formerly labelled PROTOCOL. - DEST PORT(S) (dport) - - {-|DPORT - {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...} @@ -405,12 +409,14 @@ ("ip6tables -m ipp2p --help") without the leading "--". If no option is given in this column, ipp2p is assumed. + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) - - {-|SPORT - {-|any|all|port-name-or-number[,port-name-or-number]...} @@ -424,16 +430,17 @@ support. Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. + column, provided that the DPORT column is non-empty. This causes the + rule to match when either the source port or the destination port in + a packet matches one of the ports specified in DPORT. Use of '=' + requires multi-port match in your iptables and kernel. + + This column was formerly labelled SOURCE PORT(S). - USER/GROUP (user) - [USER - [!][user-name-or-number][:group-name-or-number][+program-name] @@ -490,6 +497,8 @@ + + This column was formerly labelled USER/GROUP. diff --git a/Shorewall6/manpages/shorewall6-blacklist.xml b/Shorewall6/manpages/shorewall6-blacklist.xml deleted file mode 100644 index 1f590e209..000000000 --- a/Shorewall6/manpages/shorewall6-blacklist.xml +++ /dev/null 
@@ -1,217 +0,0 @@ - - - - - shorewall6-blacklist - - 5 - - Configuration Files - - - - blacklist - - shorewall6 Blacklist file - - - - - /etc/shorewall6/blacklist - - - - - Description - - The blacklist file is used to perform static blacklisting by source - address (IP or MAC), or by application. The use of this file is deprecated - in favor of shorewall6-blrules(5), - and beginning with Shorewall 4.5.7, the blacklist file is no longer - installed. Existing blacklist files can be converted to a corresponding - blrules file using the shorewall6 update -b - command. - - The columns in the file are as follows (where the column name is - followed by a different name in parentheses, the different name is used in - the alternate specification syntax). - - - - ADDRESS/SUBNET - {-|~mac-address|ip-address|address-range|+ipset} - - - Host address, network address, MAC address, IP address range - (if your kernel and ip6tables contain iprange match support) or - ipset name prefaced by "+" (if your kernel supports ipset match). - Exclusion (shorewall6-exclusion(5)) - is supported. - - MAC addresses must be prefixed with "~" and use "-" as a - separator. - - Example: ~00-A0-C9-15-39-78 - - A dash ("-") in this column means that any source address will - match. This is useful if you want to blacklist a particular - application using entries in the PROTOCOL and PORTS columns. - - - - - PROTOCOL (proto) - {-|protocol-number|protocol-name} - - - Optional - if specified, must be a protocol number or a - protocol name from protocols(5). - - - - - PORTS (port) - {-|port-name-or-number[,port-name-or-number]...} - - - May only be specified if the protocol is TCP (6), UDP (17), - DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of - destination port numbers or service names from services(5). - - - - - OPTIONS - {-|{dst|src|whitelist|audit}[,...]} - - - Optional - added in 4.4.12. 
If specified, indicates whether - traffic from ADDRESS/SUBNET (src) or traffic to - ADDRESS/SUBNET (dst) should be - blacklisted. The default is src. If - the ADDRESS/SUBNET column is empty, then this column has no effect - on the generated rule. - - - In Shorewall 4.4.12, the keywords from and to were used in - place of src and dst respectively. Blacklisting was still - restricted to traffic arriving on an - interface that has the 'blacklist' option set. So to block traffic - from your local network to an internet host, you had to specify - on your internal interface in shorewall6-interfaces - (5). - - - - Beginning with Shorewall 4.4.13, entries are applied based - on the blacklist setting in - shorewall6-zones(5): - - - - 'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic - from this zone is passed against the entries in this file that - have the src option - (specified or defaulted). - - - - 'blacklist' in the OPTIONS or OUT_OPTIONS column. - Traffic to this zone is passed against the entries in this - file that have the dst - option. - - - - - In Shorewall 4.4.20, the whitelist option was added. When whitelist is specified, packets/connections - that match the entry are not matched against the remaining entries - in the file. - - The audit option was also - added in 4.4.20 and causes packets matching the entry to be audited. - The audit option may not be - specified in whitelist entries and require AUDIT_TARGET support in - the kernel and ip6tables. - - - - - When a packet arrives on an interface that has the blacklist option specified in shorewall6-interfaces(5), - its source IP address and MAC address is checked against this file and - disposed of according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in shorewall6.conf(5). If - PROTOCOL or PROTOCOL and PORTS - are supplied, only packets matching the protocol (and one of the ports if - PORTS supplied) are blocked. 
