Documentation update 1 for AUDIT support

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-05-21 16:25:38 -07:00
parent 83cdf78b18
commit 99cb09bd84
8 changed files with 132 additions and 17 deletions

View File

@ -749,12 +749,8 @@ show_command() {
echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "drop1918src # Drop packets with an RFC 1918 source address"
echo "drop1918dst # Drop packets with an RFC 1918 original dest address"
echo "forwardUPnP # Allow traffic that upnpd has redirected from"
echo "rejNotSyn # Silently Reject Non-syn TCP packets"
echo "rej1918src # Reject packets with an RFC 1918 source address"
echo "rej1918dst # Reject packets with an RFC 1918 original dest address"
if [ -f ${CONFDIR}/actions ]; then
cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
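Review bot: The builtin-action help text printed here still says nothing about the new 'audit' parameter, even though the release-notes hunk in this commit states that the builtin actions listed by 'shorewall show actions' now accept it; a short line such as "Builtin actions accept an optional 'audit' parameter (requires AUDIT_TARGET support)" before the `if [ -f ${CONFDIR}/actions ]` test would keep the CLI output in step with the docs. While touching these lines, quote the expansions (`[ -f "${CONFDIR}/actions" ]`, `cat "${SHAREDIR}/actions.std" "${CONFDIR}/actions"`) so a configuration directory containing spaces does not break the test or the cat.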

View File

@ -122,13 +122,16 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
the entryto be audited. 'audit' may not be specified together
with 'accept'.
g) With the exception of 'Limit', the builtin actions
(dropBroadcast, rejNonSyn, etc.) now support
g) The builtin actions (dropBroadcast, rejNonSyn, etc.) now support
an 'audit' parameter which causes all ACCEPT, DROP and REJECTs
performed by the action to be audited. This allows creation of
audited versions of the Shorewall-provided default actions
(action.Drop and action.Reject).
Note: The builtin actions are those actions listed in the
output of 'shorewall show actions' whose names begin with a
lower-case letter.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------
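Review bot: The example builtin names in item g), "dropBroadcast" and "rejNonSyn", do not match the names the show_command hunk actually prints ("dropBcast", "rejNotSyn"); since the note right below tells readers to look these up in 'shorewall show actions', the examples should use the spellings that output shows. Two smaller points in the same hunk: the two alternative wordings of the g) sentence ("With the exception of 'Limit', the builtin actions ..." and "The builtin actions ...") disagree on whether Limit supports 'audit', so please make sure the surviving version states the Limit exception if it applies, and the context line above it has the typo "entryto" ("the entry to be audited") which is worth fixing while this section is being edited.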

View File

@ -78,7 +78,7 @@
<varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) -
{-|{dst|src|whitelist}[,...]}</term>
{-|{dst|src|whitelist|audit}[,...]}</term>
<listitem>
<para>If specified, indicates whether traffic
@ -128,6 +128,12 @@
role="bold">whitelist</emphasis> is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.</para>
<para>The <emphasis role="bold">audit</emphasis> option was also
added in 4.4.20 and causes packets matching the entry to be audited.
The <emphasis role="bold">audit</emphasis> option may not be
specified in whitelist entries and require AUDIT_TARGET support in
the kernel and iptables.</para>
</listitem>
</varlistentry>
</variablelist>
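Review bot: Grammar in the new paragraph: the subject is the singular "audit option", so "require AUDIT_TARGET support" should read "requires AUDIT_TARGET support"; the same sentence appears in the shorewall6-blacklist hunk further down with "ip6tables" and needs the same fix. "was also added in 4.4.20" also reads as if the preceding whitelist option were added in 4.4.20, while the term line above dates OPTIONS to 4.4.12; dropping "also" (or naming the release the other options came in) removes the ambiguity.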

View File

@ -173,6 +173,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
in the kernel and iptables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NONAT</emphasis></term>
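Review bot: Style: the new term `<term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>` has no `<emphasis role="bold">` wrapper, whereas the neighbouring entries (e.g. `<term><emphasis role="bold">NONAT</emphasis></term>` in the trailing context) bold the action name, so the audited actions will render differently from the rest of the ACTION list. Suggest `<term><emphasis role="bold">A_ACCEPT</emphasis>, <emphasis role="bold">A_ACCEPT+</emphasis> and <emphasis role="bold">A_ACCEPT!</emphasis></term>`, and the same treatment for the A_DROP and A_REJECT entries in this file and in the shorewall6-rules hunks.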
@ -202,6 +212,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>A_DROP and A_DROP!</term>
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of DROP and
DROP! respectively. Require AUDIT_TARGET support in the kernel
and iptables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">REJECT</emphasis></term>
@ -221,6 +241,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>A_REJECT AND A_REJECT!</term>
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of REJECT
and REJECT! respectively. Require AUDIT_TARGET support in the
kernel and iptables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DNAT</emphasis></term>
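Review bot: Typo in the term: "A_REJECT AND A_REJECT!" uses an upper-case "AND" while the sibling entries in this file write "A_DROP and A_DROP!"; please lower-case it here and in the identical shorewall6-rules term below.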

View File

@ -301,8 +301,8 @@
<varlistentry>
<term><emphasis
role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>]</term>
role="bold">DROP</emphasis>|A_DROP|<emphasis
role="bold">REJECT|A_REJECT</emphasis>]</term>
<listitem>
<para>This parameter determines the disposition of packets from
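Review bot: Inconsistent markup in the replacement term: `A_DROP` sits outside any `<emphasis>` element, while `A_REJECT` is folded into the REJECT element as `<emphasis role="bold">REJECT|A_REJECT</emphasis>`, so the `|` separator and A_REJECT render bold but A_DROP does not. Each alternative should be its own `<emphasis role="bold">...</emphasis>` with the `|` outside, as the original term did for DROP and REJECT; the MACLIST_DISPOSITION and TCP_FLAGS_DISPOSITION terms in this file, and the three shorewall6.conf terms, append `|A_DROP|A_REJECT` outside the emphasis and have the same problem.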
@ -310,6 +310,10 @@
be dropped or REJECT if the packets are to be replied with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not assign
a value or if you assign an empty value then DROP is assumed.</para>
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.</para>
</listitem>
</varlistentry>
@ -1071,7 +1075,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<term><emphasis role="bold">MACLIST_DISPOSITION=</emphasis>[<emphasis
role="bold">ACCEPT</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>]</term>
role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term>
<listitem>
<para>Determines the disposition of connections requests that fail
@ -1080,6 +1084,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
or DROP (ignore the connection request). If not set or if set to the
empty value (e.g., MACLIST_DISPOSITION="") then
MACLIST_DISPOSITION=REJECT is assumed.</para>
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.</para>
</listitem>
</varlistentry>
@ -1108,8 +1116,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>This problem can be worked around by setting
MACLIST_TABLE=mangle which will cause Mac verification to occur out
of the PREROUTING chain. Because REJECT isn't available in that
environment, you may not specify MACLIST_DISPOSITION=REJECT with
MACLIST_TABLE=mangle.</para>
environment, you may not specify MACLIST_DISPOSITION=REJECT or
MACLIST_DISPOSITION=A_REJECT with MACLIST_TABLE=mangle.</para>
</listitem>
</varlistentry>
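Review bot: This hunk only documents that MACLIST_DISPOSITION=A_REJECT is not allowed with MACLIST_TABLE=mangle; since the commit is documentation-only, please confirm the configuration validation that already refuses REJECT in the mangle table also refuses A_REJECT, otherwise the manual will promise an error the compiler does not raise. A reader would also benefit from knowing whether A_DROP is accepted in the mangle table, since the paragraph names only the REJECT forms.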
@ -1600,6 +1608,20 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SMURF_DISPOSITION=</emphasis>[<emphasis
role="bold">DROP</emphasis>|A_DROP]</term>
<listitem>
<para>Added in Shorewall 4.4.20. The default setting is DROP which
causes smurf packets (see the nosmurfs option in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
be dropped. A_DROP causes the packets to be audited prior to being
dropped and requires AUDIT_TARGET support in the kernel and
iptables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SMURF_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasis>]</term>
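Review bot: Missing documentation in the new SMURF_DISPOSITION entry: the next entry in the trailing context is SMURF_LOG_LEVEL, and the paragraph does not say how A_DROP interacts with it (whether an audited smurf packet is additionally logged at SMURF_LOG_LEVEL, or whether auditing replaces that logging). One sentence settling that would prevent administrators from double-logging or silently losing the syslog entry when they switch to A_DROP. For consistency with the other _DISPOSITION entries, consider the "If not set or if set to the empty value ... then DROP is assumed" phrasing instead of "The default setting is DROP".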
@ -1744,7 +1766,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">TCP_FLAGS_DISPOSITION=</emphasis>[<emphasis
role="bold">ACCEPT</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>]</term>
role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term>
<listitem>
<para>Determines the disposition of TCP packets that fail the checks
@ -1755,6 +1777,10 @@ net all DROP info</programlisting>then the chain name is 'net2all'
response) or DROP (ignore the packet). If not set or if set to the
empty value (e.g., TCP_FLAGS_DISPOSITION="") then
TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.</para>
</listitem>
</varlistentry>

View File

@ -78,7 +78,7 @@
<varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) -
{-|{dst|src|whitelist}[,...]}</term>
{-|{dst|src|whitelist|audit}[,...]}</term>
<listitem>
<para>If specified, indicates whether traffic
@ -128,6 +128,12 @@
role="bold">whitelist</emphasis> is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.</para>
<para>The <emphasis role="bold">audit</emphasis> option was also
added in 4.4.20 and causes packets matching the entry to be audited.
The <emphasis role="bold">audit</emphasis> option may not be
specified in whitelist entries and require AUDIT_TARGET support in
the kernel and ip6tables.</para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -149,6 +149,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>A_ACCEPT and A_ACCEPT!</term>
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of ACCEPT
and ACCEPT! respectively. Require AUDIT_TARGET support in the
kernel and ip6tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DROP</emphasis></term>
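Review bot: This entry lists only A_ACCEPT and A_ACCEPT!, whereas the shorewall-rules hunk above also documents A_ACCEPT+. If shorewall6 has no ACCEPT+ (it is the NAT-exclusion variant), the omission is correct, but it is worth a cross-check against the list of actions the shorewall6 compiler accepts so the two manual pages stay in agreement; as in the IPv4 file, the term should also get the `<emphasis role="bold">` wrapper used by the DROP entry in the trailing context.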
@ -167,6 +177,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>A_DROP and A_DROP!</term>
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of DROP and
DROP! respectively. Require AUDIT_TARGET support in the kernel
and ip6tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">REJECT</emphasis></term>
@ -186,6 +206,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>A_REJECT AND A_REJECT!</term>
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of REJECT
and REJECT! respectively. Require AUDIT_TARGET support in the
kernel and ip6tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">CONTINUE</emphasis></term>

View File

@ -240,8 +240,8 @@
<varlistentry>
<term><emphasis
role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>]</term>
role="bold">DROP</emphasis>|A_DROP|<emphasis
role="bold">REJECT|A_REJECT</emphasis>]</term>
<listitem>
<para>This parameter determines the disposition of packets from
@ -935,7 +935,7 @@
<term><emphasis role="bold">MACLIST_DISPOSITION=</emphasis>[<emphasis
role="bold">ACCEPT</emphasis>|<emphasis
role="bold">DROP</emphasis>|<emphasis
role="bold">REJECT</emphasis>]</term>
role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term>
<listitem>
<para>Determines the disposition of connections requests that fail
@ -944,6 +944,10 @@
or DROP (ignore the connection request). If not set or if set to the
empty value (e.g., MACLIST_DISPOSITION="") then
MACLIST_DISPOSITION=REJECT is assumed.</para>
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and ip6tables.</para>
</listitem>
</varlistentry>
@ -1289,6 +1293,20 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SMURF_DISPOSITION=</emphasis>[<emphasis
role="bold">DROP</emphasis>|A_DROP]</term>
<listitem>
<para>Added in Shorewall 4.4.20. The default setting is DROP which
causes smurf packets (see the nosmurfs option in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
be dropped. A_DROP causes the packets to be audited prior to being
dropped and requires AUDIT_TARGET support in the kernel and
ip6tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">SMURF_LOG_LEVEL=</emphasis>[<emphasis>log-level</emphasis>]</term>