forked from extern/shorewall_code
New syntax convention in rules manpage
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4988 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
6bb3658904
commit
f44e5d44e9
@ -109,7 +109,27 @@
|
|||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ACTION</emphasis></term>
|
<term><emphasis role="bold">ACTION</emphasis> — {<emphasis
|
||||||
|
role="bold">ACCEPT</emphasis>[<emphasis
|
||||||
|
role="bold">+</emphasis>]|<emphasis
|
||||||
|
role="bold">NONAT</emphasis>|<emphasis
|
||||||
|
role="bold">DROP</emphasis>|<emphasis
|
||||||
|
role="bold">REJECT</emphasis>|<emphasis
|
||||||
|
role="bold">DNAT</emphasis>[<emphasis
|
||||||
|
role="bold">-</emphasis>]|<emphasis
|
||||||
|
role="bold">SAME</emphasis>[<emphasis
|
||||||
|
role="bold">-</emphasis>]|<emphasis
|
||||||
|
role="bold">REDIRECT</emphasis>[<emphasis
|
||||||
|
role="bold">-</emphasis>]|<emphasis
|
||||||
|
role="bold">CONTINUE</emphasis>|<emphasis
|
||||||
|
role="bold">LOG</emphasis>|<emphasis
|
||||||
|
role="bold">QUEUE</emphasis>|<emphasis
|
||||||
|
role="bold">COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
|
||||||
|
role="bold">/</emphasis><emphasis>target</emphasis>}<emphasis
|
||||||
|
role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
|
||||||
|
role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
|
||||||
|
role="bold">!</emphasis></emphasis>][<emphasis
|
||||||
|
role="bold">:</emphasis><emphasis>tag</emphasis>]]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Must be one of the following.</para>
|
<para>Must be one of the following.</para>
|
||||||
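Review bot: the optional `/target` suffix in the new ACTION synopsis is never closed. After `<emphasis>macro</emphasis>[<emphasis role="bold">/</emphasis><emphasis>target</emphasis>` the next character is the `}` that ends the `{ACCEPT[+]|...}` group, so the rendered term reads `macro[/target}` instead of `macro[/target]}`; insert the missing `]` before `}`. While here, the `!` in the log-level part is wrapped in two nested bold elements (`<emphasis role="bold"><emphasis role="bold">!</emphasis></emphasis>`); a single `<emphasis role="bold">` matches the rest of the term.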
@ -291,7 +311,8 @@
|
|||||||
macro accepts an action parameter (Look at the macro source to
|
macro accepts an action parameter (Look at the macro source to
|
||||||
see if it has PARAM in the TARGET column) then the
|
see if it has PARAM in the TARGET column) then the
|
||||||
<emphasis>macro</emphasis> name is followed by "/" and the
|
<emphasis>macro</emphasis> name is followed by "/" and the
|
||||||
action (<emphasis role="bold">ACCEPT</emphasis>, <emphasis
|
<emphasis>target</emphasis> (<emphasis
|
||||||
|
role="bold">ACCEPT</emphasis>, <emphasis
|
||||||
role="bold">DROP</emphasis>, <emphasis
|
role="bold">DROP</emphasis>, <emphasis
|
||||||
role="bold">REJECT</emphasis>, ...) to be substituted for the
|
role="bold">REJECT</emphasis>, ...) to be substituted for the
|
||||||
parameter.</para>
|
parameter.</para>
|
||||||
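Review bot: the rewritten sentence now calls the substituted value the <emphasis>target</emphasis>, matching the `macro/target` form in the ACTION synopsis, but the opening clause of the same sentence still says the macro "accepts an action parameter". Use one word for it (target, or parameter) so readers can map the prose onto the synopsis. Minor: "(Look at the macro source ..." opens a mid-sentence parenthetical with a capital letter.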
@ -343,7 +364,14 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE</emphasis></term>
|
<term><emphasis role="bold">SOURCE</emphasis> —
|
||||||
|
{<emphasis>zone</emphasis>|<emphasis
|
||||||
|
role="bold">all</emphasis>[<emphasis
|
||||||
|
role="bold">+</emphasis>][<emphasis
|
||||||
|
role="bold">-</emphasis>]}<emphasis
|
||||||
|
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||||
|
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...|<emphasis
|
||||||
|
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Source hosts to which the rule applies. May be a zone defined
|
<para>Source hosts to which the rule applies. May be a zone defined
|
||||||
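Review bot: the SOURCE synopsis opens an optional group at `][<emphasis` / `role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>...` but the term ends with `+</emphasis><emphasis>ipset</emphasis>}</term>`, so that `[` is never closed and the rendered term is `[:{...|+ipset}` with a dangling bracket; end it with `}]`. The braces also place `+` and `-` only on the `all` alternative (`all[+][-]`); if that is the intended meaning, the listitem should say that the suffixes apply to `all` only.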
@ -440,7 +468,14 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST</emphasis></term>
|
<term><emphasis role="bold">DEST</emphasis> —
|
||||||
|
{<emphasis>zone</emphasis>|<emphasis
|
||||||
|
role="bold">all</emphasis>[<emphasis
|
||||||
|
role="bold">+</emphasis>][<emphasis
|
||||||
|
role="bold">-</emphasis>]}<emphasis
|
||||||
|
role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
|
||||||
|
role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...|<emphasis
|
||||||
|
role="bold">+</emphasis><emphasis>ipset</emphasis>}}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Location of Server. May be a zone defined in
|
<para>Location of Server. May be a zone defined in
|
||||||
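Review bot: same bracket problem as SOURCE, with the opposite symptom: the DEST term ends in `+</emphasis><emphasis>ipset</emphasis>}}</term>`, a second `}` where the `]` that closes `[<emphasis role="bold">:</emphasis>{...` is needed. Replace the final `}}` with `}]`; otherwise the two synopses, which are meant to be identical, render differently.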
@ -520,17 +555,17 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">PROTO</emphasis> (Optional)</term>
|
<term><emphasis role="bold">PROTO</emphasis> (Optional) — {<emphasis
|
||||||
|
role="bold">-</emphasis>|<emphasis
|
||||||
|
role="bold">tcp:syn</emphasis>|<emphasis
|
||||||
|
role="bold">ipp2p</emphasis>|<emphasis
|
||||||
|
role="bold">ipp2p:udp</emphasis>|<emphasis
|
||||||
|
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
|
||||||
|
role="bold">all}</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Protocol - Must be <emphasis role="bold">tcp</emphasis>,
|
<para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
|
||||||
<emphasis role="bold">tcp:syn</emphasis>, <emphasis
|
ipp2p match support in your kernel and iptables. <emphasis
|
||||||
role="bold">udp</emphasis>, <emphasis role="bold">icmp</emphasis>,
|
|
||||||
<emphasis role="bold">ipp2p</emphasis>,<emphasis role="bold">
|
|
||||||
ipp2p:udp</emphasis>, <emphasis role="bold">ipp2p:all</emphasis> a
|
|
||||||
<emphasis>number</emphasis>, or <emphasis
|
|
||||||
role="bold">all</emphasis>. <emphasis role="bold">ipp2p</emphasis>*
|
|
||||||
requires ipp2p match support in your kernel and iptables. <emphasis
|
|
||||||
role="bold">tcp:syn</emphasis> implies <emphasis
|
role="bold">tcp:syn</emphasis> implies <emphasis
|
||||||
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
role="bold">tcp</emphasis> plus the SYN flag must be set and the
|
||||||
RST,ACK and FIN flags must be reset.</para>
|
RST,ACK and FIN flags must be reset.</para>
|
||||||
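Review bot: in the PROTO term the closing brace sits inside the bold element (`role="bold">all}</emphasis>`), so `}` renders bold, unlike every other term in this commit where braces are outside `<emphasis>`; move `}` after `</emphasis>`. The new description also loses its subject: it now opens `Protocol - <emphasis role="bold">ipp2p</emphasis>* requires ipp2p match support ...`, and the removed lines were the only place that said a protocol may be given by name or by number. Since the synopsis now lists <emphasis>protocol-number</emphasis> and <emphasis>protocol-name</emphasis>, add a sentence stating that (and where names are resolved from, if the project wants to document it) before the ipp2p caveat.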
@ -538,7 +573,10 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional)</term>
|
<term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional) —
|
||||||
|
{<emphasis
|
||||||
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Destination Ports. A comma-separated list of Port names (from
|
<para>Destination Ports. A comma-separated list of Port names (from
|
||||||
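Review bot: `<emphasis role="bold">DEST PORT(S) </emphasis>(Optional)` keeps the trailing space inside the bold element, while the SOURCE PORT(S) entry in the next hunk puts it outside (`</emphasis> (Optional)`); move the space outside `</emphasis>` so the two headings render the same.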
@ -576,8 +614,10 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">SOURCE PORT(S)</emphasis>
|
<term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) —
|
||||||
(Optional)</term>
|
{<emphasis
|
||||||
|
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
|
||||||
|
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Port(s) used by the client. If omitted, any source port is
|
<para>Port(s) used by the client. If omitted, any source port is
|
||||||
@ -610,7 +650,9 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional)</term>
|
<term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) —
|
||||||
|
[<emphasis
|
||||||
|
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
|
<para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
|
||||||
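Review bot: ORIGINAL DEST uses `[<emphasis role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]`, square brackets around the whole column, whereas PROTO, DEST PORT(S) and SOURCE PORT(S), which are also marked "(Optional)", use `{<emphasis role="bold">-</emphasis>|...}`. Pick one convention for optional columns; if `[...]` means the column may be left empty, the `-` alternative inside it duplicates what "(Optional)" already says.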
@ -647,37 +689,38 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional)</term>
|
<term><emphasis role="bold">RATE LIMIT</emphasis> (Optional) —
|
||||||
|
[<emphasis role="bold">-</emphasis>|<emphasis>rate</emphasis><emphasis
|
||||||
|
role="bold">/</emphasis>{<emphasis
|
||||||
|
role="bold">sec</emphasis>|<emphasis
|
||||||
|
role="bold">min</emphasis>}[:<emphasis>burst</emphasis>] </term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>You may rate-limit the rule by placing a value in this
|
<para>You may rate-limit the rule by placing a value in this
|
||||||
column:</para>
|
column:</para>
|
||||||
|
|
||||||
<para><emphasis>rate</emphasis>/<emphasis>interval</emphasis>[:<emphasis>burst</emphasis>]
|
<para><emphasis>rate</emphasis> is the number of connections per
|
||||||
where <emphasis>rate</emphasis> is the number of connections per
|
interval (<emphasis role="bold">sec</emphasis> or <emphasis
|
||||||
<emphasis>interval</emphasis> (<emphasis role="bold">sec</emphasis>
|
role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
|
||||||
or <emphasis role="bold">min</emphasis>) and
|
largest burst permitted. If no <emphasis>burst</emphasis> is given,
|
||||||
<emphasis>burst</emphasis> is the largest burst permitted. If no
|
a value of 5 is assumed. There may be no no whitespace embedded in
|
||||||
<emphasis>burst</emphasis> is given, a value of 5 is assumed. There
|
the specification.</para>
|
||||||
may be no no whitespace embedded in the specification.</para>
|
|
||||||
|
|
||||||
<para>Example: 10/sec:20</para>
|
<para>Example: 10/sec:20</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional)</term>
|
<term><emphasis role="bold">USER/GROUP</emphasis> (Optional) —
|
||||||
|
[<emphasis
|
||||||
|
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
|
||||||
|
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
|
||||||
|
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>This column may only be non-empty if the SOURCE is the
|
<para>This column may only be non-empty if the SOURCE is the
|
||||||
firewall itself.</para>
|
firewall itself.</para>
|
||||||
|
|
||||||
<para>The column may contain:</para>
|
|
||||||
|
|
||||||
<para>[!][<emphasis>user name or number</emphasis>][:<emphasis>group
|
|
||||||
name or number</emphasis>][+<emphasis>program
|
|
||||||
name</emphasis>]</para>
|
|
||||||
|
|
||||||
<para>When this column is non-empty, the rule applies only if the
|
<para>When this column is non-empty, the rule applies only if the
|
||||||
program generating the output is running under the effective
|
program generating the output is running under the effective
|
||||||
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
<emphasis>user</emphasis> and/or <emphasis>group</emphasis>
|
||||||
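Review bot: the rewritten RATE LIMIT paragraph carries over the typo "There may be no no whitespace embedded in the specification" (duplicated "no"), and the term has a stray space before `</term>` (`[:<emphasis>burst</emphasis>] </term>`). Also, now that the inline `rate/interval[:burst]` line has been dropped from the listitem, the word "interval" appears only in the prose while the term shows `{sec|min}`; phrasing it as "per <emphasis>interval</emphasis>, i.e. <emphasis role="bold">sec</emphasis> or <emphasis role="bold">min</emphasis>" would tie the two together. The USER/GROUP change is fine: the duplicated synopsis paragraph is removed and the term carries the same `[!][user][:group][+program]` form.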
@ -838,8 +881,7 @@
|
|||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://shorewall.net/Documentation.htm#Rules">http://shorewall.net/Documentation.htm#Rules</ulink>
|
url="http://shorewall.net/Documentation.htm#Rules">http://shorewall.net/Documentation.htm#Rules</ulink></para>
|
||||||
</para>
|
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
||||||
|
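Review bot: the `</para>` move is fine. The mixed-case `<title>See ALSO</title>` in the touched context looks like a typo for the usual manpage heading (`SEE ALSO`, or `See Also` if the stylesheet uppercases); since this hunk already edits the section, it could be corrected in the same pass.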