forked from extern/shorewall_code
Clarify Zone exclusion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
e3b96862ef
commit
a2b8069ee3
@ -660,8 +660,8 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.6.6.</para>
|
||||
|
||||
<para> TARPIT captures and holds incoming TCP connections
|
||||
using no local per-connection resources.</para>
|
||||
<para>TARPIT captures and holds incoming TCP connections using
|
||||
no local per-connection resources.</para>
|
||||
|
||||
<para>TARPIT only works with the PROTO column set to tcp (6),
|
||||
and is totally application agnostic. This module will answer a
|
||||
@ -715,7 +715,7 @@
|
||||
|
||||
<listitem>
|
||||
<para>This mode is handy because we can send an inline
|
||||
RST (reset). It has no other function. </para>
|
||||
RST (reset). It has no other function.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@ -856,7 +856,10 @@
|
||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
||||
only refers to top-level zones (those with no parent zones). Note
|
||||
that <emphasis role="bold">any</emphasis> excludes all vserver
|
||||
zones, since those zones are nested within the firewall zone.</para>
|
||||
zones, since those zones are nested within the firewall zone.
|
||||
Beginning with Shorewall 4.4.13, exclusion is supported with
|
||||
<emphasis role="bold">any</emphasis> -- see see <ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
|
||||
<para>Hosts may also be specified as an IP address range using the
|
||||
syntax
|
||||
@ -962,18 +965,28 @@
|
||||
(Shorewall 4.4.17 and later).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>loc,dmz</term>
|
||||
|
||||
<listitem>
|
||||
<para>Both the <emphasis role="bold">loc</emphasis> and
|
||||
<emphasis role="bold">dmz</emphasis> zones.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>all!dmz</term>
|
||||
|
||||
<listitem>
|
||||
<para>All but the <emphasis role="bold">dmz</emphasis>
|
||||
zone.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term></term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DEST</emphasis> -
|
||||
{<emphasis>zone</emphasis>|<emphasis>zone-list</emphasis>[+]|{<emphasis
|
||||
@ -1017,6 +1030,35 @@
|
||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||
role="bold">DEST</emphasis> column, the rule is ignored.</para>
|
||||
|
||||
<para><emphasis role="bold">all</emphasis> means "All Zones",
|
||||
including the firewall itself. <emphasis role="bold">all-</emphasis>
|
||||
means "All Zones, except the firewall itself". When <emphasis
|
||||
role="bold">all</emphasis>[<emphasis role="bold">-</emphasis>] is
|
||||
used either in the <emphasis role="bold">SOURCE</emphasis> or
|
||||
<emphasis role="bold">DEST</emphasis> column intra-zone traffic is
|
||||
not affected. When <emphasis role="bold">all+</emphasis>[<emphasis
|
||||
role="bold">-</emphasis>] is "used, intra-zone traffic is affected.
|
||||
Beginning with Shorewall 4.4.13, exclusion is supported -- see see
|
||||
<ulink
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
|
||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
||||
only refers to top-level zones (those with no parent zones). Note
|
||||
that <emphasis role="bold">any</emphasis> excludes all vserver
|
||||
zones, since those zones are nested within the firewall zone.</para>
|
||||
|
||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
||||
<emphasis role="bold">any</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] is
|
||||
specified, clients may be further restricted to a list of networks
|
||||
and/or hosts by appending ":" and a comma-separated list of network
|
||||
and/or host addresses. Hosts may be specified by IP or MAC address;
|
||||
mac addresses must begin with "~" and must use "-" as a
|
||||
separator.</para>
|
||||
|
||||
<para>When <emphasis role="bold">all</emphasis> is used either in
|
||||
the <emphasis role="bold">SOURCE</emphasis> or <emphasis
|
||||
role="bold">DEST</emphasis> column intra-zone traffic is not
|
||||
@ -1025,11 +1067,6 @@
|
||||
exclusion is supported -- see see <ulink
|
||||
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
|
||||
|
||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
||||
only refers to top-level zones (those with no parent zones).</para>
|
||||
|
||||
<para>The <replaceable>zone</replaceable> should be omitted in
|
||||
DNAT-, REDIRECT- and NONAT rules.</para>
|
||||
|
||||
@ -1050,7 +1087,8 @@
|
||||
</listitem>
|
||||
</orderedlist></para>
|
||||
|
||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||
<para>Except when <emphasis
|
||||
role="bold">{all|any}</emphasis>[<emphasis
|
||||
role="bold">+]|[-</emphasis>] is specified, the server may be
|
||||
further restricted to a particular network, host or interface by
|
||||
appending ":" and the network, host or interface. See <emphasis
|
||||
|
||||
@ -791,6 +791,13 @@
|
||||
<ulink
|
||||
url="/manpages6/shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
|
||||
|
||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
||||
only refers to top-level zones (those with no parent zones). Note
|
||||
that <emphasis role="bold">any</emphasis> excludes all vserver
|
||||
zones, since those zones are nested within the firewall zone.</para>
|
||||
|
||||
<para>Except when <emphasis role="bold">all</emphasis>[<emphasis
|
||||
role="bold">+</emphasis>][<emphasis role="bold">-</emphasis>] or
|
||||
<emphasis role="bold">any</emphasis>[<emphasis
|
||||
@ -801,13 +808,6 @@
|
||||
mac addresses must begin with "~" and must use "-" as a
|
||||
separator.</para>
|
||||
|
||||
<para><emphasis role="bold">any</emphasis> is equivalent to
|
||||
<emphasis role="bold">all</emphasis> when there are no nested zones.
|
||||
When there are nested zones, <emphasis role="bold">any</emphasis>
|
||||
only refers to top-level zones (those with no parent zones). Note
|
||||
that <emphasis role="bold">any</emphasis> excludes all vserver
|
||||
zones, since those zones are nested within the firewall zone.</para>
|
||||
|
||||
<para>Hosts may also be specified as an IP address range using the
|
||||
syntax
|
||||
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user