forked from extern/shorewall_code
Update web site for 2.4.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2226 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
aef84305b4
commit
a3ad40f97c
@ -19,9 +19,499 @@ Texts. A copy of the license is included in the section entitled “<span
|
|||||||
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
|
class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free
|
||||||
Documentation License</a></span>”.<br>
|
Documentation License</a></span>”.<br>
|
||||||
</p>
|
</p>
|
||||||
<p>2005-05-26<br>
|
<p>2005-06-05<br>
|
||||||
</p>
|
</p>
|
||||||
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">05/20/2005
|
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">06/05/2005
|
||||||
|
Shorewall 2.4.0<br>
|
||||||
|
<br>
|
||||||
|
Note:</span> Because of the short time that has elapsed since the
|
||||||
|
release of Shorewall 2.2.0, Shorewall 2.0 will be supported until 1
|
||||||
|
December 2005 or until the release of Shorewall 2.6.0, whichever occurs
|
||||||
|
first.<br>
|
||||||
|
<br>
|
||||||
|
New Features:<br>
|
||||||
|
<ol>
|
||||||
|
<li>Shorewall 2.4.0 includes support for multiple internet interfaces
|
||||||
|
to different ISPs.<br>
|
||||||
|
<br>
|
||||||
|
The file /etc/shorewall/providers may be used to define the different
|
||||||
|
providers. It can actually be used to define alternate routing tables
|
||||||
|
so uses like transparent proxy can use the file as well.<br>
|
||||||
|
<br>
|
||||||
|
Columns are:<br>
|
||||||
|
<br>
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
NAME
|
||||||
|
The provider name.</span><br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
NUMBER The
|
||||||
|
provider number -- a number between 1 and 15</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
MARK
|
||||||
|
A FWMARK value used in your /etc/shorewall/tcrules file to direct
|
||||||
|
packets for this provider.</span><br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
DUPLICATE The name of an existing
|
||||||
|
table to duplicate. May</span><span style="font-family: monospace;"> be
|
||||||
|
'main' or the name of a previous provider.</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
INTERFACE The name of the network
|
||||||
|
interface to the</span><span style="font-family: monospace;"> provider.
|
||||||
|
Must be listed in</span><span style="font-family: monospace;">
|
||||||
|
/etc/shorewall/interfaces.</span><br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
GATEWAY The IP address
|
||||||
|
of the provider's gateway router.</span><span
|
||||||
|
style="font-family: monospace;"> If you enter "detect" here then
|
||||||
|
Shorewall will</span><span style="font-family: monospace;"> attempt to
|
||||||
|
determine the gateway IP address</span><span
|
||||||
|
style="font-family: monospace;"> automatically.</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
OPTIONS A
|
||||||
|
comma-separated list selected from the</span><span
|
||||||
|
style="font-family: monospace;"> following:</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
track If specified, connections FROM this interface are</span><span
|
||||||
|
style="font-family: monospace;"> to be tracked so that responses may
|
||||||
|
be routed</span><span style="font-family: monospace;"> back out this
|
||||||
|
same interface.</span><br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
You want specify 'track' if internet hosts will be</span><span
|
||||||
|
style="font-family: monospace;"> connecting to local servers through
|
||||||
|
this</span><span style="font-family: monospace;"> provider.</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
Because of limitations in the 'ip' utility and</span><span
|
||||||
|
style="font-family: monospace;"> policy routing, you may not use the
|
||||||
|
SAVE or</span><span style="font-family: monospace;"> RESTORE tcrules
|
||||||
|
options or use connection</span><span style="font-family: monospace;">
|
||||||
|
marking on any traffic to or from this</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
interface. For traffic control purposes, you</span><span
|
||||||
|
style="font-family: monospace;"> must mark packets in the FORWARD
|
||||||
|
chain (or</span><span style="font-family: monospace;"> better yet, use
|
||||||
|
the CLASSIFY target).</span><br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
balance The providers that have 'balance' specified will</span><span
|
||||||
|
style="font-family: monospace;"> get outbound traffic load-balanced
|
||||||
|
among them. By</span><span style="font-family: monospace;"> default,
|
||||||
|
all interfaces with 'balance' specified</span><span
|
||||||
|
style="font-family: monospace;"> will have the same
|
||||||
|
weight <br>
|
||||||
|
|
||||||
|
(1). You can change the</span><span style="font-family: monospace;">
|
||||||
|
weight of the route out of the interface by</span><span
|
||||||
|
style="font-family: monospace;"> specifiying balance=<weight>
|
||||||
|
where <weight> is</span><span style="font-family: monospace;">
|
||||||
|
the desired route weight.</span><br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
Example: You run squid in
|
||||||
|
your DMZ on IP address 192.168.2.99. Your DMZ interface is eth2<br>
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
#NAME NUMBER MARK DUPLICATE INTERFACE
|
||||||
|
GATEWAY OPTIONS</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
Squid 1
|
||||||
|
1
|
||||||
|
-
|
||||||
|
eth2 192.168.2.99 -</span><br>
|
||||||
|
<br>
|
||||||
|
Use of this feature requires that your kernel and iptabls
|
||||||
|
support CONNMARK target and conntrack match support. It does NOT
|
||||||
|
require the ROUTE target extension.<br>
|
||||||
|
<br>
|
||||||
|
WARNING: The current version of iptables (1.3.1) is broken
|
||||||
|
with respect to CONNMARK and iptables-save/iptables-restore. This means
|
||||||
|
that if you configure multiple ISPs, "shorewall restore" may<br>
|
||||||
|
fail. You must patch your iptables using the patch at <a
|
||||||
|
href="http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff">http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff</a>.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Shorewall 2.3.0 supports the 'cmd-owner' option of the owner
|
||||||
|
match facility in Netfilter. Like all owner match options, 'cmd-owner'
|
||||||
|
may only be applied to traffic that originates on the firewall.<br>
|
||||||
|
<br>
|
||||||
|
The syntax of the USER/GROUP column in the following files has been
|
||||||
|
extended:<br>
|
||||||
|
<br>
|
||||||
|
/etc/shorewall/accounting<br>
|
||||||
|
/etc/shorewall/rules<br>
|
||||||
|
/etc/shorewall/tcrules<br>
|
||||||
|
|
||||||
|
/usr/share/shorewall/action.template<br>
|
||||||
|
<br>
|
||||||
|
To specify a command, prefix the command name with "+".<br>
|
||||||
|
<br>
|
||||||
|
Examples:<br>
|
||||||
|
<br>
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
+mozilla-bin
|
||||||
|
#The program is named "mozilla-bin"</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
joe+mozilla-bin #The
|
||||||
|
program is named "mozilla-bin" and</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
#is being run by user "joe"</span><br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
joe:users+mozilla-bin #The program is named "mozilla-bin"
|
||||||
|
and</span><br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
#is being run by user "joe" with</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
#effective group "users".</span><br style="font-family: monospace;">
|
||||||
|
<br>
|
||||||
|
Note that this is not a particularly robust feature and I
|
||||||
|
would never advertise it as a "Personal Firewall" equivalent. Using
|
||||||
|
symbolic links, it's easy to alias command names to be anything you
|
||||||
|
want.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Support has been added for ipsets (see <a
|
||||||
|
href="http://people.netfilter.org/kadlec/ipset/">http://people.netfilter.org/kadlec/ipset/</a>).<br>
|
||||||
|
<br>
|
||||||
|
In most places where a host or network address may be used, you may
|
||||||
|
also use the name of an ipset prefaced by "+".<br>
|
||||||
|
<br>
|
||||||
|
Example: "+Mirrors"<br>
|
||||||
|
<br>
|
||||||
|
The name of the set may be optionally followed by:<br>
|
||||||
|
<br>
|
||||||
|
a) a number from 1 to 6 enclosed in square brackets ([]) -- this number
|
||||||
|
indicates the maximum number of ipset binding levels that are to be
|
||||||
|
matched. Depending on the context where the ipset name is used, either
|
||||||
|
all "src" or all "dst" matches will be used.<br>
|
||||||
|
<br>
|
||||||
|
Example: "+Mirrors[4]"<br>
|
||||||
|
<br>
|
||||||
|
b) a series of "src" and "dst" options separated by commas and inclosed
|
||||||
|
in square brackets ([]). These will be passed directly to iptables in
|
||||||
|
the generated --set clause. See the ipset documentation for details.<br>
|
||||||
|
<br>
|
||||||
|
Example:
|
||||||
|
"+Mirrors[src,dst,src]"<br>
|
||||||
|
<br>
|
||||||
|
Note that "+Mirrors[4]" used in the SOURCE column of the rules file is
|
||||||
|
equivalent to "+Mirrors[src,src,src,src]".<br>
|
||||||
|
<br>
|
||||||
|
To generate a negative match, prefix the "+" with "!" as in "!+Mirrors".<br>
|
||||||
|
<br>
|
||||||
|
Example 1: Blacklist all hosts in an ipset named "blacklist"<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
/etc/shorewall/blacklist<br>
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
#ADDRESS/SUBNET
|
||||||
|
PROTOCOL PORT</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
+blacklist</span><br style="font-family: monospace;">
|
||||||
|
<br>
|
||||||
|
Example 2: Allow SSH from all hosts in an ipset named "sshok:<br>
|
||||||
|
<br>
|
||||||
|
|
||||||
|
/etc/shorewall/rules<br>
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
#ACTION
|
||||||
|
SOURCE DEST
|
||||||
|
PROTO DEST PORT(S)</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
ACCEPT
|
||||||
|
+sshok
|
||||||
|
fw
|
||||||
|
tcp 22</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br>
|
||||||
|
Shorewall can automatically capture the contents of your ipsets for
|
||||||
|
you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf
|
||||||
|
then "shorewall save" will save the contents of your ipsets. The file
|
||||||
|
where the sets are saved is formed by taking the name where the
|
||||||
|
Shorewall configuration is stored and appending "-ipsets". So if you
|
||||||
|
enter the command "shorewall save standard" then your Shorewall
|
||||||
|
configuration will be saved in var/lib/shorewall/standard and your
|
||||||
|
ipset contents will be saved in /var/lib/shorewall/standard-ipsets.
|
||||||
|
Assuming the default RESTOREFILE setting, if you just enter "shorewall
|
||||||
|
save" then your Shorewall configuration will be saved in
|
||||||
|
/var/lib/shorewall/restore and your ipset contents will be saved in
|
||||||
|
/var/lib/shorewall/restore-ipsets.<br>
|
||||||
|
<br>
|
||||||
|
Regardless of the setting of SAVE_IPSETS, the "shorewall -f start" and
|
||||||
|
"shorewall restore" commands will restore the ipset contents
|
||||||
|
corresponding to the Shorewall configuration restored provided that the
|
||||||
|
saved Shorewall configuration specified exists.<br>
|
||||||
|
<br>
|
||||||
|
For example, "shorewall restore standard" would restore the ipset
|
||||||
|
contents from /var/lib/shorewall/standard-ipsets provided that
|
||||||
|
/var/lib/shorewall/standard exists and is executable and that
|
||||||
|
/var/lib/shorewall/standard-ipsets exists and is executable.<br>
|
||||||
|
<br>
|
||||||
|
Also regardless of the setting of SAVE_IPSETS, the "shorewall forget"
|
||||||
|
command will purge the saved ipset information (if any) associated with
|
||||||
|
the saved shorewall configuration being removed.<br>
|
||||||
|
<br>
|
||||||
|
You can also associate ipset contents with Shorewall configuration
|
||||||
|
directories using the following command:<br>
|
||||||
|
<br>
|
||||||
|
ipset -S > <config
|
||||||
|
directory>/ipsets<br>
|
||||||
|
<br>
|
||||||
|
Example:<br>
|
||||||
|
<br>
|
||||||
|
ipset -S > /etc/shorewall/ipsets<br>
|
||||||
|
<br>
|
||||||
|
When you start or restart Shorewall (including using the 'try' command)
|
||||||
|
from the configuration directory, your ipsets will be configured from
|
||||||
|
the saved ipsets file. Once again, this behavior is independent of the
|
||||||
|
setting of SAVE_IPSETS.<br>
|
||||||
|
<br>
|
||||||
|
Ipsets are well suited for large blacklists. You can maintain your
|
||||||
|
blacklist using the 'ipset' utility without ever having to restart or
|
||||||
|
refresh Shorewall. If you use the SAVE_IPSETS=Yes feature just be sure
|
||||||
|
to "shorewall save" after altering the blacklist ipset(s).<br>
|
||||||
|
<br>
|
||||||
|
Example /etc/shorewall/blacklist:<br>
|
||||||
|
<br>
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
#ADDRESS/SUBNET
|
||||||
|
PROTOCOL PORT</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
+Blacklist[src,dst]</span><br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
+Blacklistnets[src,dst]</span><br style="font-family: monospace;">
|
||||||
|
<br>
|
||||||
|
Create the blacklist ipsets using:<br>
|
||||||
|
<br>
|
||||||
|
ipset -N
|
||||||
|
Blacklist iphash<br>
|
||||||
|
ipset -N
|
||||||
|
Blacklistnets nethash<br>
|
||||||
|
<br>
|
||||||
|
Add entries<br>
|
||||||
|
<br>
|
||||||
|
ipset -A Blacklist 206.124.146.177<br>
|
||||||
|
ipset -A Blacklistnets
|
||||||
|
206.124.146.0/24<br>
|
||||||
|
<br>
|
||||||
|
To allow entries for individual ports<br>
|
||||||
|
<br>
|
||||||
|
ipset -N SMTP portmap --from 1
|
||||||
|
--to 31<br>
|
||||||
|
ipset -A SMTP 25<br>
|
||||||
|
<br>
|
||||||
|
ipset -A Blacklist 206.124.146.177<br>
|
||||||
|
ipset -B Blacklist 206.124.146.177
|
||||||
|
-b SMTP<br>
|
||||||
|
<br>
|
||||||
|
Now only port 25 will be blocked from 206.124.146.177.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>Shorewall 2.4.0 can now configure routing if your kernel and
|
||||||
|
iptables support the ROUTE target extension. This extension is
|
||||||
|
available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since the
|
||||||
|
Netfilter team have no intention of ever releasing the ROUTE target
|
||||||
|
extension to kernel.org.<br>
|
||||||
|
<br>
|
||||||
|
Routing is configured using the /etc/shorewall/routes file. Columns in
|
||||||
|
the file are as follows:<br>
|
||||||
|
<br>
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
SOURCE
|
||||||
|
Source of the packet. May be any of the</span><span
|
||||||
|
style="font-family: monospace;"> following:</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- A host or network address</span><br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- A network interface name.</span><br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- The name of an ipset prefaced with "+"</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- $FW (for packets originating on the firewall)</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- A MAC address in Shorewall format</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- A range of IP addresses (assuming that your</span><span
|
||||||
|
style="font-family: monospace;"> kernel and iptables support range
|
||||||
|
match)</span><br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- A network interface name followed by ":"</span><span
|
||||||
|
style="font-family: monospace;"> and an address or address range.</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
DEST
|
||||||
|
Destination of the packet. May be any of the</span><span
|
||||||
|
style="font-family: monospace;"> following:</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- A host or network address</span><br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- A network interface name (determined from</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
routing table(s))</span><br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- The name of an ipset prefaced with "+"</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
- A network interface name followed by ":"</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
and an address or address range.</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
PROTO
|
||||||
|
Protocol - Must be "tcp", "udp", "icmp",</span><span
|
||||||
|
style="font-family: monospace;"> "ipp2p", a number, or "all". "ipp2p"
|
||||||
|
requires</span><span style="font-family: monospace;"> ipp2p match
|
||||||
|
support in your kernel and</span><span style="font-family: monospace;">
|
||||||
|
iptables.</span><br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
PORT(S) Destination
|
||||||
|
Ports. A comma-separated list of</span><span
|
||||||
|
style="font-family: monospace;"> Port names (from /etc/services), port
|
||||||
|
numbers</span><span style="font-family: monospace;"> or port ranges; if
|
||||||
|
the protocol is "icmp", this</span><span style="font-family: monospace;">
|
||||||
|
column is interpreted as the destination</span><span
|
||||||
|
style="font-family: monospace;"> icmp-type(s).</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
If the protocol is ipp2p, this column is</span><span
|
||||||
|
style="font-family: monospace;"> interpreted as an ipp2p option
|
||||||
|
without the</span><span style="font-family: monospace;"> leading "--"
|
||||||
|
(example "bit" for bit-torrent).</span><span
|
||||||
|
style="font-family: monospace;"> If no PORT is given, "ipp2p" is
|
||||||
|
assumed.</span><br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
This column is ignored if PROTOCOL = all but</span><span
|
||||||
|
style="font-family: monospace;"> must be entered if any of the
|
||||||
|
following field</span><span style="font-family: monospace;"> is
|
||||||
|
supplied. In that case, it is suggested that</span><span
|
||||||
|
style="font-family: monospace;"> this field contain "-"</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
SOURCE PORT(S) (Optional) Source port(s). If omitted,</span><span
|
||||||
|
style="font-family: monospace;"> any source port is acceptable.
|
||||||
|
Specified as a</span><span style="font-family: monospace;">
|
||||||
|
comma-separated list of port names, port</span><span
|
||||||
|
style="font-family: monospace;"> numbers or port ranges.</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
TEST
|
||||||
|
Defines a test on the existing packet or</span><span
|
||||||
|
style="font-family: monospace;"> connection mark.</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
The rule will match only if the test returns</span><span
|
||||||
|
style="font-family: monospace;"> true. Tests have the format</span><span
|
||||||
|
style="font-family: monospace;"> [!]<value>[/<mask>][:C]</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
Where:</span><br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
! Inverts the test (not equal)</span><span
|
||||||
|
style="font-family: monospace;"> <value> Value of the packet or</span><span
|
||||||
|
style="font-family: monospace;"> connection mark.</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
<mask> A mask to be applied to the</span><span
|
||||||
|
style="font-family: monospace;"> mark before testing</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
:C Designates a connection</span><span
|
||||||
|
style="font-family: monospace;"> mark. If omitted, the packet</span><span
|
||||||
|
style="font-family: monospace;"> mark's value is tested.</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
INTERFACE The interface that the
|
||||||
|
packet is to be routed</span><span style="font-family: monospace;"> out
|
||||||
|
of. If you do not specify this field then</span><span
|
||||||
|
style="font-family: monospace;"> you must place "-" in this column and
|
||||||
|
enter an</span><span style="font-family: monospace;"> IP address in the
|
||||||
|
GATEWAY column.</span><br style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
<span style="font-family: monospace;">
|
||||||
|
GATEWAY The gateway
|
||||||
|
that the packet is to be forewarded</span><span
|
||||||
|
style="font-family: monospace;"> through.</span><br
|
||||||
|
style="font-family: monospace;">
|
||||||
|
<br style="font-family: monospace;">
|
||||||
|
</li>
|
||||||
|
<li>Normally when Shorewall is stopped, starting or restarting then
|
||||||
|
connections are allowed from hosts listed in
|
||||||
|
/etc/shorewall/routestopped to the firewall and to other hosts listed
|
||||||
|
in /etc/shorewall/routestopped.<br>
|
||||||
|
<br>
|
||||||
|
A new 'source' option is added for entries in that file which will
|
||||||
|
cause Shorewall to allow traffic from the host listed in the entry to
|
||||||
|
ANY other host. When 'source' is specified in an entry, it is
|
||||||
|
unnecessary to also specify 'routeback'.<br>
|
||||||
|
<br>
|
||||||
|
Similarly, a new 'dest' option is added which will cause Shorewall to
|
||||||
|
allow traffic to the host listed in the entry from ANY other host. When
|
||||||
|
'source' is specified in an entry, it is unnecessary to also specify
|
||||||
|
'routeback'.<br>
|
||||||
|
<br>
|
||||||
|
</li>
|
||||||
|
<li>This change was implemented by Lorenzo Martignoni. It provides
|
||||||
|
two new commands: "safe-start" and "safe-restart".<br>
|
||||||
|
<br>
|
||||||
|
<span style="font-weight: bold;">safe-start</span> starts Shorewall
|
||||||
|
then prompts you to ask you if everything looks ok. If you answer "no"
|
||||||
|
or if you don't answer within 60 seconds, a "shorewall clear" is
|
||||||
|
executed.<br>
|
||||||
|
<br>
|
||||||
|
<span style="font-weight: bold;">safe-restart</span> saves your
|
||||||
|
current configuration to /var/lib/shorewall/safe-restart then issues a
|
||||||
|
"shorewall restart"; It then prompts you to ask if you if you want to
|
||||||
|
accept the new configuration. If you answer "no" or if you don't answer
|
||||||
|
within 60 seconds, the configuration is restored to its prior state.<br>
|
||||||
|
<br>
|
||||||
|
These new commands require either that your /bin/sh supports the "-t"
|
||||||
|
option to the 'read' command or that you have /bin/bash installed.<br>
|
||||||
|
</li>
|
||||||
|
</ol>
|
||||||
|
<span style="font-weight: bold;">05/20/2005
|
||||||
Shorewall CVS Repository has Moved to Sourceforge<br>
|
Shorewall CVS Repository has Moved to Sourceforge<br>
|
||||||
<br>
|
<br>
|
||||||
</span>The CVS repository may now be accessed at <a target="_top"
|
</span>The CVS repository may now be accessed at <a target="_top"
|
||||||
|
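Review bot: the 'dest' paragraph near the end of the routestopped item repeats the 'source' sentence verbatim ("When 'source' is specified in an entry, it is unnecessary to also specify 'routeback'."); for the 'dest' option it should read "When 'dest' is specified in an entry, ...", otherwise the new option is documented with the wrong condition. In the same hunk, the cmd-owner item opens with "Shorewall 2.3.0 supports the 'cmd-owner' option" inside a 2.4.0 announcement and presumably means 2.4.0; the placeholders `balance=<weight>`, `[!]<value>[/<mask>][:C]` and `<config directory>/ipsets` are emitted as raw `<` in the HTML, so browsers will swallow them as tags and readers will see `balance=` with nothing after it, which calls for `&lt;weight&gt;` etc.; and "saved in var/lib/shorewall/standard" is missing the leading slash on the path. Smaller typos worth fixing before publishing: "iptabls", "specifiying", "inclosed", "forewarded", "You want specify 'track'", the unclosed quote in `"sshok:`, and "prompts you to ask you if" / "ask if you if you want".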
@ -12,8 +12,15 @@
|
|||||||
<h1><span style="font-weight: bold;"></span>Shorewall 2.x</h1>
|
<h1><span style="font-weight: bold;"></span>Shorewall 2.x</h1>
|
||||||
<h2><a
|
<h2><a
|
||||||
href="http://lists.shorewall.net/pipermail/shorewall-users/2005-May/018605.html">A
|
href="http://lists.shorewall.net/pipermail/shorewall-users/2005-May/018605.html">A
|
||||||
Note About the Future of Shorewall from Tom Eastep</a><br>
|
Note About the Future of Shorewall from Tom Eastep</a></h2>
|
||||||
|
<h2>A Note of Thanks<br>
|
||||||
</h2>
|
</h2>
|
||||||
|
I would like to thank each and every one of you who have written to
|
||||||
|
offer your best wishes regarding my retirement from Shorewall. There
|
||||||
|
have been just too many posts to try to answer individually but I want
|
||||||
|
you to know that I appreciate your having taking the time to write.<br>
|
||||||
|
<br>
|
||||||
|
-Tom<br>
|
||||||
<hr style="width: 100%; height: 2px;">
|
<hr style="width: 100%; height: 2px;">
|
||||||
<p>The information on this site applies only
|
<p>The information on this site applies only
|
||||||
to 2.x releases of Shorewall. For older versions:</p>
|
to 2.x releases of Shorewall. For older versions:</p>
|
||||||
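Review bot: the new heading is written as `<h2>A Note of Thanks<br>` followed by `</h2>` on the next line, so the heading element carries a stray `<br>` that adds a blank line before the text; close it as `<h2>A Note of Thanks</h2>`, in line with the `</a></h2>` fix this hunk makes on the previous heading. The thank-you text also sits directly under `</h2>` with no `<p>` around it, unlike the other paragraphs on this page, and "I appreciate your having taking the time to write" should read "having taken the time".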
@ -31,19 +38,12 @@ to 2.x releases of Shorewall. For older versions:</p>
|
|||||||
target="_top">here</a>. </p>
|
target="_top">here</a>. </p>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
<p>The current 2.2 Stable Release is 2.2.5 -- Here are the <a
|
<p>The current 2.4 Stable Release is 2.4.0 -- Here are the <a
|
||||||
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/releasenotes.txt">release
|
href="http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.0/releasenotes.txt">release
|
||||||
notes</a> and here are the <a
|
notes</a> and here are the <a
|
||||||
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/known_problems.txt">known
|
href="http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.0/known_problems.txt">known
|
||||||
problems</a> and <a
|
problems</a> and <a
|
||||||
href="http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/">updates</a>.<br>
|
href="http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.0/errata/">updates</a>.<br>
|
||||||
</p>
|
|
||||||
<p>The current 2.3 Development Release is 2.4.0-RC2 -- Here are the <a
|
|
||||||
href="http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.0-RC2/releasenotes.txt">release
|
|
||||||
notes</a> and here are the <a
|
|
||||||
href="http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.0-RC2/known_problems.txt">known
|
|
||||||
problems</a> and <a
|
|
||||||
href="http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.0-RC2/errata/">updates</a>.
|
|
||||||
</p>
|
</p>
|
||||||
<p><a
|
<p><a
|
||||||
href="http://lists.shorewall.net/pipermail/shorewall-announce/2004-December/000451.html"><span
|
href="http://lists.shorewall.net/pipermail/shorewall-announce/2004-December/000451.html"><span
|
||||||
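Review bot: replacing the "current 2.2 Stable Release is 2.2.5" paragraph with the 2.4.0 one removes the only links on this page to the 2.2.5 release notes, known problems and errata; since 2.2 was the stable line until this release (the announcement in this same commit notes that 2.2.0 shipped only a short time ago), consider keeping a second paragraph for it so 2.2 users can still reach their errata. Dropping the "current 2.3 Development Release is 2.4.0-RC2" paragraph is correct now that 2.4.0 has shipped.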
@ -58,7 +58,7 @@ Foundation; with no Invariant Sections, with no Front-Cover, and with
|
|||||||
no Back-Cover Texts. A copy of the license is included in the section
|
no Back-Cover Texts. A copy of the license is included in the section
|
||||||
entitled “<a href="GnuCopyright.htm" target="_self">GNU
|
entitled “<a href="GnuCopyright.htm" target="_self">GNU
|
||||||
Free Documentation License</a>”.</p>
|
Free Documentation License</a>”.</p>
|
||||||
<p>2005-05-30</p>
|
<p>2005-06-05</p>
|
||||||
<hr style="width: 100%; height: 2px;">
|
<hr style="width: 100%; height: 2px;">
|
||||||
<h3>Table of Contents</h3>
|
<h3>Table of Contents</h3>
|
||||||
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
|
<p style="margin-left: 0.42in; margin-bottom: 0in;"><a href="#Intro">Introduction
|
||||||
|