Avoid confusion with <...>

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7818 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-12-02 17:11:46 +00:00
parent 963653ff5f
commit c6acc09cde

@ -176,7 +176,7 @@
port-forwarding rule to a local system is as follows:</para> port-forwarding rule to a local system is as follows:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT <programlisting>#ACTION SOURCE DEST PROTO DEST PORT
DNAT net loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>local port</emphasis>&gt;] &lt;<emphasis>protocol</emphasis>&gt; &lt;<emphasis>port #</emphasis>&gt;</programlisting> DNAT net loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis></programlisting>
<para>So to forward UDP port 7777 to internal system 192.168.1.5, the <para>So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</para> rule is:</para>
@ -185,23 +185,23 @@ DNAT net loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<e
DNAT net loc:192.168.1.5 udp 7777</programlisting> DNAT net loc:192.168.1.5 udp 7777</programlisting>
<para>If you want to forward requests directed to a particular address ( <para>If you want to forward requests directed to a particular address (
<emphasis>&lt;external IP&gt;</emphasis> ) on your firewall to an <emphasis>external-IP</emphasis> ) on your firewall to an internal
internal system:</para> system:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST. # PORT DEST.
DNAT net loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>local port</emphasis>&gt;] &lt;<emphasis>protocol</emphasis>&gt; &lt;<emphasis>port #</emphasis>&gt; - &lt;<emphasis>external IP</emphasis>&gt;</programlisting> DNAT net loc:<emphasis>local-IP-address</emphasis>&gt;[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis> - <emphasis>external-IP</emphasis></programlisting>
<para>If you want to forward requests from a particular internet address <para>If you want to forward requests from a particular internet address
( <emphasis>&lt;address&gt;</emphasis> ):</para> ( <emphasis>address</emphasis> ):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST. # PORT DEST.
DNAT net:<emphasis>&lt;address&gt;</emphasis> loc:&lt;l<emphasis>ocal IP address</emphasis>&gt;[:&lt;<emphasis>local port</emphasis>&gt;] &lt;<emphasis>protocol</emphasis>&gt; &lt;<emphasis>port #</emphasis>&gt; -</programlisting> DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>] <emphasis> protocol</emphasis> <emphasis>port-number</emphasis> -</programlisting>
<para>Finally, if you need to forward a range of ports, in the DEST PORT <para>Finally, if you need to forward a range of ports, in the DEST PORT
column specify the range as column specify the range as
<emphasis>&lt;low-port&gt;:&lt;high-port&gt;</emphasis>.</para> <emphasis>low-port:high-port</emphasis>.</para>
<section id="faq1a"> <section id="faq1a">
<title>(FAQ 1a) Okay -- I followed those instructions but it doesn't <title>(FAQ 1a) Okay -- I followed those instructions but it doesn't
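Review bot: In the external-IP example the new DNAT line still carries a stray `&gt;` right after the first placeholder (`loc:<emphasis>local-IP-address</emphasis>&gt;[:`), so the rendered rule shows a literal `>` that the other two examples in this hunk no longer have; drop it. In the source-address example, `<emphasis> protocol</emphasis>` has the separating space inside the element instead of before it; move the space out so the line matches its siblings.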
@ -628,8 +628,8 @@ dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis>
following:</para> following:</para>
<para>In <filename>/etc/shorewall/params (or in your <para>In <filename>/etc/shorewall/params (or in your
<filename>&lt;export directory&gt;/init</filename> file if you are <filename>export-directory/init</filename> file if you are using
using Shorewall Lite on the firewall system)</filename>:</para> Shorewall Lite on the firewall system)</filename>:</para>
<programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command> </programlisting> <programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command> </programlisting>
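Review bot: On the new `<filename>export-directory/init</filename>` line the placeholder loses its angle brackets but does not gain the `<emphasis>` that the other placeholders in this commit get, so `export-directory` now reads as a literal path component. Suggest `<filename><emphasis>export-directory</emphasis>/init</filename>`. The outer `<filename>` also still encloses the whole parenthetical up to `system)</filename>`; closing it directly after `/etc/shorewall/params` would fix the nesting while these lines are being touched.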
@ -1240,7 +1240,8 @@ DROP net fw udp 10619</programlisting>
</varlistentry> </varlistentry>
<varlistentry id="all2all"> <varlistentry id="all2all">
<term>all2&lt;zone&gt;, &lt;zone&gt;2all or all2all</term> <term>all2<emphasis>zone</emphasis>, <emphasis>zone</emphasis>2all
or all2all</term>
<listitem> <listitem>
<para>You have a <ulink <para>You have a <ulink
@ -1259,36 +1260,36 @@ DROP net fw udp 10619</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>&lt;zone1&gt;2&lt;zone2&gt;</term> <term><emphasis>zone</emphasis>12<emphasis>zone2</emphasis></term>
<listitem> <listitem>
<para>Either you have a <ulink <para>Either you have a <ulink
url="manpages/shorewall-policy.html">policy</ulink> for <emphasis url="manpages/shorewall-policy.html">policy</ulink> for
role="bold">&lt;zone1&gt;</emphasis> to <emphasis <emphasis>zone1</emphasis> to<emphasis> zone2</emphasis> that
role="bold">&lt;zone2&gt;</emphasis> that specifies a log level specifies a log level and this packet is being logged under that
and this packet is being logged under that policy or this packet policy or this packet matches a <ulink
matches a <ulink url="manpages/shorewall-rules.html">rule</ulink> url="manpages/shorewall-rules.html">rule</ulink> that includes a
that includes a log level.</para> log level.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>@&lt;source&gt;2&lt;dest&gt;</term> <term>@<emphasis>source</emphasis>2<emphasis>dest</emphasis></term>
<listitem> <listitem>
<para>You have a policy for traffic from &lt;<emphasis <para>You have a policy for traffic from
role="bold">source</emphasis>&gt; to &lt;<emphasis <emphasis>source</emphasis> to <emphasis>dest</emphasis> that
role="bold">dest</emphasis>&gt; that specifies TCP connection rate specifies TCP connection rate limiting (value in the LIMIT:BURST
limiting (value in the LIMIT:BURST column). The logged packet column). The logged packet exceeds that limit and was dropped.
exceeds that limit and was dropped. Note that these log messages Note that these log messages themselves are severely rate-limited
themselves are severely rate-limited so that a syn-flood won't so that a syn-flood won't generate a secondary DOS because of
generate a secondary DOS because of excessive log message. These excessive log message. These log messages were added in Shorewall
log messages were added in Shorewall 2.2.0 Beta 7.</para> 2.2.0 Beta 7.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>&lt;interface&gt;_mac</term> <term><emphasis>interface</emphasis>_mac</term>
<listitem> <listitem>
<para>The packet is being logged under the <emphasis <para>The packet is being logged under the <emphasis
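Review bot: The new term `<emphasis>zone</emphasis>12<emphasis>zone2</emphasis>` leaves the `1` outside the first emphasis, so it renders as "zone", a plain "12", then "zone2", and no longer matches the `zone1` used in the paragraph beneath it; it should be `<emphasis>zone1</emphasis>2<emphasis>zone2</emphasis>`. In the same entry, `to<emphasis> zone2</emphasis>` puts the space inside the element rather than before it. The `role="bold"` on zone1/zone2 and source/dest is also dropped in this hunk, which the commit message does not mention; confirm that the change from bold to plain emphasis is intended.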
@ -1911,7 +1912,7 @@ iptables: Invalid argument
<programlisting>#MARK SOURCE DEST <programlisting>#MARK SOURCE DEST
1:P 0.0.0.0/0 1:P 0.0.0.0/0
1 $FW 1 $FW
&lt;other MARK rules&gt;</programlisting> <emphasis>other MARK rules</emphasis></programlisting>
<para>Now any traffic that isn't marked by one of your other MARK rules <para>Now any traffic that isn't marked by one of your other MARK rules
will have mark = 1 and will be sent via ISP1. That will work whether will have mark = 1 and will be sent via ISP1. That will work whether