forked from extern/shorewall_code
Documentation updates for 2.2.3
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2026 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
05601aeb63
commit
9edbc16770
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-03-10</pubdate>
|
||||
<pubdate>2005-04-06</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -1079,6 +1079,16 @@ loc eth1:192.168.1.0/24,192.168.12.0/24</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>QUEUE</term>
|
||||
|
||||
<listitem>
|
||||
<para>Send the connection request to a user-space process via the
|
||||
iptables QUEUE target (useful when you are using
|
||||
Snort-inline).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>CONTINUE</term>
|
||||
|
||||
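Review bot: the new QUEUE entry does not say what happens when no user-space process is attached to the queue; with the iptables QUEUE target the kernel drops every queued packet in that case, so traffic matched by such a rule is silently blocked whenever Snort-inline (or whatever reads the queue) is not running, and the target also needs the ip_queue kernel module. A sentence on both would save readers a surprise. The other entries added in this commit carry a version annotation such as "(Added at version 2.2.0)"; this one should state the release that introduced it as well.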
@ -2651,6 +2661,37 @@ eth0 eth1 206.124.146.176</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>MACLIST_TTL</term>
|
||||
|
||||
<listitem>
|
||||
<para>(Added at version 2.2.0) The performance of configurations
|
||||
with a large numbers of entries in /etc/shorewall/maclist can be
|
||||
improved by setting the MACLIST_TTL variable in
|
||||
/etc/shorewall/shorewall.conf.</para>
|
||||
|
||||
<para>If your iptables and kernel support the "Recent Match" (see
|
||||
the output of "shorewall check" near the top), you can cache the
|
||||
results of a 'maclist' file lookup and thus reduce the overhead
|
||||
associated with <ulink url="MAC_Validation.html">MAC
|
||||
Verification</ulink>.</para>
|
||||
|
||||
<para>When a new connection arrives from a 'maclist' interface, the
|
||||
packet passes through then list of entries for that interface in
|
||||
/etc/shorewall/maclist. If there is a match then the source IP
|
||||
address is added to the 'Recent' set for that interface. Subsequent
|
||||
connection attempts from that IP address occuring within
|
||||
$MACLIST_TTL seconds will be accepted without having to scan all of
|
||||
the entries. After $MACLIST_TTL from the first accepted connection
|
||||
request from an IP address, the next connection request from that IP
|
||||
address will be checked against the entire list.</para>
|
||||
|
||||
<para>If MACLIST_TTL is not specified or is specified as empty (e.g,
|
||||
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
|
||||
not be cached).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>RFC1918_STRICT</term>
|
||||
|
||||
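Review bot: the version annotation "(Added at version 2.2.0)" at the start of this entry contradicts the MAC_Validation change in the same commit, which says "Beginning with Shorewall 2.2.3"; one of them is wrong, and the commit message suggests 2.2.3. The trade-off the text implies should also be spelled out: the Recent set is keyed on source IP address only, so for up to MACLIST_TTL seconds after a verified host connects, any packet carrying that IP address is accepted without its MAC being checked, and a larger TTL widens that window. Typos: "a large numbers of entries", "passes through then list", "occuring", and in the last paragraph the parenthesis opened at "(e.g," should close after MACLIST_TTL="" rather than after "cached".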
@ -3861,7 +3902,11 @@ all all tcp ftp-data - 8</programlisting
|
||||
<title>/etc/shorewall/routestopped (Added in Version 1.3.4)</title>
|
||||
|
||||
<para>This file defines the hosts that are accessible from the firewall
|
||||
when the firewall is stopped. Columns in the file are:</para>
|
||||
when the firewall is stopped. Beginning with Shorewall version 2.2.3,
|
||||
entries in this file are also active while Shorewall is being [re]started.
|
||||
</para>
|
||||
|
||||
<para>Columns in the file are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
|
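Review bot: the new sentence says routestopped entries are also active while Shorewall is [re]starting but does not relate that to the new continue extension script documented elsewhere in this commit, which exists for the same purpose; a cross-reference would tell readers which mechanism to use. Since this widens what the firewall permits during the restart window, the paragraph should also say whether the file's columns constrain that traffic in the same way they do when the firewall is stopped. Minor: the closing </para> sits on its own line, unlike the rest of the file.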
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-02-19</pubdate>
|
||||
<pubdate>2005-03-18</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -23,7 +23,7 @@
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<edition>2.2.0</edition>
|
||||
<edition>2.2.2</edition>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
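Review bot: the <edition> is bumped to 2.2.2 while the commit message and the other changes in this commit describe 2.2.3 (the routestopped and MACLIST_TTL text both say "2.2.3"); confirm this should not read 2.2.3.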
@ -162,6 +162,11 @@
|
||||
address or Subnet</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="configuration_file_basics.htm#IPRanges">IP
|
||||
Address Ranges</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="configuration_file_basics.htm#Levels">Shorewall
|
||||
Configurations (making a test configuration)</ulink></para>
|
||||
|
@ -17,10 +17,10 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-03-07</pubdate>
|
||||
<pubdate>2005-04-05</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
<year>2001-2005</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -78,8 +78,8 @@
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>(FAQ 44) I can't install the RPM — I keep getting the message
|
||||
"error: failed dependencies:iproute is needed..."</title>
|
||||
<title>(FAQ 44) I can't install/upgrade the RPM — I keep getting the
|
||||
message "error: failed dependencies:iproute is needed..."</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: Read the <ulink
|
||||
url="Install.htm">Installation Instructions</ulink>!!!!!</para>
|
||||
@ -233,6 +233,51 @@ DNAT net loc:<l<emphasis>ocal IP address</emphasis>>[:<<emphasis>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
|
||||
DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="faq1d">
|
||||
<title>(FAQ 1d) I have a web server in my DMZ and I use port
|
||||
forwarding to make that server accessible from the Internet. That
|
||||
works fine but when my local users try to connect to the server using
|
||||
the Firewall's external IP address, it doesn't work.</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: Let's assume the
|
||||
following:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>External IP address is 206.124.146.176 on <filename
|
||||
class="devicefile">eth0</filename>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Server's IP address is 192.168.2.4</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>You can enable access to the server from your local network
|
||||
using the firewall's external IP address by adding this rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT DEST
|
||||
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</programlisting>
|
||||
|
||||
<para>If your external IP address is dynamic, then you must do the
|
||||
following:</para>
|
||||
|
||||
<para>In <filename>/etc/shorewall/init</filename>:</para>
|
||||
|
||||
<programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting>
|
||||
|
||||
<para>For users of Shorewall 2.1.0 and later:</para>
|
||||
|
||||
<programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command></programlisting>
|
||||
|
||||
<para>and make your DNAT rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
|
||||
# PORT DEST.
|
||||
DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section id="faq30">
|
||||
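Review bot: the two alternative init snippets are ambiguous: the first (find_interface_address) carries no version qualifier and the second is "For users of Shorewall 2.1.0 and later", so a reader on 2.1.0 or later cannot tell whether to use one or both; label the first as the pre-2.1.0 form. The two rule listings also disagree on column headers ("DEST PORT(S)" versus "DEST PORT", "DEST" versus "DEST."); make them identical since the rules are the same. One more caveat worth a sentence: /etc/shorewall/init runs before the rules are built, so if eth0 has no address at that moment (a dynamic link that is down) $ETH0_IP expands to nothing and the rule loses its ORIGINAL DEST restriction; say what the reader should expect in that case.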
@ -409,6 +454,51 @@ dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis>
|
||||
have <quote>Yes</quote> in the ALL INTERFACES column.</para>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section id="faq2b">
|
||||
<title>(FAQ 2b) I have a web server in my DMZ and I use port
|
||||
forwarding to make that server accessible from the Internet as
|
||||
www.mydomain.com. That works fine but when my local users try to
|
||||
connect to www.mydomain.com, it doesn't work.</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: Let's assume the
|
||||
following:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>External IP address is 206.124.146.176 on <filename
|
||||
class="devicefile">eth0</filename> (www.mydomain.com).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Server's IP address is 192.168.2.4</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>You can enable access to the server from your local network
|
||||
using the firewall's external IP address by adding this rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||
# PORT DEST
|
||||
DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</programlisting>
|
||||
|
||||
<para>If your external IP address is dynamic, then you must do the
|
||||
following:</para>
|
||||
|
||||
<para>In <filename>/etc/shorewall/init</filename>:</para>
|
||||
|
||||
<programlisting><command>ETH0_IP=`find_interface_address eth0`</command></programlisting>
|
||||
|
||||
<para>For users of Shorewall 2.1.0 and later:</para>
|
||||
|
||||
<programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command></programlisting>
|
||||
|
||||
<para>and make your DNAT rule:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
|
||||
# PORT DEST.
|
||||
DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
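Review bot: this section duplicates FAQ 1d almost verbatim (same assumptions, same rules, same init snippets), so the two will drift apart on the next edit; keep the rules in 1d and have 2b state the one thing that differs, namely that www.mydomain.com resolves to the external address 206.124.146.176 (as its assumption list already says) and that the 1d rule therefore applies unchanged. The version-qualifier ambiguity and the header inconsistencies noted for 1d are copied here as well.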
@ -1144,9 +1234,13 @@ net net DROP</programlisting>
|
||||
eth0 eth2
|
||||
eth1 eth2</programlisting>
|
||||
|
||||
<para><citetitle>There was an article in SysAdmin covering this topic.
|
||||
It may be found at <ulink
|
||||
url="http://www.samag.com/documents/s=1824/sam0201h/">http://www.samag.com/documents/s=1824/sam0201h/</ulink></citetitle></para>
|
||||
<para>There was an article in SysAdmin covering the topic of setting up
|
||||
routing for this configuration. It may be found at <ulink
|
||||
url="http://www.samag.com/documents/s=1824/sam0201h/">http://www.samag.com/documents/s=1824/sam0201h/</ulink>.</para>
|
||||
|
||||
<para>Stephen Carville has put together a Shorewall-specific writeup
|
||||
that covers this subject at <ulink
|
||||
url="http://www.heronforge.net/redhat/node17.html">http://www.heronforge.net/redhat/node17.html</ulink>.</para>
|
||||
|
||||
<para><citetitle>The following information regarding setting up routing
|
||||
for this configuration is reproduced from the <ulink
|
||||
@ -1690,9 +1784,9 @@ alias ipt_pkttype off</programlisting>
|
||||
</variablelist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Given that the Debian Stable Release includes Shorewall 1.2.12,
|
||||
how can you not support that version?</title>
|
||||
<section id="faq43">
|
||||
<title>(FAQ 43) Given that the Debian Stable Release includes Shorewall
|
||||
1.2.12, how can you not support that version?</title>
|
||||
|
||||
<para>The first release of Shorewall was in March of 2001. Shorewall
|
||||
1.2.12 was released in May of 2002. It is now the year 2005 and
|
||||
@ -1909,7 +2003,12 @@ eth0 eth1 # eth1 = interface to local netwo
|
||||
nmap from the firewall system, I get <quote>operation not
|
||||
permitted</quote>. How do I allow this option?</title>
|
||||
|
||||
<para>Add this command to your /etc/shorewall/start file:</para>
|
||||
<para>If you are running Shorewall 2.2.0 or later, set DROPINVALID=No
|
||||
in <ulink
|
||||
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
|
||||
|
||||
<para>Otherwise, add this command to your /etc/shorewall/start
|
||||
file:</para>
|
||||
|
||||
<programlisting><command>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</command></programlisting>
|
||||
</section>
|
||||
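Review bot: the new paragraph should say what DROPINVALID=No gives up: the INVALID-state drop it disables (and that the run_iptables -D line below deletes) covers all non-ICMP output from the firewall, not only nmap, so either answer relaxes the firewall for every locally generated packet in order to let one scanner run. A note that the option can be set back to its default once the scan is done would be appropriate.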
@ -1958,8 +2057,8 @@ iptables: Invalid argument
|
||||
<section id="faq28">
|
||||
<title>(FAQ 28) How do I use Shorewall as a Bridging Firewall?</title>
|
||||
|
||||
<para>Experimental Shorewall Bridging Firewall support is available —
|
||||
<ulink url="bridge.html">check here for details</ulink>.</para>
|
||||
<para>Shorewall Bridging Firewall support is available — <ulink
|
||||
url="bridge.html">check here for details</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq39">
|
||||
|
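Review bot: dropping "Experimental" here changes the stated support status of bridging in the FAQ only; bridge.html, which this answer links to, does not appear in this commit and should carry the same status.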
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-03-11</pubdate>
|
||||
<pubdate>2005-04-06</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -94,6 +94,34 @@
|
||||
If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
|
||||
connection requests are not logged.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Beginning with Shorewall 2.2.3, the <emphasis
|
||||
role="bold">MACLIST_TTL</emphasis> variable in <ulink
|
||||
url="???">/etc/shorewall/shorewall.conf</ulink>. The performance of
|
||||
configurations with a large numbers of entries in
|
||||
/etc/shorewall/maclist can be improved by setting the MACLIST_TTL
|
||||
variable.</para>
|
||||
|
||||
<para>If your iptables and kernel support the "Recent Match" (see the
|
||||
output of "shorewall check" near the top), you can cache the results
|
||||
of a 'maclist' file lookup and thus reduce the overhead associated
|
||||
with MAC Verification.</para>
|
||||
|
||||
<para>When a new connection arrives from a 'maclist' interface, the
|
||||
packet passes through then list of entries for that interface in
|
||||
/etc/shorewall/maclist. If there is a match then the source IP address
|
||||
is added to the 'Recent' set for that interface. Subsequent connection
|
||||
attempts from that IP address occuring within $MACLIST_TTL seconds
|
||||
will be accepted without having to scan all of the entries. After
|
||||
$MACLIST_TTL from the first accepted connection request from an IP
|
||||
address, the next connection request from that IP address will be
|
||||
checked against the entire list.</para>
|
||||
|
||||
<para>If MACLIST_TTL is not specified or is specified as empty (e.g,
|
||||
MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
|
||||
be cached).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
|
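Review bot: the first sentence of the new list item has no main verb ("Beginning with Shorewall 2.2.3, the MACLIST_TTL variable in /etc/shorewall/shorewall.conf.") and the ulink still has the placeholder url="???"; finish the sentence (for example "... can be used to cache maclist lookups") and point the link at the MACLIST_TTL entry in the configuration reference. The version given here (2.2.3) also disagrees with the "(Added at version 2.2.0)" in that reference entry. The remaining paragraphs are a copy of the reference text and repeat its typos ("a large numbers", "passes through then list", "occuring") and the misplaced closing parenthesis in the last paragraph; since both copies need the same fixes, consider keeping the full description in one place and linking to it from the other.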
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-12-23</pubdate>
|
||||
<pubdate>2005-03-28</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001</year>
|
||||
@ -26,6 +26,8 @@
|
||||
|
||||
<year>2004</year>
|
||||
|
||||
<year>2005</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@ -355,7 +357,7 @@ alias ppp-compress-26 ppp_deflate</programlisting>
|
||||
<title>Configuring pptpd</title>
|
||||
|
||||
<para>PoPTop (pptpd) is available from <ulink
|
||||
url="http://poptop.lineo.com/">http://poptop.lineo.com/</ulink>.</para>
|
||||
url="http://www.poptop.org/">http://www.poptop.org/</ulink>.</para>
|
||||
|
||||
<para>Here is a copy of my /etc/pptpd.conf file:</para>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-03-24</pubdate>
|
||||
<pubdate>2005-03-18</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
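Review bot: the pubdate goes backwards, from 2005-03-24 to 2005-03-18, in a commit that edits this file; this looks like the change was made against a stale copy. Use the current date (the other files in this commit use 2005-04-06) and check that nothing from the 2005-03-24 revision was lost.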
@ -448,7 +448,7 @@ smtp,www,pop3,imap #Services running on the firewall</programlisting>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="IPRanges">
|
||||
<title>IP Address Ranges</title>
|
||||
|
||||
<para>Beginning with Shorewall 2.2.0, if you kernel and iptables have
|
||||
@ -506,7 +506,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
|
||||
heading "Shorewall has detected the following iptables/netfilter
|
||||
capabilities:") and if its use is appropriate.</para>
|
||||
|
||||
<para>Shorewall can use multiport match if: </para>
|
||||
<para>Shorewall can use multiport match if:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -630,9 +630,11 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>specifying the separate directory in a shorewall start or
|
||||
shorewall restart command (e.g., <command>shorewall /etc/testconfig
|
||||
restart</command> )</para>
|
||||
<para>specifying the separate directory in a <command>shorewall
|
||||
start</command> or <command>shorewall restart</command> command (e.g.,
|
||||
<command>shorewall restart /etc/testconfig</command> using Shorewall
|
||||
2.2.0 and later or <command>shorewall -c /etc/testconf
|
||||
restart</command> using earlier versions )</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
|
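Review bot: the two example commands use different directory names, /etc/testconfig for 2.2.0 and later and /etc/testconf for earlier versions; use the same path in both so the reader sees that only the command syntax changed between versions.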
@ -15,10 +15,10 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-05-10</pubdate>
|
||||
<pubdate>2005-04-06</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
<year>2001-2005</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -29,7 +29,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -70,7 +71,8 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>start -- invoked after the firewall has been started or restarted.</para>
|
||||
<para>start -- invoked after the firewall has been started or
|
||||
restarted.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -96,10 +98,19 @@
|
||||
<quote>newnotsyn</quote> chain has been created but before any rules
|
||||
have been added to it.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>continue (added in version 2.2.3) -- invoked to allow you to
|
||||
insert special rules to allow traffic while Shorewall is [re]starting.
|
||||
Any rules added in this script should be deleted in your
|
||||
<emphasis>start</emphasis> script. This script is invoked earlier in the
|
||||
[re]start process than is the <emphasis>initdone</emphasis> script
|
||||
described above.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para><emphasis role="bold">If your version of Shorewall doesn't have
|
||||
the file that you want to use from the above list, you can simply create the
|
||||
<para><emphasis role="bold">If your version of Shorewall doesn't have the
|
||||
file that you want to use from the above list, you can simply create the
|
||||
file yourself.</emphasis> You can also supply a script with the same name as
|
||||
any of the filter chains in the firewall and the script will be invoked
|
||||
after the /etc/shorewall/rules file has been processed but before the
|
||||
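Review bot: "Any rules added in this script should be deleted in your start script" leaves the reader to work out why: rules inserted from continue remain in the running firewall after the [re]start completes, so anything opened for the restart window stays open until the start script removes it. Say so, and say where in the chain set-up continue is invoked relative to the chains a script can add to (the newnotsyn entry above gives that kind of timing; this entry only says "earlier than initdone"). A cross-reference to the routestopped change in this commit, which is the built-in way to keep traffic flowing during a [re]start, would also help.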
@ -114,10 +125,10 @@
|
||||
<command>run_iptables</command> instead. <command>run_iptables</command>
|
||||
will run the iptables utility passing the arguments to
|
||||
<command>run_iptables</command> and if the command fails, the firewall
|
||||
will be stopped (Shorewall version < 2.0.2 Beta 1 or there is no
|
||||
will be stopped (Shorewall version < 2.0.2 Beta 1 or there is no
|
||||
<filename>/var/lib/shorewall/restore</filename> file) or restored
|
||||
(Shorewall version >= 2.0.2 Beta 1 and <filename>/var/lib/shorewall/restore</filename>
|
||||
exists).</para>
|
||||
(Shorewall version >= 2.0.2 Beta 1 and
|
||||
<filename>/var/lib/shorewall/restore</filename> exists).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -125,11 +136,13 @@
|
||||
commands other than <command>iptables</command> that must be re-run in
|
||||
order to restore the firewall to its current state then you must save
|
||||
the commands to the <firstterm>restore file</firstterm>. The restore
|
||||
file is a temporary file in <filename class="directory">/var/lib/shorewall</filename>
|
||||
that will be renamed <filename>/var/lib/shorewall/restore-base</filename>
|
||||
at the successful completion of the Shorewall command. The
|
||||
<command>shorewall save</command> command combines <filename>/var/lib/shorewall/restore-base</filename>
|
||||
with the output of <command>iptables-save</command> to produce the
|
||||
file is a temporary file in <filename
|
||||
class="directory">/var/lib/shorewall</filename> that will be renamed
|
||||
<filename>/var/lib/shorewall/restore-base</filename> at the successful
|
||||
completion of the Shorewall command. The <command>shorewall
|
||||
save</command> command combines
|
||||
<filename>/var/lib/shorewall/restore-base</filename> with the output of
|
||||
<command>iptables-save</command> to produce the
|
||||
<filename>/var/lib/shorewall/restore</filename> script.</para>
|
||||
|
||||
<para>Here are three functions that are useful when running commands
|
||||
@ -142,15 +155,15 @@
|
||||
|
||||
<para>Example: <programlisting>save_command echo Operation Complete</programlisting></para>
|
||||
|
||||
<para>That command would simply write "echo Operation
|
||||
Complete" to the restore file.</para>
|
||||
<para>That command would simply write "echo Operation Complete" to
|
||||
the restore file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">run_and_save_command()</emphasis> --
|
||||
saves the passed command to the restore file then executes it. The
|
||||
return value is the exit status of the command. Example:
|
||||
<programlisting>run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"</programlisting></para>
|
||||
<programlisting>run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"</programlisting></para>
|
||||
|
||||
<para>Note that as in this example, when the command involves file
|
||||
redirection then the entire command must be enclosed in quotes. This
|
||||
@ -160,21 +173,21 @@
|
||||
<listitem>
|
||||
<para><emphasis role="bold">ensure_and_save_command()</emphasis> --
|
||||
runs the passed command. If the command fails, the firewall is
|
||||
restored to it's prior saved state and the operation is
|
||||
terminated. If the command succeeds, the command is written to the
|
||||
restore file</para>
|
||||
restored to it's prior saved state and the operation is terminated.
|
||||
If the command succeeds, the command is written to the restore
|
||||
file</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Beginning with Shorewall 2.0.0, you can also define a
|
||||
<emphasis>common action</emphasis> to be performed immediately before a
|
||||
policy of ACCEPT, DROP or REJECT is applied. Separate <ulink
|
||||
url="Actions.html">actions</ulink> can be assigned to each
|
||||
policy type so for example you can have a different common action for DROP
|
||||
and REJECT policies. The most common usage of common actions is to silently
|
||||
drop traffic that you don't wish to have logged by the policy.</para>
|
||||
<para>Beginning with Shorewall 2.0.0, you can also define a <emphasis>common
|
||||
action</emphasis> to be performed immediately before a policy of ACCEPT,
|
||||
DROP or REJECT is applied. Separate <ulink
|
||||
url="Actions.html">actions</ulink> can be assigned to each policy type so
|
||||
for example you can have a different common action for DROP and REJECT
|
||||
policies. The most common usage of common actions is to silently drop
|
||||
traffic that you don't wish to have logged by the policy.</para>
|
||||
|
||||
<para>As released, Shorewall defines a number of actions which are cataloged
|
||||
in the <filename>/usr/share/shorewall/actions.std</filename> file. That file
|
||||
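Review bot: the reflowed ensure_and_save_command() text keeps the pre-existing typo "it's prior saved state" (should be "its") and still ends without a period after "restore file"; since these lines are being touched anyway, fix both.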
@ -197,10 +210,10 @@ Reject:REJECT</programlisting>
|
||||
|
||||
<para>One final note. The chain created to perform an action has the same
|
||||
name as the action. You can use an extension script by that name to add
|
||||
rules to the action's chain in the same way as you can any other chain.
|
||||
So if you create the new action <quote>Dagger</quote> and define it in
|
||||
rules to the action's chain in the same way as you can any other chain. So
|
||||
if you create the new action <quote>Dagger</quote> and define it in
|
||||
<filename>/etc/shorewall/action.Dagger</filename>, you can also have an
|
||||
extension script named <filename>/etc/shorewall/Dagger</filename> that can
|
||||
add rules to the <quote>Dagger</quote> chain that can't be created using
|
||||
add rules to the <quote>Dagger</quote> chain that can't be created using
|
||||
<filename>/etc/shorewall/action.Dagger</filename>.</para>
|
||||
</article>
|
||||
</article>
|
@ -13,7 +13,7 @@
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2005-02-07</pubdate>
|
||||
<pubdate>2005-03-22</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -38,9 +38,8 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>A kernel that supports netfilter. I've tested with 2.4.2 -
|
||||
2.6.10. With current releases of Shorewall, Traffic Shaping/Control
|
||||
requires at least 2.4.18. Check <ulink url="kernel.htm">here</ulink>
|
||||
for kernel configuration information.</para>
|
||||
2.6.11. Check <ulink url="kernel.htm">here</ulink> for kernel
|
||||
configuration information.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
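Review bot: this hunk removes the sentence saying Traffic Shaping/Control requires at least kernel 2.4.18 while the stated tested range still begins at 2.4.2; if the requirement still holds it should stay here or move to the traffic shaping page, and if it no longer holds the commit should say so.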
@ -52,7 +51,7 @@
|
||||
<para>Iproute (<quote>ip</quote> utility). The iproute package is
|
||||
included with most distributions but may not be installed by default.
|
||||
The official download site is <ulink type="remote"
|
||||
url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>.</para>
|
||||
url="ftp://ftp.inr.ac.ru/ip-routing">http://developer.osdl.org/dev/iproute2/download/</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
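Review bot: only the link text was changed here; the ulink's url attribute still reads ftp://ftp.inr.ac.ru/ip-routing while the visible text now says http://developer.osdl.org/dev/iproute2/download/, so the rendered link will still go to the old FTP site. The corresponding hunk later in this commit (the page with the AllowPing example) updates both the attribute and the text; do the same here.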
@ -15,11 +15,13 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-12-11</pubdate>
|
||||
<pubdate>2005-04-06</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2004</year>
|
||||
|
||||
<year>2005</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2005-02-12</pubdate>
|
||||
<pubdate>2005-03-31</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2002-2005</year>
|
||||
@ -63,7 +63,11 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>DMZ connected to a separate ethernet interface.</para>
|
||||
<para>DMZ connected to a separate ethernet interface. The purpose of a
|
||||
DMZ is to isolate those servers that are exposed to the Internet from
|
||||
your local systems so that if one of those servers is compromised
|
||||
there is still a firewall between the hacked server and your local
|
||||
systems.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
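Review bot: the added sentence says that after a DMZ server is compromised "there is still a firewall between the hacked server and your local systems", but that only helps if the policy for traffic originating in the DMZ toward the local zone is restrictive; add that the isolation depends on that policy, otherwise the paragraph overstates what the separate interface alone buys.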
@ -13,7 +13,7 @@
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
|
||||
<pubdate>2005-03-05</pubdate>
|
||||
<pubdate>2005-03-22</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2005</year>
|
||||
@ -406,7 +406,7 @@ AllowPing <emphasis><source zone></emphasis> <emphasis><des
|
||||
should be included with your distribution (though many distributions
|
||||
don't install iproute by default). You may also download the latest
|
||||
source tarball from <ulink
|
||||
url="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</ulink>
|
||||
url="http://developer.osdl.org/dev/iproute2/download/">http://developer.osdl.org/dev/iproute2/download/</ulink>
|
||||
.</para>
|
||||
</listitem>
|
||||
|
||||
|
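Review bot: the closing "." sits on the line after </ulink>, so it renders with a space before it ("... /download/ ."); move it onto the </ulink> line. Otherwise this is the correct form of the iproute URL change, with both the url attribute and the link text updated, unlike the Install page hunk earlier in this commit.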