- - - - Example - - - - Example 1: - - - To block DNS queries from address - fe80::2a0:ccff:fedb:31c4: - - #ADDRESS/SUBNET PROTOCOL PORT - fe80::2a0:ccff:fedb:31c4/ udp 53 - - - - - Example 2: - - - To block some of the nuisance applications: - - #ADDRESS/SUBNET PROTOCOL PORT - - udp 1024:1033,1434 - - tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898 - - - - - - - FILES - - /etc/shorewall6/blacklist - - - - See ALSO - - http://www.shorewall.net/blacklisting_support.htm - - http://www.shorewall.net/configuration_file_basics.htm#Pairs - - shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), - shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), - shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), - shorewall6-providers(5), shorewall6-rtrules(5), - shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), - shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), - shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), - shorewall6-zones(5) - - diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml index 54b770674..64bd6cf81 100644 --- a/Shorewall6/manpages/shorewall6-conntrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml @@ -414,7 +414,7 @@ - DEST PORT(S) (dport) - + DPORT - {-|port-number/service-name-list|+ipset} @@ -427,11 +427,13 @@ Beginning with Shorewall 4.6.0, an ipset name can be specified in this column. This is intended to be used with bitmap:port ipsets. + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) - + SPORT - {-|port-number/service-name-list|+ipset} 
@@ -442,25 +444,28 @@ if your kernel and iptables include port range support. Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). + column, provided that the DPORT column is non-empty. This causes the + rule to match when either the source port or the destination port in + a packet matches one of the ports specified in DPORT. Beginning with Shorewall 4.6.0, an ipset name can be specified in this column. This is intended to be used with bitmap:port ipsets. + + This column was formerly labelled SOURCE PORT(S). - USER/GROUP (user) ‒ + USER ‒ [user][:group] May only be specified if the SOURCE zone is $FW. Specifies the effective user id and or group id of the process sending the traffic. + + This column was formerly labelled USER/GROUP. @@ -523,8 +528,7 @@ itself. FORMAT 2 -#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP -# PORT(S) PORT(S) +#ACTION SOURCE DEST PROTO DPORT SPORT USER CT:helper:ftp(expevents=new) fw - tcp 21 Example 2 (Shorewall 4.5.10 or later): @@ -532,15 +536,13 @@ CT:helper:ftp(expevents=new) fw - tcp Drop traffic to/from all zones to IP address 2001:1.2.3::4 FORMAT 2 -#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP -# PORT(S) PORT(S) +#ACTION SOURCE DEST PROTO DPORT SPORT USER DROP all-:2001:1.2.3::4 - DROP all 2001:1.2.3::4 orFORMAT 3 -#ACTION SOURCE DEST PROTO DEST SOURCE USER/GROUP -# PORT(S) PORT(S) +#ACTION SOURCE DEST PROTO DPORT SPORT USER DROP:P 2001:1.2.3::4 - DROP:PO - 2001:1.2.3::4 diff --git a/Shorewall6/manpages/shorewall6-ipsets.xml b/Shorewall6/manpages/shorewall6-ipsets.xml index 4aafa5423..b71659b07 100644 --- a/Shorewall6/manpages/shorewall6-ipsets.xml +++ b/Shorewall6/manpages/shorewall6-ipsets.xml 
@@ -56,7 +56,7 @@ . Example: myset[src,dst]. - In a SOURCE or SOURCE PORT(S) column, the following pairs are + In a SOURCE or SPORT column, the following pairs are equivalent: @@ -65,7 +65,7 @@ - In a DEST or DEST PORT(S) column, the following pairs are + In a DEST or DPORT column, the following pairs are equivalent: diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml index 6fd30bbab..2931b5ee9 100644 --- a/Shorewall6/manpages/shorewall6-mangle.xml +++ b/Shorewall6/manpages/shorewall6-mangle.xml @@ -593,8 +593,7 @@ INLINE eth0 - ; -p tcp -j MARK --set that problem. SAME may be used in the PREROUTING and OUTPUT chains. When used in PREROUTING, it causes matching connections from an individual local system to all use the - same provider. For example: #ACTION SOURCE DEST PROTO DEST -# PORT(S) + same provider. For example: #ACTION SOURCE DEST PROTO DPORT SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443 and it has sent a packet on either of those ports in @@ -604,8 +603,7 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 When used in the OUTPUT chain, it causes all matching connections to an individual remote system to all use the same - provider. For example:#ACTION SOURCE DEST PROTO DEST -# PORT(S) + provider. For example:#ACTION SOURCE DEST PROTO DPORT SAME $FW 0.0.0.0/0 tcp 80,443The optional timeout parameter was added in Shorewall 4.6.7 and specifies a number of seconds . @@ -812,7 +810,7 @@ Normal-Service => 0x00 - PORT(S) (dport) - [DPORT - [-|port-name-number-or-range[,port-name-number-or-range]...] 
@@ -835,12 +833,13 @@ Normal-Service => 0x00 An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following field is supplied. + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) - - [SPORT - [-|port-name-number-or-range[,port-name-number-or-range]...] @@ -854,11 +853,12 @@ Normal-Service => 0x00 the following fields is supplied. Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. + column, provided that the DPORT column is non-empty. This causes the + rule to match when either the source port or the destination port in + a packet matches one of the ports specified in DPORT. Use of '=' + requires multi-port match in your iptables and kernel. + + This column was formerly labelled SOURCE PORT(S). @@ -1064,8 +1064,7 @@ Normal-Service => 0x00 by the named helper module. Example: Mark all FTP data connections with mark - 4:#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER -# PORT(S) + 4:#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER 4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp @@ -1348,8 +1347,7 @@ Normal-Service => 0x00 We assume packet/connection mark 0 means unclassified. - #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST MARK(1):T ::/0 ::/0 icmp echo-request MARK(1):T ::/0 ::/0 icmp echo-reply RESTORE:T ::/0 ::/0 all - - - 0 diff --git a/Shorewall6/manpages/shorewall6-masq.xml b/Shorewall6/manpages/shorewall6-masq.xml index 036dfc727..c31540f88 100644 --- a/Shorewall6/manpages/shorewall6-masq.xml +++ b/Shorewall6/manpages/shorewall6-masq.xml 
