From d2bb96be886bcc5cf4a788acc8347133610ec0ad Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 16 Jul 2010 16:41:07 -0700 Subject: [PATCH] Emphasize that you must have a Nic to post on the Shorewall channel --- docs/support.xml | 4 +- manpages/shorewall-rules.xml | 101 +++++++++++++++++++++++++---------- 2 files changed, 77 insertions(+), 28 deletions(-) diff --git a/docs/support.xml b/docs/support.xml index 17beea894..56f0e8ddb 100644 --- a/docs/support.xml +++ b/docs/support.xml @@ -428,7 +428,9 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006) below). For quick questions, there is also - a #shorewall channel at irc.freenode.net. + a #shorewall channel at irc.freenode.net. You must + have a registered Nic on freenode in order to post on the + channel.
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index 449bca47a..77ad871f5 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -130,33 +130,16 @@ - ACTION - {ACCEPT[|]|NONAT|DROP[]|REJECT[]|DNAT[-]|REDIRECT[-]|CONTINUE[]|LOG|QUEUE[]|NFQUEUE[!]|COUNT[(queuenumber)]|COMMENT|action|macro[(target)]}[:{log-level|ACTION - target[:{log-level|none}[!][:tag]] Specifies the action to be taken if the connection request - matches the rule. Must be one of the following. + matches the rule. target must be one of + the following. @@ -340,7 +323,7 @@ - NFQUEUE + NFQUEUE[(queuenumber)] Queues the packet to a user-space application using the @@ -351,7 +334,8 @@ - NFQUEUE! + NFQUEUE![(queuenumber)] like NFQUEUE but exempts the rule from being suppressed @@ -394,7 +378,8 @@ - macro + macro[(macrotarget)] The name of a macro defined in a file named @@ -402,7 +387,7 @@ action parameter (Look at the macro source to see if it has PARAM in the TARGET column) then the macro name is followed by the - parenthesized target (macrotarget (ACCEPT, DROP, REJECT, ...) to be substituted for the 
@@ -415,9 +400,30 @@ deprecated. + + + TRIGGER(trigger[:direction]) + + + Added in Shorewall 4.4.12. Causes either the SOURCE or + DESTINATION address of the connection to be added to the named + trigger. By default, the SOURCE + address is added to the trigger but if + direction is + (e.g., trig:d) then the DESTINATION address is added. See the + TRIGGER column below. + + When a TRIGGER rule is placed in the NEW section, the + SOURCE is added to the trigger at the time of the connection. + If it is placed in the ESTABLISHED section, each packet that + matches the rule causes the trigger time of the address + (SOURCE or DEST) to be set to the current time. + + - The ACTION may optionally be + The target may optionally be followed by ":" and a syslog log level (e.g, REJECT:info or Web(ACCEPT):debug). This causes the packet to be logged at the specified level. Note that if the + + + TRIGGER - + trigger[:[seconds][:[direction]]] + + + Added in Shorewall 4.4.12. An entry in this column restrict + the rule to matching an address that has been previously triggered + by a TRIGGER rule. Normally the SOURCE address is checked but you + can cause the DESTINATION address to be used instead by supplying a + direction of (e.g., + foo::d). By default, the address must have been triggered within the + last 60 seconds but you can specify a different time using the + seconds option (e.g., foo:30). + + @@ -1224,7 +1246,7 @@ to the port range 81-90. #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL - # PORT PORT(S) DEST + # PORT PORT(S) DEST REDIRECT net $FW::81-90:random tcp www 
@@ -1281,6 +1303,31 @@ that traffic. + + + Example 10: + + + Allow a connection from internet host to the firewall's TCP + port 1088 within 30 seconds after the firewall establishes an SSH + connection to that host. + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME TRIGGER + # PORT(S) PORT(S) DEST LIMIT GROUP + # + # Trigger the incoming connection + # + TRIGGER(port1088:d) fw net tcp 22 + # + # Note that the TRIGGER rule must precede the ACCEPT rule; the ACCEPT rule can be omitted if the fw->net policy is ACCEPT + # + ACCEPT fw net tcp 22 + # + # Now accept the return connection on port 1088 + # + ACCEPT net fw tcp 1088 - - - - - - - port1088:30 + +
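Review bot: in the docs/support.xml hunk, "a registered Nic on freenode" should read "a registered nick" (a registered nickname); "Nic" will be read as a network interface card. Suggested wording: `You must have a registered nick on freenode in order to post on the channel.` The subject line also describes only this one-sentence change, while most of the diff documents the new TRIGGER action and TRIGGER column in manpages/shorewall-rules.xml; the commit message should say so.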
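Review bot: in the new `TRIGGER(trigger[:direction])` entry (hunk @@ -415,9), the sentence "if direction is (e.g., trig:d)" is missing the value that direction must take; the example implies the literal `d`, so it should read "if direction is d (e.g., trig:d)". The entry also never states whether a TRIGGER rule terminates rule processing for the packet; the Example 10 comment ("the ACCEPT rule can be omitted if the fw->net policy is ACCEPT") implies it does not accept the connection by itself and that the packet continues to later rules, which is exactly what a reader deciding where to place the rule needs to know, so please say it here. Minor: "SOURCE or DEST" in the ESTABLISHED paragraph should match the "DESTINATION" used in the rest of the entry.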
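Review bot: in the new TRIGGER column entry, "An entry in this column restrict the rule" should be "restricts the rule", and "supplying a direction of (e.g., foo::d)" is again missing the literal `d`. It would also help to state that the seconds window is measured from the address's most recent trigger time (per the action entry, the connection time for a NEW-section rule, or the last matching packet for an ESTABLISHED-section rule), and that an empty seconds field as in `foo::d` keeps the 60-second default.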
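Review bot: in the Example 10 hunk, the prose says the port-1088 connection is allowed "within 30 seconds after the firewall establishes an SSH connection", but `TRIGGER(port1088:d) fw net tcp 22` is a NEW-section rule, so the remote address is added to the trigger when the outbound port-22 connection is initiated, not when the SSH session is established; "initiates" would be accurate. Please also spell out in the comments why the action uses `:d` while the column entry `port1088:30` does not: the outbound rule records the DESTINATION of the SSH connection, and the inbound ACCEPT on port 1088 then matches only when the SOURCE of the incoming connection (the column default) is one of those recently recorded addresses. Typo: "from internet host" should be "from an internet host".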