diff --git a/Shorewall-docs2/ports.xml b/Shorewall-docs2/ports.xml index 900f34532..d897173ae 100644 --- a/Shorewall-docs2/ports.xml +++ b/Shorewall-docs2/ports.xml @@ -51,14 +51,14 @@ Shorewall distribution contains a library of user-defined macros that allow for easily allowing or blocking a particular application. - Check your /usr/share/shorewall/actions.std file - for a list of macros in your distribution. If you find what you need, - you simply use the action in a rule. For example, to allow DNS queries + ls /usr/share/shorewall/macro.* + for the list of macros in your distribution. If you find what you need, + you simply use the macro in a rule. For example, to allow DNS queries from the dmz zone to the net zone: #ACTION SOURCE DESTINATION -DNS/ACCEPT dmz net +DNS/ACCEPT dmz net @@ -70,12 +70,12 @@ DNS/ACCEPT dmz net Example: You want to port forward FTP from the net to your server at 192.168.1.4 in your DMZ. The FTP section below gives you: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) FTP/ACCEPT <source> <destination> You would code your rule as follows: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) FTP/DNAT net dmz:192.168.1.4 @@ -84,19 +84,20 @@ FTP/DNAT net dmz:192.168.1.4 Auth (identd) - Now,It's 21 Century , - don't use identd in production anymore. + It is now the 21st + Century ; don't use identd in production + anymore. #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -Auth/ACCEPT <source> <destination> +Auth/ACCEPT <source> <destination>
DNS #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -DNS/ACCEPT <source> <destination> +DNS/ACCEPT <source> <destination> Note that if you are setting up a DNS server that supports recursive resolution, the server is the <destination> for @@ -106,7 +107,7 @@ DNS/ACCEPT <source> <destination&g a public DNS server in your DMZ that supports recursive resolution for local clients then you would need: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) DNS/ACCEPT all dmz DNS/ACCEPT dmz net @@ -157,7 +158,7 @@ DNAT net loc:192.168.1.4 tcp 4711
FTP - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) FTP/ACCEPT <source> <destination> Look here for much more @@ -186,13 +187,14 @@ FTP/ACCEPT <source> <destination> Your loc->net policy is ACCEPT - Gnutella/DNAT net loc:192.168.1.4 + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +Gnutella/DNAT net loc:192.168.1.4
ICQ/AIM - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ICQ/ACCEPT <source> net
@@ -205,7 +207,7 @@ ICQ/ACCEPT <source> net SSL - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) IMAP/ACCEPT <source> <destination> #Secure & Unsecure IMAP
@@ -235,14 +237,14 @@ ACCEPT <z1>:<list of client IPs> NTP (Network Time Protocol) - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) NTP/ACCEPT <source> <destination>
<trademark>PCAnywhere</trademark> - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) PCA/ACCEPT <source> <destination>
@@ -256,7 +258,7 @@ PCA/ACCEPT <source> <destination> TCP Port 110 (Secure Pop3 is TCP Port 995) - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) POP3/ACCEPT <source> <destination> # Secure & Unsecure Pop3 @@ -274,14 +276,14 @@ ACCEPT <source> <destination> rdate - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) Rdate/ACCEPT <source> <destination>
rsync - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) Rsync/ACCEPT <source> <destination>
@@ -295,7 +297,7 @@ SSH/ACCEPT <source> <destination> SMB/NMB (Samba/Windows Browsing/File Sharing) - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) SMB/ACCEPT <source> <destination> SMB/ACCEPT <destination> <source> @@ -313,14 +315,14 @@ ACCEPT <source> <destination> SNMP - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) SNMP/ACCEPT <source> <destination>
Telnet - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) Telnet/ACCEPT <source> <destination>
@@ -344,7 +346,7 @@ ACCEPT <source> <destination> Traceroute - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) Trcrt/ACCEPT <source> <destination> #Good for 10 hops UDP traceroute uses ports 33434 through 33434+<max number of @@ -363,7 +365,7 @@ ACCEPT fw ...
Usenet (NNTP) - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) NNTP/ACCEPT <source> <destination> TCP Port 119 @@ -385,7 +387,7 @@ ACCEPT <source> <destination>Vncserver to Vncviewer in listen mode -- TCP port 5500. - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) VNCL/ACCEPT <source> <destination>
@@ -404,7 +406,7 @@ VNCL/ACCEPT <source> <destination&g
Web Access - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) Web/ACCEPT <source> <destination> #Insecure HTTP& Secure HTTP
@@ -434,6 +436,16 @@ ACCEPT <apps> <chooser Revision History + + 1.17 + + 2005-09-20 + + TE + + More 3.0 Updates + + 1.16 diff --git a/Shorewall-docs2/standalone.xml b/Shorewall-docs2/standalone.xml index f8ba4ca0c..9b9b01823 100644 --- a/Shorewall-docs2/standalone.xml +++ b/Shorewall-docs2/standalone.xml @@ -308,21 +308,18 @@ all all REJECT info
Enabling other Connections - Shorewall includes a collection of actions that can be used to - quickly allow or deny services. You can find a list of the actions - included in your version of Shorewall in the file - /usr/share/shorewall/actions.std. - - Those actions that allow a connection begin with - Allow. + Shorewall includes a collection of macros that can be used to + quickly allow or deny services. You can find a list of the macros included + in your version of Shorewall using the command ls + /usr/share/shorewall/macro.*. If you wish to enable connections from the internet to your firewall - and you find an appropriate Allow action in - /etc/shorewall/actions.std, the general format of a - rule in /etc/shorewall/rules is: + and you find an appropriate macro in + /etc/shorewall/macro.*, the general format of a rule + in /etc/shorewall/rules is: - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -<action> net $FW + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +<macro>/ACCEPT net $FW You want to run a Web Server and a IMAP Server on your firewall @@ -334,10 +331,9 @@ IMAP/ACCEPT net $FW</programlisting> </example> <para>You may also choose to code your rules directly without using the - pre-defined actions. This will be necessary in the event that there is not - a pre-defined action that meets your requirements. In that case the - general format of a rule in <filename>/etc/shorewall/rules</filename> - is:</para> + pre-defined macros. This will be necessary in the event that there is not + a pre-defined macro that meets your requirements. In that case the general + format of a rule in <filename>/etc/shorewall/rules</filename> is:</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT net $FW <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting> @@ -433,6 +429,16 @@ SSH/ACCEPT net $FW </programlisting> <title>Revision History + + 2.0 + + 2005-09-12 + + TE + + More 3.0 Updates + + 1.9
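Review bot: the rewritten sentence in the first ports.xml hunk (@@ -51,14) is a fragment: `ls /usr/share/shorewall/macro.*` followed directly by `for the list of macros in your distribution` has no verb introducing the command, so a reader cannot tell that `ls ...` is something to type. Suggest `Run ls /usr/share/shorewall/macro.* for the list of macros in your distribution.` (or `Check the files matching /usr/share/shorewall/macro.* for the list of macros ...`), keeping the following `you simply use the macro in a rule` unchanged.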
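Review bot: the Auth (identd) hunk in ports.xml (@@ -84,19) leaves a stray space before the semicolon (`Century ;`) and capitalises `Century` mid-sentence, so the new wording still reads as untidy as the old `Now,It's 21 Century ,`. Suggest `It is now the 21st century; don't use identd in production anymore.`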
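Review bot: nearly every other ports.xml hunk (the FTP port-forward example, DNS, FTP, ICQ/AIM, IMAP, NTP, PCAnywhere, POP3, rdate, rsync, SMB/NMB, SNMP, Telnet, Traceroute, NNTP, VNC and Web Access) changes only the `#ACTION SOURCE DESTINATION PROTO DEST PORT(S)` header line, which appears to be a whitespace-only column realignment; the first hunk also respaces `DNS/ACCEPT dmz net`. With the whitespace collapsed in this view it is not possible to confirm that the header columns now line up with the rule lines beneath them, so please check one rendered programlisting, and consider keeping these cosmetic realignments in a separate change from the wording fixes so reviewers can skip them.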
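Review bot: the standalone.xml hunk (@@ -308,21) is inconsistent about where macros live: the first paragraph lists them with `ls /usr/share/shorewall/macro.*`, but the next sentence tells the reader to find an appropriate macro in `/etc/shorewall/macro.*`. The macros shipped with the distribution are the ones under /usr/share/shorewall (per the preceding sentence and the ports.xml hunk), so the second reference should read `/usr/share/shorewall/macro.*` unless the intent is to point at user-supplied macros in /etc/shorewall, in which case say so explicitly. The hunk also drops `Those actions that allow a connection begin with Allow` without replacing the guidance it gave; since the new example is `<macro>/ACCEPT net $FW`, one sentence noting that the macro name is followed by `/` and the desired ACTION (ACCEPT, DNAT, etc., as in the `FTP/DNAT` and `DNS/ACCEPT` examples) would fill that gap. While this paragraph is being touched, the context line `a IMAP Server` could become `an IMAP Server`.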
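Review bot: the two revision-history entries added by this patch disagree on the date: ports.xml gains `1.17` dated `2005-09-20`, while standalone.xml gains `2.0` dated `2005-09-12`, both by `TE` with the identical text `More 3.0 Updates`. If both entries record this same change, one of the dates looks like a typo; please confirm which is intended or give each entry a description that explains why they differ.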