Consolidate manpages between Shorewall and Shorewall6

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-06-16 15:01:41 -07:00
parent 62a60ad995
commit d8ef934f24
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
35 changed files with 1075 additions and 382 deletions

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/accounting</command>
<command>/etc/shorewall[6]/accounting</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -783,6 +783,8 @@
<title>FILES</title>
<para>/etc/shorewall/accounting</para>
<para>/etc/shorewall6/accounting</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/actions</command>
<command>/etc/shorewall[6]/actions</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -148,8 +148,8 @@
<listitem>
<para>Added in Shorewall 5.0.7. Specifies that this action is
to be used in <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
than <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
rather than <ulink
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -160,11 +160,11 @@
<listitem>
<para>Added in Shorewall 5.0.13. Specifies that this action is
to be used in <ulink
url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink> rather
than <ulink
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>. The
<option>mangle</option> and <option>nat</option> options are
mutually exclusive.</para>
url="/manpages/shorewall-snat.html">shorewall-snat(5)</ulink>
rather than <ulink
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink>.
The <option>mangle</option> and <option>nat</option> options
are mutually exclusive.</para>
</listitem>
</varlistentry>
@ -206,7 +206,7 @@
<para>Given that neither the <filename>snat</filename> nor the
<filename>mangle</filename> file is sectioned, this parameter
has no effect when <option>mangle</option> or
<option>nat</option> is specified. </para>
<option>nat</option> is specified.</para>
</listitem>
</varlistentry>
@ -239,6 +239,8 @@
<title>FILES</title>
<para>/etc/shorewall/actions</para>
<para>/etc/shorewall6/actions</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/blrules</command>
<command>/etc/shorewall[6]/blrules</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -27,12 +27,9 @@
<para>This file is used to perform blacklisting and whitelisting.</para>
<para>Rules in this file are applied depending on the setting of
BLACKLISTNEWONLY in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
connections in the NEW and INVALID states.</para>
<para>Rules in this file are applied depending on the setting of BLACKLIST
in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The format of rules in this file is the same as the format of rules
in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
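Review bot: the replacement paragraph (the new "Rules in this file are applied depending on the setting of BLACKLIST" sentence) drops the information the removed text carried, namely which connection-tracking states the rules are applied to under each setting (all states versus NEW and INVALID only). Keep a one-sentence summary of what each BLACKLIST value does here rather than only pointing at shorewall.conf(5), so the blrules page still explains when its rules take effect.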
@ -118,10 +115,10 @@
</varlistentry>
<varlistentry>
<term>A_DROP and A_DROP!</term>
<term>A_DROP</term>
<listitem>
<para>Audited versions of DROP. Requires AUDIT_TARGET support
<para>Audited version of DROP. Requires AUDIT_TARGET support
in the kernel and ip6tables.</para>
</listitem>
</varlistentry>
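Review bot: the retained sentence "Requires AUDIT_TARGET support in the kernel and ip6tables" is now wrong for the consolidated manpage, which covers Shorewall as well as Shorewall6; change it to "in the kernel and iptables/ip6tables". Also confirm that dropping "A_DROP!" from the term is intentional, since the old term listed both forms and the body only says "Audited version of DROP".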
@ -276,11 +273,11 @@
</refsect1>
<refsect1>
<title>Example</title>
<title>Examples</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<term>IPv4 Example 1:</term>
<listitem>
<para>Drop Teredo packets from the net.</para>
@ -290,7 +287,28 @@
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<term>IPv4 Example 2:</term>
<listitem>
<para>Don't subject packets from 2001:DB8::/64 to the remaining
rules in the file.</para>
<programlisting>WHITELIST net:[2001:DB8::/64] all</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>Drop Teredo packets from the net.</para>
<programlisting>DROP net:[2001::/32] all</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 2:</term>
<listitem>
<para>Don't subject packets from 2001:DB8::/64 to the remaining
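Review bot: the entry labelled "IPv4 Example 2" is followed by the text "Don't subject packets from 2001:DB8::/64 to the remaining rules in the file" and the rule "WHITELIST net:[2001:DB8::/64] all", which is the same content as the new "IPv6 Example 2". If that is the text retained under the IPv4 heading, replace the prefix and rule with an IPv4 network (for example a documentation range such as 192.0.2.0/24) so the two examples are not duplicates.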
@ -306,6 +324,8 @@
<title>FILES</title>
<para>/etc/shorewall/blrules</para>
<para>/etc/shorewall6/blrules</para>
</refsect1>
<refsect1>
@ -319,10 +339,11 @@
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-mangle(5) shorewall6-netmap(5),shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-rtrules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-snat(5),shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
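Review bot: the rewritten SEE ALSO list has punctuation and duplication problems: "shorewall-mangle(5) shorewall6-netmap(5),shorewall-params(5)" is missing the comma after shorewall-mangle(5) and the space after shorewall6-netmap(5), "shorewall-snat(5),shorewall-tcclasses(5)" is missing a space, and shorewall-mangle(5) appears twice (once at the start and once after shorewall-tcdevices(5)). Since the manpages are being consolidated, "shorewall6-netmap(5)" should probably also read "shorewall-netmap(5)" like the rest of the list.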

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/conntrack</command>
<command>/etc/shorewall[6]/conntrack</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -35,7 +35,7 @@
<emphasis role="bold">conntrack</emphasis>.</para>
<para>The file supports three different column layouts: FORMAT 1, FORMAT
2, and FORMAT 3, FORMAT 1 being the default. The three differ as
2, and FORMAT 3 with FORMAT 1 being the default. The three differ as
follows:</para>
<itemizedlist>
@ -311,9 +311,9 @@
<listitem>
<para><option>ULOG</option></para>
<para>Added in Shoreawll 4.6.0. Queues the packet to a backend
logging daemon using the ULOG netfilter target with the
specified <replaceable>ulog-parameters</replaceable>.</para>
<para>IPv4 only. Added in Shoreawll 4.6.0. Queues the packet to
a backend logging daemon using the ULOG netfilter target with
the specified <replaceable>ulog-parameters</replaceable>.</para>
</listitem>
</itemizedlist>
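Review bot: the new "IPv4 only. Added in Shoreawll 4.6.0." line carries the pre-existing typo "Shoreawll"; correct it to "Shorewall" while this paragraph is being rewritten.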
@ -689,31 +689,57 @@
<refsect1>
<title>EXAMPLE</title>
<para>Example 1:</para>
<para>IPv4 Example 1:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
<para>Example 2 (Shorewall 4.5.10 or later):</para>
<para>IPv4 Example 2 (Shorewall 4.5.10 or later):</para>
<para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
<programlisting>FORMAT 2
<programlisting>?FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP all-:1.2.3.4 -
DROP all 1.2.3.4</programlisting>
<para>or<programlisting>FORMAT 3
<para>or<programlisting>?FORMAT 3
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP:P 1.2.3.4 -
DROP:PO - 1.2.3.4
</programlisting></para>
<para>IPv6 Example 1:</para>
<para>Use the FTP helper for TCP port 21 connections from the firewall
itself.</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
CT:helper:ftp(expevents=new) fw - tcp 21 </programlisting>
<para>IPv6 Example 2 (Shorewall 4.5.10 or later):</para>
<para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
<programlisting>FORMAT 2
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP all-:2001:1.2.3::4 -
DROP all 2001:1.2.3::4
</programlisting>
<para>or<programlisting>FORMAT 3
#ACTION SOURCE DEST PROTO DPORT SPORT USER
DROP:P 2001:1.2.3::4 -
DROP:PO - 2001:1.2.3::4</programlisting></para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/conntrack</para>
<para>/etc/shorewall6/conntrack</para>
</refsect1>
<refsect1>
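Review bot: the IPv6 examples use an address that is not valid IPv6 syntax, "2001:1.2.3::4" (dotted groups may only appear as the trailing 32 bits of an address); use a documentation address such as 2001:db8::4 in the description and in all four DROP lines. Two smaller consistency points in the same hunk: the IPv4 listings were changed to the "?FORMAT 2" / "?FORMAT 3" directive form, but the IPv6 listings still start with bare "FORMAT 2" / "FORMAT 3", and "IPv6 Example 1" has a descriptive sentence ("Use the FTP helper for TCP port 21 connections from the firewall itself.") that "IPv4 Example 1" lacks although it shows the same rule.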

View File

@ -26,7 +26,9 @@
<title>Description</title>
<para>Use this file to list the destinations for which you want to disable
ECN (Explicit Congestion Notification).</para>
ECN (Explicit Congestion Notification). Use of this file is deprecated in
favor of ECN rules in <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle</ulink>(8).</para>
<para>The columns in the file are as follows.</para>
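Review bot: the new sentence links to "shorewall-mangle</ulink>(8)", but shorewall-mangle is a configuration-file manpage in section 5 (the rest of this commit refers to shorewall-mangle(5)); change the section number to (5).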

View File

@ -49,9 +49,10 @@
<para>Beginning in Shorewall 4.4.13, the second form of exclusion is
allowed after <emphasis role="bold">all</emphasis> and <emphasis
role="bold">any</emphasis> in the SOURCE and DEST columns of
/etc/shorewall/rules. It allows you to omit arbitrary zones from the list
generated by those key words.</para>
role="bold">any</emphasis> in the SOURCE and DEST columns of <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5). It allows
you to omit arbitrary zones from the list generated by those key
words.</para>
<warning>
<para>If you omit a sub-zone and there is an explicit or explicit
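Review bot: the trailing context line "If you omit a sub-zone and there is an explicit or explicit" reads as a typo for "explicit or implicit"; since the paragraph directly above is being rewritten anyway, it would be worth fixing this warning in the same change.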
@ -117,7 +118,7 @@ ACCEPT all!z2 net tcp 22</programlisting>
<variablelist>
<varlistentry>
<term>Example 1 - All IPv4 addresses except 192.168.3.4</term>
<term>IPv4 Example 1 - All IPv4 addresses except 192.168.3.4</term>
<listitem>
<para>!192.168.3.4</para>
@ -125,8 +126,8 @@ ACCEPT all!z2 net tcp 22</programlisting>
</varlistentry>
<varlistentry>
<term>Example 2 - All IPv4 addresses except the network 192.168.1.0/24
and the host 10.2.3.4</term>
<term>IPv4 Example 2 - All IPv4 addresses except the network
192.168.1.0/24 and the host 10.2.3.4</term>
<listitem>
<para>!192.168.1.0/24,10.1.3.4</para>
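Review bot: the renamed term says "except the network 192.168.1.0/24 and the host 10.2.3.4", but the example value beneath it is "!192.168.1.0/24,10.1.3.4"; make the host address the same in both places.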
@ -134,7 +135,7 @@ ACCEPT all!z2 net tcp 22</programlisting>
</varlistentry>
<varlistentry>
<term>Example 3 - All IPv4 addresses except the range
<term>IPv4 Example 3 - All IPv4 addresses except the range
192.168.1.3-192.168.1.12 and the network 10.0.0.0/8</term>
<listitem>
@ -143,8 +144,8 @@ ACCEPT all!z2 net tcp 22</programlisting>
</varlistentry>
<varlistentry>
<term>Example 4 - The network 192.168.1.0/24 except hosts 192.168.1.3
and 192.168.1.9</term>
<term>IPv4 Example 4 - The network 192.168.1.0/24 except hosts
192.168.1.3 and 192.168.1.9</term>
<listitem>
<para>192.168.1.0/24!192.168.1.3,192.168.1.9</para>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/hosts</command>
<command>/etc/shorewall[6]/hosts</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -270,6 +270,8 @@ vpn ppp+:192.168.3.0/24</programlisting></para>
<title>FILES</title>
<para>/etc/shorewall/hosts</para>
<para>/etc/shorewall6/hosts</para>
</refsect1>
<refsect1>

View File

@ -199,11 +199,12 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">arp_filter[={0|1}]</emphasis></term>
<listitem>
<para>If specified, this interface will only respond to ARP
who-has requests for IP addresses configured on the interface.
If not specified, the interface can respond to ARP who-has
requests for IP addresses on any of the firewall's interface.
The interface must be up when Shorewall is started.</para>
<para>IPv4 only. If specified, this interface will only
respond to ARP who-has requests for IP addresses configured on
the interface. If not specified, the interface can respond to
ARP who-has requests for IP addresses on any of the firewall's
interface. The interface must be up when Shorewall is
started.</para>
<para>Only those interfaces with the
<option>arp_filter</option> option will have their setting
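Review bot: the rewritten arp_filter paragraph keeps the grammatical slip "IP addresses on any of the firewall's interface"; it should read "interfaces".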
@ -225,8 +226,8 @@ loc eth2 -</programlisting>
role="bold">arp_ignore</emphasis>[=<emphasis>number</emphasis>]</term>
<listitem>
<para>If specified, this interface will respond to arp
requests based on the value of <emphasis>number</emphasis>
<para>IPv4 only. If specified, this interface will respond to
arp requests based on the value of <emphasis>number</emphasis>
(defaults to 1).</para>
<para>1 - reply only if the target IP address is local address
@ -411,8 +412,8 @@ loc eth2 -</programlisting>
<listitem>
<para>the interface is a <ulink
url="/SimpleBridge.html">simple bridge</ulink> with a
DHCP server on one port and DHCP clients on another
url="/SimpleBridge.html">simple bridge</ulink> with a DHCP
server on one port and DHCP clients on another
port.</para>
<note>
@ -467,15 +468,15 @@ loc eth2 -</programlisting>
role="bold">logmartians[={0|1}]</emphasis></term>
<listitem>
<para>Turn on kernel martian logging (logging of packets with
impossible source addresses. It is strongly suggested that if
you set <emphasis role="bold">routefilter</emphasis> on an
interface that you also set <emphasis
role="bold">logmartians</emphasis>. Even if you do not specify
the <option>routefilter</option> option, it is a good idea to
specify <option>logmartians</option> because your distribution
may have enabled route filtering without you knowing
it.</para>
<para>IPv4 only. Turn on kernel martian logging (logging of
packets with impossible source addresses. It is strongly
suggested that if you set <emphasis
role="bold">routefilter</emphasis> on an interface that you
also set <emphasis role="bold">logmartians</emphasis>. Even if
you do not specify the <option>routefilter</option> option, it
is a good idea to specify <option>logmartians</option> because
your distribution may have enabled route filtering without you
knowing it.</para>
<para>Only those interfaces with the
<option>logmartians</option> option will have their setting
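Review bot: the rewritten logmartians paragraph still has the unbalanced parenthesis inherited from the old text, "(logging of packets with impossible source addresses."; close it as "(logging of packets with impossible source addresses)."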
@ -576,8 +577,8 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">nosmurfs</emphasis></term>
<listitem>
<para>Filter packets for smurfs (packets with a broadcast
address as the source).</para>
<para>IPv4 only. Filter packets for smurfs (packets with a
broadcast address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
@ -596,9 +597,9 @@ loc eth2 -</programlisting>
<itemizedlist>
<listitem>
<para>a <filename
class="directory">/proc/sys/net/ipv4/conf/</filename>
class="directory">/proc/sys/net/ipv[46]/conf/</filename>
entry for the interface cannot be modified (including for
proxy ARP).</para>
proxy ARP or proxy NDP).</para>
</listitem>
<listitem>
@ -638,7 +639,7 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
<listitem>
<para>Sets
<para>IPv4 only. Sets
/proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
Do NOT use this option if you are employing Proxy ARP through
entries in <ulink
@ -659,6 +660,24 @@ loc eth2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
<listitem>
<para>IPv6 only. Sets
/proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/proxy_ndp.</para>
<para><emphasis role="bold">Note</emphasis>: This option does
not work with a wild-card <replaceable>interface</replaceable>
name (e.g., eth0.+) in the INTERFACE column.</para>
<para>Only those interfaces with the <option>proxyndp</option>
option will have their setting changed; the value assigned to
the setting will be the value specified (if any) or 1 if no
value is given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">required</emphasis></term>
@ -700,8 +719,8 @@ loc eth2 -</programlisting>
role="bold">routefilter[={0|1|2}]</emphasis></term>
<listitem>
<para>Turn on kernel route filtering for this interface
(anti-spoofing measure).</para>
<para>IPv4 only. Turn on kernel route filtering for this
interface (anti-spoofing measure).</para>
<para>Only those interfaces with the
<option>routefilter</option> option will have their setting
@ -886,10 +905,13 @@ loc eth2 -</programlisting>
role="bold">routefilter</emphasis></member>
<member><emphasis
role="bold">sourceroute</emphasis></member>
role="bold">proxyarp</emphasis></member>
<member><emphasis
role="bold">proxyndp</emphasis></member>
role="bold">proxyudp</emphasis></member>
<member><emphasis
role="bold">sourceroute</emphasis></member>
</simplelist>
</listitem>
</itemizedlist>
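Review bot: the simplelist entry "proxyudp" looks like a typo for "proxyndp", the option that this commit adds earlier in the file ("<term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>"); no "proxyudp" option is defined anywhere in the page. Fix the spelling so the list of per-interface settings matches the option it refers to.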
@ -902,7 +924,9 @@ loc eth2 -</programlisting>
<listitem>
<para>Incoming requests from this interface may be remapped
via UPNP (upnpd). See <ulink
url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
url="/UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.
Supported in IPv4 and in IPv6 in Shorewall 5.1.4 and
later.</para>
</listitem>
</varlistentry>
@ -916,7 +940,8 @@ loc eth2 -</programlisting>
causes Shorewall to detect the default gateway through the
interface and to accept UDP packets from that gateway. Note
that, like all aspects of UPnP, this is a security hole so use
this option at your own risk.</para>
this option at your own risk. Supported in IPv4 and in IPv6 in
Shorewall 5.1.4 and later.</para>
</listitem>
</varlistentry>
@ -943,7 +968,7 @@ loc eth2 -</programlisting>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<term>IPv4 Example 1:</term>
<listitem>
<para>Suppose you have eth0 connected to a DSL modem and eth1
@ -956,7 +981,7 @@ loc eth2 -</programlisting>
<para>Your entries for this setup would look like:</para>
<programlisting>FORMAT 1
<programlisting>?FORMAT 1
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.191.149.223 dhcp
loc eth1 192.168.1.255
@ -971,7 +996,7 @@ dmz eth2 192.168.2.255</programlisting>
<para>The same configuration without specifying broadcast addresses
is:</para>
<programlisting>FORMAT 2
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
net eth0 dhcp
loc eth1
@ -986,7 +1011,7 @@ dmz eth2</programlisting>
<para>You have a simple dial-in system with no Ethernet
connections.</para>
<programlisting>FORMAT 2
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
net ppp0 -</programlisting>
</listitem>
@ -999,7 +1024,7 @@ net ppp0 -</programlisting>
<para>You have a bridge with no IP address and you want to allow
traffic through the bridge.</para>
<programlisting>FORMAT 2
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
- br0 bridge</programlisting>
</listitem>
@ -1011,6 +1036,8 @@ net ppp0 -</programlisting>
<title>FILES</title>
<para>/etc/shorewall/interfaces</para>
<para>/etc/shorewall6/interfaces</para>
</refsect1>
<refsect1>

View File

@ -251,21 +251,39 @@
<para>/etc/shorewall/accounting</para>
<para>/etc/shorewall6/accounting</para>
<para>/etc/shorewall/blrules</para>
<para>/etc/shorewall6/blrules</para>
<para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para>
<para>/etc/shorewall6/hosts -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para>
<para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para>
<para>/etc/shorewall/masq</para>
<para>/etc/shorewall6/maclist -- <emphasis role="bold">Note:</emphasis>
Multiple matches enclosed in +[...] may not be used in this file.</para>
<para>/etc/shorewall/rules</para>
<para>/etc/shorewall6/rules</para>
<para>/etc/shorewall/secmarks</para>
<para>/etc/shorewall6/secmarks</para>
<para>/etc/shorewall/mangle</para>
<para>/etc/shorewall6/mangle</para>
<para>/etc/shorewall/snat</para>
<para>/etc/shorewall6/snat</para>
</refsect1>
<refsect1>
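Review bot: the FILES list is no longer in a consistent order: "/etc/shorewall/masq" sits between the "/etc/shorewall/maclist" and "/etc/shorewall6/maclist" entries and, unlike every other file in the list, has no shorewall6 counterpart beside it, while snat is listed for both. Either move the masq entry next to the other paired entries and add its shorewall6 line, or drop it if the intent of this commit is that snat supersedes masq (as the mangle example in this commit, which replaces "/etc/shorewall/masq:" with "/etc/shorewall/snat:", suggests).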

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/maclist</command>
<command>/etc/shorewall[6]/maclist</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -97,6 +97,8 @@
<title>FILES</title>
<para>/etc/shorewall/maclist</para>
<para>/etc/shorewall6/maclist</para>
</refsect1>
<refsect1>

View File

@ -18,31 +18,17 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/mangle</command>
<command>/etc/shorewall[6]/mangle</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file was introduced in Shorewall 4.6.0 and is intended to
replace <ulink
<para>This file was introduced in Shorewall 4.6.0 and replaces <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
file is only processed by the compiler if:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>No file named 'tcrules' exists on the current CONFIG_PATH (see
<ulink url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>);
or</para>
</listitem>
<listitem>
<para>The first file named 'tcrules' found on the CONFIG_PATH contains
no non-commentary entries.</para>
</listitem>
</orderedlist>
<para>Entries in this file cause packets to be marked as a means of
classifying them for traffic control or policy routing.</para>
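Review bot: the removal of the tcrules condition list leaves the retained sentence "This file is only processed by the compiler if:" dangling, since the orderedlist with the two conditions that followed it is gone and the next paragraph is "Entries in this file cause packets to be marked". Delete that sentence (or reword it to say the file is always processed now that tcrules is replaced) so the description does not end on an unfinished "if:".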
@ -117,9 +103,7 @@
SOURCE is $FW, the generated rule is always placed in the OUTPUT
chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
Additionally, a <replaceable>chain-designator</replaceable> may not
be specified in an action body unless the action is declared as
<option>inline</option> in <ulink
url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
be specified in an action body.</para>
<para>Where a command takes parameters, those parameters are
enclosed in parentheses ("(....)") and separated by commas.</para>
@ -365,8 +349,9 @@ DIVERTHA - - tcp</programlisting>
<listitem>
<para>Added in Shorewall 5.0.6 as an alternative to entries in
<ulink url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>. If a
PROTO is specified, it must be 'tcp' (6). If no PROTO is
<ulink
url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>.
If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
supplied, TCP is assumed. This action causes all ECN bits in
the TCP header to be cleared.</para>
</listitem>
@ -915,7 +900,8 @@ Normal-Service =&gt; 0x00</programlisting>
Matches packets leaving the firewall through the named
interface. May not be used in the PREROUTING chain (:P in the
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
in <ulink url="/manpages/shorewall.conf">shorewall.conf</ulink>
in <ulink
url="/manpages/shorewall.conf">shorewall.conf</ulink>
(5)).</para>
</listitem>
</varlistentry>
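Review bot: the reflowed link target url="/manpages/shorewall.conf" is missing the ".html" suffix that every other shorewall.conf link in this commit uses (url="/manpages/shorewall.conf.html"); fix the URL while touching these lines. The "(5)" also ends up on its own line after the closing ulink, which renders as "shorewall.conf (5)" with a space.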
@ -1543,7 +1529,7 @@ Normal-Service =&gt; 0x00</programlisting>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<term>IPv4 Example 1:</term>
<listitem>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
@ -1572,7 +1558,7 @@ Normal-Service =&gt; 0x00</programlisting>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<term>IPv4 Example 2:</term>
<listitem>
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@ -1584,12 +1570,41 @@ Normal-Service =&gt; 0x00</programlisting>
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
/etc/shorewall/masq:
/etc/shorewall/snat:
#INTERFACE SOURCE ADDRESS ...
eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C
eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C
eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
#ACTION SOURCE DEST ...
SNAT(1.1.1.1) eth0:192.168.1.0/24 - { mark=1:C }
SNAT(1.1.1.3) eth0:192.168.1.0/24 - { mark=2:C }
SNAT(1.1.1.4) eth0:192.168.1.0/24 - { mark=3:C }</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
to peer traffic with packet mark 4.</para>
<para>This is a little more complex than otherwise expected. Since
the ipp2p module is unable to determine all packets in a connection
are P2P packets, we mark the entire connection as P2P if any of the
packets are determined to match.</para>
<para>We assume packet/connection mark 0 means unclassified.</para>
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(1):T ::/0 ::/0 icmp echo-request
MARK(1):T ::/0 ::/0 icmp echo-reply
RESTORE:T ::/0 ::/0 all - - - 0
CONTINUE:T ::/0 ::/0 all - - - !0
MARK(4):T ::/0 ::/0 ipp2p:all
SAVE:T ::/0 ::/0 all - - - !0</programlisting>
<para>If a packet hasn't been classified (packet mark is 0), copy
the connection mark to the packet mark. If the packet mark is set,
we're done. If the packet is P2P, set the packet mark to 4. If the
packet mark has been set, save it to the connection mark.</para>
</listitem>
</varlistentry>
</variablelist>
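Review bot: please double-check the column placement in the converted snat example. The masq version had eth0 in INTERFACE and 192.168.1.0/24 in SOURCE, but the snat lines put both into the SOURCE column as "eth0:192.168.1.0/24" and leave DEST as "-"; in the snat file the outgoing interface normally belongs in DEST, so the expected shape is "SNAT(1.1.1.1) 192.168.1.0/24 eth0 { mark=1:C }". Two minor points in the new IPv6 Example 1: the programlisting opens with a leading space before "#ACTION", and the explanatory paragraphs are a verbatim copy of the IPv4 Example 1 text, so the only IPv6-specific content is the ::/0 addresses.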
@ -1599,6 +1614,8 @@ Normal-Service =&gt; 0x00</programlisting>
<title>FILES</title>
<para>/etc/shorewall/mangle</para>
<para>/etc/shorewall6/mangle</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/masq</command>
<command>/etc/shorewall[6]/masq</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -579,7 +579,7 @@
<variablelist>
<varlistentry>
<term>Example 1:</term>
<term>IPv4 Example 1:</term>
<listitem>
<para>You have a simple masquerading setup where eth0 connects to a
@ -594,7 +594,7 @@
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<term>IPv4 Example 2:</term>
<listitem>
<para>You add a router to your local network to connect subnet
@ -607,7 +607,7 @@
</varlistentry>
<varlistentry>
<term>Example 3:</term>
<term>IPv4 Example 3:</term>
<listitem>
<para>You have an IPSEC tunnel through ipsec0 and you want to
@ -620,7 +620,7 @@
</varlistentry>
<varlistentry>
<term>Example 4:</term>
<term>IPv4 Example 4:</term>
<listitem>
<para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@ -634,7 +634,7 @@
</varlistentry>
<varlistentry>
<term>Example 5:</term>
<term>IPv4 Example 5:</term>
<listitem>
<para>You want all outgoing SMTP traffic entering the firewall from
@ -654,7 +654,7 @@
</varlistentry>
<varlistentry>
<term>Example 6:</term>
<term>IPv4 Example 6:</term>
<listitem>
<para>Connections leaving on eth0 and destined to any host defined
@ -667,7 +667,7 @@
</varlistentry>
<varlistentry>
<term>Example 7:</term>
<term>IPv4 Example 7:</term>
<listitem>
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@ -689,7 +689,7 @@
</varlistentry>
<varlistentry>
<term>Example 8:</term>
<term>IPv4 Example 8:</term>
<listitem>
<para>Your eth1 has two public IP addresses: 70.90.191.121 and
@ -716,6 +716,49 @@
</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>You have a simple 'masquerading' setup where eth0 connects to
a DSL or cable modem and eth1 connects to your local network with
subnet 2001:470:b:787::0/64</para>
<para>Your entry in the file will be:</para>
<programlisting> #INTERFACE SOURCE ADDRESS
eth0 2001:470:b:787::0/64 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 2:</term>
<listitem>
<para>Your sit1 interface has two public IP addresses:
2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
iptables statistics match to masquerade outgoing connections evenly
between these two addresses.</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
INLINE(sit1) ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 ::/0 2001:470:a:227::2
</programlisting>
<para>If INLINE_MATCHES=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
then these rules may be specified as follows:</para>
<programlisting>/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
sit1 ::/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
sit1 ::/0 2001:470:a:227::2</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
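Review bot: IPv6 Example 2 is internally inconsistent: the term names the addresses 2001:470:a:227::1 and 2001:470:b:227::1, but both listings use 2001:470:a:227::1 and 2001:470:a:227::2. The listings are also headed "/etc/shorewall/masq:" although this is an IPv6 example (the file would be /etc/shorewall6/masq, or the consolidated "/etc/shorewall[6]/masq" form used in the synopsis), the text says "iptables statistics match" where ip6tables applies, and the INLINE_MATCHES link still points at manpages6/shorewall6.conf rather than the consolidated shorewall.conf(5) used elsewhere in this commit. In IPv6 Example 1 the prefix "2001:470:b:787::0/64" is valid but is conventionally written "2001:470:b:787::/64".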
@ -723,6 +766,8 @@
<title>FILES</title>
<para>/etc/shorewall/masq</para>
<para>/etc/shorewall6/masq</para>
</refsect1>
<refsect1>

View File

@ -18,11 +18,11 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/usr/share/shorewall/modules</command>
<command>/usr/share/shorewall[6]/modules</command>
</cmdsynopsis>
<cmdsynopsis>
<command>/usr/share/shorewall/helpers</command>
<command>/usr/share/shorewall[6]/helpers</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -82,6 +82,14 @@
<para>/etc/shorewall/modules</para>
<para>/etc/shorewall/helpers</para>
<para>/usr/share/shorewall6/modules</para>
<para>/usr/share/shorewall6/helpers</para>
<para>/etc/shorewall6/modules</para>
<para>/etc/shorewall6/helpers</para>
</refsect1>
<refsect1>

View File

@ -34,6 +34,8 @@
url="/FAQ.htm#faq1">http://www.shorewall.net/FAQ.htm#faq1</ulink>. Also,
in many cases, Proxy ARP (<ulink
url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
or Proxy-NDP(<ulink
url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
is a better solution that one-to-one NAT.</para>
</warning>
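Review bot: the sentence now ends "is a better solution that one-to-one NAT", which should be "than one-to-one NAT", and the new text "Proxy-NDP(<ulink" needs a space before the parenthesis to match "Proxy ARP (<ulink" on the line above. The new link also points at manpages6/shorewall6-proxyndp, whereas the rest of this commit consolidates links under /manpages/; consider making it consistent.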
@ -208,6 +210,8 @@ all all REJECT info
<title>FILES</title>
<para>/etc/shorewall/nat</para>
<para>/etc/shorewall6/nat</para>
</refsect1>
<refsect1>

View File

@ -200,6 +200,16 @@
<para>/etc/shorewall/policy</para>
<para>/etc/shorewall/rules</para>
<para>/etc/shorewall6/zones</para>
<para>/etc/shorewall6/interfaces</para>
<para>/etc/shorewall6/hosts</para>
<para>/etc/shorewall6/policy</para>
<para>/etc/shorewall6/rules</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/netmap</command>
<command>/etc/shorewall[6]/netmap</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -44,8 +44,6 @@
role="bold">SNAT}</emphasis></term>
<listitem>
<para>Must be DNAT or SNAT</para>
<para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
its destination address rewritten to the corresponding address in
NET2.</para>
@ -169,6 +167,8 @@
<title>FILES</title>
<para>/etc/shorewall/netmap</para>
<para>/etc/shorewall6/netmap</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/params</command>
<command>/etc/shorewall[6]/params</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -107,7 +107,7 @@
<programlisting>NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918</programlisting>
NET_OPTIONS=routefilter</programlisting>
<para>Example <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
@ -119,13 +119,15 @@ net $NET_IF $NET_BCAST $NET_OPTIONS</programlisting>
<para>This is the same as if the interfaces file had contained:</para>
<programlisting>ZONE INTERFACE BROADCAST OPTIONS
net eth0 130.252.100.255 routefilter,norfc1918</programlisting>
net eth0 130.252.100.255 routefilter</programlisting>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/params</para>
<para>/etc/shorewall6/params</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/policy</command>
<command>/etc/shorewall[6]/policy</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -33,25 +33,30 @@
<para>The order of entries in this file is important</para>
<para>This file determines what to do with a new connection request if
we don't get a match from the /etc/shorewall/rules file . For each
source/destination pair, the file is processed in order until a match is
found ("all" will match any source or destination).</para>
we don't get a match from the <ulink
url="/manpages/shorewall-blrules.html">shorewall-blrules</ulink>(5) or
<ulink url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5)
files. For each source/destination pair, the file is processed in order
until a match is found ("all" will match any source or
destination).</para>
</important>
<important>
<para>Intra-zone policies are pre-defined</para>
<para>For $FW and for all of the zones defined in /etc/shorewall/zones,
the POLICY for connections from the zone to itself is ACCEPT (with no
<para>For $FW and for all of the zones defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5), the
POLICY for connections from the zone to itself is ACCEPT (with no
logging or TCP connection rate limiting) but may be overridden by an
entry in this file. The overriding entry must be explicit (specifying
the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall
4.5.17 or later).</para>
<para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
then the implicit policy to/from any sub-zone is CONTINUE. These
implicit CONTINUE policies may also be overridden by an explicit entry
in this file.</para>
<para>Similarly, if you have IMPLICIT_CONTINUE=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), then the
implicit policy to/from any sub-zone is CONTINUE. These implicit
CONTINUE policies may also be overridden by an explicit entry in this
file.</para>
</important>
<para>The columns in the file are as follows (where the column name is
@ -396,6 +401,8 @@
<title>FILES</title>
<para>/etc/shorewall/policy</para>
<para>/etc/shorewall6/policy</para>
</refsect1>
<refsect1>

View File

@ -82,14 +82,11 @@
url="/manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>
file to direct packets to this provider.</para>
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
<para>If PROVIDER_OFFSET is non-zero in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then
the value must be a multiple of 256 between 256 and 65280 or their
hexadecimal equivalents (0x0100 and 0xff00 with the low-order byte
of the value being zero). Otherwise, the value must be between 1 and
255. Each provider must be assigned a unique mark value. This column
may be omitted if you don't use packet marking to direct connections
to a particular provider.</para>
the value must be a mutiple of 2^^PROVIDER_OFFSET. In all cases, the
number of significant bits may not exceed PROVIDER_OFFSET +
PROVIDER_BITS.</para>
</listitem>
</varlistentry>
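Review bot: typo and notation on the new line `the value must be a mutiple of 2^^PROVIDER_OFFSET. In all cases, the`: "mutiple" should be "multiple", and "2^^PROVIDER_OFFSET" presumably means "2^PROVIDER_OFFSET" (a single caret; the doubled caret reads like leftover markup). The rewrite also drops two statements from the old text that still apply: "Each provider must be assigned a unique mark value." and "This column may be omitted if you don't use packet marking to direct connections to a particular provider." Consider keeping both sentences after the PROVIDER_OFFSET rule so the uniqueness requirement is not lost from the consolidated page.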
@ -116,9 +113,9 @@
listed in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
In general, that interface should not have the
<option>proxyarp</option> option specified unless
<option>loose</option> is given in the OPTIONS column of this
entry.</para>
<option>proxyarp</option> or <option>proxyndp</option> option
specified unless <option>loose</option> is given in the OPTIONS
column of this entry.</para>
<para>Where more than one provider is serviced through a single
interface, the <emphasis>interface</emphasis> must be followed by a
@ -461,7 +458,7 @@
<variablelist>
<varlistentry>
<term>Example 1:</term>
<term>IPv4 Example 1:</term>
<listitem>
<para>You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
@ -473,7 +470,7 @@
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<term>IPv4 Example 2:</term>
<listitem>
<para>eth0 connects to ISP 1. The IP address of eth0 is
@ -491,6 +488,36 @@
ISP2 2 2 main eth1 130.252.99.254 track,balance eth2</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2.
Your DMZ interface is eth2</para>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
Squid 1 1 - eth2 2002:ce7c:92b4:1::2 -</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 2:</term>
<listitem>
<para>eth0 connects to ISP 1. The ISP's gateway router has IP
address 2001:ce7c:92b4:1::2.</para>
<para>eth1 connects to ISP 2. The ISP's gateway router has IP
address 2001:d64c:83c9:12::8b.</para>
<para>eth2 connects to a local network.</para>
<programlisting> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 main eth0 2001:ce7c:92b4:1::2 track eth2
ISP2 2 2 main eth1 2001:d64c:83c9:12::8b track eth2</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
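Review bot: the IPv6 provider examples reuse one host part under two different prefixes: IPv6 Example 1 puts squid at 2002:ce7c:92b4:1::2 and IPv6 Example 2 gives ISP 1's gateway 2001:ce7c:92b4:1::2. The examples are unrelated, so distinct addresses, ideally from 2001:db8::/32 (the documentation prefix reserved by RFC 3849), would avoid the impression that they describe one network. Also, the IPv4 Example 2 this mirrors uses `track,balance` in OPTIONS while the IPv6 listing uses `track` alone; if that difference is deliberate, a sentence explaining it would help readers of the consolidated page.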
@ -498,6 +525,8 @@
<title>FILES</title>
<para>/etc/shorewall/providers</para>
<para>/etc/shorewall6/providers</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/routes</command>
<command>/etc/shorewall[6]/routes</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -109,6 +109,8 @@
<title>FILES</title>
<para>/etc/shorewall/routes</para>
<para>/etc/shorewall6/routes</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/rtrules</command>
<command>/etc/shorewall[6]/rtrules</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -177,7 +177,7 @@
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<term>IPv4 Example 2:</term>
<listitem>
<para>You use OpenVPN (routed setup /tunX) in combination with
@ -199,6 +199,8 @@
<title>FILES</title>
<para>/etc/shorewall/rtrules</para>
<para>/etc/shorewall6/rtrules</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/rules</command>
<command>/etc/shorewall[6]/rules</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -54,7 +54,8 @@
<listitem>
<para>This section was added in Shorewall 4.4.23. Rules in this
section are applied, regardless of the connection tracking state of
the packet.</para>
the packet and are applied before rules in the other
sections.</para>
</listitem>
</varlistentry>
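Review bot: comma placement in the rewritten sentence "Rules in this section are applied, regardless of the connection tracking state of the packet and are applied before rules in the other sections." Suggest "Rules in this section are applied regardless of the connection tracking state of the packet, and before rules in the other sections."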
@ -211,7 +212,8 @@
role="bold">DNAT</emphasis>[<emphasis
role="bold">-</emphasis>] or <emphasis
role="bold">REDIRECT</emphasis>[<emphasis
role="bold">-</emphasis>] rules.</para>
role="bold">-</emphasis>] rules. Use with IPv6 requires
Shorewall 4.5.14 or later.</para>
</listitem>
</varlistentry>
@ -232,7 +234,7 @@
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
or in /usr/share/shorewall/actions.std.</para>
or in /usr/share/shorewall[6]/actions.std.</para>
</listitem>
</varlistentry>
@ -286,7 +288,8 @@
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
in the kernel and iptables.</para>
in the kernel and iptables. A_ACCEPT+ with IPv6 requires
Shorewall 4.5.14 or later.</para>
</listitem>
</varlistentry>
@ -401,7 +404,8 @@
<listitem>
<para>Forward the request to another system (and optionally
another port).</para>
another port). Use with IPv6 requires Shorewall 4.5.14 or
later.</para>
</listitem>
</varlistentry>
@ -414,7 +418,8 @@
<para>Like <emphasis role="bold">DNAT</emphasis> but only
generates the <emphasis role="bold">DNAT</emphasis> iptables
rule and not the companion <emphasis
role="bold">ACCEPT</emphasis> rule.</para>
role="bold">ACCEPT</emphasis> rule. Use with IPv6 requires
Shorewall 4.5.14 or later.</para>
</listitem>
</varlistentry>
@ -496,11 +501,11 @@
[<replaceable>option</replaceable> ...])</term>
<listitem>
<para>This action allows you to specify an iptables target
with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
the <replaceable>iptables-target</replaceable> is not one
recognized by Shorewall, the following error message will be
issued:</para>
<para>IPv4 only. This action allows you to specify an iptables
target with options (e.g., 'IPTABLES(MARK --set-xmark
0x01/0xff)'. If the <replaceable>iptables-target</replaceable>
is not one recognized by Shorewall, the following error
message will be issued:</para>
<programlisting> ERROR: Unknown target (<replaceable>iptables-target</replaceable>)</programlisting>
@ -521,6 +526,39 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">IP6TABLES</emphasis>({<replaceable>ip6tables-target</replaceable>
[<replaceable>option</replaceable> ...])</term>
<listitem>
<para>IPv6 only. This action allows you to specify an
ip6tables target with options (e.g., 'IPTABLES(MARK
--set-xmark 0x01/0xff)'. If the
<replaceable>ip6tables-target</replaceable> is not one
recognized by Shorewall, the following error message will be
issued:</para>
<programlisting> ERROR: Unknown target (<replaceable>ip6tables-target</replaceable>)</programlisting>
<para>This error message may be eliminated by adding
the<replaceable>
ip6tables-</replaceable><replaceable>target</replaceable> as a
builtin action in <ulink
url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
<important>
<para>If you specify REJECT as the
<replaceable>ip6tables-target</replaceable>, the target of
the rule will be the i6ptables REJECT target and not
Shorewall's builtin 'reject' chain which is used when REJECT
(see below) is specified as the
<replaceable>target</replaceable> in the ACTION
column.</para>
</important>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
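Review bot: several copy-and-edit slips in the new IP6TABLES entry. The example still reads 'IPTABLES(MARK --set-xmark 0x01/0xff)' and should be 'IP6TABLES(MARK --set-xmark 0x01/0xff)'; "the i6ptables REJECT target" should be "the ip6tables REJECT target"; and `the<replaceable> ip6tables-</replaceable><replaceable>target</replaceable>` is missing the space after "the" and splits one term across two elements, so write it as `the <replaceable>ip6tables-target</replaceable>`. Since this commit consolidates the manpages, the link `url="/manpages6/shorewall6-actions.html"` should also point at the consolidated page, `url="/manpages/shorewall-actions.html"`, as the ACTION column's link earlier in this file does.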
@ -673,7 +711,8 @@
<para>Excludes the connection from any subsequent <emphasis
role="bold">DNAT</emphasis>[-] or <emphasis
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
a rule to accept the traffic.</para>
a rule to accept the traffic. Use with IPv6 requires Shorewall
4.5.14 or later.</para>
</listitem>
</varlistentry>
@ -708,7 +747,7 @@
<para>Beginning with Shorewall 5.0.8, the type of reject may
be specified in the <replaceable>option</replaceable>
paramater. Valid <replaceable>option</replaceable> values
paramater. Valid IPv4 <replaceable>option</replaceable> values
are:</para>
<simplelist>
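Review bot: "paramater" on the changed line `paramater. Valid IPv4 <replaceable>option</replaceable> values` is a pre-existing typo for "parameter"; since the line is being touched anyway, fix it here.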
@ -731,6 +770,28 @@
option may also be specified as
<option>tcp-reset</option>.</member>
</simplelist>
<para>Valid IPv6 <replaceable>option</replaceable> values
are:</para>
<simplelist>
<member><option>icmp6-no-route</option></member>
<member><option>no-route</option></member>
<member><option>i</option><option>cmp6-adm-prohibited</option></member>
<member><option>adm-prohibited</option></member>
<member><option>icmp6-addr-unreachable</option></member>
<member><option>addr-unreach</option></member>
<member><option>icmp6-port-unreachable</option></member>
<member><option>tcp-reset</option> (the PROTO column must
specify TCP)</member>
</simplelist>
</listitem>
</varlistentry>
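Review bot: broken markup in the new IPv6 option list: `<member><option>i</option><option>cmp6-adm-prohibited</option></member>` splits the option name into two <option> elements and only renders as "icmp6-adm-prohibited" by accident; it should be `<member><option>icmp6-adm-prohibited</option></member>`, matching the other members.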
@ -749,7 +810,8 @@
<listitem>
<para>Redirect the request to a server running on the
firewall.</para>
firewall. Use with IPv6 requires Shorewall 4.5.14 or
later.</para>
</listitem>
</varlistentry>
@ -762,7 +824,8 @@
<para>Like <emphasis role="bold">REDIRECT</emphasis> but only
generates the <emphasis role="bold">REDIRECT</emphasis>
iptables rule and not the companion <emphasis
role="bold">ACCEPT</emphasis> rule.</para>
role="bold">ACCEPT</emphasis> rule. Use with IPv6 requires
Shorewall 4.5.14 or later.</para>
</listitem>
</varlistentry>
@ -842,9 +905,9 @@
role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
<listitem>
<para>Added in Shorewall 4.5.10. Queues matching packets to a
back end logging daemon via a netlink socket then continues to
the next rule. See <ulink
<para>IPv4 only. Added in Shorewall 4.5.10. Queues matching
packets to a back end logging daemon via a netlink socket then
continues to the next rule. See <ulink
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
<para>Similar to<emphasis role="bold">
@ -889,10 +952,10 @@
</listitem>
</itemizedlist>
<para>You may also specify <emphasis role="bold">ULOG</emphasis> or
<emphasis role="bold">NFLOG</emphasis> (must be in upper case) as a
log level.This will log to the ULOG or NFLOG target for routing to a
separate log through use of ulogd (<ulink
<para>You may also specify <emphasis role="bold">ULOG</emphasis>
(IPv4 only) or <emphasis role="bold">NFLOG</emphasis> (must be in
upper case) as a log level.This will log to the ULOG or NFLOG target
for routing to a separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>Actions specifying logging may be followed by a log tag (a
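Review bot: missing space after the full stop in "as a log level.This will log" on the rewritten line; write "as a log level. This will log to the ULOG or NFLOG target".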
@ -922,9 +985,9 @@
<listitem>
<para>The name of a zone defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). When
only the zone name is specified, the packet source may be any
host in that zone.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).
When only the zone name is specified, the packet source may be
any host in that zone.</para>
<para>zone may also be one of the following:</para>
@ -991,9 +1054,10 @@
<replaceable>zone</replaceable> in either <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
or <ulink
url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5). Only
packets from hosts in the <replaceable>zone</replaceable> that
arrive through the named interface will match the rule.</para>
url="/manpages/shorewall.hosts.html">shorewall-hosts</ulink>(5).
Only packets from hosts in the <replaceable>zone</replaceable>
that arrive through the named interface will match the
rule.</para>
</listitem>
</varlistentry>
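Review bot: the reflowed link keeps a wrong URL: `url="/manpages/shorewall.hosts.html"` should be `url="/manpages/shorewall-hosts.html"`, which is the form used for the same link in the DEST column later in this file and for shorewall-hosts(5) elsewhere in this commit.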
@ -1208,6 +1272,49 @@
of the net zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dmz:[2002:ce7c:2b4:1::2]</term>
<listitem>
<para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:2001:4d48:ad51:24::/64</term>
<listitem>
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc:[2002:cec792b4:1::2],[2002:cec792b4:1::44]</term>
<listitem>
<para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
local zone.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>loc:~00-A0-C9-15-39-78</term>
<listitem>
<para>Host in the local zone with MAC address
00:A0:C9:15:39:78.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>net:[2001:4d48:ad51:24::]/64![2001:4d48:ad51:24:6::]/80</term>
<listitem>
<para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
2001:4d48:ad51:24:6::/80.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
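Review bot: the new IPv6 SOURCE examples are inconsistent and partly not valid IPv6. The term `dmz:[2002:ce7c:2b4:1::2]` disagrees with its description "Host 2002:ce7c:92b4:1::2"; and `2002:cec792b4:1::2` / `2002:cec792b4:1::44` contain an eight-hex-digit group (cec792b4), which cannot occur in an IPv6 address (a group is at most four hex digits), so these are presumably 2002:ce7c:92b4:1::2 and 2002:ce7c:92b4:1::44. Consider drawing all the example addresses from 2001:db8::/32, the prefix RFC 3849 reserves for documentation, rather than from ranges that may be in use on the Internet.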
@ -1229,9 +1336,9 @@
<listitem>
<para>The name of a zone defined in <ulink
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5). When
only the zone name is specified, the packet destination may be
any host in that zone.</para>
url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5).
When only the zone name is specified, the packet destination
may be any host in that zone.</para>
<para>zone may also be one of the following:</para>
@ -1298,9 +1405,9 @@
<replaceable>zone</replaceable> in either <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
or <ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5). Only
packets to hosts in the <replaceable>zone</replaceable> that
are sent through the named interface will match the
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
Only packets to hosts in the <replaceable>zone</replaceable>
that are sent through the named interface will match the
rule.</para>
</listitem>
</varlistentry>
@ -2082,12 +2189,100 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HEADERS</emphasis></term>
<term><emphasis role="bold">HEADERS -
[!][any:|exactly:]</emphasis><replaceable>header-list
</replaceable>(Optional - Added in Shorewall 4.4.15)</term>
<listitem>
<para>Added in Shorewall 4.4.15. Not used in IPv4 configurations. If
you with to supply a value for one of the later columns, enter '-'
in this column.</para>
<para>This column is only used in IPv6. In IPv4, supply "-" in this
column if you with to place a value in one of the following
columns.</para>
<para>The <replaceable>header-list</replaceable> consists of a
comma-separated list of headers from the following list.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">auth</emphasis>, <emphasis
role="bold">ah</emphasis>, or <emphasis
role="bold">51</emphasis></term>
<listitem>
<para><firstterm>Authentication Headers</firstterm> extension
header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">esp</emphasis>, or <emphasis
role="bold">50</emphasis></term>
<listitem>
<para><firstterm>Encrypted Security Payload</firstterm>
extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hop</emphasis>, <emphasis
role="bold">hop-by-hop</emphasis> or <emphasis
role="bold">0</emphasis></term>
<listitem>
<para>Hop-by-hop options extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">route</emphasis>, <emphasis
role="bold">ipv6-route</emphasis> or <emphasis
role="bold">43</emphasis></term>
<listitem>
<para>IPv6 Route extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">frag</emphasis>, <emphasis
role="bold">ipv6-frag</emphasis> or <emphasis
role="bold">44</emphasis></term>
<listitem>
<para>IPv6 fragmentation extension header.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">none</emphasis>, <emphasis
role="bold">ipv6-nonxt</emphasis> or <emphasis
role="bold">59</emphasis></term>
<listitem>
<para>No next header</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">proto</emphasis>, <emphasis
role="bold">protocol</emphasis> or <emphasis
role="bold">255</emphasis></term>
<listitem>
<para>Any protocol header.</para>
</listitem>
</varlistentry>
</variablelist>
<para>If <emphasis role="bold">any:</emphasis> is specified, the
rule will match if any of the listed headers are present. If
<emphasis role="bold">exactly:</emphasis> is specified, the will
match packets that exactly include all specified headers. If neither
is given, <emphasis role="bold">any:</emphasis> is assumed.</para>
<para>If <emphasis role="bold">!</emphasis> is entered, the rule
will match those packets which would not be matched when <emphasis
role="bold">!</emphasis> is omitted.</para>
</listitem>
</varlistentry>
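Review bot: "If you with to supply" (removed paragraph) and "if you with to place" (new paragraph) should both read "wish"; and "If exactly: is specified, the will match packets" is missing its subject ("the rule will match packets"). One factual nit in the new header list: the ESP extension header (protocol 50) is the "Encapsulating Security Payload" (RFC 4303), not "Encrypted Security Payload".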
@ -2413,6 +2608,20 @@
SECCTX builtin</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 15:</term>
<listitem>
<para>You want to accept SSH connections to your firewall only from
internet IP addresses 2002:ce7c::92b4:1::2 and
2002:ce7c::92b4:1::22</para>
<programlisting> #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
ACCEPT net:&lt;2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22&gt; \
$FW tcp 22</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
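Review bot: the addresses in the new Example 15 are not valid IPv6: `2002:ce7c::92b4:1::2` and `2002:ce7c::92b4:1::22` each contain "::" twice, and an address may contain at most one "::". Presumably 2002:ce7c:92b4:1::2 and 2002:ce7c:92b4:1::22, the form used in the SOURCE examples above, were intended; the fix applies to both the <para> and the <programlisting>.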
@ -2420,6 +2629,8 @@
<title>FILES</title>
<para>/etc/shorewall/rules</para>
<para>/etc/shorewall6/rules</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/secmarks</command>
<command>/etc/shorewall[6]/secmarks</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -229,7 +229,7 @@
role="bold">all}[,...]</emphasis></term>
<listitem>
<para> See <ulink
<para>See <ulink
url="shorewall-rules.html">shorewall-rules(5)</ulink> for
details.</para>
@ -404,6 +404,8 @@ RESTORE I:ER</programlisting>
<title>FILES</title>
<para>/etc/shorewall/secmarks</para>
<para>/etc/shorewall6/secmarks</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/snat</command>
<command>/etc/shorewall[6]/snat</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -86,7 +86,7 @@
ADD_SNAT_ALIASES is set to Yes or yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
then Shorewall will automatically add this address to the
INTERFACE named in the first column.</para>
INTERFACE named in the first column (IPv4 only).</para>
<para>You may also specify a range of up to 256 IP addresses
if you want the SNAT address to be assigned from that range in
@ -105,9 +105,7 @@
role="bold">:random</emphasis>) with <emphasis
role="bold">:persistent</emphasis>. This is only useful when
an address range is specified and causes a client to be given
the same source/destination IP pair. This feature replaces the
SAME modifier which was removed from Shorewall in version
4.4.0.</para>
the same source/destination IP pair.</para>
<para>You may also use the special value
<option>detect</option> which causes Shorewall to determine
@ -150,8 +148,8 @@
<listitem>
<para>where <replaceable>action</replaceable> is an action
declared in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink> with
the <option>nat</option> option. See <ulink
url="/manpages/shorewall-actions.html">shorewall-actions(5)</ulink>
with the <option>nat</option> option. See <ulink
url="/Actions.html">www.shorewall.net/Actions.html</ulink> for
further information.</para>
</listitem>
@ -257,7 +255,8 @@
<listitem>
<para>If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number here. See
<ulink url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
<ulink
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for
details.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a
@ -599,7 +598,7 @@
<variablelist>
<varlistentry>
<term>Example 1:</term>
<term>IPv4 Example 1:</term>
<listitem>
<para>You have a simple masquerading setup where eth0 connects to a
@ -614,7 +613,7 @@
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<term>IPv4 Example 2:</term>
<listitem>
<para>You add a router to your local network to connect subnet
@ -628,7 +627,7 @@
</varlistentry>
<varlistentry>
<term>Example 3:</term>
<term>IPv4 Example 3:</term>
<listitem>
<para>You want all outgoing traffic from 192.168.1.0/24 through eth0
@ -642,7 +641,7 @@
</varlistentry>
<varlistentry>
<term>Example 4:</term>
<term>IPv4 Example 4:</term>
<listitem>
<para>You want all outgoing SMTP traffic entering the firewall from
@ -666,7 +665,7 @@
</varlistentry>
<varlistentry>
<term>Example 5:</term>
<term>IPv4 Example 5:</term>
<listitem>
<para>Connections leaving on eth0 and destined to any host defined
@ -679,7 +678,7 @@
</varlistentry>
<varlistentry>
<term>Example 6:</term>
<term>IPv4 Example 6:</term>
<listitem>
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
@ -701,19 +700,34 @@
</varlistentry>
<varlistentry>
<term>Example 7:</term>
<term>IPv6 Example 1:</term>
<listitem>
<para>Your eth1 has two public IP addresses: 70.90.191.121 and
70.90.191.123. You want to use the iptables statistics match to
masquerade outgoing connections evenly between these two
addresses.</para>
<para>You have a simple 'masquerading' setup where eth0 connects to
a DSL or cable modem and eth1 connects to your local network with
subnet 2001:470:b:787::0/64</para>
<para>Your entry in the file will be:</para>
<programlisting> #ACTION SOURCE DEST
MASQUERADE 2001:470:b:787::0/64 eth0</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 2:</term>
<listitem>
<para>Your sit1 interface has two public IP addresses:
2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
iptables statistics match to masquerade outgoing connections evenly
between these two addresses.</para>
<programlisting>/etc/shorewall/snat:
#ACTION SOURCE DEST
SNAT(70.90.191.121) - eth1 { probability=.50 }
SNAT(70.90.191.123) - eth1</programlisting>
#ACTION SOURCE DEST
SNAT(2001:470:a:227::1) ::/0 sit1 { probability=0.50 }
SNAT(2001:470:a:227::2) ::/0 sit</programlisting>
</listitem>
</varlistentry>
</variablelist>
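Review bot: the new IPv6 Example 2 does not match its own description, and the hunk silently drops the IPv4 example it replaced. The text names the addresses 2001:470:a:227::1 and 2001:470:b:227::1, but the listing uses `SNAT(2001:470:a:227::1)` and `SNAT(2001:470:a:227::2)`; the second rule's interface is `sit` where the text says `sit1`; the listing is still headed `/etc/shorewall/snat:` although it is an IPv6 example; and "iptables statistics match" should read "ip6tables statistics match". Separately, the old Example 7 (IPv4 statistics match over 70.90.191.121 and 70.90.191.123) is removed rather than renamed to "IPv4 Example 7"; if that is unintended, restoring it keeps the only IPv4 illustration of the probability option.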
@ -723,6 +737,8 @@
<title>FILES</title>
<para>/etc/shorewall/snat</para>
<para>/etc/shorewall6/snat</para>
</refsect1>
<refsect1>

View File

@ -19,7 +19,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/stoppedrules</command>
<command>/etc/shorewall[6]/stoppedrules</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -153,6 +153,8 @@
<title>FILES</title>
<para>/etc/shorewall/stoppedrules</para>
<para>/etc/shorewall6/stoppedrules</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcclasses</command>
<command>/etc/shorewall[6]/tcclasses</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -763,6 +763,8 @@
<title>FILES</title>
<para>/etc/shorewall/tcclasses</para>
<para>/etc/shorewall6/tcclasses</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcdevices</command>
<command>/etc/shorewall[6]/tcdevices</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -276,6 +276,8 @@
<title>FILES</title>
<para>/etc/shorewall/tcdevices</para>
<para>/etc/shorewall6/tcdevices</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcfilters</command>
<command>/etc/shorewall[6]/tcfilters</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -89,12 +89,12 @@
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf (5)</ulink>. The
ipset name may optionally be followed by a number or a comma
separated list of src and/or dst enclosed in square brackets
([...]). See <ulink
url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
details.</para>
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
(5)</ulink>. The ipset name may optionally be followed by a number
or a comma separated list of src and/or dst enclosed in square
brackets ([...]). See <ulink
url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink>
for details.</para>
</listitem>
</varlistentry>
@ -108,12 +108,12 @@
Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm> capability and you set BASIC_FILTERS=Yes in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf (5)</ulink>. The
ipset name may optionally be followed by a number or a comma
separated list of src and/or dst enclosed in square brackets
([...]). See <ulink
url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
details.</para>
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
(5)</ulink>. The ipset name may optionally be followed by a number
or a comma separated list of src and/or dst enclosed in square
brackets ([...]). See <ulink
url="/manpages/shorewall-ipsets.html">shorewall-ipsets(5)</ulink>
for details.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
@ -288,7 +288,7 @@
<variablelist>
<varlistentry>
<term>Example 1:</term>
<term>IPv4 Example 1:</term>
<listitem>
<para>Place all 'ping' traffic on interface 1 in class 10. Note that
@ -310,7 +310,7 @@
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<term>IPv4 Example 2:</term>
<listitem>
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
@ -324,6 +324,22 @@
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply 10</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>Add two filters with priority 10 (Shorewall 4.5.8 or
later).</para>
<programlisting> #CLASS SOURCE DEST PROTO DPORT PRIORITY
IPV6
1:10 ::/0 ::/0 icmp echo-request 10
1:10 ::/0 ::/0 icmp echo-reply 10</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
@ -331,6 +347,8 @@
<title>FILES</title>
<para>/etc/shorewall/tcfilters</para>
<para>/etc/shorewall6/tcfilters</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcinterfaces</command>
<command>/etc/shorewall[6]/tcinterfaces</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -201,7 +201,9 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/tcinterfaces.</para>
<para>/etc/shorewall/tcinterfaces</para>
<para>/etc/shorewall6/tcinterfaces</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcpri</command>
<command>/etc/shorewall[6]/tcpri</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -148,6 +148,8 @@
<title>FILES</title>
<para>/etc/shorewall/tcpri</para>
<para>/etc/shorewall6/tcpri</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tunnels</command>
<command>/etc/shorewall[6]/tunnels</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -173,7 +173,7 @@
<variablelist>
<varlistentry>
<term>Example 1:</term>
<term>IPv4 Example 1:</term>
<listitem>
<para>IPSec tunnel.</para>
@ -187,7 +187,7 @@
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<term>IPv4 Example 2:</term>
<listitem>
<para>Road Warrior (LapTop that may connect from anywhere) where the
@ -199,7 +199,7 @@
</varlistentry>
<varlistentry>
<term>Example 3:</term>
<term>IPv4 Example 3:</term>
<listitem>
<para>Host 4.33.99.124 is a standalone system connected via an ipsec
@ -211,7 +211,7 @@
</varlistentry>
<varlistentry>
<term>Example 4:</term>
<term>IPv4 Example 4:</term>
<listitem>
<para>Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
@ -225,7 +225,7 @@
</varlistentry>
<varlistentry>
<term>Example 5:</term>
<term>IPv4 Example 5:</term>
<listitem>
<para>You run the Linux PPTP client on your firewall and connect to
@ -237,7 +237,7 @@
</varlistentry>
<varlistentry>
<term>Example 6:</term>
<term>IPv4 Example 6:</term>
<listitem>
<para>You run a PPTP server on your firewall.</para>
@ -260,7 +260,7 @@
</varlistentry>
<varlistentry>
<term>Example 8:</term>
<term>IPv4 Example 8:</term>
<listitem>
<para>You have a tunnel that is not one of the supported types. Your
@ -273,7 +273,7 @@
</varlistentry>
<varlistentry>
<term>Example 9:</term>
<term>IPv4 Example 9:</term>
<listitem>
<para>TINC tunnel where the remote gateways are not specified. If
@ -284,6 +284,83 @@
tinc net 0.0.0.0/0</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 1:</term>
<listitem>
<para>IPSec tunnel.</para>
<para>The remote gateway is 2001:cec792b4:1::44. The tunnel does not
use the AH protocol</para>
<programlisting> #TYPE ZONE GATEWAY
ipsec:noah net 2002:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 2:</term>
<listitem>
<para>Road Warrior (LapTop that may connect from anywhere) where the
"gw" zone is used to represent the remote LapTop</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net ::/0 gw</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 3:</term>
<listitem>
<para>Host 2001:cec792b4:1::44 is a standalone system connected via
an ipsec tunnel to the firewall system. The host is in zone
gw.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
ipsec net 2001:cec792b4:1::44 gw</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 4:</term>
<listitem>
<para>OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
openvpn uses port 7777.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
openvpn:7777 net 2001:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 8:</term>
<listitem>
<para>You have a tunnel that is not one of the supported types. Your
tunnel uses UDP port 4444. The other end of the tunnel is
2001:cec792b4:1::44.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
generic:udp:4444 net 2001:cec792b4:1::44</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>IPv6 Example 9:</term>
<listitem>
<para>TINC tunnel where the remote gateways are not specified. If
you wish to specify a list of gateways, you can do so in the GATEWAY
column.</para>
<programlisting> #TYPE ZONE GATEWAY GATEWAY ZONES
tinc net ::/0</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
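Review bot: the IPv6 tunnel examples use `2001:cec792b4:1::44` and `2002:cec792b4:1::44`, which are not valid IPv6 addresses (the group cec792b4 has eight hex digits), and IPv6 Example 1 describes the gateway as 2001:cec792b4:1::44 while its listing uses 2002:cec792b4:1::44. Pick one valid address (for example under 2001:db8::/32, the RFC 3849 documentation prefix) and use it in both the <para> and the <programlisting> of every example. The IPv6 Example 1 listing header also lacks the "GATEWAY ZONES" column that the other new listings carry.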
@ -291,6 +368,8 @@
<title>FILES</title>
<para>/etc/shorewall/tunnels</para>
<para>/etc/shorewall6/tunnels</para>
</refsect1>
<refsect1>

View File

@ -18,7 +18,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/vardir</command>
<command>/etc/shorewall[6]/vardir</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -28,7 +28,8 @@
<para>This file does not exist by default. You may create the file if you
want to change the directory used by Shorewall to store state information,
including compiled firewall scripts. By default, the directory used is
<filename>/var/lib/shorewall/</filename>.</para>
<filename>/var/lib/shorewall/</filename> for IPv4 and /var/lib/shorewall6/
for IPv6</para>
<para>The file contains a single variable assignment:</para>
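Review bot: the second path in the rewritten sentence is not marked up and the sentence lost its full stop; write `<filename>/var/lib/shorewall/</filename> for IPv4 and <filename>/var/lib/shorewall6/</filename> for IPv6.</para>`.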
@ -50,6 +51,8 @@
<title>FILES</title>
<para>/etc/shorewall/vardir</para>
<para>/etc/shorewall6/vardir</para>
</refsect1>
<refsect1>

View File

@ -128,9 +128,9 @@
<para>Example:</para>
<programlisting>#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
a ipv4
b ipv4
c:a,b ipv4</programlisting>
a ip
b ip
c:a,b ip</programlisting>
<para>Currently, Shorewall uses this information to reorder the zone
list so that parent zones appear after their subzones in the list.
@ -140,8 +140,8 @@ c:a,b ipv4</programlisting>
<para>Where an <emphasis role="bold">ipsec</emphasis> zone is
explicitly included as a child of an <emphasis
role="bold">ipv4</emphasis> zone, the ruleset allows CONTINUE
policies (explicit or implicit) to work as expected.</para>
role="bold">ip</emphasis> zone, the ruleset allows CONTINUE policies
(explicit or implicit) to work as expected.</para>
<para>In the future, Shorewall may make additional use of nesting
information.</para>
@ -154,7 +154,7 @@ c:a,b ipv4</programlisting>
<listitem>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ipv4</emphasis></term>
<term><emphasis role="bold">ip</emphasis></term>
<listitem>
<para>This is the standard Shorewall zone type and is the
@ -162,17 +162,22 @@ c:a,b ipv4</programlisting>
the column. Communication with some zone hosts may be
encrypted. Encrypted hosts are designated using the 'ipsec'
option in <ulink
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).</para>
url="/manpages/shorewall-hosts.html">shorewall-hosts</ulink>(5).
For clarity, this zone type may be specified as
<option>ipv4</option> in IPv4 configurations and
<option>ipv6</option> in IPv6 configurations.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipsec</emphasis> (or <emphasis
role="bold">ipsec4</emphasis>)</term>
<term><emphasis role="bold">ipsec</emphasis></term>
<listitem>
<para>Communication with all zone hosts is encrypted. Your
kernel and iptables must include policy match support.</para>
kernel and iptables must include policy match support. For
clarity, this zone type may be specified as
<option>ipsec4</option> in IPv4 configurations and
<option>ipsec6</option> in IPv6 configurations.</para>
</listitem>
</varlistentry>
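Review bot: the ipsec entry still reads "Your kernel and iptables must include policy match support", but this page now documents both products and the rest of the commit uses "ip[6]tables" for that case (the A_DROP/A_REJECT hunk in shorewall.conf, for example). Use the same spelling here so an IPv6 reader is not told to check iptables.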
@ -190,12 +195,13 @@ c:a,b ipv4</programlisting>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">bport</emphasis> (or <emphasis
role="bold">bport4</emphasis>)</term>
<term><emphasis role="bold">bport</emphasis></term>
<listitem>
<para>The zone is associated with one or more ports on a
single bridge.</para>
single bridge. For clarity, this zone type may be specified as
<option>bport4</option> in IPv4 configurations and
<option>bport6</option> in IPv6 configurations.</para>
</listitem>
</varlistentry>
@ -424,6 +430,8 @@ c:a,b ipv4</programlisting>
<title>FILES</title>
<para>/etc/shorewall/zones</para>
<para>/etc/shorewall6/zones</para>
</refsect1>
<refsect1>

View File

@ -18,14 +18,15 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/shorewall.conf</command>
<command>/etc/shorewall/shorewall.conf and
/etc/shorewall6/shorewall6.conf</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file sets options that apply to Shorewall as a whole.</para>
<para>This file sets options that apply to Shorewall[6] as a whole.</para>
<para>The file consists of Shell comments (lines beginning with '#'),
blank lines and assignment statements
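Review bot: the synopsis puts two paths and the word "and" inside one <command> element ("/etc/shorewall/shorewall.conf and /etc/shorewall6/shorewall6.conf"), so the conjunction renders as part of the command. Since the file names differ (shorewall.conf vs shorewall6.conf) the "[6]" shorthand used by the other consolidated pages cannot express this; use two <command> elements (or two <cmdsynopsis> blocks) instead.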
@ -65,16 +66,13 @@
level to choose, 6 (info) is a safe bet. You may specify levels by name or
by number.</para>
<para>If you have built your kernel with ULOG and/or NFLOG target support,
you may also specify a log level of ULOG and/or NFLOG (must be all caps).
Rather than log its messages to syslogd, Shorewall will direct netfilter
to log the messages via the ULOG or NFLOG target which will send them to a
process called 'ulogd'. ulogd is available with most Linux distributions
(although it probably isn't installed by default). Ulogd is also available
from <ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
and can be configured to log all Shorewall messages to their own log
file.</para>
<para>If you have built your kernel with ULOG (IPv4 only) and/or NFLOG
target support, you may also specify a log level of ULOG and/or NFLOG
(must be all caps). Rather than log its messages to syslogd, Shorewall
will direct netfilter to log the messages via the ULOG or NFLOG target
which will send them to a process called 'ulogd'. ulogd is available with
most Linux distributions (although it probably isn't installed by
default).</para>
<note>
<para>If you want to specify parameters to ULOG or NFLOG (e.g.,
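Review bot: the rewritten ULOG/NFLOG paragraph drops the sentence that pointed to http://www.netfilter.org/projects/ulogd/index.html and noted that ulogd can be configured to write Shorewall messages to their own log file. The "(IPv4 only)" qualifier on ULOG is the useful change here; the upstream link is the only pointer readers have on distributions that do not package ulogd, so keep that sentence (with the URL) after "isn't installed by default)".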
@ -82,7 +80,7 @@
<para>Example:</para>
<programlisting>MACLIST_LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
<programlisting>LOG_LEVEL="NFLOG(1,0,1)"</programlisting>
</note>
<para>Beginning with Shorewall 5.0.0, the log level may be followed by a
@ -265,8 +263,9 @@
<listitem>
<para>This parameter determines whether Shorewall automatically adds
the external address(es) in <ulink
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5). If the
variable is set to <emphasis role="bold">Yes</emphasis> or <emphasis
url="/manpages/shorewall-nat.html">shorewall-nat</ulink>(5), and is
only available in IPv4 configurations. If the variable is set to
<emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these
aliases. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these aliases
@ -293,13 +292,14 @@
<listitem>
<para>This parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in <ulink
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5). If
the variable is set to <emphasis role="bold">Yes</emphasis> or
<emphasis role="bold">yes</emphasis> then Shorewall automatically
adds these addresses. If it is set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
you must add these addresses yourself using your distribution's
network configuration tools.</para>
url="/manpages/shorewall-masq.html">shorewall-masq</ulink>(5), and
is only available in IPv4 configurations. If the variable is set to
<emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis> then Shorewall automatically adds these
addresses. If it is set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, you must add these addresses
yourself using your distribution's network configuration
tools.</para>
<para>If this variable is not set or is given an empty value
(ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.</para>
@ -379,10 +379,10 @@
role="bold">ARPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.12. This parameter names the arptables
executable to be used by Shorewall. If not specified or if specified
as a null value, then the arptables executable located using the
PATH option is used.</para>
<para>Added in Shorewall 4.5.12 and available in IPv4 only. This
parameter names the arptables executable to be used by Shorewall. If
not specified or if specified as a null value, then the arptables
executable located using the PATH option is used.</para>
<para>Regardless of how the arptables utility is located (specified
via arptables= or located via PATH), Shorewall uses the
@ -483,8 +483,8 @@
<para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
determines whether the <option>balance</option> provider option (see
<ulink
url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>) is
the default. When BALANCE_PROVIDERS=Yes, then the
url="/manpages/shorewall-providers.html">shorewall-providers(5)</ulink>)
is the default. When BALANCE_PROVIDERS=Yes, then the
<option>balance</option> option is assumed unless the
<option>fallback</option>, <option>loose</option>,
<option>load</option> or <option>tproxy</option> option is
@ -500,8 +500,8 @@
<listitem>
<para>Added in Shorewall-4.6.0. When set to <emphasis
role="bold">Yes</emphasis>, causes entries in <ulink
url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
generate a basic filter rather than a u32 filter. This setting
url="/manpages/shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>
to generate a basic filter rather than a u32 filter. This setting
requires the <firstterm>Basic Ematch</firstterm> capability in your
kernel and iptables.</para>
@ -624,6 +624,11 @@
marking defined in <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
If not specified, CLEAR_TC=Yes is assumed.</para>
<warning>
<para>When you specify TC_ENABLED=shared (see below), then you
should also specify CLEAR_TC=No.</para>
</warning>
</listitem>
</varlistentry>
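Review bot: the new <warning> tells the reader to pair TC_ENABLED=shared with CLEAR_TC=No but gives no reason, and the CLEAR_TC text above it still says Yes is assumed when unspecified. One clause explaining why (what CLEAR_TC=Yes would do to traffic shaping that is configured outside Shorewall when TC_ENABLED=shared) would let readers judge the advice instead of just following it; as written they have to chase the TC_ENABLED entry to find out.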
@ -662,17 +667,17 @@
role="bold">CONFIG_PATH</emphasis>=[<emphasis>directory</emphasis>[:<emphasis>directory</emphasis>]...]</term>
<listitem>
<para>Specifies where configuration files other than shorewall.conf
may be found. CONFIG_PATH is specifies as a list of directory names
separated by colons (":"). When looking for a configuration
file:</para>
<para>Specifies where configuration files other than
shorewall[6].conf may be found. CONFIG_PATH is specifies as a list
of directory names separated by colons (":"). When looking for a
configuration file:</para>
<itemizedlist>
<listitem>
<para>If the command is "try" or a "&lt;configuration
directory&gt;" was specified in the command (e.g.,
<command>shorewall check ./gateway</command>) then the directory
given in the command is searched first.</para>
<command>shorewall [-6] check ./gateway</command>) then the
directory given in the command is searched first.</para>
</listitem>
<listitem>
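Review bot: the CONFIG_PATH paragraph is being rewritten anyway, so fix the pre-existing typo carried into it: "CONFIG_PATH is specifies as a list of directory names" should read "CONFIG_PATH is specified as a list of directory names".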
@ -697,8 +702,8 @@
<listitem>
<para>Added in Shorewall 4.5.12. When set to 'Yes' (the default),
DNS names are validated in the compiler and then passed on to the
generated script where they are resolved by iptables-restore. This
is an advantage if you use AUTOMAKE=Yes and the IP address
generated script where they are resolved by ip[6]tables-restore.
This is an advantage if you use AUTOMAKE=Yes and the IP address
associated with the DNS name is subject to change. When
DEFER_DNS_RESOLUTION=No, DNS names are converted into IP addresses
by the compiler. This has the advantage that when AUTOMAKE=Yes, the
@ -715,7 +720,7 @@
<listitem>
<para>If set to Yes (the default value), entries in the
/etc/shorewall/rtrules files cause an 'ip rule del' command to be
/etc/shorewall[6]/rtrules files cause an 'ip rule del' command to be
generated in addition to an 'ip rule add' command. Setting this
option to No, causes the 'ip rule del' command to be omitted.</para>
</listitem>
@ -726,6 +731,8 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>IPv4 only.</para>
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, Shorewall will detect the first IP
address of the interface to the source zone and will include this
@ -742,6 +749,8 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>IPv4 only.</para>
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, IPv6 traffic to, from and through the
firewall system is disabled. If set to <emphasis
@ -761,7 +770,8 @@
</listitem>
<listitem>
<para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No</para>
<para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No in
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
</listitem>
<listitem>
@ -807,20 +817,21 @@
<listitem>
<para>Added in Shorewall 4.4.7. When set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
chain-based dynamic blacklisting using <command>shorewall
drop</command>, <command>shorewall reject</command>,
<command>shorewall logdrop</command> and <command>shorewall
logreject</command> is disabled. Default is <emphasis
chain-based dynamic blacklisting using <command>shorewall [-6] [-l]
drop</command>, <command>shorewall [-6] [-l] reject</command>,
<command>shorewall logdrop</command> and <command>shorewall [-6]
[-l] logreject</command> is disabled. Default is <emphasis
role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
ipset-based dynamic blacklisting using the <command>shorewall
blacklist</command> command is also supported. The name of the set
(<replaceable>setname</replaceable>) and the level
(<replaceable>log_level</replaceable>), if any, at which blacklisted
traffic is to be logged may also be specified. The default set name
is SW_DBL4 and the default log level is <option>none</option> (no
logging). If <option>ipset-only</option> is given, then chain-based
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
had been specified.</para>
traffic is to be logged may also be specified. The default IPv4 set
name is SW_DBL4 and the default IPv6 set name is SW_DBL6. The
default log level is <option>none</option> (no logging). If
<option>ipset-only</option> is given, then chain-based dynamic
blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
specified.</para>
<para>Possible <replaceable>option</replaceable>s are:</para>
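Review bot: the command list for DYNAMIC_BLACKLISTING is updated inconsistently: drop, reject and logreject gain "[-6] [-l]" but "<command>shorewall logdrop</command>" on the same line is left as is, which reads as if logdrop existed only for the IPv4, non-lite product. Apply the same "[-6] [-l]" to logdrop.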
@ -866,9 +877,9 @@
<important>
<para>Once the dynamic blacklisting ipset has been created,
changing this option setting requires a complete restart of
the firewall; <command>shorewall restart</command> if
RESTART=restart, otherwise <command>shorewall stop
&amp;&amp; shorewall start</command></para>
the firewall; <command>shorewall [-6] restart</command> if
RESTART=restart, otherwise <command>shorewall [-6] [-l] stop
&amp;&amp; shorewall [-6] [-l] start</command></para>
</important>
</listitem>
</varlistentry>
@ -910,13 +921,15 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<listitem>
<para>Added in Shorewall 4.4.17. When set to Yes when compiling for
use by Shorewall Lite (<command>shorewall load</command>,
<command>shorewall reload </command>or <command>shorewall
use by Shorewall Lite (<command>shorewall [-6]
remote-start</command>, <command>shorewall [-6] remote-reload,
shorewall [-6] remote-restart </command>or <command>shorewall [-6]
export</command> commands), the compiler will copy the modules or
helpers file from the administrative system into the script. When
set to No or not specified, the compiler will not copy the modules
or helpers file from <filename>/usr/share/shorewall</filename> but
will copy those found in another location on the CONFIG_PATH.</para>
or helpers file from <filename>/usr/share/shorewall[6]</filename>
but will copy those found in another location on the
CONFIG_PATH.</para>
<para>When compiling for direct use by Shorewall, causes the
contents of the local module or helpers file to be copied into the
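Review bot: in the replacement text a single <command> element spans two commands and a comma ("<command>shorewall [-6] remote-reload, shorewall [-6] remote-restart </command>or"), so the comma and the trailing space render as part of the command name. Wrap each command separately, as the neighbouring remote-start and export entries are.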
@ -1114,10 +1127,12 @@ net all DROP info</programlisting>then the chain name is 'net-all'
specificaitons</ulink> on the right.. When INLINE_MATCHES=Yes is
specified, the specifications on the right are interpreted as if
INLINE had been specified in the ACTION column. This also applies to
<ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink> and
<ulink url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>) which
also support INLINE. If not specified or if specified as the empty
value, the value 'No' is assumed for backward compatibility.</para>
<ulink url="/manpages/shorewall-masq.html">shorewall-masq(5)</ulink>
and <ulink
url="/manpages/shorewall-mangle.html">shorewall-mangle(5</ulink>)
which also support INLINE. If not specified or if specified as the
empty value, the value 'No' is assumed for backward
compatibility.</para>
<para>Beginning with Shorewall 5.0.0, it is no longer necessary to
set INLINE_MATCHES=Yes in order to be able to specify your own
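Review bot: the reflowed paragraph keeps the broken markup "shorewall-mangle(5</ulink>)" where the closing parenthesis sits outside the link, unlike "shorewall-masq(5)</ulink>" two lines earlier, and the context line above still has "specificaitons" and a doubled period ("on the right.."). Since the paragraph is being touched, fix the link text to "shorewall-mangle(5)</ulink>" and the typo while here.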
@ -1176,9 +1191,13 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">Keep</emphasis>]</term>
<listitem>
<para>This parameter determines whether Shorewall enables or
disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
Possible values are:</para>
<para>This IPv4 parameter determines whether Shorewall enables or
disables IPv4 Packet Forwarding
(<filename>/proc/sys/net/ipv4/ip_forward</filename>). In an IPv6
configuration, this parameter determines the setting of
<filename>/proc/sys/net/ipv6/config/all/ip_forwarding</filename>.</para>
<para>Possible values are:</para>
<variablelist>
<varlistentry>
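Review bot: the IPv6 sysctl path in the new IP_FORWARD text is wrong. There is no /proc/sys/net/ipv6/config/all/ip_forwarding; the IPv6 forwarding control is /proc/sys/net/ipv6/conf/all/forwarding (sysctl net.ipv6.conf.all.forwarding). Readers who check the file the manpage names will conclude the option does nothing on IPv6.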
@ -1210,12 +1229,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</varlistentry>
</variablelist>
<para/>
<blockquote>
<para>If this variable is not set or is given an empty value
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
</blockquote>
<para>If this variable is not set or is given an empty value
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
</listitem>
</varlistentry>
@ -1258,6 +1273,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>IPv4 only.</para>
<para>This parameter names the iptables executable to be used by
Shorewall. If not specified or if specified as a null value, then
the iptables executable located using the PATH option is
@ -1270,22 +1287,71 @@ net all DROP info</programlisting>then the chain name is 'net-all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">IP6TABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>IPv6 only.</para>
<para>This parameter names the ip6tables executable to be used by
Shorewall6. If not specified or if specified as a null value, then
the ip6tables executable located using the PATH option is
used.</para>
<para>Regardless of how the ip6tables utility is located (specified
via IP6TABLES= or located via PATH), Shorewall6 uses the
ip6tables-restore and ip6tables-save utilities from that same
directory.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>When set to <option>Yes</option>, this option prevents
generated scripts from altering the /etc/iproute2/rt_tables database
when there are entries in
<filename>/etc/shorewall/providers</filename>. If you set this
option to <option>Yes</option> while Shorewall (Shorewall-lite) is
running, you should remove the file
<filename>/var/lib/shorewall/rt_tables</filename>
(<filename>/var/lib/shorewall-lite/rt_tables</filename>) before your
next <command>stop</command>, <command>refresh</command>,
<command>restore</command>, <emphasis role="bold">reload</emphasis>
or <command>restart</command> command.</para>
<para>IPv4:</para>
<blockquote>
<para>When set to <option>Yes</option>, this option prevents
generated scripts from altering the /etc/iproute2/rt_tables
database when there are entries in
<filename>/etc/shorewall/providers</filename>. If you set this
option to <option>Yes</option> while Shorewall (Shorewall-lite) is
running, you should remove the file
<filename>/var/lib/shorewall/rt_tables</filename>
(<filename>/var/lib/shorewall-lite/rt_tables</filename>) before
your next <command>stop</command>, <command>refresh</command>,
<command>restore</command>, <emphasis
role="bold">reload</emphasis> or <command>restart</command>
command.</para>
</blockquote>
<para>IPv6:</para>
<blockquote>
<para>When set to <option>Yes</option>, this option prevents
scripts generated by Shorewall6 from altering the
/etc/iproute2/rt_tables database when there are entries in
<filename>/etc/shorewall6/providers</filename>. If you set this
option to <option>Yes</option> while Shorewall6 (Shorewall6-lite)
is running, you should remove the file
<filename>/var/lib/shorewall6/rt_tables</filename>
(<filename>/var/lib/shorewall6-lite/rt_tables</filename>) before
your next <command>stop</command>, <command>refresh</command>,
<command>restore</command>, <emphasis
role="bold">reload</emphasis> or <command>restart</command>
command.</para>
</blockquote>
<important>
<para>When both IPv4 and IPv6 Shorewall configurations are
present, KEEP_RT_TABLES=No should be specified in only one of the
two configurations unless the two provider configurations are
identical with respect to interface and provider names and
numbers.</para>
</important>
<para>The default is KEEP_RT_TABLES=No.</para>
</listitem>
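Review bot: the new <important> under KEEP_RT_TABLES says "KEEP_RT_TABLES=No should be specified in only one of the two configurations", but the entry ends with "The default is KEEP_RT_TABLES=No", so a dual-stack installation with providers in both configurations is in the conflicting state by default without specifying anything. State the requirement positively: when both configurations have providers and they are not identical in interface/provider names and numbers, set KEEP_RT_TABLES=Yes explicitly in one of them. Otherwise readers who never write the option assume the caveat does not apply to them.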
@ -1298,9 +1364,9 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<listitem>
<para>Added in Shorewall 4.4.7. When set to Yes, restricts the set
of modules loaded by shorewall to those listed in
/var/lib/shorewall/helpers and those that are actually used. When
not set, or set to the empty value, LOAD_HELPERS_ONLY=No is
assumed.</para>
<filename>/var/lib/shorewall[6]/helpers</filename> and those that
are actually used. When not set, or set to the empty value,
LOAD_HELPERS_ONLY=No is assumed.</para>
</listitem>
</varlistentry>
@ -1309,11 +1375,11 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>Specifies the name of the Shorewall lock file, used to prevent
simultaneous state-changing commands. If not specified,
${VARDIR}/shorewall/lock is assumed (${VARDIR} is normally /var/lib
but can be changed when Shorewall-core is installed -- see the
output of <command>shorewall show vardir</command>).</para>
<para>Specifies the name of the Shorewall[6] lock file, used to
prevent simultaneous state-changing commands. If not specified,
${VARDIR}/shorewall[6]/lock is assumed (${VARDIR} is normally
/var/lib but can be changed when Shorewall-core is installed -- see
the output of <command>shorewall show vardir</command>).</para>
</listitem>
</varlistentry>
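Review bot: the LOCKFILE text is updated to "${VARDIR}/shorewall[6]/lock" but the pointer at the end still says "see the output of <command>shorewall show vardir</command>" without the "[-6]" the rest of this commit adds to commands; use "shorewall [-6] show vardir" for consistency.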
@ -1341,6 +1407,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<term>ULOG</term>
<listitem>
<para>IPv4 only.</para>
<para>Use ULOG logging to ulogd.</para>
</listitem>
</varlistentry>
@ -1365,8 +1433,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
sample configurations use this as the default log level and changing
it will change all packet logging done by the configuration. In any
configuration file (except <ulink
url="/manpages/shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
will expand to this value.</para>
url="/manpages/shorewall-params.html">shorewall-params(5)</ulink>),
$LOG_LEVEL will expand to this value.</para>
</listitem>
</varlistentry>
@ -1376,6 +1444,8 @@ net all DROP info</programlisting>then the chain name is 'net-all'
role="bold">No</emphasis>|Keep]</term>
<listitem>
<para>IPv4 only.</para>
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, sets
<filename>/proc/sys/net/ipv4/conf/*/log_martians</filename> to 1
@ -1523,7 +1593,9 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<caution>
<para>Beginning with Shorewall 5.1.0, the default and sample
shorewall.conf files set LOGFORMAT="%s %s ". Shorewall log
shorewall[6].conf files set LOGFORMAT="%s %s ". </para>
<para>Regardless of the LOGFORMAT setting, Shorewall IPv4 log
messages that use this LOGFORMAT can be uniquely identified using
the following regular expression:</para>
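Review bot: the new sentence contradicts itself: "Regardless of the LOGFORMAT setting, Shorewall IPv4 log messages that use this LOGFORMAT can be uniquely identified". The pattern that follows ('IN=.* OUT=.* SRC=.*\..* DST=') only looks at the netfilter fields, so it works whatever LOGFORMAT is; drop "that use this LOGFORMAT". Also trim the trailing space left before </para> in 'set LOGFORMAT="%s %s ". </para>'.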
@ -1531,8 +1603,15 @@ net all DROP info</programlisting>then the chain name is 'net-all'
<member>'IN=.* OUT=.* SRC=.*\..* DST='</member>
</simplelist>
<para>To match all Netfilter log messages (Both IPv4 and IPv6),
use:</para>
<para>and Shorewall IPv6 log messages can be uniquely identified
using the following regular expression:</para>
<simplelist>
<member>'IN=.* OUT=.* SRC=.*:.* DST='</member>
</simplelist>
<para>To match all Netfilter log messages (Both IPv4 and IPv6 and
regardless of the LOGFORMAT setting), use:</para>
<simplelist>
<member>'IN=.* OUT=.* SRC=.* DST='</member>
@ -1625,7 +1704,7 @@ LOG:info:,bar net fw</programlisting>
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.</para>
AUDIT_TARGET in the kernel and ip[6]tables.</para>
</listitem>
</varlistentry>
@ -1668,7 +1747,7 @@ LOG:info:,bar net fw</programlisting>
entries in <ulink
url="/manpages/shorewall-maclist.html">shorewall-maclist</ulink>(5)
can be improved by setting the MACLIST_TTL variable in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="/manpages/shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>
<para>If your iptables and kernel support the "Recent Match" (see
the output of "shorewall check" near the top), you can cache the
@ -1710,6 +1789,8 @@ LOG:info:,bar net fw</programlisting>
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>IPv4 only.</para>
<para>This option is included for compatibility with old Shorewall
configuration. New installs should always have
MAPOLDACTIONS=No.</para>
@ -1740,11 +1821,11 @@ LOG:info:,bar net fw</programlisting>
PREROUTING chain. This permits you to mark inbound traffic based on
its destination address when DNAT is in use. To determine if your
kernel has a FORWARD chain in the mangle table, use the <emphasis
role="bold">shorewall show mangle</emphasis> command; if a FORWARD
chain is displayed then your kernel will support this option. If
this option is not specified or if it is given the empty value
(e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
assumed.</para>
role="bold">shorewall [-6] show mangle</emphasis> command; if a
FORWARD chain is displayed then your kernel will support this
option. If this option is not specified or if it is given the empty
value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No
is assumed.</para>
</listitem>
</varlistentry>
@ -1826,7 +1907,8 @@ LOG:info:,bar net fw</programlisting>
"/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset"
where <emphasis role="bold">uname</emphasis> holds the output of
'<command>uname -r</command>' and <emphasis
role="bold">g_family</emphasis> holds '4'.</para>
role="bold">g_family</emphasis> holds '4' in IPv4 configurations and
'6' in IPv6 configurations.</para>
<para>The option plus sign ('+') was added in Shorewall 5.0.3 and
causes the listed pathnames to be appended to the default list
@ -1839,6 +1921,8 @@ LOG:info:,bar net fw</programlisting>
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>IPv4 only.</para>
<para>This option will normally be set to 'No' (the default). It
should be set to 'Yes' under the following circumstances:</para>
@ -1865,17 +1949,18 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>The value of this variable determines the number of seconds
that programs will wait for exclusive access to the Shorewall lock
file. After the number of seconds corresponding to the value of this
variable, programs will assume that the last program to hold the
lock died without releasing the lock.</para>
that programs will wait for exclusive access to the Shorewall[6]
lock file. After the number of seconds corresponding to the value of
this variable, programs will assume that the last program to hold
the lock died without releasing the lock.</para>
<para>If not set or set to the empty value, a value of 60 (60
seconds) is assumed.</para>
<para>An appropriate value for this parameter would be twice the
length of time that it takes your firewall system to process a
<emphasis role="bold">shorewall restart</emphasis> command.</para>
<emphasis role="bold">shorewall [-6] restart</emphasis>
command.</para>
</listitem>
</varlistentry>
@ -1899,6 +1984,8 @@ LOG:info:,bar net fw</programlisting>
role="bold">prohibit</emphasis>]</term>
<listitem>
<para>IPv4 only.</para>
<para>When set to Yes, causes Shorewall to null-route the IPv4
address ranges reserved by RFC1918. The default value is
'No'.</para>
@ -1935,12 +2022,11 @@ LOG:info:,bar net fw</programlisting>
<itemizedlist>
<listitem>
<para>Optimization category 1 - Traditionally, Shorewall has
created rules for the complete matrix of
host groups defined by the zones, interfaces and hosts
files. Any traffic that didn't correspond to an element
of that matrix was rejected in one of the built-in chains. When
the matrix is sparse, this results in lots of largely useless
rules.</para>
created rules for the complete matrix of host groups defined by
the zones, interfaces and hosts files. Any traffic that didn't
correspond to an element of that matrix was rejected in one of
the built-in chains. When the matrix is sparse, this results in
lots of largely useless rules.</para>
<para>These extra rules can be eliminated by setting the 1 bit
in OPTIMIZE.</para>
@ -2316,7 +2402,7 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
<listitem>
<para>if the protocol is UDP (17) then the packet is rejected
with an 'port-unreachable' ICMP (ICMP6).</para>
with an 'port-unreachable' ICMP.</para>
</listitem>
<listitem>
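Review bot: the edited UDP bullet still reads "rejected with an 'port-unreachable' ICMP"; the article should be "a". Also, removing the "(ICMP6)" hint here leaves this bullet reading as IPv4-only even though the list now covers both families (an ICMP6 bullet is added below); consider "ICMP (or ICMPv6)" rather than deleting it.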
@ -2324,6 +2410,11 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
with a 'host-unreachable' ICMP.</para>
</listitem>
<listitem>
<para>if the protocol is ICMP6 (1) then the packet is rejected
with a 'icmp6-addr-unreachable' ICMP6.</para>
</listitem>
<listitem>
<para>otherwise, the packet is rejected with a 'host-prohibited'
ICMP.</para>
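Review bot: the new bullet says "if the protocol is ICMP6 (1)", but protocol 1 is ICMP (the IPv4 one, used by the preceding bullet); ICMPv6 is IP protocol 58. Change to "ICMP6 (58)" and "an 'icmp6-addr-unreachable'" so the rule a reader writes from this text matches ICMPv6 rather than silently matching nothing.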
@ -2333,11 +2424,12 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
<para>You can modify this behavior by implementing your own
<replaceable>action</replaceable> that handles REJECT and specifying
it's name in this option. The <emphasis role="bold">nolog</emphasis>
and <emphasis role="bold">inline</emphasis> options will
and <emphasis role="bold">noinline</emphasis> options will
automatically be assumed for the specified
<replaceable>action</replaceable>.</para>
<para>The following action implements the standard behavior:</para>
<para>The following action implements the default reject
action:</para>
<programlisting>?format 2
#TARGET SOURCE DEST PROTO
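Review bot: the context line above the changed "noinline" text still says "specifying it's name in this option"; it should be "its name". Since the inline/noinline change alters what the user's action is assumed to be, the sentence it sits in is worth reading again and fixing at the same time.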
@ -2437,10 +2529,10 @@ INLINE - - - ;; -j REJECT
<listitem>
<para>Specifies the simple name of a file in /var/lib/shorewall to
be used as the default restore script in the <emphasis
role="bold">shorewall save</emphasis>, <emphasis
role="bold">shorewall restore</emphasis>, <emphasis
role="bold">shorewall forget </emphasis>and <emphasis
role="bold">shorewall -f start</emphasis> commands.</para>
role="bold">shorewall [-6] save</emphasis>, <emphasis
role="bold">shorewall [-6] restore</emphasis>, <emphasis
role="bold">shorewall [-6] forget </emphasis>and <emphasis
role="bold">shorewall [6] -f start</emphasis> commands.</para>
</listitem>
</varlistentry>
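Review bot: the last command in the RESTOREFILE entry is rendered as "shorewall [6] -f start"; the option bracket lost its hyphen and should be "shorewall [-6] -f start" like the three commands before it.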
@ -2449,6 +2541,8 @@ INLINE - - - ;; -j REJECT
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>IPv4 only.</para>
<para>During <emphasis role="bold">shorewall star</emphasis>t, IP
addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
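Review bot: the context line right after the new "IPv4 only." paragraph still has the stray emphasis boundary "<emphasis role="bold">shorewall star</emphasis>t" so the command renders as "shorewall star" followed by a plain "t"; move the closing tag after "start" while this entry is being edited.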
@ -2461,7 +2555,7 @@ INLINE - - - ;; -j REJECT
not be deleted. Regardless of the setting of RETAIN_ALIASES,
addresses added during <emphasis role="bold">shorewall
start</emphasis> are still deleted at a subsequent <emphasis
role="bold">shorewall stop</emphasis>, <emphasis
role="bold">shorewall [stop</emphasis>, <emphasis
role="bold">shorewall reload</emphasis> or <emphasis
role="bold">shorewall restart</emphasis>.</para>
</listitem>
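Review bot: the replacement line "shorewall [stop" introduces a stray "[" that was not there before; since this entry is marked IPv4 only above, the intended text is plain "shorewall stop" (no "[-6]"), matching the unchanged "shorewall reload" and "shorewall restart" that follow it.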
@ -3150,6 +3244,8 @@ INLINE - - - ;; -j REJECT
<title>FILES</title>
<para>/etc/shorewall/shorewall.conf</para>
<para>/etc/shorewall6/shorewall6.conf</para>
</refsect1>
<refsect1>

View File

@ -1934,6 +1934,27 @@ SSH(ACCEPT) net:$MYIP $FW
<filename>init</filename> extension script, then the value 255 is
assumed.</para>
</important>
<caution>
<para>Care must be exercised when using port variables in port ranges.
At run-time, the generated script will verify that each port variable is
either empty or contains a valid port number or service name. It does
not ensure that the low port number in a range is strictly less than the
high port number, when either of these is specified as a port
variable.</para>
<para>Example: The following definitions will result in an
iptables-restore failure during start/restart/reload:</para>
<para>/etc/shorewall/init:</para>
<programlisting> LOW_PORT=100
HIGH_PORT=50</programlisting>
<para>/etc/shorewall/rules:</para>
<programlisting> ACCEPT net $FW tcp ${LOW_PORT}:${HIGH_PORT}</programlisting>
</caution>
</section>
<section id="ActionVariables">
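Review bot: the new <caution> about port variables uses "/etc/shorewall/init", "/etc/shorewall/rules" and "iptables-restore" while the rest of this commit writes "/etc/shorewall[6]/..." and "ip[6]tables-restore" for text that applies to both products; the low/high ordering problem is the same on IPv6, so use the bracketed forms here too. It would also help to say that, because the generated script only validates each variable on its own, the ordering check has to live in the init script that sets LOW_PORT and HIGH_PORT.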