@@ -199,7 +199,7 @@ - PORT(S) (Optional) - + DPORT (Optional) - {-|[!]port-name-or-number[,port-name-or-number]...|+ipset} @@ -379,8 +379,7 @@ - USER/GROUP (Optional) - - [USER (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name] @@ -488,8 +487,7 @@ - ORIGINAL DEST (origdest) - - [ORIGDEST - [-|address[,address]...[exclusion]|exclusion] @@ -500,6 +498,8 @@ the listed addresses. It is useful for specifying that SNAT should occur only for connections that were acted on by a DNAT when they entered the firewall. + + This column was formerly labelled ORIGINAL DEST. diff --git a/Shorewall6/manpages/shorewall6-nat.xml b/Shorewall6/manpages/shorewall6-nat.xml index 51667570b..60a33bc9b 100644 --- a/Shorewall6/manpages/shorewall6-nat.xml +++ b/Shorewall6/manpages/shorewall6-nat.xml @@ -103,15 +103,16 @@ - ALL INTERFACES (allints) - - [Yes|No] + ALLINTS - [Yes|No] If Yes or yes, NAT will be effective from all hosts. If No or no (or left empty) then NAT will be effective only through the interface named in the INTERFACE column. + + This column was formerly labelled ALL INTERFACES. diff --git a/Shorewall6/manpages/shorewall6-nesting.xml b/Shorewall6/manpages/shorewall6-nesting.xml index 2f1d6bf13..3bae92f5e 100644 --- a/Shorewall6/manpages/shorewall6-nesting.xml +++ b/Shorewall6/manpages/shorewall6-nesting.xml @@ -82,7 +82,7 @@ Partial /etc/shorewall6/rules: - #ACTION SOURCE DEST PROTO DEST PORT(S) + #ACTION SOURCE DEST PROTO DPORT ... ACCEPT sam loc:2001:19f0:feee::3 tcp ssh ACCEPT net loc:2001:19f0:feee::5 tcp www diff --git a/Shorewall6/manpages/shorewall6-netmap.xml b/Shorewall6/manpages/shorewall6-netmap.xml index 8778edc57..a401227b9 100644 --- a/Shorewall6/manpages/shorewall6-netmap.xml +++ b/Shorewall6/manpages/shorewall6-netmap.xml @@ -137,7 +137,7 @@ - DEST PORT(S) (dport) - + DPORT - port-number-or-name-list 
@@ -159,11 +159,13 @@ An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following field is supplied. + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) - + SPORT - port-number-or-name-list @@ -174,6 +176,8 @@ An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following fields is supplied. + + This column was formerly labelled SOURCE PORT(S). diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index 5e714450f..5d8b0a72b 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -1111,8 +1111,7 @@ - DEST PORT(S) (dport) - - {DPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} @@ -1144,8 +1143,7 @@ If your kernel contains multi-port match support, then only a single Netfilter rule will be generated in this list and the - CLIENT PORT(S) list below - if: + SPORT list below if: 1. There are 15 or less ports listed. @@ -1156,12 +1154,13 @@ ipset name can be specified in this column. This is intended to be used with bitmap:port ipsets. + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) - - {SPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} 
@@ -1171,11 +1170,10 @@ numbers or port ranges. Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. + column, provided that the DPORT column is non-empty. This causes the + rule to match when either the source port or the destination port in + a packet matches one of the ports specified in DPORT. Use of '=' + requires multi-port match in your iptables and kernel. Unless you really understand IP, you should leave this @@ -1189,7 +1187,7 @@ If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and the - DEST PORT(S) list above: + DPORT list above: 1. There are 15 or less ports listed. @@ -1199,21 +1197,25 @@ Beginning with Shorewall 4.6.0, an ipset name can be specified in this column. This is intended to be used with bitmap:port ipsets. + + This column was formerly labelled SOURCE PORT(S). - ORIGINAL DEST (origdest) - - [-] + ORIGDEST - [-] Included for compatibility with Shorewall. Enter '-' in this column if you need to specify one of the later columns. + + This column was formerly labelled ORIGINAL DEST. - RATE LIMIT (rate) - + RATE - limit @@ -1278,11 +1280,13 @@ enforce the per-source limit and the compiler will pick a unique name for the hash table that tracks the per-destination limit. + + This column was formerly labelled RATE LIMIT. - USER/GROUP (user) - [USER - [!][user-name-or-number-or-range][:group-name-or-number-or-range] @@ -1336,6 +1340,8 @@ + + This column was formerly labelled USER/GROUP. @@ -1716,8 +1722,7 @@ Accept SMTP requests from the DMZ to the internet - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL - # PORT PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST ACCEPT dmz net tcp smtp 
@@ -1730,8 +1735,7 @@ internet IP addresses 2002:ce7c::92b4:1::2 and 2002:ce7c::92b4:1::22 - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL - # PORT PORT(S) DEST + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \ $FW tcp 22 @@ -1744,8 +1748,7 @@ You wish to limit SSH connections from remote systems to 1/min with a burst of three (to allow for limited retry): - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE - # PORT(S) PORT(S) DEST LIMIT + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE SSH(ACCEPT) net all - - - - s:1/min:3 @@ -1757,8 +1760,7 @@ Forward port 80 to dmz host $BACKUP if switch 'primary_down' is set. - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH - # PORT(S) PORT(S) DEST LIMIT GROUP + #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down @@ -1770,8 +1772,7 @@ Drop all email from IP addresses in the country whose ISO-3661 country code is ZZ. - #ACTION SOURCE DEST PROTO DEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT DROP net:^ZZ fw tcp 25 @@ -1783,8 +1784,7 @@ You want to generate your own rule involving ip6tables targets and matches not supported by Shorewall. - #ACTION SOURCE DEST PROTO DEST - # PORT(S) + #ACTION SOURCE DEST PROTO DPORT INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 The above will generate the following ip6tables-restore diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml index ae6387b3d..d176ab72e 100644 --- a/Shorewall6/manpages/shorewall6-secmarks.xml +++ b/Shorewall6/manpages/shorewall6-secmarks.xml @@ -92,7 +92,7 @@ - CHAIN:STATE (chain) - + CHAIN - {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}] 
