From f2eb6f71e453d12b5c8cbf9954f7c92c055cf8ca Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 26 Nov 2006 18:45:23 +0000 Subject: [PATCH] More fixes to 'rules' man page git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5009 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- manpages/shorewall-rules.xml | 64 ++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 28 deletions(-) diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index 74d585da1..1a8b31efc 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -21,11 +21,11 @@ Description - Rules in this file govern connection establishment. Subsequent - requests and responses are automatically allowed using connection - tracking. For any particular (source,dest) pair of zones, the rules are - evaluated in the order in which they appear in this file and the first - terminating match is the one that determines the disposition of the + Rules in this file govern connection establishment. By default, + subsequent requests and responses are automatically allowed using + connection tracking. For any particular (source,dest) pair of zones, the + rules are evaluated in the order in which they appear in this file and the + first terminating match is the one that determines the disposition of the request. All rules are terminating except LOG and QUEUE rules. In most places where an IP address or subnet is allowed, you can 
@@ -415,13 +415,14 @@ Except when all[+][-] is - specified, clients may be further restricted to a list of subnets - and/or hosts by appending ":" and a comma-separated list of subnets - and/or hosts. Hosts may be specified by IP or MAC address; mac - addresses must begin with "~" and must use "-" as a + specified, clients may be further restricted to a list of networks + and/or hosts by appending ":" and a comma-separated list of network + and/or host addresses. Hosts may be specified by IP or MAC address; + mac addresses must begin with "~" and must use "-" as a separator. - Hosts may be specified as an IP address range using the syntax + Hosts may also be specified as an IP address range using the + syntax lowaddress-highaddress. This requires that your kernel and iptables contain iprange match support. If your kernel and iptables have ipset match support then @@ -515,9 +516,8 @@ role="bold">all[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset} + role="bold">[:{interface|address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}] Location of Server. May be a zone defined in @@ -538,8 +538,9 @@ Except when all[+] is specified, the server may be further - restricted to a particular subnet, host or interface by appending - ":" and the subnet, host or interface. See above. + restricted to a particular network, host or interface by appending + ":" and the network, host or interface. See SOURCE above. You may exclude certain hosts from the set already defined through use of an exclusion (see @@ -547,7 +548,8 @@ Restrictions: - 1. MAC addresses are not allowed. + 1. MAC addresses are not allowed (this is a Netfilter + restriction). 2. In DNAT rules, only IP addresses are allowed; no FQDNs or subnet addresses are 
@@ -703,25 +705,25 @@ ORIGINAL DEST (Optional) — [-|address[,address]...] + role="bold">-|address[,address]...[exclusion]|exclusion] If ACTION is DNAT[-] or REDIRECT[-] - then if included and different from the IP address given in the - SERVER column, this is an address - on some interface on the firewall and connections to that address - will be forwarded to the IP and port specified in the DEST column. + then if this column is included and is different from the IP address + given in the SERVER column, then + connections destined for that address will be forwarded to the IP + and port specified in the DEST + column. A comma-separated list of addresses may also be used. This is - usually most useful with the REDIRECT target where you want to redirect - traffic destined for particular set of hosts. Finally, if the list - of addresses begins with "!" then the rule will be followed only if - the original destination address in the connection request does not - match any of the addresses listed. + most useful with the REDIRECT + target where you want to redirect traffic destined for particular + set of hosts. Finally, if the list of addresses begins with "!" + (exclusion) then the rule will be followed only + if the original destination address in the connection request does + not match any of the addresses listed. For other actions, this column may be included and may contain one or more addresses (host or network) separated by commas. Address @@ -733,6 +735,12 @@ role="bold">REDIRECT- rule. In this usage, the list of addresses should not begin with "!". + It is also possible to specify a set of addresses then exclude + part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28 specifies the + addresses 192.168.1.0-182.168.1.15 and + 192.168.1.32-192.168.1.255. + See http://shorewall.net/PortKnocking.html for an example of using an entry in this column with a user-defined action rule.
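Review bot: the new "By default" in the Description hunk (@@ -21,11 +21,11 @@) qualifies the statement that subsequent requests and responses are allowed by connection tracking, but the hunk never says what changes that default, so a reader is left wondering which setting or file entry turns it off. Either name the mechanism in the same sentence or add a cross-reference to where it is documented; as written the qualifier raises a question the page does not answer.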
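Review bot: the SOURCE hunk (@@ -415,13 +415,14 @@) leaves the capitalisation of "MAC" inconsistent within two adjacent sentences: "Hosts may be specified by IP or MAC address; mac addresses must begin with "~"". Since the hunk already rewords this passage, make it "MAC addresses must begin with "~"" so the term matches the DEST restriction "MAC addresses are not allowed" later in the same patch.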
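Review bot: the DEST synopsis hunk (@@ -515,9 +516,8 @@) is a syntax change, not just a wording fix: the old form "[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}" allowed an interface followed by an address list, while the new form "[:{interface|address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset}]" makes interface and address mutually exclusive alternatives. If that is the intended behaviour, the commit message ("More fixes to 'rules' man page") should say so, since a reader diffing the two synopses will otherwise assume the zone:interface:address form was dropped by accident; if it is not intended, restore the separate "[:interface]" group.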
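Review bot: the sentence rewritten in the DEST description hunk (@@ -538,8 +538,9 @@), "restricted to a particular network, host or interface by appending ":" and the network, host or interface. See SOURCE above.", does not say that only one of these may follow the zone, which is what the synopsis earlier in this patch now expresses. Suggest "restricted to either an interface or a list of networks/hosts (not both)" here, or add that as a numbered item to the Restrictions list that follows, so the prose and the synopsis agree.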
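Review bot: the parenthetical added in the Restrictions hunk (@@ -547,7 +548,8 @@), "MAC addresses are not allowed (this is a Netfilter restriction).", tells the reader who to blame but not why, and the reason is what stops people filing bugs against Shorewall. The Netfilter mac match only tests the source MAC of an incoming frame, so there is nothing to match a destination MAC against; one clause to that effect ("Netfilter can only match source MAC addresses") would make the restriction self-explanatory.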
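Review bot: the rewritten ORIGINAL DEST paragraph (@@ -703,25 +705,25 @@) refers to the same column under two names in one sentence: "different from the IP address given in the SERVER column ... forwarded to the IP and port specified in the DEST column". The column in question is headed DEST (its description in this patch reads "Location of Server"), so use DEST in both places; otherwise a reader will look for a SERVER column that does not exist. The "(exclusion)" cross-reference added for the leading "!" is fine, but note the next paragraph still says the list "should not begin with "!"" for other actions, so the two cases should be kept clearly distinguished.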
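Review bot: the worked example added in the last hunk (@@ -733,6 +735,12 @@) has a typo in the result: "192.168.1.0/24!192.168.1.16/28 specifies the addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255" should read "192.168.1.0-192.168.1.15". The ranges themselves are correct (192.168.1.16/28 covers .16 through .31, so what remains is .0-.15 and .32-.255), but a wrong octet in a man page example is exactly the kind of thing that gets copied into rules; please fix before commit.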