forked from extern/shorewall_code
Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code
commit ddd4eb16b5
@ -74,20 +74,18 @@
have a web server in your DMZ connected to eth1, then to count HTTP
traffic in both directions requires two rules:</para>

<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80</programlisting>
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80</programlisting>

<para>Associating a counter with a chain allows for nice reporting. For
example:</para>

<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80
web:COUNT - eth0 eth1 tcp 443
web:COUNT - eth1 eth0 tcp - 443
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80
web:COUNT - eth0 eth1 tcp 443
web:COUNT - eth1 eth0 tcp - 443
DONE web</programlisting>

<para>Now <command>shorewall show web</command> (or
@ -110,12 +108,11 @@

<para>Here is a slightly different example:</para>

<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80
web - eth0 eth1 tcp 443
web - eth1 eth0 tcp - 443
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80
web - eth0 eth1 tcp 443
web - eth1 eth0 tcp - 443
COUNT web eth0 eth1
COUNT web eth1 eth0</programlisting>

@ -152,12 +149,11 @@
you have to reverse the rules below.</para>
</caution>

<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 - tcp 80
web - - eth0 tcp - 80
web - eth0 - tcp 443
web - - eth0 tcp - 443
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
web - eth0 - tcp 80
web - - eth0 tcp - 80
web - eth0 - tcp 443
web - - eth0 tcp - 443
COUNT web eth0
COUNT web - eth0</programlisting>

@ -309,7 +305,7 @@

<para>Section headers have the form:</para>

<para><option>SECTION</option>
<para><option>?SECTION</option>
<replaceable>section-name</replaceable></para>

<para>When sections are enabled:</para>
@ -414,19 +410,19 @@
lives on the firewall itself.</para>
</caution>

<programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
# PORT(S) PORT(S) GROUP
SECTION INPUT
ACCOUNT(fw-net,$FW_NET) - COM_IF
ACCOUNT(dmz-net,$DMZ_NET) - COM_IF
<programlisting>
#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
?SECTION INPUT
ACCOUNT(fw-net,$FW_NET) - COM_IF
ACCOUNT(dmz-net,$DMZ_NET) - COM_IF

SECTION OUTPUT
ACCOUNT(fw-net,$FW_NET) - - COM_IF
ACCOUNT(dmz-net,$DMZ_NET) - - COM_IF
?SECTION OUTPUT
ACCOUNT(fw-net,$FW_NET) - - COM_IF
ACCOUNT(dmz-net,$DMZ_NET) - - COM_IF

SECTION FORWARD
ACCOUNT(loc-net,$INT_NET) - COM_IF INT_IF
ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
?SECTION FORWARD
ACCOUNT(loc-net,$INT_NET) - COM_IF INT_IF
ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
</programlisting>
</section>

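Review bot: the rewritten INPUT listing opens with a bare `<programlisting>` on its own line and puts the `#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC` header on the following line, which renders as a leading empty line inside the listing; the other listings changed in this commit (for example the `net-loc` example in the next hunk) keep the header on the `<programlisting>` line. Suggest `<programlisting>#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC` so all three accounting listings render the same way.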
@ -504,9 +500,9 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
is eth1 with network 172.20.1.0/24. To account for all traffic between the
WAN and LAN interfaces:</para>

<programlisting>#ACTION CHAIN SOURCE DEST ...
ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0</programlisting>
<programlisting>#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0</programlisting>

<para>This will create a <emphasis role="bold">net-loc</emphasis> table
for counting packets and bytes for traffic between the two

@ -139,9 +139,8 @@

<para>Example:</para>

<programlisting>#SOURCE DEST POLICY LOG
# LEVEL
net fw DROP:audit</programlisting>
<programlisting>#SOURCE DEST POLICY
net $FW DROP:audit</programlisting>

<para>It is allowed to also specify a log level on audited policies
resulting in both auditing and logging.</para>
@ -170,8 +169,8 @@ net fw DROP:audit</programlisting>

<para>Example:</para>

<programlisting>#ACTION SOURCE DEST PROTO
A_ACCEPT:info loc net ...</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO
A_ACCEPT:info loc net ...</programlisting>
</listitem>

<listitem>
@ -330,12 +329,12 @@ A_ACCEPT:info loc net ...</programlisting>
<para> The parameters can be passed in the POLICY column of the policy
file. </para>

<programlisting>SOURCE DEST POLICY
net all DROP:Drop(audit):audit #Same as DROP:A_DROP:audit
<programlisting>#SOURCE DEST POLICY
net all DROP:Drop(audit):audit #Same as DROP:A_DROP:audit
</programlisting>

<programlisting>SOURCE DEST POLICY
net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth
<programlisting>#SOURCE DEST POLICY
net all DROP:Drop(-,DROP) #DROP rather than REJECT Auth
</programlisting>

<para>The parameters can also be specified in shorewall.conf: </para>

216
docs/FAQ.xml
@ -207,28 +207,26 @@
port-forwarding rule <emphasis>from the net</emphasis> to a local system
is as follows:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis></programlisting>

<para>So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.5 udp 7777</programlisting>

<para>If you want to forward requests directed to a particular address (
<emphasis>external-IP</emphasis> ) on your firewall to an internal
system:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:<emphasis>local-IP-address</emphasis>>[:<emphasis>local-port</emphasis>] <emphasis>protocol</emphasis> <emphasis>port-number</emphasis> - <emphasis>external-IP</emphasis></programlisting>

<para>If you want to forward requests from a particular Internet address
( <emphasis>address</emphasis> ):</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>] <emphasis> protocol</emphasis> <emphasis>port-number</emphasis> -</programlisting>

<para>Finally, if you need to forward a range of ports, in the DEST PORT
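Review bot: the `external-IP` template rule in this hunk carries a stray `>` after the closing emphasis tag (`local-IP-address</emphasis>>[:`), which renders as a literal `>` in the middle of the DEST column; it should read `local-IP-address</emphasis>[:` as in the two sibling templates. In the `net:address` template, the leading space inside `<emphasis> protocol</emphasis>` also ends up in the rendered rule; move it outside the tag.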
@ -386,7 +384,7 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
<para><emphasis role="bold">Answer:</emphasis>In
/<filename>etc/shorewall/rules</filename>:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT
<programlisting>#ACTION SOURCE DEST PROTO DPORT
DNAT net loc:192.168.1.3:22 tcp 1022</programlisting>
</section>

@ -448,8 +446,7 @@ DNAT net fw:192.168.1.1:22 tcp 4104</programlisting>
</listitem>

<listitem>
<para>You have this rule on the Shorewall system:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<para>You have this rule on the Shorewall system:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net loc:192.168.1.4 tcp 21 - 206.124.146.176</programlisting></para>
</listitem>

@ -494,8 +491,8 @@ DNAT net loc:192.168.1.4 tcp 21 - 206.1
default gateway on the FTP server to the Shorewall system's internal
IP address (192.168.1.1). But if that isn't possible, you can work
around the problem with the following ugly hack in
<filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21</programlisting></para>
<filename>/etc/shorewall/masq</filename>:<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21</programlisting></para>

<para>This rule has the undesirable side effect of making all FTP
connections from the net appear to the FTP server as if they
@ -514,17 +511,25 @@ eth1:192.168.1.4 0.0.0.0/0 192.168.1.1 tcp 21</
that your Internet zone is named <emphasis>net</emphasis> and connects
on interface <filename class="devicefile">eth0</filename>:</para>

<para>In <filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT net net:66.249.93.111:993 tcp 80 - 206.124.146.176</programlisting></para>
<para>In <filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

DNAT net net:66.249.93.111:993 tcp 80 - 206.124.146.176</programlisting></para>

<para>In <filename>/etc/shorewall/interfaces</filename>, specify the
<emphasis role="bold">routeback</emphasis> option on
eth0:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect <emphasis role="bold">routeback</emphasis></programlisting></para>
eth0:<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
net eth0 <emphasis role="bold">routeback</emphasis></programlisting></para>

<para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlisting></para>
<para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlisting></para>

<para>and in
<filename>/etc/shorewall/shorewall.conf</filename>:</para>
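Review bot: the rewritten rules listing prefixes one DNAT rule with the complete `?SECTION ALL` through `?SECTION NEW` header block, five of those sections empty, while the DNAT examples earlier in this file (`DNAT net loc:192.168.1.5 udp 7777`, `DNAT net loc:192.168.1.3:22 tcp 1022`) are rewritten with no section headers at all; pick one convention for the FAQ, and if the point is that the DNAT rule belongs in the NEW section, a single `?SECTION NEW` line makes it without the noise. The same block is pasted into the later rules listings in this file (the `DNAT loc loc:192.168.1.5`, `DNAT loc dmz:192.168.2.4` and `$VS1` examples), so whatever is decided here applies there too. Also in this hunk, though not introduced by it: `<filename>/etc/shorewall/masq</filename>;` uses a semicolon where the parallel `rules` and `interfaces` paragraphs use a colon.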
@ -542,9 +547,8 @@ eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlistin

<para><emphasis role="bold">Answer</emphasis>: Use this rule.</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
REDIRECT net 22 tcp 9022</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
REDIRECT net 22 tcp 9022</programlisting>

<para>Note that the above rule will also allow connections from the
net on TCP port 22. If you don't want that, see <link
@ -617,9 +621,8 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program

<para>Example:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT net net:192.168.4.22 tcp 80,443 - <emphasis
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
DNAT net net:192.168.4.22 tcp 80,443 - <emphasis
role="bold">206.124.146.178</emphasis></programlisting>
</section>

@ -704,14 +707,15 @@ DNAT net net:192.168.4.22 tcp 80,443 - <
<listitem>
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting>
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
loc eth1 <emphasis role="bold">routeback</emphasis></programlisting>
</listitem>

<listitem>
<para>In <filename>/etc/shorewall/masq</filename>:</para>

<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S)
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
<emphasis role="bold">eth1:192.168.1.5 192.168.1.0/24 192.168.1.254 tcp www</emphasis></programlisting>

<para>Note: The technique described here is known as
@ -721,16 +725,23 @@ loc eth1 detect <emphasis role="bold">routeback</emphasis>
<emphasis>external IP address</emphasis> be used as the
source:</para>

<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S)
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</emphasis> tcp www</programlisting>
</listitem>

<listitem>
<para>In <filename>/etc/shorewall/rules</filename>:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
<emphasis role="bold">DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69</emphasis></programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

<emphasis role="bold">DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69</emphasis></programlisting>

<para>That rule (and the second one in the previous bullet) only
works of course if you have a static external IP address. If you
@ -741,9 +752,16 @@ eth1:192.168.1.5 192.168.1.0/24 <emphasis role="bold">130.151.100.69</em

<para>and make your DNAT rule:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT loc loc:192.168.1.5 tcp www - <emphasis
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

DNAT loc loc:192.168.1.5 tcp www - <emphasis
role="bold">$ETH0_IP</emphasis></programlisting>

<para>Using this technique, you will want to configure your
@ -825,14 +843,14 @@ DNAT loc loc:192.168.1.5 tcp www - <emph

<para>In <filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis> </programlisting>
<programlisting>?FORMAT 2
#ZONE INTERFACE OPTIONS
dmz eth2 <emphasis role="bold">routeback</emphasis> </programlisting>

<para>In <filename>/etc/shorewall/masq</filename>:</para>

<programlisting>#INTERFACE: SOURCE ADDRESS
#ADDRESS
eth2:192.168.1.2 192.168.2.0/24</programlisting>
<programlisting>#INTERFACE SOURCE
eth2:192.168.1.2 192.168.2.0/24</programlisting>

<para>In <filename>/etc/shorewall/nat</filename>, be sure that you
have <quote>Yes</quote> in the ALL INTERFACES column.</para>
@ -862,9 +880,16 @@ eth2:192.168.1.2 192.168.2.0/24</programlisting>
<para>You can enable access to the server from your local network
using the firewall's external IP address by adding this rule:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT DEST
<emphasis role="bold">DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</emphasis></programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

<emphasis role="bold">DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</emphasis></programlisting>

<para>If your external IP address is dynamic, then you must do the
following:</para>
@ -875,9 +900,16 @@ eth2:192.168.1.2 192.168.2.0/24</programlisting>

<para>and make your DNAT rule:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
# PORT DEST.
DNAT loc dmz:192.168.2.4 tcp 80 - <emphasis
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

DNAT loc dmz:192.168.2.4 tcp 80 - <emphasis
role="bold">$ETH0_IP</emphasis></programlisting>

<warning>
@ -1433,16 +1465,23 @@ net-fw DROP eth2 5 packets from 61.158.162.9 to 206.124.146.177</programlisting
<para><emphasis role="bold">Answer:</emphasis> Temporarily add the
following rule:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DROP net fw udp 10619</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DPORT

<para>Alternatively, if you do not set BLACKLIST_LOGLEVEL and you have
specifed the 'blacklist' option on your external interface in
<filename>/etc/shorewall/interfaces</filename>, then you can blacklist
the port. In <filename>/etc/shorewall/blacklist</filename>:</para>
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
- udp 10619</programlisting>
DROP net $FW udp 10619</programlisting>

<para>Alternatively, if you do not set BLACKLIST_LOGLEVEL you can blacklist
the port. In <filename>/etc/shorewall/blrules</filename>:</para>

<programlisting>#ACTION SOURCE DEST PROTO DPORT

DROP net $FW udp 10619</programlisting>
</section>

<section id="faq6d">
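Review bot: the new blrules listing (`#ACTION SOURCE DEST PROTO DPORT` over `DROP net $FW udp 10619`) is the same entry as the rules-file listing directly above it, so the paragraph that introduces it as an alternative no longer tells the reader what differs between the two; the sentence it replaces at least tied the old blacklist file to the interface option. Add one sentence on when the blrules entry is preferable to the temporary rules entry, and drop the empty line between the header and the `DROP` row so the listing matches the two-line listings elsewhere in this commit (the REDIRECT and `DNAT net loc:192.168.1.3:22` examples), which place the row directly under the header.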
@ -2361,12 +2400,11 @@ gateway:~# </programlisting>
<para><emphasis role="bold">Answer:</emphasis> Suppose that you want all
traffic to go out through ISP1 (mark 1) unless you specify otherwise.
Then simply add these two rules as the first marking rules in your
<filename>/etc/shorewall/mangle</filename>
(<filename>/etc/shorewall/tcrules</filename>) file:</para>
<filename>/etc/shorewall/mangle</filename> (was tcrules) file:</para>

<programlisting>#ACTION SOURCE DEST
1:P 0.0.0.0/0
1 $FW
<programlisting>#ACTION SOURCE DEST
MARK(1):P 0.0.0.0/0
MARK(1) $FW
<emphasis>other MARK rules</emphasis></programlisting>

<para>Now any traffic that isn't marked by one of your other MARK rules
@ -2449,8 +2487,8 @@ root@gateway:~#</programlisting>
at 10-12kb and adjust as necessary. Example (simple traffic
shaping):</para>

<programlisting>#INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH
eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:<emphasis
<programlisting>#INTERFACE TYPE IN_BANDWIDTH OUT_BANDWIDTH
eth0 External 50mbit:200kb 5.0mbit:100kb:200ms:100mbit:<emphasis
role="bold">10kb</emphasis>
</programlisting>

@ -2495,8 +2533,7 @@ root@gateway:/etc/shorewall#

<para>Example from /etc/shorewall/tcdevices:</para>

<programlisting>#NUMBER: IN-BANDWIDTH OUT-BANDWIDTH OPTIONS
#INTERFACE
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS
1:COMB_IF <emphasis role="bold">~20mbit:250ms:4sec</emphasis> ${UPLOAD}kbit hfsc,linklayer=ethernet,overhead=0</programlisting>

<para>To create a rate-estimated filter, precede the bandwidth with a
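Review bot: the new tcdevices header contains a typo, `IN_BANDWITH`; it should be `IN_BANDWIDTH`, matching the `IN_BANDWIDTH OUT_BANDWIDTH` header introduced in the previous hunk. The old two-line header (`#NUMBER:` over `#INTERFACE`) also documented that the first column takes the `number:interface` form that the `1:COMB_IF` row still relies on; the single `#INTERFACE` header loses that hint, so consider `#NUMBER:INTERFACE` or a word about the form in the surrounding text.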
@ -2674,9 +2711,17 @@ VS3=fw:192.168.2.14</programlisting>

<para><filename>/etc/shorewall/rules</filename>:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT $VS1 net tcp 25
DNAT net $VS1 tcp 25
<programlisting>#ACTION SOURCE DEST PROTO DPORT

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

ACCEPT $VS1 net tcp 25
DNAT net $VS1 tcp 25
etc...</programlisting>
</section>
</section>
@ -2925,7 +2970,7 @@ else
<section id="faq26">
<title>(FAQ 26) When I try to use any of the SYN options in nmap on or
behind the firewall, I get <quote>operation not permitted</quote>. How
can I use nmap with Shorewall?"</title>
can I use nmap with Shorewall?</title>

<para><emphasis role="bold">Answer:</emphasis> Temporarily remove any
<emphasis role="bold">rejNotSyn</emphasis>, <emphasis
@ -2964,8 +3009,8 @@ else
everyone's site. Adsense is a Javascript that people add to their Web
pages. So I entered the rule:</para>

<programlisting>#ACTION SOURCE DEST PROTO
REJECT fw net:pagead2.googlesyndication.com all</programlisting>
<programlisting>#ACTION SOURCE DEST PROTO
REJECT fw net:pagead2.googlesyndication.com all</programlisting>

<para>However, this also sometimes restricts access to "google.com". Why
is that? Using dig, I found these IPs for domain
@ -2992,9 +3037,9 @@ REJECT fw net:pagead2.googlesyndication.com all</programlisting
expressed in terms of those IP addresses. So the rule that you entered
was equivalent to:</para>

<para><programlisting>#ACTION SOURCE DEST PROTO
REJECT fw net:216.239.37.99 all
REJECT fw net:216.239.39.99 all</programlisting>Given that
<para><programlisting>#ACTION SOURCE DEST PROTO
REJECT $FW net:216.239.37.99 all
REJECT $FW net:216.239.39.99 all</programlisting>Given that
name-based multiple hosting is a common practice (another example:
lists.shorewall.net and www1.shorewall.net are both hosted on the same
system with a single IP address), it is not possible to filter
@ -3079,10 +3124,9 @@ gateway:~# </programlisting>
<para><emphasis role="bold">Answer:</emphasis> Add these two
policies:</para>

<programlisting>#SOURCE DESTINATION POLICY LOG LIMIT:BURST
# LEVEL
$FW loc ACCEPT
loc $FW ACCEPT </programlisting>
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
$FW loc ACCEPT
loc $FW ACCEPT</programlisting>

<para>You should also delete any ACCEPT rules from $FW->loc and
loc->$FW since those rules are redundant with the above
@ -3121,16 +3165,16 @@ loc $FW ACCEPT </programlisting>

<para><filename>/etc/shorewall/masq:</filename></para>

<programlisting>#INTERFACE SOURCE ADDRESS
<programlisting>#INTERFACE SOURCE ADDRESS

COMMENT DSL Modem

EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
</programlisting>

<para><filename>/etc/shorewall/proxyarp</filename>:</para>

<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
172.20.1.2 EXT_IF INT_IF no yes
</programlisting>
</listitem>
@ -3159,11 +3203,11 @@ EXT_IF:172.20.1.2 0.0.0.0/0 172.20.1.254
<para>Your entry in <filename>/etc/shorewall/masq</filename> would
then be:</para>

<programlisting>#INTERFACE SOURCE ADDRESS
<programlisting>#INTERFACE SOURCE ADDRESS

COMMENT DSL Modemhttp://ipv6.shorewall.net/SimpleBridge.html
COMMENT DSL Modem

EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
</programlisting>
</listitem>
</itemizedlist>
@ -3192,8 +3236,9 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
default name for the firewall zone is <emphasis
role="bold">fw</emphasis>:</para>

<programlisting>#ZONE TYPE OPTIONS
<emphasis role="bold">fw</emphasis> firewall</programlisting>
<programlisting>#ZONE TYPE OPTIONS

<emphasis role="bold">fw</emphasis> firewall</programlisting>

<para>So, using the default or sample configurations, writing <emphasis
role="bold">$FW</emphasis> is the same as writing <emphasis
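Review bot: the rewritten zones listing inserts an empty line between `#ZONE TYPE OPTIONS` and the `fw firewall` row, which renders as a blank line inside the listing; the original version of this listing and the policy listing earlier in this file (`$FW loc ACCEPT` directly under its header) keep the row adjacent to the header. The `gate firewall` listing in the next hunk picks up the same empty line; suggest removing it in both.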
@ -3202,8 +3247,9 @@ EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
<emphasis role="bold">$FW</emphasis> would be the same as writing
<emphasis role="bold">gate</emphasis>.</para>

<programlisting>#ZONE TYPE OPTIONS
<emphasis role="bold">gate</emphasis> firewall</programlisting>
<programlisting>#ZONE TYPE OPTIONS

<emphasis role="bold">gate</emphasis> firewall</programlisting>

<section id="faq95a">
<title>Why was that done?</title>

@ -92,7 +92,7 @@

<orderedlist>
<listitem>
<para>Beginning with Shorewall 4.6.0, ection headers are now preceded
<para>Beginning with Shorewall 4.6.0, section headers are now preceded
by '?' (e.g., '?SECTION ...'). If your configuration contains any bare
'SECTION' entries, the following warning is issued:</para>

@ -1139,8 +1139,7 @@ shorewall restart</command></programlisting> The RPMs are set up so that if

<para>Example:</para>

<programlisting>#SOURCE DEST POLICY LOG
# LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL
loc net ACCEPT
net all DROP:MyDrop info
#