@@ -139,6 +139,8 @@ :NIU - NEW, INVALID or UNTRACKED connection. + + This column was formerly labelled CHAIN:STATE. @@ -229,7 +231,7 @@ - PORT(S) (dport) - [DPORT - [-|port-name-number-or-range[,port-name-number-or-range]...] @@ -249,15 +251,14 @@ If no PORT is given, ipp2p is assumed. - This column is ignored if PROTOCOL = all but must be entered - if any of the following field is supplied. In that case, it is + This column is ignored if PROTO = all but must be entered if + any of the following field is supplied. In that case, it is suggested that this field contain "-" - SOURCE PORT(S) (sport) - - [SPORT - [-|port-name-number-or-range[,port-name-number-or-range]...] @@ -267,11 +268,10 @@ numbers or port ranges. Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. + column, provided that the DPORT column is non-empty. This causes the + rule to match when either the source port or the destination port in + a packet matches one of the ports specified in DPORT. Use of '=' + requires multi-port match in your iptables and kernel. @@ -318,6 +318,8 @@ + + This column was formerly labelled USER/GROUP. @@ -388,8 +390,7 @@ /etc/shorewall6/secmarks: - #SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK -# STATE PORT(S) PORT(S) GROUP + #SECMARK CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK system_u:object_r:mysqld_packet_t:s0 I:N lo ::1 tcp 3306 SAVE I:N RESTORE I:ER diff --git a/Shorewall6/manpages/shorewall6-stoppedrules.xml b/Shorewall6/manpages/shorewall6-stoppedrules.xml index bd70f0e8e..0560b0609 100644 --- a/Shorewall6/manpages/shorewall6-stoppedrules.xml +++ b/Shorewall6/manpages/shorewall6-stoppedrules.xml 
@@ -112,7 +112,7 @@ - DEST PORT(S) (dport) ‒ + DPORT ‒ service-name/port-number-list @@ -121,11 +121,13 @@ include port ranges of the form low-port:high-port if your kernel and iptables include port range support. + + This column was formerly labelled DEST PORT(S). - SOURCE PORT(S) (sport) ‒ + SPORT ‒ service-name/port-number-list @@ -136,11 +138,12 @@ if your kernel and iptables include port range support. Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. + column, provided that the DPORT column is non-empty. This causes the + rule to match when either the source port or the destination port in + a packet matches one of the ports specified in DPORT. Use of '=' + requires multi-port match in your iptables and kernel. + + This column was formerly labelled SOURCE PORT(S). diff --git a/Shorewall6/manpages/shorewall6-tcfilters.xml b/Shorewall6/manpages/shorewall6-tcfilters.xml index 1813c0cc0..c573e8fc3 100644 --- a/Shorewall6/manpages/shorewall6-tcfilters.xml +++ b/Shorewall6/manpages/shorewall6-tcfilters.xml @@ -131,7 +131,7 @@ - DEST PORT (dport) - [DPORT - [-|port-name-or-number] @@ -139,16 +139,19 @@ a port number; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). + + This column was formerly labelled DEST PORT(S). - SOURCE PORT (sport) - - [SPORT - [-|port-name-or-number] Optional source port. + + This column was formerly labelled SOURCE PORT(S). @@ -286,8 +289,7 @@ ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different protocols. - #CLASS SOURCE DEST PROTO DEST - # PORT + #CLASS SOURCE DEST PROTO DPORT IPV4 
@@ -308,8 +310,7 @@ Add two filters with priority 10 (Shorewall 4.5.8 or later). - #CLASS SOURCE DEST PROTO DEST PRIORITY - # PORT + #CLASS SOURCE DEST PROTO DPORT PRIORITY IPV6 @@ -338,6 +339,6 @@ http://www.shorewall.net/PacketMarking.html - + diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml deleted file mode 100644 index 15e4a9528..000000000 --- a/Shorewall6/manpages/shorewall6-tcrules.xml +++ /dev/null @@ -1,1240 +0,0 @@ - - - - - shorewall6-tcrules - - 5 - - Configuration Files - - - - tcrules - - Shorewall6 Packet Marking rules file - - - - - /etc/shorewall6/tcrules - - - - - Description - - Entries in this file cause packets to be marked as a means of - classifying them for traffic control or policy routing. - - - Unlike rules in the shorewall6-rules(5) file, - evaluation of rules in this file will continue after a match. So the - final mark for each packet will be the one assigned by the LAST tcrule - that matches. - - If you use multiple internet providers with the 'track' option, in - /etc/shorewall6/providers be sure to read the restrictions at http://www.shorewall.net/MultiISP.html. - - - Beginning with Shorewall 4.5.4, the tcrules file supports two - different formats: - - - - FORMAT 1 (default - deprecated) - - - The older limited-function version of TPROXY is - supported. - - - - - FORMAT 2 - - - The newer version of TPROXY is supported. - - - - - The format is specified by a line as follows: - -
- [?]FORMAT {1|2} -
- - The optional '?' was introduced in Shorewall 4.5.11 and ?FORMAT is - the preferred form; the form without the '?' is deprecated. - - The columns in the file are as follows (where the column name is - followed by a different name in parentheses, the different name is used in - the alternate specification syntax). - - - - ACTION - - action - - - action may assume one of the - following values. - - - - A mark value which is an integer in - the range 1-255. - - Normally will set the mark value. If preceded by a - vertical bar ("|"), the mark value will be logically ORed with - the current mark value to produce a new mark value. If preceded - by an ampersand ("&"), will be logically ANDed with the - current mark value to produce a new mark value. - - Both "|" and "&" require Extended MARK Target support - in your kernel and ip6tables; neither may be used with - connection marks (see below). - - May optionally be followed by :P, :F - or :T, :I - where :P indicates - that marking should occur in the PREROUTING chain, :F indicates that marking should occur in - the FORWARD chain, :I indicates - that marking should occur in the INPUT chain (added in Shorewall - 4.4.13) and :T indicates that - marking should occur in the POSTROUTING chain. If neither - :P, :F nor :T follow the mark value then the chain - is determined as follows: - - - If the SOURCE is $FW[:address-or-range[,address-or-range]...], - then the rule is inserted into the OUTPUT chain. The behavior - changed in Shorewall6-perl 4.1. Only high mark values may be - assigned in this case. Packet marking rules for traffic shaping - of packets originating on the firewall must be coded in the - POSTROUTING chain (see below). - - - Otherwise, the chain is determined by the setting of - MARK_IN_FORWARD_CHAIN in shorewall6.conf(5). - - Please note that :I is - included for completeness and affects neither traffic shaping - nor policy routing. 
