Correct VLSM (56->60) in the Shared Config Document

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2017-07-09 16:17:16 -07:00
parent 4e978b687d
commit d2b3fa476a
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10


@ -43,6 +43,12 @@
While Shorewall also separates the address families in this way, it is While Shorewall also separates the address families in this way, it is
possible for Shorewall and Shorewall6 to share almost all of the possible for Shorewall and Shorewall6 to share almost all of the
configuration files. This article gives an example.</para> configuration files. This article gives an example.</para>
<caution>
<para>What is shown here currently works best with Debian and
derivatives, or when the tarball installer is used and the SPARSE option
is enabled when running configure[.pl].</para>
</caution>
</section> </section>
<section> <section>
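Review bot: the new caution says the setup "works best" on Debian derivatives or SPARSE tarball installs but never says what goes wrong elsewhere, so a reader on another distribution cannot tell whether they are affected. State the concrete condition (presumably whether the package drops a full set of default files into /etc/shorewall6 that this layout expects to be read from /etc/shorewall instead), and spell the option as SPARSE=Yes to match the wording used later in the same article.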
@ -66,14 +72,38 @@
<para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para> <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
<programlisting>root@gateway:/etc# ls shorewall shorewall6 <programlisting>root@gateway:/etc# ls -l shorewall shorewall6
shorewall: shorewall:
action.Mirrors conntrack interfaces mangle params providers rtrules shorewall.conf started zones total 88
actions hosts isusable mirrors policy proxyarp rules snat tunnels -rw-r--r-- 1 root root 201 Mar 19 08:43 action.Mirrors
-rw-r--r-- 1 root root 109 Jun 29 15:13 actions
-rw-r--r-- 1 root root 655 Jun 29 15:13 conntrack
-rw-r--r-- 1 root root 107 Jul 1 10:40 hosts
-rw-r--r-- 1 root root 867 Jul 1 10:50 interfaces
-rw-r--r-- 1 root root 107 Jun 29 15:14 isusable
-rw-r--r-- 1 root root 497 Jul 1 10:42 mangle
-rw-r--r-- 1 root root 7 Jul 6 09:24 masq
-rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
-rw-r--r-- 1 root root 2650 Jul 2 08:05 params
-rw-r--r-- 1 root root 645 Jun 28 10:04 policy
-rw-r--r-- 1 root root 1828 Jul 1 15:43 providers
-rw-r--r-- 1 root root 398 Mar 18 20:18 proxyarp
-rw-r--r-- 1 root root 702 Jul 1 10:42 rtrules
-rw-r--r-- 1 root root 6214 Jul 2 08:45 rules
lrwxrwxrwx 1 root root 29 Jul 6 12:42 shorewall6.conf -&gt; ../shorewall6/shorewall6.conf
-rw-r--r-- 1 root root 5571 Jun 25 18:09 shorewall.conf
-rw-r--r-- 1 root root 1084 Jul 1 10:42 snat
-rw-r--r-- 1 root root 181 Jun 29 15:12 started
-rw-r--r-- 1 root root 437 Jun 28 10:45 tunnels
-rw-r--r-- 1 root root 928 Jun 29 08:25 zones
shorewall6: shorewall6:
shorewall6.conf total 12
root@gateway:/etc#</programlisting> -rw------- 1 root root 954 Jul 6 12:48 conntrack
lrwxrwxrwx 1 root root 20 Jul 6 16:35 mirrors -&gt; ../shorewall/mirrors
lrwxrwxrwx 1 root root 19 Jul 6 12:48 params -&gt; ../shorewall/params
-rw-r--r-- 1 root root 5328 Jul 6 12:45 shorewall6.conf
root@gateway:/etc# </programlisting>
<para>The various configuration files are described in the sections that <para>The various configuration files are described in the sections that
follow. Note that in all cases, these files use the <ulink follow. Note that in all cases, these files use the <ulink
@ -87,11 +117,15 @@ root@gateway:/etc#</programlisting>
address families. The key setting is CONFIG_PATH in address families. The key setting is CONFIG_PATH in
shorewall6.conf:</para> shorewall6.conf:</para>
<programlisting>CONFIG_PATH="${CONFDIR}/shorewall6:<emphasis role="bold">${CONFDIR}/shorewall:</emphasis>/usr/share/shorewall6:${SHAREDIR}/shorewall"A</programlisting> <programlisting>CONFIG_PATH="<emphasis role="bold">${CONFDIR}/shorewall:</emphasis>/usr/share/shorewall6:${SHAREDIR}/shorewall"</programlisting>
<para>Any Shorewall6 configuration file not found in <para><filename>/etc/shorewall6/</filename> is only used for processing
/etc/shorewall/shorewall6/ will be searched for in the <filename>params</filename> and <filename>shorewall6.conf</filename>
/etc/shorewall/.</para> files. <filename>/etc/shorewall6/conntrack</filename> is installed when
SPARSE=Yes, but is not used.</para>
<para>The /etc/shorewall/shorewall6.conf symbolic link is required once
the above CONFIG_PATH setting is in effect.</para>
<section> <section>
<title>shorewall.conf</title> <title>shorewall.conf</title>
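Review bot: the new paragraph says the /etc/shorewall/shorewall6.conf symlink is required once ${CONFDIR}/shorewall6 is dropped from CONFIG_PATH, but not why, so a reader who removes the link gets no hint of what breaks. Say explicitly that (presumably) the compiler now locates shorewall6.conf through CONFIG_PATH, whose first entry is ${CONFDIR}/shorewall, so the link is what lets it find the IPv6 product file. The sentence that /etc/shorewall6/ "is only used for processing params and shorewall6.conf" also leaves the mirrors symlink shown in the listing above unexplained; reconcile the two.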
@ -309,7 +343,7 @@ UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall" CONFIG_PATH="${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE GEOIPDIR=/usr/share/xt_geoip/LE
IP6TABLES= IP6TABLES=
IP= IP=
@ -427,12 +461,12 @@ ZONE_BITS=0
<para>Because addresses and interfaces are different between the two <para>Because addresses and interfaces are different between the two
address families, they cannot be hard-coded in the configuration files. address families, they cannot be hard-coded in the configuration files.
/etc/shorewall/params is used to set shell variables whose contents will <filename>/etc/shorewall/params</filename> is used to set shell
vary between Shorewall and Shorewall6. In the params file and in variables whose contents will vary between Shorewall and Shorewall6. In
run-time extension files, the shell variable <emphasis the <filename>params</filename> file and in run-time extension files,
role="bold">g_family</emphasis> can be used to determine which address the shell variable <emphasis role="bold">g_family</emphasis> can be used
family to use; if IPv4, then $g_family will expand to 4 and if IPv6, to determine which address family to use; if IPv4, then $g_family will
$g_family will expand to 6.</para> expand to 4 and if IPv6, $g_family will expand to 6.</para>
<para>The contents of /etc/shorewall/params is as follows:</para> <para>The contents of /etc/shorewall/params is as follows:</para>
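Review bot: the unchanged line after the rewritten paragraph still writes /etc/shorewall/params as bare text and reads "The contents of /etc/shorewall/params is as follows"; wrap the path in <filename> for consistency with the lines just changed and make it "are" (contents is plural).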
@ -474,7 +508,7 @@ else
LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net (MX and HTTPS) LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net (MX and HTTPS)
MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net (IMAPS and HTTPS) MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net (IMAPS and HTTPS)
SERVER=[2001:470:b:227::43] # IP address of www.shorewall.org (HTTP, FTP and RSYNC) SERVER=[2001:470:b:227::43] # IP address of www.shorewall.org (HTTP, FTP and RSYNC)
PROXY=Yes # Use TPROXY for local web access PROXY=
ALL=[::]/0 # Entire address space ALL=[::]/0 # Entire address space
LOC_ADDR=[2601:601:8b00:bf0::1] # IP address of the local LAN interface LOC_ADDR=[2601:601:8b00:bf0::1] # IP address of the local LAN interface
FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf # Default gateway through the IF_FAST interface FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf # Default gateway through the IF_FAST interface
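Review bot: changing the IPv6 branch from PROXY=Yes to an empty PROXY= and dropping its comment is not a VLSM correction and is not mentioned in the commit message. If TPROXY for local web access is now intentionally off for IPv6, keep a comment saying so (for example `PROXY=   # No TPROXY for IPv6`), note it in the commit message, and check that the Tproxy provider still visible in the providers excerpt (`Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }`) is conditioned on the same variable, so the document does not define a provider it never routes to.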
@ -646,7 +680,7 @@ Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
?else ?else
{ SOURCE=2001:470:A:227::/64, PROVIDER=HE, PRIORITY=1000! } { SOURCE=2001:470:A:227::/64, PROVIDER=HE, PRIORITY=1000! }
{ SOURCE=2001:470:B:227::/64, PROVIDER=HE, PRIORITY=11000 } { SOURCE=2001:470:B:227::/64, PROVIDER=HE, PRIORITY=11000 }
{ SOURCE=2601:601:8b00:bf0::/56 PROVIDER=IPv6Fast, PRIORITY=11000 } { SOURCE=2601:601:8b00:bf0::/60 PROVIDER=IPv6Fast, PRIORITY=11000 }
?endif ?endif
</programlisting> </programlisting>
</section> </section>
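Review bot: the /56 to /60 correction is right as far as alignment goes (2601:601:8b00:bf0::/60 is a valid prefix because the low nibble of bf0 is zero, whereas /56 would need the low byte to be zero and f0 is not), but the changed line still has no comma between SOURCE=2601:601:8b00:bf0::/60 and PROVIDER=IPv6Fast, unlike the two HE lines above it, which separate every pair with a comma. Add the comma while the line is being touched so the example parses the same way as its neighbours.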
@ -885,7 +919,7 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, COMMENT="Masquerade Local Network" } SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, COMMENT="Masquerade Local Network" }
SNAT(172.20.1.253) { SOURCE=172.20.3.0/24, DEST=LOC_IF:172.20.1.100 } SNAT(172.20.1.253) { SOURCE=172.20.3.0/24, DEST=LOC_IF:172.20.1.100 }
?else ?else
SNAT(&amp;PROD_IF) { SOURCE=2601:601:8b00:bf0::56, DEST=PROD_IF } SNAT(&amp;PROD_IF) { SOURCE=2601:601:8b00:bf0::/60, DEST=PROD_IF }
SNAT(&amp;FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, DEST=FAST_IF } SNAT(&amp;FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, DEST=FAST_IF }
?endif ?endif
</programlisting> </programlisting>
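Review bot: the old value 2601:601:8b00:bf0::56 was a single host address (no slash), not a /56 prefix, so this hunk fixes a missing prefix length as well as the VLSM; say so in the commit message, since "56->60" understates the change. More importantly, the same /60 is now hard-coded in both snat and rtrules even though the params section of this article says IPv6 addresses are supposed to come from shell variables in /etc/shorewall/params; define it there once (something like LOC_NET next to LOC_ADDR) and reference the variable in both files so the next renumbering does not have to touch two places.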