Merge branch '4.5.21'
Conflicts: Shorewall/manpages/shorewall.conf.xml Shorewall6/manpages/shorewall6.conf.xml Signed-off-by: Tom Eastep <teastep@shorewall.net>
c9d7370fb4
@ -690,7 +690,13 @@ sub process_stoppedrules() {
|
||||
my $result;
|
||||
|
||||
if ( my $fn = open_file 'stoppedrules' , 1, 1 ) {
|
||||
first_entry "$doing $fn...";
|
||||
first_entry sub() {
|
||||
progress_message2("$doing $fn...");
|
||||
unless ( $config{ADMINISABSENTMINDED} ) {
|
||||
warning_message("Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes");
|
||||
$config{ADMINISABSENTMINDED} = 'Yes';
|
||||
}
|
||||
};
|
||||
|
||||
while ( read_a_line( NORMAL_READ ) ) {
|
||||
|
||||
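Review bot: The warning text added inside the new first_entry callback names the wrong file: the callback sits in process_stoppedrules and the file opened just above it is 'stoppedrules', yet the message reads `Entries in the routestopped file are processed as if ADMINISABSENTMINDED=Yes`; it should read `Entries in the stoppedrules file are processed as if ADMINISABSENTMINDED=Yes` so the administrator can see which file overrode the setting. The override itself widens the stopped-state policy (the later hunk at -2526 now installs the ESTABLISHED,RELATED accepts in INPUT and FORWARD only when the flag is set), so a one-line comment above the `unless` stating that stoppedrules forces ADMINISABSENTMINDED=Yes is warranted, with the caveat that the override presumably fires only once the file has at least one entry — confirm that against first_entry's contract, since an existing but empty stoppedrules file would then leave the setting untouched. Also `first_entry sub() {` declares an empty prototype on the anonymous sub; the conventional form is `first_entry sub {`. process_stoppedrules begins and ends outside this hunk.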
@ -2526,9 +2532,9 @@ EOF
|
||||
"restore_default_route $config{USE_DEFAULT_RT}"
|
||||
);
|
||||
|
||||
my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
|
||||
|
||||
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for @chains;
|
||||
if ( $config{ADMINISABSENTMINDED} ) {
|
||||
add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
|
||||
}
|
||||
|
||||
if ( $family == F_IPV6 ) {
|
||||
add_ijump $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
|
||||
|
@ -9,9 +9,9 @@
|
||||
######################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#?SECTION ALL
|
||||
#?SECTION ESTABLISHED
|
||||
#?SECTION RELATED
|
||||
#?SECTION INVALID
|
||||
#?SECTION UNTRACKED
|
||||
?SECTION NEW
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
#SECTION INVALID
|
||||
#SECTION UNTRACKED
|
||||
SECTION NEW
|
||||
|
@ -120,7 +120,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>notrack</term>
|
||||
<term><emphasis role="bold">notrack</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>The traffic will be exempted from connection
|
||||
@ -128,6 +128,13 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<note>
|
||||
<para>The <emphasis role="bold">source</emphasis> and <emphasis
|
||||
role="bold">dest</emphasis> options work best when used in
|
||||
conjunction with ADMINISABSENTMINDED=Yes in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -283,15 +283,48 @@
|
||||
|
||||
<listitem>
|
||||
<para>The value of this variable affects Shorewall's stopped state.
|
||||
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
|
||||
listed in <ulink
|
||||
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||
is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
|
||||
in addition to traffic to/from addresses in <ulink
|
||||
url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
|
||||
connections that were active when Shorewall stopped continue to work
|
||||
and all new connections from the firewall system itself are allowed.
|
||||
If this variable is not set or is given the empty value then
|
||||
The behavior differs depending on whether <ulink
|
||||
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
||||
or <ulink
|
||||
url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
|
||||
is used:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>routestopped</term>
|
||||
|
||||
<listitem>
|
||||
<para>When ADMINISABSENTMINDED=No, only traffic to/from those
|
||||
addresses listed in <filename>routestopped</filename> is
|
||||
accepted when Shorewall is stopped. When
|
||||
ADMINISABSENTMINDED=Yes, in addition to traffic to/from
|
||||
addresses in <filename>routestopped</filename>, connections
|
||||
that were active when Shorewall stopped continue to work and
|
||||
all new connections from the firewall system itself are
|
||||
allowed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>stoppedrules</term>
|
||||
|
||||
<listitem>
|
||||
<para>If ADMINISABSENTMINDED=No, a warning message is issued
|
||||
and the setting is ignored.</para>
|
||||
|
||||
<para>In addition to connections matching entries in
|
||||
<filename>stoppedrules</filename>, existing connections
|
||||
continue to work and all new connections from the firewall
|
||||
system itself are allowed. To sever all existing connections
|
||||
when the firewall is stopped, install the conntrack utility
|
||||
and place the command <command>conntrack -F</command> in the
|
||||
stopped user exit
|
||||
(<filename>/etc/shorewall/stopped</filename>).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para> If this variable is not set or is given the empty value then
|
||||
ADMINISABSENTMINDED=No is assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
@ -116,30 +116,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">critical</emphasis></term>
|
||||
<term><emphasis role="bold">notrack</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Allow traffic between the firewall and these hosts
|
||||
throughout '[re]start', 'stop' and 'clear'. Specifying
|
||||
<emphasis role="bold">critical</emphasis> on one or more
|
||||
entries will cause your firewall to be "totally open" for a
|
||||
brief window during each of those operations. Examples of
|
||||
where you might want to use this are:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>'Ping' nodes with heartbeat.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>LDAP server(s) if you use LDAP Authentication</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>NFS Server if you have an NFS-mounted root
|
||||
filesystem.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<para>The traffic will be exempted from connection
|
||||
tracking.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@ -218,18 +218,50 @@
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>The value of this variable affects Shorewall6's stopped state.
|
||||
When ADMINISABSENTMINDED=No, only traffic to/from those addresses
|
||||
listed in <ulink
|
||||
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||
is accepted when Shorewall6 is stopped. When
|
||||
ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in
|
||||
<ulink
|
||||
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5),
|
||||
connections that were active when Shorewall6 stopped continue to
|
||||
work and all new connections from the firewall system itself are
|
||||
allowed. If this variable is not set or is given the empty value
|
||||
then ADMINISABSENTMINDED=No is assumed.</para>
|
||||
<para>The value of this variable affects Shorewall's stopped state.
|
||||
The behavior differs depending on whether <ulink
|
||||
url="shorewall-routestopped.html">shorewall6-routestopped</ulink>(5)
|
||||
or <ulink
|
||||
url="shorewall-stoppedrules.html">shorewall6-stoppedrules</ulink>(5)
|
||||
is used:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>routestopped</term>
|
||||
|
||||
<listitem>
|
||||
<para>When ADMINISABSENTMINDED=No, only traffic to/from those
|
||||
addresses listed in <filename>routestopped</filename> is
|
||||
accepted when Shorewall is stopped. When
|
||||
ADMINISABSENTMINDED=Yes, in addition to traffic to/from
|
||||
addresses in <filename>routestopped</filename>, connections
|
||||
that were active when Shorewall stopped continue to work and
|
||||
all new connections from the firewall system itself are
|
||||
allowed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>stoppedrules</term>
|
||||
|
||||
<listitem>
|
||||
<para>If ADMINISABSENTMINDED=No, a warning message is issued
|
||||
and the setting is ignored.</para>
|
||||
|
||||
<para>In addition to connections matching entries in
|
||||
<filename>stoppedrules</filename>, existing connections
|
||||
continue to work and all new connections from the firewall
|
||||
system itself are allowed. To sever all existing connections
|
||||
when the firewall is stopped, install the conntrack utility
|
||||
and place the command <command>conntrack -F</command> in the
|
||||
stopped user exit
|
||||
(<filename>/etc/shorewall6/stopped</filename>).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>If this variable is not set or is given the empty value then
|
||||
ADMINISABSENTMINDED=No is assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -515,15 +515,16 @@ root@lists:~# </programlisting>
|
||||
|
||||
<para>If you wish to enable connections from the Internet to your firewall
|
||||
and you find an appropriate macro in
|
||||
<filename>/etc/shorewall/macro.*</filename>, the general format of a rule
|
||||
in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
<filename>/usr/share/shorewall/macro.*</filename>, the general format of a
|
||||
rule in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
<<emphasis>macro</emphasis>>(ACCEPT) net $FW</programlisting>
|
||||
|
||||
<important>
|
||||
<para>Be sure to add your rules after the line that reads <emphasis
|
||||
role="bold">SECTION NEW.</emphasis></para>
|
||||
role="bold">SECTION NEW</emphasis> (?SECTION NEW in Shorewall 4.6.0 and
|
||||
later).</para>
|
||||
</important>
|
||||
|
||||
<example id="Example1">
|
||||
@ -605,19 +606,34 @@ SSH(ACCEPT) net $FW </programlisting>
|
||||
<quote><command>shorewall stop</command></quote>. When the firewall is
|
||||
stopped, routing is enabled on those hosts that have an entry in
|
||||
<filename><ulink
|
||||
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
|
||||
A running firewall may be restarted using the <quote><command>shorewall
|
||||
restart</command></quote> command. If you want to totally remove any trace
|
||||
of Shorewall from your Netfilter configuration, use
|
||||
<quote><command>shorewall clear</command></quote>.</para>
|
||||
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
|
||||
(<filename><ulink
|
||||
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>
|
||||
in Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
||||
the <quote><command>shorewall restart</command></quote> command. If you
|
||||
want to totally remove any trace of Shorewall from your Netfilter
|
||||
configuration, use <quote><command>shorewall
|
||||
clear</command></quote>.</para>
|
||||
|
||||
<warning>
|
||||
<para>If you are connected to your firewall from the Internet, do not
|
||||
issue a <quote><command>shorewall stop</command></quote> command unless
|
||||
you have added an entry for the IP address that you are connected from
|
||||
to <ulink
|
||||
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
|
||||
Also, I don't recommend using <quote><command>shorewall
|
||||
you have either:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Used ADMINISABSENTMINDED=Yes in
|
||||
<filename>/etc/shorewall/shorewall.conf</filename> or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>added an entry for the IP address that you are connected from
|
||||
to <ulink
|
||||
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Also, I don't recommend using <quote><command>shorewall
|
||||
restart</command></quote>; it is better to create an <emphasis><ulink
|
||||
url="configuration_file_basics.htm#Configs">alternate
|
||||
configuration</ulink></emphasis> and test it using the <ulink
|
||||
|
@ -193,7 +193,6 @@
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/masq
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/routestopped
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
|
||||
/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
|
||||
~#</programlisting>
|
||||
@ -954,8 +953,8 @@ DNS(ACCEPT) $FW dmz:10.10.11.1 </programlisting></para>
|
||||
a <emphasis>defined macro</emphasis>. Shorewall includes a number of
|
||||
defined macros and <ulink url="Macros.html">you can add your own</ulink>.
|
||||
To see the list of macros included with your version of Shorewall, run the
|
||||
command <command>ls
|
||||
<filename>/usr/share/shorewall/macro.*</filename></command>.</para>
|
||||
command <command>shorewall show
|
||||
<filename>macros</filename></command>.</para>
|
||||
|
||||
<para>You don't have to use defined macros when coding a rule in
|
||||
<filename>/etc/shorewall/rules</filename>. The first example above (name
|
||||
@ -1128,12 +1127,14 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
<para>The firewall is started using the <command>shorewall start</command>
|
||||
command and stopped using <command>shorewall stop</command>. When the
|
||||
firewall is stopped, routing is enabled on those hosts that have an entry
|
||||
in <ulink
|
||||
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
|
||||
A running firewall may be restarted using the <command>shorewall
|
||||
restart</command> command. If you want to totally remove any trace of
|
||||
Shorewall from your Netfilter configuration, use <command>shorewall
|
||||
clear</command>.</para>
|
||||
in <filename><ulink
|
||||
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>
|
||||
(<ulink
|
||||
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>
|
||||
on Shorewall 4.5.7 and earlier). A running firewall may be restarted using
|
||||
the <command>shorewall restart</command> command. If you want to totally
|
||||
remove any trace of Shorewall from your Netfilter configuration, use
|
||||
<command>shorewall clear</command>.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
@ -1144,16 +1145,26 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
DMZ or if you want to enable a different set of hosts, modify
|
||||
<filename>/etc/shorewall/routestopped</filename> accordingly. <warning>
|
||||
<para>If you are connected to your firewall from the Internet, do not
|
||||
issue a <command>shorewall stop</command> command unless you have
|
||||
added an entry for the IP address that you are connected from to
|
||||
<ulink
|
||||
url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
|
||||
Also, I don't recommend using <command>shorewall restart</command>; it
|
||||
is better to create an <ulink
|
||||
url="configuration_file_basics.htm#Levels">alternate
|
||||
configuration</ulink> and test it using the <ulink
|
||||
url="starting_and_stopping_shorewall.htm"><command>shorewall
|
||||
try</command> command</ulink>.</para>
|
||||
issue a <quote><command>shorewall stop</command></quote> command
|
||||
unless you have either:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Used ADMINISABSENTMINDED=Yes in
|
||||
<filename>/etc/shorewall/shorewall.conf</filename>; or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>added an entry for the <acronym>IP</acronym> address that
|
||||
you are connected from to <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Also, I don't recommend using <quote><command>shorewall
|
||||
restart</command></quote>; it is better to create an alternate
|
||||
configuration and test it using the <quote><command>shorewall
|
||||
try</command></quote> command.</para>
|
||||
</warning></para>
|
||||
|
||||
<para>The firewall will start after your network interfaces have been
|
||||
|
@ -171,7 +171,6 @@
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/routestopped
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
|
||||
/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
|
||||
~#</programlisting>
|
||||
@ -203,8 +202,9 @@
|
||||
|
||||
<para>If you install using the .deb, you will find that your
|
||||
<filename class="directory">/etc/shorewall</filename> directory
|
||||
is empty. This is intentional. The released configuration file
|
||||
skeletons may be found on your system in the directory <filename
|
||||
is practially empty. This is intentional. The released
|
||||
configuration file skeletons may be found on your system in the
|
||||
directory <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the
|
||||
@ -910,8 +910,8 @@ DNS(ACCEPT) $FW net</programlisting>This rule allows
|
||||
|
||||
<para>In the rule shown above, <quote>DNS</quote>(ACCEPT)is an example of
|
||||
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
|
||||
macros (see <filename>/usr/share/shorewall/macro.*</filename>) and <ulink
|
||||
url="Macros.html">you can add your own</ulink>.</para>
|
||||
macros (command <emphasis role="bold">shorewall show macros</emphasis>)
|
||||
and <ulink url="Macros.html">you can add your own</ulink>.</para>
|
||||
|
||||
<para>You don't have to use defined macros when coding a rule in
|
||||
<filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
|
||||
@ -1046,7 +1046,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
<quote><command>shorewall stop</command></quote>. When the firewall is
|
||||
stopped, routing is enabled on those hosts that have an entry in <filename
|
||||
class="directory">/etc/shorewall/</filename><filename><ulink
|
||||
url="manpages/shorewall-routestopped.html">routestopped</ulink></filename>.
|
||||
url="manpages/shorewall-routestopped.html">routestopped</ulink></filename>
|
||||
(Shorewall 4.5.7 and earlier) or in<filename> <ulink
|
||||
url="manpages/shorewall-stoppedrules.html">/etc/shorewall/stoppedrules</ulink></filename>.
|
||||
A running firewall may be restarted using the <quote><command>shorewall
|
||||
restart</command></quote> command. If you want to totally remove any trace
|
||||
of Shorewall from your Netfilter configuration, use
|
||||
@ -1063,10 +1065,22 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
accordingly. <warning>
|
||||
<para>If you are connected to your firewall from the Internet, do not
|
||||
issue a <quote><command>shorewall stop</command></quote> command
|
||||
unless you have added an entry for the <acronym>IP</acronym> address
|
||||
that you are connected from to <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.
|
||||
Also, I don't recommend using <quote><command>shorewall
|
||||
unless you have either:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Used ADMINISABSENTMINDED=Yes in
|
||||
<filename>/etc/shorewall/shorewall.conf</filename>; or</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>added an entry for the <acronym>IP</acronym> address that
|
||||
you are connected from to <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para> Also, I don't recommend using <quote><command>shorewall
|
||||
restart</command></quote>; it is better to create an alternate
|
||||
configuration and test it using the <quote><command>shorewall
|
||||
try</command></quote> command.</para>
|
||||
|