- - If your kernel and ip6tables include CONNMARK support then - you can also mark the connection rather than the packet. - - The mark value may be optionally followed by "/" and a - mask value (used to determine those bits of the connection mark - to actually be set). When a mask is specified, the result of - logically ANDing the mark value with the mask must be the same - as the mark value. - - The mark and optional mask are then followed by one - of:+ - - - - C - - - Mark the connection in the chain determined by the - setting of MARK_IN_FORWARD_CHAIN - - - - - CF - - - Mark the connection in the FORWARD chain - - - - - CP - - - Mark the connection in the PREROUTING chain. - - - - - CT - - - Mark the connection in the POSTROUTING chain - - - - - CI - - - Mark the connection in the INPUT chain. This option - is included for completeness and has no applicability to - traffic shaping or policy routing. - - - - - - - A mark range which is a pair of integers separated by a - dash ("-"). Added in Shorewall 4.5.9. - - May be optionally followed by a slash ("/") and a mask and - requires the Statistics Match capability - in iptables and kernel. Marks in the specified range are - assigned to packets on a round-robin fashion. - - When a mask is specified, the result of logically ANDing - each mark value with the mask must be the same as the mark - value. The least significant bit in the mask is used as an - increment. For example, if '0x200-0x400/0xff00' is specified, - then the assigned mark values are 0x200, 0x300 and 0x400 in - equal proportions. If no mask is specified, then ( 2 ** - MASK_BITS ) - 1 is assumed (MASK_BITS is set in shorewall6.conf(5)). 
- - May optionally be followed by :P, :F,:T or - :I where - :P indicates that marking should occur in the - PREROUTING chain, :F indicates - that marking should occur in the FORWARD chain, :I indicates that marking should occur in - the INPUT chain (added in Shorewall 4.4.13), and :T indicates that marking should occur in - the POSTROUTING chain. If neither :P, :F - nor :T follow the mark value - then the chain is determined as follows: - - - If the SOURCE is $FW[:address-or-range[,address-or-range]...], - then the rule is inserted into the OUTPUT chain. When - HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned - there. Packet marking rules for traffic shaping of packets - originating on the firewall must be coded in the POSTROUTING - chain (see below). - - - Otherwise, the chain is determined by the setting of - MARK_IN_FORWARD_CHAIN in shorewall6.conf(5). - - Please note that :I is - included for completeness and affects neither traffic shaping - nor policy routing. - - If your kernel and iptables include CONNMARK support then - you can also mark the connection rather than the packet. - - The mark range may be optionally followed by "/" and a - mask value (used to determine those bits of the connection mark - to actually be set). When a mask is specified, the result of - logically ANDing the mark value with each of the masks must be - the same as the mark value. - - The mark range and optional mask may followed by one - of: - - - - C - - - Mark the connection in the chain determined by the - setting of MARK_IN_FORWARD_CHAIN - - - - - CF - - - Mark the connection in the FORWARD chain - - - - - CP - - - Mark the connection in the PREROUTING chain. - - - - - CT - - - Mark the connection in the POSTROUTING chain - - - - - CI - - - Mark the connection in the INPUT chain. This option - is included for completeness and has no applicability to - traffic shaping or policy routing. 
- - - - - - - A classification Id (classid) of the form - major:minor where - major and minor are - integers. Corresponds to the 'class' specification in these - traffic shaping modules: - - atm - cbq - dsmark - pfifo_fast - htb - prio - - Classification occurs in the POSTROUTING chain except when - the SOURCE is $FW[:address] in - which case classification occurs in the OUTPUT chain. - - When using Shorewall6's built-in traffic shaping tool, the - major class is the device number (the first - device in shorewall6-tcdevices(5) - is major class 1, the second device is major class 2, and so on) - and the minor class is the class's MARK - value in shorewall6-tcclasses(5) - preceded by the number 1 (MARK 1 corresponds to minor class 11, - MARK 5 corresponds to minor class 15, MARK 22 corresponds to - minor class 122, etc.). - - Beginning with Shorewall 4.4.27, the classid may be - optionally followed by ':' and a capital letter designating the - chain where classification is to occur. - - - - F - - - FORWARD chain. - - - - - T - - - POSTROUTING chain (default). - - - - - - - CHECKSUM - - Added in Shorewall 4.5.9. Compute and fill in the checksum - in a packet that lacks a checksum. This is particularly useful - if you need to work around old applications, such as dhcp - clients, that do not work well with checksum offloads, but you - don't want to disable checksum offload in your device. - - Requires 'Checksum Target' support in your kernel and - ip6tables. - - - - [?]COMMENT -- the rest of - the line will be attached as a comment to the Netfilter rule(s) - generated by the following entries. The comment will appear - delimited by "/* ... */" in the output of shorewall6 - show mangle - - To stop the comment from being attached to further rules, - simply include COMMENT on a line by itself. - - - Beginning with Shorewall 4.5.11, ?COMMENT is a synonym - for COMMENT and is preferred. - - - - - CONTINUE Don't process - any more marking rules in the table. 
