Correct VLSM (56->60) in the Shared Config Document
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
4e978b687d
commit
d2b3fa476a
@ -43,6 +43,12 @@
|
|||||||
While Shorewall also separates the address families in this way, it is
|
While Shorewall also separates the address families in this way, it is
|
||||||
possible for Shorewall and Shorewall6 to share almost all of the
|
possible for Shorewall and Shorewall6 to share almost all of the
|
||||||
configuration files. This article gives an example.</para>
|
configuration files. This article gives an example.</para>
|
||||||
|
|
||||||
|
<caution>
|
||||||
|
<para>What is shown here currently works best with Debian and
|
||||||
|
derivatives, or when the tarball installer is used and the SPARSE option
|
||||||
|
is enabled when running configure[.pl].</para>
|
||||||
|
</caution>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -66,14 +72,38 @@
|
|||||||
|
|
||||||
<para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
|
<para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
|
||||||
|
|
||||||
<programlisting>root@gateway:/etc# ls shorewall shorewall6
|
<programlisting>root@gateway:/etc# ls -l shorewall shorewall6
|
||||||
shorewall:
|
shorewall:
|
||||||
action.Mirrors conntrack interfaces mangle params providers rtrules shorewall.conf started zones
|
total 88
|
||||||
actions hosts isusable mirrors policy proxyarp rules snat tunnels
|
-rw-r--r-- 1 root root 201 Mar 19 08:43 action.Mirrors
|
||||||
|
-rw-r--r-- 1 root root 109 Jun 29 15:13 actions
|
||||||
|
-rw-r--r-- 1 root root 655 Jun 29 15:13 conntrack
|
||||||
|
-rw-r--r-- 1 root root 107 Jul 1 10:40 hosts
|
||||||
|
-rw-r--r-- 1 root root 867 Jul 1 10:50 interfaces
|
||||||
|
-rw-r--r-- 1 root root 107 Jun 29 15:14 isusable
|
||||||
|
-rw-r--r-- 1 root root 497 Jul 1 10:42 mangle
|
||||||
|
-rw-r--r-- 1 root root 7 Jul 6 09:24 masq
|
||||||
|
-rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
|
||||||
|
-rw-r--r-- 1 root root 2650 Jul 2 08:05 params
|
||||||
|
-rw-r--r-- 1 root root 645 Jun 28 10:04 policy
|
||||||
|
-rw-r--r-- 1 root root 1828 Jul 1 15:43 providers
|
||||||
|
-rw-r--r-- 1 root root 398 Mar 18 20:18 proxyarp
|
||||||
|
-rw-r--r-- 1 root root 702 Jul 1 10:42 rtrules
|
||||||
|
-rw-r--r-- 1 root root 6214 Jul 2 08:45 rules
|
||||||
|
lrwxrwxrwx 1 root root 29 Jul 6 12:42 shorewall6.conf -> ../shorewall6/shorewall6.conf
|
||||||
|
-rw-r--r-- 1 root root 5571 Jun 25 18:09 shorewall.conf
|
||||||
|
-rw-r--r-- 1 root root 1084 Jul 1 10:42 snat
|
||||||
|
-rw-r--r-- 1 root root 181 Jun 29 15:12 started
|
||||||
|
-rw-r--r-- 1 root root 437 Jun 28 10:45 tunnels
|
||||||
|
-rw-r--r-- 1 root root 928 Jun 29 08:25 zones
|
||||||
|
|
||||||
shorewall6:
|
shorewall6:
|
||||||
shorewall6.conf
|
total 12
|
||||||
root@gateway:/etc#</programlisting>
|
-rw------- 1 root root 954 Jul 6 12:48 conntrack
|
||||||
|
lrwxrwxrwx 1 root root 20 Jul 6 16:35 mirrors -> ../shorewall/mirrors
|
||||||
|
lrwxrwxrwx 1 root root 19 Jul 6 12:48 params -> ../shorewall/params
|
||||||
|
-rw-r--r-- 1 root root 5328 Jul 6 12:45 shorewall6.conf
|
||||||
|
root@gateway:/etc# </programlisting>
|
||||||
|
|
||||||
<para>The various configuration files are described in the sections that
|
<para>The various configuration files are described in the sections that
|
||||||
follow. Note that in all cases, these files use the <ulink
|
follow. Note that in all cases, these files use the <ulink
|
||||||
@ -87,11 +117,15 @@ root@gateway:/etc#</programlisting>
|
|||||||
address families. The key setting is CONFIG_PATH in
|
address families. The key setting is CONFIG_PATH in
|
||||||
shorewall6.conf:</para>
|
shorewall6.conf:</para>
|
||||||
|
|
||||||
<programlisting>CONFIG_PATH="${CONFDIR}/shorewall6:<emphasis role="bold">${CONFDIR}/shorewall:</emphasis>/usr/share/shorewall6:${SHAREDIR}/shorewall"A</programlisting>
|
<programlisting>CONFIG_PATH="<emphasis role="bold">${CONFDIR}/shorewall:</emphasis>/usr/share/shorewall6:${SHAREDIR}/shorewall"</programlisting>
|
||||||
|
|
||||||
<para>Any Shorewall6 configuration file not found in
|
<para><filename>/etc/shorewall6/</filename> is only used for processing
|
||||||
/etc/shorewall/shorewall6/ will be searched for in
|
the <filename>params</filename> and <filename>shorewall6.conf</filename>
|
||||||
/etc/shorewall/.</para>
|
files. <filename>/etc/shorewall6/conntrack</filename> is installed when
|
||||||
|
SPARSE=Yes, but is not used.</para>
|
||||||
|
|
||||||
|
<para>The /etc/shorewall/shorewall6.conf symbolic link is required once
|
||||||
|
the above CONFIG_PATH setting is in effect.</para>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>shorewall.conf</title>
|
<title>shorewall.conf</title>
|
||||||
@ -309,7 +343,7 @@ UNTRACKED_LOG_LEVEL=
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||||
###############################################################################
|
###############################################################################
|
||||||
CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
|
CONFIG_PATH="${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
|
||||||
GEOIPDIR=/usr/share/xt_geoip/LE
|
GEOIPDIR=/usr/share/xt_geoip/LE
|
||||||
IP6TABLES=
|
IP6TABLES=
|
||||||
IP=
|
IP=
|
||||||
@ -427,12 +461,12 @@ ZONE_BITS=0
|
|||||||
|
|
||||||
<para>Because addresses and interfaces are different between the two
|
<para>Because addresses and interfaces are different between the two
|
||||||
address families, they cannot be hard-coded in the configuration files.
|
address families, they cannot be hard-coded in the configuration files.
|
||||||
/etc/shorewall/params is used to set shell variables whose contents will
|
<filename>/etc/shorewall/params</filename> is used to set shell
|
||||||
vary between Shorewall and Shorewall6. In the params file and in
|
variables whose contents will vary between Shorewall and Shorewall6. In
|
||||||
run-time extension files, the shell variable <emphasis
|
the <filename>params</filename> file and in run-time extension files,
|
||||||
role="bold">g_family</emphasis> can be used to determine which address
|
the shell variable <emphasis role="bold">g_family</emphasis> can be used
|
||||||
family to use; if IPv4, then $g_family will expand to 4 and if IPv6,
|
to determine which address family to use; if IPv4, then $g_family will
|
||||||
$g_family will expand to 6.</para>
|
expand to 4 and if IPv6, $g_family will expand to 6.</para>
|
||||||
|
|
||||||
<para>The contents of /etc/shorewall/params is as follows:</para>
|
<para>The contents of /etc/shorewall/params is as follows:</para>
|
||||||
|
|
||||||
@ -474,7 +508,7 @@ else
|
|||||||
LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net (MX and HTTPS)
|
LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net (MX and HTTPS)
|
||||||
MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net (IMAPS and HTTPS)
|
MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net (IMAPS and HTTPS)
|
||||||
SERVER=[2001:470:b:227::43] # IP address of www.shorewall.org (HTTP, FTP and RSYNC)
|
SERVER=[2001:470:b:227::43] # IP address of www.shorewall.org (HTTP, FTP and RSYNC)
|
||||||
PROXY=Yes # Use TPROXY for local web access
|
PROXY=
|
||||||
ALL=[::]/0 # Entire address space
|
ALL=[::]/0 # Entire address space
|
||||||
LOC_ADDR=[2601:601:8b00:bf0::1] # IP address of the local LAN interface
|
LOC_ADDR=[2601:601:8b00:bf0::1] # IP address of the local LAN interface
|
||||||
FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf # Default gateway through the IF_FAST interface
|
FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf # Default gateway through the IF_FAST interface
|
||||||
@ -646,7 +680,7 @@ Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
|
|||||||
?else
|
?else
|
||||||
{ SOURCE=2001:470:A:227::/64, PROVIDER=HE, PRIORITY=1000! }
|
{ SOURCE=2001:470:A:227::/64, PROVIDER=HE, PRIORITY=1000! }
|
||||||
{ SOURCE=2001:470:B:227::/64, PROVIDER=HE, PRIORITY=11000 }
|
{ SOURCE=2001:470:B:227::/64, PROVIDER=HE, PRIORITY=11000 }
|
||||||
{ SOURCE=2601:601:8b00:bf0::/56 PROVIDER=IPv6Fast, PRIORITY=11000 }
|
{ SOURCE=2601:601:8b00:bf0::/60 PROVIDER=IPv6Fast, PRIORITY=11000 }
|
||||||
?endif
|
?endif
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</section>
|
</section>
|
||||||
@ -885,7 +919,7 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
|
|||||||
SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, COMMENT="Masquerade Local Network" }
|
SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, COMMENT="Masquerade Local Network" }
|
||||||
SNAT(172.20.1.253) { SOURCE=172.20.3.0/24, DEST=LOC_IF:172.20.1.100 }
|
SNAT(172.20.1.253) { SOURCE=172.20.3.0/24, DEST=LOC_IF:172.20.1.100 }
|
||||||
?else
|
?else
|
||||||
SNAT(&PROD_IF) { SOURCE=2601:601:8b00:bf0::56, DEST=PROD_IF }
|
SNAT(&PROD_IF) { SOURCE=2601:601:8b00:bf0::/60, DEST=PROD_IF }
|
||||||
SNAT(&FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, DEST=FAST_IF }
|
SNAT(&FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, DEST=FAST_IF }
|
||||||
?endif
|
?endif
|
||||||
</programlisting>
|
</programlisting>
|
||||||
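Review bot: The corrected rtrules entry `{ SOURCE=2601:601:8b00:bf0::/60 PROVIDER=IPv6Fast, PRIORITY=11000 }` still has no comma between the SOURCE and PROVIDER pairs, while the two HE entries directly above it separate every pair with a comma; since the commit already rewrites this line, it should read `{ SOURCE=2601:601:8b00:bf0::/60, PROVIDER=IPv6Fast, PRIORITY=11000 }`. Whether Shorewall's brace syntax tolerates whitespace-only separation cannot be confirmed from this page, but an example document should not rely on it. The matching snat entry `SNAT(&PROD_IF) { SOURCE=2601:601:8b00:bf0::/60, DEST=PROD_IF }` is consistent and needs no change. Separately, in the params hunk `PROXY=Yes # Use TPROXY for local web access` becomes a bare `PROXY=`, dropping the only explanation of what the variable controls; keeping the comment, `PROXY= # Set to Yes to use TPROXY for local web access`, preserves that for readers of the shared example.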