- - As in 1) above, may be followed by :P or :F. Currently, CONTINUE may not be used - with exclusion (see the SOURCE and DEST - columns below); that restriction will be removed when - ip6tables/Netfilter provides the necessary support. - - - - DIVERT - - Added in Shorewall 4.5.3. Two DIVERT rule should precede - the TPROXY rule and should select DEST PORT tcp 80 and SOURCE - PORT tcp 80 respectively (assuming that tcp port 80 is being - proxied). DIVERT avoids sending packets to the TPROXY target - once a socket connection to Squid3 has been established by - TPROXY. DIVERT marks the packet with a unique mark and exempts - it from any rules that follow. - - - - DROP - - Added in Shorewall 4.5.21.4. Causes matching packets to be - discarded. - - - - DSCP(dscp) - - Added in Shorewall 4.5.1. Sets the - Differentiated Services Code Point field - in the IP header. The dscp value may - be given as an even number (hex or decimal) or as the name of a - DSCP class. Valid class names and their associated hex numeric - values are: - - CS0 => 0x00 - CS1 => 0x08 - CS2 => 0x10 - CS3 => 0x18 - CS4 => 0x20 - CS5 => 0x28 - CS6 => 0x30 - CS7 => 0x38 - BE => 0x00 - AF11 => 0x0a - AF12 => 0x0c - AF13 => 0x0e - AF21 => 0x12 - AF22 => 0x14 - AF23 => 0x16 - AF31 => 0x1a - AF32 => 0x1c - AF33 => 0x1e - AF41 => 0x22 - AF42 => 0x24 - AF43 => 0x26 - EF => 0x2e - - To indicate more than one class, add their hex values - together and specify the result. - - May be optionally followed by ':' and a capital letter - designating the chain where classification is to occur. - - - - F - - - FORWARD chain. - - - - - T - - - POSTROUTING chain. - - - - - - - HL([-|+]number) - - Added in Shorewall 4.4.24. - - Prior to Shorewall 4.5.7.2, may be optionally followed by - :F but the resulting rule is - always added to the FORWARD chain. Beginning with Shorewall - 4.5.7.s, it may be optionally followed by :P, in which case the rule is added to - the PREROUTING chain. 
- - If + is included, packets - matching the rule will have their HL (hop limit) incremented by - number. Similarly, if - is included, matching packets have - their HL decremented by number. If - neither + nor - is given, the HL of matching packets is - set to number. The valid range of - values for number is 1-255. - - - - IMQ(number) - - Added in Shorewall 4.5.1. Specifies that the packet should - be passed to the IMQ identified by - number. Requires IMQ Target support - in your kernel and ip6tables. - - - - INLINE[(action)] - - Added in Shorewall 4.6.0. Allows you to place your own - ip[6]tables matches at the end of the line following a semicolon - (";"). If an action is specified, the - compiler procedes as if that action - had been specified in this column. If no action is specified, - then you may include your own jump ("-j - target - [option] ...") after any matches - specified at the end of the rule. If the target is not one known - to Shorewall, then it must be defined as a builtin action in - shorewall6-actions - (5). - - The following rules are equivalent: - - 2:P eth0 - tcp 22 -INLINE(2):P eth0 - tcp 22 -INLINE(2):P eth0 - ; -p tcp -INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 -INLINE eth0 - ; -p tcp -j MARK --set-mark 2 - - If INLINE_MATCHES=Yes in shorewall6.conf(5) - then the third rule above can be specified as follows: - - 2:P eth0 - ; -p tcp - - In other words, when only matches are given after the ';', - INLINE is unnecessary. - - - - RESTORE[/mask] -- - restore the packet's mark from the connection's mark using the - supplied mask if any. Your kernel and ip6tables must include - CONNMARK support. - - As in 1) above, may be followed by :P or :F - - - - SAME (Added in Shorewall - 4.3.5) -- Some websites run applications that require multiple - connections from a client browser. Where multiple 'balanced' - providers are configured, this can lead to problems when some of - the connections are routed through one provider and some through - another. 
The SAME target allows you to work around that problem. - SAME may be used in the PREROUTING and OUTPUT chains. When used - in PREROUTING, it causes matching connections from an individual - local system to all use the same provider. For example: - #ACTION SOURCE DEST PROTO DEST -# PORT(S) -SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 - If a host in 192.168.1.0/24 attempts a connection on TCP port 80 - or 443 and it has sent a packet on either of those ports in the - last five minutes then the new connection will use the same - provider as the connection over which that last packet was - sent. - - When used in the OUTPUT chain, it causes all matching - connections to an individual remote system to all use the same - provider. For example:#ACTION SOURCE DEST PROTO DEST -# PORT(S) -SAME $FW 0.0.0.0/0 tcp 80,443 - If the firewall attempts a connection on TCP port 80 or 443 and - it has sent a packet on either of those ports in the last five - minutes to the same remote system then the new connection will - use the same provider as the connection over which that last - packet was sent. - - - - SAVE[/mask] -- save - the packet's mark to the connection's mark using the supplied - mask if any. Your kernel and ip6tables must include CONNMARK - support. - - As in 1) above, may be followed by :P or :F - - - - TOS(tos[/mask]) - - Added in Shorewall 4.5.1. Sets the Type of - Service field in the IP header. The - tos value may be given as an number - (hex or decimal) or as the name of a TOS type. Valid type names - and their associated hex numeric values are: - - Minimize-Delay => 0x10, -Maximize-Throughput => 0x08, -Maximize-Reliability => 0x04, -Minimize-Cost => 0x02, -Normal-Service => 0x00 - - To indicate more than one class, add their hex values - together and specify the result. - - When tos is given as a number, - it may be optionally followed by '/' and a - mask. When no - mask is given, the value 0xff is - assumed. 
When tos is given as a type - name, the mask 0x3f is - assumed. - - The action performed is to zero out the bits specified by - the mask, then set the bits specified - by tos. - - May be optionally followed by ':' and a capital letter - designating the chain where classification is to occur. - - - - F - - - FORWARD chain. - - - - - T - - - POSTROUTING chain (default). - - - - - - - TPROXY(mark[,[port][,[address]]]) - -- FORMAT 1 - - Transparently redirects a packet without altering the IP - header. Requires a local provider to be defined in shorewall6-providers(5). - - There are three parameters to TPROXY - only the first - (mark) is required: - - - - mark - the MARK value - corresponding to the local provider in shorewall6-providers(5). - - - - port - the port on which - the proxy server is listening. If omitted, the original - destination port. - - - - address - a local (to the - firewall) IP address on which the proxy server is listening. - If omitted, the IP address of the interface on which the - request arrives. - - - - - - TPROXY([port][,[address]]]) - -- FORMAT 2 - - Transparently redirects a packet without altering the IP - header. Requires a local provider to be defined in shorewall6-providers(5). - - There are three parameters to TPROXY - only the first - (mark) is required: - - - - port - the port on which - the proxy server is listening. If omitted, the original - destination port. - - - - address - a local (to the - firewall) IP address on which the proxy server is listening. - If omitted, the IP address of the interface on which the - request arrives. - - - - - - - - - SOURCE - {-|{interface|$FW}|[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]> - - - Source of the packet. A comma-separated list of interface - names, IP addresses, MAC addresses and/or subnets for packets being - routed through a common path. List elements may also consist of an - interface name followed by ":" and an address (e.g., - eth1:<2002:ce7c:92b4::/48>). 
For example, all packets for - connections masqueraded to eth0 from other interfaces can be matched - in a single rule with several alternative SOURCE criteria. However, - a connection whose packets gets to eth0 in a different way, e.g., - direct from the firewall itself, needs a different rule. - - Accordingly, use $FW in its - own separate rule for packets originating on the firewall. In such a - rule, the ACTION column may NOT specify either :P or :F - because marking for firewall-originated packets always occurs in the - OUTPUT chain. - - MAC addresses must be prefixed with "~" and use "-" as a - separator. - - Example: ~00-A0-C9-15-39-78 - - When an interface is not specified, the angled brackets - ('<' and '>') surrounding the address(es) may be - omitted. - - You may exclude certain hosts from the set already defined - through use of an exclusion (see shorewall6-exclusion(5)). - - - - - DEST - {-|{interface|$FW}[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]> - - - Destination of the packet. Comma separated list of IP - addresses and/or subnets. If your kernel and ip6tables include - iprange match support, IP address ranges are also allowed. List - elements may also consist of an interface name followed by ":" and - an address (e.g., eth1:<2002:ce7c:92b4::/48>). If the - ACTION column specifies a - classification of the form - major:minor then this - column may also contain an interface name. - - When an interface is not specified, the angled brackets - ('<' and '>') surrounding the address(es) may be - omitted. - - Beginning with Shorewall 4.4.13, $FW may be given by itself or - qualified by an address list. This causes marking to occur in the - INPUT chain. - - You may exclude certain hosts from the set already defined - through use of an exclusion (see shorewall6-exclusion(5)). 
- - - - - PROTO - {-|{tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]} - - - Protocol - ipp2p requires - ipp2p match support in your kernel and ip6tables. - - Beginning with Shorewall 4.5.12, this column can accept a - comma-separated list of protocols. - - - - - PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...] - - - Optional destination Ports. A comma-separated list of Port - names (from services(5)), port numbers or - port ranges; if the protocol is ipv6-icmp, this column is interpreted as the - destination icmp-type(s). ICMP types may be specified as a numeric - type, a numeric type and code separated by a slash (e.g., 3/4), or a - typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. - - If the protocol is ipp2p, - this column is interpreted as an ipp2p option without the leading - "--" (example bit for bit-torrent). - If no PORT is given, ipp2p is - assumed. - - An entry in this field requires that the PROTO column specify - tcp (6), udp (17), ipv6-icmp (58), sctp (132) or udplite (136). Use - '-' if any of the following field is supplied. - - - - - SOURCE PORT(S) (sport) - - [-|port-name-number-or-range[,port-name-number-or-range]...] - - - Optional source port(s). If omitted, any source port is - acceptable. Specified as a comma-separated list of port names, port - numbers or port ranges. - - An entry in this field requires that the PROTO column specify - tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of - the following fields is supplied. - - Beginning with Shorewall 4.5.15, you may place '=' in this - column, provided that the DEST PORT(S) column is non-empty. This - causes the rule to match when either the source port or the - destination port in a packet matches one of the ports specified in - DEST PORTS(S). Use of '=' requires multi-port match in your iptables - and kernel. 
- - - - - USER - [!][user-name-or-number][:group-name-or-number] - - - This optional column may only be non-empty if the SOURCE is - the firewall itself. - - When this column is non-empty, the rule applies only if the - program generating the output is running under the effective - user and/or group - specified (or is NOT running under that id if "!" is given). - - Examples: - - - - joe - - - program must be run by joe - - - - - :kids - - - program must be run by a member of the 'kids' - group - - - - - !:kids - - - program must not be run by a member of the 'kids' - group - - - - - - - - TEST - [!]value[/mask][:C] - - - Optional. Defines a test on the existing packet or connection - mark. The rule will match only if the test returns true. - - If you don't want to define a test but need to specify - anything in the following columns, place a "-" in this field. - - - - ! - - - Inverts the test (not equal) - - - - - value - - - Value of the packet or connection mark. - - - - - mask - - - A mask to be applied to the mark before testing. - - - - - :C - - - Designates a connection mark. If omitted, the packet - mark's value is tested. - - - - - - - - LENGTH - - [length|[min]:[max]] - - - Optional - packet payload length. This field, if present allow - you to match the length of a packet payload (Layer 4 data ) against - a specific value or range of values. You must have iptables length - support for this to work. A range is specified in the form - min:max where either - min or max (but not both) - may be omitted. If min is omitted, then 0 is - assumed; if max is omitted, than any packet - that is min or longer will match. - - - - - TOS (Optional) - - tos - - - Type of service. Either a standard name, or a numeric value to - match. 
- - Minimize-Delay (16) - Maximize-Throughput (8) - Maximize-Reliability (4) - Minimize-Cost (2) - Normal-Service (0) - - - - - CONNBYTES - - [!]min:[max[:{O|R|B}[:{B|P|A}]]] - - - Optional connection Bytes; defines a byte or packet range that - the connection must fall within in order for the rule to - match. - - A packet matches if the the packet/byte count is within the - range defined by min and - max (unless ! is given in which case, a packet - matches if the packet/byte count is not within the range). - min is an integer which defines the beginning - of the byte/packet range. max is an integer - which defines the end of the byte/packet range; if omitted, only the - beginning of the range is checked. The first letter gives the - direction which the range refers to:
- O - The original - direction of the connection. - - R - The opposite - direction from the original connection. - - B - The total of both - directions. -
- - If omitted, B is - assumed. - - The second letter determines what the range refers - to.
- B - Bytes - - P - Packets - - A - Average packet - size. -
If omitted, B is - assumed.
-
-
- - - HELPER - - helper - - - Optional. Names a Netfilter protocol - helper module such as , - , , etc. A packet will - match if it was accepted by the named helper module. - - Example: Mark all FTP data connections with mark - 4:#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER -# PORT(S) -4 ::/0 ::/0 TCP - - - - - - - ftp - - - - - HEADERS - - [!][any:|exactly:]header-list - (Optional - Added in Shorewall 4.4.15) - - - The header-list consists of a - comma-separated list of headers from the following list. - - - - auth, ah, or 51 - - - Authentication Headers extension - header. - - - - - esp, or 50 - - - Encrypted Security Payload - extension header. - - - - - hop, hop-by-hop or 0 - - - Hop-by-hop options extension header. - - - - - route, ipv6-route or 41 - - - IPv6 Route extension header. - - - - - frag, ipv6-frag or 44 - - - IPv6 fragmentation extension header. - - - - - none, ipv6-nonxt or 59 - - - No next header - - - - - proto, protocol or 255 - - - Any protocol header. - - - - - If any: is specified, the - rule will match if any of the listed headers are present. If - exactly: is specified, the will - match packets that exactly include all specified headers. If neither - is given, any: is assumed. - - If ! is entered, the rule - will match those packets which would not be matched when ! is omitted. - - - - - PROBABILITY - - [probability] - - - Added in Shorewall 4.5.0. When non-empty, requires the - Statistics Match capability in your kernel - and ip6tables and causes the rule to match randomly but with the - given probability. The - probability is a number 0 < - probability <= 1 and may be expressed - at up to 8 decimal points of precision. - - - - - STATE -- {NEW|RELATED|ESTABLISHED|INVALID} [,...] - - - Added in Shorewall 4.5.9. The rule will only match if the - packet's connection is in one of the listed states. - - -
-
- - - Example - - - - Example 1: - - - Mark all forwarded ICMP echo traffic with packet mark 1. Mark - all forwarded peer to peer traffic with packet mark 4. - - This is a little more complex than otherwise expected. Since - the ipp2p module is unable to determine all packets in a connection - are P2P packets, we mark the entire connection as P2P if any of the - packets are determined to match. - - We assume packet/connection mark 0 means unclassified. - - #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST - # PORT(S) - 1 ::/0 ::/0 icmp echo-request - 1 ::/0 ::/0 icmp echo-reply - RESTORE ::/0 ::/0 all - - - 0 - CONTINUE ::/0 ::/0 all - - - !0 - 4 ::/0 ::/0 ipp2p:all - SAVE ::/0 ::/0 all - - - !0 - - If a packet hasn't been classified (packet mark is 0), copy - the connection mark to the packet mark. If the packet mark is set, - we're done. If the packet is P2P, set the packet mark to 4. If the - packet mark has been set, save it to the connection mark. - - - - - - - FILES - - /etc/shorewall6/tcrules - - - - See ALSO - - http://www.shorewall.net/traffic_shaping.htm - - http://www.shorewall.net/MultiISP.html - - http://www.shorewall.net/PacketMarking.html - - http://www.shorewall.net/configuration_file_basics.htm#Pairs - - shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), - shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5), - shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), - shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), - shorewall6-providers(5), shorewall6-rtrules(5), - shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), - shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), - shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5) - -
diff --git a/Shorewall6/manpages/shorewall6-tos.xml b/Shorewall6/manpages/shorewall6-tos.xml
deleted file mode 100644
index 981df9807..000000000
--- a/Shorewall6/manpages/shorewall6-tos.xml
+++ /dev/null
@@ -1,181 +0,0 @@ - - - - - shorewall6-tos - - 5 - - Configuration Files - - - - tos - - Shorewall6 Type of Service rules file - - - - - /etc/shorewall6/tos - - - - - Description - - This file defines rules for setting Type Of Service (TOS). Its use - is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in - shorewall6-mangle - (5). - - The columns in the file are as follows. - - - - SOURCE - {all|address]|all:address|$FW} - - - If all, may optionally be - followed by ":" and an IP address, a MAC address, a subnet - specification or the name of an interface. - - Example: all:2002:ce7c::92b4:1::2 - - MAC addresses must be prefixed with "~" and use "-" as a - separator. - - Example: ~00-A0-C9-15-39-78 - - - - - DEST - {all|address]|all:address} - - - Example: 2002:ce7c::92b4:1::2 - - - - - PROTOCOL - - proto-name-or-number - - - Protocol name or number. - - - - - SOURCE PORT(S) - - {-|port|lowport:highport} - - - Source port or port range. If all ports, use "-". - - - - - DEST PORT(S) - - {-|port|lowport:highport} - - - Destination port or port range. If all ports, use "-" - - - - - TOS - - tos - - - Must be one of the following; - - tos-minimize-delay (16) - tos-maximize-throughput (8) - tos-maximize-reliability (4) - tos-minimize-cost (2) - tos-normal-service (0) - - To specify more than one flag, add their values together and - specify the numeric result. - - - - - MARK - [!]value[/mask][:C] - - - If you don't want to define a test but need to specify - anything in the following columns, place a "-" in this field. - - - - ! - - - Inverts the test (not equal) - - - - - value - - - Value of the packet or connection mark. - - - - - mask - - - A mask to be applied to the mark before testing. - - - - - :C - - - Designates a connection mark. If omitted, the packet - mark's value is tested. 
- - - - - - - - - - FILES - - /etc/shorewall6/tos - - - - See ALSO - - http://www.shorewall.net/configuration_file_basics.htm#Pairs - - shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), - shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), - shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), - shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), - shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), - shorewall6-mangle(5), shorewall6-tunnels(5), shorewall6-zones(5) - -